Multiple level security adapter

US 7,873,071 B2
Filed: 05/15/2006
Issued: 01/18/2011
Est. Priority Date: 05/15/2006
Status: Active Grant

First Claim

Patent Images

1. A computer executable method of exchanging data, the method comprising:

receiving data to be transmitted from a first protected enclave on behalf of a first application of the first protected enclave using a first protocol standard, the data having information content in a first format that is compatible with the first protocol standard, wherein the first protected enclave is associated with a first security level that limits information that can be sent from the first protect enclave;

determining whether a security gateway service that enforces the first security level is operable to determine whether the information content of the data is authorized to be accessed outside the first protected enclave based on the first security level, wherein when the first format of the data is compatible with a second protocol standard that is associated with the security gateway service, the security gateway service is operable to determine whether the information content is authorized to be accessed outside the first protected enclave;

when the first format of the data is not compatible with the second protocol standard, automatically transforming the data to a second format that enables the security gateway service to parse the information content; and

transmitting the data using the second format, to the security gateway service to determine whether the information content is authorized to be accessed outside the first protected enclave based on the first security level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In exemplary embodiments, data with a format compatible with a first protocol standard is received on behalf of a first application. When the format of the data is not compatible with a second protocol standard, the format of the data is automatically transformed to a format that is compatible with the second protocol standard. The data is transmitted to a second application service using the second protocol standard. The data may be received from the second application. When the format of the data is not compatible with a third protocol standard, the format of the data is automatically transformed to a format that is compatible with the third protocol standard. The data is transmitted on behalf of a third application using the third protocol standard. The first and third applications may be in first and second protected enclaves. The second application may include a security gateway service.

Citations

29 Claims

1. A computer executable method of exchanging data, the method comprising:
- receiving data to be transmitted from a first protected enclave on behalf of a first application of the first protected enclave using a first protocol standard, the data having information content in a first format that is compatible with the first protocol standard, wherein the first protected enclave is associated with a first security level that limits information that can be sent from the first protect enclave;
  
  determining whether a security gateway service that enforces the first security level is operable to determine whether the information content of the data is authorized to be accessed outside the first protected enclave based on the first security level, wherein when the first format of the data is compatible with a second protocol standard that is associated with the security gateway service, the security gateway service is operable to determine whether the information content is authorized to be accessed outside the first protected enclave;
  
  when the first format of the data is not compatible with the second protocol standard, automatically transforming the data to a second format that enables the security gateway service to parse the information content; and
  
  transmitting the data using the second format, to the security gateway service to determine whether the information content is authorized to be accessed outside the first protected enclave based on the first security level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 20, 21, 22, 23, 24, 25, 26, 27, 29)
- - 2. The method of claim 1, further comprising:
    - receiving the data from the security gateway service after the security gateway service parses the information content and filters the information content based on the first security level, the data having the second format;
      
      determining whether the second format is compatible with a third protocol standard, wherein the third protocol standard is associated with a second protected enclave;
      
      when the second format is not compatible with the third protocol standard, automatically transforming the data from the second format to a third format that is compatible with the third protocol standard; and
      
      transmitting the data to a second application associated with the second protected enclave using the third format.
  - 3. The method of claim 2, wherein:
    - the security gateway service filters the information content sent from the first protected enclave by parsing the information content of the data to determine whether user-generated text in the information content is authorized to be transmitted to the second protected enclave from the first protected enclave based on the first security level.
  - 4. The method of claim 1, further comprising:
    - determining whether an application layer protocol is intermixed with the data received on behalf of the first application; and
      
      when the application layer protocol is intermixed with the data received on behalf of the first application, automatically removing the intermixed application layer protocol from the data.
  - 5. The method of claim 2, wherein the first protocol standard, the second protocol standard, and the third protocol standard each include a respective transport layer protocol and a respective application layer protocol.
  - 6. The method of claim 1, wherein determining whether the security gateway service is operable to determine whether the information content of the data is authorized to be accessed outside the first protected enclave includes:
    - identifying a type of the first application; and
      
