System and method for correlating security events with subscriber information in a mobile network environment

US 9,338,657 B2
Filed: 10/16/2012
Issued: 05/10/2016
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying one or more first packets as subscriber accounting traffic associated with a subscriber device in a mobile network environment;

extracting, from a subscriber accounting start packet of the one or more first packets, subscriber device information and a network address of the subscriber device;

mapping, in a first memory element, the network address to the subscriber device information;

identifying one or more second packets as subscriber data network traffic; and

correlating the subscriber device information and a security event if the security event is detected in the one or more second packets and if the one or more second packets are associated with the subscriber device, wherein the correlating comprises;

searching the first memory element for at least one of a source network address and a destination network address of the one or more second packets;

obtaining, from the first memory element, the subscriber device information mapped to the network address of the subscriber device, when the network address of the subscriber device corresponds to one of the source network address and the destination network address.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a subscriber accounting start packet for a subscriber device in a mobile network environment. The method also includes extracting, from the subscriber accounting start packet, subscriber device information and a network address of the subscriber device. The method further includes mapping the network address to the subscriber device information, and then correlating the subscriber device information and a security event when the security event is detected in subscriber data network traffic associated with the subscriber device. In a specific embodiment, the subscriber device information includes at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a Mobile Station International Subscriber Directory Number (MSISDN), and an access point name (APN). In further embodiments, an identification of the security event and one or more items of the subscriber device information are provided to a user.

Citations

20 Claims

1. A method, comprising:
- identifying one or more first packets as subscriber accounting traffic associated with a subscriber device in a mobile network environment;
  
  extracting, from a subscriber accounting start packet of the one or more first packets, subscriber device information and a network address of the subscriber device;
  
  mapping, in a first memory element, the network address to the subscriber device information;
  
  identifying one or more second packets as subscriber data network traffic; and
  
  correlating the subscriber device information and a security event if the security event is detected in the one or more second packets and if the one or more second packets are associated with the subscriber device, wherein the correlating comprises;
  
  searching the first memory element for at least one of a source network address and a destination network address of the one or more second packets;
  
  obtaining, from the first memory element, the subscriber device information mapped to the network address of the subscriber device, when the network address of the subscriber device corresponds to one of the source network address and the destination network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the subscriber device information includes at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a Mobile Station International Subscriber Directory Number (MSISDN), and an access point name (APN).
  - 3. The method of claim 1, wherein the mapping includes storing the network address and the subscriber device information in a mapping table of the first memory element.
  - 4. The method of claim 3, further comprising:
    - receiving a subscriber accounting stop packet;
      
      identifying a network address in the accounting stop packet;
      
      searching the mapping table for a stored network address corresponding to the network address of the accounting stop packet; and
      
      deleting the stored network address from the mapping table.
  - 5. The method of claim 3, further comprising, prior to the storing:
    - identifying the network address in the accounting start packet;
      
      searching the mapping table for the network address; and
      
      deleting the network address from the mapping table if the network address is found in the mapping table.
  - 6. The method of claim 1, further comprising:
    - identifying the source network address and the destination network address in the one or more second packets to be used for searching the first memory element.
  - 7. The method of claim 1, further comprising:
    - providing, after the correlating, the security event information and the subscriber device information to a management console.

8. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- identifying one or more first packets as subscriber accounting traffic associated with a subscriber device in a mobile network environment;
  
  extracting, from a subscriber accounting start packet of the one or more first packets, subscriber device information and a network address of the subscriber device;
  
  mapping, in a first memory element, the network address to the subscriber device information; and
  
  identifying one or more second packets as subscriber data network traffic; and
  
  correlating the subscriber device information and a security event if the security event is detected in the one or more second packets and if the one or more second packets are associated with the subscriber device, wherein the correlating comprises;
  
  searching the first memory element for at least one of a source network address and a destination network address of the one or more second packets;
  
