Abstract: An apparatus and method for detecting potentially-improper call behavior (e.g., SPIT, etc.) are disclosed. The illustrative embodiment of the present invention is based on finite-state machines (FSMs) that represent the legal states and state transitions of a communications protocol at a node during a Voice over Internet Protocol (VoIP) call. In accordance with the illustrative embodiment, a library of FSM execution profiles associated with improper call behavior is maintained. When there is a match between the behavior of a finite-state machine during a call and an execution profile in the library, an alert is generated.

Abstract: Network topology information is determined in a network-based communication system by generating communications between, for example, selected pairs of endpoint devices each associated with a network. A given one of the communications is sent from a first one of the endpoint devices to a second one of the endpoint devices and returned from the second endpoint device to the first endpoint device. Information contained in the communication as received at the first endpoint device from the second endpoint device is processed to determine network topology information characterizing at least a portion of the network.

Abstract: Techniques for determining a problem location or otherwise characterizing a network comprising a plurality of processing elements, including at least one processing element associated with performance of a packet encapsulation operation of an encapsulation protocol. The packet encapsulation operation is performed on a test packet to generate an encapsulated packet, the test packet having a time to live (TTL) value and an identifier. In conjunction with performance of the packet encapsulation operation, the TTL value and the identifier of the test packet are copied to a header of the encapsulated packet. The encapsulated packet is transmitted, and a determination is made as to whether a reply packet has been received responsive to transmission of the encapsulated packet. The reply packet, if any, is processed to obtain information utilizable in determining the problem location or otherwise characterizing the network.

Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.

Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems.; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.

Abstract: A method is disclosed that enables the transmission of a digital message along with a corresponding media information signal, such as audio or video. A telecommunications device that is processing the information signal from its user, such as a speech signal, encodes the information signal by using a model-based compression coder. One such device is a telecommunications endpoint. Then, based on an evaluation of the perceptual significance of each encoded bit, or on some other meaningful characteristic of the signal, the endpoint's processor: (i) determines which encoded bits can be overwritten; and (ii) intersperses the digital message bits throughout the encoded signal in place of the overwritten bits. The endpoint then transmits those digital message bits as part of the encoded information signal. In this way, no additional bits are appended to the packet to be transmitted, thereby addressing the issue of compatibility with existing protocols and firewalls.

Abstract: A method is disclosed that enables the transmission of a digital message along with a corresponding information signal, such as audio or video. The supplemental information contained in digital messages can be used for a variety of purposes, such as enabling or enhancing packet authentication. In particular, a telecommunications device that is processing an information signal from its user, such as a speech signal, encrypts the information signal by performing a bitwise exclusive-or of an encryption key stream with the information signal stream. The device, such as a telecommunications endpoint, then intersperses the bits of the digital message throughout the encrypted signal in place of those bits overwritten, in a process referred to as “watermarking.” The endpoint then transmits the interspersed digital message bits as part of a composite signal that also comprises the encrypted information bits. No additional bits are appended to the packet to be transmitted, thereby addressing compatibility issues.

Abstract: A method is disclosed that enables mitigating at least some of the problems caused by a packet attack. When a first Internet Protocol (IP)-capable device is subjected to a packet attack, it indicates periodically to a second IP-capable device that certain communications with the first device are to be suspended. The periodic transmitting of the indication is performed at a slower rate than the keep-alive mechanism that is normally used to detect loss of connectivity. When the second device receives the transmitted indication, it refrains from transmitting keep-alive messages to the first device for a predetermined interval. Meanwhile, the first device also refrains from transmitting keep-alive messages to the second device for a similar interval. In transmitting the suspend indication, the illustrative embodiment seeks to prevent pairs of communicating devices that are experiencing packet attacks from continuing their operation under the erroneous assumption that each device is unavailable.

Abstract: A method is disclosed that enables the avoidance of a processor overload of a telecommunications endpoint device that is susceptible to traffic floods. An enhanced network switch sets the speed on one of its data ports as a specific function of the speeds of the devices that are connected to one or more of its other data ports. This behavior is different from that of network switches in the prior art, in which the data rate of a port in the prior art is auto-negotiated to the highest speed that can be supported by the network elements at either end of the port's connection, regardless of the other devices present. By considering the specific devices that are connected, the enhanced network switch is able to limit the amount of traffic that is directed by an upstream device, such as a router, towards a device with limited processor capability, such as a packet-based phone.

