Multi-level security systems

US 7,779,255 B2
Filed: 06/27/2007
Issued: 08/17/2010
Est. Priority Date: 08/01/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of providing multi-level security systems, comprising:

defining, for each of a plurality of security classifications to be used by a multi-level security (“

MLS”

) system when sending outbound packets to at least one communication partner system, a unique source address; and

for each of the outbound packets sent from the MLS system, using the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address in the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address used in the outbound packet, further comprising;

determining the security classification associated with the outbound packet;

determining the unique source address defined for the determined security classification;

replacing a source address field of a packet header of the outbound packet with the determined unique source address; and

forwarding the outbound packet for transmission to one of the at least one communication partner system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for multi-level security (“MLS”) in computing systems. Communication between MLS systems in the prior art requires explicitly tagging each packet with its security classification. The packet tags comprise variable-length bit patterns inserted into packet headers. This results in a number of drawbacks, including increased path length and code complexity, as well as reduced interoperability. An MLS system according to the present invention simulates a cluster or collection of single-level security systems, and thereby avoids packet tagging. For each security classification used by an MLS system, a distinct source address is defined. This source address is used for outbound packets having that security classification, such that the packet'"'"'s source address implicitly identifies the packet'"'"'s security classification.

13 Citations

View as Search Results

15 Claims

1. A computer-implemented method of providing multi-level security systems, comprising:
- defining, for each of a plurality of security classifications to be used by a multi-level security (“
  
  MLS”
  
  ) system when sending outbound packets to at least one communication partner system, a unique source address; and
  
  for each of the outbound packets sent from the MLS system, using the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address in the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address used in the outbound packet, further comprising;
  
  determining the security classification associated with the outbound packet;
  
  determining the unique source address defined for the determined security classification;
  
  replacing a source address field of a packet header of the outbound packet with the determined unique source address; and
  
  forwarding the outbound packet for transmission to one of the at least one communication partner system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the unique source address used for one of the security classifications is identical to a network address of the MLS system.
  - 3. The method according to claim 1, wherein the unique source addresses are Internet Protocol (“
    - IP”
      
      ) addresses.
  - 4. The method according to claim 1, wherein the security classifications classify data and/or access rights.
  - 5. The method according to claim 4, wherein the security classifications follow a hierarchical classification structure.
  - 6. The method according to claim 1, wherein the security classifications comprise a security level and a category.
  - 7. The method according to claim 1, wherein the security classifications comprise a security level and one or more categories.
  - 8. The method according to claim 1, wherein the defining and using obviate a need to explicitly specify security classification information in the outbound packets.
  - 9. The method according to claim 1, wherein the defining and using obviate a need to explicitly specify security classification information in packet headers of the outbound packets.
  - 10. The method according to claim 1, wherein the unique source addresses are aliases for the MLS system.

11. A computer program product for providing multi-level security systems, the computer program product embodied on one or more computer-usable storage media and comprising:
- computer-usable program code for defining, for each of a plurality of different security classifications to be used by a multi-level security (“
  
  MLS”
  
  ) system when sending outbound packets to at least one communication partner system, a unique source address; and
  
  computer-usable program code for using, for each of the outbound packets sent from the MLS system, the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address value in a source address field of a packet header for the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address value in the packet header, further comprising computer-usable program code for;
  
  determining the security classification associated with the outbound packet;
  
  determining the unique source address defined for the determined security classification;
  
  replacing a source address field of a packet header of the outbound packet with the determined unique source address; and
  
  forwarding the outbound packet for transmission to one of the at least one communication partner system.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product according to claim 11, wherein the unique source addresses are each Internet Protocol (“
    - IP”
      
      ) addresses.
  - 13. The computer program product according to claim 11, wherein the security classifications comprise a security level and a category.
  - 14. The computer program product according to claim 11, wherein the unique source addresses are aliases for the MLS system.

15. A computer-implemented method of communicating security classifications, comprising:
- defining, for a multi-level security (“
  
  MLS”
  
  ) system that supports user sessions with a communication partner, the supported user sessions having a plurality of different security classifications, a unique source address to represent each unique one of the security classifications, wherein each of the unique source addresses is associated with the MLS system; and
  
  using the defined unique source addresses in outbound packets sent from the MLS system to the communication partner, further comprising;
  
  selecting, for each outbound packet to be sent from the MLS system to the communication partner, the unique source address defined to represent the security classification of the outbound packet;
  
  replacing a source address field of the outbound packet with the selected unique source address; and
  
  sending the outbound packet to the communication partner, wherein the communication partner is adapted for associating the selected unique source address with the security classification of the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
LiVecchi, Patrick Michael
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PAN, PEILIANG

Application Number

US11/769,348
Publication Number

US 20070250921A1
Time in Patent Office

1,147 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 380/200, 380/201, 380/255, 380/277, 726/2, 709/230, 725/25, 725/27
US Class Current

713/166
CPC Class Codes

H04L 63/105 Multiple levels of security

Multi-level security systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level security systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links