Techniques for network protection based on subscriber-aware application proxies

US 8,844,035 B2
Filed: 02/09/2012
Issued: 09/23/2014
Est. Priority Date: 11/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method implemented at an information processing apparatus, the method comprising:

receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;

identifying, with the information processing apparatus, an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and

responding to the intrusion condition, with the information processing apparatus, based on the user name in the subscriber data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.

64 Citations

View as Search Results

20 Claims

1. A method implemented at an information processing apparatus, the method comprising:
- receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
  
  identifying, with the information processing apparatus, an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
  
  responding to the intrusion condition, with the information processing apparatus, based on the user name in the subscriber data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the subscriber data comprises a number of open data flows for which an acknowledgement has not been received, and the identifying the occurrence of the intrusion condition comprises determining if the number of open data flows for which an acknowledgement has not been received exceeds a threshold.
  - 3. The method of claim 1, wherein the responding to the intrusion condition comprises penalizing a subscriber associated with the user name.
  - 4. The method of claim 1, wherein the responding to the intrusion condition comprises terminating communications associated with the user name.
  - 5. The method of claim 1, wherein responding to the intrusion condition comprises preventing a network access with the user name.
  - 6. The method of claim 1, wherein the responding to the intrusion condition includes sending a message to a network access server in response to the identifying, and the subscriber data indicates an IP address of the network access server.
  - 7. The method of claim 1, further comprising:
    - maintaining a mapping between an IP address and the user name.

8. Logic encoded in one or more non-transitory media that includes code for execution and, when executed by one or more processors, is operable to perform operations comprising:
- receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
  
  identifying an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
  
  responding to the intrusion condition based on the user name.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The encoded logic of claim 8, wherein the subscriber data comprises a number of open data flows for which an acknowledgement has not been received, and the identifying the occurrence of the intrusion condition comprises determining if the number of open data flows for which an acknowledgement has not been received exceeds a threshold.
  - 10. The encoded logic of claim 8, wherein the responding to the intrusion condition comprises penalizing a subscriber associated with the user name.
  - 11. The encoded logic of claim 8, wherein the responding to the intrusion condition comprises terminating communications associated with the user name.
  - 12. The encoded logic of claim 8, wherein the responding to the intrusion condition comprises preventing a network access with the user name.
  - 13. The encoded logic of claim 8, wherein the responding to the intrusion condition includes sending a message to a network access server in response to the identifying, and the subscriber data indicates an IP address of the network access server.
  - 14. The encoded logic of claim 8, the operations further comprising:
    - maintaining a mapping between an IP address and the user name.

15. An apparatus, comprising:
- a network interface coupled to a packet switched network in a communication path between a network access server and an authentication, authorization, and accounting server; and
  
  one or more processors operable to execute instructions such that the apparatus is configured toreceive subscriber data through the network interface, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
  
  identify an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
  
  respond to the intrusion condition based on the user name.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the subscriber data comprises a number of open data flows for which an acknowledgement has not been received, and the one or more processors determine if the number of open data flows for which an acknowledgement has not been received exceeds a threshold.
  - 17. The apparatus of claim 15, wherein the apparatus responds to the intrusion condition by penalizing a subscriber associated with the user name.
  - 18. The apparatus of claim 15, wherein the apparatus responds to the intrusion condition by terminating communications associated with the user name.
  - 19. The apparatus of claim 15, wherein the one or more processors respond to the intrusion condition at least by sending a message to a network access server, and the subscriber data indicates an IP address of the network access server.
  - 20. The apparatus of claim 15, wherein the one or more processors maintain a mapping between an IP address and the user name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
O'Rourke, Christopher C., Bordonaro, Frank Gerard, Menditto, Louis, Batz, Robert
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/369,498
Publication Number

US 20120137366A1
Time in Patent Office

957 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Techniques for network protection based on subscriber-aware application proxies

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for network protection based on subscriber-aware application proxies

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links