Real-time network attack detection and mitigation infrastructure

US 9,332,026 B2
Filed: 04/01/2014
Issued: 05/03/2016
Est. Priority Date: 10/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method of operating elements of a communications system to detect and mitigate network attacks in a VoIP network, said elements including a gateway, an analyzer and a guardian module, the method comprising:

receiving, by the gateway, via the VOIP network, an incoming call and associated signaling;

transmitting, from the gateway to the analyzer, a call detail record (CDR) for the incoming call;

maintaining in memory, by the analyzer, a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls in the VOIP network;

maintaining in memory, by the analyzer, a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;

updating, by the analyzer, an adaptable profile from the plurality of adaptable profiles based on the CDR of the incoming call;

comparing, by the analyzer, the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;

determining, by the analyzer, if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis; and

when said analyzer determines that an anomaly exists indicative of a network attack;

generating, by the analyzer, an alarm corresponding to the incoming call indicative of the network attack;

transmitting, by the analyzer, to a rules engine, the alarm indicative of the network attack to determine a mitigation action for the incoming call; and

determining by the rules engine one or more mitigation actions for the incoming call, said one or more mitigation actions including a first mitigation action comprising rerouting the incoming call to the guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.

16 Citations

View as Search Results

13 Claims

1. A method of operating elements of a communications system to detect and mitigate network attacks in a VoIP network, said elements including a gateway, an analyzer and a guardian module, the method comprising:
- receiving, by the gateway, via the VOIP network, an incoming call and associated signaling;
  
  transmitting, from the gateway to the analyzer, a call detail record (CDR) for the incoming call;
  
  maintaining in memory, by the analyzer, a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls in the VOIP network;
  
  maintaining in memory, by the analyzer, a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  updating, by the analyzer, an adaptable profile from the plurality of adaptable profiles based on the CDR of the incoming call;
  
  comparing, by the analyzer, the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
  
  determining, by the analyzer, if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis; and
  
  when said analyzer determines that an anomaly exists indicative of a network attack;
  
  generating, by the analyzer, an alarm corresponding to the incoming call indicative of the network attack;
  
  transmitting, by the analyzer, to a rules engine, the alarm indicative of the network attack to determine a mitigation action for the incoming call; and
  
  determining by the rules engine one or more mitigation actions for the incoming call, said one or more mitigation actions including a first mitigation action comprising rerouting the incoming call to the guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein determining if an anomaly exists using multivariate analysis further comprises:
    - computing a distance between the adaptable profile and the reference profile; and
      
      determining if the difference exceeds a threshold.
  - 3. The method of claim 1 further comprising determining the adaptable profile from the plurality of adaptable profiles, including:
    - determining a calling number of the incoming call;
      
      locating one or more received calls from the plurality of received calls with the same calling number; and
      
      selecting the adaptable file, created for the one or more received calls, from the plurality of adaptable profiles.
  - 4. The method of claim 1 further including replaying the audio challenge-response test or providing a second audio challenge-response test if a response to the audio challenge-response test is incorrect.
  - 5. The method of claim 4 wherein said one or more mitigation actions includes a third mitigation action, said third mitigation action includes diverting the incoming call to an operator for further investigation when an incorrect answer is received in response to either the replaying of the audio challenge-response test or the playing of the second audio challenge-response test.
  - 6. The method of claim 1 wherein the one or more mitigation actions includes a second mitigation action, said second mitigation action comprising recording the incoming call.
  - 7. The method of claim 1 wherein said guardian module is a network border switch.
  - 8. The method of claim 1 further comprising:
    - routing the incoming call corresponding to the alarm to a specific location.
  - 9. The method of claim 1 wherein a plurality of said adaptable profiles is updated based on gateway identifications of the corresponding calls.
  - 10. The method of claim 1 further including receiving at the rules engine two types of rules, said first type of rule maps an incoming alarm event to a mitigation action and the second type of rule tracks the impact of a mitigation action and adjusts the mitigation strategy by implementing a different mitigation action when it is determined that previous mitigation action was ineffective.

11. A communications system for detecting and mitigating network attacks in a VoIP network, the communications system comprising:
- a gateway configured to;
  
  (1) receive via the VOIP network an incoming call and associated signaling and (2) transmit to an analyzer a call detail record (CDR) for the incoming call;
  
  a database for maintaining;
  
  i) a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls, and ii) a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  a profile unit for updating an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call; and
  
  the analyzer further configured to;
  
  compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles, determine if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis, andwhen it is determined that an anomaly indicative of a network attack exists to;
  
  generate an alarm corresponding to the incoming call indicative of the network attack and transmit the alarm indicative of a network attack to a rules engine to determine a mitigation action for the incoming call; and
  
  the rules engine being configured to determine one or more mitigation actions for the incoming call, said one or more mitigation actions including a first mitigation action comprising rerouting the incoming call to a guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.
- View Dependent Claims (12)
- - 12. The communications system of claim 11 wherein said profile unit is further configured to determine the adaptable profile from the plurality of adaptable profiles by:
    - determining a calling number of the incoming call;
      
      locating one or more received calls from the plurality of received calls with the same calling number; and
      
      selecting the adaptable file, created for the one or more received calls, from the plurality of adaptable profiles.

13. A computer program product stored on a non-transitory computer readable storage medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
- receive an incoming call and associated signaling;
  
  transmit call detail record (CDR) for the incoming call;
  
  maintain in memory a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
  
  maintain in memory a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  update an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
  
  compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
  
  determine if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis; and
  
  when it is determined that an anomaly indicative of a network attack exists to;
  
  generate an alarm corresponding to the incoming call indicative of the network attack anddetermine one or mitigation actions for the incoming call, said one or more actions including a first mitigation action comprising rerouting the incoming call to a guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ribbon Communications Operating Company, Inc. (Ribbon Communications, Inc.)
Original Assignee
Sonus Networks Incorporated (Ribbon Communications, Inc.)
Inventors
Lapsley, David, Mansur, Miri, Klotzbach, Jonathan, Shu, Ti-yuan Dean, Chary, Sri, Joseph, Joby, Topham, Mark, Matragi, Wassim, Dumble, Kenneth
Primary Examiner(s)
Traore, Fatoumata
Assistant Examiner(s)
LE, KHOI V

Application Number

US14/242,758
Publication Number

US 20150047036A1
Time in Patent Office

763 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Real-time network attack detection and mitigation infrastructure

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Real-time network attack detection and mitigation infrastructure

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others