Agile network protocol for secure communications with assured system availability

US 7,996,539 B2
Filed: 12/13/2005
Issued: 08/09/2011
Est. Priority Date: 10/30/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method of anonymously communicating data between a first node and a second node coupled via a network, comprising the steps of:

at the first node,(a) using a first algorithm to select from among a first plurality of different network addresses each of which is mapped in the network to the first node, and using each selected network address in a header of a packet that is transmitted from the first node over the network to the second node;

(b) evaluating the headers of received packets received at the first node to determine whether each header contains a network address that conforms to a second algorithm used by the second node to select from among a second plurality of different network addresses each of which is mapped in the network to the second node,(c) upon determining that the header of a received packet received at the first node contains a network address that conforms to the second algorithm, accepting the received packet for processing; and

upon determining that the header does not contain a network address that conforms to the second algorithm, rejecting the received packet for further processing; and

(d) wherein each selected network address is selected by hopping among the first plurality and second plurality of different network addresses so that the network addresses selected in each header of received packet appears random; and

wherein the first and second algorithms select each network address on a quasi-random basis.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator'"'"'s parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.

151 Citations

20 Claims

1. A method of anonymously communicating data between a first node and a second node coupled via a network, comprising the steps of:
- at the first node,(a) using a first algorithm to select from among a first plurality of different network addresses each of which is mapped in the network to the first node, and using each selected network address in a header of a packet that is transmitted from the first node over the network to the second node;
  
  (b) evaluating the headers of received packets received at the first node to determine whether each header contains a network address that conforms to a second algorithm used by the second node to select from among a second plurality of different network addresses each of which is mapped in the network to the second node,(c) upon determining that the header of a received packet received at the first node contains a network address that conforms to the second algorithm, accepting the received packet for processing; and
  
  upon determining that the header does not contain a network address that conforms to the second algorithm, rejecting the received packet for further processing; and
  
  (d) wherein each selected network address is selected by hopping among the first plurality and second plurality of different network addresses so that the network addresses selected in each header of received packet appears random; and
  
  wherein the first and second algorithms select each network address on a quasi-random basis.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the network comprises an Internet Protocol (IP) network, and wherein each network address comprises an Internet Protocol (IP) source or destination address.
  - 3. The method of claim 2, wherein:
    - step (1) comprises the step of using each selected IP address as the destination address of the second node; and
      
      step (2) comprises the step of using each selected IP address as the destination address of the first node.
  - 4. The method of claim 2, wherein:
    - step (1) comprises the step of using each selected IP address as the source address of the first node; and
      
      step (2) comprises the step of using each selected IP address as the source address of the second node.
  - 5. The method of claim 1, wherein the first and second algorithms select a different network address for each outgoing packet.

6. A method of anonymously communicating data between first and second nodes in a network, comprising the steps of:
- at the first node,(1) storing a transmit netblock comprising a plurality of pairs of source and destination IP addresses that will be used for communicating with the second node, and an algorithm for selecting pairs of source and destination IP addresses from among the plurality of pairs of source and destination IP addresses;
  
  (2) generating a plurality of IP packets each comprising one of the selected pairs or source and destination IP addresses;
  
  (3) transmitting each IP packet generated in step (2) to the second node, wherein each pair of source and destination IP addresses of the netblock are selected by hopping among the source and destination IP addresses so that the source and destination network addresses selected for each IP packet appears random; and
  
  wherein upon receipt by the first node of a plurality of IP packets from the second node, for each IP packet received;
  
  (a) determining whether the received IP packet contains a valid source and destination IP address, wherein the validity of each address is determined with reference to a second algorithm;
  
  (b) upon determining that the received IP packet contains a valid source and destination IP address, accepting the IP packet for further processing; and
  
  upon determining that the received IP packet does not contain a valid source and destination IP address, rejecting the IP packet; and
  
  wherein the first and second algorithms select each network address on a quasi-random basis.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein the algorithm selects a different pair of source and destination addresses for each IP packet transmitting in step (3).
  - 8. The method of claim 6, further comprising the step of receiving the transmit netblock and the algorithm from the second node.
  - 9. The method of claim 6, wherein the second algorithm determines whether each address is valid by generating a range of predictions encompassing a plurality of possible transmitted source and destination addresses, and comparing each address to the range of predictions.
  - 10. The method of claim 9, further comprising the step of discarding received IP packets containing an IP address that was previously received.

