Method for protecting a packet-based network from attacks, and security border node
Abstract
The invention relates to a security border node (2a) for protecting a packet-based network from attacks, comprising: an anomaly detection unit (10) for performing an anomaly detection, in particular a statistical analysis, on session control messages (11), in particular on SIP messages contained in a packet stream (5) received in the security border node (2a). The security border node further comprises a message context provisioning unit (13) for providing at least one session control message (11) to the anomaly detection unit (10) together with message context information (12, 17, 24) related to a client (22) and/or to a session (23) to which the session control message (11, 11a to 11f) is attributed. The invention also relates to a method for protecting a packet-based network from attacks, to a computer program product, and to a packet-based network.
17 Claims
1. Method for protecting a packet-based network from attacks, comprising:
- performing an anomaly detection in the form of a statistical analysis on a session control message contained in a packet stream received in a security border node of the network utilizing message context information about the session control message, when the session control message has a message type that matches an allowed next message type and there is no indication to bypass performing the anomaly detection on the session control message; and
- updating the message context information to include information about a result of the anomaly detection, wherein the message context information includes client history information and session history information, the client history information indicating a number of received messages and the session history information indicating the allowed next message type.

Dependent Claims (2, 3, 4, 14)

5. Security border node for protecting a packet-based network from attacks, comprising:
- an anomaly detection unit configured to perform an anomaly detection in the form of a statistical analysis on a session control message contained in a packet stream received in the security border node utilizing message context information related to a session to which the session control message is attributed, when the session control message has a message type that matches an allowed next message type and there is no indication to bypass performing the anomaly detection on the session control message; and
- a message context provisioning unit configured to provide the session control message and the message context information to the anomaly detection unit, and update the message context information to include information about a result of the anomaly detection, wherein the message context information includes client history information and session history information, the client history information indicating a number of received messages and the session history information indicating the allowed next message type.

Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17)
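The gating described in claims 1 and 5, as an added Python sketch that is not code from the patent: a message reaches the statistical analysis only when its type is an allowed next type and no bypass is indicated, and the result is written back into the context. The size-based z-score, the simplified `NEXT_ALLOWED` transition table, the handling of unexpected or bypassed messages, and all names are assumptions made for illustration.

```python
import statistics
from dataclasses import dataclass, field

# Assumed, simplified SIP dialog order; RFC 3261 permits more transitions.
NEXT_ALLOWED = {"INVITE": {"ACK", "CANCEL"}, "ACK": {"BYE"},
                "CANCEL": set(), "BYE": set()}

@dataclass
class ClientHistory:            # per-client context
    received: int = 0           # number of received messages
    sizes: list = field(default_factory=list)  # sizes of messages judged normal

@dataclass
class SessionHistory:           # per-session context
    allowed_next: set = field(default_factory=lambda: {"INVITE"})
    results: list = field(default_factory=list)  # anomaly detection results

def is_anomalous(size, client, min_samples=5, threshold=3.0):
    """Assumed statistic: z-score of message size against this client's history."""
    if len(client.sizes) < min_samples:
        return False            # too little history to judge
    mean = statistics.mean(client.sizes)
    stdev = statistics.pstdev(client.sizes) or 1.0
    return abs(size - mean) / stdev > threshold

def handle(msg_type, size, client, session, bypass=False):
    """Gate one session control message and update the message context."""
    client.received += 1
    if msg_type not in session.allowed_next:
        return "unexpected_type"        # type mismatch: analysis not performed
    if bypass:
        session.allowed_next = NEXT_ALLOWED[msg_type]
        return "bypassed"               # bypass indicated: analysis skipped
    verdict = "anomalous" if is_anomalous(size, client) else "normal"
    session.results.append(verdict)     # result goes back into the context
    if verdict == "normal":             # assumed: only normal messages advance state
        client.sizes.append(size)
        session.allowed_next = NEXT_ALLOWED[msg_type]
    return verdict

def demo():
    """Constructed traffic: six sessions from one client, the last oversized."""
    client, verdicts = ClientHistory(), []
    for size in (500, 510, 520, 530, 540, 5000):
        verdicts.append(handle("INVITE", size, client, SessionHistory()))
    return client.received, verdicts
```
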
Specification