System, method and apparatus for authenticating and protecting an IP user-end device

US 8,503,657 B2
Filed: 10/21/2009
Issued: 08/06/2013
Est. Priority Date: 02/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating and protecting an Internet Protocol (IP) user-end device comprising the steps of:

providing a client-based security software resident on the IP user-end device;

authenticating the IP user-end device using the client-based security software and a network security node communicably coupled to the IP user-end device;

in response to successfully authenticating the IP user-end device, authenticating a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, wherein the step of authenticating the user of the IP user-end device comprises the steps of;

initiating a authenticating call from the network security node to the IP user-end device;

in response to the authenticating call being answered at the IP user-end device, sending a request for a passcode to the IP user-end device, wherein the request prompts the user of the IP user-end device to enter a passcode;

sending to the IP user-end device a message to disable the IP user-end device when the passcode is invalid; and

after determining whether the passcode is valid or invalid, terminating the authenticating call; and

protecting the IP user-end device by;

(a) screening incoming IP traffic to the IP user-end device using the client-based security software, and (b) detecting an attack or a threat involving the IP user-end device using the network security node.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and apparatus authenticates and protects an Internet Protocol (IP) user-end device by providing a client-based security software resident on the IP user-end device, authenticating the IP user-end device using the client-based security software and a network security node communicably coupled to the IP user-end device, authenticating a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, and protecting the IP user-end device by: (a) screening incoming IP traffic to the IP user-end device using the client-based security software, and (b) detecting an attack or a threat involving the IP user-end device using the network security node.

Citations

22 Claims

1. A method for authenticating and protecting an Internet Protocol (IP) user-end device comprising the steps of:
- providing a client-based security software resident on the IP user-end device;
  
  authenticating the IP user-end device using the client-based security software and a network security node communicably coupled to the IP user-end device;
  
  in response to successfully authenticating the IP user-end device, authenticating a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, wherein the step of authenticating the user of the IP user-end device comprises the steps of;
  
  initiating a authenticating call from the network security node to the IP user-end device;
  
  in response to the authenticating call being answered at the IP user-end device, sending a request for a passcode to the IP user-end device, wherein the request prompts the user of the IP user-end device to enter a passcode;
  
  sending to the IP user-end device a message to disable the IP user-end device when the passcode is invalid; and
  
  after determining whether the passcode is valid or invalid, terminating the authenticating call; and
  
  protecting the IP user-end device by;
  
  (a) screening incoming IP traffic to the IP user-end device using the client-based security software, and (b) detecting an attack or a threat involving the IP user-end device using the network security node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method as recited in claim 1, wherein:
    - the step of authenticating the IP user-end device uses a smart card, a subscriber identity module (SIM) card, a Flexi-SIM card, a security certificate stored on the smart card or the SIM card or on the IP user-end device, one or more control messages, one or more voice prompts, a “
      
      white-list”
      
      , or a combination thereof;
      
      the IP user-end device comprises a dual mode phone, a wireless phone, a soft phone, a web phone, a personal data assistant, a computer, or other IP-based telecommunications device; and
      
      the IP user-end device runs an IP-based application comprising a Voice over IP (VoIP) application, an Instant Messaging (IM) application, a Short Message Service (SMS) application, a video application, a presence application, or a Unified Communication (UC) application.
  - 3. The method as recited in claim 1, wherein:
    - the trigger condition comprises a time-based condition, an event-based condition or a combination thereof;
      
      the time-based condition comprises a requirement to authenticate the user of the IP user-end device daily, weekly, bi-weekly, monthly, quarterly, yearly or some other specified time; and
      
      the event-based condition comprises receiving a registration request from the IP user-end device, a switch-over to standby, a challenge from an authentication manager, a request for a specified service, a request for access to a specified device, or a failure of a fingerprint match.
  - 4. The method as recited in claim 3, wherein:
    - the fingerprint match comprises a change in a format, a value or an order of information in a header; and
      
      the header information comprises via, max forwards, contact, user agent, allow, proxy require, supported, route, command sequence (Cseq), session expires, allow events, content length, session description protocol (SDP) bandwidth, SDP silence suppression, SDP connection, SDP originator or SDP payload.
  - 5. The method as recited in claim 1, wherein the attack or the threat comprises denial of service/distributed denial of service (DoS/DDoS) floods, fuzzing/malformed messages, reconnaissance attacks, spoofing attacks, man in the middle (MIM) attacks, stealth call attacks, rogue media, anomalous behavior, and/or spam.
  - 6. The method as recited in claim 1, further comprising the step of generating a security incidence whenever the authentication of the IP user-end device fails.
  - 7. The method as recited in claim 1, further comprising the step of blocking any messages from the IP user-end device until the IP user-end device and the user are authenticated.
  - 8. The method as recited in claim 1, wherein:
    - the request for the passcode comprises one or more display prompts, one or more voice prompts or a combination thereof; and
      
