Filtering unwanted data traffic via a per-customer blacklist

US 8,161,155 B2
Filed: 09/29/2008
Issued: 04/17/2012
Est. Priority Date: 09/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method for generating a customer blacklist associated with a customer system, comprising:

generating, at a computer, a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources;

generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources;

comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and

for each internet protocol address in the first plurality of internet protocol addresses;

adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and

not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses;

wherein generating a network blacklist further comprises;

acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;

sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics;

rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and

selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Traffic flow from a traffic source with a source IP address to a customer system with a destination IP address is filtered by comparing the source IP address to a customer blacklist. If the source IP address is on the customer blacklist, then traffic to the customer system is blocked; else, traffic to the customer system is allowed. The customer blacklist is generated from a network blacklist, comprising IP addresses of unwanted traffic sources, and a customer whitelist, comprising IP addresses of wanted traffic sources. The customer blacklist is generated by removing from the network blacklist any IP address also on the customer whitelist. The network blacklist is generated by acquiring raw blacklists from reputation systems. IP addresses on the raw blacklists are sorted by prefix groups, which are rank ordered by traffic frequency. Top prefix groups are selected for the network blacklist.

22 Citations

View as Search Results

12 Claims

1. A method for generating a customer blacklist associated with a customer system, comprising:
- generating, at a computer, a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources;
  
  generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources;
  
  comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and
  
  for each internet protocol address in the first plurality of internet protocol addresses;
  
  adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and
  
  not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses;
  
  wherein generating a network blacklist further comprises;
  
  acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
  
  sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics;
  
  rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and
  
  selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - monitoring a traffic flow from a traffic source identified by a source internet protocol address to the customer system, wherein the customer system is identified by a destination internet protocol address;
      
      comparing the source internet protocol address with the customer blacklist;
      
      blocking the traffic flow if the source internet protocol address is on the customer blacklist; and
      
      allowing the traffic flow if the source internet protocol address is not on the customer Blacklist.
  - 3. The method of claim 2, wherein blocking the traffic flow further comprises:
    - blocking the traffic flow at a node.
  - 4. The method of claim 1, wherein acquiring a raw blacklist further comprises:
    - accessing a reputation system.
  - 5. The method of claim 1, wherein generating a network blacklist further comprises:
    - populating a filter table with the top prefix groups.
  - 6. The method of claim 1, wherein generating a network blacklist further comprises:
    - acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length;
      
      analyzing traffic patterns within each prefix group generating prefix subgroups based at least on the prefix groups and the analyzed traffic patterns;
      
      rank ordering the prefix subgroups according to traffic frequency; and
      
      selecting the top network-specified prefix subgroups.

7. A non-transitory computer readable medium storing computer program instructions for generating a customer blacklist associated with a customer system, the computer instructions comprising:
- generating a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources;
  
  generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources;
  
  comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and
  
  for each internet protocol address in the first plurality of internet protocol addresses;
  
  adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and
  
  not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses;
  
  wherein generating a network blacklist further comprises;
  
  acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
  
  sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics;
  
  rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and
  
  selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable medium of claim 7, wherein the computer instructions for generating a customer blacklist further comprises computer program instructions comprising:
    - monitoring a traffic flow from a traffic source identified by a source internet protocol address to the customer system, wherein the customer system is identified by a destination internet protocol address;
      
      comparing the source internet protocol address with the customer blacklist;
      
      blocking the traffic flow if the source internet protocol address is on the customer blacklist; and
      
      allowing the traffic flow if the source internet protocol address is not on the customer Blacklist.
  - 9. The non-transitory computer readable medium of claim 8, wherein the computer program instructions defining the step of blocking the traffic flow further comprises computer programming instructions comprising:
    - blocking the traffic flow at a node.
  - 10. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of acquiring a raw blacklist further comprises computer program instructions comprising:
    - accessing at least one reputation system.
  - 11. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of generating a network blacklist further comprises computer program instructions comprising:
    - populating a filter table with the top prefix groups.
  - 12. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of generating a network blacklist further comprises computer program instructions comprising:
    - acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length;
      
      analyzing traffic patterns within each prefix group generating prefix subgroups based at least on the prefix groups and the analyzed traffic patterns;
      
      rank ordering the prefix subgroups according to traffic frequency; and
      
      selecting the top network-specified prefix subgroups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Van Der Merwe, Jacobus Erasmus, El Defrawy, Karim, Krishnamurthy, Balachander
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
Kim, Edward

Application Number

US12/286,213
Publication Number

US 20100082811A1
Time in Patent Office

1,296 Days
Field of Search

709/232, 709223-225, 726 1- 21
US Class Current

709/225
CPC Class Codes

G06F 16/9535 Search customisation based ...

Filtering unwanted data traffic via a per-customer blacklist

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering unwanted data traffic via a per-customer blacklist

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links