
Systems and methods for distributed P25 LMR radio vulnerability management and real-time interference monitoring

802 Secure, Inc.
2021
Online Patent

Title:
Systems and methods for distributed P25 LMR radio vulnerability management and real-time interference monitoring
Author / Contributor: 802 Secure, Inc.
Link:
Publication: 2021
Media type: Patent
Other:
  • Indexed in: USPTO Patent Grants
  • Languages: English
  • Patent Number: 10,999,309
  • Publication Date: May 04, 2021
  • Appl. No: 15/972521
  • Application Filed: May 07, 2018
  • Assignees: 802 Secure, Inc. (Pleasanton, CA, US)
  • Claim: 1. A security threat monitoring and vulnerability management system for protecting a project 25 (P25) network, the system comprising: a plurality of sensors distributed to cover a project 25 (P25) network coverage region and comprising software defined radios configured to scan a frequency spectrum of the P25 network and to collect data communicated on the P25 network; and a server implemented within a cloud environment and coupled to the plurality of sensors and configured to receive the collected data from the plurality of sensors, compare the collected data with previously stored historical data to determine whether an anomaly indicating a security threat exists within data patterns of the collected data, responsive to determining that the anomaly indicating the security threat exists, determine whether the security threat is at least one of: use of a cloned radio that mimics an authorized connection to gain access to the P25 network coverage region, jamming of a radio frequency (RF) communication, by an unauthorized device, within the P25 network coverage region, or jamming of a voice communication, by the unauthorized device, within the P25 network coverage region, by comparing the collected data with preset thresholds, and send a real-time alert to a dispatch and control console unit coupled to the server and the P25 network in response to determining that some of the collected data exceeds at least one of the preset thresholds, thereby indicating an unauthorized system access or a system degradation with security impact, such that the dispatch and control console unit provides one or more corrective actions to the P25 network to respond to the security threat.
  • Claim: 2. The system of claim 1, wherein to determine whether use of the cloned radio occurs, the server is further configured to receive a P25 message from the collected data, to extract a source subscriber unit identifier (SU ID) and signal strength information from the P25 message, to determine whether the SU ID is valid, and to determine whether the signal strength information exceeds a signal strength threshold included in the preset thresholds, to determine whether jamming of the RF communication occurs, the server is further configured to compare signal interference information from the collected data with a signal interference threshold included in the preset thresholds, and to determine whether there is increased interference based on the comparison, or to determine whether jamming of the voice communication occurs, the server is further configured to compare noise information from the collected data with a noise threshold included in the preset thresholds, and to determine whether the noise information exceeds the noise threshold, thereby reducing a signal to noise ratio (SNR), based on the comparison.
  • Claim: 3. The system of claim 1, wherein the server is further configured to triangulate on some of the sensors in order to obtain a location within the P25 network where the use of the cloned radio, the jamming of the RF communication, or the jamming of the voice communication within the P25 network coverage region occurs, and send the location to the control console unit.
  • Claim: 4. The system of claim 1, wherein the server sends the real-time alert to the dispatch and control console unit via a communication link that is different than communication links used to receive the collected data from the sensors.
  • Claim: 5. The system of claim 2, wherein the server is further configured to display information associated with use of the cloned radio, jamming of the RF communication, or jamming of the voice communication on a display device coupled to the server.
  • Claim: 6. The system of claim 1, wherein the preset thresholds are set by a user via a graphical user interface (GUI) generated by the server.
  • Claim: 7. The system of claim 1, wherein the collected data comprises network characteristics of the P25 network and activity information of one or more communication devices associated with the P25 network, the historical data comprises activity information of one or more communication devices that meets expectation of the P25 network when the communication device(s) connect to the P25 network from one or more locations within the P25 network, received signal strength indication (RSSI) values of the one or more locations within the P25 network, problems identified and corrected within the P25 network, locations of the problems, corrective procedures of the problems, and degradation trends within the P25 network.
  • Claim: 8. The system of claim 5, wherein the server is further configured to display received signal strength indication (RSSI) mapping, bit error rate (BER) mapping, system degradation trends, and P25 control channel validation.
  • Claim: 9. The system of claim 1, wherein the real-time alert includes a short message service (SMS), a multimedia messaging service (MMS), or an email.
  • Claim: 10. A computer-implemented method for threat monitoring and vulnerability management, comprising: receiving, by a server implemented within a cloud environment, collected data from a plurality of sensors, wherein the sensors comprise one or more software defined radios that scan a frequency spectrum of a project 25 (P25) network and collect the data communicated on the P25 network; comparing, by the server, the collected data with previously stored historical data to determine whether an anomaly indicating a security threat exists within data patterns of the collected data; responsive to determining that the anomaly indicating the security threat exists, determining, by the server, whether the security threat is at least one of: use of a cloned radio that mimics an authorized connection to gain access to the P25 network, jamming of a radio frequency (RF) communication, by an unauthorized device, within the P25 network, or jamming of a voice communication, by the unauthorized device, within the P25 network by comparing the collected data with preset thresholds, and sending, by the server, a real-time alert to a dispatch and control console unit coupled to the server and the P25 network in response to determining that some of the collected data exceeds at least one of the preset thresholds, thereby indicating an existence of the security threat, such that the dispatch and control console unit provides one or more corrective actions to the P25 network to respond to the security threat.
