US20220076209A1 - Process for Abuse Mitigation - Google Patents

Process for Abuse Mitigation Download PDF

Info

Publication number
US20220076209A1
US20220076209A1 US17/403,415 US202117403415A US2022076209A1 US 20220076209 A1 US20220076209 A1 US 20220076209A1 US 202117403415 A US202117403415 A US 202117403415A US 2022076209 A1 US2022076209 A1 US 2022076209A1
Authority
US
United States
Prior art keywords
message
computing device
messages
malicious
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/403,415
Inventor
Nirmal Mody
Michael O'Reirdan
Matt Scully
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Comcast Cable Communications LLC
Original Assignee
Comcast Cable Communications LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Comcast Cable Communications LLC filed Critical Comcast Cable Communications LLC
Priority to US17/403,415 priority Critical patent/US20220076209A1/en
Publication of US20220076209A1 publication Critical patent/US20220076209A1/en
Assigned to COMCAST CABLE COMMUNICATIONS, LLC reassignment COMCAST CABLE COMMUNICATIONS, LLC MERGER (SEE DOCUMENT FOR DETAILS). Assignors: COMCAST CABLE HOLDINGS, LLC
Assigned to COMCAST CABLE HOLDINGS, LLC reassignment COMCAST CABLE HOLDINGS, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: O'REIRDAN, MICHAEL J., SCULLY, MATT, MODY, NIRMAL
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation; Time management
    • G06Q10/107Computer-aided management of electronic mailing [e-mailing]
    • H04L51/12
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141Denial of service attacks against endpoints in a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets
    • H04L51/28
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/48Message addressing, e.g. address format or anonymous messages, aliases

