Processing method for network address translation technology, NAT device and BNG device

US 9,998,492 B2
Filed: 08/27/2013
Issued: 06/12/2018
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A processing method for a Network Address Translation (NAT), the method comprising:

determining, by an NAT device, whether or not a session establishment of a user equipment (UE) reaches a preset threshold;

notifying, by the NAT device, a Broadband Network Gateway (BNG) device to execute a security strategy for the UE responsive to determining the session establishment of the UE reaches the preset threshold, wherein the security strategy is used for stopping an attack behavior of the UE and informing the UE of the attack behavior of the UE;

wherein the method further comprises;

accelerating, by the NAT device, aging of one or more sessions of the UE when the NAT device notifies the BNG device to execute the security strategy for the UE;

wherein executing, by the BNG device, the security strategy for the UE comprises;

executing, by the BNG device, a forced Web page pushing strategy for the UE to re-direct an Hypertext Transfer protocol (HTTP) request sent by the UE to a first prompt page, wherein the first prompt page is used for informing the UE of an existence of the attack behavior during an access of the UE;

wherein after executing, by the BNG device, the security strategy for the UE, the method further comprises;

notifying, by the NAT device, the BNG device to execute, aiming at an access behavior of the UE, an operation of forcing the UE to be offline or returning the UE to an unauthenticated state; and

notifying, by the NAT device, an Authentication, Authorization and Accounting (AAA) server to mark or set the UE as a UE having the attack behavior, wherein the first prompt page is further used for reminding the UE that the UE is to be forced to be offline or returned to the unauthenticated state;

responsive to the UE requesting to be online and/or to be authenticated again, authenticating, by the AAA server, the UE, after the UE passes the authentication by the AAA server, notifying, by the AAA server, the BNG device to execute a forced Web page pushing strategy for the UE to re-direct a page access request of the UE to a second prompt page, wherein the second prompt page is used for reminding the UE that a reason why the UE was formerly forced to be offline or returned to the unauthenticated state is the attack behavior of the UE and responsive to determining the UE still has the attack behavior, the UE will be forced to be offline or returned to the unauthenticated state again, and reminding the UE to check and kill viruses and/or Trojans.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a processing method for a Network Address Translation, NAT, technology, an NAT device and a BNG device, the method includes: the NAT device determining whether or not session establishment of a UE reaches a preset threshold, and notifying the BNG device to execute a security strategy for the UE if the session establishment of the UE reaches the preset threshold, wherein the security strategy is used for stopping the attack behavior of the UE and informing the UE of the attack behavior of the UE. In the disclosure, the technical problem in the related art that the user lodges complaints against the operator for the abnormal behavior of the host user is solved, thus by reminding the user to check the security of the host user, the disclosure increases the utilization rate of the NAT device and improves user experience.

Citations

14 Claims

1. A processing method for a Network Address Translation (NAT), the method comprising:
- determining, by an NAT device, whether or not a session establishment of a user equipment (UE) reaches a preset threshold;
  
  notifying, by the NAT device, a Broadband Network Gateway (BNG) device to execute a security strategy for the UE responsive to determining the session establishment of the UE reaches the preset threshold, wherein the security strategy is used for stopping an attack behavior of the UE and informing the UE of the attack behavior of the UE;
  
  wherein the method further comprises;
  
  accelerating, by the NAT device, aging of one or more sessions of the UE when the NAT device notifies the BNG device to execute the security strategy for the UE;
  
  wherein executing, by the BNG device, the security strategy for the UE comprises;
  
  executing, by the BNG device, a forced Web page pushing strategy for the UE to re-direct an Hypertext Transfer protocol (HTTP) request sent by the UE to a first prompt page, wherein the first prompt page is used for informing the UE of an existence of the attack behavior during an access of the UE;
  
  wherein after executing, by the BNG device, the security strategy for the UE, the method further comprises;
  
  notifying, by the NAT device, the BNG device to execute, aiming at an access behavior of the UE, an operation of forcing the UE to be offline or returning the UE to an unauthenticated state; and
  
