Methods and apparatus for secure, stealthy and reliable transmission of alert messages from a security alerting system

US 9,160,539 B1
Filed: 06/29/2012
Issued: 10/13/2015
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method performed by a host for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource, comprising the steps of:

obtaining said alert message from said Security Alerting System;

encrypting said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner;

storing said encrypted alert message in a buffer, wherein said buffer is local to said host and has a fixed size; and

transmitting said encrypted alert message from said buffer over a communication channel to said server.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for secure transmission of alert messages over a message locking channel. An alert message is transmitted from a Security Alerting System indicating a potential compromise of a protected resource by obtaining the alert message from the Security Alerting System; authenticating the alert message using a secret key known by a server, wherein the secret key evolves in a forward-secure manner; storing the authenticated alert message in a buffer; and transmitting the buffer to the server. The alert message is authenticated by digitally signing the alert message or applying a message authentication code and is possibly encrypted using a secret key known by a server, wherein the secret key evolves in a forward-secure manner. The authenticated alert message can be maintained in the buffer after the transmitting step. The buffer optionally has a fixed-size and alert messages can be stored in a round-robin manner, for example, from a random position. The buffer can be encrypted prior to transmission to the server.

Citations

52 Claims

1. A method performed by a host for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource, comprising the steps of:
- obtaining said alert message from said Security Alerting System;
  
  encrypting said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner;
  
  storing said encrypted alert message in a buffer, wherein said buffer is local to said host and has a fixed size; and
  
  transmitting said encrypted alert message from said buffer over a communication channel to said server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 50)
- - 2. The method of claim 1, wherein said alert messages permit real-time detection of said potential compromise of said protected resource.
  - 3. The method of claim 1, further comprising the steps of deleting said secret key after use and storing a new secret key.
  - 4. The method of claim 1, wherein said encrypted alert message is maintained in said buffer after said transmitting step.
  - 5. The method of claim 4, further comprising the step of redundantly transmitting said encrypted alert message from said buffer to said server.
  - 6. The method of claim 1, further comprising the step of periodically transmitting one or more encrypted alert messages from said buffer to said server.
  - 7. The method of claim 6, further comprising the step of determining whether said periodic transmissions of said one or more encrypted alert messages from said buffer reach said server.
  - 8. The method of claim 6, wherein said periodic transmissions of said one or more encrypted alert messages from said buffer are transmitted with a period.
  - 9. The method of claim 1, wherein a plurality of said encrypted alert messages is stored in said buffer in a round-robin manner.
  - 10. The method of claim 9, wherein said plurality of said encrypted alert messages is stored in said buffer in said round-robin manner starting from a random entry in said buffer.
  - 11. The method of claim 1, further comprising the step of encrypting a content of said buffer prior to said transmitting step.
  - 12. The method of claim 1, wherein a size and transmission rate of said buffer are selected such that a stream of said encrypted alert messages received by said server introduces a gap that satisfies one or more predefined criteria.
  - 13. The method of claim 1, further comprising the step of detecting a gap rule failure if said server receives two consecutive non-overlapping buffer contents.
  - 14. The method of claim 1, further comprising the step of said server evaluating sequence numbers of a plurality of decrypted alert messages to detect a gap in received alert messages, wherein a content of said buffer is sent to said server using a push transmission model.
  - 15. The method of claim 1, further comprising the step of performing said method in a plurality of enterprise devices and wherein said server comprises a Security Information Event Management (SIEM) system.
  - 50. The method of claim 1, wherein said buffer has said fixed size regardless of a number of said alert messages.

16. A method performed by a host for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource, comprising the steps of:
- obtaining said alert message;
  
  encrypting said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner;
  
  storing said encrypted alert message in a buffer, wherein said encrypted alert message is maintained in said buffer after a transmitting step, wherein said buffer is local to said host and has a fixed size; and
  
  transmitting said encrypted alert message from said buffer over a communication channel to said server.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16, wherein said step of encrypting said alert message comprises one or more of digitally signing said alert message and applying a message authentication code to said alert message.
  - 18. The method of claim 16, wherein said alert messages permit real-time detection of said potential compromise of said protected resource.
  - 19. The method of claim 16, further comprising the step of redundantly transmitting said encrypted alert message from said buffer to said server.
  - 20. The method of claim 16, further comprising the step of periodically transmitting one or more encrypted alert messages from said buffer to said server.
  - 21. The method of claim 16, wherein a plurality of said encrypted alert messages is stored in said buffer in a round-robin manner.
  - 22. The method of claim 21, wherein said plurality of said encrypted alert messages is stored in said buffer in said round-robin manner starting from a random entry in said buffer.
  - 23. The method of claim 16, further comprising the step of encrypting a content of said buffer prior to said transmitting step.
  - 24. The method of claim 16, further comprising the step of detecting a gap rule failure if said server receives contents of two consecutive non-overlapping buffers, wherein said content of said buffer is sent to said server using a push transmission model.
  - 25. The method of claim 16, further comprising the step of said server evaluating sequence numbers of a plurality of decrypted alert messages to detect a gap in received alert messages.

