System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network

US 7,120,934 B2
Filed: 03/29/2001
Issued: 10/10/2006
Est. Priority Date: 03/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system for identifying and diverting problematic information packets transmitted from a first network device to a second network device, comprising:

a switching system that provides a network address of the second network device to the first network device, said switching system receiving information packets from the first network device and directing the information packets to the second network device;

a route arbitration system that monitors the information packets received by said switching system, said route arbitration system determining whether the information packets comprise abnormal network activity in accordance with a first predetermined criteria and, if said route arbitration system determines that the information packets comprise abnormal network activity, identifying the information packets as being abnormal information packets;

a traffic analysis system that monitors the abnormal information packets identified by said route arbitration system, said traffic analysis system determining whether the abnormal information packets are problematic in accordance with a second predetermined criteria and, if said traffic analysis system determines that the abnormal information packets are problematic, identifying the abnormal information packets as being the problematic information packets and inhibiting said switching system from broadcasting the network address of the second network device to the first network device,wherein said switching system, when inhibited, renders the second network device unreachable and prevents the first network device from transmitting the problematic information packets to said switching system; and

a firewall system that identifies suspect information packets received from the first network device, said switching system directing the information packets to the second network device via said firewall system, wherein said traffic analysis system determines whether the suspect information packets are problematic and, if said traffic analysis system determines that the suspect information packets are problematic, inhibits said switching system from broadcasting the network address of the second network device to the first network device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are directed to a detection system, method and apparatus that identifies and eradicates fraudulent requests on a network. Embodiments of the detection system comprise at least one router, a server, and an activity monitoring system. The activity monitoring system comprises a route arbiter and a traffic analyzer, wherein the route arbiter monitors the activity on the router. The route arbiter continuously monitors the router and firewall device to determine if abnormal activity or traffic patterns are emerging. If a determination is made that abnormal activity or abnormal traffic patterns exist, the activity monitoring system responds by blocking the activity or redirecting the traffic.

174 Citations

35 Claims

1. A system for identifying and diverting problematic information packets transmitted from a first network device to a second network device, comprising:
- a switching system that provides a network address of the second network device to the first network device, said switching system receiving information packets from the first network device and directing the information packets to the second network device;
  
  a route arbitration system that monitors the information packets received by said switching system, said route arbitration system determining whether the information packets comprise abnormal network activity in accordance with a first predetermined criteria and, if said route arbitration system determines that the information packets comprise abnormal network activity, identifying the information packets as being abnormal information packets;
  
  a traffic analysis system that monitors the abnormal information packets identified by said route arbitration system, said traffic analysis system determining whether the abnormal information packets are problematic in accordance with a second predetermined criteria and, if said traffic analysis system determines that the abnormal information packets are problematic, identifying the abnormal information packets as being the problematic information packets and inhibiting said switching system from broadcasting the network address of the second network device to the first network device,wherein said switching system, when inhibited, renders the second network device unreachable and prevents the first network device from transmitting the problematic information packets to said switching system; and
  
  a firewall system that identifies suspect information packets received from the first network device, said switching system directing the information packets to the second network device via said firewall system, wherein said traffic analysis system determines whether the suspect information packets are problematic and, if said traffic analysis system determines that the suspect information packets are problematic, inhibits said switching system from broadcasting the network address of the second network device to the first network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein said switching system includes a routing system.
  - 3. The system of claim 1, wherein said route arbitration system is at least partially incorporated into said switching system.
  - 4. The system of claim 1, wherein said route arbitration system communicates with said switching system via at least one communication link selected from the group consisting of a remote monitoring network probe, a switching device, and an Ethernet probe.
  - 5. The system of claim 1, wherein said route arbitration system monitors a volume of the information packets.
  - 6. The system of claim 5, wherein said route arbitration system determines that the information packets comprise said abnormal network activity when the volume of the information packets is greater than a preselected volume threshold level.
  - 7. The system of claim 1, wherein said route arbitration system, upon determining that the information packets no longer comprise said abnormal network activity, enables said switching system to again provide the network address of the second network device to the first network device and receive the information packets from the first network device.
  - 8. The system of claim 1, wherein said traffic analysis system is at least partially incorporated into said switching system.
  - 9. The system of claim 1, wherein said traffic analysis system monitors a volume of the abnormal information packets.
  - 10. The system of claim 9, wherein said traffic analysis system determines that the abnormal information packets are problematic when the volume of the abnormal information packets is greater than a preselected volume threshold level.
  - 11. The system of claim 9, wherein said traffic analysis system determines that the abnormal information packets are problematic when the volume of the abnormal information packets does not decrease during a preselected time interval.
  - 12. The system of claim 1, wherein said traffic analysis system instructs said switching system to redirect the information packets to a null network device having a null address, said null network device receiving the information packets and providing no response to the first network device.
  - 13. The system of claim 12, wherein said traffic analysis system instructs said switching system to provide said null address to the first network device such that the first network device transmits the problematic information packets to said null network device.
  - 14. The system of claim 13, wherein said null network device is provided by at least one of said route arbitration system and said traffic analysis system.