Definitions

  • the present invention relates to methods and systems associated with reducing malicious communications over an Internet Protocol (IP) network, such as but not limited to reducing messaging associated with Spam and Denial of Service (DoS) attacks.
  • IP Internet Protocol
  • DoS Spam and Denial of Service
  • Spam can be described as transmission of unsolicited email messages to a large number of users and devices on public or private data networks. Spam constitutes up to 90% of email traffic on the Internet. Spam is a vehicle for phishing attacks on internet users and it is leading to distrust of the Internet and reduced usage of some services as a result. Spam can be sent knowingly by a user (Spammer) or unknowingly when the user's device is compromised with mal-ware (BOTS) that gives another user control of that user's device. Typically, the user is completely unaware that their device has been compromised. The purpose of BOTS is to compromise the user's privacy, financial data (phishing) and to seek other vulnerable targets on data networks and infect them as well.
  • BOTS mal-ware
  • BOTS belonging to BOTnets can generate large amounts of traffic in the form of Spam and DoS attacks.
  • command and control centers provide instructions to BOTS.
  • Typically assigned instructions include a list of nodes or IP address which the BOT is to target with DNS queries, replication attempts and open mail servers.
  • the BOT generates large numbers amounts of DNS queries to resolve domain names pre-fix such as Mail or SMTP to a valid IP address and vise a versa, for example the BOT will attempt to when resolve “mail comcast.net” to a valid IP address, i.e. 63.240.76.7210.
  • BOTS are also self-contained, in that they have the ability to act as mail-relay agents if they can not find any one mail servers.
  • the purpose of phishing is to obtain financial information such as credit card numbers and account information from the mail's recipient. Typically by tricking the user to believe that the email is legitimate.
  • ICMP “Ping” and Port scans of IP addresses in order to infect other devices on the Internet. These are devices are typically insecure computers with either outdated or no anti-viral software and or lacking operating system security updates.
  • ISPs Internet Service Providers
  • the ISP absorbs this cost in most cases but not all users download the free software which keeps their computers vulnerable.
  • the other risk that ISPs faces is to increase spending on high-availability of its systems, especially mail and DNS systems. This is because email severs process millions of messages and has to determine the legitimacy of each email
  • Deep packet inspection (DPI) technology is accurate for identifying friend or foe SMTP traffic as it relies on heuristics and various rule sets to categorize SMTP traffic for legitimacy. Additionally, statistical analysis of DNS query pattern analysis can also be used to identify BOTS on the network. These systems and processes coupled with PacketCable Multimedia form an effective detection and enforcement process to stop Spam and other forms of malicious traffic.
  • DPI Deep packet inspection
  • FIG. 1 illustrates a system for providing media content in accordance with one non-limiting aspect of the present invention
  • FIG. 2 illustrates a flowchart of a method of mitigating malicious messages in accordance with one non-limiting aspect of the present invention.
  • FIG. 1 illustrates a system 10 for providing media content in accordance with one non-limiting aspect of the present invention.
  • the system 10 may include a media provider (not shown) for providing media services over an operator network 12 to subscribers at one or more subscriber locations 14 .
  • the system 10 may 10 include elements suitable for the mitigation of malicious messages carried over the network 12 , such as but not limited to elements associated with mitigating malicious messages use with Spam and Denial of Service (DoS) attacks.
  • DoS Spam and Denial of Service
  • the media provider for exemplary purpose, is most prominently described with respect to being a cable television service provider having capabilities for providing cable television, telecommunications, and high-speed data services to the subscriber locations, primarily through wired and/or wireless communications.
  • the present invention is not so limited and fully contemplates the provider being associated with any type of service provider, including other television providers (IP, broadcast, satellite, etc.) and non-television providers, such as those associated with high-speed data, telecommunications, cellular communications, and the like.
  • the media provider may be configured to support and/or facilitate the use of any number of television and non-television services and applications, such as, but not limited to email services, data transmission service, linear and non-linear television programming/signaling (cable, satellite, broadcast, etc.), Video on Demand (VOD), interactive television (iTV), interactive gaming, pay-per-view (PPV), digital video recording (local and remote), and/or broadcasting of signals associated with supporting television programming, movies, audio, and other multimedia, as well as, downloading of clips or full-length versions of the same.
  • VOD Video on Demand
  • iTV interactive television
  • PV pay-per-view
  • digital video recording local and remote
  • broadcasting of signals associated with supporting television programming, movies, audio, and other multimedia as well as, downloading of clips or full-length versions of the same.
  • the messages associated with these and any number of other services may be limited in accordance with the present invention.
  • the network 12 may include any number of features and devices to facilitate signal transportation and other operations associated with interfacing the subscriber locations with each other and otherwise supporting communications associated with services of the media provider.
  • the network 12 may include terrestrial and extraterrestrial components and infrastructures, including cable lines, telephone lines, and/or satellite or other wireless architectures.
  • the network 12 may be associated with other private and/or public networks, such as the Internet and dedicated or virtual private networks.
  • Each subscriber location 14 may include one or more media devices, such as but not limited to a personal computer 16 , to facilitate user interaction with the media content/services.
  • the scope of such interaction may be based on subscriptions and other parameters set by the media provider.
  • the subscriptions may specify various classes of services and other parameters associated with usage rights and services available to the corresponding subscriber.
  • the media devices may relate to any number of devices suitable for interfacing and/or facilitating interfacing the subscribers.
  • the media devices may be a settop box (STB), digital video recorder (DVR), personal computer (PC), television (which may include embedded user interface and processing capabilities), outlet digital adapter (ODA), media terminal adapter (MTA), cable modem (CM), personal digital assistant (PDA), computer, mobile device (phone, computer, etc.), personal media device, and any other item having capabilities to supporting access to any number of the services.
  • STB settop box
  • DVR digital video recorder
  • PC personal computer
  • television which may include embedded user interface and processing capabilities
  • ODA outlet digital adapter
  • MTA media terminal adapter
  • CM cable modem
  • PDA personal digital assistant
  • computer mobile device
  • phone phone, computer, etc.
  • personal media device and any other item having capabilities to supporting access to any number of the services.
  • the messages associated with supporting or interacting with these and any number of other media devices may be limited in accordance with the present invention.
  • the media devices may be configured to descramble and to support and/or facilitate the use of any number of television and non-television related signals, such as, but not limited to, Hyper Text Transfer Protocol (HTTP), Dynamic Host Configuration Protocol (DHCP), Syslog, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP), Data Over Cable Service Interface Specification (DOCSIS), Domain Name System (DNS) applications, DOCSIS Settop Gateway (DSG), out-of-band (OOB) messaging, and others.
  • HTTP Hyper Text Transfer Protocol
  • DHCP Dynamic Host Configuration Protocol
  • SNMP Simple Network Management Protocol
  • TFTP Trivial File Transfer Protocol
  • DOCSIS Data Over Cable Service Interface Specification
  • DSG DOCSIS Settop Gateway
  • OOB out-of-band
  • the content sources be associated with the media provider (which in turn may receive the content from other sources) and/or one or more of the subscriber devices or other non-subscriber devices connected to the network.
  • the media provider is a television service provider
  • a portion of the media content may relate to television programs, movies, and other multimedia packets.
  • This content may be delivered from the media service provider to the subscribers through streaming, downloading, broadcast, peer-to-peer, and any number of other processes.
  • the media content may be delivered to the subscriber locations directly from the media service provider and/or from one or more of the other devices in communication therewith.
  • multiple regional enterprises such as headend units and the like, may be configured to provide regional programming to a number of subscribers associated therewith.
  • Each of the headends may store various types of media content for distribution to the subscribers it services.
  • the headends may be configured to support headend to headend communications such that non-direct subscribers, i.e., those supported by other headends, may similarly receive content from other headends.
  • some of the media content may be sourced from the subscribers themselves, such as by transporting content stored locally on the home networks of the subscribers to other locations within the same home network and/or to other locations beyond the home network that are in communication therewith by way of the network.
  • the media provider may include features and capabilities to facilitate such inter-subscriber communications.
  • the system 10 may include any number of elements associated with mitigating malicious messaging in accordance with the present invention.
  • the present invention is predominately described with respect to limiting BOTS, Zombies, or other attackers from utilizing the subscribers PC 16 to send Spam and/or execute DoS attacks.
  • the present invention fully contemplates the mitigation of malicious messaging associated with and originating from any number of locations and element, both inside and outside of the system, and not just PCs associated with subscriber locations.
  • the system 10 may include a cable modem (CM) 22 or digital subscriber line (DSL) modem, a cable modem termination system (CMTS) 24 or digital subscriber line access multiplexer (DSLAM), a first router 26 , a deep packet inspector 28 , a second router 32 , a policy server 34 , an application manager 36 , a domain name system (DNS) 38 , a voicemail/email system 40 , a statistical analysis server 42 , a DNS/email sink-hole 44 , a walled garden 46 , and an open network (not controlled by media provider) 48 .
  • DNS domain name system
  • the Deep Packet Inspection system 28 may be responsible for identifying malicious traffic originating from the subscriber device 16 .
  • the Packet Inspection system 28 may also be responsible for signaling to the Application Manager (AM) 36 to mitigate the abuse.
  • the AM 36 may receive a request for a Quality of Service policy to be enforced for an IP address on the ISP' s network which has been identified as generating malicious messaging.
  • the AM 36 serves as a Policy Decision Point (PDP) to determine if the intended action is authorized for the particular user.
  • PDP Policy Decision Point
