Identification of patterns in stateful transactions

US 8,526,306 B2
Filed: 11/19/2009
Issued: 09/03/2013
Est. Priority Date: 12/05/2008
Status: Active Grant

First Claim

Patent Images

1. A method of identifying a pattern in a plurality of messages, the method comprising:

(a) for each message of the plurality of messages transmitted by a first device to a recipient over a network, intercepting the message prior to receipt by the recipient;

(b) adding, with a processor as each message of the plurality of messages is intercepted, a descriptor representative of the intercepted message to a message pattern operative to accumulate descriptors of intercepted messages;

(c) comparing the message pattern to a plurality of exemplary message patterns;

(d) identifying when the message pattern matches at least one of the exemplary message patterns; and

(e) determining an action to take with respect to the message based on the identifying.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for the identification of patterns in stateful transactions may include a message interceptor, a message pattern processor, a message handler, and a memory. The message interceptor may be operative to intercept messages transmitted by a first device over a network to a recipient. The message interceptor may be operative to intercept the messages before the messages are received by the recipient. The message pattern processor may be operative to add the message to a message pattern and store the message pattern in a memory. The message pattern processor may compare the message pattern to a plurality of exemplary message patterns and identify when the message pattern matches at least one of the exemplary message patterns. The message handler may be operative to determine an action to take with respect to the message based on the at least one matching exemplary message pattern identified by the message pattern processor.

40 Citations

View as Search Results

26 Claims

1. A method of identifying a pattern in a plurality of messages, the method comprising:
- (a) for each message of the plurality of messages transmitted by a first device to a recipient over a network, intercepting the message prior to receipt by the recipient;
  
  (b) adding, with a processor as each message of the plurality of messages is intercepted, a descriptor representative of the intercepted message to a message pattern operative to accumulate descriptors of intercepted messages;
  
  (c) comparing the message pattern to a plurality of exemplary message patterns;
  
  (d) identifying when the message pattern matches at least one of the exemplary message patterns; and
  
  (e) determining an action to take with respect to the message based on the identifying.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - (f) intercepting a response sent by the recipient to the first device in response to the message, prior to receipt by the first device;
      
      (g) adding a descriptor representative of the response to the message pattern;
      
      (c) comparing the message pattern to the plurality of exemplary message patterns;
      
      (d) identifying when the message pattern matches at least one of the exemplary message patterns; and
      
      (e) determining an action to take with respect to the response based on the identifying.
  - 3. The method of claim 1, wherein the plurality of exemplary message patterns comprise valid message patterns, the action comprising allowing the message to continue to the recipient when the message pattern matches at least one of the exemplary message patterns and preventing the message from reaching the recipient when the message pattern fails to match at least one of the exemplary message patterns.
  - 4. The method of claim 1, wherein the plurality of exemplary message patterns comprise invalid message patterns, the action comprising allowing the message to continue to the recipient when the message pattern fails to match at least one of the exemplary message patterns and preventing the message from reaching the recipient when the message pattern matches at least one of the exemplary message patterns.
  - 5. The method of claim 1, wherein each of the plurality of exemplary message patterns comprises a regular expression.
  - 6. The method of claim 1, wherein the plurality of messages comprises a session initiation protocol.
  - 7. The method of claim 1, wherein the plurality of messages establish a session between the first device and the recipient, the session being characterized by a state, each message of the plurality of messages being capable of altering the state of the session, the identifying further determining when the state of the session changes from a first state to a second state based on the message.

