Techniques for network protection based on subscriber-aware application proxies

US 8,266,696 B2
Filed: 11/14/2005
Issued: 09/11/2012
Est. Priority Date: 11/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a packet switched network at a service gateway, comprising the steps of:

receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server,wherein the user data includessubscriber identifier data that indicates a unique identifier for a particular user,network address data that indicates a network address for a host used by the particular user,NAS data that indicates an identifier for the network access server,flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, andsuspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;

determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and

if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network; and

communicating a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.

Citations

34 Claims

1. A method for protecting a packet switched network at a service gateway, comprising the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server,wherein the user data includessubscriber identifier data that indicates a unique identifier for a particular user,network address data that indicates a network address for a host used by the particular user,NAS data that indicates an identifier for the network access server,flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, andsuspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network; and
  
  communicating a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows that are started within a particular period of time; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows that are started within the particular period of time exceeds a threshold rate.
  - 3. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the user; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the user exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 4. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the content server; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the content server exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 5. A method as recited in claim 1, said step of responding to the intrusion further comprising the step of sending a message to the network access server based on the NAS data to terminate communications from the particular user.
  - 6. A method as recited in claim 5, said step of sending the message to the network access server further causing the network access server to free resources allocated to the user in an access network between the user and the network access server.
  - 7. A method as recited in claim 6, said step of sending the message to the network access server comprising the step of sending a Remote Access Dial-in User Service (RADIUS) Packet of Disconnect (POD) to the network access server, whereby the network access server tears down a communication path in the access network and frees resources in the access network allocated to the user.
  - 8. A method as recited in claim 1, wherein the billing agent causes a message that requests the particular user to cease undesired activity to be sent to the particular user outside the packet-switched network.
  - 9. A method as recited in claim 1, wherein the billing agent causes the particular user to lose authorization for access to a set of one or more content servers.
  - 10. A method as recited in claim 1, wherein the billing causes an excess fee to be charged to the particular user.
  - 11. A method as recited in claim 1, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then not granting access for the packet-switched network.
  - 12. A method as recited in claim 11, said step of not granting access for the packet-switched network further comprising the step of not granting access for the packet-switched network during a particular penalty period of time.
  - 13. A method as recited in claim 1, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then forwarding the message to a particular server to generate a special response for the particular user.
  - 14. A method as recited in claim 1, said step of responding to the intrusion further comprising the step of deleting all data flows associated with the same subscriber identifier.
  - 15. The method as recited in claim 1, further comprising:
    - receiving, at a billing agent server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network, wherein the billing agent server is configured to respond to the malicious subscriber data by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network; and
      
      in response to receiving the malicious subscriber data, penalizing the particular user by;
      
      sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
      
      causing a penalty fee to be charged to an account associated with the particular user.
  - 16. A method as recited in claim 15, further comprising:
    - determining whether a penalty period has expired; and
      
      if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

17. An apparatus for protecting a packet switched network at a service gateway, comprising:
- means for receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server,wherein the user data includessubscriber identifier data that indicates a unique identifier for a particular user,network address data that indicates a network address for a host used by the particular user,NAS data that indicates an identifier for the network access server,flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, andsuspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  means for determining whether an intrusion condition is satisfied based on the suspicious activity data determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
  
  means for responding to the intrusion, if it is determined that the intrusion condition is satisfied, by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network;
  
  means for receiving, at a billing agent server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
  
  means for penalizing the particular user in response to receiving the malicious subscriber data bycausing the particular user to be removed from a list of authorized users of the target network;
  
  sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  
  causing a penalty fee to be charged to an account associated with the particular user.