      comparing the type of the first application to a list of predetermined application types that are compatible with the security gateway service.
  - 7. The method of claim 6, wherein determining whether the security gateway service is operable to determine whether the information content of the data is authorized to be accessed outside the first protected enclave includes:
    - identifying a type of the data received on behalf of the first application; and
      
      comparing the type of the data received on behalf of the first application to a list of predetermined data types that are compatible with the security gateway service.
  - 8. The method of claim 1, wherein automatically transforming the first format of the data to the second format that is compatible with the second protocol standard is performed by an Extensible Stylesheet Language Transformations (XSLT) transformation engine.
  - 20. The method of claim 2, wherein the second protected enclave is associated with a second security level that is different than the first security level.
  - 21. The method of claim 1, wherein the security gateway service determines whether the information content is authorized to be accessed outside the first protected enclave by keyword searching the information content of the data.
  - 22. The method of claim 1, wherein the security gateway service determines whether the information content is authorized to be accessed outside the first protected enclave by applying text classification to the information content of the data.
  - 23. The method of claim 1, wherein the security gateway service determines whether the information content is authorized to be accessed outside the first protected enclave by applying data mining to the information content of the data.
  - 24. The method of claim 1, wherein determining whether the first format is compatible with the second protocol standard comprises determining whether the first format is a format recognized by the security gateway service.
  - 25. The method of claim 1, wherein the data is transformed using a generic transformation routine.
  - 26. The method of claim 1, further comprising:
    - adding a new application within the first protected enclave, wherein the new application sends second data having a new format that is not compatible with the second protocol standard; and
      
      adding a new application proxy to the first protected enclave, wherein the new application proxy receives the second data from the new application and automatically transforms the second data to the second format for transmission to the security gateway service.
  - 27. The method of claim 1, further comprising:
    - installing a new security gateway service, wherein the new security gateway service is associated with a fourth protocol standard; and
      
      adding new transformation information to a transformation service within the first protected enclave, wherein the new transformation information is usable to transform data received in the fourth protocol standard to the first format.
  - 29. The method of claim 1, wherein the first security level is associated with confidentiality of the information content, wherein the confidentiality of the information content relates to whether the information content is one of national security information, financial information, business information and personal information.

9. A non-transitory computer readable storage medium, comprising:
- computer readable program code executable by a processor to receive data to be sent from a first protected enclave on behalf of a first application using a first protocol standard, the data having information content in a first format that is compatible with the first protocol standard, wherein the first protected enclave is associated with a first security level that limits information that can be sent from the first protected enclave;
  
  computer readable program code executable by the processor to determine whether a security gateway that enforces the first security level is operable to determine whether the information content is authorized to be accessed outside the first protected enclave, wherein when the first format is compatible with a second protocol standard the security gateway is operable to determine whether the information content is authorized to be accessed outside the first protected enclave;
  
  computer readable program code executable by the processor to transform the data to a second format that is compatible with the second protocol standard when the first format is not compatible with the second protocol standard; and
  
  computer readable program code executable by the processor to transmit the data using the second format to the security gateway to determine whether the information content is authorized to be accessed outside the first protected enclave based on the first security level.
- View Dependent Claims (10, 11)
- - 10. The non-transitory computer readable storage medium of claim 9, further comprising:
    - computer readable program code executable by the processor to receive the data from the security gateway after the security gateway determines that the information content is authorized to be accessed outside the first protected enclave based on the first security level, the data having the second format;
      
      computer readable program code executable by the processor to determine whether the second format is compatible with a third protocol standard, wherein the third protocol standard is related to a second protected enclave;
      
      computer readable program code executable by the processor to transform the data to a third format that is compatible with the third protocol standard when the second format is not compatible with the third protocol standard; and
      
      computer readable program code executable by the processor to transmit the data to a second application associated with the second protected enclave using the third format.
  - 11. The non-transitory computer readable storage medium of claim 9, further comprising:
    - computer readable program code executable by the processor to determine whether an application layer protocol is intermixed with the data received on behalf of the first application; and
      
      computer readable program code executable by the processor to remove the intermixed application layer protocol from the data when the application layer protocol is intermixed with the data.