  • the Policy Server (PS) 34 may be a component which acts as a policy decision point for the CMTS 24 and a policy enforcement point to the AM 36 .
  • the PS 34 may be responsible for managing CMTS resources and establishing the service flow on the CMTS 24 when requested by the AM 36 .
  • the CMTS 24 may maintain a state for each CM 22 in the form of provisioning and admission control. It may also act as a routing device which converts Radio Frequency (RF) signals from the CM 22 into binary (packetized) format for transport on the network.
  • RF Radio Frequency
  • the routers 26 , 32 may then be used to further interface signal between the CMTS 24 and other elements in the system 10 for further transport over the network 12 .
  • the packet inspector 28 may utilize a set of heuristics for identifying application level attacks based on the contents of the packet.
  • the DNS and email sink-hole 44 may be a spoofed DNS or email server that responds with a non-valid IP address when queried with a type A DNS query request or a SMTP mail-server which responds with successful acknowledgements to outbound emails such that it may be used to keep Spam email and DNS query messages from leaving the operator's network.
  • the walled garden 46 may be a captive web-portal, typically on the operator's network, where all HTTP queries are redirected to for purposes of self-care, self-registration and notifications.
  • the DPI 28 may analyze the frequency, count, or other indicator of traffic against a desired traffic threshold and provide an indication of the same to the AM 36 . For example, if the message type (email (port 25), DNS query (port 53), etc.) from the same user/device (IP address or host-name) exceeds a pre-set threshold (500 message per minute), a signal may be sent to the AM 36 regarding the triggering event. The contents of the signal may include the IP address, source port and destination port of the originating device, i.e., the spammer.
  • a pre-set threshold 500 message per minute
  • the AM 36 may then parse the message, verify that the IP address of the source falls within its managed domain, and trigger an action against the user based on a policy defined by the media provider or other operator associated with the system. For example, the AM 36 may trigger the policy server 34 to set a bandwidth restriction policy on the subscriber's bridging device, such as the CM 22 .
  • the policy restriction may be limited to the port or other interface associated with the message. This allows the subscriber to execute normal operations of the other ports, such as allowing an unsuspecting subscriber to maintain at least PC functionality.
  • the policy may include throttling the bandwidth of the port, for example to 500 bits per second, on any traffic associated with the port, i.e., port 25 for email, port 53 for DNS queries, and port 80 for web activities.
  • the SMTP packets or other packets associated with email may be tagged with a Type of Service marking so that any packet from the PC 16 bound on port 25 may be diverted to the sink-hole email system 44 by the router 26 residing on the operator's domain. This allows the sink-hole email system 44 to respond with a successful acknowledgment message to purposely mislead the Spammer/BOT, which can be helpful in making certain that the Spammer/BOT does not switch ports and re-initiate its efforts.
  • the packets or other information associated with DNS queries may be similarly diverted to the DNS sink-hole 44 for the same purposes.
  • the DNS sink-hole 44 may respond with a invalid IP for any type A DNS query such that DoS or ICMP packets attached to valid websites are prevented from exiting the PC.
  • HTTP/HTTPS Other traffic, i.e. that are not particularly associated with the attached ports (HTTP/HTTPS), may be associated may be diverted to a sink-hole garden 44 in order to prevent the further spread of the virus to other elements in contact with the network.
  • Any HTTP/HTTPS traffic is redirected to the walled-garden 46 where users may be notified about the specifics of the abuse and be provided with anti-virus/anti-malware tools to clean their PC.
  • the operator may also set up a rule to drop all packets from that modem 22 outside the routing domain of the operator. Such a policy would force the subscriber to either clean their devices manually or stop the abuse of the network.
  • the statistical analysis 42 system may be used to identify BOTS on the network.
  • the statistical analysis system 42 may continuously monitor application server usage such as that of DNS, Email or Voice Mail Systems. It may perform a query, for example, of the top 20 clients queering the DNS servers or voice-mail system on a random interval.
  • the AM 36 such as the DNS server 38 , may provide the IP address and query rate of users.
  • the statistical analysis system 42 may determine if the query rate, type and statistics, warrants a notification via a mediation layer to both the AM 36 and the packet inspector 28 to implement the protection procedures described above.
  • the message may contain a unique event-id, IP address of the suspected abuser, abuse type, in this example DNS, and the port number for DNS, (TCP 53).
  • various elements in the system may collaborate to mitigate malicious message attacks.
  • the various elements are shown to be separate features within the system, however, the present invention is not intended to be so limited.
  • the present invention fully contemplates any one or more of the operations described above with respect to the separate elements to be combined or otherwise executed by a common or standalone entity, such as for example with a traffic agent having capabilities to execute any number of the operations described above.
  • FIG. 2 illustrates a flowchart 60 of a method of mitigating malicious messages communicated over a network from a computer to one or more remotely located network elements associated with a network in accordance with one non-limiting aspect of the present invention.
  • the method may be implemented with one or more of the elements associated with the system and/or through some other entity or element having capabilities sufficient to support the operations described herein.
  • Block 62 relates to monitoring malicious messaging traffic levels for one or more elements associated with a network, such as but not limited to a PC of a subscriber associated with a provider of the network.
  • the monitoring may include inspecting traffic, bandwidth consumption, and/or any number of operations associated with transmitting messages over the network.
  • the monitored messages may be associated with any type of network element and traffic associated therewith.
  • the message may comprise a complete set of data and/or individual bits, bytes, or packets of data.
  • Block 64 relates to determining whether the messaging traffic is above a threshold associated with normal messaging activities, i.e., determining whether the traffic is indicative of malicious messaging.
  • the threshold may be set according to any number of operating parameters and requirements of the service provider and/or subscriber.
  • different thresholds may be established for different messaging types, i.e. email, DNS, web, etc., such the present invention may be able to monitor one or more types of messaging associate with the PC.
  • Block 62 is returned to if the messaging traffic is commiserating with normal messaging activities, i.e., no corrective action is deemed necessary.
  • Block 66 is reached if the messaging traffic indicates an attack or other abnormal activity that may be associated with malicious conduct by a PC and/or the like.
  • Block 66 generally relates to limiting the communication capabilities of the offending entity so as to limit the proliferation of the malicious messages. This may include mitigating the malicious traffic to levels below the normal threshold, which may be referred to as a restricted threshold.
  • the communication capabilities may be limited according to any number of parameters associated with the offending messages. For example, bandwidth allocated to a port associated with the offending message type may be throttled or otherwise limited. The bandwidth may be restricted so as to permit some of the offending messages to be transmitted from the computer without alerting the 130 T or zombie of the restriction. This may include limiting bandwidth allocated to particular ports as a function of the message type, such as but not limited to throttling port 25 for offending email message, port 53 for offending DNS queries, and port 80 for offending web queries.
  • Block 68 relates to diverting the offending messages that are permitted to be transported over the throttled bandwidth. These messages may be diverted to a sink-hole or other entity suitable for preventing the messages from reaching locations beyond the provider network.
  • the entity may also include capabilities to acknowledge delivery of the offending messages such that the BOT/Spammers is mislead into believing the message reached the intended recipient.
  • non-offending messages may be similarly diverted and/or held until the BOT/virus is cleaned from the PC or others removed so as to prevent the spread of the BOT/virus from the offending PC.
  • Block 70 relates to diverting HTTP queries or other traffic of the offending PC to a walled garden or other entity in the control or directed by media provider.
  • entity may be a webpage or other portal having capabilities for notifying the subscriber of the communication restrictions.
  • entity may further include utilities or other tools for download that may be used by the subscriber to eliminate the BOT/virus from their computer.
  • Block 72 relates to restoring the restricted communication capabilities after removal or cleansing of the BOT(s) associated with implementing the same. This may include increasing the bandwidth allocated to the offending messaging type from the restricted threshold to the normal threshold or non-restricted threshold such that the associated port may be free to communicate at any level. Block may be returned to monitor future messaging of the PC.
  • the invention may include a process to utilize packet inspection technology along with various network services, such as DNS, coupled with PCMM Application Manager and Policy Servers to dynamically identify, signal, throttle, and notify abusive subscribers.
  • the process may include a solution to re-direct or otherwise divert malicious traffic to a “sink-hole” system and re-direct HTTP queries to a walled-garden where the Spammers can be notified of their actions and provided tools for self-care if the user is unaware of their computer being infected.
  • the present invention provides an end-to-end solution for detecting and mitigating various types of abuse scenarios.
  • the process introduces other concepts such as defining the use of Type of Service (ToS) an DiffSery Code Point (DSCP) marking of malicious IP packets so they may be redirected to a walled-garden or sink-hole systems.
  • ToS Type of Service
  • DSCP DiffSery Code Point
  • the proposal also defines the option where the Operator's DNS, E-Mail or Voice Mail system can detect and signal the PCMM Application Manager if the packet inspection technology fails to identify abuse.
  • the process also includes an Email and DNS sink-hole to generate false notification to Spammer to keep them from going dormant or utilizing alternate ports.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Resources & Organizations (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Computer Hardware Design (AREA)
  • Strategic Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Tourism & Hospitality (AREA)
  • General Engineering & Computer Science (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Method of limiting offending messages communicated over a network, such as but not limited to messages associated with Spam and DoS attacks. The message limiting optionally including limiting bandwidth or other communication capabilities associated with an entity communicating or facilitating communication of the messages.

