Method and apparatus for communicating intrusion-related information between internet service providers

US 8,091,131 B2
Filed: 10/28/2005
Issued: 01/03/2012
Est. Priority Date: 07/06/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for communicating intrusion-related information from a first node associated with a first internet service provider to a second node associated with a second internet service provider comprising:

establishing a peering relationship between the first node and the second node, the peering relationship specifying a peering point;

establishing a direct link between the first internet service provider and second internet service provider for forwarding packets from the second internet service provider to the first internet service provider without routing via a public link, the direct link comprising the peering point;

enabling exchange of private routing information of the first internet service provider and second internet service provider between the first and second node across the direct link, the private routing information specifying a network address for the first node;

identifying, by the first node, first intrusion-related information meeting a first criteria;

receiving, by the first node, second intrusion-related information from the peering point, the second intrusion-related information routed to the first node using the private routing information via the direct link;

determining whether the second intrusion-related information comprises information about an attack at a protocol stack layer;

modifying the peering relationship to generate a modified peering relationship based on the second intrusion-related information and the determining whether the second intrusion-related information comprises information about the attack at the protocol stack layer; and

determining whether to transmit the first intrusion-related information to the second node via the direct link in accordance with the modified peering relationship.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system and method for the sharing of intrusion-related information. The sharing of intrusion-related information occurs via a peering relationship between a first Internet Service Provider (ISP) and a second ISP. A first node associated with a first ISP transmits intrusion-related information to a second node associated with a second ISP. The first node identifies intrusion-related information meeting a first criteria. The first node then transmits the intrusion-related information to the second node. The intrusion-related information includes one or more of a list of attackers that previously probed the first node, the protocol used, the time of the probes, and the individual alarms raised.

16 Citations

View as Search Results

18 Claims

1. A method for communicating intrusion-related information from a first node associated with a first internet service provider to a second node associated with a second internet service provider comprising:
- establishing a peering relationship between the first node and the second node, the peering relationship specifying a peering point;
  
  establishing a direct link between the first internet service provider and second internet service provider for forwarding packets from the second internet service provider to the first internet service provider without routing via a public link, the direct link comprising the peering point;
  
  enabling exchange of private routing information of the first internet service provider and second internet service provider between the first and second node across the direct link, the private routing information specifying a network address for the first node;
  
  identifying, by the first node, first intrusion-related information meeting a first criteria;
  
  receiving, by the first node, second intrusion-related information from the peering point, the second intrusion-related information routed to the first node using the private routing information via the direct link;
  
  determining whether the second intrusion-related information comprises information about an attack at a protocol stack layer;
  
  modifying the peering relationship to generate a modified peering relationship based on the second intrusion-related information and the determining whether the second intrusion-related information comprises information about the attack at the protocol stack layer; and
  
  determining whether to transmit the first intrusion-related information to the second node via the direct link in accordance with the modified peering relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising identifying third intrusion-related information meeting a second criteria.
  - 3. The method of claim 2 wherein the second criteria is the same as the first criteria.
  - 4. The method of claim 2 further comprising transmitting the second intrusion-related information to a third node associated with a third internet service provider.
  - 5. The method of claim 1 further comprising receiving third intrusion-related information from the second node.
  - 6. The method of claim 5 further comprising determining whether the received third intrusion-related information meets a first usefulness metric.
  - 7. The method of claim 6 further comprising determining whether the second node meets a second usefulness metric.
  - 8. The method of claim 7 further comprising determining intrusion signatures the second node is capable of delivering and a level of granularity that the second node is capable of delivering.
  - 9. The method of claim 1 wherein the second intrusion-related information comprises a list of attackers that previously probed the second node, the list of attackers that previously probed the second node comprising, for each attacker:
    - protocol used, time of probe, and individual alarms raised.

10. A first node associated with a first internet service provider communicating intrusion-related information to with a second node associated with a second internet service provider, the first node comprising:
- a processor configured to;
  
  establish a peering relationship between the first node and the second node, the peering relationship specifying a peering point;
  
  establish a direct link between the first internet service provider and second internet service provider for forwarding packets from the second internet service provider to the first internet service provider without routing via a public link, the direct link comprising the peering point;
  
  enable exchange of private routing information of the first internet service provider and second internet service provider between the first and second node across the direct link, the private routing information specifying a network address for the first node;
  
  identify first intrusion-related information meeting a first criteria designated by the peering relationship;
  
  receive, by the first node, second intrusion-related information from the peering point, the second intrusion-related information routed to the first node using the private routing information via the direct link;
  
  determine whether the second intrusion-related information comprises information about an attack at a protocol stack layer;
  
  modify the peering relationship to generate a modified peering relationship based on the second intrusion-related information and whether the second intrusion-related information comprises information about the attack at the protocol stack layer; and
  
  determine whether to transmit the first intrusion-related information to the second node in accordance with the modified peering relationship; and
  
  an interface configured to communicate via the direct link the first intrusion-related information to the second node.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The first node of claim 10 wherein the processor is further configured to identify third intrusion-related information meeting a second criteria.
  - 12. The first node of claim 11 wherein the second criteria is the same as the first criteria.
  - 13. The first node of claim 11 wherein the interface is configured to transmit the second intrusion-related information to a third node associated with a third internet service provider.
  - 14. The first node of claim 10 wherein the interface is configured to receive third intrusion-related information from the second node.
  - 15. The first node of claim 14 wherein the processor determines whether the received third intrusion-related information meets a first usefulness metric.
  - 16. The first node of claim 15 wherein the processor is configured to determine whether the second node meets a third usefulness metric.
  - 17. The first node of claim 16 wherein the processor is configured to determine intrusion signatures the third node is capable of delivering and a level of granularity that the third node is capable of delivering.
  - 18. The first node of claim 10 wherein the second intrusion-related information comprises a list of attackers that previously probed the second node, the list of attackers that previously probed the second node comprising, for each attacker:
    - protocol used, time of the probe, and individual alarms raised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property II LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property II LP (AT&T, Inc.)
Inventors
Krishnamurthy, Balachander
Primary Examiner(s)
SHAW, YIN CHEN

Application Number

US11/260,974
Publication Number

US 20070011743A1
Time in Patent Office

2,258 Days
Field of Search

726 22- 25, 726 11- 15, 713/188, 370/254, 370/351, 709/221, 709223-229
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Method and apparatus for communicating intrusion-related information between internet service providers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for communicating intrusion-related information between internet service providers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others