12. A system comprising:
- a first computer processing component configured to receive data to be sent out of a first protected enclave from a first application, the data having a first format compatible with a first protocol standard, wherein the first protected enclave is associated with a first security level that limits information that can be sent from the first protected enclave;
  
  a second computer processing component configured to determine whether the first format is compatible with a second protocol standard, wherein the second protocol standard is associated with a security gateway that determines whether the information content is authorized to be transmitted outside the first protected enclave based on the first security level, wherein the security gateway is operable to determine whether the information content is authorized to be accessed outside the first protected enclave when the first format of the data is compatible with a second protocol standard that is associated with the security gateway;
  
  a third computer processing component configured to automatically transform the data to a second format that is compatible with the second protocol standard when the first format is not compatible with the second protocol standard; and
  
  a fourth computer processing component configured to transmit the data using the second format to the security gateway to determine whether the information content of the data is authorized to be transmitted outside the first protected enclave based on the first security level.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 28)
- - 13. The system of claim 12, further comprising:
    - a fifth computer processing component configured to receive the data from the security gateway after the security gateway determines that the information content is authorized to be transmitted outside the first protected enclave, the data having the second format;
      
      a sixth computer processing component configured to determine whether the second format is compatible with a third protocol standard, wherein the third protocol standard defines a second security level associated with a second protected enclave;
      
      a seventh computer processing component configured to automatically transform the data to a third format that is compatible with the third protocol standard when the second format is not compatible with the third protocol standard; and
      
      an eighth computer processing component configured to transmit the data to a second application associated with the second protected enclave using the third format.
  - 14. The system of claim 13, wherein the first, second, third, and fourth computer processing components are provided within the first protected enclave and the security gateway is outside the first protected enclave.
  - 15. The system of claim 14, wherein the security gateway implements a security gateway service that parses the data to determine the information content of the data, and filters the data based on the information content of the data and based on the first security level.
  - 16. The system of claim 15, wherein the fifth, sixth, seventh, and eighth computer processing components are provided within the first protected enclave.
  - 17. The system of claim 12, further comprising:
    - a ninth computer processing component configured to determine whether an application layer protocol is intermixed with the data received from the first application; and
      
      a tenth computer processing component configured to, when the application layer protocol is intermixed with the data received from the first application, automatically remove the intermixed application layer protocol from the data.
  - 18. The system of claim 12, wherein the second computer processing component includes:
    - an eleventh computer processing component configured to identify a type of the first application; and
      
      a twelfth computer processing component configured to compare the type of the first application to a list of predetermined application types that are compatible with the security gateway to determine whether the first format is compatible with the second protocol standard.
  - 19. The system of claim 18, wherein the second computer processing component further includes:
    - a thirteenth computer processing component configured to identify a type of the data received from the first application; and
      
      a fourteenth computer processing component configured to compare the type of the data to a list of predetermined data types that are compatible with the security gateway to determine whether the first format is compatible with the second protocol standard.
  - 28. The system of claim 12, wherein the first computer processing component, the second computer processing component, the third computer processing component, and the fourth computer processing component reside in a router separate from the security gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Arnold, Steven L., Hartman, Brett, Murphy, Michael J., Kwok, Samuel C., Donofrio, Thomas E., Balza, Richard M., Ung, Kevin Y.
Primary Examiner(s)
Ngo; Ricky
Assistant Examiner(s)
Zaidi; Iqbal

Application Number

US11/434,313
Publication Number

US 20070263658A1
Time in Patent Office

1,709 Days
Field of Search

370200-253, 370272-309, 370431-546
US Class Current

370/466
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 69/08 Protocols for interworking;...

Multiple level security adapter

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple level security adapter

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links