  notifying, by the NAT device, an Authentication, Authorization and Accounting (AAA) server to mark or set the UE as a UE having the attack behavior, wherein the first prompt page is further used for reminding the UE that the UE is to be forced to be offline or returned to the unauthenticated state;
  
  responsive to the UE requesting to be online and/or to be authenticated again, authenticating, by the AAA server, the UE, after the UE passes the authentication by the AAA server, notifying, by the AAA server, the BNG device to execute a forced Web page pushing strategy for the UE to re-direct a page access request of the UE to a second prompt page, wherein the second prompt page is used for reminding the UE that a reason why the UE was formerly forced to be offline or returned to the unauthenticated state is the attack behavior of the UE and responsive to determining the UE still has the attack behavior, the UE will be forced to be offline or returned to the unauthenticated state again, and reminding the UE to check and kill viruses and/or Trojans.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein re-directing, by the BNG device, the HTTP request sent by the UE to the first prompt page comprises:
    - re-directing, by the BNG device, the HTTP request sent by the UE to the first prompt page at a preset interval.
  - 3. The method according to claim 1, wherein the first prompt page is further used for reminding the UE to check or kill viruses and/or Trojans.
  - 4. The method according to claim 1, wherein the NAT device comprises at least one of:
    - an NAT device integrated with the BNG device; and
      
      an NAT device arranged separated from the BNG device.
  - 5. The method according to claim 4, wherein in case the NAT device is integrated with the BNG device, notifying, by the NAT device, the BNG device to execute the security strategy for the UE comprises one of:
    - sending, by the NAT device, identification information of the UE to a security strategy server, and notifying, by the security strategy server, the BNG device to execute the security strategy for the UE; and
      
      sending, by the NAT device, identification information of the UE to the BNG device to notify the BNG device to execute the security strategy for the UE.
  - 6. The method according to claim 1, wherein after notifying, by the NAT device, the BNG device to execute the security strategy for the UE, the method further comprises:
    - responsive to determining, by the NAT device, that the session establishment of the UE fails to reach the preset threshold or that the UE cancels execution of the security strategy via a forcedly pushed Web page, notifying, by the NAT device, the BNG device to cancel execution of the security strategy for the UE.
  - 7. The method according to claim 6, wherein in case the NAT device is integrated with the BNG device, notifying, by the NAT device, the BNG device to cancel execution of the security strategy for the UE comprises one of:
    - sending, by the NAT device, identification information of the UE to a security strategy server, and the security strategy server notifying the BNG device to cancel execution of the security strategy for the UE; and
      
      sending, by the NAT device, identification information of the UE to the BNG device to notify the BNG device to cancel execution of the security strategy for the UE.
  - 8. The method according to claim 1, wherein in case the NAT device executes an operation of forcedly pushing a Web page in a public network aiming at access behavior of the UE, the NAT device establishes a session between the UE and an Hypertext Transfer protocol (HTTP) connection of the forcedly pushed Web page.
  - 9. The method according to claim 1, wherein a session for the NAT device to determine whether or not the session establishment of the UE reaches the preset threshold comprises at least one of:
    - a session established by a Transmission Control Protocol (TCP) connection of the UE;
      
      a session established by an Internet Control Message Protocol (ICMP) connection of the UE; and
      
      a session established by a User Datagram Protocol (UDP) connection of the UE.
  - 10. The method according to claim 1, wherein the preset threshold comprises at least one of:
    - a total number of sessions established by the UE, and a speed of establishing sessions by the UE.

11. A Network Address Translation (NAT) device, comprising:
- a hardware processor coupled with a memory and configured to execute program components stored on the memory, wherein the program components comprises;
  
  a determination component configured to determine whether or not a session establishment of a user equipment (UE) a reaches a preset threshold; and
  
  a first notification component configured to notify a Broadband Network Gateway (BNG) device to execute a security strategy for the UE responsive to determining the session establishment of the UE reaches the preset threshold, wherein the security strategy is used for stopping an attack behavior of the UE and informing the UE of the attack behavior of the UE;
  
  wherein the program components further comprise;
  
  a processing component configured to accelerate aging of one and more sessions of the UE when the NAT device notifies the BNG device to execute the security strategy for the UE,wherein the program components further comprise;
  
