Cross-domain object models for securely sharing information between network security domains

US 9,191,391 B1
Filed: 12/19/2014
Issued: 11/17/2015
Est. Priority Date: 12/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of network domains, each of the domains comprising a respective set of client computing devices comprising a respective one or more processors executing respective instances of at least one software application;

a cross-domain object model specification that specifies object classes for cross-domain objects, each of the objects having methods comprising code executable by the applications for accessing a plurality of data fields of the object;

a protected and distributed object repository positioned within each of the network domains; and

a controller within each of the network domains,wherein, for each of the object classes, the cross-domain object model specification defines the plurality of data fields and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains,wherein each of the object repositories stores an authorized portion of each of the cross-domain objects in accordance with the cross-domain object model specification, andwherein the controller within each of the network domains detects changes to the portions of the cross-domain objects within the respective one of the network domains and propagates versions of the changes to the controllers of the other ones of the network domains in compliance with cross-domain model specification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for controlling transfer of information in a secure manner across multiple network security domains. As described herein, cross-domain sharing may be facilitated by use of a common model that is shared by participants from the different network security domains. An example system is described in which a plurality of network domains comprises a respective set of client computing devices. A cross-domain object model specification specifies object classes for cross-domain objects accessible to the client computing devices. For each of the object classes, the cross-domain object model specification defines a plurality of data fields and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains. A protected object repository positioned within each of the network domains stores an authorized portion of each of the cross-domain objects in accordance with the cross-domain object model specification.

6 Citations

View as Search Results

30 Claims

1. A system comprising:
- a plurality of network domains, each of the domains comprising a respective set of client computing devices comprising a respective one or more processors executing respective instances of at least one software application;
  
  a cross-domain object model specification that specifies object classes for cross-domain objects, each of the objects having methods comprising code executable by the applications for accessing a plurality of data fields of the object;
  
  a protected and distributed object repository positioned within each of the network domains; and
  
  a controller within each of the network domains,wherein, for each of the object classes, the cross-domain object model specification defines the plurality of data fields and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains,wherein each of the object repositories stores an authorized portion of each of the cross-domain objects in accordance with the cross-domain object model specification, andwherein the controller within each of the network domains detects changes to the portions of the cross-domain objects within the respective one of the network domains and propagates versions of the changes to the controllers of the other ones of the network domains in compliance with cross-domain model specification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the cross-domain object model specification conforms to a syntax having an annotation for designating an object class as a cross-domain object class for which objects created according to the object class are to have a scope that spans the network domains.
  - 3. The system of claim 1, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which one or more of the network domains an associated field of the object class is to be exposed.
  - 4. The system of claim 1, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying a degree of precision a data field is to be exposed to a specific one of the network domains.
  - 5. The system of claim 1, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which actions may be applied to the cross domain object class within each of the respective network domains.
  - 6. The system of claim 1, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying that the existence of cross-domain objects created in accordance with the object class can only be known in specified ones of the network domains.
  - 7. The system of claim 1 further comprising a controller within each of the network domains that detects changes to the portions of the cross-domain objects within the respective one of the network domains and propagates versions of the changes to the controllers of the other ones of the network domains in compliance with cross-domain model specification.
  - 8. The system of claim 7, further comprising a compiler configured to compile the cross-domain object model specification and generate object code for execution within each of the plurality of domains.
  - 9. The system of claim 7,wherein each of the controllers operate to create new cross-domain objects in conformance with the cross-domain object model, andwherein, when creating the new objects, the controllers provide default values for any of the data fields not exposed to the respective domain in accordance with the cross-domain model specification.
  - 10. The system of claim 1,wherein each of the cross-domain objects is defined within the model specification to include a data structure to store identifiers for all instances of objects of that object class created throughout the plurality of network domains, andwherein the data structure is accessible in each of the network domains.
  - 11. The system of claim 1, wherein, for at least one of the cross-domain objects, none of the object repositories contain a complete portion of the object such that the entire object only exists as an aggregation of the portions of the cross-domain object stored within the plurality of network domains.

12. A method comprising:
- storing, within a protected and distributed object repository positioned within each of a plurality of network domains, a plurality of cross-domain objects, wherein each of the object repositories stores an authorized portion of each of the objects in accordance with the cross-domain object model specification, each of the objects having methods comprising code executable by the applications for accessing a plurality of data fields of the object;
  
  detecting, with respective controllers within each of the network domains, changes made to any of the cross-domain objects within the respective protect object repository; and
  
