METHOD CIRCUITS DEVICES SYSTEMS AND FUNCTIONALLY ASSOCIATED COMPUTER EXECUTABLE CODE FOR DETECTING AND MITIGATING DENIAL OF SERVICE ATTACK DIRECTED ON OR THROUGH A RADIO ACCESS NETWORK

20210258342 · 2021-08-19

    Abstract

    The present invention includes methods, circuits, systems and functionally associated computer executable code for detecting and mitigating a denial of service attack on or through a radio access network. According to some embodiments, there may be provided a radio access network with one or more radio access points to wirelessly engage in communication with one or more wireless communication devices, a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points and configured to detect one or more malicious packets transmitted to the radio access network by the one or more wireless communication devices, and a controller functionally associated with the MPD and configured to alter network operation so as to mitigate malicious packet flow from the one or more malicious packet transmitting wireless communication devices.

    Claims

    1. A radio access network comprising: one or more radio access points to wirelessly engage in communication with one or more wireless client communication devices; a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points and including a packet inspector to perform packet sniffing into packets wirelessly received by said radio access network while the packets are in an IP tunnel in order to detect one or more malicious packets transmitted to said radio access network by the one or more wireless client communication devices; and a controller functionally associated with the MPD and configured to alter network operation to mitigate malicious packet flow from the one or more malicious packet transmitting wireless communication devices.

    2. The radio access network according to claim 1, wherein mitigating malicious packet flow from the one or more malicious packet transmitting wireless communication devices includes (a) redirecting packets detected to be part of a malicious packet flow, (b) terminating packets detected to be part of a malicious packet flow, or (c) altering a radio link of the one or more wireless client communication devices with said radio access network.

    3. The radio access network according to claim 1, wherein said MPD detects whether a packet is a malicious packet by inspecting at least one characteristic of the packet to assess whether the packet is part of a denial of service attack on a data network resource.

    4. The radio access network according to claim 1, wherein the data network resource is selected from the group consisting of: (a) a Domain Name Server, (b) a digital content or media server, and (c) an application engine or server.

    5. The radio access network according to claim 3, wherein said MPD detects whether a packet is part of a malicious packet flow by inspecting at least one characteristic of a set of packets addressed to a common or related data network resource.

    6. The radio access network according to claim 5, wherein the at least one characteristic of the set of packets is selected from the group consisting of: (a) destination address, (b) source address, (c) duration between consecutive packets, (d) patterns of packet transmissions from a given device, and (e) a correlation between packets being transmitted to a common destination address substantially concurrently by separate devices.

    7. The radio access network according to claim 2, wherein altering a radio link of the device which is transmitting the malicious packet flow includes signaling a radio access point with which the device is communicatively coupled to deallocate or otherwise restrict bandwidth to the device.

    8. The radio access network according to claim 1, wherein mitigating a malicious packet flow includes reporting detection of the malicious packet flow to a network control unit, wherein reporting includes reporting an identifier of a device transmitting the malicious packet flow.

    9. A network security appliance of a radio access network with one or more radio access points wirelessly engaged in communication with one or more wireless client communication devices, wherein said network security appliance comprises: a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points and including a packet inspector to perform packet sniffing into packets wirelessly received by said radio access network while the packets are in an IP tunnel in order to detect one or more malicious packets transmitted to said radio access network by the one or more wireless client communication devices; and a controller functionally associated with the MPD and configured to alter wireless access network operation to mitigate malicious packet flow from the one or more malicious packet transmitting wireless communication devices.

    10. The security appliance according to claim 9, wherein mitigating malicious packet flow from the one or more malicious packet transmitting wireless communication devices includes (a) redirecting packets detected to be part of a malicious packet flow, (b) terminating packets detected to be part of a malicious packet flow, or (c) altering a radio link between the one or more wireless client communication devices and said radio access network.

    11. The security appliance according to claim 9, wherein said MPD detects whether a packet is a malicious packet by inspecting at least one characteristic of the packet to assess whether the packet is part of a denial of service attack on a data network resource.

    12. The security appliance according to claim 10, wherein the data network resource is selected from the group consisting of: (a) a Domain Name Server, (b) a digital content or media server, and (c) an application engine or server.

    13. The security appliance according to claim 11, wherein said MPD detects whether a packet is part of a malicious packet flow by inspecting at least one characteristic of a set of packets addressed to a common or related data network resource.

    14. The security appliance according to claim 13, wherein the at least one characteristic of the set of packets is selected from the group consisting of: (a) destination address, (b) source address, (c) duration between consecutive packets, (d) patterns of packet transmissions from a given device, and (e) a correlation between packets being transmitted to a common destination address substantially concurrently by separate devices.

    15. The security appliance according to claim 10, wherein altering a radio link of the device which is transmitting the malicious packet flow includes signaling a radio access point with which the device is communicatively coupled to deallocate or otherwise restrict bandwidth to the device.

    16. The security appliance according to claim 9, wherein altering a malicious packet flow includes reporting detection of the malicious packet flow to a network control unit, wherein reporting includes reporting an identifier of a device transmitting the malicious packet flow.

    Description

    BRIEF DESCRIPTION OF THE FIGURES

    [0025] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:

    [0026] FIG. 1 shows a symbolic block network diagram of a wireless radio access network according to embodiments of the present invention including a malicious packet detector and filter unit coupled to each of two network access points and operating to inspect and filter malicious packets being transmitted to the network by devices communicatively coupled to a respective access point;

    [0027] FIG. 2 shows a functional block diagram of an exemplary malicious packet detector and filter unit according to embodiments including: a packet inspector, a packet pattern detector, a packet routing module and signaling modules for the radio access circuits and for the network management units;

    [0028] FIG. 3 shows a flowchart including the steps of a method by which an MPD according to embodiments of the present invention may detect and mitigate the negative impact of malicious packets transmitted by devices communicatively coupled to a network access point serviced or otherwise covered by the MPD;

    [0029] FIG. 4A is a packet flow diagram illustrating an exemplary malicious packet flow interception according to embodiments of the present invention;

    [0030] FIG. 4B is a packet flow diagram illustrating an exemplary malicious packet flow interception according to embodiments of the present invention;

    [0031] FIG. 4C is a packet flow diagram illustrating an exemplary malicious packet flow interception according to embodiments of the present invention; and

    [0032] FIG. 5 shows a network diagram of a cellular radio access network with multiple access zones and an MPD according to embodiments of the present invention, wherein the MPD is servicing or otherwise providing coverage to one of the network's access zones in order to mitigate negative impact on network resources by malicious packets transmitted by devices connected to the network through access points within the network access zone.

    [0033] It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

    DETAILED DESCRIPTION OF THE FIGURES

    [0034] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.

    [0035] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “processing”, “computing”, “calculating”, “determining”, or the like, may refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices.

    [0036] In addition, throughout the specification discussions utilizing terms such as “storing”, “hosting”, “caching”, “saving”, or the like, may refer to the action and/or processes of ‘writing’ and ‘keeping’ digital information on a computer or computing system, or similar electronic computing device, and may be interchangeably used. The term “plurality” may be used throughout the specification to describe two or more components, devices, elements, parameters and the like.

    [0037] Some embodiments of the invention, for example, may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment including both hardware and software elements. Some embodiments may be implemented in software, which includes but is not limited to firmware, resident software, microcode, or the like.

    [0038] Furthermore, some embodiments of the invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For example, a computer-usable or computer-readable medium may be or may include any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

    [0039] In some embodiments, the medium may be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Some demonstrative examples of a computer-readable medium may include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), any composition and/or architecture of semiconductor based Non-Volatile Memory (NVM), any composition and/or architecture of biologically based Non-Volatile Memory (NVM), a rigid magnetic disk, and an optical disk. Some demonstrative examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W), and DVD.

    [0040] In some embodiments, a data processing system suitable for storing and/or executing program code may include at least one processor coupled directly or indirectly to memory elements, for example, through a system bus. The memory elements may include, for example, local memory employed during actual execution of the program code, bulk storage, and cache memories which may provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

    [0041] In some embodiments, input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers. In some embodiments, network adapters may be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices, for example, through intervening private or public networks. In some embodiments, modems, cable modems and Ethernet cards are demonstrative examples of types of network adapters. Other functionally suitable components may be used.

    [0042] Turning now to FIG. 1, there is shown a symbolic block network diagram of a wireless radio access network according to embodiments of the present invention including a malicious packet detector and filter unit coupled to each of two network access points and operating to inspect and filter malicious packets being transmitted to the network by devices communicatively coupled to a respective access point. The unit may consist of a single network appliance, part of one or more network appliances, or multiple network appliances working in concert.

    [0043] The MPD may operate inside of a RAN, a flat IP environment, an IP tunnel or any other data environment found within a cellular communication network. The MPD may include one or more packet inspectors, including a deep packet inspector. The MPD may include an IP tunnel sniffer or the like.

    [0044] The MPD shown in FIG. 1 may detect and mitigate the negative impact of malicious packets, transmitted by communication devices connected to the network, on network performance and on network resources both inside and outside the network. The MPD is configured to detect and filter out malicious packets, such as DDoS packets, targeting network resources on the network access segment, at the network core and/or external resources outside the network.

    [0045] Turning now to FIG. 2, there is shown a functional block diagram of an exemplary malicious packet detector and filter unit according to embodiments including: a packet inspector, a packet pattern detector, a packet routing module and signaling modules for the radio access (RF) circuits and for the network management units. Also shown are network resources which may be protected by the MPD. The functional elements and operation of the MPD may be described in conjunction with the steps illustrated in FIG. 3, which figure shows a flowchart including the steps of a method by which an MPD according to embodiments of the present invention may detect and mitigate the negative impact of malicious packets transmitted by devices communicatively coupled to a network access point serviced or otherwise covered by the MPD.

    [0046] Packets received by the network from communication devices via wireless radio circuits of the network may be received by the MPD over an interface to the radio circuits. Individual packets may be inspected by a packet inspector, and a packet pattern detector may detect packet patterns indicative of a DDoS attack. A library of packet signatures, packet patterns or packet flow/stream behaviors may be used by the packet inspector and/or the packet pattern detector.

    [0047] Packets not found to be malicious are routed by the MPD routing module to their respective target network resource destinations, as shown in FIG. 4A, which is a packet flow diagram illustrating an exemplary selective malicious packet flow interception, while allowing normal packets to pass, according to embodiments of the present invention. Packets found to be malicious, for example as being part of a DDoS attack, may be terminated at the MPD. Furthermore, signaling by the MPD, through a radio access signaling module, may cause the radio circuits through which malicious packets were received to reallocate, limit or otherwise disrupt bandwidth or connectivity to the communication device(s) which transmitted the malicious packet(s). A malicious packet source reporting module may also report the source of detected malicious packets to a network management unit, such as a network access controller, optionally causing the network management unit to cause the network to disconnect from the communication device(s) which transmitted the malicious packet(s).
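    As an added illustration (not code from the patent or its assignee), the following Python sketch plays the role of the MPD packet pattern detector and routing module of paragraphs [0046] and [0047] over a constructed packet trace: it checks two of the characteristics listed in claims 6 and 14, the duration between consecutive packets from one device to one destination and a correlation of separate devices transmitting to a common destination substantially concurrently, and then emits the routing and signaling decisions. Thresholds, device identifiers and resource names are assumed values chosen for the example.

```python
from collections import defaultdict, namedtuple

# Constructed packet record: source device id, destination resource, timestamp (s).
Packet = namedtuple("Packet", "src dst ts")

# Assumed detection thresholds; the patent names the characteristics, not values.
MIN_GAP = 0.05        # a device sending to one target faster than every 50 ms is flagged
FLOOD_SOURCES = 3     # this many distinct devices hitting one target inside WINDOW
WINDOW = 1.0          # seconds of "substantially concurrent" traffic to one destination


def detect_malicious_sources(packets):
    """Return the set of device ids whose traffic matches a DoS pattern.

    Characteristic (c): duration between consecutive packets from one device
    to one destination.  Characteristic (e): many separate devices sending to
    a common destination within the same short window.
    """
    flagged = set()
    last_seen = {}                 # (src, dst) -> timestamp of the previous packet
    recent = defaultdict(list)     # dst -> [(ts, src)] seen within WINDOW
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = (p.src, p.dst)
        if key in last_seen and p.ts - last_seen[key] < MIN_GAP:
            flagged.add(p.src)
        last_seen[key] = p.ts
        hits = [(t, s) for t, s in recent[p.dst] if p.ts - t <= WINDOW]
        hits.append((p.ts, p.src))
        recent[p.dst] = hits
        concurrent_sources = {s for _, s in hits}
        if len(concurrent_sources) >= FLOOD_SOURCES:
            flagged |= concurrent_sources
    return flagged


def mpd_decisions(packets):
    """Route or terminate each packet as FIG. 4A does, and list signaling actions.

    Returns (routed, terminated, actions): routed packets go on to their
    destination, terminated ones are dropped at the MPD, and actions are the
    radio-access and network-management signals for each flagged device.
    """
    bad = detect_malicious_sources(packets)
    routed = [p for p in packets if p.src not in bad]
    terminated = [p for p in packets if p.src in bad]
    actions = [("restrict_bandwidth", src) for src in sorted(bad)]   # to radio circuits
    actions += [("report_to_nac", src) for src in sorted(bad)]       # to network access controller
    return routed, terminated, actions


# Constructed trace: ue1 floods the DNS resource alone; ue3/ue4/ue5 hit the
# application server together; ue2 and ue6 behave normally.
SAMPLE = [
    Packet("ue1", "dns", 0.00), Packet("ue1", "dns", 0.01), Packet("ue1", "dns", 0.02),
    Packet("ue2", "cdn", 0.00), Packet("ue2", "cdn", 0.80),
    Packet("ue3", "app", 1.50), Packet("ue4", "app", 1.55), Packet("ue5", "app", 1.60),
    Packet("ue6", "dns", 5.00),
]

if __name__ == "__main__":
    routed, terminated, actions = mpd_decisions(SAMPLE)
    print(len(routed), "routed,", len(terminated), "terminated;", actions)
```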

    [0048] Turning now to FIG. 4B, there is shown a packet flow diagram illustrating an exemplary malicious packet flow interception according to embodiments of the present invention wherein all packets from a malicious packet source device are terminated at the MPD. FIG. 4C is a packet flow diagram illustrating an exemplary malicious packet flow interception according to embodiments of the present invention where all packets from a malicious packet source device are terminated at or before the radio access circuits. The flow of FIG. 4C may occur when either the radio circuits or the network management unit disconnect or otherwise restrict access of communication devices which were found to transmit malicious packets to the network.

    [0049] Turning now to FIG. 5, there is shown a network diagram of a wireless radio access cellular network with multiple access zones and an MPD according to embodiments of the present invention, wherein the MPD is servicing or otherwise providing coverage to one of the network's access zones in order to mitigate negative impact on network resources by malicious packets transmitted by devices connected to the network through access points within the network access zone.

    [0050] Functions, operations, components and/or features described herein with reference to one or more embodiments, may be combined or otherwise utilized with one or more other functions, operations, components and/or features described herein with reference to one or more other embodiments, or vice versa. While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.