Moving target defenses for data storage devices

US 10,552,607 B2
Filed: 08/03/2017
Issued: 02/04/2020
Est. Priority Date: 08/03/2017
Status: Active Grant

First Claim

Patent Images

1. A moving target defense system for at least one data storage device, comprising:

the at least one data storage device;

a host computer, comprising a storage communications protocol initiator, an advanced storage programming interface (ASPI), a moving target defense framework (MTDF), and an authorized application, wherein the ASPI selectively enables the MTDF and the authorized application to send read and/or write commands to the at least one data storage device, wherein the MTDF comprises an MTDF library that is utilized by the authorized application; and

a storage appliance, comprising a storage communications protocol target, a device plug-in module, and MTDF extensions, wherein the device plug-in module emulates the at least one data storage device and provides the emulation to the storage communications protocol initiator, wherein the MTDF extensions mirror the MTDF library,wherein, during a session initiated by a user of the host computer and based on at least one algorithm embodied in the MTDF library, the storage communications protocol target presents a plurality of logical unit numbers (LUNs) to the storage communications protocol initiator, wherein the plurality of LUNs comprises an active LUN assigned to the at least one storage device by a storage communications protocol and at least one dummy LUN, wherein the active LUN is known to the ASPI, the MTDF, and the authorized application,wherein, after the user-initiated session terminates and based on the at least one algorithm, at least one of the device plug-in module and MTDF extensions randomly changes the LUN assigned to the at least one data storage device by the storage communications protocol target.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for actively securing data storage devices utilize the technique of storage virtualization. In embodiments, would-be cyberattackers are presented with many possible “ports” or “channels” by which to communicate over a network with a data storage device. Unknown to the attacker, at any given time, only one of these ports or channels is the “correct,” or “active,” port; all of the other ports are dummies that do not permit communication with the storage device. The active port is dynamically, randomly, and/or continually reconfigured, seriously impeding the ability of the attacker to access the data storage device through the active port.

12 Citations

11 Claims

1. A moving target defense system for at least one data storage device, comprising:
- the at least one data storage device;
  
  a host computer, comprising a storage communications protocol initiator, an advanced storage programming interface (ASPI), a moving target defense framework (MTDF), and an authorized application, wherein the ASPI selectively enables the MTDF and the authorized application to send read and/or write commands to the at least one data storage device, wherein the MTDF comprises an MTDF library that is utilized by the authorized application; and
  
  a storage appliance, comprising a storage communications protocol target, a device plug-in module, and MTDF extensions, wherein the device plug-in module emulates the at least one data storage device and provides the emulation to the storage communications protocol initiator, wherein the MTDF extensions mirror the MTDF library,wherein, during a session initiated by a user of the host computer and based on at least one algorithm embodied in the MTDF library, the storage communications protocol target presents a plurality of logical unit numbers (LUNs) to the storage communications protocol initiator, wherein the plurality of LUNs comprises an active LUN assigned to the at least one storage device by a storage communications protocol and at least one dummy LUN, wherein the active LUN is known to the ASPI, the MTDF, and the authorized application,wherein, after the user-initiated session terminates and based on the at least one algorithm, at least one of the device plug-in module and MTDF extensions randomly changes the LUN assigned to the at least one data storage device by the storage communications protocol target.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The moving target defense system of claim 1, wherein the storage communications protocol is selected from the group consisting of ATA, SATA, eSATA, NVMe, NVMe-oF, SCSI, iSCSI, SAS, USB, USB 3.0, IEEE 1394, Fibre Channel, ATA over Ethernet (AoE), and HyperSCSI.
  - 3. The moving target defense system of claim 1, wherein the at least one data storage device is interconnected to the storage appliance in a direct-attached storage (DAS) arrangement.
  - 4. The moving target defense system of claim 3, wherein the storage communications protocol is an SCSI protocol.
  - 5. The moving target defense system of claim 1, wherein the at least one data storage device is interconnected to the storage appliance in a storage area network (SAN) arrangement.
  - 6. The moving target defense system of claim 5, wherein the storage communications protocol is selected from the group consisting of a Fibre Channel protocol and an iSCSI protocol.
  - 7. The moving target defense system of claim 1, wherein at least one of the device plug-in module and the MTDF extensions is configured to detect and log at least one attempt to access the at least one data storage device via a dummy LUN.
  - 8. The moving target defense system of claim 7, wherein, after the at least one attempt, the device plug-in module and the MTDF extensions allow further commands to be sent to the at least one data storage device from the host computer via the storage appliance.
  - 9. The moving target defense system of claim 7, wherein, after the at least one attempt, the device plug-in module and the MTDF extensions prevent further commands from being sent to the at least one data storage device from the host computer via the storage appliance.
  - 10. The moving target defense system of claim 1, wherein the system implements at least one additional data storage security technique.
  - 11. The moving target defense system of claim 10, wherein the at least one additional data storage security technique is selected from the group consisting of CHAP and IPsec.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NexiTech, Inc.
Original Assignee
NexiTech, Inc.
Inventors
Matthews, Donald E.
Primary Examiner(s)
Tabor, Amare F

Application Number

US15/668,127
Publication Number

US 20190042742A1
Time in Patent Office

915 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/556   involving covert channels, ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/78   to assure secure storage of...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/162   at the data link layer

H04L 63/18   using different networks or...

H04L 67/1097   for distributed storage of ...

Moving target defenses for data storage devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Moving target defenses for data storage devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links