Abstract: A method is disclosed that enables the implementation of an embedded firewall at a telecommunications endpoint. In particular, the illustrative embodiment of the present invention addresses the relationship between the application, firewall engine, and packet-classification rules database that are all resident at the endpoint. In the variations of the illustrative embodiment that are described herein, the application: (i) directly communicates with the co-resident firewall engine such as through local message passing, (ii) shares memory with the firewall engine, and (iii) makes socket calls to the operating system that are intercepted by a middleware layer that subsequently modifies the rules database, depending on the socket call. The common thread to these techniques is that the application, firewall engine, and rules database are co-resident at the endpoint, which is advantageous in the implementation of the embedded firewall.

Abstract: Performance problems or other conditions are analyzed in a system comprising a plurality of endpoint devices and an associated centralized or distributed controller. End-to-end measurements are obtained for respective paths through the network, for example, using communications between the endpoint devices. For a given end-to-end measurement obtained for a particular one of the paths, a value of a performance indicator for the path is determined and the performance indicator value is assigned to each of a plurality of links of the path. The determining and assigning operations are repeated for additional ones of the end-to-end measurements, the links are grouped into one or more exculpation or inculpation sets based on how many times a particular performance indicator value has been assigned to each of the links, and the one or more sets are utilized to determine, for example, the location of a performance problem in the network.

Abstract: A method of transporting authentication information in a media stream packet includes embedding the authentication information in one of a heading and a payload of the media stream packet.

Abstract: A method of authenticating a communications between a sender and a receiver includes agreeing, by a sender and receiver, on a shared secret, computing a first sequence of numbers at the sender using the shared secret, and computing a second sequence of numbers at the receiver using the shared secret. Successive values of the first sequence are respectively embedded in successive messages by the sender. Upon receiving a message, the receiver compares the embedded value of the first sequence with a list of values including at least one corresponding value from the second sequence and the received message to considered to originate from an authentic sender if the value of the first sequence matches the value of the second sequence. The method value is removed from a list of values in the second sequence for comparing.

Abstract: Techniques are disclosed for improved monitoring and analysis of VoIP communications, multimedia communications or other types of network traffic in a network-based communication system. In accordance with one aspect of the invention, endpoint devices of the network-based communication system are configurable so as to collectively implement a distributed monitoring and analysis system which does not require a centralized testing server or other centralized controller. Distributed test units associated with the endpoint devices may be utilized in implementing the distributed monitoring and analysis system, and are preferably configured to support a web-based user interface providing access to measurement data. The endpoint devices may be advantageously organized into a hierarchy comprising a plurality of zones, with each of the endpoint devices belonging to at least one zone.

Abstract: Techniques for determining a problem location or otherwise characterizing a network comprising a plurality of processing elements, including at least one processing element associated with performance of a packet encapsulation operation of an encapsulation protocol. The packet encapsulation operation is performed on a test packet to generate an encapsulated packet, the test packet having a time to live (TTL) value and an identifier. In conjunction with performance of the packet encapsulation operation, the TTL value and the identifier of the test packet are copied to a header of the encapsulated packet. The encapsulated packet is transmitted, and a determination is made as to whether a reply packet has been received responsive to transmission of the encapsulated packet. The reply packet, if any, is processed to obtain information utilizable in determining the problem location or otherwise characterizing the network.

Abstract: Network topology information is determined in a network-based communication system by generating communications between, for example, selected pairs of endpoint devices each associated with a network. A given one of the communications is sent from a first one of the endpoint devices to a second one of the endpoint devices and returned from the second endpoint device to the first endpoint device. Information contained in the communication as received at the first endpoint device from the second endpoint device is processed to determine network topology information characterizing at least a portion of the network.

Abstract: Techniques are disclosed for improved monitoring and analysis of VoIP communications, multimedia communications or other types of network traffic in a network-based communication system. In accordance with one aspect of the invention, endpoint devices of the network-based communication system are configurable so as to collectively implement a distributed monitoring and analysis system which does not require a centralized testing server or other centralized controller. Distributed test units associated with the endpoint devices may be utilized in implementing the distributed monitoring and analysis system, and are preferably configured to support a web-based user interface providing access to measurement data. The endpoint devices may be advantageously organized into a hierarchy comprising a plurality of zones, with each of the endpoint devices belonging to at least one zone.