15. A system for identifying and diverting problematic information packets transmitted from a first network device to a second network device, comprising:
- a switching system that provides a network address to the first network device, said switching system receiving information packets from the first network device and directing the information packets to the second network device;
  
  an activity monitoring system that monitors the information packets received by said switching system, said activity monitoring system determining whether the information packets are problematic in accordance with at least one predetermined criteria and, if said activity monitoring system determines that the information packets are problematic, identifying the information packets as being the problematic information packets and inhibiting said switching system from broadcasting the network address of the second network device to the first network device,wherein said switching system, when inhibited, renders the second network device unreachable and prevents the first network device from transmitting the problematic information packets to said switching system; and
  
  said activity monitoring system includes;
  
  a route arbitration system that monitors the information packets received by said switching system, said route arbitration system determining whether the information packets comprise abnormal network activity in accordance with a first information packets comprise abnormal network activity, identifying the information packets are being abnormal information packets; and
  
  a traffic analysis system that monitors the abnormal information packets identified by said route arbitration system, said analysis system determining whether the abnormal information packets comprises the problematic information packets in accordance with a second predetermined criteria and, if said traffic analysis system determines that the abnormal information packets comprise the problematic information packets, inhibiting said switching system from providing the network information packets, inhibiting said switching system from broadcasting the network address of the second network device to the first network device.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein said activity monitoring system monitors a volume of the information packets and determines that the information packets are problematic when the volume of the information packets is greater than a preselected volume threshold level.
  - 17. The system of claim 16, wherein said activity monitoring system monitors a volume of the information packets that exceed said preselected volume threshold level and determines that the information packets are problematic when the volume of the information packets exceeding said preselected volume threshold level does not decrease during a preselected time interval.

18. A system for identifying and diverting problematic information packets received from an external network device, comprising:
- a protected network device having a network address;
  
  a switching system that provides said network address to the external network device, said switching system receiving information packets from the external network device and directing the information packets to said protected network device;
  
  a route arbitration system that monitors the information packets received by said switching system, said route arbitration system determining whether the information packets comprise abnormal network activity in accordance with a first predetermined criteria and, if said route arbitration system determines that the information packets comprise abnormal network activity, identifying the information packets as being abnormal information packets;
  
  a traffic analysis system that monitors the abnormal information packets identified by said route arbitration system, said traffic analysis system determining whether the abnormal information packets are problematic in accordance with a second predetermined criteria and, if said traffic analysis system determines that the abnormal information packets are problematic, identifying the abnormal information packets as being the problematic information packets and inhibiting said switching system from broadcasting the network address of said protected network device to the external network device,wherein said switching system, when inhibited, renders said protected network device unreachable and prevents the external network device from transmitting the problematic information packets to said switching system; and
  
  a firewall system that identifies suspect information packets received from the external network device, said switching system directing the information packets to the protected network device via said firewall system, said traffic analysis system determining whether the suspect information packets are problematic and, if said traffic analysis system determines that the suspect information packets are problematic, inhibiting said switching system from broadcasting the network address of the protected network device to the external network device.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The system of claim 18, wherein said protected network device comprises at least one network device selected from the group consisting of a server system, a computer system, a provider computer system, a user computer system, a router system, an edge router system, a core router system, and a firewall.
  - 20. The system of claim 18, further comprising a communication system, said switching system communicating with the external network device via said communication system.
  - 21. The system of claim 20, wherein said communication system comprises a communication link selected from the group consisting of a local area network, a wired communication network, a wireless communication network, a wide area network, a public communication network, and the Internet.
  - 22. The system of claim 18, wherein said route arbitration system monitors a volume of the information packets and determines that the information packets comprise said abnormal network activity when the volume of the information packets is greater than a preselected volume threshold level.
  - 23. The system of claim 18, wherein said route arbitration system, upon determining that the information packets no longer comprise said abnormal network activity, enables said switching system to again provide the network address of the protected network device to the external network device and receive the information packets from the external network device.
  - 24. The system of claim 18, wherein said traffic analysis system monitors a volume of the abnormal information packets and determines that the abnormal information packets are problematic when the volume of the abnormal information packets is greater than a preselected volume threshold level.
  - 25. The system of claim 18, wherein said traffic analysis system monitors a volume of the abnormal information packets and determines that the abnormal information packets are problematic when the volume of the abnormal information packets does not decrease during a preselected time interval.
  - 26. The system of claim 18, wherein said traffic analysis system instructs said switching system to redirect the information packets to a null network device having a null address, said null network device receiving the information packets and providing no response to the external network device.
  - 27. The system of claim 18, wherein said traffic analysis system instructs said switching system to redirect the information packets to a traffic analysis device, said traffic analysis device receiving and analyzing the information packets.

