Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

US 8,037,530 B1
Filed: 08/10/2001
Issued: 10/11/2011
Est. Priority Date: 08/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus for detecting adversarial activity on a network, comprising:

a memory configured to store a host table;

a key exchanger configured to repeatedly derive a cipher key such that the resulting cipher key changes over time;

a translator configured to restore predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoration including to;

extract, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,decrypt, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, andplace the restored address back into the packet header information of the data packet;

a mapping device configured to map the restored address to the host table;

a host resolution device configured to issue a request to the network to resolve the restored address when the restored address does not match an entry in the host table and to supplement the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and

an actuator configured to trigger a security device when the restored address does not match an entry in the host table.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.

55 Citations

View as Search Results

28 Claims

1. An apparatus for detecting adversarial activity on a network, comprising:
- a memory configured to store a host table;
  
  a key exchanger configured to repeatedly derive a cipher key such that the resulting cipher key changes over time;
  
  a translator configured to restore predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoration including to;
  
  extract, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,decrypt, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address, andplace the restored address back into the packet header information of the data packet;
  
  a mapping device configured to map the restored address to the host table;
  
  a host resolution device configured to issue a request to the network to resolve the restored address when the restored address does not match an entry in the host table and to supplement the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
  
  an actuator configured to trigger a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (2, 3, 4, 5, 21, 22)
- - 2. An apparatus as set forth in claim 1, wherein the security device is a logging device configured to log the data packet.
  - 3. An apparatus as set forth in claim 1, wherein the security device is configured to signal an alarm when triggered.
  - 4. An apparatus as set forth in claim 1, wherein said host resolution device is configured to derive the host table using an address resolution protocol.
  - 5. An apparatus as set forth in claim 1, further comprising:
    - a network device configured to place the data packet onto a network when the restored address maps to the host table.
  - 21. An apparatus as set forth in claim 1, the host portion of the address having been translated without the network portion also being translated, and wherein said translator is configured to restore the host portion of the address without also restoring the network portion of the address.
  - 22. An apparatus as set forth in claim 1, wherein the data packet includes a translated packet header with a plurality of fields carrying packet header information, the translated packet header including the translated packet header information in one or more predetermined fields of the translated packet header interspersed with un-translated packet header information in fields other than the one or more fields of the translated packet header, andwherein said translator is configured to restore at least a portion of the packet header information in the one or more predetermined fields.

6. A method for detecting adversarial activity on a network, comprising:
- storing a host table;
  
  repeatedly deriving a cipher key such that the resulting cipher key changes over time;
  
  restoring predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoring including;
  
  extracting, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,decrypting, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address andplacing the restored address back into the packet header information of the data packet;
  
  mapping the restored address to the host table;
  
  issuing a request to the network to resolve the restored address when the restored address does not match an entry in the host table and supplementing the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
  
  triggering a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (7, 8, 9, 10, 23, 24)
- - 7. A method as set forth in claim 6, further comprising:
    - logging the data packet when the address does not match an entry in the host table.
  - 8. A method as set forth in claim 6, further comprising:
    - signaling an alarm when the security device is triggered.
  - 9. A method as set forth in claim 6, further comprising:
    - deriving the host table using an address resolution protocol.
  - 10. A method as set forth in claim 6, further comprising:
    - placing the data packet onto a network when the restored address maps to the host table.
  - 23. A method as set forth in claim 6, the host portion of the address having been translated without the network portion also being translated, and wherein restoring predetermined portions of packet header information includes restoring the host portion of the address without also restoring the network portion of the address.
  - 24. A method as set forth in claim 6, wherein the data packet includes a translated packet header with a plurality of fields carrying packet header information, the translated packet header including the translated packet header information in one or more predetermined fields of the translated packet header interspersed with un-translated packet header information in fields other than the one or more fields of the translated packet header, and wherein restoring predetermined portions of packet header information comprises:
    - restoring at least a portion of the packet header information in the one or more predetermined fields.

