System and method for correlating network information with subscriber information in a mobile network environment

US 9,185,093 B2
Filed: 12/31/2012
Issued: 11/10/2015
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an out of band network threat behavior analysis engine, a plurality of records containing information related to network traffic associated with a network connection between a packet data network and a subscriber device of a plurality of subscriber devices in a mobile network, wherein the information is to include a network address and application metadata of at least one application used by the subscriber device, wherein the network traffic is intercepted by a network security device that generates the plurality of records;

extracting at least some of the application metadata from the plurality of records;

correlating the information with a mobile telephone number of the subscriber device based on the network address from the information being mapped to subscriber device information of the subscriber device in a memory element that maps subscriber device information of authenticated subscriber devices in the mobile network to real-time network addresses of the authenticated subscriber devices; and

generating a network behavior profile for the subscriber device based, at least in part, on the extracted application metadata, wherein the network behavior profile is to include a characterization of network traffic sent by the subscriber device, an identification of one or more applications used by the subscriber device, and an identification of communications by the subscriber device to one or more websites.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving information for network traffic in a wireless network; correlating the information with a subscriber of a plurality of subscribers; and generating a behavior profile for the subscriber based on the information over a period of time.

Citations

18 Claims

1. A method comprising:
- receiving, at an out of band network threat behavior analysis engine, a plurality of records containing information related to network traffic associated with a network connection between a packet data network and a subscriber device of a plurality of subscriber devices in a mobile network, wherein the information is to include a network address and application metadata of at least one application used by the subscriber device, wherein the network traffic is intercepted by a network security device that generates the plurality of records;
  
  extracting at least some of the application metadata from the plurality of records;
  
  correlating the information with a mobile telephone number of the subscriber device based on the network address from the information being mapped to subscriber device information of the subscriber device in a memory element that maps subscriber device information of authenticated subscriber devices in the mobile network to real-time network addresses of the authenticated subscriber devices; and
  
  generating a network behavior profile for the subscriber device based, at least in part, on the extracted application metadata, wherein the network behavior profile is to include a characterization of network traffic sent by the subscriber device, an identification of one or more applications used by the subscriber device, and an identification of communications by the subscriber device to one or more websites.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the information is at least two of transport layer information, application layer information, and network layer information.
  - 3. The method of claim 2, wherein generating the network behavior profile comprises:
    - correlating the application layer information with the transport layer and network layer information to form a risk profile and an application profile for the subscriber device.
  - 4. The method of claim 1, further comprising:
    - receiving an authentication for the subscriber device entering the mobile network;
      
      determining whether an Internet Protocol (IP) address of the subscriber device is present in the memory element;
      
      responsive to the IP address being present, removing previous subscriber association with the IP address from the memory element; and
      
      correlating the subscriber device information of the subscriber device with the IP address in the memory element.
  - 5. The method of claim 1, further comprising:
    - receiving an authentication for the subscriber device leaving the mobile network;
      
      determining whether an Internet Protocol (IP) address of the subscriber device is present in the memory element; and
      
      responsive to the IP address being present, removing previous information associated with the IP address from the memory element.

6. One or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving, at an out of band network threat behavior analysis engine, a plurality of records containing information related to network traffic associated with a network connection between a packet data network and a subscriber device of a plurality of subscriber devices in a mobile network, wherein the information is to include a network address and application metadata of at least one application used by the subscriber device, wherein the network traffic is intercepted by a network security device that generates the plurality of records;
  
  extracting at least some of the application metadata from the plurality of records;
  
  correlating the information with a mobile telephone number of the subscriber device based on the network address from the information being mapped to subscriber device information of the subscriber device in a memory element that maps subscriber device information of authenticated subscriber devices in the mobile network to real-time network addresses of the authenticated subscriber devices; and
  
  generating a network behavior profile for the subscriber device based, at least in part, on the extracted application metadata, wherein the network behavior profile is to include a characterization of network traffic sent by the subscriber device, an identification of one or more applications used by the subscriber device, and an identification of communications by the subscriber device to one or more websites.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The one or more non-transitory computer-readable media of claim 6, wherein the information is at least two of transport layer information, application layer information, and network layer information.
  - 8. The one or more non-transitory computer-readable media of claim 6, wherein the processor is operable to perform further operations comprising:
    - receiving an authentication for the subscriber device entering the mobile network;
      