Description

    BACKGROUND OF THE INVENTION 1. Field of the Invention
  • The present invention relates to methods and systems associated with reducing malicious communications over an Internet Protocol (IP) network, such as but not limited to reducing messaging associated with Spam and Denial of Service (DoS) attacks.
    • 2. Background Art
  • Spam, Denial of Service (Dos) attacks, and any number of other attacks may disrupt network based services. Spam can be described as transmission of unsolicited email messages to a large number of users and devices on public or private data networks. Spam constitutes up to 90% of email traffic on the Internet. Spam is a vehicle for phishing attacks on internet users and it is leading to distrust of the Internet and reduced usage of some services as a result. Spam can be sent knowingly by a user (Spammer) or unknowingly when the user's device is compromised with mal-ware (BOTS) that gives another user control of that user's device. Typically, the user is completely unaware that their device has been compromised. The purpose of BOTS is to compromise the user's privacy, financial data (phishing) and to seek other vulnerable targets on data networks and infect them as well.
  • While one BOT would have minimal effect on the ISP' s network, BOTS belonging to BOTnets can generate large amounts of traffic in the form of Spam and DoS attacks. In the normal course of mal-ware operations command and control centers provide instructions to BOTS. Typically assigned instructions include a list of nodes or IP address which the BOT is to target with DNS queries, replication attempts and open mail servers. The BOT generates large numbers amounts of DNS queries to resolve domain names pre-fix such as Mail or SMTP to a valid IP address and vise a versa, for example the BOT will attempt to when resolve “mail comcast.net” to a valid IP address, i.e. 63.240.76.7210. Once the
  • BOT finds an open Mail System, it will attempt send out either vast quantities of unsolicited mail containing advertisements and or phishing scams. BOTS are also self-contained, in that they have the ability to act as mail-relay agents if they can not find any one mail servers. The purpose of phishing is to obtain financial information such as credit card numbers and account information from the mail's recipient. Typically by tricking the user to believe that the email is legitimate.
  • Another common problem includes ICMP “Ping” and Port scans of IP addresses in order to infect other devices on the Internet. These are devices are typically insecure computers with either outdated or no anti-viral software and or lacking operating system security updates.
  • To counteract the effects of BOTS, Internet Service Providers (ISPs) have to increase spending on anti-abuse systems and provide tools for its subscriber base. The ISP absorbs this cost in most cases but not all users download the free software which keeps their computers vulnerable. The other risk that ISPs faces is to increase spending on high-availability of its systems, especially mail and DNS systems. This is because email severs process millions of messages and has to determine the legitimacy of each email
  • As stated previously 90% of messages are spam so when the operator's mail system receives an outbound mail it would have to scan each message to determine if it is Spam or contains a virus or is a valid email
  • Continuous transmission by thousands of BOTS and the sheer volume eventually results in a significant slow down of the system to a state which interferes with the normal email delivery of benevolent/worthy users or possibly a system crash. Email systems are not 100% accurate in identifying and filtering Spam email such that Spam email gets delivered to a vast array of users who in turn complain to their ISP.
  • This leads to another problem faced by the ISP in having mail and IP addresses from their domain name, i.e. “comcast.net,” black-listed because users within that domain are identified as hosting BOT-nets. Unfortunately, because of BOTS, mail from creditable users is also blocked by the receiving ISP.
  • Deep packet inspection (DPI) technology is accurate for identifying friend or foe SMTP traffic as it relies on heuristics and various rule sets to categorize SMTP traffic for legitimacy. Additionally, statistical analysis of DNS query pattern analysis can also be used to identify BOTS on the network. These systems and processes coupled with PacketCable Multimedia form an effective detection and enforcement process to stop Spam and other forms of malicious traffic.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention is pointed out with particularity in the appended claims However, other features of the present invention will become more apparent and the present invention will be best understood by referring to the following detailed description in conjunction with the accompany drawings in which:
  • FIG. 1 illustrates a system for providing media content in accordance with one non-limiting aspect of the present invention; and
  • FIG. 2 illustrates a flowchart of a method of mitigating malicious messages in accordance with one non-limiting aspect of the present invention.
    •  DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT(S)
  • FIG. 1 illustrates a system 10 for providing media content in accordance with one non-limiting aspect of the present invention. The system 10 may include a media provider (not shown) for providing media services over an operator network 12 to subscribers at one or more subscriber locations 14. The system 10 may 10 include elements suitable for the mitigation of malicious messages carried over the network 12, such as but not limited to elements associated with mitigating malicious messages use with Spam and Denial of Service (DoS) attacks.
  • The media provider, for exemplary purpose, is most prominently described with respect to being a cable television service provider having capabilities for providing cable television, telecommunications, and high-speed data services to the subscriber locations, primarily through wired and/or wireless communications. The present invention, however, is not so limited and fully contemplates the provider being associated with any type of service provider, including other television providers (IP, broadcast, satellite, etc.) and non-television providers, such as those associated with high-speed data, telecommunications, cellular communications, and the like.
  • The media provider may be configured to support and/or facilitate the use of any number of television and non-television services and applications, such as, but not limited to email services, data transmission service, linear and non-linear television programming/signaling (cable, satellite, broadcast, etc.), Video on Demand (VOD), interactive television (iTV), interactive gaming, pay-per-view (PPV), digital video recording (local and remote), and/or broadcasting of signals associated with supporting television programming, movies, audio, and other multimedia, as well as, downloading of clips or full-length versions of the same. The messages associated with these and any number of other services may be limited in accordance with the present invention.
  • The network 12 may include any number of features and devices to facilitate signal transportation and other operations associated with interfacing the subscriber locations with each other and otherwise supporting communications associated with services of the media provider. The network 12 may include terrestrial and extraterrestrial components and infrastructures, including cable lines, telephone lines, and/or satellite or other wireless architectures. The network 12 may be associated with other private and/or public networks, such as the Internet and dedicated or virtual private networks.
  • Each subscriber location 14 may include one or more media devices, such as but not limited to a personal computer 16, to facilitate user interaction with the media content/services. The scope of such interaction may be based on subscriptions and other parameters set by the media provider. The subscriptions may specify various classes of services and other parameters associated with usage rights and services available to the corresponding subscriber.
  • The media devices may relate to any number of devices suitable for interfacing and/or facilitating interfacing the subscribers. For example, the media devices may be a settop box (STB), digital video recorder (DVR), personal computer (PC), television (which may include embedded user interface and processing capabilities), outlet digital adapter (ODA), media terminal adapter (MTA), cable modem (CM), personal digital assistant (PDA), computer, mobile device (phone, computer, etc.), personal media device, and any other item having capabilities to supporting access to any number of the services. The messages associated with supporting or interacting with these and any number of other media devices may be limited in accordance with the present invention.
  • The media devices may be configured to descramble and to support and/or facilitate the use of any number of television and non-television related signals, such as, but not limited to, Hyper Text Transfer Protocol (HTTP), Dynamic Host Configuration Protocol (DHCP), Syslog, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP), Data Over Cable Service Interface Specification (DOCSIS), Domain Name System (DNS) applications, DOCSIS Settop Gateway (DSG), out-of-band (OOB) messaging, and others.
  • The content sources be associated with the media provider (which in turn may receive the content from other sources) and/or one or more of the subscriber devices or other non-subscriber devices connected to the network. For example, if the media provider is a television service provider, a portion of the media content may relate to television programs, movies, and other multimedia packets. This content may be delivered from the media service provider to the subscribers through streaming, downloading, broadcast, peer-to-peer, and any number of other processes.
  • The media content may be delivered to the subscriber locations directly from the media service provider and/or from one or more of the other devices in communication therewith. In more detail, as is common with larger media content providers, multiple regional enterprises, such as headend units and the like, may be configured to provide regional programming to a number of subscribers associated therewith. Each of the headends may store various types of media content for distribution to the subscribers it services. Optionally, the headends may be configured to support headend to headend communications such that non-direct subscribers, i.e., those supported by other headends, may similarly receive content from other headends.
  • In addition, some of the media content may be sourced from the subscribers themselves, such as by transporting content stored locally on the home networks of the subscribers to other locations within the same home network and/or to other locations beyond the home network that are in communication therewith by way of the network. The media provider may include features and capabilities to facilitate such inter-subscriber communications.
  • The system 10 may include any number of elements associated with mitigating malicious messaging in accordance with the present invention. For exemplary purposes only, and without intending to limit the scope and contemplation of the present invention, the present invention is predominately described with respect to limiting BOTS, Zombies, or other attackers from utilizing the subscribers PC 16 to send Spam and/or execute DoS attacks. The present invention, however, fully contemplates the mitigation of malicious messaging associated with and originating from any number of locations and element, both inside and outside of the system, and not just PCs associated with subscriber locations.
  • The system 10 may include a cable modem (CM) 22 or digital subscriber line (DSL) modem, a cable modem termination system (CMTS) 24 or digital subscriber line access multiplexer (DSLAM), a first router 26, a deep packet inspector 28, a second router 32, a policy server 34, an application manager 36, a domain name system (DNS) 38, a voicemail/email system 40, a statistical analysis server 42, a DNS/email sink-hole 44, a walled garden 46, and an open network (not controlled by media provider) 48. These elements may operate in conjunction with each other and other elements to facilitate limiting messaging associated with the same or other elements.