26. A host system for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource, comprising:
- a bufferer to;
  
  (i) obtain said alert message from an alerter that generates said alert message when one or more predefined alert rules are violated;
  
  (ii) encrypt said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner; and
  
  (iii) store said encrypted alert message in a buffer, wherein said buffer is local to said host system and has a fixed size; and
  
  a transmitter to transmit said encrypted alert message from said buffer over a communication channel to said server, wherein said server comprises a receiver for receiving said buffer from said transmitter and a decrypter for processing said buffer.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 51)
- - 27. The host system of claim 26, further comprising a message locking channel between said bufferer and said decrypter, wherein said message locking channel comprises a cryptographic communication channel between said transmitting system and said server.
  - 28. The host system of claim 27, wherein said message locking channel is agnostic to a content of said alert message.
  - 29. The host system of claim 27, wherein said message locking channel provides a mechanism for detection of one or more of modification, reordering and tampering of a plurality of said alert messages in said buffer.
  - 30. The host system of claim 27, wherein said bufferer is further configured to encrypt a content of said buffer prior to transmission by said transmitter.
  - 31. The host system of claim 30, wherein said bufferer encrypts said content of said buffer in response to a Wrap operation from said transmitter.
  - 32. The host system of claim 27, wherein said bufferer updates said secret key in said forward-secure manner.
  - 33. The host system of claim 27, wherein said bufferer receives a Write operation from said alerter to insert said alert message in said buffer.
  - 34. The host system of claim 27, wherein said decrypter performs a cryptographic unwrapping of a received transmitted encrypted alert message.
  - 35. The host system of claim 27, wherein said decrypter verifies an integrity of a received transmitted encrypted alert message.
  - 36. The host system of claim 35, wherein said decrypter generates a message indicating a corruption of said received transmitted encrypted alert message.
  - 37. The host system of claim 35, wherein said decrypter labels constituent encrypted alert messages from said transmitter with buffer sequence numbers.
  - 38. The host system of claim 27, wherein said transmitter interacts with a gap checker at said server that identifies a lost alert message.
  - 39. The host system of claim 38, wherein said lost alert message is generated for one or more of a dropped buffer content and a suppressed buffer content.
  - 40. The host system of claim 38, wherein said lost alert message is generated if an alert message in said buffer is overwritten.
  - 41. The host system of claim 38, wherein said gap checker evaluates sequence numbers of a plurality of decrypted alert messages.
  - 51. The host system of claim 26, wherein said buffer has said fixed size regardless of a number of said alert messages.

42. A host apparatus for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource, the apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to implement the following steps;
  
  obtain said alert message from said Security Alerting System;
  
  encrypt said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner;
  
  store said encrypted alert message in a buffer, wherein said buffer is local to said host apparatus and has a fixed size; and
  
  transmit said encrypted alert message from said buffer over a communication channel to said server.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 52)
- - 43. The host apparatus of claim 42, wherein said alert messages permit real-time detection of said potential compromise of said protected resource.
  - 44. The host apparatus of claim 42, wherein said encrypted alert message is maintained in said buffer after said transmitting step.
  - 45. The host apparatus of claim 44, wherein one or more encrypted alert messages from said buffer is one or more of redundantly and periodically transmitted to said server.
  - 46. The host apparatus of claim 42, wherein a plurality of said alert messages is stored in said buffer in a round-robin manner.
  - 47. The host apparatus of claim 42, wherein a content of said buffer is encrypted prior to said transmission.
  - 48. The host apparatus of claim 42, wherein said at least one hardware device is further configured to interact with a gap checker at said server that evaluates sequence numbers of a plurality of said alert messages to detect a gap in said alert messages.
  - 52. The host apparatus of claim 42, wherein said buffer has said fixed size regardless of a number of said alert messages.

49. An article of manufacture comprising a non-transitory machine-readable recordable storage medium for storing one or more software programs to transmit by a host an alert message from a Security Alerting System indicating a potential compromise of a protected resource, wherein the one or more software programs when executed by one or more processing devices implement the following steps:
- obtaining said alert message from said Security Alerting System;
  
  encrypting said alert message using a single function that implements an authenticated encryption scheme that employs a secret key known by a server, wherein said secret key evolves in a forward-secure manner;
  
  storing said encrypted alert message in a buffer, wherein said buffer is local to said host and has a fixed size; and
  
  transmitting said encrypted alert message from said buffer over a communication channel to said server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Juels, Ari, Triandopoulos, Nikolaos, Bowers, Kevin, Hart, Catherine
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BELL, KALISH K

Application Number

US13/537,981
Time in Patent Office

1,201 Days
Field of Search

713150-152, 713/160, 713/161, 713/168, 713/176
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2107   File encryption

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Methods and apparatus for secure, stealthy and reliable transmission of alert messages from a security alerting system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for secure, stealthy and reliable transmission of alert messages from a security alerting system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links