Agile network protocol for secure communications with assured system availability

US 7,010,604 B1
Filed: 10/29/1999
Issued: 03/07/2006
Est. Priority Date: 10/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of transmitting information between a first computer and a second computer over a network comprising the steps of:

(1) embedding in a header of each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over the network;

(2) transmitting the plurality of data packets between the first computer and the second computer;

(3) receiving the transmitted data packets at the second computer; and

(4) for each received data packet, comparing the network address to a moving window of valid network addresses and, in response to detecting a match within the moving window, accepting the received data packet for further processing, and otherwise rejecting the received data packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator'"'"'s parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving-nodes. These techniques include a self-synchronization technique in which a sync field is transmitted as part of each packet, and a “checkpoint” scheme by which transmitting and receiving nodes can advance to a known point in their hopping schemes. A fast-packet reject technique based on the use of presence vectors is also described. A distributed transmission path embodiment incorporates randomly selected physical transmission paths.

Citations

52 Claims

1. A method of transmitting information between a first computer and a second computer over a network comprising the steps of:
- (1) embedding in a header of each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over the network;
  
  (2) transmitting the plurality of data packets between the first computer and the second computer;
  
  (3) receiving the transmitted data packets at the second computer; and
  
  (4) for each received data packet, comparing the network address to a moving window of valid network addresses and, in response to detecting a match within the moving window, accepting the received data packet for further processing, and otherwise rejecting the received data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 48, 49)
- - 2. The method of claim 1, wherein step (1) comprises the step of using an Internet Protocol address in an Internet Protocol header as the network address, wherein the Internet Protocol address is used to route the data packets over the Internet.
  - 3. The method of claim 1, further comprising the step of embedding an additional quasi-random value in a data field external to an Internet Protocol header of each data packet.
  - 4. The method of claim 1, wherein steps (1) and (4) are performed in a data link layer of an ISO standard communication protocol.
  - 5. The method of claim 1, wherein step (1) comprises the step of using a Media Access Control (MAC) hardware address as the network address, wherein the MAC hardware address is used to route the data packets on a local area network.
  - 6. The method of claim 1, wherein step (1) comprises the step of using a different network address for each successive data packet.
  - 7. The method of claim 1, further comprising the step of moving the window as each successive data packet is received.
  - 8. The method of claim 1, further comprising the step of sharing between the first computer and the second computer information sufficient to generate the moving window of valid network addresses.
  - 9. The method of claim 1, further comprising the step of transmitting from the first computer to the second computer an algorithm for selecting successively valid network addresses.
  - 10. The method of claim 1, wherein step (4) comprises the step of using a presence vector to determine whether to accept each data packet.
  - 11. The method of claim 1, wherein step (4) comprises the step of using a hashing function to determine whether the network address is valid.
  - 12. The method of claim 1, further comprising the step of transmitting a synchronization request between the first computer and the second computer, wherein the second computer uses the synchronization request to maintain synchronization of valid network addresses.
  - 13. The method of claim 12, further comprising the step of, in response to failure to receive a synchronization acknowledgement from the second computer, shutting off transmission of data packets to the second computer.
  - 14. The method of claim 12, further comprising the step of embedding a synchronization value in each data packet that permits the second computer to re establish synchronization in a set of potentially valid network addresses.
  - 15. The method of claim 12, further comprising the step of moving the window of valid network addresses in the second computer in response to receiving the synchronization request from the first computer.
  - 16. The method of claim 1, wherein step (1) comprises the steps of embedding a periodically-changing Internet Protocol source address in an Internet Protocol header and embedding a periodically-changing Internet Protocol destination address in the Internet Protocol header, wherein the source and destination addresses are used to route each data packet over the Internet.
  - 17. The method of claim 16, further comprising the steps of:
    - embedding a plurality of the data packets into a frame; and
      
      embedding a source and destination hardware address in the frame, wherein the source and destination hardware address are quasi-randomly generated and used to route the frame on the network.
  - 18. The method of claim 1, further comprising the step of maintaining in the first computer a first transmit table and a first receive table, and maintaining in the second computer a second transmit table and a second receive table,wherein each transmit table comprises a list of valid network addresses that are to be inserted into outgoing data packets;
    - wherein each receive table comprises a list of valid network addresses that are to be compared against incoming data packets; and
      
      wherein the first transmit table in the first computer matches the second receive table in the second computer; and
      
      wherein the first receive table in the first computer matches the second transmit table in the second computer.
  - 48. The method of claim 1, wherein steps (1) and (4) are performed in a data link layer of a standard communication protocol.
  - 49. The method of claim 1, wherein step (1) comprises the step of using a hardware address as the network address, wherein the hardware address is used to route the data packets on a local area network.

