Dynamic and selective response to cyber attack for telecommunications carrier networks

US 9,363,278 B2
Filed: 05/11/2011
Issued: 06/07/2016
Est. Priority Date: 05/11/2011
Status: Active Grant

First Claim

Patent Images

1. A network device, comprising:

a memory that stores executable instructions; and

a processor, coupled to the memory, that facilitates execution of the executable instructions to perform operations, comprising;

receiving information comprising network traffic data at the network device, from a mobile device, to facilitate a response to a detected network attack, wherein the network device is located between a radio access network device and a serving general packet radio service support node device and the network device does not have a network address causing it to be network transparent;

analyzing the network traffic data of the information to determine a value related to a probability of the mobile device participating in the detected network attack;

facilitating an updating of a variable related to an access privilege employed in determining access to another network device by the mobile device;

in response to a defined condition relating to the variable being determined to be satisfied, altering the access privilege for the mobile device to access the other network device comprising decreasing a data rate of at least a portion of the information received from the mobile device, wherein the portion of the information is related to a type of the network traffic data corresponding to with the mobile device participating in the detected network attack; and

in response to another defined condition relating to the variable being determined to be satisfied, not altering at least another portion of the information received from the mobile device and generating an indicator facilitating disabling of a feature of the mobile device, wherein the other portion of the information is not related to the type of the network traffic data corresponding to the mobile device participating in the detected network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed subject matter provides a response to a cyber attack on a carrier network. The response can be based on inspection of traffic flowing through a carrier network. The response can automatically adapt the traffic flow in response to a perceived threat. Traffic can be adapted by dynamically updating permission variables related to allowing access for user equipment (UE) to a carrier network, withdrawing or denying access to the carrier network for selected UEs. In other embodiments, signaling can be initiated at the carrier network to cause selected UEs to disable transmission of traffic contributing to the traffic flow. Determining a cyber attack condition can be based on predetermined rules associated with the traffic flow. Further, the determination can be performed at a front end of the carrier network to limit exposure of the carrier network to a detected cyber attack.

73 Citations

View as Search Results

20 Claims

1. A network device, comprising:
- a memory that stores executable instructions; and
  
  a processor, coupled to the memory, that facilitates execution of the executable instructions to perform operations, comprising;
  
  receiving information comprising network traffic data at the network device, from a mobile device, to facilitate a response to a detected network attack, wherein the network device is located between a radio access network device and a serving general packet radio service support node device and the network device does not have a network address causing it to be network transparent;
  
  analyzing the network traffic data of the information to determine a value related to a probability of the mobile device participating in the detected network attack;
  
  facilitating an updating of a variable related to an access privilege employed in determining access to another network device by the mobile device;
  
  in response to a defined condition relating to the variable being determined to be satisfied, altering the access privilege for the mobile device to access the other network device comprising decreasing a data rate of at least a portion of the information received from the mobile device, wherein the portion of the information is related to a type of the network traffic data corresponding to with the mobile device participating in the detected network attack; and
  
  in response to another defined condition relating to the variable being determined to be satisfied, not altering at least another portion of the information received from the mobile device and generating an indicator facilitating disabling of a feature of the mobile device, wherein the other portion of the information is not related to the type of the network traffic data corresponding to the mobile device participating in the detected network attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The network device of claim 1, wherein the facilitating the updating of the variable comprises facilitating the updating of the variable at the other network device.
  - 3. The network device of claim 2, wherein the network device is configured to receive the information before the information is routed via a wireless carrier network device.
  - 4. The network device of claim 3, wherein the analyzing the information comprises facilitating the analyzing of the information at the other network device.
  - 5. The network device of claim 1, wherein the facilitating the updating of the variable comprises communicating via a data link layer protocol.
  - 6. The network device of claim 1, wherein the facilitating the updating of the variable comprises facilitating the updating of the variable at the other network device, the other network device comprising home location register information.
  - 7. The network device of claim 1, wherein the altering the access privilege comprises allowing a portion of the information associated with emergency data to be communicated between the mobile device and the other network device, and blocking another portion of the information not associated with the emergency data from being communicated between the mobile device and the other network device.
  - 8. The network device of claim 1, wherein the altering the access privilege comprises redirecting the information received from the mobile device to the other network device.
  - 9. The network device of claim 1, wherein the altering the access privilege comprises blocking packet-switched information and allowing circuit-switched information between the mobile device and the other network device.
  - 10. The network device of claim 1, wherein the operations further comprise:
    - receiving a rule relating to determination of the detected network attack from a data store communicatively coupled to the other network device.
  - 11. The network device of claim 10, wherein the analyzing the information comprises facilitating applying the rule to the information at the other network device.
  - 12. The network device of claim 1, wherein the analyzing the information comprises facilitating analyzing the information at the serving general packet radio service support node device of a wireless carrier network device.
  - 13. The network device of claim 1, wherein the network device is located between the radio access network device and a mobility management entity device and the analyzing the information comprises analyzing the information at the mobility management entity device of a wireless carrier network.