      determining whether an Internet Protocol (IP) address of the subscriber device is present in the memory element;
      
      responsive to the IP address being present, removing previous subscriber association with the IP address from the memory element; and
      
      correlating the subscriber device information of the subscriber device with the IP address in the memory element.
  - 9. The one or more non-transitory computer-readable media of claim 6, wherein the processor is operable to perform further operations comprising:
    - receiving an authentication for the subscriber device leaving the mobile network;
      
      determining whether an Internet Protocol (IP) address of the subscriber device is present in the memory element; and
      
      responsive to the IP address being present, removing previous information associated with the IP address from the memory element.
  - 10. The one or more non-transitory computer-readable media of claim 6, wherein the network behavior profile is to include one or more of application usage of the one or more applications used by the subscriber device, identification of any applications downloaded by the subscriber device, bandwidth consumed by the subscriber device, and bandwidth consumed by the subscriber device per application.
  - 11. The one or more non-transitory computer-readable media of claim 6, wherein the network behavior profile is to include an identification of any attacks sent by the subscriber device and an identification of any attacks received by the subscriber device.
  - 12. The one or more non-transitory computer-readable media of claim 6, wherein the subscriber device information is to include at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a Mobile Station International Subscriber Directory Number (MSISDN), and an access point name (APN).
  - 13. The one or more non-transitory computer-readable media of claim 6, wherein the mobile telephone number of the subscriber device is a Mobile Station International Subscriber Directory Number (MSISDN).

14. An apparatus, comprising:
- a memory element configured to store data;
  
  a hardware processor operable to execute instructions associated with the data;
  
  an out of band network threat behavior analysis engine configured to interface with the memory element and the hardware processor to;
  
  receive a plurality of records containing information related to network traffic associated with a network connection between a packet data network and a subscriber device of a plurality of subscriber devices in a mobile network, the information to include a network address and application metadata of at least one application used by the subscriber device, wherein the network traffic is intercepted by a network security device that generates the plurality of records;
  
  extract at least some of the application metadata from the plurality of records;
  
  andgenerate a network behavior profile for the subscriber device based, at least in part on the extracted application metadata, wherein the network behavior profile is to include a characterization of network traffic sent by the subscriber device, an identification of one or more applications used by the subscriber device, and an identification of communications by the subscriber device to one or more websites; and
  
  a correlation module configured to interface with the memory element and the hardware processor to correlate the information with a mobile telephone number of the subscriber device based on the network address from the information being mapped to subscriber device information of the subscriber device in a memory element that maps subscriber device information of authenticated subscriber devices in the mobile network to real-time network addresses of the authenticated subscriber devices.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The apparatus of claim 14, further comprising:
    - the network security device, wherein the network security device is configured to;
      
      identify the information in the network traffic; and
      
      send the plurality of records containing the information to the network threat behavior analysis engine.
  - 16. The apparatus of claim 14, wherein the network threat behavior analysis engine is configured to:
    - receive an authentication for the subscriber device entering the mobile network;
      
      determine whether an Internet Protocol (IP) address of the subscriber device is present in the memory element;
      
      responsive to the IP address being present, remove previous subscriber association with the IP address from the memory element; and
      
      correlate the subscriber device information of the subscriber device with the IP address in the memory element.
  - 17. The apparatus of claim 14, further comprising:
    - the network threat behavior analysis engine configured to;
      
      receive an authentication for the subscriber device leaving the mobile network;
      
      determine whether an Internet Protocol (IP) address of the subscriber device is present in the memory element; and
      
      responsive to the IP address being present, remove previous information associated with the IP address from the memory element.
  - 18. The apparatus of claim 14, wherein the information is to include at least two of transport layer information, application layer information, and network layer information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gupta, Bikram Kumar, Swamy, Sudarshan, Vissamsetti, Srikant
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
DE JESUS LASSAIA, CARLOS MANUEL

Application Number

US13/731,480
Publication Number

US 20140189861A1
Time in Patent Office

1,044 Days
Field of Search

726 22- 24
US Class Current

1/1
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 67/30   Profiles

H04L 67/535   Tracking the activity of th...

H04L 69/321   Interlayer communication pr...

H04W 12/128   Anti-malware arrangements, ...

System and method for correlating network information with subscriber information in a mobile network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating network information with subscriber information in a mobile network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links