Techniques for network protection based on subscriber-aware application proxies
First Claim
1. A method implemented at an information processing apparatus, the method comprising:
receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
identifying, with the information processing apparatus, an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
responding to the intrusion condition, with the information processing apparatus, based on the user name in the subscriber data.
Abstract
Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
20 Claims
1. A method implemented at an information processing apparatus, the method comprising:
receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
identifying, with the information processing apparatus, an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
responding to the intrusion condition, with the information processing apparatus, based on the user name in the subscriber data.
Dependent claims: 2, 3, 4, 5, 6, 7

8. Logic encoded in one or more non-transitory media that includes code for execution and, when executed by one or more processors, is operable to perform operations comprising:
receiving subscriber data in a communication path between a network access server and an authentication, authorization, and accounting server, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time;
identifying an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and
responding to the intrusion condition based on the user name.
Dependent claims: 9, 10, 11, 12, 13, 14

15. An apparatus, comprising:
a network interface coupled to a packet switched network in a communication path between a network access server and an authentication, authorization, and accounting server; and
one or more processors operable to execute instructions such that the apparatus is configured to receive subscriber data through the network interface, wherein the subscriber data includes a user name and a number of open data flows established in a predetermined period of time; identify an occurrence of an intrusion condition, in response to a determination that the number of open data flows established in the predetermined period of time exceeds a predetermined threshold rate; and respond to the intrusion condition based on the user name.
Dependent claims: 16, 17, 18, 19, 20
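The abstract and the independent claims above describe one detection rule (a threshold on flows opened per subscriber in a fixed period) and one response rule (act on the user name rather than the host's network address). The following Python model is an added illustration, not code from the patent, its assignee or any product; the record field names, the sample flow-open events, the window and threshold values and the response directive format are all assumptions. It goes one step beyond the claim text by running the same sliding-window counter keyed on IP address next to the user-name-keyed one, to show what the subscriber-aware key buys when a host changes address mid-session.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


@dataclass(frozen=True)
class FlowOpen:
    """One 'new data flow opened' event attributed to a subscriber.

    Field names are assumptions standing in for the subscriber identifier,
    network address and NAS identifier the abstract describes."""
    t: float       # seconds since the start of observation
    user: str      # subscriber user name learned from the NAS/AAA exchange
    host_ip: str   # address the subscriber's host is currently using
    nas_id: str    # identifier of the network access server


def by_user(rec: FlowOpen) -> str:
    return rec.user


def by_ip(rec: FlowOpen) -> str:
    return rec.host_ip


@dataclass
class FlowRateDetector:
    """Sliding-window count of flows opened per key.

    The intrusion condition is met when more than `threshold` flows have been
    opened under one key within the last `window` seconds."""
    window: float
    threshold: int
    key_fn: Callable[[FlowOpen], str]
    opened: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    flagged: List[str] = field(default_factory=list)

    def observe(self, rec: FlowOpen) -> bool:
        """Record one flow-open event; return True the first time its key trips."""
        key = self.key_fn(rec)
        q = self.opened[key]
        q.append(rec.t)
        # forget flow-open events that have fallen out of the window
        while q and rec.t - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and key not in self.flagged:
            self.flagged.append(key)
            return True
        return False


def detect(records: List[FlowOpen], key_fn: Callable[[FlowOpen], str],
           window: float = 10.0, threshold: int = 6) -> List[str]:
    """Run the detector over the events in time order; return the keys that tripped."""
    det = FlowRateDetector(window, threshold, key_fn)
    for rec in sorted(records, key=lambda r: r.t):
        det.observe(rec)
    return det.flagged


def respond_by_user(user: str, records: List[FlowOpen]) -> dict:
    """Build a response addressed to the subscriber, not to an IP address.

    The directive format is an assumption; the point is that it names the
    user and every NAS the user was seen on, so it still applies after the
    host changes address."""
    nas_ids = sorted({r.nas_id for r in records if r.user == user})
    return {"user": user, "action": "rate_limit_new_flows", "nas_ids": nas_ids}


# Constructed sample: alice opens 5 flows, re-attaches with a new address and
# NAS, then opens 5 more, all inside one 10-second window. bob is benign.
SAMPLE_FLOWS = (
    [FlowOpen(t, "alice", "10.0.0.5", "nas-1") for t in (0.0, 1.0, 2.0, 3.0, 4.0)]
    + [FlowOpen(t, "alice", "10.0.0.9", "nas-2") for t in (5.0, 6.0, 7.0, 8.0, 9.0)]
    + [FlowOpen(t, "bob", "10.0.0.7", "nas-1") for t in (0.5, 3.5, 6.5)]
)


if __name__ == "__main__":
    print("keyed on user name:", detect(SAMPLE_FLOWS, by_user))   # ['alice']
    print("keyed on IP address:", detect(SAMPLE_FLOWS, by_ip))    # []
    for user in detect(SAMPLE_FLOWS, by_user):
        print(respond_by_user(user, SAMPLE_FLOWS))
```

Keyed on the user name, alice's seventh flow at t=6.0 exceeds the threshold of 6 within the 10-second window; keyed on the host address, her activity is split across two addresses of five flows each and neither trips. The response carries the user name and the NAS identifiers from the subscriber data, which is the part of the user data the abstract says the gateway should act on instead of the network address.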
Specification