Secure Layered Iterative Gateway

US 20130298219A1
Filed: 05/02/2012
Published: 11/07/2013
Est. Priority Date: 05/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method for intercepting and blocking cyber activity between computers via an intermediary distributed device, the method comprising:

a) activating, by a physical machine resource manager of the intermediary distributed device, one of at least two gateway components of the intermediary distributed device;

b) communicatively coupling a first network node and a second network node via the activated gateway component to allow data to be bi-directionally transmitted between the first and second network nodes for a finite time period;

c) de-activating, by the physical machine resource manager, the activated gateway component at the termination of the finite time period;

d) analyzing data obtained by the activated gateway component during the finite time period by an attestation server to determine if cyber activity has occurred;

e) rebooting the activated gateway component; and

f) repeating steps (a)-(e) utilizing another one of the at least two gateway components not previously selected in the most recent finite time period.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In methods and a device for mitigating against cyber-attack on a network, a distributed intermediary device is placed into a network between computers or network nodes of the network to mitigate cyber-attacks between the computers or nodes of a network from remote systems. Threats are assessed by utilizing internal information assurance mechanisms of the device to detect such cyber-attacks without requiring external modification of the software and/or hardware of the computers or nodes of the network to be protected. The device prevents attacks at the platform level against the OS and network resources.

16 Citations

View as Search Results

18 Claims

1. A method for intercepting and blocking cyber activity between computers via an intermediary distributed device, the method comprising:
- a) activating, by a physical machine resource manager of the intermediary distributed device, one of at least two gateway components of the intermediary distributed device;
  
  b) communicatively coupling a first network node and a second network node via the activated gateway component to allow data to be bi-directionally transmitted between the first and second network nodes for a finite time period;
  
  c) de-activating, by the physical machine resource manager, the activated gateway component at the termination of the finite time period;
  
  d) analyzing data obtained by the activated gateway component during the finite time period by an attestation server to determine if cyber activity has occurred;
  
  e) rebooting the activated gateway component; and
  
  f) repeating steps (a)-(e) utilizing another one of the at least two gateway components not previously selected in the most recent finite time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the activating step (a) further comprises:
    - i) identifying, at the physical machine resource manager, all available gateway components from among the at least two gateway components;
      
      ii) selecting, at the physical machine resource manager, one of the available gateway components for activation.
  - 3. The method of claim 2, wherein the identifying step further comprises:
    - sending initialization parameters from the physical machine resource manager to the identified active gateway component.
  - 4. The method of claim 3, whereby the initialization parameters comprise at least one of:
    - an identifier of an allowed port on the identified active gateway component, one or more temporal filtering parameters, packet size constraints, and a gateway state.
  - 5. The method of claim 2, further comprising performing an initialization procedure prior to said identifying step, at the physical machine resource manager, by all available gateway components, said initialization procedure comprising:
    - i) verifying control connections to a first data bus coupled to a first networkii) node and to a second data bus coupled to the second network node,iii) performing at least one static measurement, by the at least two gateway components upon boot up to ensure that the at least two gateway components are in a known good state, andiv) verifying the at least one static measurement by the attestation server component.
  - 6. The method of claim 1, further comprising, prior to said activating step:
    - performing a self-boot procedure by the at least two gateway components;
      
      creating a static measurement by the at least two gateway components;
      
      sending the static measurements of the at least two gateway components to the attestation serverstoring the static measurements at the attestation server.
  - 7. The method of claim 6, wherein the analyzing step further comprises:
    - measuring, by the deactivated gateway component, the state of the de-activated gateway component to generate a dynamic run-time measurement of the state of the de-activated gateway component;
      
      sending the dynamic run-time measurement to the attestation server;
      
      comparing the previously stored static measurement with the dynamic run-time measurement for the de-activated gateway server to determine if cyber activity has occurred during the finite time period.
  - 8. The method of claim 4, wherein the comparison further comprises:
    - determining that both the static and dynamic run-time measurements are available for comparison; and
      
      comparing the static and dynamic run-time measurements to insure that the inertial message pointers point to valid areas of activity.
  - 9. The method of claim 1, wherein the network is one of an internet protocol (IP)network, aserial interface, a non-internet protocol (IP) network, and a spanning tree.
  - 10. The method of claim 1, further comprising recording, at the intermediary distributed device, the occurrence of any cyber activity which occurred during the finite time period.
  - 11. The method of claim 1, further comprising alerting an operator to the occurrence of cyber activity in accordance with determine if cyber activity has occurred during the finite time period;
  - 12. The method of claim 1, wherein the finite time period is from approximately 1 second to approximately 5 seconds.

13. A method for intercepting and blocking cyber activity between network nodes of a network via an intermediary distributed device, the method comprising:
- a) activating, by a physical machine resource manager of the intermediary distributed device, one of at least two gateway components of the intermediary distributed device;
  
  b) communicatively coupling a first network node and a second network node via the activated gateway component to allow data to be bi-directionally transmitted between the first and second network nodes for a finite time period;
  
  c) de-activating, by the physical machine resource manager, the activated gateway component at the termination of the finite time period;
  
  d) analyzing data obtained by the activated gateway component during the finite time period by an attestation server to determine if cyber activity has occurred;
  
  e) rebooting the activated gateway component; and
  
  f) repeating steps (a)-(e) utilizing another one of the at least two gateway components not previously selected in the most recent finite time period.

14. A system for intercepting and blocking cyber activity between one of computers and network nodes of a network via an intermediary distributed device, the system comprising:
- a secure layered iterative gateway device (SLIG) comprising;
  
  at least two or more gateway components configured toi) Provide packet routing access across the intermediary distributed device between said computers or network nodes,ii) Use internal sensors to determine if changes have occurred to the operating system, system memory or firmware associated with network interface cards, hard drives and video cards of the at least two or more gateway devices,iii) Produce a hash of the state of the at least two or more gateway devices upon deactivation of the at least two or more gateway devices,an attestation sever configured to;
  
  i) receive messages from each of the at least two or more gateway components at the beginning of each boot cycle,ii) examine the hashes produced by the at least two or more gateway devices upon de-activation,a physical machine resource manager configured to;
  
  i) open the intermediary network device to network traffic,ii) control traffic flow from one gateway network device to a next gateway network device,iii) continuously monitor network connections to determine when the gateway devices are available to be opened.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the physical machine resource manager is further configured to monitor the state of network connections for power.
  - 16. The system of claim 14, wherein the resource manage is further configured to recognize an active port for the at least two gateway components.
  - 17. The system of claim 14, wherein the physical machine resource manager is further configured to receive from the at least two gateway components initialization parameters that include allowed port protocols and any temporal filtering parameters, packet size constraints and gateway state.
  - 18. The system of claim 14, wherein the physical machine resource manager is further configured to send a set of initialization parameters to a gateway computer component whose state is recognized by the resource manager as being active.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Johns Hopkins University
Original Assignee
Johns Hopkins University
Inventors
Byrkit, Mark E., Murray, Francis W.

Granted Patent

US 8,973,138 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/567   using dedicated hardware

G06F 21/57   Certifying or maintaining t...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 65/102   Gateways arrangements for c...

Secure Layered Iterative Gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Secure Layered Iterative Gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others