Detection and mitigation of denial-of-service attacks in wireless communication networks

US 9,295,028 B2
Filed: 10/21/2013
Issued: 03/22/2016
Est. Priority Date: 10/21/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a base station comprising a processor, data relating to a set of collision events on a shared channel for communicating with the base station on a wireless network according to a contention-based access protocol,wherein a plurality of terminals attempt to access the channel contemporaneously, the data comprising a first number representing a number of unsuccessful attempts to access the channel by the plurality of terminals, a second number representing a number of access attempts, and a set of time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks;

estimating, by the base station, a probability of collision in the channel based on the first number, the second number, and the protocol;

generating, by the base station, a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;

calculating, by the base station, a second probability distribution of the time intervals for each of the terminals, based on the data;

calculating, by the base station, for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;

comparing, by the base station, the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol;

responsive to determining that the base station is in a multi-antenna system and is capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocking the signal from the malfunctioning terminal; and

responsive to determining that the base station is not in a multi-antenna system or is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks and broadcasting information regarding the re-assigning on a broadcast channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that incorporates teachings of the subject disclosure may include, for example, obtaining data relating to a set of collision events on a shared channel on a wireless network according to a contention-based access protocol in which a plurality of terminals attempt to access the channel contemporaneously. A probability of collision in the channel is estimated and a probability distribution of time intervals between access attempts is generated based on the estimated probability of collision. Empirical and theoretical cumulative distribution functions for the time intervals are calculated, and compared to identify a malfunctioning terminal not operating in accordance with the protocol. Other embodiments are disclosed.

17 Citations

View as Search Results

20 Claims

1. A method comprising:
- obtaining, by a base station comprising a processor, data relating to a set of collision events on a shared channel for communicating with the base station on a wireless network according to a contention-based access protocol,wherein a plurality of terminals attempt to access the channel contemporaneously, the data comprising a first number representing a number of unsuccessful attempts to access the channel by the plurality of terminals, a second number representing a number of access attempts, and a set of time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks;
  
  estimating, by the base station, a probability of collision in the channel based on the first number, the second number, and the protocol;
  
  generating, by the base station, a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating, by the base station, a second probability distribution of the time intervals for each of the terminals, based on the data;
  
  calculating, by the base station, for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  comparing, by the base station, the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol;
  
  responsive to determining that the base station is in a multi-antenna system and is capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocking the signal from the malfunctioning terminal; and
  
  responsive to determining that the base station is not in a multi-antenna system or is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks and broadcasting information regarding the re-assigning on a broadcast channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the comparing step further comprises generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal, and applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function.
  - 3. The method of claim 2, wherein for some time interval in the set of time intervals, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function.
  - 4. The method of claim 1, wherein the comparing step further comprises determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the first cumulative distribution function for the terminal.
  - 5. The method of claim 2, wherein the comparing step further comprises comparing the second cumulative distribution function and the threshold function for each terminal, and determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the threshold function for the terminal.
  - 6. The method of claim 1, wherein an attempt to access the channel comprises transmission of a preamble message by a sending terminal of the plurality of terminals.
  - 7. The method of claim 6, further comprising identifying the sending terminal based on an identifier included in the preamble message.
  - 8. The method of claim 6, wherein the data further comprise an arrival time stamp of the preamble message, and further comprising computing, by the base station, a time interval between access attempts based on the arrival time stamp of the preamble message and an arrival time stamp of a subsequent preamble message.
  - 9. The method of claim 1, wherein the malfunctioning terminal is identified as a source of a denial-of-service attack without information regarding a strategy for the attack.