  • The Deep Packet Inspection system 28 may be responsible for identifying malicious traffic originating from the subscriber device 16. The Packet Inspection system 28 may also be responsible for signaling to the Application Manager (AM) 36 to mitigate the abuse. The AM 36 may receive a request for a Quality of Service policy to be enforced for an IP address on the ISP' s network which has been identified as generating malicious messaging. The AM 36 serves as a Policy Decision Point (PDP) to determine if the intended action is authorized for the particular user.
  • The Policy Server (PS) 34 may be a component which acts as a policy decision point for the CMTS 24 and a policy enforcement point to the AM 36. The PS 34 may be responsible for managing CMTS resources and establishing the service flow on the CMTS 24 when requested by the AM 36. The CMTS 24 may maintain a state for each CM 22 in the form of provisioning and admission control. It may also act as a routing device which converts Radio Frequency (RF) signals from the CM 22 into binary (packetized) format for transport on the network.
  • The routers 26, 32 may then be used to further interface signal between the CMTS 24 and other elements in the system 10 for further transport over the network 12. The packet inspector 28 may utilize a set of heuristics for identifying application level attacks based on the contents of the packet. The DNS and email sink-hole 44 may be a spoofed DNS or email server that responds with a non-valid IP address when queried with a type A DNS query request or a SMTP mail-server which responds with successful acknowledgements to outbound emails such that it may be used to keep Spam email and DNS query messages from leaving the operator's network. The walled garden 46 may be a captive web-portal, typically on the operator's network, where all HTTP queries are redirected to for purposes of self-care, self-registration and notifications.
  • For example, if the PC 16 initiates the transmission of vast quantities of mail messages via the SMTP protocol on port 25 or a DNS DoS attack on port 53, the DPI 28 may analyze the frequency, count, or other indicator of traffic against a desired traffic threshold and provide an indication of the same to the AM 36. For example, if the message type (email (port 25), DNS query (port 53), etc.) from the same user/device (IP address or host-name) exceeds a pre-set threshold (500 message per minute), a signal may be sent to the AM 36 regarding the triggering event. The contents of the signal may include the IP address, source port and destination port of the originating device, i.e., the spammer.
  • The AM 36 may then parse the message, verify that the IP address of the source falls within its managed domain, and trigger an action against the user based on a policy defined by the media provider or other operator associated with the system. For example, the AM 36 may trigger the policy server 34 to set a bandwidth restriction policy on the subscriber's bridging device, such as the CM 22. The policy restriction may be limited to the port or other interface associated with the message. This allows the subscriber to execute normal operations of the other ports, such as allowing an unsuspecting subscriber to maintain at least PC functionality. The policy may include throttling the bandwidth of the port, for example to 500 bits per second, on any traffic associated with the port, i.e., port 25 for email, port 53 for DNS queries, and port 80 for web activities.
  • The SMTP packets or other packets associated with email, for example, may be tagged with a Type of Service marking so that any packet from the PC 16 bound on port 25 may be diverted to the sink-hole email system 44 by the router 26 residing on the operator's domain. This allows the sink-hole email system 44 to respond with a successful acknowledgment message to purposely mislead the Spammer/BOT, which can be helpful in making certain that the Spammer/BOT does not switch ports and re-initiate its efforts. The packets or other information associated with DNS queries may be similarly diverted to the DNS sink-hole 44 for the same purposes. The DNS sink-hole 44 may respond with a invalid IP for any type A DNS query such that DoS or ICMP packets attached to valid websites are prevented from exiting the PC.
  • Other traffic, i.e. that are not particularly associated with the attached ports (HTTP/HTTPS), may be associated may be diverted to a sink-hole garden 44 in order to prevent the further spread of the virus to other elements in contact with the network. Any HTTP/HTTPS traffic is redirected to the walled-garden 46 where users may be notified about the specifics of the abuse and be provided with anti-virus/anti-malware tools to clean their PC. Optionally, the operator may also set up a rule to drop all packets from that modem 22 outside the routing domain of the operator. Such a policy would force the subscriber to either clean their devices manually or stop the abuse of the network.
  • BOTS and Spammers could potentially adapt overtime to undermine the use of Deep Packet Inspection systems the chances are that small percent of Spam and DoS packets will go undetected by the DPI technology. As such, application usage via statistical analysis such as DNS query pattern analysis becomes important. In addition to or in place of the packet inspector, the statistical analysis 42 system may be used to identify BOTS on the network. The statistical analysis system 42 may continuously monitor application server usage such as that of DNS, Email or Voice Mail Systems. It may perform a query, for example, of the top 20 clients queering the DNS servers or voice-mail system on a random interval. The AM 36, such as the DNS server 38, may provide the IP address and query rate of users. Similar to the packet inspector heuristics, the statistical analysis system 42 may determine if the query rate, type and statistics, warrants a notification via a mediation layer to both the AM 36 and the packet inspector 28 to implement the protection procedures described above. The message may contain a unique event-id, IP address of the suspected abuser, abuse type, in this example DNS, and the port number for DNS, (TCP 53).
  • As described above, various elements in the system may collaborate to mitigate malicious message attacks. The various elements are shown to be separate features within the system, however, the present invention is not intended to be so limited. The present invention fully contemplates any one or more of the operations described above with respect to the separate elements to be combined or otherwise executed by a common or standalone entity, such as for example with a traffic agent having capabilities to execute any number of the operations described above.
  • FIG. 2 illustrates a flowchart 60 of a method of mitigating malicious messages communicated over a network from a computer to one or more remotely located network elements associated with a network in accordance with one non-limiting aspect of the present invention. The method may be implemented with one or more of the elements associated with the system and/or through some other entity or element having capabilities sufficient to support the operations described herein.
  • Block 62 relates to monitoring malicious messaging traffic levels for one or more elements associated with a network, such as but not limited to a PC of a subscriber associated with a provider of the network. The monitoring may include inspecting traffic, bandwidth consumption, and/or any number of operations associated with transmitting messages over the network. The monitored messages may be associated with any type of network element and traffic associated therewith. The message may comprise a complete set of data and/or individual bits, bytes, or packets of data.
  • Block 64 relates to determining whether the messaging traffic is above a threshold associated with normal messaging activities, i.e., determining whether the traffic is indicative of malicious messaging. The threshold may be set according to any number of operating parameters and requirements of the service provider and/or subscriber. Optionally, different thresholds may be established for different messaging types, i.e. email, DNS, web, etc., such the present invention may be able to monitor one or more types of messaging associate with the PC.
  • Block 62 is returned to if the messaging traffic is commiserating with normal messaging activities, i.e., no corrective action is deemed necessary. Block 66, however, is reached if the messaging traffic indicates an attack or other abnormal activity that may be associated with malicious conduct by a PC and/or the like. Block 66 generally relates to limiting the communication capabilities of the offending entity so as to limit the proliferation of the malicious messages. This may include mitigating the malicious traffic to levels below the normal threshold, which may be referred to as a restricted threshold.
  • The communication capabilities may be limited according to any number of parameters associated with the offending messages. For example, bandwidth allocated to a port associated with the offending message type may be throttled or otherwise limited. The bandwidth may be restricted so as to permit some of the offending messages to be transmitted from the computer without alerting the 130T or zombie of the restriction. This may include limiting bandwidth allocated to particular ports as a function of the message type, such as but not limited to throttling port 25 for offending email message, port 53 for offending DNS queries, and port 80 for offending web queries.
  • Block 68 relates to diverting the offending messages that are permitted to be transported over the throttled bandwidth. These messages may be diverted to a sink-hole or other entity suitable for preventing the messages from reaching locations beyond the provider network. The entity may also include capabilities to acknowledge delivery of the offending messages such that the BOT/Spammers is mislead into believing the message reached the intended recipient. Optionally, non-offending messages may be similarly diverted and/or held until the BOT/virus is cleaned from the PC or others removed so as to prevent the spread of the BOT/virus from the offending PC.
  • Block 70 relates to diverting HTTP queries or other traffic of the offending PC to a walled garden or other entity in the control or directed by media provider. The entity may be a webpage or other portal having capabilities for notifying the subscriber of the communication restrictions. The entity may further include utilities or other tools for download that may be used by the subscriber to eliminate the BOT/virus from their computer.
  • Block 72 relates to restoring the restricted communication capabilities after removal or cleansing of the BOT(s) associated with implementing the same. This may include increasing the bandwidth allocated to the offending messaging type from the restricted threshold to the normal threshold or non-restricted threshold such that the associated port may be free to communicate at any level. Block may be returned to monitor future messaging of the PC.
  • As demonstrated above, one non-limiting aspect of the present invention relates to significantly reducing Spam and Denial of Service attacks generated by a customer on an ISP's network. The invention may include a process to utilize packet inspection technology along with various network services, such as DNS, coupled with PCMM Application Manager and Policy Servers to dynamically identify, signal, throttle, and notify abusive subscribers. The process may include a solution to re-direct or otherwise divert malicious traffic to a “sink-hole” system and re-direct HTTP queries to a walled-garden where the Spammers can be notified of their actions and provided tools for self-care if the user is unaware of their computer being infected.
  • Optionally, the present invention provides an end-to-end solution for detecting and mitigating various types of abuse scenarios. Additionally, the process introduces other concepts such as defining the use of Type of Service (ToS) an DiffSery Code Point (DSCP) marking of malicious IP packets so they may be redirected to a walled-garden or sink-hole systems. The proposal also defines the option where the Operator's DNS, E-Mail or Voice Mail system can detect and signal the PCMM Application Manager if the packet inspection technology fails to identify abuse. The process also includes an Email and DNS sink-hole to generate false notification to Spammer to keep them from going dormant or utilizing alternate ports.
  • As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention that may be embodied in various and alternative forms. The figures are not necessarily to scale, some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for the claims and/or as a representative basis for teaching one skilled in the art to variously employ the present invention.
  • While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention.

