System and method for detecting hacked modems

US 8,707,339 B2
Filed: 07/30/2010
Issued: 04/22/2014
Est. Priority Date: 07/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing a heuristic test on an online communication device to determine a likelihood that the communication device is hacked, wherein performing the heuristic test comprises;

determining that a provisioning mode of the communication device is in accordance with DOCSIS 1.0, and either that a STB QoS profile is not present and the communication device conforms to DOCSIS 2.0 or higher or that a STB QoS profile is present and a public customer premises equipment is present behind the communication device, andbased on the determining, noting that the likelihood that the communication device is hacked is increased; and

associating the likelihood that the communication device is hacked with the communication device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for detecting hacked modems in a cable network system. A cable Internet service provider can provide the disclosed heuristic to determine whether a particular cable modem has likely been hacked by obtaining a score corresponding to this likelihood. This score, as well as information regarding failure and success of various tests, can be used to generate a report identifying the likelihood that various modems have been hacked.

Citations

69 Claims

1. A method comprising:
- performing a heuristic test on an online communication device to determine a likelihood that the communication device is hacked, wherein performing the heuristic test comprises;
  
  determining that a provisioning mode of the communication device is in accordance with DOCSIS 1.0, and either that a STB QoS profile is not present and the communication device conforms to DOCSIS 2.0 or higher or that a STB QoS profile is present and a public customer premises equipment is present behind the communication device, andbased on the determining, noting that the likelihood that the communication device is hacked is increased; and
  
  associating the likelihood that the communication device is hacked with the communication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 68)
- - 2. The method of claim 1, further comprising:
    - intercepting communications for the communication device based on the likelihood that the communication device is hacked;
      
      inserting a warning message in the intercepted communications; and
      
      forwarding the intercepted communications comprising the warning message to the communication device.
  - 3. The method of claim 2, wherein the intercepted communications comprise an HTTP session.
  - 4. The method of claim 1, wherein associating the likelihood that the communication device is hacked with the communication device further comprises:
    - producing a score based on a set of test results of the heuristic test; and
      
      associating the likelihood that the communication device is hacked with the communication device based on the score being above a threshold.
  - 5. The method of claim 4, wherein producing the score comprises:
    - performing two or more individually-scored tests to produce the set of test results,wherein the score is based on score results from the set of test results of the two or more individually-scored tests.
  - 6. The method of claim 1, wherein performing the heuristic test comprises:
    - determining whether a valid account is associated with the communication device.
  - 7. The method of claim 1, wherein performing the heuristic test comprises:
    - determining whether the communication device is attached to an expected network element if the communication device has a conflicting unique identifier.
  - 8. The method of claim 7, wherein the network element comprises a network node.
  - 9. The method of claim 7, wherein the unique identifier comprises a MAC address.
  - 10. The method of claim 1, wherein performing the heuristic test comprises:
    - determining whether the communication device responds to a remote management query; and
      
      resending the remote management query after rebooting the communication device, if the communication device does not respond to the remote management query.
  - 11. The method of claim 10, wherein the remote management query comprises an SNMP query.
  - 12. The method of claim 1, wherein performing the heuristic test comprises:
    - determining whether a MAC address for the communication device has a valid OUI component.
  - 13. The method of claim 1, wherein performing the heuristic test comprises:
    - obtaining the communication device'"'"'s model name and configuration file name;
      
      determining whether the communication device'"'"'s model name matches an expected model name;
      
      determining whether the configuration file name matches an expected pattern; and
      
      determining whether a MAC address embedded in the configuration file name matches a MAC address in use by the communication device.
  - 14. The method of claim 1, wherein performing the heuristic test comprises:
    - determining whether BPI+ has been disabled, whether the communication device is using a default configuration template, and whether the communication device conforms to the DOCSIS 2.0 standard or higher.
  - 15. The method of claim 1, wherein the communication device comprises a cable modem.
  - 16. The method of claim 1, wherein the communication device comprises a cable set-top box.
  - 17. The method of claim 1, wherein associating the likelihood that the communication device is hacked with the communication device further comprises:
    - applying a classification rule to a set of test results of the heuristic test; and
      
      associating the communication device with a classification group corresponding to the likelihood that the communication device is hacked.
  - 18. The method of claim 1, further comprising:
    - generating a report comprising a listing of communication devices associated with a specified likelihood that the communication devices are hacked.
  - 19. The method of claim 1, further comprising:
    - disabling the communication device based on the likelihood that the communication device is hacked.
  - 20. The method of claim 1, further comprising:
    - disabling a feature of the communication device based on the likelihood that the communication device is hacked.
  - 21. The method of claim 20, wherein the disabled feature comprises a communication function of the communication device.
  - 22. The method of claim 1, further comprising:
    - limiting communications of the communication device based on the likelihood that the communication device is hacked.
  - 68. The method of claim 1, wherein performing the heuristic test further comprises performing the heuristic test such that the communication device is able to access a communication network while circumventing legitimacy mechanisms.