8. A system for identifying a pattern in a plurality of messages, the system comprising:
- (a) means for intercepting each message of the plurality of messages transmitted by a first device to a recipient over a network prior to receipt by the recipient;
  
  (b) means for adding, as each message of the plurality of messages is intercepted, a descriptor representative of the intercepted message to a message pattern operative to accumulate descriptors of intercepted messages;
  
  (c) means for comparing the message pattern to a plurality of exemplary message patterns;
  
  (d) means for identifying when the message pattern matches at least one of the exemplary message patterns; and
  
  (e) means for determining an action to take with respect to the message based on the identifying.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, further comprising:
    - (f) means for intercepting a response sent by the recipient to the first device in response to the message, prior to receipt by the first device;
      
      (g) means for adding a descriptor representative of the response to the message pattern;
      
      (c) means for comparing the message pattern to the plurality of exemplary message patterns;
      
      (d) means for identifying when the message pattern matches at least one of the exemplary message patterns; and
      
      (e) means for determining an action to take with respect to the response based on the identifying.
  - 10. The system of claim 8, wherein the plurality of exemplary message patterns comprise valid message patterns, the action comprising means for allowing the message to continue to the recipient when the message pattern matches at least one of the exemplary message patterns and means for preventing the message from reaching the recipient when the message pattern fails to match at least one of the exemplary message patterns.
  - 11. The system of claim 8, wherein the plurality of exemplary message patterns comprise invalid message patterns, the action comprising means for allowing the message to continue to the recipient when the message pattern fails to match at least one of the exemplary message patterns and means for preventing the message from reaching the recipient when the message pattern matches at least one of the exemplary message patterns.

12. A method for the identification of patterns in stateful transactions, the method comprising:
- (a) identifying a plurality of exemplary message patterns, wherein each exemplary message pattern comprises a specification describing a sequence of messages for a transaction over a network;
  
  (b) intercepting a message from a first device intended to be communicated over the network to a second device;
  
  (c) adding, as the message is intercepted, a descriptor of the intercepted message to a current message pattern operative to accumulate descriptors of intercepted messages, wherein the current message pattern comprises a specification describing a sequence of messages associated with a current transaction over the network between the first device and the second device;
  
  (d) determining whether the current message pattern matches one of the plurality of exemplary message patterns; and
  
  (e) one of communicating the message to the second device or preventing the message from being communicated to the second device based on the determining.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12 further comprising:
    - (f) removing the descriptor of the message from the current message pattern if the current message pattern does not match one of the plurality of exemplary message patterns; and
      
      (g) repeating steps (b)-(f).
  - 14. The method of claim 12 wherein the plurality of exemplary message patterns comprises a plurality of exemplary session initiation protocol message patterns.
  - 15. The method of claim 12 wherein determining whether the current message pattern matches one of the plurality of exemplary message patterns further comprises using a regular expression engine to determine whether the current message pattern matches one of the plurality of exemplary message patterns.

16. A method of preventing fraudulent signals in session initiation protocol transactions, the method comprising:
- providing a packet monitoring device to intercept a plurality of packets intended to be communicated to a session initiation protocol proxy server;
  
  intercepting the plurality of packets intended to be communicated to the session initiation protocol proxy server;
  
  performing a deep packet inspection on the plurality of packets together to identify a session initiation protocol signal;
  
  processing the session initiation protocol signal to determine whether the session initiation protocol signal is fraudulent; and
  
  dropping the plurality of packets if the session initiation protocol signal is determined to be fraudulent, otherwise allowing the plurality of packets to be communicated to the intended session initiation protocol proxy server.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 further comprising storing the session initiation protocol signal in a data store.
  - 18. The method of claim 17 further comprising:
    - processing a header of the session initiation protocol signal to determine a transaction identifier of the session initiation protocol signal;
      
      determining whether the transaction identifier of the session initiation protocol signal matches a transaction identifier of at least one session initiation protocol signal stored in the data store; and
      
      allowing the plurality of packets to be communicated to the intended session initiation protocol proxy server if the transaction identifier matches the transaction identifier of at least one session initiation protocol signal stored in the data store, otherwise dropping the plurality of packets.
  - 19. The method of claim 18 wherein the header comprises a uniform resource identifier, a branch parameter and a command sequence parameter, and the transaction identifier of the session initiation protocol signal is determined by calculating a 32-bit hash of the uniform resource identifier, the branch parameter and the command sequence parameter.
  - 20. The method of claim 18 further comprising:
    - determining a number of session initiation protocol signals in the data store received over a period of time having a transaction identifier matching the transaction identifier of the session initiation protocol signal; and
      
      dropping the plurality of packets if the determined number of session initiation protocol signals exceeds a rate limit, otherwise allowing the plurality of packets to be communicated to the intended session initiation protocol proxy server.