Claims (24)

1. A method comprising:
receiving, by one or more first computing devices and from a second computing device, a first message addressed to a destination device; and
based on determining that the first message is malicious:
preventing sending of the first message to the destination device; and
sending, to the second computing device, a second message comprising an invalid network address and configured to prevent the second computing device from sending one or more additional messages.
2. The method of claim 1, wherein determining that the first message is malicious comprises one or more of:
monitoring messages received from the second computing device;
analyzing content of the first message;
determining that a quantity messages received from the second computing device satisfies a maximum threshold quantity of messages; or determining that the first message has been sent via a port of the second computing device, wherein messages, previously sent by the second computing device via the port of the second computing device, indicate malicious messaging by the second computing device.
3. The method of claim 1, wherein the second computing device is associated with a first network, and
wherein preventing sending of the first message to the destination device comprises preventing sending of the first message to a destination device associated with a second network different than the first network.
4. The method of claim 1, wherein determining that the first message is malicious comprises:
determining that messages, of at least one message type and sent by the second computing device, indicate malicious messaging by the second computing device; and
determining, based on the first message being of that at least one message type, that the first message is malicious.
5. The method of claim 1, wherein the first message is of at least one message type, and
wherein the second message is configured to prevent the second computing device from sending additional messages of the at least one message type.
6. The method of claim 1, wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device.
7. The method of claim 1, further comprising:
determining that the second computing device sent the first message via a port of the second computing device; and
sending additional messages, received via the port of the second computing device, to a sink-hole device.
8. The method of claim 1, wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device.
9. A first computing device comprising:
one or more processors; and
memory storing instructions that, when executed by the one or more processors, cause the first computing device to:
receive, from a second computing device, a first message addressed to a destination device; and
based on determining that the first message is malicious:
prevent sending of the first message to the destination device; and
send, to the second computing device, a second message comprising an invalid network address and configured to prevent the second computing device from sending one or more additional messages.
10. The first computing device of claim 9, wherein the instructions, when executed by the one or more processors, cause the first computing device to determine that the first message is malicious by causing one or more of:
monitoring messages received from the second computing device;
analyzing content of the first message;
determining that a quantity messages received from the second computing device satisfies a maximum threshold quantity of messages; or
determining that the first message has been sent via a port of the second computing device, wherein messages, previously sent by the second computing device via the port of the second computing device, indicate malicious messaging by the second computing device.
11. The first computing device of claim 9, wherein the second computing device is associated with a first network, and
wherein the instructions, when executed by the one or more processors, cause the first computing device to prevent the sending of the first message to the destination device by preventing sending of the first message to a destination device associated with a second network different than the first network.
12. The first computing device of claim 9, wherein the instructions, when executed by the one or more processors, cause the first computing device to determine that the first message is malicious by causing the first computing device to:
determine that messages, of at least one message type and sent by the second computing device, indicate malicious messaging by the second computing device; and
determine based on the first message being of that at least one message type, that the first message is malicious.
13. The first computing device of claim 9, wherein the first message is of at least one message type, and
wherein the second message is configured to prevent the second computing device from sending additional messages of the at least one message type.
14. The first computing device of claim 9, wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device.
15. The first computing device of claim 9, wherein the instructions, when executed by the one or more processors, further cause the first computing device to:
determine that the second computing device sent the first message via a port of the second computing device; and
send additional messages, received via the port of the second computing device, to a sink-hole device.
16. The first computing device of claim 9, wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device.
17. A non-transitory computer readable medium storing instructions that, when executed, cause:
receiving, from a computing device, a first message addressed to a destination device; and
based on determining that the first message is malicious:
preventing sending of the first message to the destination device; and
sending, to the computing device, a second message comprising an invalid network address and configured to prevent the computing device from sending one or more additional messages.
18. The non-transitory computer readable medium of claim 17, wherein the instructions, when executed, cause determining that the first message is malicious by causing one or more of:
monitoring messages received from the computing device;
analyzing content of the first message;
determining that a quantity messages received from the computing device satisfies a maximum threshold quantity of messages; or
determining that the first message has been sent via a port of the computing device, wherein messages, previously sent by the computing device via the port of the computing device, indicate malicious messaging by the computing device.
19. The non-transitory computer readable medium of claim 17, wherein the computing device is associated with a first network, and
wherein the instructions, when executed, cause preventing sending of the first message to the destination device by causing preventing sending of the first message to a destination device associated with a second network different than the first network.
20. The non-transitory computer readable medium of claim 17, wherein the instructions, when executed, cause determining that the first message is malicious by causing:
determining that messages, of at least one message type and sent by the computing device, indicate malicious messaging by the computing device; and
determining, based on the first message being of that at least one message type, that the first message is malicious.
21. The non-transitory computer readable medium of claim 17, wherein the first message is of at least one message type, and
wherein the second message is configured to prevent the computing device from sending additional messages of the at least one message type.
22. The non-transitory computer readable medium of claim 17, wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device.
23. The non-transitory computer readable medium of claim 17, wherein the instructions, when executed, further cause:
determining that the computing device sent the first message via a port of the computing device; and
sending additional messages, received via the port of the computing device, to a sink-hole device.
24. The non-transitory computer readable medium of claim 17, wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the computing device.
US17/403,415 2006-11-16 2021-08-16 Process for Abuse Mitigation Pending US20220076209A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/403,415 US20220076209A1 (en) 2006-11-16 2021-08-16 Process for Abuse Mitigation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/560,437 US11120406B2 (en) 2006-11-16 2006-11-16 Process for abuse mitigation
US17/403,415 US20220076209A1 (en) 2006-11-16 2021-08-16 Process for Abuse Mitigation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/560,437 Continuation US11120406B2 (en) 2006-11-16 2006-11-16 Process for abuse mitigation

