Method for protecting a packet-based network from attacks, and security border node

US 8,365,284 B2
Filed: 06/01/2009
Issued: 01/29/2013
Est. Priority Date: 06/12/2008
Status: Active Grant

First Claim

Patent Images

1. Method for protecting a packet-based network from attacks, comprising:

performing an anomaly detection in the form of a statistical analysis on a session control message contained in a packet stream received in a security border node of the network utilizing message context information about the session control message, when the session control message has a message type that matches an allowed next message type and there is no indication to bypass performing the anomaly detection on the session control message; and

updating the message context information to include information about a result of the anomaly detection, whereinthe message context information includes client history information and session history information, the client history information indicating a number of received messages and the session history information indicating the allowed next message type.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a security border node (2a) for protecting a packet-based network from attacks, comprising: an anomaly detection unit (10) for performing an anomaly detection, in particular a statistical analysis, on session control messages (11), in particular on SIP messages contained in a packet stream (5) received in the security border node (2a). The security border node further comprises a message context provisioning unit (13) for providing at least one session control message (11) to the anomaly detection unit (10) together with message context information (12, 17, 24) related to a client (22) and/or to a session (23) to which the session control message (11, 11a to 11f) is attributed. The invention also relates to a method for protecting a packet-based network from attacks, to a computer program product, and to a packet-based network.

30 Citations

View as Search Results

17 Claims

1. Method for protecting a packet-based network from attacks, comprising:
- performing an anomaly detection in the form of a statistical analysis on a session control message contained in a packet stream received in a security border node of the network utilizing message context information about the session control message, when the session control message has a message type that matches an allowed next message type and there is no indication to bypass performing the anomaly detection on the session control message; and
  
  updating the message context information to include information about a result of the anomaly detection, whereinthe message context information includes client history information and session history information, the client history information indicating a number of received messages and the session history information indicating the allowed next message type.
- View Dependent Claims (2, 3, 4, 14)
- - 2. Method according to claim 1, further comprising the step of including the message context information in the session control message.
  - 3. Method according to claim 1, further comprising:
    - addressing a database for storing and retrieving the message context information.
  - 4. Method according to claim 1, wherein the session history information is used to determine a client call rate, the allowed next message type, and message interarrival times.
  - 14. A non-transitory computer program product comprising code means configured to perform all the steps of the method according to claim 1.

5. Security border node for protecting a packet-based network from attacks, comprising:
- an anomaly detection unit configured to perform an anomaly detection in the form of a statistical analysis on a session control message contained in a packet stream received in the security border node utilizing message context information related to a session to which the session control message is attributed, when the session control message has a message type that matches an allowed next message type and there is no indication to bypass performing the anomaly detection on the session control message; and
  
  a message context provisioning unit configured to provide the session control message and the message context information to the anomaly detection unit, and update the message context information to include information about a result of the anomaly detection, whereinthe message context information includes client history information and session history information, the client history information indicating a number of received messages and the session history information indicating the allowed next message type.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17)
- - 6. Security border node according to claim 5, wherein the message context provisioning unit is configured to include the message context information into the session control message.
  - 7. Security border node according to claim 5, further comprising:
    - a database configured to store and retrieve the message context information, whereinthe message context provisioning unit is configured to address the database.
  - 8. Security border node according to claim 7, wherein the anomaly detection unit performs anomaly detection using the database to determine a client call rate, the allowed next message type, and message interarrival times.
  - 9. Security border node according to claim 7, wherein the message context provisioning unit is configured to provide timestamps of the session control messages to the database.
  - 10. Security border node according to claim 5, further comprising:
    - a decision unit configured to decide if the session control message has to be dropped or forwarded based upon the result of the anomaly detection.
  - 11. Security border node according to claim 7, further comprising:
    - a session control message stack, configured to process the session control messages and provide information about the result of the processing as a message context information to the database.
  - 12. Security border node according to claim 10, further comprising:
    - a message handling unit configured to handle session control messages in a different way depending on the message context information about the result of the decision and/or the information about the result of the processing of previous session control messages attributed to the same client and/or session.
  - 13. Packet-based network, comprising at least one security border node according to claim 5.
  - 15. Security border note according to claim 5, wherein the client identity history includes information associated with a client ID, a session ID and a source IP address.
  - 16. Security border note according to claim 10, wherein when the decision unit decides to drop the message, information about the result of the decision is sent to the database.
  - 17. Security border note according to claim 10, wherein when the decision unit decides to forward the message, the message context information is removed from the session control message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Wahl, Stefan
Primary Examiner(s)
ZIA, SYED

Application Number

US12/457,069
Publication Number

US 20090313698A1
Time in Patent Office

1,338 Days
Field of Search

726 1- 36
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 65/1104 Session initiation protocol...

Method for protecting a packet-based network from attacks, and security border node

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method for protecting a packet-based network from attacks, and security border node

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links