Side channel attack deterrence in networks
First Claim
1. An apparatus to prevent attack on a network by a potential attacker, the apparatus comprising:
- at least one processor;
- at least one non-transitory computer readable medium coupled to the at least one processor, the at least one non-transitory computer readable medium encoded with instructions that are executable by the at least one processor to:
  - obtain a plurality of incoming packets configured to be routed to a target virtual machine (VM) within the network;
  - identify a packet size for each of the plurality of incoming packets;
  - obtain target statistics that include information to aggregate at least some of the plurality of incoming packets into groups, wherein the information to aggregate the at least some of the plurality of incoming packets into the groups is based on: acceptable delays in distribution of the plurality of incoming packets, and service levels associated with the network;
  - aggregate the at least some of the plurality of incoming packets into the groups, based on the obtained target statistics;
  - determine, based on the identified packet size for each of the plurality of incoming packets, a normalized size for the groups, wherein the normalized size varies over time, and wherein the normalized size is selected to prevent information regarding the packet size for each of the plurality of incoming packets from being discerned by the potential attacker; and
  - wrap the groups into one or more wrapped packages of the normalized size such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during distribution of the one or more wrapped packages, matches with the target statistics.
Abstract
The present disclosure relates to technologies to deter side channel data center attacks. An example method may include receiving incoming packets destined for a network, grouping, at a gateway, the incoming packets into groups, wherein a size of the groups is based on predetermined statistics, and wrapping the groups into packages of normalized size.
20 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims 2 to 10 are not shown.
11. A method to prevent an attack by a potential attacker on a network, the method comprising:
- receiving a plurality of incoming packets destined for distribution to a target virtual machine (VM) within the network;
- identifying a packet size for each of the plurality of incoming packets;
- obtaining target statistics that include information to group the plurality of incoming packets into one or more groups, wherein the information to group the plurality of incoming packets into the one or more groups is based on: acceptable delays in distribution of the plurality of incoming packets, and service levels associated with the network;
- grouping, at a gateway, the plurality of incoming packets into the one or more groups, based on the obtained target statistics; and
- wrapping the one or more groups into one or more packages of a normalized size, wherein the normalized size is determined based on the identified packet size for each of the plurality of incoming packets, and wherein the one or more groups are wrapped into the one or more packages of the normalized size such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during distribution of the one or more packages, matches with the target statistics.
Dependent claims 12 to 15 are not shown.
16. An apparatus, comprising:
- at least one processor;
- at least one non-transitory computer readable medium coupled to the at least one processor and encoded with executable instructions that are executable by the at least one processor to:
  - obtain one or more wrapped packages to be distributed to a target virtual machine (VM) within a network, wherein each of the one or more wrapped packages comprises a group of packets, wherein the packets are grouped based on target statistics that include information to group the packets into one or more groups, and wherein the information to group the packets into the one or more groups is based on: acceptable delays in distribution of the packets, and service levels associated with the network; and
  - distribute the one or more wrapped packages to the target VM within the network, such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by a potential attacker during distribution of the one or more wrapped packages, matches with the target statistics.
Dependent claims 17 and 18 are not shown.
19. A method to deter attack by a potential attacker in a network, the method comprising:
- receiving incoming packets at a gateway of the network;
- identifying a packet size for each of the incoming packets;
- obtaining target statistics that include information to group the incoming packets into one or more groups of packets, wherein the information to group the incoming packets into the one or more groups of packets is based on: acceptable delays in distribution of the incoming packets, and service levels associated with the network;
- grouping, at the gateway and based on the obtained target statistics, the incoming packets into the one or more groups of packets for a same destination, wherein the one or more groups of packets are sized in accordance with normalized sizes that are determined based on the identified packet size for each of the incoming packets and are selected to prevent information regarding the packet size for each of the received incoming packets from being discerned by the potential attacker; and
- wrapping, at the gateway, the one or more groups of packets into one or more packages in preparation for transport to a target virtual machine (VM) within the network, wherein the one or more groups of packets are wrapped such that statistic data, associated with a shared router path between an attacker VM and the target VM and received by the potential attacker during the transportation of the one or more packages, matches with the target statistics.
Dependent claim 20 is not shown.
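The gateway-side grouping and wrapping steps of claims 11 and 19, as an added Python simulation that is not the patent's own code: the helper names, the acceptable-delay and size-quantum parameters, and the sample traffic are assumptions made for illustration.

```python
# Added illustration (not the patent's own code) of the gateway behaviour the
# claims describe: packets for one target VM are held no longer than the
# acceptable delay, each group is wrapped into a package padded to a normalized
# size derived from the observed packet sizes, so an observer on the shared path
# sees only package sizes matching the chosen target statistics.
# Helper names, parameters and the sample traffic below are assumptions.
from dataclasses import dataclass

@dataclass
class Packet:
    arrival_ms: int  # arrival time at the gateway
    size: int        # payload bytes: the quantity the wrapping is meant to hide

def group_packets(packets, acceptable_delay_ms):
    """Aggregate same-destination packets; a group closes when holding its
    first packet any longer would exceed the acceptable delay."""
    groups, current = [], []
    for p in sorted(packets, key=lambda p: p.arrival_ms):
        if current and p.arrival_ms - current[0].arrival_ms > acceptable_delay_ms:
            groups.append(current)
            current = []
        current.append(p)
    if current:
        groups.append(current)
    return groups

def normalized_size(groups, quantum):
    """One package size for this batch: largest group total rounded up to a
    multiple of `quantum`. Recomputed per batch, so it varies over time."""
    largest = max(sum(p.size for p in g) for g in groups)
    return -(-largest // quantum) * quantum  # ceiling division

def wrap_groups(groups, size):
    """Wrap each group into a package of exactly `size` bytes (payload + padding)."""
    packages = []
    for g in groups:
        payload = sum(p.size for p in g)
        assert payload <= size, "group exceeds normalized size"
        packages.append({"payload": payload, "padding": size - payload, "wire_size": size})
    return packages

# Constructed sample: a 40-byte ACK next to 1200-byte data segments, the kind of
# size pattern an on-path observer could otherwise read off the shared router.
SAMPLE = [Packet(0, 1200), Packet(3, 40), Packet(5, 1200), Packet(40, 40),
          Packet(41, 300), Packet(95, 1200), Packet(96, 1200)]

def observed_sizes(acceptable_delay_ms=10, quantum=512):
    """The only statistic data visible on the shared path: package wire sizes."""
    groups = group_packets(SAMPLE, acceptable_delay_ms)
    return [pkg["wire_size"] for pkg in wrap_groups(groups, normalized_size(groups, quantum))]
```

With the default parameters the seven distinctive packets leave the gateway as three packages of identical wire size, and raising the acceptable delay collapses them into a single package, which is the delay-versus-leakage trade-off the claims tie to service levels.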