Message flooding prevention in messaging networks

US 9,491,195 B2
Filed: 05/09/2016
Issued: 11/08/2016
Est. Priority Date: 02/23/2012
Status: Active Grant

First Claim

Patent Images

1. A messaging system comprising:

at least one message interceptor node having a processor and ports adapted to receive messages at a point in a communications network,at least one flood detect node, having a processor adapted to;

extract data from a message,generate at least one code from the extracted data, and save said code to a database,compare the code or codes with one or more previous codes, anddetermine according to the comparison if the received message is suspected to be a flooding message,wherein said processor is adapted to perform said comparing and processing steps by;

providing a set of a fixed number of data buckets, each said bucket having an associated code, a fill parameter value, a time stamp indicating the last time it was incremented, a leak rate indicating a decrease in the fill parameter with time, and an identifier of an associated flood detect algorithm,selecting a bucket according to the generated code,incrementing a fill parameter of the selected bucket,determining suspicion of flooding by executing the associated flood detection algorithm, andsaving flood-detection data to persistent memory if there is suspected flooding,wherein at least one flood detect node is adapted to perform a first level detection to select a fixed number of buckets, to execute said flood detection algorithm for each bucket to detect flooding, and to execute an empty/cleanest bucket selection algorithm to select a bucket for updating a count, andwherein at least one flood detect node is adapted to perform a second level detection only for those buckets whose activity during detection is above a certain threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A message flooding prevention system (1) has multiple interceptors (2, 3, 4), each with an interceptor unit linked with an RCS server, and SMSC, or an MMSC. The interceptors (2, 3, 4) are connected to flood detect nodes (10) for receiving messages at a point in a communications network, extracting data from a message, generating at least one code from extracted data, and comparing the code or codes with one or more previous codes. The flood detect nodes (10) determine according to the comparison if the received message is suspected to be a flooding message and if so, performs code generation including hashing. The flood detect nodes (10) save the code to one of a set of database buckets (21), each bucket being associated with a code, and select a bucket according to the generated code, and increment a fill parameter of the selected bucket.

Citations

17 Claims

1. A messaging system comprising:
- at least one message interceptor node having a processor and ports adapted to receive messages at a point in a communications network,at least one flood detect node, having a processor adapted to;
  
  extract data from a message,generate at least one code from the extracted data, and save said code to a database,compare the code or codes with one or more previous codes, anddetermine according to the comparison if the received message is suspected to be a flooding message,wherein said processor is adapted to perform said comparing and processing steps by;
  
  providing a set of a fixed number of data buckets, each said bucket having an associated code, a fill parameter value, a time stamp indicating the last time it was incremented, a leak rate indicating a decrease in the fill parameter with time, and an identifier of an associated flood detect algorithm,selecting a bucket according to the generated code,incrementing a fill parameter of the selected bucket,determining suspicion of flooding by executing the associated flood detection algorithm, andsaving flood-detection data to persistent memory if there is suspected flooding,wherein at least one flood detect node is adapted to perform a first level detection to select a fixed number of buckets, to execute said flood detection algorithm for each bucket to detect flooding, and to execute an empty/cleanest bucket selection algorithm to select a bucket for updating a count, andwherein at least one flood detect node is adapted to perform a second level detection only for those buckets whose activity during detection is above a certain threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The messaging system as claimed in claim 1, wherein said code generation includes hashing.
  - 3. The messaging system as claimed in claim 1, wherein each bucket has a fixed pre-set mapped memory space.
  - 4. The messaging system as claimed in claim 1, wherein each of said flood detect nodes is adapted to select a bucket if its associated code matches a current generated code, and if no match is found to select the least full bucket.
  - 5. The messaging system as claimed in claim 1, wherein said processor is adapted to generate the code from extracted data which represents only a subset of the message.
  - 6. The messaging system as claimed in claim 1, wherein each of said flood detect nodes is adapted to generate a plurality of codes from data extracted from a single message.
  - 7. The messaging system as claimed in claim 1, wherein a code is generated from each of a plurality of bit string slices.
  - 8. The messaging system as claimed in claim 1, wherein a code is generated from each of a plurality of bit string slices;
    - and wherein a particular slice is used to indicate a memory space portion or bucket to write the code to.
  - 9. The messaging system as claimed in claim 1, wherein the system comprises a plurality of distributed flood detect nodes, wherein each of said flood detect nodes is adapted to communicate with another node to manage a single logical bucket, and wherein said flood detect nodes are adapted to be compatible with a plurality of messaging technologies and deployment models to perform configurable data extraction, data normalization, and mapping to a single cryptographic fingerprint code format, and wherein the system is adapted to be geographically distributed by assigning flood detect nodes based on a hashing algorithm, thus scaling and centralizing specific code subsets and/or distributing the memory and CPU load over multiple instances.
  - 10. The messaging system as claimed in claim 1, wherein the system is adapted to be geographically distributed by assigning flood detect nodes based on a hashing algorithm, thus scaling and centralizing specific code subsets and/or distributing the memory and CPU load over multiple instances.
  - 11. The messaging system as claimed in claim 1, wherein the system is adapted to publish confirmed offending sources for point-of-connect blocking and/or, network connectivity barring.
  - 12. The messaging system as claimed in claim 1, wherein there is a plurality of flood detect nodes and they all generate codes of a single type and there is at least one shared memory table for said buckets.
  - 13. The messaging system as claimed in claim 1, wherein said flood detect nodes use a specific rule to create the codes, and the threshold parameters can be adapted to specific detection times, and wherein the flood detect nodes are adapted to combine a low detection threshold on specific content fragments with a high detection threshold for generic traffic originating from specific foreign networks.