      the passcode comprises a personal identification code, a token code, a physical key, an electronic key, a biometric identifier, a magnetic signature, an electronic signature, one or more numbers, one or more symbols, one or more alphabet characters, one or more keystrokes, or a combination thereof.
  - 9. The method as recited in claim 1, further comprising the step of resending the request for the passcode after a specified period of time whenever the user does not answer the call.
  - 10. The method as recited in claim 1, wherein the step of sending the message to disable the IP user-end device or rejecting the authentication request from the IP user-end device is performed after a specified number of consecutive of authentication attempts have failed.
  - 11. The method as recited in claim 1, further comprising the step of notifying the user that the IP user-end device has been disabled or the authentication request from the IP user-device has been rejected using one or more display messages, audio messages, voice mail messages, electronic mail messages, text messages, or a combination thereof.
  - 12. The method as recited in claim 1, further comprising the steps of initiating another call to the IP user-end device and sending another request for a passcode to the IP user-end device after the IP user-end device has been disabled for a specified period of time or after the specified period of time since the authentication request from the IP user-device was rejected.
  - 13. The method as recited in claim 1, further comprising the step of enabling the IP user-end device after the IP user-end device has been disabled using a “
    - clearing”
      
      process executed by the user, a technician, a security person, a supervisor or a combination thereof.
  - 14. The method as recited in claim 1, further comprising the step of requesting authentication of the received passcode from an authentication server.
  - 15. The method as recited in claim 1, further comprising the step of delaying registration of the IP user-end device with a call manager until the IP user-end device and the user are authenticated.
  - 16. The method as recited in claim 1, further comprising the steps of:
    - receiving a request for a configuration file from the IP user-end device;
      
      retrieving the configuration file;
      
      sending the configuration file to the IP user-end device;
      
      requesting the configuration file from a call manager;
      
      receiving the requested configuration file; and
      
      saving the requested configuration file and sending a reset message to the IP user-end device whenever the requested configuration file is different than the configuration file.
  - 17. The method as recited in claim 16, further comprising the steps of:
    - receiving another request for the configuration file in response to the reset message; and
      
      sending the requested configuration file to the IP user-end device.
  - 18. The method as recited in claim 1, wherein the client-based security software splits one or more resources of the IP-user-end device into one or more logical access-controlled areas.

19. An apparatus for authenticating and protecting an Internet Protocol (IP) user-end device comprising:
- a communications interface;
  
  a memory; and
  
  a processor communicably coupled to the communications interface and the memory wherein the processor is configured to run a client-based security software resident on the IP user-end device;
  
  wherein the client-based security software and a network security node are communicably coupled to the IP user-end device and are operable to;
  
  (a) authenticate the IP user-end device, and (b) in response to successfully authenticating the IP user-end device, authenticate a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, wherein the step of authenticating the user of the IP user-end device comprises the steps of;
  
  initiating a authenticating call from the network security node to the IP user-end device;
  
  in response to the authenticating call being answered at the IP user-end device, sending a request for a passcode to the IP user-end device, wherein the request prompts the user of the IP user-end device to enter a passcode;
  
  sending to the IP user-end device a message to disable the IP user-end device when the passcode is invalid; and
  
  after determining whether the passcode is valid or invalid, terminating the authenticating call;
  
  wherein client-based security software protects the IP user-end device by screening incoming IP traffic to the IP user-end device; and
  
  wherein the network security node protects the IP user-end device by detecting an attack or a threat involving the IP user-end device.

20. A system comprising:
- one or more Internet Protocol (IP) user-end devices, each IP end-user device comprising a first communications interface, a first memory, and a first processor communicably coupled to the first communications interface and the first memory wherein the first processor is configured to run a client-based security software resident on the IP user-end device;
  
  a network security node comprising a second communications interface, a second memory, and a second processor communicably coupled to the second communications interface and the second memory;
  
  an IP network communicably coupling the one or more IP user-end devices to the network security node;
  
  wherein the client-based security software and the network security node;
  
  (a) authenticate the IP user-end device, and (b) in response to successfully authenticating the IP user-end device, authenticate a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, wherein the step of authenticating the user of the IP user-end device comprises the steps of;
  
  initiating a authenticating call from the network security node to the IP user-end device;
  
  in response to the authenticating call being answered at the IP user-end device, sending a request for a passcode to the IP user-end device, wherein the request prompts the user of the IP user-end device to enter a passcode;
  
  sending to the IP user-end device a message to disable the IP user-end device when the passcode is invalid; and
  
  after determining whether the passcode is valid or invalid, terminating the authenticating call;
  
  wherein client-based security software protects the IP user-end device by screening incoming IP traffic to the IP user-end device; and
  
  wherein the network security node protects the IP user-end device by detecting an attack or a threat involving the IP user-end device.
- View Dependent Claims (21, 22)
- - 21. The system as recited in claim 20, further comprising an authentication server communicably coupled to the network security node.
  - 22. The system as recited in claim 20, further comprising a call manager communicably coupled to the network security node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Incorporated
Inventors
Tyagi, Satyam, Thodime-Venkata, Guru-Prasad
Primary Examiner(s)
Nguyen, Khai N

Application Number

US12/603,236
Publication Number

US 20100107230A1
Time in Patent Office

1,385 Days
Field of Search

379/90.02, 379/93.02, 379/142.05, 379/90.01, 379/93.03, 379/142.04, 379/167.06, 379/207.02, 379/207.11, 379/207.13, 455/411, 713/155, 713/168
US Class Current

379/207.13
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 65/1069   Session establishment or de...

H04L 65/1076   Screening of IP real time c...

H04M 7/0078   Security; Fraud detection; ...

System, method and apparatus for authenticating and protecting an IP user-end device

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus for authenticating and protecting an IP user-end device

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links