Detecting and deterring network attacks

US 10,819,727 B2
Filed: 10/15/2018
Issued: 10/27/2020
Est. Priority Date: 10/15/2018
Status: Active Grant

First Claim

Patent Images

1. A system to detect a network attack, comprising:

a first device, comprising;

a first processor;

a first non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the first processor;

a first time input in communication with a high-precision time source;

a first time stamping module in communication with the first time input to associate a first time stamp with each of a first plurality of data packets, the first time stamp corresponding to a time that each data packet is transmitted by the first device according to the high-precision time source; and

a network interface to transmit the first plurality of data packets through a data network;

a second device, comprising;

a second processor;

a second non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the second processor;

a second time input in communication with the high-precision time source;

a second time stamping module in communication with the second time input to associate a second time stamp with each of the first plurality of data packets, the second time stamp corresponding to a time that each data packet is received by the second device according to the high-precision time source;

a time of flight subsystem module to;

determine a time of flight for each of the first plurality of data packets based on the first time stamp and the second time stamp; and

determine whether the time of flight for each of the first plurality of data packets is consistent with at least one valid time of flight; and

a protective action subsystem module to implement a protective action based on a determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight;

wherein the protective action comprises detecting that the first time input is compromised based on the determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight and selectively rerouting at least one of the first plurality of data packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure pertains to detecting a network attack. In one embodiment, a first device may receive a high-precision time signal and may use the signal to associate a first time stamp with each of a plurality of data packets reflecting a time that each data packet is transmitted. A second device may receive the plurality of data packets from the first device via a data network. The second device may also receive the high-precision time signal and may use the signal to associate a second time stamp with each of the plurality of data packets reflecting a time that each data packet is received. A time of flight may be determined based on the first time stamp and the second time stamp. The second device may determine whether the time of flight for each of the first plurality of data packets is consistent with a valid time of flight.

236 Citations

19 Claims

1. A system to detect a network attack, comprising:
- a first device, comprising;
  
  a first processor;
  
  a first non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the first processor;
  
  a first time input in communication with a high-precision time source;
  
  a first time stamping module in communication with the first time input to associate a first time stamp with each of a first plurality of data packets, the first time stamp corresponding to a time that each data packet is transmitted by the first device according to the high-precision time source; and
  
  a network interface to transmit the first plurality of data packets through a data network;
  
  a second device, comprising;
  
  a second processor;
  
  a second non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the second processor;
  
  a second time input in communication with the high-precision time source;
  
  a second time stamping module in communication with the second time input to associate a second time stamp with each of the first plurality of data packets, the second time stamp corresponding to a time that each data packet is received by the second device according to the high-precision time source;
  
  a time of flight subsystem module to;
  
  determine a time of flight for each of the first plurality of data packets based on the first time stamp and the second time stamp; and
  
  determine whether the time of flight for each of the first plurality of data packets is consistent with at least one valid time of flight; and
  
  a protective action subsystem module to implement a protective action based on a determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight;
  
  wherein the protective action comprises detecting that the first time input is compromised based on the determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight and selectively rerouting at least one of the first plurality of data packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the network comprises a software defined network and selectively rerouting at least one of the first plurality of data packets comprises a change to a data flow to reroute a data flow.
  - 3. The system of claim 1, wherein the protective action comprises flagging at least one of the first plurality of data packets that is inconsistent with the at least one valid time of flight for operator review.
  - 4. The system of claim 1, wherein the first device further comprises a hash subsystem to generate a hash value and to associate the hash value with each of the first plurality of data packets.
  - 5. The system of claim 4, wherein the hash value is generated based on an identifier of the first device and a data value in each of the first plurality of data packets.
  - 6. The system of claim 1, wherein the high-precision time source comprises a global navigation satellite system (GNSS) and each of the first time input and the second time input are in communication with a GNSS receiver.
  - 7. The system of claim 1, wherein each of the first device and the second device comprise a network switch.
  - 8. The system of claim 1, wherein each of the first device and the second device comprise an intelligent electronic device.
  - 9. The system of claim 1, wherein the at least one valid time of flight is determined based on a time of flight of a second plurality of data packets transmitted during a configuration process.
  - 10. The system of claim 1, wherein the first time stamp is appended to each data packet using one of a precision time protocol tag and an offset into a data field.
  - 11. The system of claim 1, wherein a time of flight module is further configured to:
    - determine a valid number of hops associated with the at least one valid time of flight; and
      
      determine whether an actual number of hops for each of the first plurality of data packets is consistent with the valid number of hops.