18. An apparatus for protecting a packet switched network at a service gateway server in a communication path on the packet switched network between a network access server and a content server on the packet switched network comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
  
  one or more processors;
  
  a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the step of;
  
  receiving user data that includes subscriber identifier data, network address data, NAS data, flow list data and suspicious activity data,determining whether an intrusion condition is satisfied based on the suspicious activity data;
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network, determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows;
  
  communicating a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user; and
  
  whereinthe subscriber identifier data indicates a unique identifier for a particular user,the NAS data indicates an identifier for the network access server,the flow list data indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, andthe suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 19. An apparatus as recited in claim 18, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows that are started within a particular period of time; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows that are started within the particular period of time exceeds a threshold rate.
  - 20. An apparatus as recited in claim 18, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the user; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the user exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 21. An apparatus as recited in claim 18, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the content server; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the content server exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 22. An apparatus as recited in claim 18, said step of responding to the intrusion further comprising the step of sending a message to the network access server based on the NAS data to terminate communications from the particular user.
  - 23. An apparatus as recited in claim 22, said step of sending the message to the network access server further causing the network access server to free resources allocated to the user in an access network between the user and the network access server.
  - 24. An apparatus as recited in claim 23, said step of sending the message to the network access server comprising the step of sending a Remote Access Dial-in User Service (RADIUS) Packet of Disconnect (POD) to the network access server, whereby the network access server tears down a communication path in the access network and frees resources in the access network allocated to the user.
  - 25. An apparatus as recited in claim 18, wherein the billing agent causes a message that requests the particular user to cease undesired activity to be sent to the particular user outside the packet-switched network.
  - 26. An apparatus as recited in claim 18, wherein the billing agent causes the particular user to lose authorization for access to a set of one or more content servers.
  - 27. An apparatus as recited in claim 18, wherein the billing causes an excess fee to be charged to the particular user.
  - 28. An apparatus as recited in claim 18, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then not granting access for the packet-switched network.
  - 29. An apparatus as recited in claim 28, said step of not granting access for the packet-switched network further comprising the step of not granting access for the packet-switched network during a particular penalty period of time.
  - 30. An apparatus as recited in claim 18, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then forwarding the message to a particular server to generate a special response for the particular user.
  - 31. An apparatus as recited in claim 18, said step of responding to the intrusion further comprising the step of deleting all data flows associated with the same subscriber identifier.

32. An apparatus for responding to intrusions on a packet switched network at a billing agent server that provides payment information for a remote user who accesses the packet switched network, comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
  
  one or more processors,a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the step of;
  
  receiving, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the packet switched network; and
  
  in response to receiving the malicious subscriber data, penalizing the particular user by;
  
  causing the particular user to be removed from a list of authorized users of the packet switched network;
  
  dropping packets originated from an Internet Protocol (IP) address associated with the particular end user;
  
  sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the packet switched network;
  
  determining whether a penalty period has expired; and
  
  if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

33. A non-transitory computer-readable medium carrying one or more sequences of instructions for protecting a packet switched network at a service gateway, wherein execution of the one or more sequences of instructions by one or more processors, included in a network element configured to send and to receive Internet protocol (IP) packets, causes the one or more processors to perform the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server,wherein the user data includessubscriber identifier data that indicates a unique identifier for a particular user,network address data that indicates a network address for a host used by the particular user,NAS data that indicates an identifier for the network access server,flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, andsuspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  determining whether an intrusion condition is satisfied based on the suspicious activity data determining whether an intrusion condition is satisfied based on the suspicious activity data, wherein the intrusion condition is associated with a scanning attack, which is identified through the suspicious activity data by recognizing an excessive number of open flows being established per second such that other flows are denied access because of the excessive number of open flows; and
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion by dropping packets originated from an Internet Protocol (IP) address associated with the particular end user and by sending a message to remove the particular end user'"'"'s IP address from a list of authorized users for the network;
  
  receiving, at a billing agent server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
  
  in response to receiving the malicious subscriber data, penalizing the particular user by;
  
  causing the particular user to be removed from a list of authorized users of the target network; and
  
  dropping packets originated from an Internet Protocol (IP) address associated with the particular end user.
- View Dependent Claims (34)
- - 34. A computer-readable medium as recited in claim 33, wherein execution of the code further causes the one or more processors to perform the steps of:
    - determining whether a penalty period has expired; and
      
      if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
O'Rourke, Christopher C., Bordonaro, Frank Gerard, Menditto, Louis, Batz, Robert
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US11/273,112
Publication Number

US 20070113284A1
Time in Patent Office

2,493 Days
Field of Search

726 1- 3, 726 11- 14, 726 22- 23, 726/24, 726/25, 705/400
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Techniques for network protection based on subscriber-aware application proxies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for network protection based on subscriber-aware application proxies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links