Method and system for algorithm-based address-evading network snoop avoider
Abstract
A method and system for an algorithm-based network snoop avoider is provided. A first data processing system and a second data processing system communicate on a physical network by transmitting data packets on the network using a virtual private network (VPN). Data packets are transmitted through a first VPN tunnel between the first data processing system with a first network address terminating a first end of the VPN tunnel and the second data processing system with a second network address terminating a second end of the first VPN tunnel. The VPN is automatically reconfigured to use alternate addresses on the network for the tunnel endpoints by automatically determining, in accordance with a predetermined algorithm, a third network address and a fourth network address and by automatically assigning the third network address to the first data processing system and the fourth network address to the second data processing system. Data packets may then be transmitted through a second VPN tunnel in which a first end of the second VPN tunnel is terminated by the first data processing system using the third network address and a second end of the second VPN tunnel is terminated by the second data processing system using the fourth network address. The data packets may be transmitted using Internet Protocol (IP), and a portion of the network may include the Internet.
27 Claims
1. A method for communicating on a wide area network between a first data processing system and a second data processing system, the method comprising the computer-implemented steps of:
establishing a virtual private network (VPN) tunnel using a first network address for the first data processing system and a second network address for the second data processing system, wherein the first network address and the second network address are addresses used to route data over the wide area network;
transmitting data packets on the wide area network from the first data processing system to the second data processing system using the VPN tunnel; and
automatically selecting, during a same session between the first data processing system and the second data processing system, an alternate VPN tunnel for transmitting data packets on the wide area network from the first data processing system to the second data processing system by selecting alternate network addresses for the first data processing system and the second data processing system, wherein the alternate network addresses are addresses used to route data over the wide area network, and wherein the alternate network addresses are different from the first network address and the second network address.
2. [preamble omitted in source]
automatically determining, in accordance with a predetermined algorithm, a third network address for the first data processing system and a fourth network address for the second data processing system, wherein the third network address and the fourth network address are addresses used to route data over the wide area network; and
automatically assigning the third network address to the first data processing system and the fourth network address to the second data processing system.
3. The method of claim 1 wherein the predetermined algorithm is a function which maps a network address to another network address.
4. The method of claim 3 wherein the first network address and the third network address are members of a first predetermined set of network addresses.
5. The method of claim 2 further comprising:
transmitting data packets through the alternate VPN tunnel between the first data processing system and the second data processing system, wherein a first end of the alternate VPN tunnel is terminated by the first data processing system using the third network address and a second end of the alternate VPN tunnel is terminated by the second data processing system using the fourth network address.
6. The method of claim 1 wherein the data packets are transmitted using Internet Protocol (IP).
7. The method of claim 1 wherein the wide area network comprises the Internet.
8. The method of claim 1 wherein the first data processing system is a secure gateway for connecting the wide area network to another network.
9. The method of claim 1, wherein automatically reconfiguring the VPN to use alternate addresses on the network for the first data processing system and the second data processing system includes:
determining which of a plurality of reconfiguring algorithms is currently active; and
assigning an alternate address to the first data processing system and the second data processing system based on which of the plurality of reconfiguring algorithms is currently active.
10. The method of claim 1, further comprising:
activating one of a plurality of reconfiguring algorithms based on information from one or more avoider algorithm modules indicating when to switch between VPN tunnels.
11. The method of claim 10, wherein the information from one or more avoider algorithm modules indicating when to switch between VPN tunnels includes information indicating that VPN tunnels should be switched based on a maximum number of data packets that may be sent over a currently active VPN tunnel.
12. The method of claim 10, wherein the information from one or more avoider algorithm modules indicating when to switch between VPN tunnels includes information indicating a specified time period a current VPN tunnel may be active.
13. A distributed data processing system for communicating on a wide area network, the distributed data processing system comprising:
establishing means for establishing a virtual private network (VPN) tunnel using a first network address for a first data processing system and a second network address for a second data processing system, wherein the first network address and the second network address are addresses used to route data over the wide area network;
transmitting means for transmitting data packets on the wide area network from the first data processing system to the second data processing system using the VPN tunnel; and
reconfiguring means for automatically selecting, during a same session between the first data processing system and the second data processing system, an alternate VPN tunnel for transmitting data packets on the wide area network from the first data processing system to the second data processing system by selecting alternate network addresses for the first data processing system and the second data processing system, wherein the alternate network addresses are addresses used to route data over the wide area network, and wherein the alternate network addresses are different from the first network address and the second network address.
14. [preamble omitted in source]
determining means for automatically determining, in accordance with a predetermined algorithm, a third network address for the first data processing system and a fourth network address for the second data processing system, wherein the third network address and the fourth network address are addresses used to route data over the wide area network; and
assigning means for automatically assigning the third network address to the first data processing system and the fourth network address to the second data processing system.
15. The distributed data processing system of claim 14 wherein the predetermined algorithm is a function which maps a network address to another network address.
16. The distributed data processing system of claim 15 wherein the first network address and the third network address are members of a first predetermined set of network addresses.
17. The distributed data processing system of claim 14 wherein the transmitting means further comprises:
second sending means for sending data packets through the alternate VPN tunnel between the first data processing system and the second data processing system, wherein a first end of the alternate VPN tunnel is terminated by the first data processing system using the third network address and a second end of the alternate VPN tunnel is terminated by the second data processing system using the fourth network address.
18. The distributed data processing system of claim 13 wherein the data packets are transmitted using Internet Protocol (IP).
19. The distributed data processing system of claim 13 wherein the wide area network comprises the Internet.
20. The distributed data processing system of claim 13 wherein the first data processing system is a secure gateway for connecting the wide area network to another network.
21. The distributed data processing system of claim 13, wherein the reconfiguring means includes:
means for determining which of a plurality of reconfiguring algorithms is currently active; and
means for assigning an alternate address to the first data processing system and the second data processing system based on which of the plurality of reconfiguring algorithms is currently active.
22. The distributed data processing system of claim 13, further comprising:
means for activating one of a plurality of reconfiguring algorithms based on information from one or more avoider algorithm modules indicating when to switch between VPN tunnels.
23. The distributed data processing system of claim 22, wherein the information from one or more avoider algorithm modules indicating when to switch between VPN tunnels includes information indicating that VPN tunnels should be switched based on a maximum number of data packets that may be sent over a currently active VPN tunnel.
24. The distributed data processing system of claim 22, wherein the information from one or more avoider algorithm modules indicating when to switch between VPN tunnels includes information indicating a specified time period a current VPN tunnel may be active.
25. A computer program product on a computer-readable medium for use in a data processing system for communicating on a network, the computer program product comprising:
instructions for establishing a virtual private network (VPN) tunnel using a first network address for a first data processing system and a second network address for a second data processing system, wherein the first network address and the second network address are addresses used to route data over the wide area network;
instructions for transmitting data packets on the wide area network from the first data processing system to the second data processing system using the VPN tunnel; and
instructions for automatically selecting, during a same session between the first data processing system and the second data processing system, an alternate VPN tunnel for transmitting data packets on the wide area network from the first data processing system to the second data processing system by selecting alternate network addresses for the first data processing system and the second data processing system, wherein the alternate network addresses are addresses used to route data over the wide area network, and wherein the alternate network addresses are different from the first network address and the second network address.
27. A method for communicating on a network between a first data processing system and a second data processing system, the method comprising the computer-implemented steps of:
transmitting data packets on the network from the first data processing system to the second data processing system using a first virtual private network (VPN) tunnel, wherein the first VPN tunnel has endpoints at the first data processing system and the second data processing system and the first data processing system and second data processing system have original respective addresses; and
automatically selecting a second VPN tunnel, during a same session between the first data processing system and the second data processing system, wherein the second VPN tunnel has endpoints at the first data processing system and the second data processing system and wherein the second VPN tunnel uses alternate addresses different from the original respective addresses for the first data processing system and the second data processing system.
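To make the mechanism of the abstract and the trigger modules of claims 11 and 12 concrete, the following is an added simulation written for this page (not code from the patent or from any product): both endpoints derive the same alternate address pair from a predetermined keyed mapping, so the new tunnel endpoints never have to be signalled over the wire where a snooper could read them. The address pools (RFC 5737 documentation ranges), the HMAC-based mapping function and the shared secret are assumptions; the patent text specifies none of them.

```python
import hashlib
import hmac

# Constructed sample data (not from the patent): predetermined address sets
# (RFC 5737 documentation ranges) and a shared secret agreed out of band.
POOL_A = [f"192.0.2.{i}" for i in range(1, 9)]
POOL_B = [f"198.51.100.{i}" for i in range(1, 9)]
SECRET = b"constructed-shared-secret"


def next_address(current, pool, secret=SECRET):
    """Predetermined algorithm (claims 3-4): map a pool member to a different member
    of the same pool, keyed so an observer cannot predict the next address."""
    n = len(pool)
    digest = hmac.new(secret, current.encode(), hashlib.sha256).digest()
    step = 1 + int.from_bytes(digest[:4], "big") % (n - 1)  # 1..n-1, never 0
    return pool[(pool.index(current) + step) % n]


class Endpoint:
    """One side of the session; each side runs this independently and stays in sync."""

    def __init__(self, own_pool, peer_pool, max_packets, max_seconds):
        self.own_pool, self.peer_pool = own_pool, peer_pool
        self.own, self.peer = own_pool[0], peer_pool[0]  # first and second address
        self.max_packets, self.max_seconds = max_packets, max_seconds
        self.packets, self.active_since = 0, 0.0
        self.tunnels = [(self.own, self.peer)]  # history of tunnel endpoint pairs

    def should_switch(self, now):
        # Avoider modules (claims 11-12): packet-count or time-period trigger.
        return self.packets >= self.max_packets or now - self.active_since >= self.max_seconds

    def send(self, now):
        """Send one packet at time `now`, reconfiguring the tunnel first if triggered."""
        if self.should_switch(now):
            self.own = next_address(self.own, self.own_pool)
            self.peer = next_address(self.peer, self.peer_pool)
            self.packets, self.active_since = 0, now
            self.tunnels.append((self.own, self.peer))
        self.packets += 1
        return self.own, self.peer


def simulate(packets=10, max_packets=4, max_seconds=60.0):
    """Drive both endpoints at one packet per second; return each side's history
    as (first-system address, second-system address) pairs for comparison."""
    a = Endpoint(POOL_A, POOL_B, max_packets, max_seconds)
    b = Endpoint(POOL_B, POOL_A, max_packets, max_seconds)
    for t in range(packets):
        a.send(float(t))
        b.send(float(t))
    return a.tunnels, [(peer, own) for own, peer in b.tunnels]
```

Checking that the two histories match is the property a practitioner cares about: a deterministic mapping keeps both ends synchronised across every switch, while the keying means that an observer who sees the current endpoints cannot enumerate where the tunnel moves next.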