Methods, devices, systems, and computer program products for edge driven communications network security monitoring

US 8,302,189 B2
Filed: 11/30/2009
Issued: 10/30/2012
Est. Priority Date: 11/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method of providing security for a communications network comprising:

monitoring, using a programmed computer processor circuit, data at an edge of the communications network, that is outside a backbone of the communications network, the data being received at the edge from outside the backbone of the communications network;

determining, at the edge, that the data being monitored at the edge comprises a security threat to the communications network;

reporting the data determined at the edge to be the security threat to a central management system associated with the backbone; and

blocking the data at the edge responsive to determining at the edge that the data is the security threat to the communications network;

wherein blocking comprises blocking data directed to a victim at the edge for a relatively low bandwidth aggregated security threat and blocking data directed to the victim at the backbone for a relatively high bandwidth security threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including un-solicited data traffic directed to the victim'"'"' so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed.

Citations

17 Claims

1. A method of providing security for a communications network comprising:
- monitoring, using a programmed computer processor circuit, data at an edge of the communications network, that is outside a backbone of the communications network, the data being received at the edge from outside the backbone of the communications network;
  
  determining, at the edge, that the data being monitored at the edge comprises a security threat to the communications network;
  
  reporting the data determined at the edge to be the security threat to a central management system associated with the backbone; and
  
  blocking the data at the edge responsive to determining at the edge that the data is the security threat to the communications network;
  
  wherein blocking comprises blocking data directed to a victim at the edge for a relatively low bandwidth aggregated security threat and blocking data directed to the victim at the backbone for a relatively high bandwidth security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1 wherein the edge of the communications network comprises a device operated under control of an internet service provider controlling the backbone, the device being logically located at an outermost position of the communications network immediately adjacent to a sub-network operated by a customer of the internet service provider.
  - 3. A method according to claim 1 wherein the edge of the communications network comprises a peer router operated under control of an internet service provider controlling the backbone, the peer router interfacing the communications network of the internet service provider to a network under control of another internet service provider.
  - 4. A method according to claim 1 wherein monitoring data comprises:
    - monitoring source data at a first sub-network connected to the backbone as the source data is received at a first edge and monitoring aggregated data including the source data upon receipt at a second sub-network located at a second edge of the communications network after traversing the backbone; and
      
      wherein determining comprises determining at the second edge that the aggregated data comprises the security threat.
  - 5. A method according to claim 1 wherein reporting further comprises:
    - receiving information associated with the data determined to be the security threat at the central management system;
      
      modifying a security policy controlled by the central management system to provide an updated security policy;
      
      transmitting the updated security policy to the edge;
      
      receiving the updated security policy at the edge; and
      
      blocking the data at the edge responsive to receiving the updated security policy.
  - 6. A method according to claim 5 wherein determining comprises determining that the data is associated with an unsolicited data transfer to a victim.
  - 7. A method according to claim 5 wherein determining comprises determining that the data is associated with a port scan of a victim.
  - 8. A method according to claim 5 wherein the updated security policy comprises an instruction to the edge to block data directed to an address associated with at least one victim of the security threat.

9. A system for providing security for a communications network comprising:
- an edge monitor circuit configured to monitor data at an edge of the communications network, that is outside a backbone of the communications network, the data being received at the edge from outside the backbone of the communications network;
  
  the edge monitor circuit configured to determine, at the edge, that the data being monitored at the edge comprises a security threat to the communications network;
  
  the edge monitor circuit configured to report the data determined at the edge to be the security threat to a central management system associated with the backbone; and
  
  the edge monitor circuit configured to block the data at the edge responsive to determining at the edge that the data is the security threat to the communications network;
  
  wherein the edge monitor circuit is further configured to block data directed to a victim at the edge for a relatively low bandwidth aggregated security threat and the central management system is further configured to block data directed to the victim at the backbone for a relatively high bandwidth security threat.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A system according to claim 9 wherein the edge monitor circuit comprises a device operated under control of an internet service provider controlling the backbone, the device being logically located at an outermost position of the communications network immediately adjacent to a sub-network operated by a customer of the internet service provider.
  - 11. A system according to claim 9 wherein the edge monitor circuit comprises a peer router operated under control of an internet service provider controlling the backbone, the peer router interfacing the communications network of the internet service provider to a network under control of another internet service provider.
  - 12. A system according to claim 9 wherein the edge monitor circuit is further configured to monitor source data at a first sub-network connected to the backbone as the source data is received at a first edge and to monitor aggregated data including the source data upon receipt at a second sub-network located at a second edge of the communications network after traversing the backbone;
    - andwherein the edge monitor circuit is further configured to determine at the second edge that the aggregated data comprises the security threat.
  - 13. A system according to claim 9 wherein the central management system is further configured to receive information associated with the data determined to be the security threat at the central management system, modify a security policy controlled by the central management system to provide an updated security policy;
    - and to transmit the updated security policy to the edge; and
      
      wherein the edge monitor circuit is further configured to receive the updated security policy at the edge and to block the data at the edge responsive to receiving the updated security policy.
  - 14. A system according to claim 13 wherein the edge monitor circuit is further configured to determine that the data is associated with an unsolicited data transfer to a victim.
  - 15. A system according to claim 13 wherein the edge monitor circuit is further configured to determine that the data is associated with a port scan of a victim.
  - 16. A system according to claim 13 wherein the updated security policy comprises an instruction to the edge monitor circuit to block data directed to an address associated with at least one victim of the security threat.

17. A computer program product for providing security for a communications network, the computer readable program product comprising a non-transitory computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising:
- computer readable program code that is configured to monitor data at an edge of the communications network, that is outside a backbone of the communications network, the data being received at the edge from outside the backbone of the communications network;
  
  computer readable program code that is configured to determine, at the edge, that the data being monitored at the edge comprises a security threat to the communications network;
  
  computer readable program code that is configured to report the data determined at the edge to be the security threat to a central management system associated with the backbone; and
  
  computer readable program code that is configured to block the data at the edge responsive to determining at the edge that the data is the security threat to the communications network;
  
  wherein the computer readable program code configured to block comprises computer readable program code configured to block data directed to a victim at the edge for a relatively low bandwidth aggregated security threat and computer readable program code configured to block data directed to the victim at the backbone for a relatively high bandwidth security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
de los Reyes, Gustavo, Jayawardena, Thusitha, Xu, Gang
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/627,733
Publication Number

US 20110131650A1
Time in Patent Office

1,065 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

H04L 63/1416 Event detection, e.g. attac...

Methods, devices, systems, and computer program products for edge driven communications network security monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, devices, systems, and computer program products for edge driven communications network security monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links