14. A method, comprising:
- receiving, by a system comprising a processor and located between a radio access network device and a mobility management entity device of a wireless carrier network, a traffic stream comprising network traffic data related to a user equipment other than the system, wherein the system is not associated with a network address rendering the system network transparent;
  
  determining, by the system, a threat condition of the traffic stream indicative of a detected network attack;
  
  allowing, by the system in response to a first rule related to the threat condition being determined to be satisfied, the user equipment to access a value indicating a function of the user equipment that should be disabled; and
  
  adapting, by the system in response to a second condition relating to the variable being determined to be satisfied, a permission related to subsequent access to the traffic stream, resulting in decreasing a data rate of at least a portion of the traffic stream corresponding to the user equipment being determined to be participating in the detected network attack, and not modifying, in response to a third condition relating to the variable being determined to be satisfied, at least another portion of the traffic stream not corresponding to the user equipment being determined to be participating in the detected network attack.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the adapting the permission comprises updating permission information stored at a wireless network device other than the user equipment and selectively preventing propagation of the traffic stream to another wireless network device in response to the adapting the permission.
  - 16. The method of claim 14, wherein the adapting the permission comprises updating home location register information of the system.
  - 17. The method of claim 14, wherein the adapting the permission comprises updating home subscriber server information of the system.

18. A non-transitory machine-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
- receiving, by a device that does not have a network address causing it to be network transparent and that is communicatively coupled to a radio access network device and a mobility management entity device of a wireless carrier network, a security indicator related to altering access to traffic corresponding to a user equipment other than the device, wherein the altering comprises;
  
  decreasing a data rate of at least a portion of the traffic associated with a cyber attack by the user equipment in response to a first defined condition relating to the security indicator being determined to be satisfied, wherein the portion of the traffic is related to a type of network traffic data corresponding to the user equipment participating in the cyber attack andwithholding from altering at least another portion of the traffic not corresponding to the cyber attack by the user equipment in response to a second defined condition relating to the security indicator being determined to be satisfied, wherein the other portion of the traffic is not related to the type of network traffic data corresponding to the user equipment participating in the cyber attack, andwherein the traffic contributes to a traffic stream of the set of network devices, and wherein the security indicator is determined in response to inspection of the traffic stream and identification of a condition indicative of the cyber attack involving the user equipment;
  
  in response to the security indicator satisfying a rule associated with user equipment feature truncation, designating, at the device, an indicator associated with restricting execution of a feature of the user equipment; and
  
  facilitating updating an access permission, at the device, based on satisfaction of the first defined condition relating to the security indicator.
- View Dependent Claims (19, 20)
- - 19. The non-transitory machine-readable storage medium of claim 18, wherein the operations further comprise:
    - facilitating access to the access permission by a network device of the wireless carrier network enabling the network device to alter access to the traffic contributing to the traffic stream of the wireless carrier network.
  - 20. The non-transitory machine-readable storage medium of claim 18, wherein the facilitating the updating of the access permission comprises facilitating the updating of home location register information on the device based on the security indicator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Original Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Inventors
Maria, Arturo
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US13/105,841
Publication Number

US 20120291125A1
Time in Patent Office

1,854 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04W 28/0268   using specific QoS paramete...

Dynamic and selective response to cyber attack for telecommunications carrier networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

73 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic and selective response to cyber attack for telecommunications carrier networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links