Access point name and application identity based security enforcement in service provider networks

US 10,834,136 B2
Filed: 03/28/2018
Issued: 11/10/2020
Est. Priority Date: 06/15/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor network traffic on a service provider network at a security platform to identify an access point name for a new session, wherein the new session is associated with an Internet of Things (IoT) device, comprising;

identify, within the network traffic in a mobile network, a create Packet Data Protocol (PDP) request message or a create session request message to create the new session; and

extract access point name information including an access point name network identifier and an operator identifier from the create PDP request message or the create session request message;

determine an application identifier for user traffic associated with the new session at the security platform, comprising to;

monitor, via deep packet inspection, tunneled user traffic after the new session has been created to obtain the application identifier, wherein the tunneled user traffic includes General Packet Radio Service (GPRS) Tunneling Protocol User Plane (GTP-U) traffic;

determine a security policy to apply at the security platform to the new session based on the access point name and the application identifier; and

perform an enforcement action based on the security policy to provide enhanced IoT device security, wherein the security policy includes two or more security rules for threat detection, threat prevention, Uniform Resource Location (URL) filtering, Denial of Service (DoS) detection, and/or Denial of Service (DoS) prevention; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for access point name and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for access point name (e.g., APN) and application identity (e.g., application identifier) based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify an access point name for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the access point name and the application identifier.

79 Citations

View as Search Results

21 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor network traffic on a service provider network at a security platform to identify an access point name for a new session, wherein the new session is associated with an Internet of Things (IoT) device, comprising;
  
  identify, within the network traffic in a mobile network, a create Packet Data Protocol (PDP) request message or a create session request message to create the new session; and
  
  extract access point name information including an access point name network identifier and an operator identifier from the create PDP request message or the create session request message;
  
  determine an application identifier for user traffic associated with the new session at the security platform, comprising to;
  
  monitor, via deep packet inspection, tunneled user traffic after the new session has been created to obtain the application identifier, wherein the tunneled user traffic includes General Packet Radio Service (GPRS) Tunneling Protocol User Plane (GTP-U) traffic;
  
  determine a security policy to apply at the security platform to the new session based on the access point name and the application identifier; and
  
  perform an enforcement action based on the security policy to provide enhanced IoT device security, wherein the security policy includes two or more security rules for threat detection, threat prevention, Uniform Resource Location (URL) filtering, Denial of Service (DoS) detection, and/or Denial of Service (DoS) prevention; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies based on the access point name and the application identifier.
  - 3. The system recited in claim 1, wherein the security platform is configured to perform security policy enforcement based on the access point name and the application identifier.
  - 4. The system recited in claim 1, wherein the security platform is configured to perform threat detection and/or threat prevention based on the access point name and the application identifier.
  - 5. The system recited in claim 1, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering based on the access point name and the application identifier.
  - 6. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 3G and/or 4G network.
  - 7. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a GPRS Tunneling Protocol (GTP) in a mobile core network for a 3G and/or 4G network.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - block the new session from accessing a resource based on the security policy.
  - 9. The system recited in claim 1, wherein the security platform performs the enforcement action based on the security policy based on the access point name and the application identifier, wherein the access point name (APN) is associated with a private APN for IoT devices.

10. A method, comprising:
- monitoring network traffic on a service provider network at a security platform to identify an access point name for a new session, wherein the new session is associated with an Internet of Things (IoT) device, comprising;
  
  identifying, within the network traffic in a mobile network, a create Packet Data Protocol (PDP) request message or a create session request message to create the new session; and
  
  extracting access point name information including an access point name network identifier and an operator identifier from the create PDP request message or the create session request message;
  
  determining an application identifier for user traffic associated with the new session at the security platform, comprising to;
  
  monitoring, via deep packet inspection, tunneled user traffic after the new session has been created to obtain the application identifier, wherein the tunneled user traffic includes General Packet Radio Service (GPRS) Tunneling Protocol User Plane (GTP-U) traffic;
  
  determining a security policy to apply at the security platform to the new session based on the access point name and the application identifier; and
  
  perform an enforcement action based on the security policy to provide enhanced IoT device security, wherein the security policy includes two or more security rules for threat detection, threat prevention, Uniform Resource Location (URL) filtering, Denial of Service (DoS) detection, and/or Denial of Service (DoS) prevention.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the security platform is configured with a plurality of security policies based on the access point name and the application identifier.
  - 12. The method of claim 10, wherein the security platform is configured to perform security policy enforcement based on the access point name and the application identifier.
  - 13. The method of claim 10, wherein the security platform is configured to perform threat detection and/or threat prevention based on the access point name and the application identifier.
  - 14. The method of claim 10, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering based on the access point name and the application identifier.
  - 15. The method of claim 10, further comprising:
    - blocking the new session from accessing a resource based on the security policy.

16. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- monitoring network traffic on a service provider network at a security platform to identify an access point name for a new session, wherein the new session is associated with an Internet of Things (IoT) device, comprising;
  
  identifying, within the network traffic in a mobile network, a create Packet Data Protocol (PDP) request message or a create session request message to create the new session; and
  
  extracting access point name information including an access point name network identifier and an operator identifier from the create PDP request message or the create session request message;
  
  determining an application identifier for user traffic associated with the new session at the security platform, comprising to;
  
  monitoring, via deep packet inspection, tunneled user traffic after the new session has been created to obtain the application identifier, wherein the tunneled user traffic includes General Packet Radio Service (GPRS) Tunneling Protocol User Plane (GTP-U) traffic;
  
  determining a security policy to apply at the security platform to the new session based on the access point name and the application identifier; and
  
  perform an enforcement action based on the security policy to provide enhanced IoT device security, wherein the security policy includes two or more security rules for threat detection, threat prevention, Uniform Resource Location (URL) filtering, Denial of Service (DoS) detection, and/or Denial of Service (DoS) prevention.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer program product recited in claim 16, wherein the security platform is configured with a plurality of security policies based on the access point name and the application identifier.
  - 18. The computer program product recited in claim 16, wherein the security platform is configured to perform security policy enforcement based on the access point name and the application identifier.
  - 19. The computer program product recited in claim 16, wherein the security platform is configured to perform threat detection and/or threat prevention based on the access point name and the application identifier.
  - 20. The computer program product recited in claim 16, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering based on the access point name and the application identifier.
  - 21. The computer program product recited in claim 16, further comprising computer instructions for:
    - blocking the new session from accessing a resource based on the security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Verma, Sachin, Burakovsky, Leonid
Primary Examiner(s)
Song, Hee K

Application Number

US15/939,053
Publication Number

US 20180367574A1
Time in Patent Office

958 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04W 12/088   using filters or firewalls

H04W 12/73   Access point logical identity

Access point name and application identity based security enforcement in service provider networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Access point name and application identity based security enforcement in service provider networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links