23. A computer-readable storage device having stored thereon computer-executable instructions, execution of which, by one or more computing devices, causes the computing devices to perform operations comprising:
- performing a heuristic test on an online communication device to determine a likelihood that the communication device is hacked, wherein performing the heuristic test comprises;
  
  determining that a provisioning mode of the communication device is in accordance with DOCSIS 1.0, and either that a STB QoS profile is not present and the communication device conforms to DOCSIS 2.0 or higher or that a STB QoS profile is present and public customer premises equipment is present behind the communication device, andbased on the determining, noting that the likelihood that the communication device is hacked is increased; and
  
  associating the likelihood that the communication device is hacked with the communication device.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 69)
- - 24. The computer-readable storage device of claim 23, the operations further comprising:
    - intercepting communications for the communication device based on the likelihood that the communication device is hacked;
      
      inserting a warning message in the intercepted communications; and
      
      forwarding the intercepted communications comprising the warning message to the communication device.
  - 25. The computer-readable storage device of claim 24, wherein the intercepted communications comprise an HTTP session.
  - 26. The computer-readable storage device of claim 23, wherein associating the likelihood that the communication device is hacked with the communication device further comprises:
    - producing a score based on a set of test results of the heuristic test; and
      
      associating the likelihood that the communication device is hacked with the communication device based on the score being above a threshold.
  - 27. The computer-readable storage device of claim 26, wherein producing the score comprises:
    - performing two or more individually-scored tests to produce the set of test results, wherein the score is based on score results from the set of test results of the two or more individually-scored tests.
  - 28. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - determining whether a valid account is associated with the communication device.
  - 29. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - determining whether the communication device is attached to an expected network element if the communication device has a conflicting unique identifier.
  - 30. The computer-readable storage device of claim 29, wherein the network element comprises a network node.
  - 31. The computer-readable storage device of claim 29, wherein the unique identifier comprises a MAC address.
  - 32. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - determining whether the communication device responds to a remote management query; and
      
      resending the remote management query after rebooting the communication device, if the communication device does not respond to the remote management query.
  - 33. The computer-readable storage device of claim 32, wherein the remote management query comprises an SNMP query.
  - 34. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - determining whether a MAC address for the communication device has a valid OUT component.
  - 35. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - obtaining the communication device'"'"'s model name and configuration file name;
      
      determining whether the communication device'"'"'s model name matches an expected model name;
      
      determining whether the configuration file name matches an expected pattern; and
      
      determining whether a MAC address embedded in the configuration file name matches a MAC address in use by the communication device.
  - 36. The computer-readable storage device of claim 23, wherein performing the heuristic test comprises:
    - determining whether BPI+ has been disabled, whether the communication device is using a default configuration template, and whether the communication device conforms to the DOCSIS 2.0 standard or higher.
  - 37. The computer-readable storage device of claim 23, wherein the communication device comprises a cable modem.
  - 38. The computer-readable storage device of claim 23, wherein the communication device comprises a cable set-top box.
  - 39. The computer-readable storage device of claim 23, wherein associating the likelihood that the communication device is hacked with the communication device further comprises:
    - applying a classification rule to a set of test results of the heuristic test; and
      
      associating the communication device with a classification group corresponding to the likelihood that the communication device is hacked.
  - 40. The computer-readable storage device of claim 23, the operations further comprising:
    - generating a report comprising a listing of communication devices associated with a specified likelihood that the communication devices are hacked.
  - 41. The computer-readable storage device of claim 23, the operations further comprising:
    - disabling the communication device based on the likelihood that the communication device is hacked.
  - 42. The computer-readable storage device of claim 23, the operations further comprising:
    - disabling a feature of the communication device based on the likelihood that the communication device is hacked.
  - 43. The computer-readable storage device of claim 23, wherein the disabled feature comprises a communication function of the communication device.
  - 44. The computer-readable storage device of claim 23, the operations further comprising:
    - limiting communications of the communication device based on the likelihood that the communication device is hacked.
  - 69. The computer-readable storage device of claim 23, wherein performing the heuristic test further comprises performing the heuristic test such that the communication device is able to access a communication network while circumventing legitimacy mechanisms.