11. A device for detecting adversarial activity on a network, comprising:
- means for storing a host table;
  
  means for repeatedly deriving a cipher key such that the resulting cipher key changes over time;
  
  means for restoring predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the means for restoring including;
  
  means for extracting, from the packet header information, predetermined portions of packet header data including the encrypted destination host portion of the address,means for decrypting, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address andmeans for placing the restored address back into the packet header information of the data packet;
  
  means for mapping the restored address to the host table;
  
  means for issuing a request to the network to resolve the restored address when the restored address does not match an entry in the host table and supplementing the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
  
  means for triggering a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (12, 13, 14, 15, 25, 26)
- - 12. A device as set forth in claim 11, further comprising:
    - means for logging the data packet when the restored address does not match an entry in the host table.
  - 13. A device as set forth in claim 11, further comprising:
    - means for signaling an alarm when the security device is triggered.
  - 14. A device as set forth in claim 11, further comprising:
    - means for deriving the host table using an address resolution protocol.
  - 15. A device as set forth in claim 11, further comprising:
    - means for placing the data packet onto a network when the restored address maps to the host table.
  - 25. A device as set forth in claim 11, the host portion of the address having been translated without the network portion also being translated, and wherein said means for translating predetermined portions of packet header information is configured to restore the host portion of the address without also restore the network portion of the address.
  - 26. A device as set forth in claim 11, wherein the data packet includes a translated packet header with a plurality of fields carrying packet header information, the translated packet header including the translated packet header information in one or more predetermined fields of the translated packet header interspersed with un-translated packet header information in fields other than the one or more fields of the translated packet header, and wherein said means for restoring predetermined portions of packet header information is configured to restore at least a portion of the packet header information in the one or more predetermined fields.

16. A bastion host comprising at least one computing device adapted for processing packet header information of a data packet, the bastion host being configured to:
- store a host table;
  
  repeatedly derive a cipher key such that the resulting cipher key changes over time;
  
  restore predetermined portions of packet header information of a data packet, the packet header information including a network portion of a destination address routable over a wide area network and an encrypted host portion of the address identifying a destination host, the restoring including to;
  
  extract, from the packet header information, predetermined portions of packet header data including the encrypted host portion of the address,decrypt, according to a cipher algorithm keyed by the cipher key, the extracted packet header data to determine a restored address andplace the restored address back into the packet header information of the data packet;
  
  map the restored address to the host table;
  
  issuing a request to the network to resolve the restored address when the restored address does not match an entry in the host table and supplement the host table with the restored address upon receipt of a reply to the request that indicates that the restored address is valid; and
  
  trigger a security device when the restored address does not match an entry in the host table.
- View Dependent Claims (17, 18, 19, 20, 27, 28)
- - 17. The bastion host as set forth in claim 16, the bastion host being further configured to log the data packet when the restored address does not match an entry in the host table.
  - 18. The bastion host as set forth in claim 16, the bastion host being further configured to signal an alarm when the security device is triggered.
  - 19. The bastion host as set forth in claim 16, the bastion host being further configured to derive the host table using an address resolution protocol.
  - 20. The bastion host as set forth in claim 16, the bastion host being further configured to place the data packet onto a network when the restored address maps to the host table.
  - 27. A bastion host as set forth in claim 16 the host portion of the address having been translated without the network portion also being translated, and wherein the bastion host is further configured to restore predetermined portions of packet header information including restoring the host portion of the address without also restoring the network portion of the address.
  - 28. A bastion host as set forth in claim 16, wherein the data packet includes a translated packet header with a plurality of fields carrying packet header information, the translated packet header including the translated packet header information in one or more predetermined fields of the translated packet header interspersed with un-translated packet header information in fields other than the one or more fields of the translated packet header, and wherein the bastion host is further configured to restore predetermined portions of packet header information including:
    - restoring at least a portion of the packet header information in the one or more predetermined fields of the header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Raytheon BBN Technlogies Corp. (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Fink, Russell Andrew, Brannigan, Matthew Aloysius, Evans, Shelby Alana, Almeida, Aswin Morgan
Primary Examiner(s)
Shiferaw; Eleni
Assistant Examiner(s)
Teslovich; Tamara

Application Number

US09/928,133
Time in Patent Office

3,714 Days
Field of Search

713/162, 713/154, 713/200, 713/201, 713/153, 713/160, 380/255, 726 12- 14, 726/23
US Class Current

726/23
CPC Class Codes

H04L 2101/659   Internet protocol version 6...

H04L 61/103   across network layers, e.g....

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/5014   using dynamic host configur...

H04L 63/0428   wherein the data content is...

H04L 63/068   using time-dependent keys, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/0841   involving Diffie-Hellman or...

Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links