Methods and systems for controlling traffic on a communication network

US 8,995,274 B2
Filed: 07/02/2009
Issued: 03/31/2015
Est. Priority Date: 07/03/2008
Status: Active Grant

First Claim

Patent Images

1. A method for controlling traffic on a communication network, comprising:

receiving, at a hardware processor in a receiver, a query message for permission to send a data flow to the receiver;

sending, using the hardware processor, a permission message from the receiver;

receiving, at the hardware processor, a signaling message that indicates a volume of data that has been sent to the receiver;

determining, using the hardware processor, that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message; and

in response to determining that the at least one data packet is unauthorized, causing the path for sending the data flow to be changed using the hardware processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms for controlling traffic on a communication network are described. The mechanisms can be implemented, for example, using signaling messages. For example, a receiver can send a permission message to allow the sender to send a given amount of data along a particular path. As another example, a sender can send a query message indicating a volume of data that has been sent since the sender received a permission message. Upon receiving the query message, a receiver (or another device such as a router, etc.) can detect an attack by comparing the volume of data in the query message with the volume of data that has been received by the receiver. Upon detecting an attack, the receiver can drop unauthorized packets or request the sender to use a security protocol (e.g., IPsec AH) when transmitting data packets and/or change the path of the data flow (e.g., using multi-homing).

Citations

30 Claims

1. A method for controlling traffic on a communication network, comprising:
- receiving, at a hardware processor in a receiver, a query message for permission to send a data flow to the receiver;
  
  sending, using the hardware processor, a permission message from the receiver;
  
  receiving, at the hardware processor, a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determining, using the hardware processor, that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message; and
  
  in response to determining that the at least one data packet is unauthorized, causing the path for sending the data flow to be changed using the hardware processor.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the path is changed to use a relay node.
  - 3. The method of claim 1, wherein the path is changed using multi-homing.

4. A method for controlling traffic on a communication network, comprising:
- passing, using a hardware processor, a query message for permission to send a data flow to a receiver;
  
  passing, using the hardware processor, a permission message that authorizes the sender to send a given volume of data;
  
  receiving, at the hardware processor, a signaling message that indicates a volume of data that has been sent to the receiver; and
  
  determining, using the hardware processor, that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message.
- View Dependent Claims (5)
- - 5. The method of claim 4, further comprising dropping the at least one data packet that is determined to be unauthorized using the hardware processor.

6. A method for controlling traffic on a communication network, comprising:
- passing, using a hardware processor, a query message for permission to send a data flow to a receiver;
  
  passing, using the hardware processor, a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determining, using the hardware processor, that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message;
  
  in response to determining that the at least one data packet is unauthorized, passing, using the hardware processor, a permission message that indicates a security protocol to be used when transmitting packets to the receiver; and
  
  determining, using the hardware processor, that a further data packet being sent to the receiver violates the security protocol.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising blocking the data packet from being received at the receiver using the hardware processor.
  - 8. The method of claim 6, wherein the security protocol is IPSec AH.
  - 9. The method of claim 6, further comprising passing, using the hardware processor, a message indicating that an encryption technique used in the security protocol is changed.
  - 10. The method of claim 9, wherein the encryption technique is changed from symmetric key encryption to public key encryption.

11. A method for controlling traffic on a communication network, comprising:
- receiving, at a hardware processor in a receiver, a query message for permission to send a data flow to the receiver;
  
  receiving, at the hardware processor, a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determining, using the hardware processor, that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message;
  
  in response to determining that the at least one data packet is unauthorized, sending, using the hardware processor, a permission message that indicates a security protocol to be used when transmitting packets to the receiver; and
  
  detecting, using the hardware processor, that a further data packet being sent to the receiver violates the security protocol.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising ignoring the data packet at the receiver using the hardware processor.
  - 13. The method of claim 11, wherein the security protocol is IPSec AH.
  - 14. The method of claim 11, further comprising sending, using the hardware processor, a message indicating that an encryption technique used in the security protocol is changed.
  - 15. The method of claim 14, wherein the encryption technique is changed from symmetric key encryption to public key encryption.

16. A system for controlling traffic on a communication network, comprising:
- a receiver having a hardware processor that;
  
  receives a query message for permission to send a data flow to the receiver;
  
  sends a permission message from the receiver;
  
  receives a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determines that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message; and
  
  causes the path for sending the data flow to be changed in response to determining that the at least one data packet is unauthorized.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the path is changed using a relay node.
  - 18. The system of claim 16, wherein the path is changed using multi-homing.

19. A system for controlling traffic on a communication network, comprising:
- a hardware processor that;
  
  passes a query message for permission to send a data flow to a receiver;
  
  passes a permission message that authorizes the sender to send a given volume of data;
  
  receives a signaling message that indicates a volume of data that has been sent to the receiver; and
  
  determines that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the hardware processor drops the at least one data packet that is determined to be unauthorized.

21. A system for controlling traffic on a communication network, comprising:
- a hardware processor that;
  
  passes a query message for permission to send a data flow to a receiver;
  
  passes a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determines that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message;
  
  in response to determining that the at least one data packet is unauthorized, passes a permission message that indicates a security protocol to be used when transmitting packets to the receiver; and
  
  detects that a further data packet being sent to the receiver violates the security protocol.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, wherein the hardware processor also blocks the data packet from being received at the receiver.
  - 23. The system of claim 21, wherein the security protocol is IPSec AH.
  - 24. The system of claim 21, wherein the hardware processor also causes an encryption technique used in the security protocol to be changed.
  - 25. The system of claim 24, wherein the encryption technique is changed from symmetric key encryption to public key encryption.

26. A system for controlling traffic on a communication network, comprising:
- a receiver having a hardware processor that;
  
  receives a query message for permission to send a data flow to the receiver;
  
  receives a signaling message that indicates a volume of data that has been sent to the receiver;
  
  determines that at least one data packet is unauthorized if a volume of data that has been received by the receiver is greater than the volume of data that has been sent to the receiver as indicated in the signaling message;
  
  in response to determining that the at least one data packet is unauthorized, sends a permission message that indicates a security protocol to be used when transmitting packets to the receiver; and
  
  detects that a further data packet being sent to the receiver violates the security protocol.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The system of claim 26, wherein the receiver also ignores the data packet at the receiver.
  - 28. The system of claim 26, wherein the security protocol is IPSec AH.
  - 29. The system of claim 26, wherein the hardware processor also causes an encryption technique used in the security protocol to be changed.
  - 30. The system of claim 29, wherein the encryption technique is changed from symmetric key encryption to public key encryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Hong, Se Gi, Schulzrinne, Henning
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
PARSONS, THEODORE C

Application Number

US13/002,417
Publication Number

US 20110107098A1
Time in Patent Office

2,098 Days
Field of Search

726/23, 726/26, 726/22, 370/235, 370/229, 370/236
US Class Current

370/236
CPC Class Codes

H04L 2463/143   Denial of service attacks i...

H04L 45/00   Routing or path finding of ...

H04L 45/22   Alternate routing

H04L 45/304   Route determination for sig...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Methods and systems for controlling traffic on a communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for controlling traffic on a communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links