Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor
First Claim
1. An apparatus for detecting adversarial activity on a network, comprising:
- a memory configured to store a host table;
- a key exchanger configured to repeatedly derive a cipher key such that the resulting cipher key changes over time;
- a translator configured to restore predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoration including to:
  - extract, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,
  - decrypt, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, and
  - place the restored address back into the packet header information of the data packet;
- a mapping device configured to map the restored address to the host table;
- a host resolution device configured to issue a request to the network to resolve the restored address when the restored address does not match an entry in the host table and to supplement the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
- an actuator configured to trigger a security device when the restored address does not match an entry in the host table.
9 Assignments
0 Petitions
Abstract
A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
55 Citations
28 Claims
1. An apparatus for detecting adversarial activity on a network (reproduced in full under First Claim above). - View Dependent Claims (2, 3, 4, 5, 21, 22)
6. A method for detecting adversarial activity on a network, comprising:
- storing a host table;
- repeatedly deriving a cipher key such that the resulting cipher key changes over time;
- restoring predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoring including:
  - extracting, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,
  - decrypting, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, and
  - placing the restored address back into the packet header information of the data packet;
- mapping the restored address to the host table;
- issuing a request to the network to resolve the restored address when the restored address does not match an entry in the host table and supplementing the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
- triggering a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (7, 8, 9, 10, 23, 24)
11. A device for detecting adversarial activity on a network, comprising:
- means for storing a host table;
- means for repeatedly deriving a cipher key such that the resulting cipher key changes over time;
- means for restoring predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the means for restoring including:
  - means for extracting, from the packet header information, predetermined portions of packet header data including the encrypted destination host portion of the address,
  - means for decrypting, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, and
  - means for placing the restored address back into the packet header information of the data packet;
- means for mapping the restored address to the host table;
- means for issuing a request to the network to resolve the restored address when the restored address does not match an entry in the host table and for supplementing the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
- means for triggering a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (12, 13, 14, 15, 25, 26)
16. A bastion host comprising at least one computing device adapted for processing packet header information of a data packet, the bastion host being configured to:
- store a host table;
- repeatedly derive a cipher key such that the resulting cipher key changes over time;
- restore predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoring including to:
  - extract, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,
  - decrypt, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, and
  - place the restored address back into the packet header information of the data packet;
- map the restored address to the host table;
- issue a request to the network to resolve the restored address when the restored address does not match an entry in the host table and supplement the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
- trigger a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (17, 18, 19, 20, 27, 28)
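The claims fix the data path (derive a time-varying key, decrypt only the host portion of the destination address, map the result to a host table, resolve unknowns, trigger a security device) but leave the cipher, the key exchanger and the relative order of resolution and alerting open. The following is an added example, not code from the patent (the patent text contains none), that models that path in Python under stated assumptions: the key exchanger is realised as derivation from a pre-shared secret and the current time epoch, so both ends stay synchronised without a message per rotation; the cipher is a keyed permutation of the host field, so a translated address is still a valid address inside the same routable prefix; the host field is an IPv4 /24; and an unknown restored address is resolved first, with the actuator firing only when resolution fails. The 60-second epoch, the class and function names, the secret and every address are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

EPOCH_SECONDS = 60  # assumed rotation interval; the claims only require that the key change over time


def derive_key(shared_secret: bytes, epoch: int) -> bytes:
    """Key exchanger (assumed form): both ends derive the epoch key from a pre-shared
    secret and the clock, so they stay in step without exchanging a message per rotation."""
    return hmac.new(shared_secret, b"dat-epoch|" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def host_permutation(key: bytes, host_bits: int) -> tuple[list[int], list[int]]:
    """Cipher for the host field (assumed form): a keyed permutation of all 2**host_bits host
    numbers, built by Fisher-Yates with HMAC(key, i) as the randomness. Returns (forward, inverse).
    Practical only for small host fields; a /16 or longer prefix is assumed."""
    n = 1 << host_bits
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        r = int.from_bytes(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()[:8], "big")
        j = r % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    inverse = [0] * n
    for plain, enc in enumerate(perm):
        inverse[enc] = plain
    return perm, inverse


@dataclass
class AddressTranslationSensor:
    """Translator, mapping device, host resolution device and actuator of claim 1 in one object."""
    shared_secret: bytes
    prefixlen: int                          # network portion stays in the clear and routable
    host_table: set[str]                    # the host table held in memory
    resolver: Callable[[str], bool]         # asks the network whether a restored address is valid
    actuator: Callable[[str, str], None]    # triggers the security device with (on-wire, restored)
    _cache: dict[int, tuple[list[int], list[int]]] = field(default_factory=dict)

    @property
    def host_bits(self) -> int:
        return 32 - self.prefixlen

    def _tables(self, now: float) -> tuple[list[int], list[int]]:
        """Rebuild the permutation whenever the epoch, and therefore the key, has moved on."""
        epoch = int(now // EPOCH_SECONDS)
        if epoch not in self._cache:
            self._cache[epoch] = host_permutation(derive_key(self.shared_secret, epoch), self.host_bits)
        return self._cache[epoch]

    def _split(self, addr: str) -> tuple[int, int]:
        n = int(ipaddress.IPv4Address(addr))
        return n >> self.host_bits, n & ((1 << self.host_bits) - 1)

    def _join(self, network: int, host: int) -> str:
        return str(ipaddress.IPv4Address((network << self.host_bits) | host))

    def encrypt(self, dst: str, now: float) -> str:
        """Sending side: translate only the host portion of the destination address."""
        network, host = self._split(dst)
        forward, _ = self._tables(now)
        return self._join(network, forward[host])

    def inspect(self, dst_on_wire: str, now: float) -> tuple[str, str]:
        """Receiving side: restore the address, map it to the host table, resolve an unknown
        address, and fire the actuator if it is still unknown. Returns (restored, verdict)."""
        network, enc_host = self._split(dst_on_wire)
        _, inverse = self._tables(now)
        restored = self._join(network, inverse[enc_host])   # placed back into the header
        if restored in self.host_table:                      # mapping device
            return restored, "accept"
        if self.resolver(restored):                          # host resolution device
            self.host_table.add(restored)                    # supplement the host table
            return restored, "learned"
        self.actuator(dst_on_wire, restored)                 # actuator: trigger security device
        return restored, "alert"


def demo() -> tuple[dict[str, tuple[str, str]], list[tuple[str, str]]]:
    """Constructed scenario: a /24 with two tabled hosts, one live host not yet tabled,
    a probe to an unused address, and a replay of an address translated two epochs ago."""
    live_hosts = {"10.1.2.7", "10.1.2.8", "10.1.2.9"}   # what the simulated network answers for
    alerts: list[tuple[str, str]] = []
    sensor = AddressTranslationSensor(
        shared_secret=b"constructed-demo-secret",
        prefixlen=24,
        host_table={"10.1.2.7", "10.1.2.8"},
        resolver=lambda addr: addr in live_hosts,
        actuator=lambda wire, restored: alerts.append((wire, restored)),
    )
    t0 = 1_700_000_000.0
    results = {
        "known_host": sensor.inspect(sensor.encrypt("10.1.2.7", t0), t0),
        "new_live_host": sensor.inspect(sensor.encrypt("10.1.2.9", t0), t0),
        "probe_unused": sensor.inspect(sensor.encrypt("10.1.2.200", t0), t0),
        # replayed capture: translated under the key of two epochs ago, inspected under today's
        "replayed_stale": sensor.inspect(sensor.encrypt("10.1.2.7", t0 - 2 * EPOCH_SECONDS), t0),
    }
    return results, alerts
```

Two caveats follow directly from the structure of the claims. First, with an 8-bit host field a guessed or stale host portion still decrypts to one of only 256 addresses, so a probe lands on a tabled host with probability roughly (tabled hosts)/256 per packet; the scheme's value is that every miss is observable and actionable, not that the host portion is a strong secret. Second, the "learn on valid reply" path is only as trustworthy as the resolution reply: if an adversary can answer the resolution request for the restored address, that address is added to the host table and subsequent packets to it are accepted, so in a deployment the reply source must be authenticated or the learned entry treated as provisional. Tolerating clock skew by also trying the previous epoch's key is a natural extension, but it doubles the set of on-wire host values that decrypt to a tabled host.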
Specification