21. A system for identifying a pattern in a plurality of messages, the system comprising:
- a message interceptor operative, for each message of the plurality of messages transmitted by a first device to a recipient over a network, to intercept the message prior to receipt by the recipient;
  
  a message pattern processor operative to add, as each message of the plurality of messages is intercepted, a descriptor representative of the intercepted message to a message pattern operative to accumulate descriptors of intercepted messages, store the message pattern in a memory, compare the message pattern to a plurality of exemplary message patterns, identify when the message pattern matches at least one of the exemplary message patterns; and
  
  a message handler operative to determine an action to take with respect to the message based on the at least one exemplary message pattern identified by the message pattern processor.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, further comprising:
    - the message interceptor operative to intercept a response message sent by the recipient to the first device in response to the message, prior to receipt by the first device;
      
      the message pattern processor further operative to add a descriptor representative of the response message to the message pattern; and
      
      the message handler further operative to take an action with respect to the response message based on the at least one matching exemplary message pattern identified by the message pattern processor.
  - 23. The system of claim 21, wherein the plurality of exemplary message patterns comprise valid message patterns, the message handler further operative to allow the message to continue to the recipient, and prevent the message from continuing to the recipient, and the action comprising the message handler allowing the message to continue to the recipient when the message pattern matches at least one of the exemplary message patterns and the message handler preventing the message from reaching the recipient when the message pattern fails to match at least one of the exemplary message patterns.
  - 24. The system of claim 21, wherein the plurality of exemplary message patterns comprise invalid message patterns, the message handler further operative to allow the message to continue to the recipient, and prevent the message from continuing to the recipient, and the action comprising the message handler allowing the message to continue to the recipient when the message pattern fails to match at least one of the exemplary message patterns and the message handler preventing the message from reaching the recipient when the message pattern matches at least one of the exemplary message patterns.
  - 25. The system of claim 21, wherein each of the plurality of exemplary message patterns comprises a regular expression.

26. A method of preventing fraudulent signals in session initiation protocol transactions, the method comprising:
- providing a packet monitoring device to intercept a plurality of packets intended to be communicated to a session initiation protocol proxy server;
  
  intercepting the plurality of packets intended to be communicated to the session initiation protocol proxy server;
  
  performing a deep packet inspection on the plurality of packets to identify a session initiation protocol signal;
  
  processing the session initiation protocol signal to determine whether the session initiation protocol signal is fraudulent;
  
  dropping the plurality of packets if the session initiation protocol signal is determined to be fraudulent, otherwise allowing the plurality of packets to be communicated to the intended session initiation protocol proxy server; and
  
  processing a header of the session initiation protocol signal to determine a transaction identifier of the session initiation protocol signal,wherein the header comprises a uniform resource identifier, a branch parameter and a command sequence parameter, and the transaction identifier of the session initiation protocol signal is determined by calculating a 32-bit hash of the uniform resource identifier, the branch parameter and the command sequence parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
CloudShield Technologies, Inc. (ZeroFox Holdings, Inc.)
Inventors
Jungck, Peder J., Helms, David
Primary Examiner(s)
Yao, Kwang B
Assistant Examiner(s)
NGO, NGUYEN HOANG

Application Number

US12/621,810
Publication Number

US 20100142382A1
Time in Patent Office

1,384 Days
Field of Search

370/229, 370/230, 370/232, 370/235, 370/236, 370/401
US Class Current

370/230
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/23   Reliability checks, e.g. ac...

H04L 63/0245   Filtering by information in...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04L 65/1076   Screening of IP real time c...

H04L 65/1104   Session initiation protocol...

H04W 4/14   Short messaging services, e...

Identification of patterns in stateful transactions

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of patterns in stateful transactions

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links