MULTI-LEVEL SECURITY SYSTEMS

US 20070277034A1
Filed: 08/01/2002
Published: 11/29/2007
Est. Priority Date: 08/01/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing multi-level security systems, comprising steps of:

defining, for each of a plurality of different security classifications to be used by a first multi-level security (“

MLS”

) system when sending outbound packets to a second MLS system, a unique source address; and

for each of the outbound packets sent from the first MLS system to the second MLS system, performing steps of;

determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;

locating, by the first MLS system, the unique source address defined for the determined particular one;

replacing, the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and

sending, by the first MLS system responsive to the replacing step, the outbound packet to the second MLS system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for improving multi-level security (“MLS”) in computing systems. Communication between MLS systems in the prior art requires explicitly tagging each packet with its security classification. The packet tags comprise variable-length bit patterns inserted into packet headers. This results in a number of drawbacks, including increased path length and code complexity, as well as reduced interoperability. An MLS system according to the present invention simulates a cluster or collection of single-level security systems, and thereby avoids packet tagging. For each security classification used by an MLS system, a distinct source address is defined. This source address is used for outbound packets having that security classification, such that the packet'"'"'s source address implicitly identifies the packet'"'"'s security classification.

27 Citations

View as Search Results

21 Claims

1. A computer-implemented method of providing multi-level security systems, comprising steps of:
- defining, for each of a plurality of different security classifications to be used by a first multi-level security (“
  
  MLS”
  
  ) system when sending outbound packets to a second MLS system, a unique source address; and
  
  for each of the outbound packets sent from the first MLS system to the second MLS system, performing steps of;
  
  determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
  
  locating, by the first MLS system, the unique source address defined for the determined particular one;
  
  replacing, the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and
  
  sending, by the first MLS system responsive to the replacing step, the outbound packet to the second MLS system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein the unique source address used for one of the security classifications is identical to a network address of the first MLS system.
  - 3. The method according to claim 1, wherein the unique source addresses are Internet Protocol (“
    - IP”
      
      ) addresses.
  - 4. The method according to claim 1, wherein the security classifications classify data and/or access rights.
  - 5. The method according to claim 4, wherein the security classifications follow a hierarchical classification structure.
  - 6. The method according to claim 1, wherein the security classifications comprise a security level and a category.

7-11. -11. (canceled)

12. A system for providing multi-level security systems, comprising:
- a unique source address defined for each of a plurality of different security classifications to be used by a first multi-level security (“
  
  MLS”
  
  ) system when sending outbound packets to a second MLS system; and
  
  means for processing each of the outbound packets sent from the first MLS system to the second MLS system, further comprising;
  
  means for determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
  
  means for locating, by the first MLS system, the unique source address defined for the determined particular one;
  
  means for replacing, by the first MLS system, a source address in a packet header of the outbound packet with the located unique source address classification that applies to the outbound packet through the source address in the packet header; and
  
  means for sending, by the first MLS system responsive to operation of the means for replacing, the outbound packet to the second MLS system.
- View Dependent Claims (13, 14)
- - 13. The system according to claim 12, wherein the different source addresses are Internet Protocol (“
    - IP”
      
      ) addresses.
  - 14. The system according to claim 12, wherein the security classifications comprise a security level and one or more categories.

15-16. -16. (canceled)

17. A computer program product for providing multi-level security systems, the computer program product embodied on one or more computer-usable storage media and comprising computer-usable program code for:
- defining, for each of a plurality of different security classifications to be used by a first multi-level security (“
  
  MLS”
  
  ) system when sending outbound packets to a second MLS system, a unique source address; and
  
  processing each of the outbound packets sent from the first MLS system to the second MLS system, further comprising;
  
  determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
  
  locating, by the first MLS system, the unique source address defined for the determined particular one;
  
  the outbound packet through the source address in the packet header; and
  
  replacing, by the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and
  
  sending, by the first MLS system responsive to the replacing, the outbound packet to the second MLS system.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product according to claim 17, wherein the unique source addresses are Internet Protocol (“
    - IP”
      
      ) addresses.
  - 19. The computer program product according to claim 17, wherein the security classifications comprise a security level and a category.
  - 20. The computer program product according to claim 17, wherein the security classifications comprise a security level and one or more categories.

21-23. -23. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
LiVecchi, Patrick

Granted Patent

US 7,356,695 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

H04L 63/105 Multiple levels of security

MULTI-LEVEL SECURITY SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-LEVEL SECURITY SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links