Detection and mitigation of denial-of-service attacks in wireless communication networks

US 9,781,156 B2
Filed: 02/18/2016
Issued: 10/03/2017
Est. Priority Date: 10/21/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A device, comprising:

a processor; and

a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations comprising;

obtaining data relating to a set of collision events on a shared channel of a communication network, wherein a plurality of terminals attempt to access the channel contemporaneously according to an access protocol, the data comprising time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks, the terminals communicating with a base station on the network;

estimating a probability of collision in the channel;

generating a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;

calculating a second probability distribution of the time intervals for each of the terminals, based on the data;

calculating for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;

comparing the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol, wherein the base station, responsive to estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocks the signal from the malfunctioning terminal; and

responsive to determining that the base station is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that incorporates teachings of the subject disclosure may include, for example, obtaining data relating to a set of collision events on a shared channel on a wireless network according to a contention-based access protocol in which a plurality of terminals attempt to access the channel contemporaneously. A probability of collision in the channel is estimated and a probability distribution of time intervals between access attempts is generated based on the estimated probability of collision. Empirical and theoretical cumulative distribution functions for the time intervals are calculated, and compared to identify a malfunctioning terminal not operating in accordance with the protocol. Other embodiments are disclosed.

17 Citations

View as Search Results

20 Claims

1. A device, comprising:
- a processor; and
  
  a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations comprising;
  
  obtaining data relating to a set of collision events on a shared channel of a communication network, wherein a plurality of terminals attempt to access the channel contemporaneously according to an access protocol, the data comprising time intervals between access attempts for each of the plurality of terminals, the channel being associated with a set of resource blocks, the terminals communicating with a base station on the network;
  
  estimating a probability of collision in the channel;
  
  generating a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating a second probability distribution of the time intervals for each of the terminals, based on the data;
  
  calculating for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  comparing the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol, wherein the base station, responsive to estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocks the signal from the malfunctioning terminal; and
  
  responsive to determining that the base station is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel to a different set of resource blocks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The device of claim 1, wherein the operations further comprise broadcasting information regarding the re-assigning on a broadcast channel.
  - 3. The device of claim 1, wherein the channel is a random access channel, and wherein access to the channel is according to a contention-based protocol.
  - 4. The device of claim 3, wherein each of the time intervals corresponds to a random number of time frames associated with the random access channel.
  - 5. The device of claim 1, wherein the comparing further comprises generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal.
  - 6. The device of claim 5, wherein the comparing further comprises applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function, wherein for some time interval, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function.
  - 7. The device of claim 1, wherein an attempt to access the channel comprises transmission of a preamble message by a sending terminal of the plurality of terminals.
  - 8. The device of claim 7, wherein the operations further comprise identifying the sending terminal based on an identifier included in the preamble message.
  - 9. The device of claim 7, wherein the data further comprise an arrival time stamp of the preamble message, and wherein the operations further comprise computing a time interval between access attempts based on the arrival time stamp of the preamble message and an arrival time stamp of a subsequent preamble message.
  - 10. The device of claim 1, wherein the malfunctioning terminal is identified as a source of a denial-of-service attack.

11. A method comprising:
- obtaining, by a device comprising a processor, data relating to a set of collision events associated with attempts to access a shared channel of a communication network, the data comprising time intervals between access attempts for each of a plurality of terminals communicating with a base station on the network;
  
  estimating, by the device, a probability of collision in the channel;
  
  generating, by the device, a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating, by the device, a second probability distribution of the time intervals for each of the terminals, based on the data;
  
  calculating, by the device, for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  comparing, by the device, the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal, wherein the base station, responsive to estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocks the signal from the malfunctioning terminal; and
  
  responsive to determining, by the device, that the base station is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the channel is associated with a set of resource blocks, and wherein the re-assigning further comprises re-assigning the channel to a different set of resource blocks.
  - 13. The method of claim 11, further comprising broadcasting information regarding the re-assigning on a broadcast channel.
  - 14. The method of claim 11, wherein the plurality of terminals attempt to access the channel contemporaneously according to an access protocol, and wherein the malfunctioning terminal is identified as not operating in accordance with the protocol.
  - 15. The method of claim 11, wherein the comparing further comprises generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal.
  - 16. The method of claim 15, wherein the comparing further comprises applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function, wherein for some time interval, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function.

17. A non-transitory machine-readable storage medium comprising executable instructions that, when executed by a processor, facilitate performance of operations comprising:
- obtaining, by a device comprising a processor, data relating to a set of collision events associated with attempts to access a shared channel of a communication network according to an access protocol, the data comprising time intervals between access attempts for each of a plurality of terminals communicating with a base station on the network;
  
  estimating a probability of collision in the channel;
  
  generating a first probability distribution of the time intervals for each of the terminals, based on the estimated probability of collision;
  
  calculating a second probability distribution of the time intervals for each of the terminals, based on the data;
  
  calculating for each terminal a first cumulative distribution function and a second cumulative distribution function from the first probability distribution and the second probability distribution respectively;
  
  comparing the first cumulative distribution function and the second cumulative distribution function for each terminal to identify a malfunctioning terminal not operating in accordance with the protocol, wherein the base station, responsive to estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, blocks the signal from the malfunctioning terminal;
  
  responsive to determining that the base station is not capable of estimating an angle of arrival of a signal incoming to the base station from the malfunctioning terminal, re-assigning the channel; and
  
  broadcasting information regarding the re-assigning on a broadcast channel.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory machine-readable storage medium of claim 17, wherein the channel is associated with a set of resource blocks, and wherein the re-assigning further comprises re-assigning the channel to a different set of resource blocks.
  - 19. The non-transitory machine-readable storage medium of claim 17, wherein the comparing further comprises generating a test statistic based on the first cumulative distribution function and the second cumulative distribution function for each terminal.
  - 20. The non-transitory machine-readable storage medium of claim 19, wherein the comparing further comprises applying a one-sided statistical goodness of fit test to the test statistic to determine a goodness of fit threshold function, wherein for some time interval, the malfunctioning terminal has a second cumulative distribution function value that exceeds the threshold function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Jover, Roger Piqueras, Murynets, Ilona
Primary Examiner(s)
PARK, JUNG H

Application Number

US15/047,298
Publication Number

US 20160248807A1
Time in Patent Office

593 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04W 24/04   Arrangements for maintainin...

H04W 24/08   Testing, supervising or mon...

H04W 64/00   Locating users or terminals...

H04W 68/00   User notification, e.g. ale...

H04W 72/30   Resource management for bro...

H04W 74/0833   Random access procedures, e...

H04W 74/0858   collision detection

Detection and mitigation of denial-of-service attacks in wireless communication networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detection and mitigation of denial-of-service attacks in wireless communication networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others