Method and apparatus for monitoring malicious traffic in communication networks

US 20070153689A1
Filed: 01/03/2006
Published: 07/05/2007
Est. Priority Date: 01/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring data traffic in a communication network, comprising receiving data traffic at a router connected to said communication network, monitoring at said router information contained in the received data traffic, and based on said information, determining at said router whether data in said traffic is indicative of a malicious threat to one or more resources connected to said communication network.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

122 Citations

22 Claims

1. A method of monitoring data traffic in a communication network, comprising receiving data traffic at a router connected to said communication network, monitoring at said router information contained in the received data traffic, and based on said information, determining at said router whether data in said traffic is indicative of a malicious threat to one or more resources connected to said communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as claimed in claim 1, wherein the step of determining comprises comparing information from the received data traffic with predetermined information indicative of the presence in the communication network of a malicious threat.
  - 3. A method as claimed in claim 1, comprising performing said monitoring using a first criteria, and, if said determining step determines that data in said traffic is indicative of a malicious threat, performing said monitoring according to a second criteria, different from said first criteria.
  - 4. A method as claimed in claim 3, wherein said first and second criteria includes first and second rates at which received data traffic is sampled to produce said information, and said second sampling rate is one of:
    - higher than, the same as, or lower than said first sampling rate.
  - 5. A method as claimed in claim 4, further comprising identifying a parameter associated with data in said traffic that is indicative of a malicious threat, and controlling selectivity of data in said traffic for monitoring, based on said parameter.
  - 6. A method as claimed in claim 5, wherein said controlling comprises biasing the selectivity of data to be monitored towards data associated with said parameter.
  - 7. A method as claimed in claim 3, further comprising performing said monitoring according to said second criteria, and determining from information obtained from monitoring according to said second criteria, whether data in said received traffic is indicative of a malicious threat.
  - 8. A method as claimed in claim 7, comprising monitoring received data according to a third criteria, different from said first and second criteria, if it is determined from information monitored according to said second criteria, that said data is indicative of a malicious threat.
  - 9. A method as claimed in claim 8, wherein said second and third criteria comprises second and third rates of sampling said received data, wherein said third sampling rate is one of:
    - higher than, the same as, or lower than said second sampling rate.
  - 10. A method as claimed in claim 1, further comprising transmitting from said router information collected by said monitoring in response to determining that received data is indicative of a malicious threat.
  - 11. A method as claimed in claim 1, further comprising selecting information relating to data from which it is determined by said determining step is indicative of a malicious threat, and transmitting said data from said router.

12. A network element for receiving and routing data traffic in a communication network, comprising:
- an interface for receiving traffic from a communication network, a monitor for monitoring information contained in the received data traffic, and a module for determining from said monitored information, whether the data in said traffic is indicative of a malicious threat to one or more resources connected to said communication network.
- View Dependent Claims (13, 14, 15)
- - 13. A network element as claimed in claim 12, wherein said module includes a comparator for comparing information based on the monitored information, with predetermined information indicative of the presence in said communication network of a malicious threat.
  - 14. A network element as claimed in claim 13, wherein said monitor is operable to monitor data traffic according to a plurality of different criteria, including a first criteria and a second criteria, and said monitor is adapted to change from said first criteria to said second criteria in response to a control signal.
  - 15. A network element as claimed in claim 14, wherein said module is adapted to generate said control signal if said module determines that data in said traffic is indicative of a malicious threat.

16. A network element for receiving and routing data traffic in a communication network, comprising:
- an interface for receiving data traffic from a communication network, a monitor for monitoring said data traffic, wherein said monitor is operable to monitor said data traffic according to a plurality of different criteria, and is responsive to a detector detecting that data in said traffic is indicative of a malicious threat to one or more resources connected to said communication network to change monitoring from a predetermined monitoring criteria to another monitoring criteria.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A network element as claimed in claim 16, further comprising said detector.
  - 18. A network element as claimed in claim 17, further comprising a module for determining a parameter indicative of said malicious threat, and wherein said other monitoring criteria biases said monitor towards monitoring said data traffic associated with said parameter.
  - 19. A network element as claimed in claim 18, wherein said module includes a comparator for comparing information from the monitored traffic with one or more threshold criteria, and is adapted to determine said parameter based on a result of said comparison.
  - 20. A network element as claimed in claim 16, wherein said monitor includes a sampler for sampling said data traffic, said sampler being capable of sampling said data traffic at different sampling rates, and wherein said predetermined monitoring criteria and said other monitoring criteria each include a sampling rate, wherein the sampling rate of the predetermined monitoring criteria is different from that of the other monitoring criteria.
  - 21. A network element as claimed in claim 16, wherein said monitor comprises a sampler for sampling said data traffic, and said sampler is capable of being configured to sample said data traffic according to a plurality of different sampling criteria.
  - 22. A network element as claimed in claim 17, wherein each different sampling criteria defines a selection criteria for controlling the selection of information from the traffic, wherein each selection criteria is different from another selection criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
Grah, Adrian, Strub, Lyle, Bou-Diab, Bashar

Granted Patent

US 9,794,272 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/230
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Method and apparatus for monitoring malicious traffic in communication networks

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for monitoring malicious traffic in communication networks

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links