Security alerting system with dynamic buffer size adaptation
Abstract
A Security Alerting System is provided with dynamic buffer size adaptation. An alert message from a Security Alerting System indicating a potential compromise of a protected resource is transmitted by obtaining the alert message from the Security Alerting System; authenticating the alert message using a secret key known by a server, wherein the secret key evolves in a forward-secure manner; storing the authenticated alert message in a buffer, wherein a size of the buffer is based on a connection history of the Security Alerting System; and transmitting the buffer to the server. The alert message can optionally be encrypted. The buffer can be increased in proportion to the duration of a disruption of the connection. The size of the buffer can be increased by adding buffer slots at the location of the current write pointer index. Techniques are also disclosed for detecting truncation attacks and alert message gaps. Alert messages can have a variable size by writing an alert message into consecutive buffer slots.
Claims

1. A method performed by a host for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource to a server, comprising:
obtaining, by at least one processing device of said host, said alert message from said Security Alerting System;
authenticating, by at least one processing device of said host, said alert message using a secret key known by said server, wherein said secret key evolves in a forward-secure manner;
storing, by at least one processing device of said host, said authenticated alert message in a buffer that is local to said host, wherein a size of said buffer is based on a connection history of said Security Alerting System, wherein said connection history comprises a time duration since a last connection with said server, wherein said size of said buffer is increased based on a number of time intervals that have passed since a last alert message transmission and an increment size of the buffer per time interval;
storing a current write pointer index value and a forward secure counter indicating a number of buffer adaptations in said buffer; and
transmitting, by at least one processing device of said host, said authenticated alert message from said buffer over a communication channel to said server.

2. The method of claim 1, wherein said authenticating step further comprises the step of encrypting said alert message.

3. The method of claim 1, wherein said size of said buffer is increased in proportion to a time duration of a disruption of said connection.

4. The method of claim 1, wherein said size of said buffer is increased to a size R S(l 1), where R is an initial size of said buffer, l denotes said number of time intervals that have passed since said last alert message transmission and S denotes said increment of the buffer size per time interval.

5. The method of claim 1, wherein said size of said buffer is increased by adding buffer slots at a location of a current write pointer index.

6. The method of claim 1, further comprising the step of evaluating sequence numbers of a plurality of said alert messages to detect a gap in said alert messages.

7. The method of claim 1, further comprising the step of detecting a truncation attack based on generating different cryptographic keys for protection of inserted messages into said buffers and transmitted contents of said buffers, wherein said cryptographic keys for protection of inserted messages into said buffers are generated in a forward-secure manner in a same order that said messages are inserted in the buffer and wherein said cryptographic keys for protection of transmitted contents of said buffers are generated in a forward-secure manner in a same order that said contents of said buffers are transmitted over a network, wherein each cryptographic key is identified as being one of a “message” protection key and a “buffer” protection key.

8. The method of claim 1, further comprising the step of detecting a truncation attack based on an alert message m* written in the buffer when said size of said buffer is adjusted.

9. The method of claim 1, wherein said alert message has a variable size by writing said alert message into a plurality of consecutive slots of said buffer.

10. The method of claim 1, further comprising the step of reducing said size of said buffer when said connection is re-established.

11. The method of claim 10, wherein said reduction is delayed until a predefined number of said buffers have been transmitted on said re-established connection.

12. A non-transitory machine-readable recordable storage medium for transmitting by a host an alert message from a Security Alerting System indicating a potential compromise of a protected resource to a server, wherein said non-transitory machine-readable recordable storage medium stores one or more software programs, wherein the one or more software programs when executed by one or more processing devices implement steps comprising:
obtaining, by at least one processing device of said host, said alert message from said Security Alerting System;
authenticating, by at least one processing device of said host, said alert message using a secret key known by said server, wherein said secret key evolves in a forward-secure manner;
storing, by at least one processing device of said host, said authenticated alert message in a buffer that is local to said host, wherein a size of said buffer is based on a connection history of said Security Alerting System, wherein said connection history comprises a time duration since a last connection with said server, wherein said size of said buffer is increased based on a number of time intervals that have passed since a last alert message transmission and an increment size of the buffer per time interval;
storing a current write pointer index value and a forward secure counter indicating a number of buffer adaptations in said buffer; and
transmitting, by at least one processing device of said host, said authenticated alert message from said buffer over a communication channel to said server.

13. An apparatus of a host for transmitting an alert message from a Security Alerting System indicating a potential compromise of a protected resource to a server, the apparatus comprising:
a memory; and
at least one processing device, coupled to the memory, operative to implement the following steps:
obtaining, by said at least one processing device of said host, said alert message from said Security Alerting System;
authenticating, by at least one processing device of said host, said alert message using a secret key known by said server, wherein said secret key evolves in a forward-secure manner;
storing, by at least one processing device of said host, said authenticated alert message in a buffer that is local to said host, wherein a size of said buffer is based on a connection history of said Security Alerting System, wherein said connection history comprises a time duration since a last connection with said server, wherein said size of said buffer is increased based on a number of time intervals that have passed since a last alert message transmission and an increment size of the buffer per time interval, wherein said at least one processing device is further configured to store a current write pointer index value and a forward secure counter indicating a number of buffer adaptations in said buffer; and
transmitting, by at least one processing device of said host, said authenticated alert message from said buffer over a communication channel to said server.

14. The apparatus of claim 13, wherein said authentication of said alert message further comprises an encryption of said alert message.

15. The apparatus of claim 13, wherein said size of said buffer is increased in proportion to a time duration of a disruption of said connection.

16. The apparatus of claim 13, wherein said size of said buffer is increased to a size R S(l 1), where R is an initial size of said buffer, l denotes said number of time intervals that have passed since said last alert message transmission and S denotes said increment of the buffer size per time interval.

17. The apparatus of claim 13, wherein said size of said buffer is increased by adding buffer slots at a location of a current write pointer index.

18. The apparatus of claim 13, wherein said at least one processing device is further configured to evaluate sequence numbers of a plurality of said alert messages to detect a gap in said alert messages.

19. The apparatus of claim 13, wherein said at least one processing device is further configured to detect a truncation attack based on generating different cryptographic keys for protection of inserted messages into said buffers and transmitted contents of said buffers, wherein said cryptographic keys for protection of inserted messages into said buffers are generated in a forward-secure manner in a same order that said messages are inserted in the buffer and wherein said cryptographic keys for protection of transmitted contents of said buffers are generated in a forward-secure manner in a same order that said contents of said buffers are transmitted over a network, wherein each cryptographic key is identified as being one of a “message” protection key and a “buffer” protection key.

20. The apparatus of claim 13, wherein said at least one processing device is further configured to detect a truncation attack based on an alert message m* written in the buffer when said size of said buffer is adjusted.

21. The apparatus of claim 13, wherein said alert message has a variable size by writing said alert message into a plurality of consecutive slots of said buffer.

22. The apparatus of claim 13, further comprising the step of reducing said size of said buffer when said connection is re-established.

23. The apparatus of claim 22, wherein said reduction is delayed until a predefined number of said buffers have been transmitted on said re-established connection.
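The following Python sketch is an added illustration of the mechanism the claims describe; it is not code from the patent and makes its own choices where the claims leave details open. It models a host that holds a slot buffer of alerts, grows the buffer by S slots per elapsed interval (inserting the new slots at the write pointer, as in claims 5 and 17), authenticates each alert with a per-message key that is evolved by a one-way hash after every write (forward security), derives separate "message" and "buffer" protection chains from one shared secret (claims 7 and 19), ships the buffer with its write pointer and adaptation counter in an authenticated header, and has the server detect sequence-number gaps (claims 6 and 18). The shared seed, the growth rule written as R + S·l, the HMAC-SHA-256 construction and the sample alerts are all assumptions of this example.

```python
"""Forward-secure alert buffer whose size grows with time since the last upload.
Added example (not the patent's code); seed, growth rule and MAC choice are assumptions."""
import hashlib
import hmac
import json


def evolve(key: bytes) -> bytes:
    """One forward-secure step: key_{i+1} = H(key_i). The caller discards key_i."""
    return hashlib.sha256(b"evolve|" + key).digest()


def derive(seed: bytes, label: bytes) -> bytes:
    """Separate the "message" and "buffer" protection chains from one shared secret."""
    return hashlib.sha256(label + b"|" + seed).digest()


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AlertHost:
    def __init__(self, seed: bytes, initial_slots: int, slots_per_interval: int):
        self.msg_key = derive(seed, b"message")   # advanced once per stored alert
        self.buf_key = derive(seed, b"buffer")    # advanced once per transmission
        self.R, self.S = initial_slots, slots_per_interval
        self.slots = [None] * initial_slots
        self.write_ptr = self.seq = self.adaptations = self.intervals = 0

    def interval_elapsed(self) -> None:
        """No successful upload this interval: grow toward R + S*l slots."""
        self.intervals += 1
        extra = self.R + self.S * self.intervals - len(self.slots)
        if extra > 0:
            # New slots go in at the write pointer so ring order is preserved.
            self.slots[self.write_ptr:self.write_ptr] = [None] * extra
            self.adaptations += 1

    def record(self, alert: str) -> None:
        body = json.dumps({"seq": self.seq, "alert": alert}, sort_keys=True)
        self.slots[self.write_ptr] = {"body": body, "mac": mac(self.msg_key, body.encode())}
        self.write_ptr = (self.write_ptr + 1) % len(self.slots)
        self.seq += 1
        self.msg_key = evolve(self.msg_key)   # the key that signed this alert is gone

    def transmit(self) -> dict:
        """Ship the whole buffer plus header, bound by the current buffer key."""
        header = {"write_ptr": self.write_ptr, "adaptations": self.adaptations,
                  "entries": [s for s in self.slots if s is not None]}
        blob = json.dumps(header, sort_keys=True)
        packet = {"blob": blob, "mac": mac(self.buf_key, blob.encode())}
        self.buf_key = evolve(self.buf_key)
        self.intervals = 0
        return packet


class AlertServer:
    def __init__(self, seed: bytes):
        self.msg_key = derive(seed, b"message")
        self.buf_key = derive(seed, b"buffer")
        self.next_seq = 0   # first sequence number not yet delivered

    def receive(self, packet: dict):
        """Return (accepted alerts, detected problems) for one uploaded buffer."""
        problems, accepted = [], []
        if not hmac.compare_digest(packet["mac"], mac(self.buf_key, packet["blob"].encode())):
            return accepted, ["buffer MAC invalid: tampered or replayed transmission"]
        self.buf_key = evolve(self.buf_key)
        header = json.loads(packet["blob"])
        for entry in sorted(header["entries"], key=lambda e: json.loads(e["body"])["seq"]):
            seq = json.loads(entry["body"])["seq"]
            if seq < self.next_seq:
                continue   # delivered by an earlier upload; slot not yet overwritten
            if seq > self.next_seq:   # sequence-number gap: alerts were lost or removed
                problems.append(f"gap: alerts {self.next_seq}..{seq - 1} missing")
                for _ in range(seq - self.next_seq):
                    self.msg_key = evolve(self.msg_key)
                self.next_seq = seq
            if not hmac.compare_digest(entry["mac"], mac(self.msg_key, entry["body"].encode())):
                problems.append(f"message MAC invalid at seq {seq}")
                break
            accepted.append(json.loads(entry["body"])["alert"])
            self.next_seq += 1
            self.msg_key = evolve(self.msg_key)
        return accepted, problems


def demo() -> dict:
    seed = b"constructed-shared-secret"   # placeholder; provisioned out of band in practice
    host = AlertHost(seed, initial_slots=4, slots_per_interval=2)
    server = AlertServer(seed)
    for i in range(3):
        host.record(f"alert-{i}")
    host.interval_elapsed()
    host.interval_elapsed()              # two intervals unreachable: 4 -> 6 -> 8 slots
    for i in range(3, 7):
        host.record(f"alert-{i}")
    first = server.receive(host.transmit())
    for i in range(7, 10):
        host.record(f"alert-{i}")
    host.slots[7] = None                 # constructed fault: the slot holding alert-7 is lost
    second = server.receive(host.transmit())
    return {"slots": len(host.slots), "adaptations": host.adaptations,
            "first": first, "second": second}


if __name__ == "__main__":
    print(demo())
```

In the demo the buffer grows from 4 to 8 slots over two unreachable intervals, every alert in the first upload verifies against the server's copy of the evolving message key, and the second upload reports `gap: alerts 7..7 missing` because the server advanced its key chain past the lost sequence number and still verified the alerts that followed. Shrinking the buffer once the connection is back (claims 10 and 11) is left out of the sketch.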
Specification