Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling
Reexamination Certificate
1998-06-26
2001-05-22
Geckil, Mehmet B. (Department: 2152)
Electrical computers and digital processing systems: multicomput
Computer-to-computer session/connection establishing
Network resources access controlling
C709S225000, C713S152000
Reexamination Certificate
active
06237037
ABSTRACT:
BACKGROUND
The present invention relates to a method and arrangement for detecting and preferably tracking a non-authorised client stations attempt to access a host in a communications network. The communication network comprises connection devices at least each having a unique identity.
The invention also relates to a telecommunications network having a security arrangement.
During recent years, the art of digitalised communications using for example computers, mobile phones etc., has changed dramatically. The changes, besides of being an aid for users and allowing faster and better communication, have given some people opportunity to use the benefits and possibilities of essentially advanced communication means to carry out, more or less, criminal acts, such as fraudulence, e.g. by accessing the company or government computer networks and retrieving, changing or deleting information, or using telephones, switchboards etc. to obtain felonious privileges.
Internet, the global network for computers and computer networks have also contributed to the global communications, by allowing transference of images, voices and other data in a simple and inexpensive way. The result is that companies, government offices, universities and so on, have connected their networks through Internet to supply the internal and external users with relevant information and also to communicate with each other.
As the Internet is a public network, i.e. everybody having a computer and a communication device, such as a modem, may through an Internet Provider Server (IPS) access the Internet and communicate with others or just retrieve information. Internet is, in a superior manner, the fastest and most effective way to distribute a large amount of information for a large number of people.
The “core” of the Internet includes a very large number of computers, standalone or connected in networks, which can exchange information substantially directly using some predetermined protocols, especially Transmission Control Protocol/Internet Protocol (TCP/IP).
Each computer or connecting device in the core is separated from each other by means of an IP address. The IP address consists of a network number. In some cases the IP address is permanently assigned to a device (computer) in other cases the IP address is assigned to a computer temporarily. The IP address provides each connected computer/device a unique identity in the network.
The data transmission may be carried out via, for example fiber-optic lines, satellite links and telephone lines.
At present, obtaining full identification of a client or a user workstation connected or trying to connect to a host system is not possible. Also, It is not possible, in a simple and fast way, to identify the fraud workstation and thereby the user, even though a partial identification is possible.
When accessing a network, usually a login procedure is executed for authentication of the user. The authentication works, by the client first declaring the user name to be used to access the network. The service providing server then responds with a set of authentication methods, which are acceptable. The client then sends an authentication request, and this dialogue continues until an access has been granted or denied. The authentication methods can vary from system to system. Some methods are:
none
checks if no authentication is ok,
password
a conventional password authentication, which requires
a password for access,
secureid
secureID authentication is a timing-based hardware token
identification, where the user enters a code displayed on
the token as authentication.
Also, on-time passwords and similar methods are available. As other methods public key can be mentioned, in which the possession of a privet key is the authentication.
Great efforts are made to develop methods and algorithms to secure the authentication procedures, but no system is more secure than the user of the system, as passwords and keys may come in possession of non authorised persons. In the Internet case, also the IP addresses can be forged which allows accessing the network without problem.
By forged IP address, it is also possible to attack the Internet service providers, for example by flooding or the like. Flooding is a method where an unreachable source (IP) address is used against a target host computer, which attempts to reserve resources waiting for a response. The attacker repeatedly changes the bogus source address on each new access packet sent, thus exhausting additional host resources. Then, if the attacker uses some valid address as the source address the attacked system responds by sending a large number of reply packages, which at end, results in a degraded performance and even system crash.
U.S. Pat. No. 5,619,657 teaches a method for providing security facility for a network of management servers utilising a database of trust relations to verify mutual relations between management servers. The method relates specially to creating accounts on a system over a network. The management operation (MO) also contains the identity of the user lunching the operation. Through an interface the MO is transferred to a dispatcher of the management server (MS). The MS, in addition to administrating, requests for management services provided by a local system is also responsible for routing MOs on secure paths to other local systems in the network and managing the security of the local system. The MS determines a proper link by means of a database, which maintains trusted relations between the management servers. The trusted relation lists are generated independent from the execution of a communication protocol by an autonomous network utility. Each MS contains a list. The lists are divided into two categories, trusted receivers and trusted senders. Based on the trusted list, forwarding the operations are executed. In summary, the database provides a means for routing MOs from one MS to another MS along a secure path determined by the trust relations of the MSs at each link in the route in the network performing the MO.
SUMMARY
There is a need for a method and arrangement in communications system, specially in a computer network, which provides a simple, effective and straightforward way to increase the security.
There is also a need for a method and arrangement, which allow to detect an unauthorized access attempt to a service providing device or the like in a communications system by a user station or process, by using substantially available procedures.
Through implementation of the method and arrangement, according to the invention there is provided a fast way to trace the position of the fraud user stations.
Therefore the method according to the invention, in case of a first approved control of the identity of a client station trying to access the network, further comprises steps of: retrieving the unique identity of each of said devices in said route, by propagating an identity inquiry, collecting an identity inquiry response message, including the identity of at least each device having a unique identity, sent by each device having an identity and arranged to response, comparing each unique identity of each device and/or station included in said response message with a list of approved identities, and rejecting or accepting the access, based on the comparison result.
In an advantageous embodiment the first verification includes controlling the client station identity and comparing it with a list of approved identities and/or number of accesses made by the client station. If the clients' identity approves and a first time access is detected the method further comprises the steps of: retrieving the unique identity of each of said devices in said route, arranging a database for said client station for storing the connection route by, and including the identity of each device having a unique identity sent by each device having an identity and arranged to response in the database.
It is possible that the identity of each device is collected by propagating an identity requirement and collecting the
Burns Doane Swecker & Mathis L.L.P.
Geckil Mehmet B.
Telefonaktiebolaget LM Ericsson (publ)
LandOfFree
Method and arrangement relating to communications systems does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and arrangement relating to communications systems, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and arrangement relating to communications systems will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2518557