11. A system comprising:
- a first node configured and arranged so that data can be anonymously communicated between the first node and a second node;
  
  wherein the first node is configured and arranged so as to (a) use a first algorithm to select from among a first plurality of different network addresses each of which is mapped in the network to the first node, and (b) use each selected network address in a header of a packet that is transmitted over the network to the second node;
  
  wherein each selected network address is selected by hopping among the first plurality and second plurality of different network addresses so that the source and destination network addresses selected in each header of a packet appear random;
  
  wherein the first node is further configured and arranged so as to evaluate a the headers of received packets received at the first node to determine whether each header contains a network address that conforms to a second algorithm used by the second node; and
  
  upon determining that a header of a received packet contains a network address that conforms to the second algorithm, accept the packet for processing; and
  
  upon determining that the header does not contain a network address that conforms to the second algorithm, reject the packet for processing; and
  
  wherein the first and second algorithms select each network address on a quasi-random basis.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the network comprises an Internet Protocol (IP) network, and wherein each network address comprises an Internet Protocol (IP) source or destination address.
  - 13. The system of claim 12, wherein the first node is further configured and arranged so as to use each selected IP address as the destination address of the second node;
    - and the second node is further configured and arranged so as to use each selected IP address as the destination address of the first node.
  - 14. The system of claim 12, wherein the first node is further configured and arranged so as to use each selected IP address as the source address of the first node;
    - and second node is further configured and arranged so as to use each selected IP address as the source address of the second node.
  - 15. The system of claim 11, wherein the first and second algorithms are configured and arranged so as to select a different network address for each outgoing packet.

16. A system for anonymously communicating data between first and second nodes in a network, comprising:
- wherein the first node is configured and arranged so as to (a) store a transmit netblock comprising a plurality of pairs of source and destination IP addresses that will be used for communicating with the second node, (b) perform a first algorithm so as to select pairs of source and destination IP addresses from among the plurality of pairs of source and destination IP addresses;
  
  (c) generate a plurality of IP packets each comprising one of the selected pairs or source and destination IP addresses; and
  
  (d) transmit each IP packet generated in (c) to the second node; and
  
  wherein each pair of source and destination IP addresses of the netblock are selected by hopping among the source and destination IP addresses so that the source and destination network addresses selected for each IP packet appears random,wherein the first node is further configured and arranged so as to receive a plurality of IP packets at the first node and, for each received IP packet;
  
  (a) determine whether the received IP packet contains a valid source and destination IP address so as to indicate that the received IP packet is from the second node, and(b) the validity of each address is determined with reference to a second algorithm configured and arranged so as to determine whether the received IP packet contains a valid source and destination IP address so that (i) if valid the IP packet is further processed; and
  
  (ii) if not valid the IP packet is rejected; and
  
  wherein the first and second algorithms select each network address on a quasi-random basis.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the algorithm selects a different pair of source and destination addresses for each IP packet transmitted in (d).
  - 18. The system of claim 16, wherein the first node is further configured and arranged so as to receive the transmit netblock and the algorithm from the second node.
  - 19. The system of claim 16, wherein the second algorithm is configured and arranged so as to determine whether each address is valid by generating a range of predictions encompassing a plurality of possible transmitted source and destination addresses, and compare each address to the range of predictions.
  - 20. The system of claim 19, wherein the first node is further configured and arranged so as to further discard received IP packets containing an IP address that was previously received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VirnetX Inc. (Virnetx Holding Corporation)
Original Assignee
VirnetX Inc. (Virnetx Holding Corporation)
Inventors
Munger, Edmund Colby, Sabio, Vincent J., Short, III, Robert Dunham, Gligor, Virgil D., Schmidt, Douglas Charles
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Kim, Hee Soo

Application Number

US11/301,022
Publication Number

US 20060123134A1
Time in Patent Office

2,065 Days
Field of Search

709/226, 709/227
US Class Current

709/227
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/20   Hop count for routing purpo...

H04L 45/24   Multipath

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/30   Managing network names, e.g...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5076   Update or notification mech...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/0407   wherein the identity of one...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 69/14   Multichannel or multilink p...

H04L 9/065   Encryption by serially and ...

H04M 3/42008   Systems for anonymous commu...

Agile network protocol for secure communications with assured system availability

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Agile network protocol for secure communications with assured system availability

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links