19. A method of transmitting data packets over a network comprising a plurality of computers connected to each other through a plurality of physical transmission paths, the method comprising the steps of:
- (1) for each of a plurality of data packets, randomly selecting one of the plurality of physical transmissions paths through the plurality of computers;
  
  (2) selecting a next pair of source and destination network addresses generated from an algorithm that generates a plurality of pairs of source and destination network addresses each associated with the one randomly selected physical transmission path; and
  
  (3) transmitting each data packet over the randomly selected physical transmission path using the selected next pair of source and destination network addresses.
- View Dependent Claims (20)
- - 20. The method of claim 19 wherein step (1) comprises the step of avoiding selection of a path that is not operational.

21. A system comprising:
- a first computer that embeds into each of a plurality of data packets a network address that periodically changes between successive data packets, wherein each network address is used to route packets over a network, anda second computer coupled to the first computer through the network,wherein the first computer transmits the plurality of data packets to the second computer, andwherein the second computer receives the transmitted data packets, compares the network address in each received data packet to a moving window of valid network addresses and, in response to detecting a match, accepts the received data packet for further processing, and otherwise rejects the received data packet.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 50, 51)
- - 22. The system of claim 21, wherein the first computer embeds into each of the plurality of data packets an Internet Protocol address in an Internet Protocol header as the network address, wherein the Internet Protocol address is used to route the data packets over the Internet.
  - 23. The system of claim 21, wherein the first computer embeds an additional quasi-random value in a data field external to an Internet Protocol header of each data packet.
  - 24. The system of claim 21, wherein the first computer embeds each network address in a first data link layer of an ISO standard communication protocol, and wherein the second computer compares each network address in a second data link layer of the ISO standard communications protocol.
  - 25. The system of claim 21, wherein the first computer embeds a Media Access Control (MAC) hardware address as the network address, wherein the MAC hardware address is used to route the data packets on a local area network.
  - 26. The system of claim 21, wherein the first computer embeds a different network address for each successive data packet.
  - 27. The system of claim 21, wherein the second computer moves the window as each successive data packet is received.
  - 28. The system of claim 21, wherein the first and second computers share common information sufficient to generate the moving window of valid network addresses.
  - 29. The system of claim 21, wherein the first computer transmits to the second computer an algorithm for selecting successively valid network addresses.
  - 30. The system of claim 21, wherein the second computer uses a presence vector to determine whether to accept each data packet.
  - 31. The system of claim 21, wherein the second computer uses a hashing function to determine whether the network address is valid.
  - 32. The system of claim 21, wherein the first computer transmits to the second computer a synchronization request, wherein the second computer uses the synchronization request to maintain synchronization of valid network addresses.
  - 33. The system of claim 32, wherein the first computer, in response to failure to receive a synchronization acknowledgement from the second computer, shuts off transmission of data packets to the second computer.
  - 34. The system of claim 32, wherein the first computer embeds a synchronization value in each data packet that permits the second computer to re-establish synchronization in a set of potentially valid network addresses.
  - 35. The system of claim 32, wherein the second computer moves a window of valid network addresses in response to receiving the synchronization request from the first computer.
  - 36. The system of claim 21, wherein the first computer embeds a periodically-changing Internet Protocol source address in an Internet Protocol header and embeds a periodically-changing Internet Protocol destination address in the Internet Protocol header, wherein the source and destination addresses are used to route each data packet over the Internet.
  - 37. The system of claim 36, wherein the first computer embeds a plurality of the data packets into a frame and embeds a source and destination hardware address in the frame, wherein the source and destination hardware address are quasi-randomly generated and used to mute the frame on the network.
  - 38. The system of claim 21,wherein the first computer comprises a first transmit table and a first receive table,wherein the second computer comprises a second transmit table and a second receive table,wherein each transmit table comprises a list of valid network addresses that are to be inserted into outgoing data packets,wherein each receive table comprises a list of valid network addresses that are to be compared against incoming data packets,wherein the first transmit table in the first computer matches the second receive table in the second computer, andwherein the first receive table in the first computer matches the second transmit table in the second computer.
  - 50. The system of claim 21, wherein the first computer embeds each network address in a first data link layer of a standard communication protocol, and wherein the second computer compares each network address in a second data link layer of the standard communications protocol.
  - 51. The system of claim 21, wherein the first computer embeds a hardware address as the network address, wherein the hardware address is used to route the data packets on a local area network.

