Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services

US 8,769,682 B2
Filed: 09/18/2008
Issued: 07/01/2014
Est. Priority Date: 09/18/2008
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus in a network for providing a plurality of Internet protocol television (IPTV) streams, comprising:

a memory configured to store a plurality of parameter characteristics indicative of a security breach in the network; and

a processing module configured to;

receive a first plurality of control messages addressed to a first multicast group from at least one network element in the network, wherein the first plurality of control messages is operably transmitted by an authorized user device in the network to a service provider device in the network and is re-addressed by the at least one network element for transmission to the first multicast group, wherein the first multicast group includes at least the apparatus and the service provider device as destinations;

monitor the first plurality of control messages for at least one of the plurality of parameter characteristics;

determine that the first plurality of control messages displays at least one of the plurality of parameter characteristics;

perform at least one protective measurement that includes;

subscribing to a second multicast group including a plurality of IPTV streams associated with the authorized user device, wherein the second multicast group includes at least the first apparatus and the service provider device as destinations;

performing deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and

in the event that an anomaly within the at least one packet is detected, removing the at least one packet from the at least one of the plurality of IPTV streams.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services. By monitoring the characteristics of various control messages being transmitted within a network that services Internet protocol television (IPTV) content to identify suspicious behavior (e.g., such as that associated with malicious content, denial of service (DoS) attacks, IPTV service stealing, etc.). In addition to monitoring control messages within such a network, deep packet inspection (DPI) may be performed for individual packets within an IPTV stream to identify malicious content therein (e.g., worms, viruses, etc. actually within the IPTV stream itself). By monitoring control messages and/or actual IPTV content within a network (e.g., vs. at the perimeter of a network only), protection against both outside and inside attacks can be effectuated. This network level basis of operation effectively guards against promulgation of malicious content to other devices within the network.

13 Citations

View as Search Results

20 Claims

1. An apparatus in a network for providing a plurality of Internet protocol television (IPTV) streams, comprising:
- a memory configured to store a plurality of parameter characteristics indicative of a security breach in the network; and
  
  a processing module configured to;
  
  receive a first plurality of control messages addressed to a first multicast group from at least one network element in the network, wherein the first plurality of control messages is operably transmitted by an authorized user device in the network to a service provider device in the network and is re-addressed by the at least one network element for transmission to the first multicast group, wherein the first multicast group includes at least the apparatus and the service provider device as destinations;
  
  monitor the first plurality of control messages for at least one of the plurality of parameter characteristics;
  
  determine that the first plurality of control messages displays at least one of the plurality of parameter characteristics;
  
  perform at least one protective measurement that includes;
  
  subscribing to a second multicast group including a plurality of IPTV streams associated with the authorized user device, wherein the second multicast group includes at least the first apparatus and the service provider device as destinations;
  
  performing deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
  
  in the event that an anomaly within the at least one packet is detected, removing the at least one packet from the at least one of the plurality of IPTV streams.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein:
    - the first plurality of control message includes at least one of an Internet Group Message Protocol (IGMP) message and a Customer premise Management System (CMS) message.
  - 3. The apparatus of claim 1, wherein the processing module is configured to determine that the at least one of the plurality of parameter characteristics in the at least one of the first plurality of control messages indicates a security breach by at least one of:
    - determining a deviation of an expected number of control messages sent per unit of time from the authorized user device in the network;
      
      determining a deviation of an expected number of control messages sent per unit of time from an authorized residential gateway in the network;
      
      determining a deviation from an expected rate of re-booting of the authorized user device in the network;
      
      determining a deviation from an expected value of a selected bit within a control message;
      
      determining a deviation from an expected switch through which a control message passes from the authorized user device; and
      
      determining a deviation from typical usage of IPTV streams based on a history of IPTV streams received or selected by the authorized.
  - 4. The apparatus of claim 1, wherein the processing module is configured to determine that the at least one of the plurality of parameter characteristics in the at least one of the first plurality of control messages indicates a security breach by:
    - determining that the at least one of the first plurality of control messages includes indicia corresponding to virus, worm, or malware infection.
  - 5. The apparatus of claim 1, wherein:
    - in the event that the processing module detects an anomaly within the at least one packet of the plurality of IPTV streams, the processing module is further configured to block the at least one of the plurality of IPTV streams from being broadcast via the network by the service provider device.
  - 6. The apparatus of claim 5, wherein:
    - the anomaly indicates that the at least one packet is virus, worm, or malware infected.
  - 7. The apparatus of claim 1, wherein in the event that the processing module determines at least one of the plurality of parameter characteristics in at least one of the first plurality of control messages indicates a security breach, the processing module is further configured to perform at least one of the following protective measurements:
    - generate an instruction to block any future control message sent from the authorized user device;
      
      generate an instruction to block the plurality of IPTV streams from being broadcast to the authorized user device; and
      
      monitor a second plurality of control messages sent from the authorized user device to the service provider device and in the event that at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, generate an instruction to block any future control message sent from the authorized user device.
  - 8. The apparatus of claim 1, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      the first multicast group includes the first plurality of control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a third multicast group includes a second plurality of control messages having at least one of a second type, a second service, and a second receiving device associated therewith;
      
      control messages of the first multicast group are received by the apparatus; and
      
      control messages of the third multicast group are received by at least one additional apparatus.
  - 9. The apparatus of claim 1, wherein:
    - the processing module is further configured to;
      
