Attack protection for a packet-based network
Abstract
The invention relates to a protection unit for protecting a packet-based network from attacks, comprising: a signature analyzer for analyzing a packet stream received in a security border node of the packet-based network and for detecting attacks by comparing signatures of the packet stream with a set of signatures of previously identified attacks, an anomaly detector for detecting anomalies in the packet stream, and a signature interference unit for updating the set of signatures when anomalies in the packet stream are detected, the updated set of signatures being subsequently used for performing the signature analysis. A distribution unit distributes at least one signature of the updated set of signatures to at least one further security border node of the packet-based network. The invention also relates to a security border node comprising such a protection unit, a network comprising at least two such protection units, and a corresponding protection method.
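The loop the abstract describes (signature analysis, semantic anomaly detection on SIP messages, signature update, distribution to a further border node), as an added Python example that is not taken from the patent. The signature format (a hash of the message shape), the three semantic checks, and all names such as BorderNode and semantic_anomalies are assumptions made for illustration.

```python
import hashlib

REQUIRED = ("via", "from", "to", "call-id", "cseq")  # subset of headers RFC 3261 requires

def parse_sip(raw):
    """Split a SIP request into method, {lowercased header: value}, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def semantic_anomalies(raw):
    """Anomaly detection: reasons the message is semantically incorrect."""
    method, h, body = parse_sip(raw)
    reasons = [f"missing {n}" for n in REQUIRED if n not in h]
    if "cseq" in h and h["cseq"].split()[-1:] != [method]:
        reasons.append("CSeq method differs from request method")
    clen = h.get("content-length", "0")
    if not clen.isdigit() or int(clen) != len(body.encode()):
        reasons.append("Content-Length does not match body")
    return reasons

def signature(raw):
    """Assumed signature: hash of the message shape, not of its variable values."""
    method, h, _ = parse_sip(raw)
    cseq_method = (h.get("cseq", "").split() or [""])[-1]
    shape = "|".join([method, cseq_method, ",".join(h)])
    return hashlib.sha256(shape.encode()).hexdigest()[:16]

class BorderNode:
    def __init__(self):
        self.signatures, self.peers = set(), []

    def process(self, raw):
        sig = signature(raw)
        if sig in self.signatures:        # signature analysis against the known set
            return "blocked:signature"
        if semantic_anomalies(raw):       # semantic anomaly detection
            self.signatures.add(sig)      # update the local signature set
            for peer in self.peers:       # distribute to further border nodes
                peer.signatures.add(sig)
            return "blocked:anomaly"
        return "forwarded"

# Constructed sample messages
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP host.example.com\r\n"
        "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n"
        "Call-ID: a1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD = GOOD.replace("Call-ID: a1\r\n", "").replace("1 INVITE", "1 BYE")
```

The first node to see BAD pays for the semantic check once; after distribution, a peer node rejects a message of the same shape on the signature comparison alone.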
18 Claims
1. A method for protecting a packet-based network from attacks, comprising the steps of:
- performing a signature analysis on a packet stream received in a security border node of the packet-based network to detect attacks by comparing signatures of the packet stream with a set of signatures of previously identified attacks;
- performing, by the security border node, an anomaly detection on at least part of the packet stream to detect anomalies in the packet stream;
- updating, by the security border node, the set of signatures when the anomalies in the packet stream are detected, the updated set of signatures being subsequently used to perform the signature analysis;
- distributing, by the security border node, at least one signature of the updated set of signatures to at least one further security border node of the packet-based network; and
- performing, by the security border node, an anomaly detection by semantic processing on application layer control messages of the packet stream to identify semantically incorrect application layer control messages, and updating the set of signatures based on the identified semantically incorrect application layer control messages.
Dependent claims: 2, 3, 12, 13, 16, 17, 18
4. A protection unit for protecting a packet-based network from attacks, comprising:
- a signature analyzer configured to analyze a packet stream received in a security border node of the packet-based network and to detect attacks via a comparison of signatures of the packet stream with a set of signatures of previously identified attacks;
- an anomaly detector configured to detect anomalies in the packet stream;
- a signature interference unit configured to update the set of signatures when the anomalies in the packet stream are detected, the updated set of signatures being subsequently used by the signature analyzer to perform the signature analysis;
- a distribution unit configured to distribute at least one signature of the updated set of signatures to at least one further security border node of the packet-based network; and
- a session initiation protocol (SIP) stack configured to perform an anomaly detection by semantic processing on SIP messages contained in the packet stream, the updated set of signatures in the signature interference unit being based on the identified semantically incorrect SIP messages.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 14, 15
Specification