US2021185071A1PendingUtilityA1

Providing security through characterizing mobile traffic by domain names

58
Assignee: AT & T IP I LPPriority: Jul 22, 2016Filed: Mar 1, 2021Published: Jun 17, 2021
Est. expiryJul 22, 2036(~10 yrs left)· nominal 20-yr term from priority
H04L 61/4511H04W 4/12H04L 63/1425H04L 63/1458H04L 47/2441H04W 12/128
58
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method, computer-readable medium, and apparatus for classifying mobile traffic for securing a network or a mobile user endpoint device are disclosed. For example, a method may include a processor for classifying mobile network traffic using a probabilistic model for a plurality of mobile software applications based on a distribution of domain names, detecting an anomaly associated with a mobile software application of the plurality of mobile software applications, and performing a remedial action to address the anomaly.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A device comprising:
 a processor; and   a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising:
 classifying mobile network traffic of a network as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses; 
 detecting an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue; 
 verifying a set of one or more of the internet protocol addresses is associated with the mobile software application in response to the detecting of the anomaly; and 
 performing one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional internet protocol address correlated to the mobile software application, or throttling the mobile traffic from the functional internet protocol address correlated to the mobile software application. 
   
     
     
         2 . The device of  claim 1 , wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application. 
     
     
         3 . The device of  claim 1 , wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application. 
     
     
         4 . The device of  claim 3 , wherein the entity comprises a business entity, a governmental agency, a guardian or a parent. 
     
     
         5 . The device of  claim 1 , wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly. 
     
     
         6 . The device of  claim 1 , wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application. 
     
     
         7 . The device of  claim 1 , the operations further comprising:
 retraining the probabilistic model on a periodic basis.   
     
     
         8 . A method comprising:
 classifying, by a processor, mobile network traffic as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses;   detecting, by the processor, an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue;   verifying, by the processor, a set of one or more of the internet protocol addresses is associated with the mobile software application in response to the detecting of the anomaly; and   performing, by the processor, one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise: sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional internet protocol address correlated to the mobile software application, or throttling the mobile traffic from the functional internet protocol address correlated to the mobile software application.   
     
     
         9 . The method of  claim 8 , wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application. 
     
     
         10 . The method of  claim 8 , wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application. 
     
     
         11 . The method of  claim 10 , wherein the entity comprises a business entity, a governmental agency, a guardian or a parent. 
     
     
         12 . The method of  claim 8 , wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly. 
     
     
         13 . The method of  claim 8 , wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application. 
     
     
         14 . The method of  claim 8 , further comprising:
 retraining the probabilistic model on a periodic basis.   
     
     
         15 . A tangible computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
 classifying mobile network traffic as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses;   detecting an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue;   verifying a set of one or more of the internet protocol addresses is associated with the mobile software application in response to the detecting of the anomaly; and   performing one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional internet protocol address correlated to the mobile software application, or throttling the mobile traffic from the functional internet protocol address correlated to the mobile software application.   
     
     
         16 . The tangible computer-readable medium of  claim 15 , wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application. 
     
     
         17 . The tangible computer-readable medium of  claim 15 , wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application. 
     
     
         18 . The tangible computer-readable medium of  claim 17 , wherein the entity comprises a business entity, a governmental agency, a guardian or a parent. 
     
     
         19 . The tangible computer-readable medium of  claim 15 , wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly. 
     
     
         20 . The tangible computer-readable medium of  claim 15 , wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.