| CPC H04L 63/1425 (2013.01) [H04L 63/20 (2013.01)] | 16 Claims |

|
1. A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities and a security analyser, wherein the method comprises the steps of:
receiving at the security analyser a network communication from a first network entity;
identifying the first network entity;
by means of the security analyser:
analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication;
in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity; and
commencing with the preceding network entity, iteratively communicating an instruction to a preceding network entity to respond with origin information for identifying another preceding network entity from which the anomalous communication was directly received until a source network entity from which the anomalous communication originated is identified; and
applying a security policy to the identified source network entity; and
generating the security policy in dependence on a signature of the anomalous communication that is generated in dependence on each origin information;
wherein communicating each instruction is performed in response to determining that only an incomplete signature of the anomalous communication can be generated.
|
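The hop-by-hop traceback recited in claim 1, modelled as an added Python example that is not taken from the patent. The entity names, the `ORIGINATED` marker, the hop-list form of the signature and the `blocked` table standing in for the security policy are assumptions made for illustration; the network and flows are constructed.

```python
from dataclasses import dataclass, field

ORIGINATED = "<originated-here>"   # constructed marker: entity created the flow itself

@dataclass
class Entity:
    name: str
    # flow_id -> name of the entity the flow was directly received from
    received_from: dict = field(default_factory=dict)

    def origin_info(self, flow_id):
        """Answer the analyser's instruction; None means no record of the flow."""
        return self.received_from.get(flow_id)

class SecurityAnalyser:
    def __init__(self, entities, max_hops=16):
        self.entities = {e.name: e for e in entities}
        self.max_hops = max_hops
        self.blocked = {}          # source name -> signature the policy was built from

    def trace(self, first_entity, flow_id):
        """Walk back hop by hop. Returns (source or None, signature as hop tuple)."""
        path = [first_entity]
        while len(path) <= self.max_hops:
            # The signature is incomplete while the oldest known hop has not
            # been confirmed as the originator, so instruct that hop to report.
            prev = self.entities[path[-1]].origin_info(flow_id)
            if prev == ORIGINATED:
                return path[-1], tuple(reversed(path))
            if prev is None or prev not in self.entities or prev in path:
                break              # no record, unknown entity, or a loop
            path.append(prev)
        return None, tuple(reversed(path))

    def handle_anomaly(self, first_entity, flow_id):
        source, signature = self.trace(first_entity, flow_id)
        if source is not None:     # policy is applied only to an identified source
            self.blocked[source] = signature
        return source, signature

def build_demo():
    """Constructed four-node network: ue7 -> cell2 -> core1 -> gw0."""
    ents = [
        Entity("gw0", {"f1": "core1", "f2": "core1"}),
        Entity("core1", {"f1": "cell2", "f2": "cell2"}),
        Entity("cell2", {"f1": "ue7", "f2": "core1"}),   # f2: reports a loop
        Entity("ue7", {"f1": ORIGINATED}),
    ]
    return SecurityAnalyser(ents)
```

Flow `f2` shows the failure case: an entity reports a predecessor already on the path, so the trace stops with a partial signature and no policy is applied.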