      update the plurality of parameter characteristics based on the first plurality of control messages thereby generating an updated plurality of parameter characteristics;
      
      monitor a second plurality of control messages for at least one of the updated plurality of parameter characteristics for determining a security breach in the network; and
      
      in the event that at least one of the second plurality of control messages includes characteristics corresponding to at least one of the updated plurality of parameter characteristics, isolate the authorized user device from the network.
  - 10. The apparatus of claim 1, wherein the processing module is configured to track one or more of the following plurality of parameter characteristics:
    - a number of control messages sent per unit of time by the authorized user device;
      
      a number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the authorized user device;
      
      an expected value of a selected bit within a control message;
      
      an address of a switch through which a control message passes between the authorized user device and the service provider device; and
      
      a history of IPTV streams received or selected by the authorized user device.

11. An apparatus in a network for providing a plurality of Internet protocol television (IPTV) streams, comprising:
- a memory that stores a plurality of parameter characteristics; and
  
  a processing module that;
  
  monitors a first plurality of control messages sent from an authorized user device to a service provider device in the network, wherein the first plurality of control messages identifies a first multicast group that includes at least the apparatus and the service provider device as destinations and wherein at least one network element readdressed the first plurality of control messages to the first multicast group; and
  
  in the event that at least one of the first plurality of control messages includes at least one of the plurality of parameter characteristics indicating a security breach, the processing module;
  
  generates an instruction to isolate the authorized user device from the network;
  
  generates an instruction to block the plurality IPTV streams from being broadcast to the authorized user device;
  
  monitors a second plurality of control messages sent from the authorized user device to the service provider device and in the event that at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, generates an instruction to block any future control message sent from the first device; and
  
  performs deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams to the authorized user device and in the event that the processing module detects an anomaly within the at least one packet in accordance with the DPI, the processing module performs at least one of;
  
  removes the at least one packet from the at least one of the plurality of IPTV streams; and
  
  generates an instruction to block the at least one of the plurality of IPTV streams from being broadcast via the network by the second device.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein:
    - the plurality of control message includes at least one of an Internet Group Message Protocol (IGMP) message and a Customer premise Management System (CMS) message.
  - 13. The apparatus of claim 11, wherein:
    - the at least one of the plurality of parameter characteristics includes indicia corresponding to virus, worm, or malware infection.
  - 14. The apparatus of claim 11, wherein:
    - the anomaly indicates that the at least one packet is virus, worm, or malware infected.
  - 15. The apparatus of claim 11, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      the first multicast group includes control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a second multicast group includes control messages having at least one of a second type, a second service, and a second receiving device associated therewith;
      
      control messages of the first multicast group are received by the apparatus; and
      
      control messages of the second multicast group are received by at least one additional apparatus.
  - 16. The apparatus of claim 11, wherein one of the plurality of parameter characteristics includes at least one of:
    - a number of control messages sent per unit of time;
      
      a deviation of the number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the authorized user device;
      
      an expected value of a selected bit within a control message;
      
      a switch through which a control message passes between the authorized user device and the service provider device; and
      
      a history of IPTV streams received or selected by the authorized user device.

17. A method, comprising:
- receiving control messages in a first multicast group by a security device that is a member of the first multicast group, wherein the control messages are transmitted from a authorized user device to a service provider device in a network for providing a plurality of Internet protocol television (IPTV) streams via the network and wherein at least one network element readdressed the first plurality of control messages to the first multicast group;
  
  monitoring a first plurality of the control messages by the security device;
  
  in the event that at least one of the first plurality of control messages includes characteristics corresponding to at least one of a plurality of parameter characteristics, performing by the security device;
  
  instructing to block any future control message sent from the first device;
  
  instructing to block the plurality IPTV streams from being broadcast to the first device; and
  
  monitoring a second plurality of control messages sent from the first device to the second device and instructing to isolate the first device from the network in the event that at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - performing deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
      
      in the event that an anomaly is detected within the at least one packet in accordance with the DPI, providing an instruction to block the at least one of the plurality of IPTV streams from being broadcast via the network by the second device.
  - 19. The method of claim 17, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      a first multicast group includes control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a second multicast group includes control messages having at least one of a second type, a second service, and a second receiving device associated therewith; and
      
      further comprising;
      
      providing control messages of the first multicast group to a first security appliance that is coupled to the network; and
      
      providing control messages of the second multicast group to a second security appliance that is coupled to the network.
  - 20. The method of claim 17, wherein one of the plurality of parameter characteristics includes at least one of:
    - a number of control messages sent per unit of time;
      
      a deviation of the number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the first device;
      
      an expected value of a selected bit within a control message;
      
      an address of a switch through which a control message passes between the authorized user device and the service provider device; and
      
      a history of IPTV streams received or selected by the authorized user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
KHAN, FAUD A., Guingo, Pierrick, Choyi, Vinod K.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US12/233,561
Publication Number

US 20100071062A1
Time in Patent Office

2,112 Days
Field of Search

726/13, 726/22, 726/23, 370/352, 709/223
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 41/0213   Standardised network manage...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 65/611   for multicast or broadcast ...

H04N 21/6405   Multicasting data broadcast...

H04N 21/64322   IP

H04N 21/64723   Monitoring of network proce...

Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others