Active intrusion resistant environment of layered object and compartment keys (airelock)

US 7,225,467 B2
Filed: 10/11/2001
Issued: 05/29/2007
Est. Priority Date: 11/15/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A security device for installation at a node of a digital network, said security device comprising:

a security engine for providing user transparent communications to another node of said digital network;

at least two locking devices, wherein each locking device is coupled to the other locking devices and the security engine, and each locking device is configured to communicate with the other locking devices and with the security engine; and

a programmed data processor including a memory to store data corresponding to said user communications and to store an embedded security policy manager and a manager object and at least one managed object, wherein the managed object is configured to detect communications at a first node having a characteristic which differs from a normal usage characteristic and to send an alarm through the manager object to said security engine for communication to a managed object of a second node, the managed object corresponding to said first node, as said user transparent communications and for responding to user transparent communications from said second node of said digital network and controlling of routing of communications in said digital network wherein said first node and said second node are hierarchically arranged locally in said digital network and arranged to provide redundant connections between nodes at different hierarchical levels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high level of security and fault tolerance is provided in a digital network by use of highly secure infrastructure of user transparent signalling for communicating detection of signals at a network node having characteristics of a potential attack to another node and controlling communications at routers at the node from another node in response to the user transparent signals. A processor is connected to the routers and the network through an encryption engine and includes a manager object to issue control commands to nodes of a locally lower hierarchy tier and managed objects to detect potential attacks and exercise control over the routers responsive to signals from a node of a locally higher hierarchy tier. Identifications are provided for communications between nodes regardless of whether or not a corresponding user is identified and communications are logged. Thus any network session comprises one or more secure sessions in a plurality of security domains and any fault or potential attack can be compartmentalized to a node or sector of the network and isolated while normal communications are continued over redundant network links.

Citations

15 Claims

1. A security device for installation at a node of a digital network, said security device comprising:
- a security engine for providing user transparent communications to another node of said digital network;
  
  at least two locking devices, wherein each locking device is coupled to the other locking devices and the security engine, and each locking device is configured to communicate with the other locking devices and with the security engine; and
  
  a programmed data processor including a memory to store data corresponding to said user communications and to store an embedded security policy manager and a manager object and at least one managed object, wherein the managed object is configured to detect communications at a first node having a characteristic which differs from a normal usage characteristic and to send an alarm through the manager object to said security engine for communication to a managed object of a second node, the managed object corresponding to said first node, as said user transparent communications and for responding to user transparent communications from said second node of said digital network and controlling of routing of communications in said digital network wherein said first node and said second node are hierarchically arranged locally in said digital network and arranged to provide redundant connections between nodes at different hierarchical levels.

2. A digital network for active intrusion resistance, said digital network comprising:
- a plurality of nodes arranged in a tiered hierarchy, each node includingat least two locking devices;
  
  a security policy manager device for detecting network communications or activity having a characteristic different from a normal usage characteristic and providing a signal to other network nodes; and
  
  a communication module responsive to a user transparent signal from another node for controlling said at least two locking devices to isolate a node by selecting from among redundant communication paths in said digital network to maintain network communications between nodes that are not to be isolated and restricting communications with a node to be isolated, whereby the digital network actively resists intrusion by isolating one or more nodes that are determined to have become untrusted.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10)
- - 3. A digital network as recited in claim 2, wherein each node further includes a memory to store data corresponding to said user transparent communications and to store an embedded security policy manager, a manager object, and managed objects corresponding to each connected node.
  - 4. A digital network as recited in claim 2, wherein said controlling of said at least two locking devices to isolate a node of said digital network is performed in real time.
  - 5. A digital network as recited in claim 2, wherein said tiered hierarchy includes redundant connections between nodes at different levels in the hierarchy.
  - 6. A digital network as recited in claim 2, wherein each node further includes a module for defining a secure session between nodes.
  - 7. A digital network as recited in claim 6, wherein said module for defining a secure session includes a portion to transmit information corresponding to one of an authenticated user and an identification of a communicating node, wherein the identification of the communicating node can be used to isolate nodes corresponding to the secure session such that the digital network actively resists intrusion by compartmentalizing untrusted nodes within the secure session.
  - 8. A digital network as recited in claim 2, wherein said characteristic which differs from said normal usage characteristics is a potential attack characteristic.
  - 9. A digital network as recited in claim 2, wherein said characteristic that differs from said normal usage characteristic corresponds to a fault at a node or link of said digital network.
  - 10. A digital network as recited in claim 2, wherein said manager object manages said managed object, and wherein each managed object corresponds to any external node coupled to each node.

11. A method of actively resisting intrusion in a digital network using extensions to an object request broker, said method comprising:
- providing object request broker software;
  
  extending the object request broker software to include encryption, intrusion detection, and security policy management and enforcement;
  
  generating a manager object on one or more nodes and at least one managed object on each node;
  
  detecting, with a managed object, a communication having a characteristic differing from a normal usage characteristic at a first node of said digital network, said communication received from a second node of said digital network;
  
  communicating a user transparent signal from a managed object of the first node to a managed object of a third digital network node responsive to said detection; and
  
  controlling communications, through coordinated managed and manager objects, at said first node and said third node to restrict communications from said second node with a user transparent signal.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A method as recited in claim 11, wherein said step of controlling communications includes steps ofisolating said second node from said digital network to restrict untrusted communications from the second node from being allowed onto the digital network, androuting other digital network communications through redundant links between nodes of said digital network so as to bypass and isolate the second node.
  - 13. A method as recited in claim 11, wherein said detecting step is performed by the managed object at the first node of said digital network and said controlling step is performed responsive to the managed object at said third node of said digital network.
  - 14. A method as recited in claim 11, wherein said detecting, communicating and controlling steps are performed in substantially real time.
  - 15. A method as recited in claim 11, including a further step of defining a secure session between a plurality of nodes in a communication path in said digital network, wherein said secure session allows compartmentalization of any untrusted nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Dapp, Michael C.
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/973,769
Publication Number

US 20020066035A1
Time in Patent Office

2,056 Days
Field of Search

709220-226, 709/229, 709238-244, 713/153, 713/154, 713/200, 713/201, 726 22- 24
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/20 for managing network securi...

Active intrusion resistant environment of layered object and compartment keys (airelock)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Active intrusion resistant environment of layered object and compartment keys (airelock)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links