45. A system comprising:
- a memory configured to store modules comprising;
  
  a performing module configured to perform a heuristic test on an online communication device to determine a likelihood that the communication device is hacked, wherein performing the heuristic test comprises;
  
  determining that a provisioning mode of the communication device is in accordance with DOCSIS 1.0, and either that a STB QoS profile is not present and the communication device conforms to DOCSIS 2.0 or higher or that a STB QoS profile is present and a public customer premises equipment is present behind the communication device, andbased on the determining, noting that the likelihood that the communication device is hacked is increased, andan associating module configured to associate the likelihood that the communication device is hacked with the communication device; and
  
  one or more processors configured to process the modules.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67)
- - 46. The system of claim 45, further comprising:
    - an intercepting module configured to intercept communications for the communication device based on the likelihood that the communication device is hacked;
      
      an inserting module configured to insert a warning message in the intercepted communications; and
      
      a forwarding module configured to forward the intercepted communications comprising the warning message to the communication device.
  - 47. The system of claim 46, wherein the intercepted communications comprise an HTTP session.
  - 48. The system of claim 45, wherein the associating module is further configured to produce a score based on a set of test results of the heuristic test, and to associate the likelihood that the communication device is hacked with the communication device based on the score being above a threshold.
  - 49. The system of claim 48, wherein producing the score comprises:
    - performing two or more individually-scored tests to produce the set of test results, wherein the score is based on score results from the set of test results of the two or more individually-scored tests.
  - 50. The system of claim 45, wherein the performing module is further configured to determine whether a valid account is associated with the communication device.
  - 51. The system of claim 45, wherein the performing module is further configured to determine whether the communication device is attached to an expected network element if the communication device has a conflicting unique identifier.
  - 52. The system of claim 51, wherein the network element comprises a network node.
  - 53. The system of claim 51, wherein the unique identifier comprises a MAC address.
  - 54. The system of claim 45, wherein the performing module is further configured to determine whether the communication device responds to a remote management query, and to resend the remote management query after rebooting the communication device, if the communication device does not respond to the remote management query.
  - 55. The system of claim 54, wherein the remote management query comprises an SNMP query.
  - 56. The system of claim 45, wherein the performing module is further configured to determine whether a MAC address for the communication device has a valid OUI component.
  - 57. The system of claim 45, wherein the performing module is further configured to obtain the communication device'"'"'s model name and configuration file name, to determine whether the communication device'"'"'s model name matches an expected model name, to determine whether the configuration file name matches an expected pattern, and to determine whether a MAC address embedded in the configuration file name matches a MAC address in use by the communication device.
  - 58. The system of claim 45, wherein the performing module is further configured to determine whether BPI+ has been disabled, the communication device is using a default configuration template, and the communication device conforms to the DOCSIS 2.0 standard or higher.
  - 59. The system of claim 45, wherein the communication device comprises a cable modem.
  - 60. The system of claim 45, wherein the communication device comprises a cable set-top box.
  - 61. The system of claim 45, wherein the associating module is further configured to apply a classification rule to a set of test results of the heuristic test, and to associate the communication device with a classification group corresponding to the likelihood that the communication device is hacked.
  - 62. The system of claim 45, further comprising:
    - a generating module configured to generate a report comprising a listing of communication devices associated with a specified likelihood that the communication devices are hacked.
  - 63. The system of claim 45, further comprising:
    - a disabling module configured to disable the communication device based on the likelihood that the communication device is hacked.
  - 64. The system of claim 45, further comprising:
    - a disabling module configured to disable a feature of the communication device based on the likelihood that the communication device is hacked.
  - 65. The system of claim 64, wherein the disabled feature comprises a communication function of the communication device.
  - 66. The system of claim 45, further comprising:
    - a limiting module configured to limit communications of the communication device based on the likelihood that the communication device is hacked.
  - 67. The system of claim 45, wherein the performing module is configured to perform the heuristic test such that the communication device is able to access a communication network while circumventing legitimacy mechanisms.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CSC Holdings LLC (Altice USA, Inc.), CSC Holdings, Inc. (Expedia Group, Inc.)
Original Assignee
CSC Holdings LLC (Altice USA, Inc.)
Inventors
Godas, Joe, Pomeroy, John, Daniels, Brian
Primary Examiner(s)
Kumar, Pankaj
Assistant Examiner(s)
ANDRAMUNO, FRANKLIN S

Application Number

US12/847,180
Publication Number

US 20120030724A1
Time in Patent Office

1,362 Days
Field of Search

725/111, 725/109, 725/133
US Class Current

725/10
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 16/951   Indexing; Web crawling tech...

H04L 63/1466   Active attacks involving in...

H04N 21/2347   involving video stream encr...

H04N 21/2396   characterized by admission ...

H04N 21/6118   involving cable transmissio...

H04N 21/6168   involving cable transmissio...

H04W 12/121   Wireless intrusion detectio...

System and method for detecting hacked modems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting hacked modems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links