Moving target defenses for data storage devices
First Claim
1. A moving target defense system for at least one data storage device, comprising:
- the at least one data storage device;
- a host computer, comprising a storage communications protocol initiator, an advanced storage programming interface (ASPI), a moving target defense framework (MTDF), and an authorized application, wherein the ASPI selectively enables the MTDF and the authorized application to send read and/or write commands to the at least one data storage device, wherein the MTDF comprises an MTDF library that is utilized by the authorized application; and
- a storage appliance, comprising a storage communications protocol target, a device plug-in module, and MTDF extensions, wherein the device plug-in module emulates the at least one data storage device and provides the emulation to the storage communications protocol initiator, wherein the MTDF extensions mirror the MTDF library, wherein, during a session initiated by a user of the host computer and based on at least one algorithm embodied in the MTDF library, the storage communications protocol target presents a plurality of logical unit numbers (LUNs) to the storage communications protocol initiator, wherein the plurality of LUNs comprises an active LUN assigned to the at least one storage device by a storage communications protocol and at least one dummy LUN, wherein the active LUN is known to the ASPI, the MTDF, and the authorized application, wherein, after the user-initiated session terminates and based on the at least one algorithm, at least one of the device plug-in module and MTDF extensions randomly changes the LUN assigned to the at least one data storage device by the storage communications protocol target.
1 Assignment
0 Petitions
Abstract
Systems and methods for actively securing data storage devices utilize the technique of storage virtualization. In embodiments, would-be cyberattackers are presented with many possible “ports” or “channels” by which to communicate over a network with a data storage device. Unknown to the attacker, at any given time, only one of these ports or channels is the “correct,” or “active,” port; all of the other ports are dummies that do not permit communication with the storage device. The active port is dynamically, randomly, and/or continually reconfigured, seriously impeding the ability of the attacker to access the data storage device through the active port.
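To make the abstract's mechanism concrete, here is an added toy model of the LUN-rotation defense. It is not code from the patent or its assignee. The LUN count, the shared secret, the emulated device contents and the selection algorithm are all constructed for the example: the claim only says the active LUN is chosen "based on at least one algorithm embodied in the MTDF library" and mirrored by the appliance-side MTDF extensions, so the model uses an HMAC keyed on a secret shared by both sides, which lets the host and the appliance agree on the active LUN for each session without ever transmitting it. The appliance logs every read that lands on a dummy LUN, since a client that holds the library never touches one; that audit trail is an addition here, not something the page states.

```python
"""Added example (not from the patent): toy model of the LUN-rotation moving target defense.
Assumptions: LUN count, HMAC-based selection and the shared secret are constructed here."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

LUN_COUNT = 16  # assumed: LUNs presented by the target (1 active + 15 dummies)


def active_lun_for_session(shared_secret: bytes, session_id: int,
                           lun_count: int = LUN_COUNT) -> int:
    """Active LUN for a session, derived from a secret shared by the host's MTDF library
    and the appliance's MTDF extensions (assumed algorithm). Keyed derivation means both
    sides agree without the active LUN ever crossing the network."""
    mac = hmac.new(shared_secret, session_id.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % lun_count


@dataclass
class StorageAppliance:
    """Protocol target + device plug-in + MTDF extensions, all simulated."""
    shared_secret: bytes
    device_data: bytes                 # contents of the emulated device (constructed)
    lun_count: int = LUN_COUNT
    session_id: int = 0
    dummy_hits: list = field(default_factory=list)  # audit trail: (session, lun) of dummy I/O

    def report_luns(self) -> list:
        """What any initiator sees: every LUN looks equally plausible."""
        return list(range(self.lun_count))

    def read(self, lun: int, offset: int, length: int):
        """Only the active LUN reaches the device; dummies return nothing and are logged."""
        if lun == active_lun_for_session(self.shared_secret, self.session_id, self.lun_count):
            return self.device_data[offset:offset + length]
        self.dummy_hits.append((self.session_id, lun))
        return None

    def end_session(self) -> int:
        """After the user's session terminates, the LUN assigned to the device changes."""
        self.session_id += 1
        return active_lun_for_session(self.shared_secret, self.session_id, self.lun_count)


@dataclass
class AuthorizedHost:
    """Authorized application using the MTDF library; shares the secret and session counter."""
    shared_secret: bytes
    session_id: int = 0

    def read(self, appliance: StorageAppliance, offset: int, length: int):
        lun = active_lun_for_session(self.shared_secret, self.session_id, appliance.lun_count)
        return appliance.read(lun, offset, length)

    def end_session(self, appliance: StorageAppliance) -> None:
        appliance.end_session()
        self.session_id += 1


def unauthorized_read(appliance: StorageAppliance, offset: int, length: int):
    """A client without the MTDF library can only pick a LUN at random: each guess succeeds
    with probability 1/lun_count, and every miss lands in the appliance's audit trail."""
    lun = secrets.randbelow(appliance.lun_count)
    return appliance.read(lun, offset, length)


def rotation_demo(sessions: int = 64) -> dict:
    """Run several sessions; report whether the authorized host always read the device,
    how many distinct active LUNs were used, and how many dummy accesses were logged."""
    secret = b"constructed-demo-secret"  # constructed value for the example
    appliance = StorageAppliance(secret, device_data=b"sector-0-payload")
    host = AuthorizedHost(secret)
    reads, active_luns = [], set()
    for _ in range(sessions):
        active_luns.add(active_lun_for_session(secret, host.session_id))
        reads.append(host.read(appliance, 0, 8))
        host.end_session(appliance)
    return {"authorized_reads_ok": all(r == b"sector-0" for r in reads),
            "distinct_active_luns": len(active_luns),
            "dummy_hits_logged": len(appliance.dummy_hits)}


if __name__ == "__main__":
    print(rotation_demo())
```

The point the model makes: the authorized host reads successfully in every session without ever learning the LUN from the appliance, the active LUN moves between sessions, and the only way for an unauthorized client to produce a dummy access is to guess, so any entry in `dummy_hits` is a high-confidence signal worth alerting on.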
12 Citations
11 Claims