28. A method for identifying and diverting problematic information packets transmitted from a first network device to a second network device, comprising:
- providing a network address of the second network device to the first network device via a switching system receiving information packets from the first network device and directing the information packets to said second network device;
  
  monitoring the information packets received from the first network device;
  
  determining whether the information packets comprise abnormal network activity in accordance with a first predetermined criteria;
  
  if the information packets are determined to comprise abnormal network activity, identifying the information packets as being abnormal information packets;
  
  monitoring the abnormal information packets;
  
  determining whether the abnormal information packets are problematic in accordance with a second predetermined criteria; and
  
  if the abnormal information packets are determined to be problematic,identifying the abnormal information packets as being the problematic information packets;
  
  inhibiting said switching system from broadcasting the network address of said second network device to the first network device,wherein said switching system, when inhibited, renders the second network device unreachable and prevents the first network device from transmitting the problematic information packets to said switching system; and
  
  a firewall system that identifies suspect information packets received from the external network device, said switching system directing the information packets to the protected network device via said firewall system, said monitoring system determining whether the suspect information packets are problematic and, if said monitoring system determines that the suspect information packets are problematic, inhibiting said switching system from broadcasting the network address of the protected network device to the external network device.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, wherein said monitoring the information packets includes monitoring a volume of the information packets and wherein said determining whether the information packets comprise said abnormal network activity includes determining that the information packets comprise said abnormal network activity when the volume of the information packets is greater than a preselected volume threshold level.
  - 30. The method of claim 28, wherein said monitoring the abnormal information packets includes monitoring a volume of the abnormal information packets and wherein said determining whether the abnormal information packets are problematic includes determining that the abnormal information packets are problematic when the volume of the abnormal information packets does not decrease during a preselected time interval.
  - 31. The method of claim 28, further comprising determining that the information packets no longer comprise said abnormal network activity and enabling said switching system to again provide the network address of the second network device to the first network device and receive the information packets from the first network device.
  - 32. The method of claim 28, wherein said inhibiting said switching system includes redirecting the information packets to a null network device having a null address, said null network device receiving the information packets and providing no response to the first network device.
  - 33. The method of claim 32, wherein said redirecting the information packets includes instructing said switching system to provide said null address to the first network device such that the first network device transmits the problematic information packets to said null network device.

34. A method for identifying and diverting problematic information packets transmitted from a first network device to a second network device, comprising:
- providing a network address of the second network device to the first network device via a switching system receiving information packets from the first network device and directing the information packets to said second network device;
  
  monitoring the information packets received from the first network device;
  
  determining whether the information packets are problematic in accordance with at least one predetermined criteria;
  
  if the information packets are determined to be problematic,identifying the information packets as being the problematic information packets; and
  
  inhibiting said switching system from broadcasting the network address of said second device to the first network device,wherein said switching system, when inhibited, renders the second network device unreachable and prevents the first network device from transmitting the problematic information packets to said switching system; and
  
  a firewall system that identifies suspect information packets received from the external network device, said switching System directing the information packets to the protected network device via said firewall system, said monitoring system determining whether the suspect information packets are problematic and if said monitoring system determines that the suspect information packets are problematic, inhibiting said switching system from broadcasting the network address of the protected network device to the external network device.
- View Dependent Claims (35)
- - 35. The method of claim 34, wherein said determining whether the information packets are problematic includes:
    - determining whether the information packets comprise abnormal network activity in accordance with a first predetermined criteria;
      
      if the information packets are determined to comprise abnormal network activity, identifying the information packets as being abnormal information packets;
      
      monitoring the abnormal information packets; and
      
      determining whether the abnormal information packets are problematic in accordance with a second predetermined criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Irdeto USA Incorporated (MultiChoice Group Ltd.)
Original Assignee
Mark M. Ishikawa
Inventors
Ishikawa, Mark M.
Primary Examiner(s)
Louis-Jacques, Jacques H.
Assistant Examiner(s)
Tran, Tongoc

Application Number

US09/821,565
Publication Number

US 20010039623A1
Time in Patent Office

2,021 Days
Field of Search

713153-154, 713200-202, 713/172, 713/163, 380/51, 705/5, 726/11, 726/12, 726/13, 726/3, 726/22, 709/238, 709/242, 370/389, 370/390, 370/392, 370/401, 370/432
US Class Current

726/23
CPC Class Codes

H04L 12/12   Arrangements for remote con...

H04L 43/00   Arrangements for monitoring...

H04L 43/12   Network monitoring probes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Y02D 30/50   in wire-line communication ...

System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links