Publications (1)

Publication Number Publication Date
US20220076209A1 true US20220076209A1 (en) 2022-03-10

Family

ID=39402469

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/560,437 Active 2031-01-06 US11120406B2 (en) 2006-11-16 2006-11-16 Process for abuse mitigation
US17/403,415 Pending US20220076209A1 (en) 2006-11-16 2021-08-16 Process for Abuse Mitigation

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/560,437 Active 2031-01-06 US11120406B2 (en) 2006-11-16 2006-11-16 Process for abuse mitigation

Country Status (3)

Country Link
US (2) US11120406B2 (en)
EP (1) EP2095233B1 (en)
WO (1) WO2008061171A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210400082A1 (en) * 2018-09-28 2021-12-23 Orange Method of collaboration and for requesting collaboration between protecting services associated with at least one domain, corresponding agents and computer program
US11477128B1 (en) * 2013-11-19 2022-10-18 Tripwire, Inc. Bandwidth throttling in vulnerability scanning applications

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8046832B2 (en) * 2002-06-26 2011-10-25 Microsoft Corporation Spam detector with challenges
US8065370B2 (en) 2005-11-03 2011-11-22 Microsoft Corporation Proofs to filter spam
US8224905B2 (en) * 2006-12-06 2012-07-17 Microsoft Corporation Spam filtration utilizing sender activity data
US8331229B1 (en) * 2006-12-15 2012-12-11 At&T Mobility Ii Llc Policy-enabled dynamic deep packet inspection for telecommunications networks
EP1990960A1 (en) * 2007-05-09 2008-11-12 Wayport, Inc. System and method for providing application categorization and quality of service in a network with multiple users
US7870285B2 (en) * 2007-10-12 2011-01-11 Cisco Technology, Inc. Mitigating subscriber side attacks in a cable network
US8504622B1 (en) * 2007-11-05 2013-08-06 Mcafee, Inc. System, method, and computer program product for reacting based on a frequency in which a compromised source communicates unsolicited electronic messages
US8244752B2 (en) * 2008-04-21 2012-08-14 Microsoft Corporation Classifying search query traffic
WO2010022777A1 (en) * 2008-08-28 2010-03-04 Nokia Siemens Networks Oy Suspicious heavy user handling
US8284786B2 (en) * 2009-01-23 2012-10-09 Mirandette Olivier Method and system for context aware deep packet inspection in IP based mobile data networks
US8787182B2 (en) * 2009-05-18 2014-07-22 Comcast Cable Holdings, Llc Configuring network devices
US8494000B1 (en) * 2009-07-10 2013-07-23 Netscout Systems, Inc. Intelligent slicing of monitored network packets for storing
US8381291B2 (en) 2009-12-10 2013-02-19 At&T Intellectual Property I, L.P. Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses
US9264321B2 (en) * 2009-12-23 2016-02-16 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US8903986B1 (en) * 2010-04-05 2014-12-02 Symantec Corporation Real-time identification of URLs accessed by automated processes
US8438638B2 (en) * 2010-04-08 2013-05-07 At&T Intellectual Property I, L.P. Bot-network detection based on simple mail transfer protocol (SMTP) characteristics of e-mail senders within IP address aggregates
US9450781B2 (en) * 2010-12-09 2016-09-20 Alcatel Lucent Spam reporting and management in a communication network
US20120174220A1 (en) * 2010-12-31 2012-07-05 Verisign, Inc. Detecting and mitigating denial of service attacks
US8935383B2 (en) 2010-12-31 2015-01-13 Verisign, Inc. Systems, apparatus, and methods for network data analysis
US10547636B2 (en) * 2016-12-28 2020-01-28 Verisign, Inc. Method and system for detecting and mitigating denial-of-service attacks
US11599675B2 (en) * 2020-09-30 2023-03-07 Mcafee, Llc Detecting data leakage to websites accessed using a remote browsing infrastructure
US11164156B1 (en) * 2021-04-30 2021-11-02 Oracle International Corporation Email message receiving system in a cloud infrastructure

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070097988A1 (en) * 2005-10-27 2007-05-03 Lg Electronics Inc. Method of setting up PS call in mobile communication system
US20080196099A1 (en) * 2002-06-10 2008-08-14 Akonix Systems, Inc. Systems and methods for detecting and blocking malicious content in instant messages
US20110138041A1 (en) * 2003-02-19 2011-06-09 Google Inc. Zero-minute virus and spam detection
US20130263247A1 (en) * 2000-06-23 2013-10-03 Peder J. Jungck Transparent Provisioning of Network Access to an Application

