Queuing methods for mitigation of packet spoofing
    1.
    Granted invention patent, in force

    Publication number: US07464398B2

    Publication date: 2008-12-09

    Application number: US10440233

    Filing date: 2003-05-19

    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known to be legitimate, the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address is stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.


    Secret hashing for TCP SYN/FIN correspondence
    2.
    Granted invention patent, in force

    Publication number: US07284272B2

    Publication date: 2007-10-16

    Application number: US10158115

    Filing date: 2002-05-31

    IPC classification: G06F11/00 G06F9/00

    CPC classification: H04L63/1408 H04L63/1458

    Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection-establishing messages (SYN packets) are matched with connection-terminating messages (FIN packets) using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm, and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.


    High-speed adaptive structure of elementary firewall modules
    4.
    Granted invention patent, in force

    Publication number: US07284269B2

    Publication date: 2007-10-16

    Application number: US10156083

    Filing date: 2002-05-29

    IPC classification: H04L29/00 H04L29/02

    CPC classification: H04L63/0227 H04L63/0263

    Abstract: A communications security system is described. The security system, in the form of a firewall, is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall, where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.


    Secure voice signaling gateway
    5.
    Granted invention patent, in force

    Publication number: US07822017B2

    Publication date: 2010-10-26

    Application number: US10990472

    Filing date: 2004-11-18

    IPC classification: H04L12/66

    Abstract: Systems and methods of providing secure signaling for voice communications over a public switched voice network (PSTN) are described. The call signaling is received at a first secure voice signaling gateway (SVSG), in which it is encrypted utilizing a security key. The encrypted payload is tunneled from the first SVSG to a second SVSG at a destination network element. The destination SVSG decrypts the payload and passes it on to the destination. According to the invention, the communication can be either masqueraded, in which the address of the first SVSG is given as the origin, or non-masqueraded, in which the actual origin of the voice communication is retained.


    Communication network security risk exposure management systems and methods
    6.
    Granted invention patent, in force

    Publication number: US07743421B2

    Publication date: 2010-06-22

    Application number: US11132118

    Filing date: 2005-05-18

    IPC classification: G06F21/00 G06F15/16 G06F11/30

    CPC classification: H04L63/1416 H04L63/1441

    Abstract: Communication network security risk exposure management systems and methods are disclosed. Risks to a communication network are determined by analyzing assets of the communication network and vulnerabilities affecting the assets. Assets may include physical assets such as equipment, or logical assets such as software or data. Risk analysis may be adapted to assess risks to a particular feature of a communication network by analyzing the assets of the communication network that are associated with that feature, together with one or more of the vulnerabilities that affect the feature and the vulnerabilities that affect the assets associated with the feature. A feature may be an asset itself, or a function or service offered in the network and supported by particular assets, for example.


    Detection of denial of service attacks against SIP (session initiation protocol) elements
    7.
    Granted invention patent, in force

    Publication number: US07526803B2

    Publication date: 2009-04-28

    Application number: US10713035

    Filing date: 2003-11-17

    IPC classification: G06F21/00

    Abstract: A method and apparatus are directed to detecting DoS (denial of service) attacks against SIP-enabled devices. A substantial imbalance between an accounting of SIP INVITE (INV) and SIP 180 Ringing (N180) messages indicates a DoS attack. Preferably, the number (H) of INVITE messages including credentials (INVc) that are sent from a user client in response to a 407 Authentication Required message from a proxy server is removed from the accounting before the balance is tested. If the equation INVo + INVc − H = N180 (where INVo is the number of INVITE messages without credentials) does not hold within a small margin of error, then the inequality indicates the presence of a current DoS attack on the proxy server.


    DOS attack mitigation using upstream router suggested remedies
    8.
    Granted invention patent, in force

    Publication number: US07254713B2

    Publication date: 2007-08-07

    Application number: US10659341

    Filing date: 2003-09-11

    IPC classification: G06F1/24

    CPC classification: H04L63/1441 H04L63/1458

    Abstract: Systems and methods of mitigating DOS attacks on a victim node in a computer-based communication system are presented. According to the methods, a node such as a router upstream from the victim analyzes traffic flow directed to the victim node, and if a pattern indicating a possible attack is detected, a notification to that effect is sent to the victim node. The victim can either ignore the notification or choose to suggest or request that attack mitigation measures be implemented by the upstream router. Alternatively, the upstream router can implement attack mitigation measures without waiting for input from the victim node.
