Side channel attack deterrence in networks

US 9,961,104 B2
Filed: 12/02/2014
Issued: 05/01/2018
Est. Priority Date: 12/02/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus to prevent attack on a network by a potential attacker, the apparatus comprising:

at least one processor;

at least one non-transitory computer readable medium coupled to the at least one processor, the at least one non-transitory computer readable medium encoded with instructions that are executable by the at least one processor to;

obtain a plurality of incoming packets configured to be routed to a target virtual machine (VM) within the network;

identify a packet size for each of the plurality of incoming packets;

obtain target statistics that include information to aggregate at least some of the plurality of incoming packets into groups, wherein the information to aggregate the at least some of the plurality of incoming packets into the groups is based on;

acceptable delays in distribution of the plurality of incoming packets, and service levels associated with the network;

aggregate the at least some of the plurality of incoming packets into the groups, based on the obtained target statistics;

determine, based on the identified packet size for each of the plurality of incoming packets, a normalized size for the groups, wherein the normalized size varies over time, and wherein the normalized size is selected to prevent information regarding the packet size for each of the plurality of incoming packets from being discerned by the potential attacker; and

wrap the groups into one or more wrapped packages of the normalized size such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during distribution of the one or more wrapped packages, matches with the target statistics.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to technologies to deter side channel data center attacks. An example method may include receiving an incoming packets destined for a network, grouping, at a gateway, the incoming packets into groups, wherein a size of the groups is based on predetermined statistics, and wrapping the groups into packages of normalized size.

Citations

20 Claims

1. An apparatus to prevent attack on a network by a potential attacker, the apparatus comprising:
- at least one processor;
  
  at least one non-transitory computer readable medium coupled to the at least one processor, the at least one non-transitory computer readable medium encoded with instructions that are executable by the at least one processor to;
  
  obtain a plurality of incoming packets configured to be routed to a target virtual machine (VM) within the network;
  
  identify a packet size for each of the plurality of incoming packets;
  
  obtain target statistics that include information to aggregate at least some of the plurality of incoming packets into groups, wherein the information to aggregate the at least some of the plurality of incoming packets into the groups is based on;
  
  acceptable delays in distribution of the plurality of incoming packets, and service levels associated with the network;
  
  aggregate the at least some of the plurality of incoming packets into the groups, based on the obtained target statistics;
  
  determine, based on the identified packet size for each of the plurality of incoming packets, a normalized size for the groups, wherein the normalized size varies over time, and wherein the normalized size is selected to prevent information regarding the packet size for each of the plurality of incoming packets from being discerned by the potential attacker; and
  
  wrap the groups into one or more wrapped packages of the normalized size such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during distribution of the one or more wrapped packages, matches with the target statistics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the normalized size is determined in accordance with the target statistics.
  - 3. The apparatus of claim 1, wherein the target statistics are adjusted based on a busyness of the network.
  - 4. The apparatus of claim 1, wherein the target statistics vary over time.
  - 5. The apparatus of claim 1, wherein the target statistics are configured to change a distribution of the normalized size.
  - 6. The apparatus of claim 1, wherein the target statistics are adjusted from within a data center that hosts the network.
  - 7. The apparatus of claim 1, wherein the target statistics are selected to increase entropy in packet flow to the network.
  - 8. The apparatus of claim 1, wherein the groups comprise one or more of multiple packets, split packets, single packets, redundant data, or false data.
  - 9. The apparatus of claim 1, wherein observable traffic on the network comprises a normalized distribution of wrapped packets of the normalized size.
  - 10. The apparatus of claim 1, wherein the network comprises a software defined network.

11. A method to prevent an attack by a potential attacker on a network, the method comprising:
- receiving a plurality of incoming packets destined for distribution to a target virtual machine (VM) within the network;
  
  identifying a packet size for each of the plurality of incoming packets;
  
  obtaining target statistics that include information to group the plurality of incoming packets into one or more groups, wherein the information to group the plurality of incoming packets into the one or more groups is based on;
  
  acceptable delays in distribution of the plurality of incoming packets, and service levels associated with the network;
  
  grouping, at a gateway, the plurality of incoming packets into the one or more groups, based on the obtained target statistics; and
  
  wrapping the one or more groups into one or more packages of a normalized size, wherein the normalized size is determined based on the identified packet size for each of the plurality of incoming packets, and wherein the one or more groups are wrapped into the one or more packages of the normalized size such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during distribution of the one or more packages, matches with the target statistics.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein wrapping the one or more groups into the one or more packages of the normalized size includes wrapping the one or more groups into one or more packages of a normalized size that varies over time.
  - 13. The method of claim 11, wherein grouping the plurality of incoming packets into the one or more groups includes grouping the plurality of incoming packets into one or more groups that include multiple packets, split packets, single packets, false data, or combinations thereof.
  - 14. The method of claim 11, wherein individual packets in each of the one or more groups are destined for a same destination.
  - 15. The method of claim 11, wherein receiving the plurality of incoming packets destined for the distribution to the target VM within the network comprises receiving incoming packets destined for distribution to one or more target VMs within a software defined network.

16. An apparatus, comprising:
- at least one processor;
  
  at least one non-transitory computer readable medium coupled to the at least one processor and encoded with executable instructions that are executable by the at least one processor to;
  
  obtain one or more wrapped packages to be distributed to a target virtual machine (VM) within a network, wherein each of the one or more wrapped packages comprises a group of packets, wherein the packets are grouped based on target statistics that include information to group the packets into one or more groups, and wherein the information to group the packets into the one or more groups is based on;
  
  acceptable delays in distribution of the packets, and service levels associated with the network; and
  
  distribute the one or more wrapped packages to the target VM within the network, such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by a potential attacker during distribution of the one or more wrapped packages, matches with the target statistics.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16, wherein the apparatus includes a virtual router associated with a hypervisor.
  - 18. The apparatus of claim 17, wherein the one or more wrapped packages comprise one or more of multiple packets, split packets, single packets, or false data.

19. A method to deter attack by a potential attacker in a network, the method comprising:
- receiving incoming packets at a gateway of the network;
  
  identifying a packet size for each of the incoming packets;
  
  obtaining target statistics that include information to group the incoming packets into one or more groups of packets, wherein the information to group the incoming packets into the one or more groups of packets is based on;
  
  acceptable delays in distribution of the incoming packets, and service levels associated with the network;
  
  grouping, at the gateway and based on the obtained target statistics, the incoming packets into the one or more groups of packets for a same destination, wherein the one or more groups of packets are sized in accordance with normalized sizes that are determined based on the identified packet size for each of the incoming packets and are selected to prevent information regarding the packet size for each of the received incoming packets from being discerned by the potential attacker; and
  
  wrapping, at the gateway, the one or more groups of packets into one or more packages in preparation for transport to a target virtual machine (VM) within the network, wherein the one or more groups of packets are wrapped such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during the transportation of the one or more packages, matches with the target statistics.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising varying distribution of the normalized sizes in accordance with a busyness of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Original Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Inventors
Kruglick, Ezekiel
Primary Examiner(s)
Cheng, Peter

Application Number

US14/558,447
Publication Number

US 20160156561A1
Time in Patent Office

1,246 Days
Field of Search

370230
US Class Current
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/20 for managing network securi...

Side channel attack deterrence in networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Side channel attack deterrence in networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links