Dynamic and selective response to cyber attack for telecommunications carrier networks
Abstract
The disclosed subject matter provides a response to a cyber attack on a carrier network. The response can be based on inspection of traffic flowing through a carrier network. The response can automatically adapt the traffic flow in response to a perceived threat. Traffic can be adapted by dynamically updating permission variables related to allowing access for user equipment (UE) to a carrier network, withdrawing or denying access to the carrier network for selected UEs. In other embodiments, signaling can be initiated at the carrier network to cause selected UEs to disable transmission of traffic contributing to the traffic flow. Determining a cyber attack condition can be based on predetermined rules associated with the traffic flow. Further, the determination can be performed at a front end of the carrier network to limit exposure of the carrier network to a detected cyber attack.
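The selective response the abstract describes can be sketched as a per-UE score that drives two rules. This is an added example, not code from the patent: the thresholds, the smoothing weight, the reduced rate, the flow-record fields and the sample addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy values; the page gives no thresholds or rates.
THROTTLE_AT, DISABLE_AT = 0.5, 0.8   # score thresholds
THROTTLED_KBPS = 16                  # reduced rate for the offending traffic type
ALPHA = 0.5                          # weight of the newest window in the score

@dataclass
class UeState:
    score: float = 0.0                               # per-UE permission variable
    limits: dict = field(default_factory=dict)       # traffic type -> kbps cap
    indicators: list = field(default_factory=list)   # features the UE is told to disable

def attack_share(flows, attack):
    """Fraction of one UE's packets in a window that match the detected attack."""
    total = sum(f["pkts"] for f in flows)
    hits = sum(f["pkts"] for f in flows
               if (f["type"], f["dst"]) == (attack["type"], attack["dst"]))
    return hits / total if total else 0.0

def respond(states, window, attack):
    """Fold one inspection window into each UE's score, then apply the rules."""
    per_ue = defaultdict(list)
    for flow in window:
        per_ue[flow["ue"]].append(flow)
    for ue, flows in per_ue.items():
        st = states.setdefault(ue, UeState())
        st.score = (1 - ALPHA) * st.score + ALPHA * attack_share(flows, attack)
        if st.score >= THROTTLE_AT:
            # Throttle only the attack-related type; other traffic is untouched.
            st.limits[attack["type"]] = THROTTLED_KBPS
        if st.score >= DISABLE_AT and attack["type"] not in st.indicators:
            st.indicators.append(attack["type"])
    return states

# Constructed sample data: one flow-summary window, repeated for several intervals.
ATTACK = {"type": "dns", "dst": "198.51.100.7"}
WINDOW = [
    {"ue": "ue-A", "type": "dns", "dst": "198.51.100.7", "pkts": 990},
    {"ue": "ue-A", "type": "https", "dst": "203.0.113.20", "pkts": 10},
    {"ue": "ue-B", "type": "https", "dst": "203.0.113.20", "pkts": 400},
]

def run(intervals):
    """Apply the same constructed window for the given number of intervals."""
    states = {}
    for _ in range(intervals):
        respond(states, WINDOW, ATTACK)
    return states
```

With these assumed values, a single burst does not trigger a response; the offending type is throttled after the second interval and the disable indicator is generated after the third, while the uninvolved UE and the first UE's other traffic keep their full rate.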
73 Citations
20 Claims
1. A network device, comprising:
- a memory that stores executable instructions; and
- a processor, coupled to the memory, that facilitates execution of the executable instructions to perform operations, comprising:
  - receiving information comprising network traffic data at the network device, from a mobile device, to facilitate a response to a detected network attack, wherein the network device is located between a radio access network device and a serving general packet radio service support node device and the network device does not have a network address causing it to be network transparent;
  - analyzing the network traffic data of the information to determine a value related to a probability of the mobile device participating in the detected network attack;
  - facilitating an updating of a variable related to an access privilege employed in determining access to another network device by the mobile device;
  - in response to a defined condition relating to the variable being determined to be satisfied, altering the access privilege for the mobile device to access the other network device comprising decreasing a data rate of at least a portion of the information received from the mobile device, wherein the portion of the information is related to a type of the network traffic data corresponding to the mobile device participating in the detected network attack; and
  - in response to another defined condition relating to the variable being determined to be satisfied, not altering at least another portion of the information received from the mobile device and generating an indicator facilitating disabling of a feature of the mobile device, wherein the other portion of the information is not related to the type of the network traffic data corresponding to the mobile device participating in the detected network attack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A method, comprising:
- receiving, by a system comprising a processor and located between a radio access network device and a mobility management entity device of a wireless carrier network, a traffic stream comprising network traffic data related to a user equipment other than the system, wherein the system is not associated with a network address rendering the system network transparent;
- determining, by the system, a threat condition of the traffic stream indicative of a detected network attack;
- allowing, by the system in response to a first rule related to the threat condition being determined to be satisfied, the user equipment to access a value indicating a function of the user equipment that should be disabled; and
- adapting, by the system in response to a second condition relating to the variable being determined to be satisfied, a permission related to subsequent access to the traffic stream, resulting in decreasing a data rate of at least a portion of the traffic stream corresponding to the user equipment being determined to be participating in the detected network attack, and not modifying, in response to a third condition relating to the variable being determined to be satisfied, at least another portion of the traffic stream not corresponding to the user equipment being determined to be participating in the detected network attack.

Dependent claims: 15, 16, 17

18. A non-transitory machine-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
- receiving, by a device that does not have a network address causing it to be network transparent and that is communicatively coupled to a radio access network device and a mobility management entity device of a wireless carrier network, a security indicator related to altering access to traffic corresponding to a user equipment other than the device, wherein the altering comprises: decreasing a data rate of at least a portion of the traffic associated with a cyber attack by the user equipment in response to a first defined condition relating to the security indicator being determined to be satisfied, wherein the portion of the traffic is related to a type of network traffic data corresponding to the user equipment participating in the cyber attack and withholding from altering at least another portion of the traffic not corresponding to the cyber attack by the user equipment in response to a second defined condition relating to the security indicator being determined to be satisfied, wherein the other portion of the traffic is not related to the type of network traffic data corresponding to the user equipment participating in the cyber attack, and wherein the traffic contributes to a traffic stream of the set of network devices, and wherein the security indicator is determined in response to inspection of the traffic stream and identification of a condition indicative of the cyber attack involving the user equipment;
- in response to the security indicator satisfying a rule associated with user equipment feature truncation, designating, at the device, an indicator associated with restricting execution of a feature of the user equipment; and
- facilitating updating an access permission, at the device, based on satisfaction of the first defined condition relating to the security indicator.

Dependent claims: 19, 20

Specification