Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

US 9,300,638 B2
Filed: 06/06/2013
Issued: 03/29/2016
Est. Priority Date: 08/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

a bastion host configured to;

determine, based on a destination address included in packet header information of a data packet, whether a remote bastion host is configured to perform adaptive self-synchronized dynamic address translation (ASD);

generate a cipher key by the bastion host when the remote bastion host is not configured to perform ASD;

generate the cipher key according to a handshake with the remote bastion host when the remote bastion host is configured to perform ASD; and

add an entry to an active connection table including the generated cipher key and at least a subset of the packet header information of the data packet.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.

32 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a bastion host configured to;
  
  determine, based on a destination address included in packet header information of a data packet, whether a remote bastion host is configured to perform adaptive self-synchronized dynamic address translation (ASD);
  
  generate a cipher key by the bastion host when the remote bastion host is not configured to perform ASD;
  
  generate the cipher key according to a handshake with the remote bastion host when the remote bastion host is configured to perform ASD; and
  
  add an entry to an active connection table including the generated cipher key and at least a subset of the packet header information of the data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15, 16, 17)
- - 2. The system of claim 1, wherein the bastion host is further configured to:
    - encrypt predetermined portions of the packet header information into translated packet header information according to a cipher algorithm keyed by the cipher key; and
      
      replace the predetermined portions of the packet header information with the translated packet header information in the data packet.
  - 3. The system of claim 2, wherein the bastion host is further configured to transmit the data packet from the bastion host to the remote bastion host after replacing the predetermined portions of the packet header information with the translated packet header information.
  - 4. The system of claim 1, wherein the bastion host is further configured to query a host table for an address of the remote bastion host, and determine based on the query whether the destination address is associated with a remote bastion host configured to perform ASD.
  - 5. The system of claim 1, wherein the bastion host is further configured to:
    - generate a second cipher key according to a second handshake with the remote bastion host when the remote bastion host is configured to perform ASD; and
      
      update the entry in the active connection table to replace the cipher key with the second cipher key.
  - 6. The system of claim 5, wherein the bastion host is further configured to initiate the generation of the second cipher key after expiration of a timeout value.
  - 7. The system of claim 5, wherein the bastion host is further configured to:
    - encrypt predetermined portions of packet header information of a second data packet according to the cipher algorithm keyed by the second cipher key into second translated packet header information; and
      
      replace the predetermined portions of the packet header information of the second data packet with the second translated packet header information.
  - 8. The system of claim 1, wherein the bastion host is further configured to:
    - receive a second data packet from the remote bastion host;
      
      perform a lookup in the active connection table for predetermined portions of packet header information of the second data packet; and
      
      when a matching entry is found in the active connection table, restore predetermined portions of packet header information of the second data packet using a cipher key included in the matching entry of the active connection table.
  - 15. The system of claim 2, wherein the bastion host is further configured to at least one of:
    - replace at least predetermined portions of a source address and the destination address of the packet header information in the data packet with the translated packet header information when the remote bastion host is configured to perform ASD; and
      
      replace at least predetermined portions of the source address but not the destination address of the packet header information in the data packet with the translated packet header information when the remote bastion host is not configured to perform ASD.
  - 16. The system of claim 8, wherein the bastion host is further configured to, when the matching entry is not found in the active connection table, at least one of:
    - (i) drop the second data packet, and (ii) return an obfuscated reply disguising that the second data packet is identified by the bastion host as not being found in the active connection table.
  - 17. The system of claim 8, wherein the second data packet is a reply to the data packet, and the bastion host is further configured to restore the predetermined portions of the packet header information of the second data packet based on the at least a subset of the packet header information of the data packet included in the matching entry of the active connection table.

9. A method, comprising:
- receiving, at a bastion host, a packet including packet header information, the packet information including a destination address;
  
  determining, by a bastion host, whether the destination address is associated with a remote bastion host configured to perform adaptive self-synchronized dynamic address translation (ASD);
  
  generating a cipher key by the bastion host based on a determination that the remote bastion host is not configured to perform ASD;
  
  generating the cipher key according to a handshake with the remote bastion host based on a determination that the remote bastion host is configured to perform ASD; and
  
  adding an entry to an active connection table including the cipher key and destination address.
- View Dependent Claims (10, 11, 12, 13, 14, 18, 19, 20)
- - 10. The method of claim 9, further comprising:
    - translating predetermined portions of the packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information; and
      
      replacing the predetermined portions of the packet header information with the translated packet header information in the data packet.
  - 11. The method of claim 10, further comprising transmitting the packet from the bastion host to the remote bastion host after replacing the predetermined portions of the packet header information.
  - 12. The method of claim 9, further comprising:
    - generating a second cipher key according to a second handshake with the remote bastion host;
      
      translating predetermined portions of packet header information of a second packet according to the cipher algorithm keyed by the second cipher key into second translated packet header information; and
      
      replacing the predetermined portions of the packet header information of the second packet with the second translated packet header information.
  - 13. The method of claim 12, wherein generating a second cipher key according to a second handshake with the remote bastion host is performed after expiration of a handshake timeout.
  - 14. The method of claim 9, further comprising:
    - receiving a second data packet from the remote bastion host;
      
      performing a lookup in the active connection table for predetermined portions of packet header information of the second data packet; and
      
      when a matching entry is found in the active connection table, restoring predetermined portions of packet header information of the second data packet using a cipher key included in the matching entry of the active connection table.
  - 18. The method of claim 10, further comprising:
    - replacing at least predetermined portions of a source address and the destination address of the packet header information in the data packet with the translated packet header information when the remote bastion host is configured to perform ASD; and
      
      replacing at least predetermined portions of the source address but not the destination address of the packet header information in the data packet with the translated packet header information when the remote bastion host is not configured to perform ASD.
  - 19. The method of claim 14, further comprising, when the matching entry is not found in the active connection table, at least one of:
    - (i) dropping the second data packet, and (ii) returning an obfuscated reply disguising that the second data packet is identified as not being found in the active connection table.
  - 20. The method of claim 14, wherein the second data packet is a reply to the data packet, and further comprising restoring the predetermined portions of the packet header information of the second data packet based on the at least a subset of the packet header information of the data packet included in the matching entry of the active connection table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Ratheon BBN Technologies Corporation, Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Evans, Shelby Alana, Fink, Russell Andrew, Brannigan, Matthew Aloysius, Almeida, Aswin Morgan
Primary Examiner(s)
Kyle, Tamara T

Application Number

US13/911,584
Publication Number

US 20130275751A1
Time in Patent Office

1,027 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2101/659   Internet protocol version 6...

H04L 61/103   across network layers, e.g....

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/5014   using dynamic host configur...

H04L 63/0428   wherein the data content is...

H04L 63/068   using time-dependent keys, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/0841   involving Diffie-Hellman or...

Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others