39. A router coupled to a network comprising a plurality of computers connected to each other through a plurality of physical transmission paths,wherein the router receives a plurality of data packets for transmission across the network;
- andwherein the router, for each data packet, randomly selects one of the plurality of physical transmission paths through the plurality of computers and transmits each data packet over the randomly selected physical transmission path using a pair of source and destination network addresses generated from an algorithm that generates a plurality of pairs of source and destination addresses each associated with the one randomly selected physical transmission path.
- View Dependent Claims (40)
- - 40. The router of claim 39, wherein the router avoids selection of a non-operational path.

41. A system comprising in combination:
- a transmitting node that generates pseudo-random network addresses and embeds the pseudo-random network addresses into headers of data packets for transmission; and
  
  a receiving node that receives data packets transmitted by the transmitting node, wherein the receiving node, for each received packet, extracts each pseudo-randomly generated network address, compares it to a moving window of potentially valid network addresses shared between the transmitting node and the receiving node and, in response to detecting a match, accepts the data packet, and otherwise discards the packet.
- View Dependent Claims (42, 43, 44, 45, 52)
- - 42. The system of claim 41, wherein the receiving node maintains a window of valid network addresses, wherein the window is moved in response to detecting a match.
  - 43. The system of claim 41, wherein each pseudo-randomly generated network address comprises a valid Internet Protocol address that is assigned to the receiving node.
  - 44. The system of claim 41, wherein each pseudo-randomly generated network address comprises a valid Media Access Control (MAC) hardware address that is assigned to the receiving node.
  - 45. The system of claim 41, wherein the transmitting node generates a different pseudo-randomly generated network address for each successive data packet.
  - 52. The system of claim 41, wherein each pseudo-randomly generated network address comprises a valid hardware address that is assigned to the receiving node.

46. A receiving computer that receives data packets from a transmitting computer, wherein the receiving computer comprises computer instructions that execute the steps of(1) for each received data packet, extracting a discriminator value inserted by the transmitting computer;
- (2) comparing the extracted discriminator value to a set of valid discriminator values on the basis of information previously shared with the transmitting computer; and
  
  (3) in response to detecting a match in step (2), accepting the received data packet for further processing and otherwise rejecting the data packet, wherein the receiving computer maintains a sliding window of valid discriminator values, wherein the window slides to encompass a next range of valid discriminator values in response to detecting matches, wherein the receiving computer further comprises computer instructions that extract as the discriminator value an Internet Protocol address from a header portion of each data packet.
- View Dependent Claims (47)
- - 47. The receiving computer of claim 46, wherein the receiving computer receives information from the transmitting computer sufficient to establish the set of valid discriminator values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VirnetX Inc. (Virnetx Holding Corporation)
Original Assignee
Science Applications International Corporation
Inventors
Munger, Edmund Colby, Sabio, Vincent J., Short, III, Robert Dunham, Gligor, Virgil D., Schmidt, Douglas Charles
Primary Examiner(s)
Dinh, Dung C.
Assistant Examiner(s)
STRANGE, AARON N

Application Number

US09/429,643
Time in Patent Office

2,321 Days
Field of Search

709/225, 709/223, 709/238, 709/227, 709241- 4, 709/250, 709/245, 713/201, 713/160
US Class Current

709/227
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/20   Hop count for routing purpo...

H04L 45/24   Multipath

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/30   Managing network names, e.g...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5076   Update or notification mech...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/0407   wherein the identity of one...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 69/14   Multichannel or multilink p...

H04L 9/065   Encryption by serially and ...

H04M 3/42008   Systems for anonymous commu...

Agile network protocol for secure communications with assured system availability

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Agile network protocol for secure communications with assured system availability

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links