SIDE CHANNEL ATTACK DETERRENCE IN NETWORKS

US 20160156561A1
Filed: 12/02/2014
Published: 06/02/2016
Est. Priority Date: 12/02/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one processing unit;

at least one non-transitory computer readable medium, the at least one non-transitory computer readable medium encoded with instructions comprising instructions for causing the at least one processing unit to;

receive a plurality of incoming packets configured for routing by a network;

aggregate at least some of the packets of the incoming packets into groups; and

wrap the groups into packages of a normalized size for distribution to destinations within the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to technologies to deter side channel data center attacks. An example method may include receiving an incoming packets destined for a network, grouping, at a gateway, the incoming packets into groups, wherein a size of the groups is based on predetermined statistics, and wrapping the groups into packages of normalized size.

7 Citations

View as Search Results

27 Claims

1. An apparatus comprising:
- at least one processing unit;
  
  at least one non-transitory computer readable medium, the at least one non-transitory computer readable medium encoded with instructions comprising instructions for causing the at least one processing unit to;
  
  receive a plurality of incoming packets configured for routing by a network;
  
  aggregate at least some of the packets of the incoming packets into groups; and
  
  wrap the groups into packages of a normalized size for distribution to destinations within the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the normalized size is determined in accordance with predetermined statistics.
  - 3. The apparatus of claim 2, wherein the predetermined statistics are adjusted based on a busyness of the network.
  - 4. The apparatus of claim 2, wherein the statistics vary over time.
  - 5. The apparatus of claim 4, wherein the statistics are configured to change a distribution of the normalized size of the groups.
  - 6. The apparatus of claim 5, wherein the distribution of the normalized size has a Gaussian profile.
  - 7. The apparatus of claim 3, wherein the predetermined statistics are adjusted from within a data center that hosts the network.
  - 8. The apparatus of claim 2, wherein the predetermined statistics are selected to increase entropy in packet flow to the network.
  - 9. The apparatus of claim 1, wherein the one or more packets further comprise one or more of multiple packets, split packets, single packets, redundant data, or false data.
  - 10. The apparatus of claim 1, wherein observable traffic on the network comprises a normalized distribution of wrapped packets of the normalized size.
  - 11. The apparatus of claim 1, wherein the network comprises a software defined network.

12. A method comprising:
- receiving a plurality of incoming packets destined for a network;
  
  grouping, at a gateway, the plurality of incoming packets into groups, wherein a size of the groups is based on predetermined statistics; and
  
  wrapping the groups into packages of normalized size.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein the normalized size is selected to obscure packet size information.
  - 14. The method of claim 12, wherein the normalized size varies over time.
  - 15. The method of claim 12, wherein the groups include multiple packets, split packets, single packets, false data, or combinations thereof.
  - 16. The method of claim 12, wherein the normalized size is selected in accordance with a Gaussian distribution.
  - 17. The method of claim 12, wherein individual packets in each of the groups are destined for a same destination.
  - 18. The method of claim 12, wherein the network comprises a software defined network.

19. An apparatus comprising:
- at least one processing unit;
  
  at least one non-transitory computer readable medium encoded with executable instructions comprising instructions for the at least one processing unit to;
  
  unwrap one or more wrapped packages received at a virtual machine in a network,wherein the wrapped packages are distributed in a normalized distribution and comprise an aggregation of one or more packets.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19 wherein the apparatus includes a virtual router associated with a hypervisor.
  - 21. The apparatus of claim 20 wherein the virtual router is one of an authentication server and a transaction server.
  - 22. The apparatus of claim 20 wherein the wrapped packages further comprise one or more of multiple packets, split packets, single packets, or false data.

23. A method to deter attack in a network, the method comprising:
- selecting a distribution of normalized sizes for distribution in the network;
  
  receiving incoming packets at a gateway of the network;
  
  grouping, at the gateway, the packets into groups of packets for a same destination, wherein the groups of packets are sized in accordance with the normalized sizes;
  
  wrapping, at the gateway, the groups of packets into packages for transport to respective destinations.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, wherein the distribution of normalized sizes comprises a normalized distribution.
  - 25. The method of claim 23, further comprising varying the distribution of normalized sizes in accordance with a busyness of the network.
  - 26. The method of claim 23, further comprising selecting the distribution of normalized sizes at a data center associated with the network.
  - 27. The method of claim 23, wherein the network comprises a software defined network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Original Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Inventors
Kruglick, Ezekiel

Granted Patent

US 9,961,104 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/20 for managing network securi...

SIDE CHANNEL ATTACK DETERRENCE IN NETWORKS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SIDE CHANNEL ATTACK DETERRENCE IN NETWORKS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links