WO2003032608A1 - Active intrusion resistant environment of layered object and compartment keys - Google Patents
Active intrusion resistant environment of layered object and compartment keys Download PDFInfo
- Publication number
- WO2003032608A1 WO2003032608A1 PCT/US2002/024997 US0224997W WO03032608A1 WO 2003032608 A1 WO2003032608 A1 WO 2003032608A1 US 0224997 W US0224997 W US 0224997W WO 03032608 A1 WO03032608 A1 WO 03032608A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- digital network
- network
- recited
- communications
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention generally relates to digital communications networks and, more particularly, to the development of the properties of high levels of security and fault tolerance to permit network functionality in the presence of denial of service and other attacks.
- a given processor may be effectively connected to more than one network at a time and thus a publicly accessible network can be used to access another network, potentially through a sequence of processors.
- limiting access of processors to only secure or unsecure networks reduces functionality of the processor to levels which may be unacceptable due to the reduction of accessible resources.
- any security feature that may be devised may also be defeated and protection of sensitive resources is entirely grounded in the difficulty of defeating the security measures utilized.
- restriction of access is usually provided only at individual processors or resources (e.g. applications) and not within the network, itself.
- Computer attacks may take the form of gaining access to sensitive data (to either learn its contents or to corrupt it) resident on individual systems or in the form of a so-called virus or worm to damage or destroy processors or resources in a largely indiscriminate manner.
- DOS denial of service
- Networks are inherently susceptible to attack by exploitation of security weaknesses in network protocols and infrastructure components.
- security controls of the operating systems and applications installed on the network may be circumvented, network firewalls (used extensively at network boundaries) may be penetrated, network functions may be disrupted, sessions of authorized users (after they have been authenticated) can be stolen and routing functions of the network can be disrupted to misdirect network data.
- a concerted attack on military network infrastructure can compromise military operations or force network shutdown.
- Identification and authentication (I&A) capabilities provided by recently developed forms of identification certificates does not provide technical mechanisms to respond to attacks against network protocols.
- the first layer is the extensive use of firewalls to control access to the network from outside the network.
- firewalls become geometrically more difficult to manage as the number and variety of authorized accesses increases. This difficulty is particularly evident in military networks which become particularly susceptible to penetration through exploitation of errors in configuration of their access control rule set.
- firewalls are not fully effective since the manner in which TCP/IP manages packet fragmentation can be exploited for "punching through” the packet filtering system of firewalls.
- Session Hijacking although complex, can be automated to negate effective use of strong user authentication. Further, it is difficult to force all network access to be made only through the firewall. The availability of commercial modems that interface to digital PBX systems and the
- Remote Access Server included in Microsoft Windows (TM) software makes control of the use of dial-up connections to the network through firewalls impractical .
- the second layer of protection is strong user authentication such as biometric systems and digital certificates.
- biometric systems and digital certificates are costly and generally implemented on only the most sensitive systems and can, nevertheless, be rendered ineffective by session hijacking attacks, alluded to above, because of the inability of TCP/IP to authenticate the source address packets, to close out "half-open" connections and to protect the session sequence numbers contained in the TCP header.
- the third layer of protection is to maintain separate networks for each level of security classification or class of access authorization and to depend on personnel clearances.
- This approach is extremely costly, limits the functionality of each separate system, presents problems of maintaining data integrity and provides no protection from misuse or damage by persons having access to any given system.
- it is generally desirable to be able to accommodate both mandatory access control (MAC) in which access is controlled based on classification of the information or resource and discretionary access control (DAC) which is based on a correlation of anticipated user function and the nature of data that may be needed to perform that function.
- MAC and DAC may each be complex and overlap with much increased complexity, greatly multiplying the number of separate systems which may be required among which data integrity must be maintained.
- Detection of an attack before substantial damage is done is often difficult, particularly when the attack is of the denial of service type. Viruses, for example, cannot be detected before at least some of their basic characteristics (e.g. a filename by which they are executed) is known; by which time the virus may have been widely proliferated, causing some degree of damage to each computer it has reached.
- a denial of service attack is, by its nature, indistinguishable from other intended functions of the system except for the volume of transactions it presents and possible similarities of requested services necessitated by the volume of requests required for a successful attack.
- at least a major portion of network services must be disrupted in order to respond to the attack. Therefore, achieving a degree of certainty that an attack is in progress commensurate with the magnitude of necessary system disruption often unacceptably delays action and thus does not acceptably limit damage or prevent access to critical data or resources.
- a security device for respective network nodes and a network secured thereby including at least two locking devices at each of a plurality of nodes of the digital network, a security policy manager device for detecting network communications or activity having some characteristics different from characteristics of normal usage and providing a signal to another network node, and a routing arrangement responsive to a user transparent signal from another node for controlling the locking devices to isolate a node selecting redundant communication paths in the digital network to maintain network communications between other network nodes .
- a method of operating a digital network including steps of detecting communications having characteristics differing from characteristics of normal usage, communicating a user transparent signal to another node responsive to the detection, and controlling communications at the node from another node with a user transparent signal .
- Figure 1 is a schematic diagram of a basic element of the network in accordance with the invention and including a lock circuit including two routers providing communications from different networks,
- Figure 2 is a schematic diagram of the lock circuit of Figure 1 as embodied on a VME circuit cars, as is preferred,
- Figure 3 is a schematic diagram of a preferred form security encryption engine of Figure 2 ,
- FIG. 4 is a schematic illustration of a redundant hierarchy of independently secured security domains in accordance with the invention.