  obtaining, from the first memory element, the subscriber device information mapped to the network address of the subscriber device, when the network address of the subscriber device corresponds to one of the source network address and the destination network address.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The logic of claim 8, wherein the subscriber device information includes at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a Mobile Station International Subscriber Directory Number (MSISDN), and an access point name (APN).
  - 10. The logic of claim 9, wherein the mapping includes storing the network address and the subscriber device information in a mapping table of the first memory element.
  - 11. The logic of claim 10, wherein the processor is operable to perform further operations comprising:
    - receiving a subscriber accounting stop packet;
      
      identifying a network address in the accounting stop packet;
      
      searching the mapping table for a stored network address corresponding to the network address of the accounting stop packet; and
      
      deleting the stored network address from the mapping table.
  - 12. The logic of claim 10, wherein the processor is operable to perform further operations comprising:
    - identifying the network address in the accounting start packet;
      
      searching the mapping table for the network address; and
      
      deleting the network address from the mapping table if the network address is found in the mapping table.
  - 13. The logic of claim 8, wherein the first memory element comprises one or more real-time network addresses assigned to one or more respective subscriber devices currently online in the mobile network environment.
  - 14. The logic of claim 8, wherein the processor is operable to perform further operations comprising:
    - storing, in a second memory element, the device information and the security event information obtained from the first memory element; and
      
      generating a report, from the second memory element, that indicates a total number of security events associated with the subscriber device and a type of each security event associated with the subscriber device.

15. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  an extraction module configured to interface with the memory element and the processor to;
  
  identify one or more first packets as subscriber accounting traffic associated with a subscriber device in a mobile network environment;
  
  extract, from a subscriber accounting start packet of the one or more first packets, subscriber device information and a network address of the subscriber device;
  
  map, in a first memory element, the network address to the subscriber device information; and
  
  identify one or more second packets as subscriber data network traffic; and
  
  a correlation module configured to interface with the memory element and the processor to correlate the subscriber device information and a security event if the security event is detected in the one or more second packets and if the one or more second packets are associated with the subscriber device, wherein the correlation module is to;
  
  search the first memory element for at least one of a source network address and a destination network address of the one or more second packets;
  
  obtain, from the first memory element, the subscriber device information mapped to the network address of the subscriber device, when the network address of the subscriber device corresponds to one of the source network address and the destination network address.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the subscriber device information includes at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a Mobile Station International Subscriber Directory Number (MSISDN), and an access point name (APN).
  - 17. The apparatus of claim 15, wherein the correlation module is further configured to map the network address to the subscriber device information by storing the network address and the subscriber device information in a mapping table of the first memory element.
  - 18. The apparatus of claim 17, wherein the extraction module is further configured to:
    - receive a subscriber accounting stop packet;
      
      identify a network address in the accounting stop packet;
      
      search the mapping table for a stored network address corresponding to the network address of the accounting stop packet; and
      
      delete the stored network address from the mapping table.
  - 19. The apparatus of claim 17, wherein the extraction module is further configured to:
    - identify the network address in the accounting start packet;
      
      search the mapping table for the network address; and
      
      delete the network address from the mapping table if the network address is found in the mapping table.
  - 20. The apparatus of claim 15, wherein the apparatus is deployed in one of a Gi or an SGi interface in a core network of the mobile network environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gupta, Bikram Kumar, Ammoor Anbalagan, Elanthiraiyan, Subramanian, Sakthikumar, Gupta, Manish
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
Kaur, Pamit

Application Number

US13/652,923
Publication Number

US 20140105119A1
Time in Patent Office

1,302 Days
Field of Search

370/329, 370/328, 370/349
US Class Current

1/1
CPC Class Codes

H04L 2101/65   Telephone numbers

H04L 2101/654   International mobile subscr...

H04L 43/028   by filtering

H04L 61/103   across network layers, e.g....

H04L 61/4588   containing mobile subscribe...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04W 12/12   Detection or prevention of ...

H04W 12/71   Hardware identity

H04W 12/72   Subscriber identity

System and method for correlating security events with subscriber information in a mobile network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating security events with subscriber information in a mobile network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links