14. A message processing method performed by a messaging system comprising at least one message interceptor node having a processor and ports adapted to receive messages at a point in a communications network, and at least one flood detect node, the method comprising the steps of:
- extracting data from a message,generating at least one code from the extracted data, and saving said code to a database,comparing the code or codes with one or more previous codes, anddetermining according to the comparison if the received message is suspected to be a flooding message,wherein said comparing and processing steps include;
  
  providing a set of a fixed number of data buckets, each said bucket having an associated code, a fill parameter value, a time stamp indicating the last time it was incremented, a leak rate indicating a decrease in the fill parameter with time, and an identifier of an associated flood detect algorithm,selecting a bucket according to the generated code,incrementing a fill parameter of the selected bucket,determining suspicion of flooding by executing the associated flood detection algorithm, andsaving flood-detection data to persistent memory if there is suspected flooding,wherein at least one flood detect node performs a first level detection to select a fixed number of buckets, executes a token-bucket algorithm for each bucket to detect flooding, and executes an empty/cleanest bucket selection algorithm to select a bucket for updating a count, andwherein at least one flood detect node performs a second level detection only for those buckets whose activity during detection is above a certain threshold.
- View Dependent Claims (15, 16)
- - 15. The message processing method as claimed in claim 14, wherein said code generation includes hashing.
  - 16. The message processing method as claimed in claim 14, wherein each bucket has a fixed pre-set mapped memory space.

17. A non-transitory computer readable medium comprising software code adapted to perform the following message processing method when executing on a digital processor:
- extracting data from a received message,generating at least one code from the extracted data, and saving said code to a database,comparing the code or codes with one or more previous codes, anddetermining according to the comparison if the received message is suspected to be a flooding message,wherein, said comparing and processing steps include;
  
  providing a set of a fixed number of data buckets, each said bucket having an associated code, a fill parameter value, a time stamp indicating the last time it was incremented, a leak rate indicating a decrease in the fill parameter with time, and an identifier of an associated flood detect algorithm,selecting a bucket according to the generated code,incrementing a fill parameter of the selected bucket,determining suspicion of flooding by executing the associated flood detection algorithm, andsaving flood-detection data to persistent memory if there is suspected flooding,wherein at least one flood detect node performs a first level detection to select a fixed number of buckets, executes a token-bucket algorithm for each bucket to detect flooding, and executes an empty/cleanest bucket selection algorithm to select a bucket for updating a count, andwherein at least one flood detect node performs a second level detection only for those buckets whose activity during detection is above a certain threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Markport Limited (Mavenir Group Holdings Ltd.)
Original Assignee
Markport Limited (Mavenir Group Holdings Ltd.)
Inventors
Wijbrans, Klaas, Plimmer, Jim
Primary Examiner(s)
ABEDIN, SHANTO

Application Number

US15/149,241
Publication Number

US 20160255112A1
Time in Patent Office

183 Days
Field of Search

726/1, 726 22- 25
US Class Current

1/1
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/58   Message adaptation for wire...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04W 12/125   Protection against power ex...

H04W 12/128   Anti-malware arrangements, ...

H04W 4/12   Messaging; Mailboxes; Annou...

H04W 88/184   Messaging devices, e.g. mes...

Message flooding prevention in messaging networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Message flooding prevention in messaging networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links