  • Claim: 11. The method of claim 10, wherein determining whether the security threat is the use of the cloned radio to gain access to the P25 network comprises receiving by the server a P25 message from the collected data, extracting by the server a source subscriber unit identifier (SU ID) and signal strength information from the P25 message, determining by the server whether the SU ID is valid, and determining by the server whether the signal strength information exceeds a signal strength threshold included in the preset thresholds, determining whether the security threat is the jamming of the RF communication within the P25 network comprises comparing by the server signal interference information from the collected data with a signal interference threshold included in the preset thresholds, and determining by the server whether there is increased interference based on the comparison, or determining whether the security threat is the jamming of the voice communication within the P25 network comprises comparing by the server noise information from the collected data with a noise threshold included in the preset thresholds, and determining by the server whether the noise information exceeds the noise threshold, thereby reducing a signal to noise ratio (SNR), based on the comparison.
  • Claim: 12. The method of claim 10, further comprising triangulating, by the server, on some of the sensors in order to obtain a location within the P25 network where use of the cloned radio, jamming of the RF communication, or jamming of the voice communication occurs, and sending by the server the location to the control console unit.
  • Claim: 13. The method of claim 10, wherein sending the real-time alert to the dispatch and control console unit via a communication link that is different than communication links used to receive the collected data from the sensors.
  • Claim: 14. The method of claim 11, further comprising displaying by the server information associated with use of the cloned radio, jamming of the RF communication, or jamming of the voice communication on a display device coupled to the server.
  • Claim: 15. The method of claim 10, wherein the preset thresholds are set by a user via a graphical user interface (GUI) generated by the server.
  • Claim: 16. The method of claim 10, wherein the collected data comprises network characteristics of the P25 network and activity information of one or more communication devices associated with the P25 network, the historical data comprises activity information of one or more communication devices that meets expectation of the P25 network when the communication device(s) connect to the P25 network from one or more locations within the P25 network, received signal strength indication (RSSI) values of the one or more locations within the P25 network, problems identified and corrected within the P25 network, locations of the problems, corrective procedures of the problems, and degradation trends within the P25 network.
  • Claim: 17. The method of claim 14, further comprising displaying by the server received signal strength indication (RSSI) mapping, bit error rate (BER) mapping, system degradation trends, and P25 control channel validation on the display device.
  • Claim: 18. The method of claim 10, wherein the real-time alert includes a short message service (SMS), a multimedia messaging service (MMS), or an email.
  • Claim: 19. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor of a server implemented within a cloud environment, cause the processor to perform operations, the operations comprising: receiving, by the server, collected data from a plurality of sensors, wherein the sensors comprise one or more software defined radios that scan a frequency spectrum of a project 25 (P25) network and collect the data communicated on the P25 network; comparing, by the server, the collected data with previously stored historical data to determine whether an anomaly indicating a security threat exists within data patterns of the collected data; responsive to determining that the anomaly indicating the security threat exists, determining, by the server, whether the anomaly is at least one of: use of a cloned radio that mimics an authorized connection for access to the P25 network, jamming of a radio frequency (RF) communication, by an unauthorized device, within the P25 network, or jamming of a voice communication, by the unauthorized device, within the P25 network by comparing the collected data with preset thresholds, and sending, by the server, a real-time alert to a dispatch and control console unit coupled to the server and the P25 network in response to determining that some of the collected data exceeds at least one of the preset thresholds, thereby indicating an existence of the security threat, such that the dispatch and control console unit provides one or more corrective actions to the P25 network to respond to the security threat.
  • Claim: 20. The non-transitory machine-readable medium of claim 19, wherein determining whether the anomaly is the use of the cloned radio for access to the P25 network comprises receiving by the server a P25 message from the collected data, extracting by the server a source subscriber unit identifier (SU ID) and signal strength information from the P25 message, determining by the server whether the SU ID is valid, and determining by the server whether the signal strength information exceeds a signal strength threshold included in the preset thresholds, determining whether the anomaly is the jamming of the RF communication within the P25 network comprises comparing by the server signal interference information from the collected data with a signal interference threshold included in the preset thresholds, and determining by the server whether there is increased interference based on the comparison, or determining whether the anomaly is the jamming of the voice communication within the P25 network comprises comparing by the server noise information from the collected data with a noise threshold included in the preset thresholds, and determining by the server whether the noise information exceeds the noise threshold, thereby reducing a signal to noise ratio (SNR), based on the comparison.
  • Patent References Cited: 10169119 January 2019 Snyder ; 2003/0228857 December 2003 Maeki ; 2017/0374573 December 2017 Kleinbeck ; 2018/0211179 July 2018 Dzierwa
  • Other References: Federal Partnership for Interoperable Communications (FPIC) Security Working Group et al., “Best Practices for Encryption in P25 Public Safety Land Mobile Radio Systems”, Sep. 2016, pp. 1-20. cited by applicant ; Public Safety Wireless Network (PSWN), “Digital Land Mobile Radio (DLMR) System Security Guidelines Recommendations”, Oct. 1998, 33 pp. total. cited by applicant ; Yeh, Hen-Geul et al., “Survey of Port Communication Equipment for Safety, Security, and Interoperability”, https://www.researchgate.net/publication/238094538, Oct. 29, 2014, pp. 1-23. cited by applicant
  • Primary Examiner: Idowu, Olugbenga O
  • Attorney, Agent or Firm: Womble Bond Dickinson (US) LLP
