Method and apparatus for providing adaptive self-synchronized dynamic address translation
First Claim
1. A network security apparatus for securing packet header information of a data packet, comprising:
- a key exchanger adapted to derive a cipher key;
- a translator adapted to translate predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information, and replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- a communication device adapted to communicate the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Abstract
A communication device is provided for a local enclave. The communication device processes packets to be transferred from the local enclave to a wide area network. The communication device intercepts packets originating from a host on the local enclave, the packets being destined for transmission over the wide area network; extracts predetermined portions from each packet header to form one or more blocks for translation; applies a predetermined encryption algorithm to translate the one or more blocks after masking; and reinserts bits from the translated block back into the packet header. The purpose of the invention is to obfuscate network machine identities in TCP/IP packets traversing the public Internet, so as to prevent traffic mapping.
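The abstract describes the mechanism at the level of "extract, mask, encrypt, reinsert" on one side and "restore" on the other. The Python below is an added illustration, not code from the patent or its assignee, of one concrete reading of that mechanism for the three fields the claims name (destination host portion, destination port, per-packet sequence parameter). Everything about the layout is assumed: the second enclave is taken to be a /24 (so the host portion is the low 8 bits), the port is 16 bits and the sequence parameter is a 32-bit TCP sequence number, which together form one 56-bit block; "masking" is read as holding the routable prefix bits out of the block; and the "predetermined encryption algorithm" is a 6-round Feistel network whose round function is HMAC-SHA256 under the exchanged cipher key. The prefix 192.0.2.0/24 and the key are constructed demo values. Packets are modelled as dicts of the three header fields.

```python
import hashlib
import hmac
import ipaddress

# Assumed block layout (the patent text does not fix it): the enclave is a /24,
# so the host portion is the low 8 bits of the destination address; the port is
# 16 bits and the per-packet sequence parameter is the 32-bit TCP sequence
# number.  Together they form one 56-bit block for translation.
HOST_BITS, PORT_BITS, SEQ_BITS = 8, 16, 32
BLOCK_BITS = HOST_BITS + PORT_BITS + SEQ_BITS      # 56
HALF_BITS = BLOCK_BITS // 2                        # 28-bit Feistel halves
HALF_MASK = (1 << HALF_BITS) - 1
HOST_MASK = (1 << HOST_BITS) - 1
ROUNDS = 6

# Constructed example prefix (TEST-NET-1).  The prefix bits are masked out of
# the block and never translated, so the WAN still routes the packet to the
# second enclave's gateway; only the host, port and sequence bits change.
ENCLAVE = ipaddress.ip_network("192.0.2.0/24")


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """HMAC-SHA256 keyed by the exchanged cipher key, truncated to a half-block."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HALF_MASK


def feistel_encrypt(key: bytes, block: int) -> int:
    """Keyed bijection on 56-bit blocks, standing in for the patent's cipher."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << HALF_BITS) | right


def feistel_decrypt(key: bytes, block: int) -> int:
    """Exact inverse of feistel_encrypt: same rounds, applied in reverse order."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF_BITS) | right


def pack_block(host: int, port: int, seq: int) -> int:
    """Concatenate the extracted header portions into one translation block."""
    return (host << (PORT_BITS + SEQ_BITS)) | (port << SEQ_BITS) | seq


def unpack_block(block: int):
    """Split a translation block back into (host, port, seq)."""
    seq = block & ((1 << SEQ_BITS) - 1)
    port = (block >> SEQ_BITS) & ((1 << PORT_BITS) - 1)
    host = (block >> (PORT_BITS + SEQ_BITS)) & HOST_MASK
    return host, port, seq


def _rewrite(key: bytes, pkt: dict, cipher) -> dict:
    """Extract, mask, apply the cipher, and reinsert the bits into the header."""
    dst = ipaddress.ip_address(pkt["dst_ip"])
    if dst not in ENCLAVE:
        raise ValueError("destination is not inside the protected enclave")
    host = int(dst) & HOST_MASK                      # masking: drop prefix bits
    block = cipher(key, pack_block(host, pkt["dst_port"], pkt["seq"]))
    host, port, seq = unpack_block(block)
    out = dict(pkt)
    out["dst_ip"] = str(ipaddress.ip_address(int(ENCLAVE.network_address) | host))
    out["dst_port"], out["seq"] = port, seq
    return out


def translate_egress(key: bytes, pkt: dict) -> dict:
    """First communication device: translate the fields before the WAN."""
    return _rewrite(key, pkt, feistel_encrypt)


def restore_ingress(key: bytes, pkt: dict) -> dict:
    """Second communication device: restore the fields before delivery."""
    return _rewrite(key, pkt, feistel_decrypt)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in the patent this comes from the key exchanger
    for seq in (1000, 1001):        # same host and port; only the sequence differs
        pkt = {"dst_ip": "192.0.2.10", "dst_port": 443, "seq": seq}
        wire = translate_egress(key, pkt)
        print(pkt, "->", wire, "->", restore_ingress(key, wire))
```

Because the per-packet sequence parameter is part of the block, two consecutive packets to the same host and port leave the first enclave with different destination host and port bits, which is what defeats a passive observer's attempt to map which internal machines talk. The prefix remains visible, so enclave-to-enclave traffic volume is still observable; the scheme hides endpoint identity, not the existence of the flow, and provides no payload confidentiality or integrity. Two practical points the toy omits: a real gateway must recompute the IP and TCP checksums after reinserting the bits, and a fixed permutation over the host bits can produce the .0 and .255 host values of a /24, which the restoring side must be prepared to accept on the wire. Note also that the restoring device cannot tell a wrong key from a valid packet by the header alone; it simply restores to a host value that may not exist, so a rise in restored packets for unassigned hosts is the natural health signal to monitor.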
Claims (52 claims; 134 citations)
1. As given above under First Claim. Dependent claims: 2, 3, 4, 5.
6. A network security apparatus for securing packet header information of a data packet, comprising:
- a random number generator adapted to generate a random number;
- a translator adapted to translate predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information, and replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- a communication device adapted to communicate the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 7, 8, 9.
10. A network security system for securing packet header information of a data packet communicated between a first enclave and a second enclave through a wide area network, the system comprising:
- a first communication device in communication with the first enclave and the wide area network, said first communication device adapted to receive the data packet, translate predetermined portions of said packet header information into translated packet header information and replace said predetermined portions of said packet header information with the translated packet header information in the data packet, and place the data packet on the wide area network; and
- a second communication device in communication with the second enclave and the wide area network, said second communication device adapted to receive and restore the predetermined portions of the data packet from the translated packet header information and place the data packet onto the second enclave;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 11, 12, 13, 14, 15.
16. A method for securing packet header information of a data packet, comprising:
- deriving a cipher key;
- translating predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
- replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- communicating the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 17, 18, 19, 20.
21. A method for securing packet header information of a data packet, comprising:
- generating a random number;
- translating predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
- replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- communicating the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 22, 23, 24.
25. A method for securing packet header information of a data packet, comprising:
- receiving the data packet at a first communication device;
- translating predetermined portions of packet header information into translated packet header information;
- replacing said predetermined portions of said packet header information with the translated packet header information in the data packet;
- sending the data packet to a second enclave through a wide area network;
- receiving the data packet at a second communication device on the second enclave;
- restoring the predetermined portions of the data packet from the translated packet header information at the second communication device; and
- placing the data packet onto the second enclave;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 26, 27, 28, 29.
30. A communication device adapted for processing packet header information of a data packet, the communication device being operable to:
- derive a cipher key;
- translate predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
- replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- communicate the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 31, 32, 33, 34.
35. A communication device adapted for processing packet header information of a data packet, the communication device being operable to:
- generate a random number;
- translate predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
- replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- communicate the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 36, 37, 38.
39. A device for securing packet header information of a data packet, comprising:
- means for deriving a cipher key;
- means for translating predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
- means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- means for communicating the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 40, 41, 42, 43.
44. A device for securing packet header information of a data packet, comprising:
- means for generating a random number;
- means for translating predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
- means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
- means for communicating the data packet between a first enclave and a second enclave through a wide area network;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 45, 46, 47.
48. A device for securing packet header information of a data packet, comprising:
- means for receiving the data packet at a first communication device;
- means for translating predetermined portions of packet header information into translated packet header information;
- means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet;
- means for sending the data packet to a second enclave through a wide area network;
- means for receiving the data packet at a second communication device on the second enclave;
- means for translating the predetermined portions of the data packet at the second communication device; and
- means for placing the data packet onto the second enclave;
wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
Dependent claims: 49, 50, 51, 52.
Specification