12. A method for detecting a network attack, comprising:
- receiving, using a first device, a high-precision time signal;
  
  associating, using the first device, a first time stamp with each of a first plurality of data packets, the first time stamp corresponding to a time that each data packet is transmitted by the first device according to the high-precision time source;
  
  transmitting, using the first device, the first plurality of data packets through a data network;
  
  receiving, using a second device, the high-precision time signal;
  
  associating, using the second device, a second time stamp with each of the first plurality of data packets, the second time stamp corresponding to a time that each data packet is received by the second device according to the high-precision time source;
  
  determining, using the second device, a time of flight for each of the first plurality of data packets based on difference between the first time stamp and the second time stamp;
  
  determining, using the second device, whether the time of flight for each of the first plurality of data packets is consistent with at least one valid time of flight;
  
  implementing, using the second device, a protective action based on a determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight; and
  
  wherein the protective action comprises detecting that the first time input is compromised based on the determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight and selectively rerouting at least one of the first plurality of data packets.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein selectively rerouting at least one of the first plurality of data packets comprises rerouting data packets in the network by changing a data flow in a software defined network.
  - 14. The method of claim 12, further comprising:
    - generating, using the first device, a hash value; and
      
      associating the hash value with each of the first plurality of data packets.
  - 15. The method of claim 14, wherein the hash value is generated based on an identifier of the first device and a data value in each of the first plurality of data packets.
  - 16. The method of claim 12, wherein each of the first device and the second device comprise a network switch.
  - 17. The method of claim 12, wherein each of the first device and the second device comprise an intelligent electronic device.
  - 18. The method of claim 12, further comprising:
    - determining the at least one valid time of flight based on a time of flight of a second plurality of data packets transmitted during a configuration process.

19. A system to detect a network attack, comprising:
- a first device, comprising;
  
  a first processor;
  
  a first non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the first processor;
  
  a first time input in communication with a high-precision time source;
  
  a first time stamping module in communication with the first time input to associate a first time stamp with each of a first plurality of data packets, the first time stamp corresponding to a time that each data packet is transmitted by the first device according to the high-precision time source; and
  
  a network interface to transmit the first plurality of data packets through a data network;
  
  a second device, comprising;
  
  a second processor;
  
  a second non-transitory computer-readable medium to store a plurality of modules comprising instructions executable by the second processor;
  
  a second time input in communication with the high-precision time source;
  
  a second time stamping module in communication with the second time input to associate a second time stamp with each of the first plurality of data packets, the second time stamp corresponding to a time that each data packet is received by the second device according to the high-precision time source;
  
  a time of flight module to;
  
  determine a time of flight for each of the first plurality of data packets based on the first time stamp and the second time stamp; and
  
  determine whether the time of flight for each of the first plurality of data packets is consistent with at least one valid time of flight; and
  
  a protective action module to implement a protective action based on a determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight;
  
  wherein the protective action comprises detecting that the first time input is compromised based on the determination that the time of flight of at least one of the first plurality of data packets is inconsistent with the at least one valid time of flight and selectively discard at least one of the first plurality of data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schweitzer Engineering Laboratories, Incorporated
Original Assignee
Schweitzer Engineering Laboratories, Incorporated
Inventors
Kalra, Amandeep Singh, Dolezilek, David J.
Primary Examiner(s)
Harris, Christopher C

Application Number

US16/159,925
Publication Number

US 20200120119A1
Time in Patent Office

743 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/106   using time related informat...

H04L 47/28   in relation to timing consi...

H04L 49/25   Routing or path finding in ...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Y04S 40/00   Systems for electrical powe...

Y04S 40/20   Information technology spec...

Detecting and deterring network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

236 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Detecting and deterring network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others