10. A base station comprising:
- a memory to store instructions; and
  
  a processor coupled to the memory, wherein responsive to executing the instructions, the processor performs operations comprising;
  
  obtaining data relating to a set of collision events on a shared channel for communicating with the base station on a wireless network according to a contention-based access protocol,wherein a plurality of terminals attempt to access the channel contemporaneously, the data comprising a first number representing a number of unsuccessful attempts to access the channel by the plurality of terminals, a second number representing a number of access attempts, and a set of time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks;
  
  estimating a probability of collision in the channel based on the first number, the second number, and the protocol;
  
  generating a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating a second probability distribution of the time intervals for each of the terminals;
  
  calculating for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal;
  
  applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function;
  
  comparing the second cumulative distribution function and the goodness of fit threshold function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol, wherein for some time interval in the set of time intervals, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function;
  
  responsive to determining that the base station is in a multi-antenna system and is capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocking the signal from the malfunctioning terminal; and
  
  responsive to determining that the base station is not in a multi-antenna system or is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks and broadcasting information regarding the re-assigning on a broadcast channel.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The base station of claim 10, wherein the operations further comprise determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the first cumulative distribution function for the terminal.
  - 12. The base station of claim 10, wherein the operations further comprise comparing the second cumulative distribution function and the threshold function for each terminal, and determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the threshold function for the terminal.
  - 13. The base station of claim 10, wherein an attempt to access the channel comprises transmission of a preamble message by a sending terminal of the plurality of terminals.
  - 14. The base station of claim 13, wherein the operations further comprise identifying the sending terminal based on an identifier included in the preamble message.
  - 15. The base station of claim 13, wherein the data further comprise an arrival time stamp of the preamble message, and wherein the operations further comprise computing a time interval between access attempts based on the arrival time stamp of the preamble message and an arrival time stamp of a subsequent preamble message.

16. A non-transitory computer-readable storage device comprising executable instructions which, when executed by a processor, cause the processor to perform operations comprising:
- obtaining data relating to a set of collision events on a shared channel for communicating with a base station on a wireless network according to a contention-based access protocol,wherein a plurality of terminals attempt to access the channel contemporaneously, the data comprising a first number representing a number of unsuccessful attempts to access the channel by the plurality of terminals, a second number representing a number of access attempts, and a set of time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks,wherein an attempt to access the channel comprises transmission of a preamble message by a sending terminal of the plurality of terminals;
  
  estimating a probability of collision in the channel based on the first number, the second number, and the protocol;
  
  generating a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating a second probability distribution of the time intervals for each of the terminals;
  
  calculating for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal;
  
  applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function;
  
  comparing the second cumulative distribution function and the goodness of fit threshold function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol, wherein for some time interval in the set of time intervals, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function;
  
  responsive to determining that the base station is in a multi-antenna system and is capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocking the signal from the malfunctioning terminal; and
  
  responsive to determining that the base station is not in a multi-antenna system or is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks and broadcasting information regarding the re-assigning on a broadcast channel.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage device of claim 16, wherein the operations further comprise determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the first cumulative distribution function for the terminal.
  - 18. The non-transitory computer-readable storage device of claim 16, wherein the operations further comprise comparing the second cumulative distribution function and the threshold function for each terminal, and determining that a given terminal is operating in accordance with the protocol, based on a determination that the second cumulative distribution function is less than or equal to the threshold function for the terminal.
  - 19. The non-transitory computer-readable storage device of claim 16, wherein the data further comprise an arrival time stamp of the preamble message, and wherein the operations further comprise identifying the sending terminal based on an identifier included in the preamble message, and computing a time interval between access attempts based on the arrival time stamp of the preamble message and an arrival time stamp of a subsequent preamble message.
  - 20. The non-transitory computer-readable storage device of claim 19, wherein timing of messages on the channel is in accordance with frames of a predetermined duration, wherein the preamble message is transmitted on the channel as a packet during a frame, and wherein the time interval comprises a random number of frames.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Jover, Roger Piqueras, Murynets, Ilona
Primary Examiner(s)
PARK, JUNG H

Application Number

US14/059,414
Publication Number

US 20160050574A1
Time in Patent Office

883 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04W 24/04   Arrangements for maintainin...

H04W 24/08   Testing, supervising or mon...

H04W 64/00   Locating users or terminals...

H04W 68/00   User notification, e.g. ale...

H04W 72/30   Resource management for bro...

H04W 74/0833   Random access procedures, e...

H04W 74/0858   collision detection

Detection and mitigation of denial-of-service attacks in wireless communication networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and mitigation of denial-of-service attacks in wireless communication networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links