Adaptive data security system and method

US 6,108,583 A
Filed: 10/28/1998
Issued: 08/22/2000
Est. Priority Date: 10/28/1997
Status: Expired due to Term

First Claim

Patent Images

1. A send host employing adaptive security, comprising:

a processor coupled to a data bus;

a memory coupled to the data bus;

an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;

an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and

adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature, the actual security configuration being based upon a number of available security operations in the receive host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for data communication with adaptive security in which a send host transmits a data stream to a receive host in packets which contain an authentication data block with an authentication header and a signature block. The authentication header advantageously contains various fields including a verification type, a security algorithm, a minimum security level, a target security level, and an actual security level. The receive host adaptively performs verification of the data packets using varying security levels based in part on the availability of security operations per second (SOPS) in the receive host. Where a data stream in the receive host is delayed by a security processing bottleneck, the receive host may alter the verification type, security algorithm, or the actual security level to speed up the processing of the data stream by reducing the amount of security processing performed. The receive host further allocates the SOPS among the data streams received based on a priority assigned to each data stream.

134 Citations

34 Claims

1. A send host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus;
  
  an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;
  
  an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature, the actual security configuration being based upon a number of available security operations in the receive host.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The send host of claim 1, wherein the desired security configuration is displayed on the output device.
  - 3. The send host of claim 1, wherein the actual security configuration is displayed on the output device.
  - 4. The send host of claim 1, wherein the minimum verification level in the authentication header indicates a minimum percentage of the data packets that are decrypted.
  - 5. The send host of claim 1, wherein the minimum verification level in the authentication header indicates a minimum percentage of the data packets that are authenticated to verify a source of the data packets.

6. A send host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus;
  
  an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;
  
  an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including;
  
  logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature; and
  
  security thermostat logic to control an actual security level, the actual security level being included in the authentication header.

7. A send host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus;
  
  an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;
  
  an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including;
  
  logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature; and
  
  logic to place a minimum security level in the authentication header.

8. A send host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus;
  
  an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;
  
  an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security confirmation and a signature, wherein the desired security configuration comprises a desired verification type, a minimum security level, a target security level, a security algorithm, and an actual security level.

9. A receive host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus;
  
  a data communications interface coupled to the data bus, the data communications interface being configured to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature; and
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including logic including;
  
  logic to decompose the authentication header in the data packets;
  
  logic to perform a variable percentage verification on the data packets from the data stream; and
  
  logic to determine an actual verification percentage performed based on a number of available security operations in the receive host, a minimum security level, and a target security level, the minimum security level and the target security level being contained in the authentication header.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The receive host of claim 9, wherein the logic to determine an actual security level further comprises logic to determine the number of available security operations by examining the at least one data stream received by the data communications interface for a non-critical processor time usage.
  - 11. The receive host of claim 9, wherein the adaptive security logic further comprises:
    - logic to perform a delayed verification on a bundle of data packets from the data stream; and
      
      logic to enable one of the delayed verification and the variable percentage verification based on a verification type field contained in the authentication header and on the number of available security operations in the receive host.
  - 12. The receive host of claim 9, wherein the adaptive security logic further comprises logic to maintain a resource tracking table which indicates the number of security operations required to accomplish the minimum security level, the target security level, and the actual security level, as well as a priority level of the at least one data stream.
  - 13. The receive host of claim 9, wherein the logic to perform a variable percentage verification on the data packets from the data stream further comprise logic to decrypt a variable percentage of the data packets.
  - 14. The receive host of claim 9, wherein the logic to perform a variable percentage verification on the data packets from the data stream further comprise logic to authenticate a variable percentage of the data packets.

15. A send host employing adaptive security, comprising:
- means for inputting a desired security configuration for a data stream to be communicated to a receive host;
  
  means for displaying the desired security configuration and an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  means for generating a plurality of data packets associated with the data stream, the data packets including a data block and an authentication data block having an authentication header containing the actual security configuration and a signature the actual security configuration being based upon a number of available security operations in the receive host.

16. A receive host employing adaptive security, comprising:
- means for receiving at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;
  
  means for decomposing the authentication header in the data packets;
  
  means for performing a percentage based verification on the data packets from the data stream;
  
  means for determining an actual security level performed based on a number of available security operations, a minimum security level, and a target security level, and a desired actual security level, the minimum security level and the target security level being contained in the authentication header; and
  
  means for communicating the actual security level to a send host.
- View Dependent Claims (17, 18)
- - 17. The receive host of claim 16, wherein the means for determining an actual security level further comprises means for determining the number of available security operations by examining a resource tracking table for a non-critical processor time usage of at least one existing data stream.
  - 18. The receive host of claim 16, further comprising:
    - means for performing a delayed verification on a bundle of data packets from the data stream; and
      
      means for enabling one of the delayed verification and the variable percentage verification based on a verification type field contained in the authentication header and on the number of available security operations in the receive host.

19. A method for communicating a data stream employing adaptive security, comprising the steps of:
- identifying a desired verification type, a desired security algorithm, a minimum security level, a target security level, and a desired actual security level in a send host for communicating a data stream from the send host to a receive host;
  
  determining an actual verification type, an actual security algorithm, and an actual security level in the receive host based on the desired verification type, desired security algorithm, minimum security level, target security level, and a number of available security operations;
  
  communicating the actual verification type, the actual security algorithm, and the actual security level from the receive host to the send host;
  
  generating a plurality of data packets associated with the data stream in the send host, the data packets having an authentication data block with an authentication header, the authentication header containing the actual verification type, actual security algorithm, minimum security level, the target security level, and the actual security level;
  
  verifying the data packets using percentage based verification if the actual verification type is percentage based verification, the percentage based verification being performed at the actual security level which is greater than or equal to the minimum security level and less than or equal to the target security level; and
  
  performing a delayed verification on the data packets if the actual verification type is delayed verification.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further comprising the step of altering the actual security level in the send host using a security thermostat.
  - 21. The method of claim 19, further comprising the step of identifying the number of available security operations by identifying a number of non-critical security operations employed by a plurality of second data streams received by the receive host, and by identifying a number of unused security operations in the receive host.