  propagating, with the respective controllers, versions of the changes to the controllers of the other domains in accordance with a cross-domain object model specification, wherein, for each of the object classes, the cross-domain object model specification defines a plurality of data fields and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprisingreceiving, with each of the controllers, requests from client computing devices within the network domain for actions to be applied to the respective portions of the cross-domain objects stored within the repositories of the respective network domains;
    - andcontrolling, with the controllers, application of the actions to the respective portions of the cross-domain objects in accordance with the cross-domain model specification.
  - 14. The method of claim 13,wherein the cross-domain object model specification conforms to a syntax having an annotation for designating an object class as a cross-domain object class for which objects created according to the object class are to have a scope that spans the network domains, andwherein controlling, with the controllers, application of the actions comprises instantiating the objects as cross-domain objects in accordance with the annotation.
  - 15. The method of claim 13,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which one or more of the network domains an associated field of the object class is to be exposed, andwherein controlling, with the controllers, application of the actions comprises controlling reading and writing of the field of the cross-domain object in accordance with the annotation.
  - 16. The method of claim 13,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying a degree of precision a data field is to be exposed to a specific one of the network domains, andwherein controlling, with the controllers, application of the actions comprises controlling reading and writing of an attribute of the field of the cross-domain object in accordance with the annotation.
  - 17. The method of claim 13, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which actions may be applied to the cross domain object class within each of the respective network domains.
  - 18. The method of claim 13,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying that the existence of cross-domain objects created in accordance with the object class can only be known in specified ones of the network domains, andwherein controlling, with the controllers, application of the actions comprises controlling, in each of the network domains, access to an identifier indicative of an existence of the cross-domain object in accordance with the annotation.

19. A cross-domain object model controller comprising a processor configured to:
- detect changes made to any of a plurality of cross-domain objects in a protected and distributed object repository, wherein each of the objects comprises an authorized portion of a cross-domain object for a respective one of a plurality of network domains in accordance with the cross-domain object model specification, each of the objects having methods comprising code executable by the applications for accessing a plurality of data fields of the object;
  
  propagate versions of changes to controllers of the other network domains in accordance with the cross-domain object model specification, wherein, for each of the object classes, the cross-domain object model specification defines a plurality of data fields and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The controller of claim 19, wherein the processor is configured to:
    - receive requests from client computing devices within the network domain for actions to be applied to the respective portions of the cross-domain objects stored within the repositories of the respective network domains; and
      
      control application of the actions to the respective portions of the cross-domain objects in accordance with the cross-domain model specification.
  - 21. The controller of claim 20,wherein the cross-domain object model specification conforms to a syntax having an annotation for designating an object class as a cross-domain object class for which objects created according to the object class are to have a scope that spans the network domains;
    - andwherein, in response to the requests, the controller instantiates the objects as cross-domain objects in accordance with the annotation.
  - 22. The controller of claim 20,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which one or more of the network domains an associated field of the object class is to be exposed, andwherein, in response to the requests, the controller controls reading and writing of the field of the cross-domain object in accordance with the annotation.
  - 23. The controller of claim 20,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying a degree of precision a data field is to be exposed to a specific one of the network domains, andwherein, in response to the requests, the controller is configured to control reading and writing of an attribute of the field of the cross-domain object in accordance with the annotation.
  - 24. The controller of claim 20, wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying which actions may be applied to the cross domain object class within each of the respective network domains.
  - 25. The controller of claim 20,wherein the cross-domain object model specification conforms to a syntax having an annotation for specifying that the existence of cross-domain objects created in accordance with the object class can only be known in specified ones of the network domains, andwherein, in response to the request, the controller controls access to an identifier indicative of an existence of the cross-domain object in accordance with the annotation.
  - 26. The controller of claim 19, wherein each of the controllers includes an annotation processor that parses the model specification and enforces specifications set forth therein.
  - 27. The controller of claim 19,wherein controller operates to create new cross-domain objects in conformance with the cross-domain object model, andwherein, when creating the new objects, the controller provides default values for any of the data fields not exposed to the respective domain in accordance with the cross-domain model specification.
  - 28. The controller of claim 19,wherein each of the cross-domain objects is defined within the model specification to include a data structure to store identifiers for all instances of objects of that object class created throughout the plurality of network domains, andwherein the data structure is accessible in each of the network domains.
  - 29. The controller of claim 19, wherein, for at least one of the cross-domain objects, none of the object repositories contain a complete portion of the object such that the entire object only exists as an aggregation of the portions of the cross-domain object stored within the plurality of network domains.

30. A non-transitory computer-readable storage medium storing commands that, when executed, cause one or more processors of a computing device to:
- receive requests from client computing devices within a network domain for application of actions to portions of cross-domain objects stored within the network domain in a protected and distributed object repository, wherein each of the cross-domain objects comprises an authorized portion of a respective cross-domain object in accordance with a cross-domain object model specification, each of the objects having methods comprising code executable by the applications for accessing a plurality of data fields of the object, wherein the cross-domain object model specification defines a plurality of data fields for object classes for the cross-domain objects and specifies which of the data fields of the respective object class can be exposed to each of the respective network domains;
  
  control application of the actions to the portion of the cross-domain objects stored within the network domain in accordance with the cross-domain model specification;
  
  detects changes to the portion of the cross-domain objects within the network domain; and
  
  propagate versions of the changes of the portion of the cross-domain objects stored within the network domain to one or more controllers of the other network domains in accordance with the cross-domain object model specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Stillerman, Matthew A.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US14/577,741
Time in Patent Office

333 Days
Field of Search

726/30
US Class Current

1/1
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Cross-domain object models for securely sharing information between network security domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-domain object models for securely sharing information between network security domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links