Techniques for network protection based on subscriber-aware application proxies
Abstract
Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
34 Claims

1. A method for protecting a packet switched network at a service gateway, comprising the steps of:

- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
- if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user's IP address from a list of authorized users for the network; and
- communicating a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user.

Dependent claims 2 through 16 are not reproduced here.
-
-
17. An apparatus for protecting a packet switched network at a service gateway, comprising:

- means for receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- means for determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
- means for responding to the intrusion, if it is determined that the intrusion condition is satisfied, by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user's IP address from a list of authorized users for the network;
- means for receiving, at a billing agent server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
- means for penalizing the particular user in response to receiving the malicious subscriber data by causing the particular user to be removed from a list of authorized users of the target network; sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and causing a penalty fee to be charged to an account associated with the particular user.
-
-
18. An apparatus for protecting a packet switched network at a service gateway server in a communication path on the packet switched network between a network access server and a content server on the packet switched network, comprising:

- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
- one or more processors;
- a computer-readable medium; and
- one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
  - receiving user data that includes subscriber identifier data, network address data, NAS data, flow list data and suspicious activity data;
  - determining whether an intrusion condition is satisfied based on the suspicious activity data;
  - if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user's IP address from a list of authorized users for the network;
  - determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
  - communicating a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user;
- wherein the subscriber identifier data indicates a unique identifier for a particular user, the NAS data indicates an identifier for the network access server, the flow list data indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and the suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity.

Dependent claims 19 through 31 are not reproduced here.
-
-
32. An apparatus for responding to intrusions on a packet switched network at a billing agent server that provides payment information for a remote user who accesses the packet switched network, comprising:

- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
- one or more processors;
- a computer-readable medium; and
- one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
  - receiving, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the packet switched network; and
  - in response to receiving the malicious subscriber data, penalizing the particular user by:
    - causing the particular user to be removed from a list of authorized users of the packet switched network;
    - dropping packets originated from an Internet Protocol (IP) address associated with the particular end user;
    - sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the packet switched network;
    - determining whether a penalty period has expired; and
    - if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.
-
-
33. A non-transitory computer-readable medium carrying one or more sequences of instructions for protecting a packet switched network at a service gateway, wherein execution of the one or more sequences of instructions by one or more processors, included in a network element configured to send and to receive Internet protocol (IP) packets, causes the one or more processors to perform the steps of:

- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
- if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user's IP address from a list of authorized users for the network;
- receiving, at a billing agent server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
- in response to receiving the malicious subscriber data, penalizing the particular user by:
  - causing the particular user to be removed from a list of authorized users of the target network; and
  - dropping packets originated from an Internet Protocol (IP) address associated with the particular end user.

Dependent claim 34 is not reproduced here.
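As an added example (not the patent's own code; the class and field names, the threshold, the penalty fee and the constructed subscriber records are all assumptions), the following Python models the claimed sequence end to end: the gateway derives the suspicious-activity value from the open-flow list, tests the open-flows-per-second condition of claim 1, responds against the IP address, and hands the subscriber identifier to a billing agent that penalizes the user and, as in claim 32, restores the user once the penalty period has expired.

```python
from dataclasses import dataclass, field

@dataclass
class UserData:
    subscriber_id: str   # unique subscriber identifier (survives IP reassignment)
    ip: str              # network address of the subscriber's host
    nas_id: str          # network access server that admitted the host
    open_flows: list     # start times (seconds) of flows with no matching termination
    def open_flows_per_second(self, now: float, window: float = 1.0) -> int:
        """Suspicious-activity value: open flows established within the last window."""
        return sum(1 for t in self.open_flows if now - window < t <= now)

@dataclass
class BillingAgent:
    penalty_period: float                          # seconds a penalty stays in force
    authorized: set = field(default_factory=set)   # list of authorized users
    penalized_until: dict = field(default_factory=dict)
    fees: dict = field(default_factory=dict)
    def penalize(self, subscriber_id: str, now: float, fee: float = 10.0) -> None:
        self.authorized.discard(subscriber_id)      # removed from authorized users
        self.penalized_until[subscriber_id] = now + self.penalty_period
        self.fees[subscriber_id] = self.fees.get(subscriber_id, 0.0) + fee

    def restore_expired(self, now: float) -> list:
        restored = sorted(s for s, until in self.penalized_until.items() if until <= now)
        for s in restored:                          # penalty period expired: restore
            del self.penalized_until[s]
            self.authorized.add(s)
        return restored

def gateway_check(user: UserData, billing: BillingAgent, now: float, max_open_per_sec: int) -> list:
    """Evaluate the scanning-attack condition and return the gateway's response actions."""
    if user.open_flows_per_second(now) <= max_open_per_sec:
        return []                                   # intrusion condition not satisfied
    billing.penalize(user.subscriber_id, now)       # message keyed on subscriber id, not IP
    return [f"drop packets from {user.ip}",
            f"remove {user.ip} from authorized list via NAS {user.nas_id}",
            f"penalize subscriber {user.subscriber_id}"]

def demo() -> dict:
    # Constructed scenario: one subscriber opens 30 flows in a second against a threshold of 10.
    billing = BillingAgent(penalty_period=3600.0, authorized={"sub-42", "sub-7"})
    scanner = UserData("sub-42", "10.0.0.5", "nas-1", [100.0 + i * 0.03 for i in range(30)])
    quiet = UserData("sub-7", "10.0.0.6", "nas-1", [99.0, 100.2])
    now = 100.9
    actions = gateway_check(scanner, billing, now, 10)
    quiet_actions = gateway_check(quiet, billing, now, 10)
    during = sorted(billing.authorized)             # while the penalty is in force
    restored = billing.restore_expired(now + 3600.0)
    return {"actions": actions, "quiet": quiet_actions, "during": during,
            "restored": restored, "fee": billing.fees["sub-42"], "after": sorted(billing.authorized)}
```

Because the billing agent is keyed on the subscriber identifier rather than the address, the penalty follows the user even if the NAS later assigns the host a different IP address.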