22. A computer program embodied on a computer-readable medium for operation in a send host to facilitate data communication with adaptive security, comprising:
- logic to input a desired security configuration for a data stream to be communicated to a receive host;
  
  logic to display a desired security configuration and an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block having an authentication header containing the actual security configuration and a signature, the actual security configuration being based upon a number of available security operations in the receive host.

23. A computer program embodied on a computer-readable medium for operation in a receive host to facilitate data communication with adaptive security, comprising:
- logic to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;
  
  logic to decompose the authentication header in the data packets;
  
  logic to perform a percentage based verification on the data packets from the data stream;
  
  logic to determine an actual security level performed based on a number of available security operations in a receive host, a minimum security level, and a target security level, the minimum security level and the target security level being contained in the authentication header; and
  
  logic to communicate the actual security level to a send host.
- View Dependent Claims (24, 25)
- - 24. The computer program embodied on a computer-readable medium of claim 23, wherein the logic to determine the actual security level further comprises logic to determine the number of available security operations by examining a resource tracking table for a non-critical processor time usage of at least one existing data stream.
  - 25. The computer program embodied on a computer-readable medium of claim 23, further comprising:
    - logic to perform a delayed verification on a bundle of data packets from the data stream; and
      
      logic to enable one of the delayed verification and the variable percentage verification based on a verification type field contained in the authentication header and on the number of available security operations in the receive host.

26. A computer program embodied in a modulated data signal for transmission across a network, the computer program being for operation in a send host to facilitate data communication with adaptive security, comprising:
- logic to input a desired security configuration for a data stream to be communicated to a receive host;
  
  logic to display the desired security configuration and an actual security configuration for the data stream, the actual security configuration being received from the receive host; and
  
  logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block having an authentication header containing the actual security configuration and a signature, the actual security configuration being based upon a number of available security operations in the receive host.

27. A computer program embodied in a modulated data signal for transmission across a network, the computer program being for operation in a receive host to facilitate data communication with adaptive security, comprising:
- logic to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;
  
  logic to decompose the authentication header in the data packets;
  
  logic to perform a percentage based verification on the data packets from the data stream;
  
  logic to determine an actual security level performed based on a number of available security operations, a minimum security level, and a target security level, the minimum security level, the target security level being contained in the authentication header; and
  
  logic to communicate the actual security level to a send host.
- View Dependent Claims (28, 29)
- - 28. The computer program embodied in a modulated data signal of claim 27, wherein the logic to determine an actual security level further comprises logic to determine the number of available security operations by examining said at least one data stream received by the input device for a non-critical processor time usage.
  - 29. The computer program embodied in a modulated data signal of claim 27, further comprising:
    - logic to perform a delayed verification on a bundle of data packets from the data stream; and
      
      logic to enable one of the delayed verification and the variable percentage verification based on the number of available security operations and on a verification type in the authentication header.

30. A send host employing adaptive security, comprising:
- logical circuitry to input a desired security configuration for a data stream to be communicated to a receive host;
  
  logical circuitry to receive an actual security configuration for the data stream, the actual security configuration being received from the receive host, the actual security configuration being based upon a number of available security operations in the receive host; and
  
  logical circuitry to generate a plurality of data packets associated with the data stream, the data packets including a data block and an authentication data block having an authentication header containing the actual security configuration and a signature.

31. A receive host employing adaptive security, comprising:
- logical circuitry to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;
  
  logical circuitry to decompose the authentication header in the data packets;
  
  logical circuitry to perform a percentage based verification on the data packets from the data stream;
  
  logical circuitry to determine an actual security level performed based on a number of available security operations, a minimum security level, and a target security level, and a desired actual security level, the minimum security level and the target security level being contained in the authentication header; and
  
  logical circuitry to communicate the actual security level to a send host.

32. A receive host employing adaptive security, comprising:
- a processor coupled to a data bus;
  
  a memory coupled to the data bus; and
  
  a data communications interface electrically coupled to the data bus, the data communications interface being configured to receive at least one data stream comprising a number of data packets;
  
  adaptive security logic stored on the memory and executable by the processor, the adaptive security logic including;
  
  logic to determine a number of available security operations in the receive host; and
  
  logic to allocate the number of available security operations in the receive host to perform a verification of a number of the data packets in the at least one data stream.
- View Dependent Claims (33, 34)
- - 33. The receive host of claim 32, wherein the logic to determine a number of available security operations in the receive host further comprises logic to determine the number of available security operations based upon a priority assigned to the at least one data stream.
  - 34. The receive host of claim 32, wherein the logic to determine a number of available security operations in the receive host further comprises logic to determine a number of non-critical security operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgia Tech Research Corporation (University System of Georgia)
Original Assignee
Georgia Tech Research Corporation (University System of Georgia)
Inventors
Chokhani, Santosh, Schwan, Karsten, Schneck, Phyllis A.
Primary Examiner(s)
Gordon, Paul P.
Assistant Examiner(s)
PATEL, RAMESH B

Application Number

US09/181,304
Time in Patent Office

664 Days
Field of Search

380/1, 380/2, 380/26, 380/30, 713/186, 713/187, 713/188, 700/2, 700/8, 700/9, 700/68, 700/67, 709/229, 709/230, 709/213
US Class Current

700/9
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 69/22   Parsing or analysis of headers

Adaptive data security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

134 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive data security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links