Attack protection for a packet-based network

US 8,601,564 B2
Filed: 04/28/2009
Issued: 12/03/2013
Est. Priority Date: 04/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a packet-based network from attacks, comprising the steps of:

performing a signature analysis on a packet stream received in a security border node of the packet-based network to detect attacks by comparing signatures of the packet stream with a set of signatures of previously identified attacks;

performing, by the security border node, an anomaly detection on at least part of the packet stream to detect anomalies in the packet stream;

updating, by the security border node, the set of signatures when the anomalies in the packet stream are detected, the updated set of signatures being subsequently used to perform the signature analysis;

distributing, by the security border node, at least one signature of the updated set of signatures to at least one further security border node of the packet-based network; and

performing, by the security border node, an anomaly detection by semantic processing on application layer control messages of the packet stream to identify semantically incorrect application layer control messages, and updating the set of signatures based on the identified semantically incorrect application layer control messages.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a protection unit for protecting a packet-based network from attacks, comprising: a signature analyzer for analyzing a packet stream received in a security border node of the packet-based network and for detecting attacks by comparing signatures of the packet stream with a set of signatures of previously identified attacks, an anomaly detector for detecting anomalies in the packet stream, and a signature interference unit for updating the set of signatures when anomalies in the packet stream are detected, the updated set of signatures being subsequently used for performing the signature analysis. A distribution unit distributes at least one signature of the updated set of signatures to at least one further security border node of the packet-based network. The invention also relates to a security border node comprising such a protection unit, a network comprising at least two such protection units, and a corresponding protection method.

Citations

18 Claims

1. A method for protecting a packet-based network from attacks, comprising the steps of:
- performing a signature analysis on a packet stream received in a security border node of the packet-based network to detect attacks by comparing signatures of the packet stream with a set of signatures of previously identified attacks;
  
  performing, by the security border node, an anomaly detection on at least part of the packet stream to detect anomalies in the packet stream;
  
  updating, by the security border node, the set of signatures when the anomalies in the packet stream are detected, the updated set of signatures being subsequently used to perform the signature analysis;
  
  distributing, by the security border node, at least one signature of the updated set of signatures to at least one further security border node of the packet-based network; and
  
  performing, by the security border node, an anomaly detection by semantic processing on application layer control messages of the packet stream to identify semantically incorrect application layer control messages, and updating the set of signatures based on the identified semantically incorrect application layer control messages.
- View Dependent Claims (2, 3, 12, 13, 16, 17, 18)
- - 2. The method according to claim 1, further comprising the step of:
    - controlling the sensitivity of the signature analysis and/or of the anomaly detection using a security threshold for the detection of attacks and/or for the detection of the anomalies, the security threshold being adjusted in dependence of at least one characteristic of the attacks.
  - 3. The method according to claim 2, wherein the anomaly detection is performed as a parallel multi-sequence byte analysis, and wherein weights of a byte sequence analysis are controlled in dependence of the security threshold.
  - 12. The method according to claim 1, wherein the anomaly detection is based on statistical analysis.
  - 13. The method according to claim 1, wherein the anomaly detection is based on machine learning.
  - 16. The method according to claim 1, wherein the application layer control messages are session initiation protocol (SIP) messages.
  - 17. The method according to claim 1, wherein the security border node is configured to receive updated sets of signatures from the at least one further security border nodes.
  - 18. The method according to claim 1, wherein the distributed adaptive security loop is based on a peer-to-peer information exchange.

4. A protection unit for protecting a packet-based network from attacks, comprising:
- a signature analyzer configured to analyze a packet stream received in a security border node of the packet-based network and to detect attacks via a comparison of signatures of the packet stream with a set of signatures of previously identified attacks;
  
  an anomaly detector configured to detect anomalies in the packet stream;
  
  a signature interference unit configured to update the set of signatures when the anomalies in the packet stream are detected, the updated set of signatures being subsequently used by the signature analyzer to perform the signature analysis;
  
  a distribution unit configured to distribute at least one signature of the updated set of signatures to at least one further security border node of the packet-based network; and
  
  a session initiation protocol (SIP) stack configured to perform an anomaly detection by semantic processing on SIP messages contained in the packet stream, the updated set of signatures in the signature interference unit being based on the identified semantically incorrect SIP messages.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 14, 15)
- - 5. The protection unit according to claim 4, further comprising:
    - a control unit configured to control the sensitivity of the signature analyzer and/or of the anomaly detector using a security threshold for the detection of attacks and/or for the detection of the anomalies, the security threshold being adjusted in dependence of at least one characteristic of the attacks.
  - 6. The protection unit according to claim 5, wherein the anomaly detector is a parallel multi-sequence byte analyzer, wherein weights of a byte sequence analysis are controlled in dependence of the security threshold.
  - 7. The protection unit according to claim 5, further comprising:
    - a secured SIP stack to process application layer control messages contained in the data stream, a decision about the application layer control messages which have to be processed in the secured signalling stack being made in dependence of the security threshold.
  - 8. The protection unit according to claim 4, further comprising:
    - a decision unit configured to make a decision about the SIP messages contained in the data stream for which the anomaly detection has to be performed; and
      
      a session queuing unit configured to queue up the messages for which the anomaly detection is performed, the queued-up messages being either dropped or processed in dependence of the result of the anomaly detection.
  - 9. The protection unit according to claim 4, further comprising:
    - a pinhole to drop messages from the data stream, the pinhole being controlled in a feedback loop by the anomaly detector and/or by the signature analyzer.
  - 10. A security border node for a packet-based network, comprising:
    - a protection unit according to claim 4.
  - 11. A packet -based network, comprising:
    - at least two protection units according to claim 4, the protection units having a common signature interference unit which is arranged in a centralized network security instance of the packet-based network.
  - 14. The protection unit according to claim 4, wherein the anomaly detector is a statistical analyzer.
  - 15. The protection unit according to claim 5, wherein the at least one characteristic of the attacks is based on a number of the attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Wahl, Stefan, Domschitz, Peter, Sienel, Juergen, Noe, Bernhard
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US12/387,121
Publication Number

US 20090265778A1
Time in Patent Office

1,680 Days
Field of Search

726 11- 13, 726/22
US Class Current

726/11
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 65/1016 IP multimedia subsystem [IMS]

Attack protection for a packet-based network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Attack protection for a packet-based network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links