  a second notification component configured to notify the BNG device to execute, aiming at an access behavior of the UE, an operation of forcing the UE to be offline or returning the UE to an unauthenticated state and notify an Authentication, Authorization and Accounting (AAA) server to mark or set the UE as a UE having the attack behavior, wherein a first prompt page is further used for reminding the UE that the UE is to be forced to be offline or returned to the unauthenticated state so as to let the UE request to be online and/or to be authenticated again;
  
  the second notification component further configured to notify the BNG device to execute a forced Web page pushing strategy for the UE to re-direct a page access request of the UE to a second prompt page after the UE passes authentication executed by the AAA server, wherein the second prompt page is used for informing the UE that a reason why the UE was formerly forced to be offline or returned to the unauthenticated state is the attack behavior of the UE, and reminding the UE that the UE will be forced to be offline or returned to the unauthenticated state again responsive to determining the UE still has the attack behavior, and reminding the UE to check and kill viruses and/or Trojans.
- View Dependent Claims (12, 13)
- - 12. The NAT device according to claim 11, wherein the program components further comprise:
    - a third notification component configured to notify the BNG device to cancel execution of the security strategy for the UE responsive to determining that the session establishment of the UE fails to reach the preset threshold or that the UE cancels execution of the security strategy via a forcedly pushed Web page.
  - 13. The NAT device according to claim 11, wherein the program components further comprise:
    - a third notification component configured to notify the BNG device to cancel execution of the security strategy for the UE responsive to determining that the session establishment of the UE fails to reach the preset threshold or that the UE cancels execution of the security strategy via a forcedly pushed Web page.

14. A Broadband Network Gateway (BNG) device, comprising:
- a hardware processor coupled with a memory and configured to execute program components stored on the memory, wherein the program components comprises;
  
  a first receiving component configured to receive a first notification which is sent by a Network Address Translation (NAT) device to indicate execution of a security strategy for a user equipment (UE) when a session establishment of the UE reaches a preset threshold, the security strategy is used for stopping attack behavior of the UE and informing the UE of the attack behavior of the UE; and
  
  a re-direct component configured to execute a forced Web page pushing strategy for the UE to re-direct an Hypertext Transfer protocol (HTTP) request sent by the UE to a first prompt page, wherein the first prompt page is used for informing the UE of an existence of the attack behavior of the UE;
  
  wherein the program components further comprise;
  
  a second receiving component configured to receive a second notification which is sent by the NAT device to indicate execution of an operation of forcing the UE to be offline or returning the UE to an unauthenticated state aiming at an access behavior of the UE; and
  
  a processing component configured to execute, aiming at the access behavior of the UE, an operation of forcing the UE to be offline or returning the UE to the unauthenticated state according to the second notification and notify an Authentication, Authorization and Accounting (AAA) server to mark or set the UE as a UE having the attack behavior, wherein the first prompt page is further used for reminding the UE that the UE is to be forced to be offline or returned to the unauthenticated state so as to let the UE request to be online and/or to be authenticated again, the processing component further configured to execute a forced Web page pushing strategy for the UE to re-direct a page access request of the UE to a second prompt page when the BNG device is notified by the AAA server after the UE passes authentication executed by the AAA server, wherein the second prompt page reminding the UE that a reason why the UE was formerly forced to be offline or returned to the unauthenticated state is the attack behavior of the UE, and remind the UE that the UE will be forced to be offline or returned to the unauthenticated state again responsive to determining the UE still has the attack behavior, and remind the UE to check and kill viruses and/or Trojans.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ZTE Corporation
Original Assignee
ZTE Corporation
Inventors
Fan, Liang, Yuan, Bo
Primary Examiner(s)
NGUYEN, TRONG H

Application Number

US14/442,549
Publication Number

US 20160285908A1
Time in Patent Office

1,750 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/2869   Operational details of acce...

H04L 61/2517   using port numbers

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 67/02   based on web technology, e....

H04L 67/55   Push-based network services

H04L 67/563   Data redirection of data ne...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Processing method for network address translation technology, NAT device and BNG device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Processing method for network address translation technology, NAT device and BNG device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links