Real time active network compartmentalization

US 7,213,265 B2
Filed: 10/11/2001
Issued: 05/01/2007
Est. Priority Date: 11/15/2000
Status: Active Grant

First Claim

Patent Images

1. A method of operating a digital communication network having a plurality of nodes which have a locally hierarchical relationship, comprising the steps of:

supplying identification information at a first node to a transmission received from the network even if a sender of the transmission is not identified;

tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information;

communicating the traffic log information to another node;

detecting a condition at the first node and communicating the condition to a trusted second node locally higher in said hierarchical relationship;

disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack;

collecting information regarding said condition and said traffic log through nodes at the same or higher hierarchical level as said trusted second node; and

controlling a response at said first node in response to said information, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected, and wherein the hierarchical relationship of the plurality of nodes is hidden to users of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security policy manager devices are leveraged by manager objects to use highly secure user transparent communications to provide detection of questionable activities at every node, automatic collection of information related to any potential attack, isolation of the offending object with arbitrary flexibility of response (e.g. flexibly determining the level of certainty of an attack for initiation of a response in accordance with the number of nodes to be partitioned that is determined by the collected data concerning the potential attack), changing trust relationships between security domains, limiting the attack and launching offensive information warfare capabilities (e.g. outbound from the compromised node while limiting or eliminating inbound communications) in log time and simultaneously and/or concurrently in different but possibly overlapping sections or segments of a digital network of arbitrary configuration.

Citations

19 Claims

1. A method of operating a digital communication network having a plurality of nodes which have a locally hierarchical relationship, comprising the steps of:
- supplying identification information at a first node to a transmission received from the network even if a sender of the transmission is not identified;
  
  tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information;
  
  communicating the traffic log information to another node;
  
  detecting a condition at the first node and communicating the condition to a trusted second node locally higher in said hierarchical relationship;
  
  disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack;
  
  collecting information regarding said condition and said traffic log through nodes at the same or higher hierarchical level as said trusted second node; and
  
  controlling a response at said first node in response to said information, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected, and wherein the hierarchical relationship of the plurality of nodes is hidden to users of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein said communicating of the traffic log and the condition is performed over said digital communication network separately from user data communications.
  - 3. A method as recited in claim 2, wherein said communicating and said controlling step are performed preferentially to said user data communications.
  - 4. A method as recited in claim 1, wherein said communicating and said controlling step are performed by user transparent communications over said digital network.
  - 5. A method as recited in claim 1, wherein said communicating and said controlling step are performed at bit rates of at least 10 Gbps.
  - 6. A method as recited in claim 1, wherein said controlling step establishes a virtual private network.
  - 7. A method as recited in claim 1, wherein said controlling step implements at least one of a mandatory access control policy and a discretionary access control policy.
  - 8. A method as recited in claim 1, wherein said communicating establishes a trust level for a node of said digital network.
  - 9. A method as recited in claim 1, wherein said communicating establishes a secure session between contiguous nodes of said digital network.
  - 10. A method as recited in claim 1, including the further step of detecting a foreign security policy manager connection.

11. A computer readable medium upon which is embodied a sequence of programmable instructions which, when executed by a processor, cause the processor to perform operations comprising:
- detecting a condition at the first node and communicating the condition to a trusted second node locally higher in said hierarchical relationship;
  
  disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack;
  
  collecting information regarding said condition through nodes at the same or higher hierarchical level as said trusted second node; and
  
  controlling a response at said first node in response to said information.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program of claim 11, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected.
  - 13. The computer program of claim 12, wherein the secure mode is a virtual private network.
  - 14. The computer program of claim 11, wherein the predetermined operations include the steps of:
    - supplying identification information at a first node to a transmission received from the network even if a sender of the transmission is not identified;
      
      tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information; and
      
      communicating the traffic log information to another node.
  - 15. The computer program of claim 11, wherein the hierarchical relationship of the plurality of nodes is hidden to users of the network.

16. A method of actively compartmentalizing a network in real time using manager objects and managed objects arranged in a locally hierarchically relationship, said method comprising:
- providing a plurality of nodes, each node having at least one manager object and one or more managed objects, wherein each manager object corresponds to one or more managed objects and each managed object corresponds to a network connection to another node;
  
  adding identification information to a transmission received at a first node from the network even if a sender of the transmission is not identified;
  
  tracking network transmissions at the first node using the identification information and logging the identification information and a characteristic of the network transmission as traffic log information;
  
  communicating the traffic log information to another node in a form that is transparent to users of the network;
  
  detecting a condition at the first node and communicating the condition, in a form that is transparent to users of the network, to a trusted second node locally higher in said hierarchical relationship;
  
  collecting information regarding said condition and said traffic log through nodes at the same or higher hierarchical level as said trusted second node;
  
  controlling a response at said first node in response to said information; and
  
  disconnecting one or more nodes in the network to test for the origin and scope of a potential attack and reconnecting disconnected nodes not associated with the potential attack.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the controlling step includes switching a critical segment of the network to a secure mode when a threat is detected.
  - 18. The method of claim 17, wherein the secure mode is a virtual private network.
  - 19. The method of claim 16, wherein the locally hierarchically relationship of manager nodes and managed nodes is hidden to users of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Dapp, Michael C.
Primary Examiner(s)
Barroń, Jr.; Gilberto
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/973,776
Publication Number

US 20020059528A1
Time in Patent Office

2,028 Days
Field of Search

709223-225, 709/238, 713/200, 713/201, 714/4, 726 22- 25, 370/217
US Class Current

726/23
CPC Class Codes

G06F 11/1482   by means of middleware or O...

H04L 63/0272   Virtual private networks

H04L 63/1458   Denial of Service

Real time active network compartmentalization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Real time active network compartmentalization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links