Self-shielding dynamic network architecture

US 10,447,710 B1
Filed: 06/03/2015
Issued: 10/15/2019
Est. Priority Date: 06/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for self-shielding a dynamic network architecture system for preventing or reducing the impact of attacks thereon including the steps of:

modifying the manner in which network requests are performed using a process that makes re-routing invisible to a host machine, including assigning a customer non routable Internet Protocol for each user, at each session on each operating dynamic network architecture system;

automatically conveying identify across the dynamic network architecture system to determine an appropriate policy;

uniquely identifying a user and limiting an amount of network information the user is entitled to see;

enforcing devise and user specific policy based on ports, protocols, and destinations;

automatically encapsulating and de-encapsulating traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system; and

automatically translating traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A shielding is provided to prevent attacks on network architecture or reduce the impact thereof. The system reconfigures the network differently for each user, operating system, and host and the configuration changes as time passes. The system can use dynamic redirection to create a reconfigurable network, and include intermediary nodes to dynamically reconfigure the network infrastructure for all traffic.

Citations

17 Claims

1. A method for self-shielding a dynamic network architecture system for preventing or reducing the impact of attacks thereon including the steps of:
- modifying the manner in which network requests are performed using a process that makes re-routing invisible to a host machine, including assigning a customer non routable Internet Protocol for each user, at each session on each operating dynamic network architecture system;
  
  automatically conveying identify across the dynamic network architecture system to determine an appropriate policy;
  
  uniquely identifying a user and limiting an amount of network information the user is entitled to see;
  
  enforcing devise and user specific policy based on ports, protocols, and destinations;
  
  automatically encapsulating and de-encapsulating traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system; and
  
  automatically translating traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method for self-shielding the dynamic network architecture system as set forth in claim 1, further including the step of using virtual addresses as exposed targets.
  - 3. The method for self-shielding the dynamic network architecture system as set forth in claim 2, including the step of converting the virtual addresses to real Internet Protocol addresses with processing nodes.
  - 4. The method for self-shielding the dynamic network architecture system as set forth in claim 3, wherein the processing nodes cannot be logged into or accessed by attackers and are transparent for real users.
  - 5. The method for self-shielding the dynamic network architecture system as set forth in claim 4, including the step of controlling the processing nodes through a secure protocol in a control center of the dynamic network architecture system.
  - 6. The method for self-shielding the dynamic network architecture system as set forth in claim 5, wherein packets sent by an attacker which do not correctly follow network dynamics stand out as unauthorized and allow intermediate blocking or alert generation.
  - 7. The method for self-shielding the dynamic network architecture system as set forth in claim 6, wherein the dynamic network architecture system uses the ports and internet protocols in a redirection process guided by a hypervisor in the processing nodes.
  - 8. The method for self-shielding the dynamic network architecture system as set forth in claim 7, wherein the dynamic network architecture system uses cryptographically imbedded states for network redirection inside larger Internet Protocol addresses.

9. A self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon including:
- a dynamic network architecture system, and a host machine, the dynamic network architecture system configured to modify the manner in which network requests are performed using a process that makes re-routing invisible to the host machine, including assigning a custom non routable Internet Protocol for each user, at each session on each operating dynamic network architecture system, the dynamic network architecture system further configured to automatically convey identity to determine an appropriate policy and uniquely identifies a user and limits an amount of network information the user is entitled to see, and enforce device and user specific policy based on ports, protocols, and destinations; and
  
  the dynamic network architecture system further configured to automatically encapsulate and de-encapsulate traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 9 wherein, the dynamic network architecture system uses virtual addresses as exposed targets.
  - 11. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 10 wherein, the dynamic network architecture system converts the virtual addresses to real Internet Protocol addresses using processing nodes.
  - 12. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 11 wherein, the processing nodes cannot be logged into or accessed by attackers and are transparent for real users.
  - 13. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 12 including, a control center of the dynamic network architecture system, the control center controlling the processing nodes through a secure protocol.
  - 14. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 13 wherein, packets sent by an attacker which do not correctly follow network dynamics stand out as unauthorized and allow intermediate blocking or alert generation.
  - 15. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 14 wherein, the dynamic network architecture system uses the ports and internet protocols in a redirection process guided by a hypervisor in the processing nodes.
  - 16. The self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon as set forth in claim 15 wherein, the dynamic network architecture system uses cryptographically imbedded states for network redirection inside larger Internet Protocol addresses.

17. A self-shielding dynamic network architecture system enclave for preventing or reducing the impact of attacks thereon including:
- a dynamic network architecture system, and a host machine, the dynamic network architecture system configured to modify the manner in which a network requests are performed using a process that makes re-routing invisible to the host machine, including assigning a custom non routable Internet Protocol for each user, at each session on each operating dynamic network architecture system, the dynamic network architecture system further configured to automatically convey identity to determine an appropriate policy and uniquely identifies a user and limits an amount of network information the user is entitled to see, and enforce device and user specific policy based on ports, protocols, and destinations; and
  
  the dynamic network architecture system further configured to automatically translate traffic as needed to support communication with non-protected systems and/or protocols not native to the dynamic network architecture system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bluehalo Labs LLC
Original Assignee
Cryptonite, LLC
Inventors
Li, Jason, Yackoski, Justin, Kambach, Brian, Levy, Renato, Evancich, Nicholas
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/729,521
Time in Patent Office

1,595 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/659   Internet protocol version 6...

H04L 2101/668   Internet protocol [IP] addr...

H04L 61/2514   between local and global IP...

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0209   Architectural arrangements,...

H04L 63/0281   Proxies

H04L 63/0407   wherein the identity of one...

H04L 63/0876   based on the identity of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Self-shielding dynamic network architecture

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Self-shielding dynamic network architecture

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links