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5784569A (en) * 1996-09-23 1998-07-21 Silicon Graphics, Inc. Guaranteed bandwidth allocation method in a computer system for input/output data transfers
US6625650B2 (en) 1998-06-27 2003-09-23 Intel Corporation System for multi-layer broadband provisioning in computer networks
US6643260B1 (en) * 1998-12-18 2003-11-04 Cisco Technology, Inc. Method and apparatus for implementing a quality of service policy in a data communications network
US6687740B1 (en) * 1999-09-21 2004-02-03 Neostar, Inc. System, method and article of manufacture for preventing the proliferation of unwanted electronic messages
US20040100982A1 (en) * 1999-09-30 2004-05-27 Sivaram Balasubramanian Distributed real-time operating system
US7028264B2 (en) * 1999-10-29 2006-04-11 Surfcast, Inc. System and method for simultaneous display of multiple information sources
US6917622B2 (en) * 2000-05-19 2005-07-12 Scientific-Atlanta, Inc. Allocating access across a shared communications medium in a carrier network
US6650890B1 (en) 2000-09-29 2003-11-18 Postini, Inc. Value-added electronic messaging services and transparent implementation thereof using intermediate server
US20020078164A1 (en) * 2000-12-13 2002-06-20 Marnetics Ltd. System and method for data transfer acceleration in a TCP network environment
US20020133613A1 (en) * 2001-03-16 2002-09-19 Teng Albert Y. Gateway metering and bandwidth management
US8438241B2 (en) * 2001-08-14 2013-05-07 Cisco Technology, Inc. Detecting and protecting against worm traffic on a network
JP2004070860A (en) * 2002-08-09 2004-03-04 Hitachi Ltd Stream contents distribution system and proxy server
US6983323B2 (en) * 2002-08-12 2006-01-03 Tippingpoint Technologies, Inc. Multi-level packet screening with dynamically selected filtering criteria
US20050105513A1 (en) * 2002-10-27 2005-05-19 Alan Sullivan Systems and methods for direction of communication traffic
US20040146006A1 (en) * 2003-01-24 2004-07-29 Jackson Daniel H. System and method for internal network data traffic control
US7676546B2 (en) * 2003-03-25 2010-03-09 Verisign, Inc. Control and management of electronic messaging
KR100540932B1 (en) * 2003-07-01 2006-01-10 삼성전자주식회사 Apparatus for controlling flow of a frame and method using the same, and apparatus for transmitting a frame and method using the same
US7409712B1 (en) * 2003-07-16 2008-08-05 Cisco Technology, Inc. Methods and apparatus for network message traffic redirection
US7155738B2 (en) * 2003-11-04 2006-12-26 Yahoo! Inc. System and method for managing a trusted email datastore
JP2005184792A (en) 2003-11-27 2005-07-07 Nec Corp Band control device, band control method, and program
US20050177635A1 (en) * 2003-12-18 2005-08-11 Roland Schmidt System and method for allocating server resources
EP1719285A4 (en) * 2004-01-26 2010-12-01 Cisco Tech Inc Upper-level protocol authentication
GB0402739D0 (en) * 2004-02-09 2004-03-10 Saviso Group Ltd Methods and apparatus for routing in a network
US7627670B2 (en) 2004-04-29 2009-12-01 International Business Machines Corporation Method and apparatus for scoring unsolicited e-mail
JP2008508805A (en) * 2004-07-29 2008-03-21 インテリ7・インコーポレーテッド System and method for characterizing and managing electronic traffic
WO2006075323A2 (en) * 2005-01-13 2006-07-20 Flash Networks Ltd Method and system for optimizing dns queries.
CA2601298A1 (en) * 2005-03-17 2006-09-28 Mark E. Dillon System, method and device for trapping mass-delivery electronic messages
US20070066297A1 (en) * 2005-09-20 2007-03-22 Ghobad Heidari-Bateni Network monitoring system and method
WO2007050244A2 (en) * 2005-10-27 2007-05-03 Georgia Tech Research Corporation Method and system for detecting and responding to attacking networks
US7596097B1 (en) * 2006-03-09 2009-09-29 Cisco Technology, Inc. Methods and apparatus to prevent network mapping

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130263247A1 (en) * 2000-06-23 2013-10-03 Peder J. Jungck Transparent Provisioning of Network Access to an Application
US20080196099A1 (en) * 2002-06-10 2008-08-14 Akonix Systems, Inc. Systems and methods for detecting and blocking malicious content in instant messages
US20110138041A1 (en) * 2003-02-19 2011-06-09 Google Inc. Zero-minute virus and spam detection
US20070097988A1 (en) * 2005-10-27 2007-05-03 Lg Electronics Inc. Method of setting up PS call in mobile communication system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11477128B1 (en) * 2013-11-19 2022-10-18 Tripwire, Inc. Bandwidth throttling in vulnerability scanning applications
US20210400082A1 (en) * 2018-09-28 2021-12-23 Orange Method of collaboration and for requesting collaboration between protecting services associated with at least one domain, corresponding agents and computer program
US11985161B2 (en) * 2018-09-28 2024-05-14 Orange Method of collaboration and for requesting collaboration between protecting services associated with at least one domain, corresponding agents and computer program

Also Published As

Publication number Publication date
WO2008061171A3 (en) 2008-10-09
WO2008061171A2 (en) 2008-05-22
EP2095233A4 (en) 2011-03-02
US20080120413A1 (en) 2008-05-22
US11120406B2 (en) 2021-09-14
EP2095233A2 (en) 2009-09-02
EP2095233B1 (en) 2016-07-13

Similar Documents

Publication Publication Date Title
US20220076209A1 (en) Process for Abuse Mitigation
US11924170B2 (en) Methods and systems for API deception environment and API traffic control and security
US9432318B2 (en) Mechanism for establishing reputation in a network environment
JP4917776B2 (en) Method for filtering spam mail for mobile communication devices
US9674217B2 (en) Method and system for mitigation of distributed denial of service (DDOS) attacks
US7926108B2 (en) SMTP network security processing in a transparent relay in a computer network
US9185127B2 (en) Network protection service
US8763117B2 (en) Systems and methods of DNS grey listing
EP2502398B1 (en) Detecting malicious behaviour on a network
US20060075084A1 (en) Voice over internet protocol data overload detection and mitigation system and method
WO2005029245A2 (en) Methods and apparatus for monitoring local network traffic on local network segments and resolving detected security and network management problems occurring on those segments
EP2281371B1 (en) Statistical spam message detection
JP5699162B2 (en) How to detect hijacking of computer resources
JP2009515426A (en) High reliability communication network
US8180835B1 (en) System and method for protecting mail servers from mail flood attacks
US20090119292A1 (en) Peer to peer traffic control method and system
EP2109281A1 (en) Method and system for server-load and bandwidth dependent mitigation of distributed denial of service attacks
Whyte et al. Addressing malicious smtp-based mass-mailing activity within an enterprise network
Still et al. DDoS protections for SMTP servers
KR101399037B1 (en) Method and device for processing spam mail using ip address of sender
Al-Bataineh et al. Detection and prevention methods of botnet-generated spam
Oche et al. Securing VOiP network: An overview of applied approaches and analysis
Kührer Large-scale analysis of network-based threats and potential countermeasures
Disterer et al. Denial-of-Service (DoS) Attacks: Prevention, Intrusion Detection, and Mitigation
Salomon et al. Network security

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

AS Assignment

Owner name: COMCAST CABLE HOLDINGS, LLC, PENNSYLVANIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MODY, NIRMAL;O'REIRDAN, MICHAEL J.;SCULLY, MATT;SIGNING DATES FROM 20061116 TO 20061130;REEL/FRAME:062450/0639

Owner name: COMCAST CABLE COMMUNICATIONS, LLC, PENNSYLVANIA

Free format text: MERGER;ASSIGNOR:COMCAST CABLE HOLDINGS, LLC;REEL/FRAME:062450/0654

Effective date: 20150930

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED