Real-time network attack detection and mitigation infrastructure
First Claim
1. A method of operating elements of a communications system to detect and mitigate network attacks in a VoIP network, said elements including a gateway, an analyzer and a guardian module, the method comprising:
receiving, by the gateway, via the VOIP network, an incoming call and associated signaling;
transmitting, from the gateway to the analyzer, a call detail record (CDR) for the incoming call;
maintaining in memory, by the analyzer, a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls in the VOIP network;
maintaining in memory, by the analyzer, a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
updating, by the analyzer, an adaptable profile from the plurality of adaptable profiles based on the CDR of the incoming call;
comparing, by the analyzer, the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
determining, by the analyzer, if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis; and
when said analyzer determines that an anomaly exists indicative of a network attack:
generating, by the analyzer, an alarm corresponding to the incoming call indicative of the network attack;
transmitting, by the analyzer, to a rules engine, the alarm indicative of the network attack to determine a mitigation action for the incoming call; and
determining by the rules engine one or more mitigation actions for the incoming call, said one or more mitigation actions including a first mitigation action comprising rerouting the incoming call to the guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.
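The detection and mitigation loop of claim 1 (an adaptable profile updated from each CDR, compared with a reference profile by multivariate analysis, an alarm passed to a rules engine that sets the challenge complexity), as an added Python sketch that is not part of the patent. The CDR fields, the EWMA form of the adaptable profile, the diagonal Mahalanobis score, the threshold and the score-to-complexity mapping are all assumptions made for the example.

```python
import math
from dataclasses import dataclass, field
FEATURES = ("duration_s", "calls_per_min", "setup_ms")  # CDR fields profiled (constructed)

@dataclass
class ReferenceProfile:
    """Normal call behaviour: per-feature running mean and variance of baseline CDRs (Welford)."""
    n: int = 0
    mean: list = field(default_factory=lambda: [0.0] * len(FEATURES))
    m2: list = field(default_factory=lambda: [0.0] * len(FEATURES))
    def update(self, x):
        self.n += 1
        for i, v in enumerate(x):
            d = v - self.mean[i]
            self.mean[i] += d / self.n
            self.m2[i] += d * (v - self.mean[i])
    def var(self, i):  # sample variance; needs at least two baseline CDRs
        return self.m2[i] / (self.n - 1)

class Analyzer:
    """One adaptable profile per source trunk (EWMA of its CDR features), scored against the reference profile."""
    def __init__(self, reference, alpha=0.5, threshold=3.0):
        self.reference, self.alpha, self.threshold, self.adaptable = reference, alpha, threshold, {}
    def score(self, prof):  # diagonal Mahalanobis distance, i.e. a multivariate z-score
        r = self.reference  # the 1e-9 floor guards a zero-variance reference feature
        return math.sqrt(sum((prof[i] - r.mean[i]) ** 2 / max(r.var(i), 1e-9)
                             for i in range(len(FEATURES))))
    def ingest(self, cdr):  # update the trunk's adaptable profile; return an alarm or None
        trunk, x = cdr["src_trunk"], [float(cdr[f]) for f in FEATURES]
        prev = self.adaptable.get(trunk, x)
        prof = self.adaptable[trunk] = [self.alpha * v + (1 - self.alpha) * p for v, p in zip(x, prev)]
        s = self.score(prof)
        return {"call_id": cdr["call_id"], "score": s} if s > self.threshold else None

def rules_engine(alarm):  # mitigation: reroute to the guardian, challenge complexity 1..3 set by the score
    level = max(1, min(3, math.ceil(alarm["score"] / 5)))
    return {"action": "reroute_to_guardian", "call_id": alarm["call_id"], "complexity": level}

def run(baseline, live):  # returns one mitigation action (or None) per live call
    ref = ReferenceProfile()
    for c in baseline:
        ref.update([float(c[f]) for f in FEATURES])
    an = Analyzer(ref)
    return [rules_engine(a) if (a := an.ingest(c)) else None for c in live]

def cdr(call_id, trunk, dur, cpm, setup):  # constructed CDR records
    return dict(call_id=call_id, src_trunk=trunk, duration_s=dur, calls_per_min=cpm, setup_ms=setup)
BASELINE = [cdr("b1", "A", 120, 2, 300), cdr("b2", "A", 150, 3, 280), cdr("b3", "A", 90, 1, 320),
            cdr("b4", "A", 130, 2, 310), cdr("b5", "A", 110, 2, 290)]
LIVE = [cdr("c1", "A", 125, 2, 305), cdr("c2", "B", 3, 40, 50), cdr("c3", "C", 60, 6, 250)]
```

`run(BASELINE, LIVE)` leaves the normal call alone, sends the short-duration high-rate flood from trunk B to the guardian at the highest complexity, and the milder deviation from trunk C at a middle level.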
Abstract
The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.
13 Claims
11. A communications system for detecting and mitigating network attacks in a VoIP network, the communications system comprising:
a gateway configured to (1) receive via the VOIP network an incoming call and associated signaling and (2) transmit to an analyzer a call detail record (CDR) for the incoming call;
a database for maintaining i) a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls, and ii) a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
a profile unit for updating an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call; and
the analyzer further configured to compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles, determine if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis, and, when it is determined that an anomaly indicative of a network attack exists, to generate an alarm corresponding to the incoming call indicative of the network attack and transmit the alarm indicative of a network attack to a rules engine to determine a mitigation action for the incoming call; and
the rules engine being configured to determine one or more mitigation actions for the incoming call, said one or more mitigation actions including a first mitigation action comprising rerouting the incoming call to a guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.
13. A computer program product stored on a non-transitory computer readable storage medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
receive an incoming call and associated signaling;
transmit a call detail record (CDR) for the incoming call;
maintain in memory a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
maintain in memory a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
update an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
determine if an anomaly indicative of a network attack exists based on the comparing using multivariate analysis; and
when it is determined that an anomaly indicative of a network attack exists, generate an alarm corresponding to the incoming call indicative of the network attack and determine one or more mitigation actions for the incoming call, said one or more actions including a first mitigation action comprising rerouting the incoming call to a guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.