System and method for providing network level and nodal level vulnerability protection in VoIP networks
First Claim
1. A method for protecting one or more communications devices comprising the steps of:
receiving a communication at a first processor communicably coupled to the one or more communications devices via a network;
filtering the received communication using the first processor wherein the first processor executes three or more stages selected from the group comprising a media protection and filtering plane, a policy-based filtering plane, a signature-based filtering plane, a protocol anomaly detection and filtering plane, and a behavioral learning-based filtering plane;
either allowing or blocking the received communication using the first processor based on the selected stages;
wherein the media protection and filtering plane blocks the received communication whenever the communication falls outside one or more communication media-based parameters comprising signaling media integrity, media validation and anomaly detection;
wherein the policy-based filtering plane blocks the received communication whenever one or more user defined media and time policies are violated;
wherein the signature-based filtering plane blocks the received communication whenever the received communication matches one or more known attack signatures;
wherein the protocol anomaly detection and filtering plane blocks the received communication whenever the received communication violates one or more protocol policies comprising a protocol misuse policy, a protocol message scrubbing policy, and a device specific policy;
wherein the behavioral learning-based filtering plane uses a probability analysis to detect anomalies based on one or more learned parameters and resolve probable false alarms into a correct decision to either block or allow the received communication;
further comprising:
one or more media subsystems having a second processor communicably and securely connected to one or more signaling subsystems and deployed as a security and monitoring interface between the network and the one or more communications devices; and
an element management system (EMS) subsystem having a third processor communicably and securely connected to the one or more signaling subsystems;
or a verify subsystem having a fourth processor communicably and securely connected to the one or more signaling subsystems.
Abstract
The present invention provides a system, method and apparatus for providing network level and nodal level vulnerability protection in VoIP networks by receiving a communication, filtering the received communication using three or more stages selected from the group comprising a media protection and filtering plane, a policy-based filtering plane, a signature-based filtering plane, a protocol anomaly detection and filtering plane and a behavioral learning-based filtering plane, and either allowing or denying the received communication based on the filtering step. The stages are applicable to one or more protocols including SIP, IMS, UMA, H.248, H.323, RTP, CSTA/XML or a combination thereof. In addition, the stages can be implemented within a single device or distributed across a network (e.g., a SIP network, a UMA network, an IMS network or a combination thereof).
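The following is an added illustration of the multi-plane filtering the claims describe, written for this page and not the patent holder's implementation. It runs constructed SIP requests through four of the claimed planes (policy-based, signature-based, protocol anomaly, behavioral learning) and allows a message only if every plane allows it; the signatures, policy values and learned rates are all constructed assumptions.

```python
import re
import statistics

# Constructed SIP requests (not from the patent); CRLF line endings as on the wire.
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n"
        "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n"
        "Call-ID: abc123\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD_SIG = GOOD.replace("<sip:alice@example.com>", "A" * 600)    # oversize From header
BAD_PROTO = GOOD.replace("CSeq: 1 INVITE", "CSeq: 1 REGISTER")   # CSeq method mismatch

def parse(msg):
    """Split a SIP request into its request line and a lower-cased header dict."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = dict((k.strip().lower(), v.strip()) for k, _, v in
                (line.partition(":") for line in head[1:]))
    return head[0], hdrs

def policy_plane(method, hour, allowed=("INVITE", "REGISTER", "ACK", "BYE")):
    """User-defined media and time policy: permitted methods and calling hours (assumed)."""
    return method in allowed and 6 <= hour < 22

SIGNATURES = [re.compile(r"A{500,}")]   # constructed signature for an oversize header
def signature_plane(msg):
    """Signature-based plane: block on any match against known attack patterns."""
    return not any(s.search(msg) for s in SIGNATURES)

def protocol_anomaly_plane(method, hdrs):
    """Protocol misuse checks: mandatory headers present, CSeq method matches request."""
    if not {"via", "from", "to", "call-id", "cseq"}.issubset(hdrs):
        return False
    return hdrs["cseq"].split()[-1] == method

def behavioral_plane(rate, learned_rates, z_limit=3.0):
    """Probability analysis over learned per-source request rates: block only when the
    observed rate is a statistical outlier, so a modest spike is not a false alarm."""
    mean = statistics.mean(learned_rates)
    sd = statistics.pstdev(learned_rates) or 1.0
    return (rate - mean) / sd <= z_limit

def filter_message(msg, hour=12, rate=2.0, learned_rates=(1, 2, 2, 3, 2)):
    """Run the selected planes; any single blocking plane blocks the communication."""
    req, hdrs = parse(msg)
    method = req.split(" ")[0]
    planes = [policy_plane(method, hour), signature_plane(msg),
              protocol_anomaly_plane(method, hdrs),
              behavioral_plane(rate, learned_rates)]
    return "ALLOW" if all(planes) else "BLOCK"
```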
18 Claims
8. A non-transitory computer readable medium for protecting one or more communications devices comprising program instructions when executed by a first processor causes the first processor to perform the steps of:
receiving a communication at the first processor communicably coupled to the one or more communications devices via a network;
filtering the received communication using three or more stages selected from the group comprising a media protection and filtering plane, a policy-based filtering plane, a signature-based filtering plane, a protocol anomaly detection and filtering plane and a behavioral learning-based filtering plane;
either allowing or blocking the received communication based on the selected stages;
wherein the media protection and filtering plane blocks the received communication whenever the received communication falls outside one or more communication media based parameters comprising signaling media integrity, media validation and anomaly detection;
wherein the policy-based filtering plane blocks the communication whenever one or more user defined media and time policies are violated;
wherein the signature-based filtering plane blocks the received communication whenever the received communication matches one or more known attack signatures;
wherein the protocol anomaly detection and filtering plane blocks the received communication whenever the received communication violates one or more protocol policies comprising a protocol misuse policy, a protocol message scrubbing policy and a device specific policy;
wherein the behavioral learning-based filtering plane uses a probability analysis to detect anomalies based on one or more learned parameters and resolve probable false alarms into a correct decision to either block or allow the received communication;
further comprising:
one or more media subsystems having a second processor communicably and securely connected to one or more signaling subsystems and deployed as a security and monitoring interface between the network and the one or more communications devices; and
an element management system (EMS) subsystem having a third processor communicably and securely connected to the one or more signaling subsystems;
or a verify subsystem having a fourth processor communicably and securely connected to the one or more signaling subsystems.
Dependent claims: 9, 10, 11, 12.
13. A system for protecting one or more communications devices comprising:
a network communicably coupled to the one or more communications devices;
one or more signaling subsystems having a first processor deployed as a security and monitoring gateway between the one or more communications devices and the network;
an intelligence subsystem having a second processor communicably and securely connected to the one or more signaling subsystems;
wherein the first processor of the one or more signaling subsystems receives a communication, filters the received communication using three or more stages selected from the group comprising a media protection and filtering plane, a policy-based filtering plane, a signature-based filtering plane, a protocol anomaly detection and filtering plane and a behavioral learning-based filtering plane, and either allows or denies the received communication based on the selected stages;
wherein the media protection and filtering plane blocks the received communication whenever the received communication falls outside one or more communication media based parameters comprising signaling media integrity, media validation and anomaly detection;
wherein the policy-based filtering plane blocks the received communication whenever one or more user defined media and time policies are violated;
wherein the signature-based filtering plane blocks the received communication whenever the received communication matches one or more known attack signatures;
wherein the protocol anomaly detection and filtering plane blocks the received communication whenever the received communication violates one or more protocol policies comprising a protocol misuse policy, a protocol message scrubbing policy and a device specific policy;
wherein the behavioral learning-based filtering plane uses a probability analysis to detect anomalies based on one or more learned parameters and resolve probable false alarms into a correct decision to either block or allow the received communication;
further comprising:
one or more media subsystems having a third processor communicably and securely connected to the one or more signaling subsystems and deployed as a security and monitoring interface between the network and the one or more communications devices; and
an element management system (EMS) subsystem having a fourth processor communicably and securely connected to the one or more signaling subsystems;
or a verify subsystem having a fifth processor communicably and securely connected to the one or more signaling subsystems.
Dependent claims: 14, 15, 16, 17, 18.
Specification