REAL TIME ACTIVE NETWORK COMPARTMENTALIZATION

US 20070169196A1
Filed: 03/30/2007
Published: 07/19/2007
Est. Priority Date: 11/15/2000
Status: Abandoned Application

First Claim

Patent Images

1. A method of operating a digital communication network having a plurality of nodes which have a locally hierarchical relationship, comprising the steps of:

supplying identification information at a first node to a transmission received from the network even if a sender of the transmission is not identified;

tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information;

communicating the traffic log information to another node;

detecting a condition at the first node and communicating the condition to a trusted second node locally higher in said hierarchical relationship;

disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack; and

controlling a response at said first node in response to said information, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected, and wherein the hierarchical relationship of the plurality of nodes is hidden to users of the network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security policy manager devices are leveraged by manager objects to use highly secure user transparent communications to provide detection of questionable activities at every node, automatic collection of information related to any potential attack, isolation of the offending object with arbitrary flexibility of response (e.g. flexibly determining the level of certainty of an attack for initiation of a response in accordance with the number of nodes to be partitioned that is determined by the collected data concerning the potential attack), changing trust relationships between security domains, limiting the attack and launching offensive information warfare capabilities (e.g. outbound from the compromised node while limiting or eliminating inbound communications) in log time and simultaneously and/or concurrently in different but possibly overlapping sections or segments of a digital network of arbitrary configuration.

106 Citations

View as Search Results

20 Claims

1. A method of operating a digital communication network having a plurality of nodes which have a locally hierarchical relationship, comprising the steps of:
- supplying identification information at a first node to a transmission received from the network even if a sender of the transmission is not identified;
  
  tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information;
  
  communicating the traffic log information to another node;
  
  detecting a condition at the first node and communicating the condition to a trusted second node locally higher in said hierarchical relationship;
  
  disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack; and
  
  controlling a response at said first node in response to said information, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected, and wherein the hierarchical relationship of the plurality of nodes is hidden to users of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein said communicating of the traffic log and the condition is performed over said digital communication network separately from user data communications.
  - 3. A method as recited in claim 1, wherein said communicating and said controlling step are performed by user transparent communications over said digital network.
  - 4. A method as recited in claim 1, wherein said communicating and said controlling step are performed at bit rates of at least 10 Gbps.
  - 5. A method as recited in claim 2, wherein said communicating and said controlling step are performed preferentially to said user data communications.
  - 6. A method as recited in claim 1, wherein said controlling step establishes a virtual private network.
  - 7. A method as recited in claim 1, wherein said controlling step implements at least one of a mandatory access control policy and a discretionary access control policy.
  - 8. A method as recited in claim 1, wherein said communicating establishes a trust level for a node of said digital network.
  - 9. A method as recited in claim 1, wherein said communicating establishes a secure session between contiguous nodes of said digital network.
  - 10. A method as recited in claim 1, including the further step of detecting a foreign security policy manager connection.

11. A system comprising:
- a plurality of nodes arranged to form a hierarchical tiered network;
  
  wherein each said node is associated with an assigned tier and is connected, by two or more redundant communication links, to another node assigned to an adjacent tier; and
  
  wherein each said node further comprises a manager object configured to control a response to a communications service attack at another node when said node is not under attack and in response to a signal received from said another node assigned to a higher network tier.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, in which said node comprises a trusted node and wherein said manager object is configured to establish a plurality of secure sessions, each said secure session providing an alternative communication path, using said two or more redundant communication links.
  - 13. The system of claim 12, in which said manager object establishes at least one of said plurality of secure sessions in less than or equal to 20 milliseconds per tier.
  - 14. The system of claim 13, in which said response throughout said tiered hierarchical network to a communications service attack is accomplished within a fixed multiple of the logarithm of the number of said plurality of nodes secured.
  - 15. The system of claim 11, further comprising a plurality of trusted network devices and a plurality of compromised network devices, said compromised network devices constituting untrusted network devices.
  - 16. The system of claim 11, wherein said hierarchical tiered network has a pyramidal organization.
  - 17. The system of claim 15, wherein said each said trusted network device is assigned one of a plurality of levels of trust, and wherein said manager object is configured to notify each said trusted network device of a change in said level of trust associated with any other said trusted network device, wherein said change indicates a potentially compromised network device.
  - 18. The system of claim 11, in which the communications service attack is a hijacked session.
  - 19. The system of claim 11, wherein a hierarchically highest tier of the hierarchical tiered network consists of a single node.

20. A computer readable medium upon which is embodied a sequence of programmable instructions which, when executed by a processor, cause the processor to perform operations comprising:
- assigning each of a plurality of nodes of a hierarchical tiered network to a tier of said hierarchical tiered network;
  
  connecting, using two or more redundant communication links, each said node to at least one other of said nodes assigned to an adjacent tier of said hierarchical tiered network;
  
  outputting a signal from a first node assigned to a first tier to a second node assigned to a second tier, said second tier having a higher hierarchical relationship in said hierarchical tiered network with respect to said first tier; and
  
  controlling, at said second node, a response to a communications service attack occurring at a third node assigned to said second tier;
  
  wherein said first and second nodes are not experiencing a communications service attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Dapp, Michael

Application Number

US11/694,415
Publication Number

US 20070169196A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/1482   by means of middleware or O...

H04L 63/0272   Virtual private networks

H04L 63/1458   Denial of Service

REAL TIME ACTIVE NETWORK COMPARTMENTALIZATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REAL TIME ACTIVE NETWORK COMPARTMENTALIZATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links