- FIG. 5 is a schematic illustration of a system and software architecture in accordance with the present invention.
- Figure 6 schematically illustrates a network transaction performed as a plurality of secure sessions in accordance with the invention
- Figure 7 schematically illustrates an exemplary preferred operation of the redundant hierarchy of Figure 4, and Figure 8 illustrates application of the invention to both trusted and untrusted nodes of a heterogenous digital network.
- routers are well-understood network elements for controlling communications between nodes of a network although only a single router (but which may have an arbitrary number of ports) would normally be associated with a given node of the network.
- Use of a lock in combination with routers is also well-understood in the art.
- no portion of any Figure is admitted to be prior art in regard to the present invention.
- the present invention provides a secure, fault-tolerant network than can implement an arbitrary security policy with arbitrarily fine granularity and continue to provide service in the presence of a variety of hardware failures and security penetration attacks.
- This is accomplished by developing a networking subsystem by inclusion of enhancements which accommodate existing elements of network architecture and software and integrate fault olerant extensions of object oriented programming architecture, strong encryption strong authentication at the node and data packet level and real-time active responses to detection of faults and attacks with enhanced sensitivity.
- CORBA common object request broker architecture
- CMIP common management information protocol
- OSI open system interconnection
- CMIS common management information services
- the basic principle of the invention is the use of a highly secure user transparent subsystem infrastructure which can detect failures and questionable activity and communicate, in a secure and encrypted form, the potential condition of a network node to adjacent nodes which can then isolate or encapsulate a potentially compromised node while rerouting normal network traffic to integrate the extended and fault tolerant CORBA architecture with strong encryption, enhanced intrusion detection and an effective security policy to support effective active responses to faults and potential attacks.
- This reporting supports fine-grained control of network access as well as logging of information concerning network activity and node status to limit damage, improve detection and facilitate recovery from a wide variety of failures and attacks.
- the interface element 103 including two locking devices 109, 111 and two routers 105, 107 is to support communications with and between networks 115, 117 through routers 105, 107 and with network node 119 which may or may not also include a similar interface element.
- interface element 103 can control the connectivity of three network nodes.
- locking devices 109, 111 communicate with each other to provide connectivity between networks 115, 117 as well as with processor 119.
- the interface element 103 can function as a lock to interrupt communications between networks, nodes or terminals at a particular network node.
- Locking devices are generally implemented on separate cards (a preferred form of which is known as a VME card) which are connectable to other circuits through a rack or "motherboard” arrangement or the like. Therefore, it is convenient to provide additional security structure at a location electrically between the two locking devices (e.g. connected to a common bus) . In accordance with the invention, this is preferably accomplished with a processor on a separate card (represented by 113 of Figure 1) processing fault and intrusion detection objects as well as encryption and decryption algorithms for communication of data regarding potential faults and attacks to similar cards at other network nodes.
- a processor on a separate card represented by 113 of Figure 1
- processing fault and intrusion detection objects processing fault and intrusion detection objects as well as encryption and decryption algorithms for communication of data regarding potential faults and attacks to similar cards at other network nodes.
- implementation of the invention can be performed incrementally and scalably to any desired degree including global implementation.
- the processor arrangement 113 can implement any number of objects for fault or intrusion detection and which may be of any arbitrary design, including a number of algorithms which are commercially available for the purpose. Results of the execution of these objects can be communicated over normal network links to other nodes and used to exercise any desired control over the locking devices and/or to log any desired information concerning the status or operations of any node .
- All of these communications are preferably encrypted in accordance with any desired encryption algorithm (DES, DES-3 or Type 1 algorithms implemented in hardware for highest speed being preferred) which may also be altered and keys arbitrarily exchanged and altered by the same type of communications which are entirely transparent to all users and may be made arbitrarily difficult to intercept by any of a number of known techniques which will be evident to those skilled in the art.
- DES DES-3 or Type 1 algorithms implemented in hardware for highest speed being preferred
- keys arbitrarily exchanged and altered by the same type of communications which are entirely transparent to all users and may be made arbitrarily difficult to intercept by any of a number of known techniques which will be evident to those skilled in the art.
- each transmission or group of transmissions for a given user may be supplied with identification information (e.g.
- processor 113 even if the user is not identified and any desired tracking or logging information may be transmitted to other nodes for error recovery and determination of the source of any detected potential attack as well as continuous monitoring and authentication of the source node for all communications, potentially to the data packet level .
- processor card 113 is referred to as a security policy manager card. It should be appreciated that implementation of such capabilities in combination with routers which also support a high level of security (e.g. cards supporting audit, MAC, DAC, user identification and authentication security functions) enables active network response to security alerts and isolation of compromised nodes from uncompromised nodes in substantially real time as will be discussed in more detail below.
- a security policy manager card e.g. cards supporting audit, MAC, DAC, user identification and authentication security functions
- Processor 203 may be any of several commercially available types but processors having clock speeds of 300 MHz or higher are preferred to support high speed communications and rapid response of attack detection and fault reporting software which preferably are configured as objects that communicate with each other in accordance with CORBA architecture 210 alluded to above .
- communications bit rates can be much higher than processor clock rates since messages may be assembled at any clock rate and transmitted as a burst at arbitrarily high bit rates.
- the specifics of fault and attack detection objects are not important to the practice of the invention and many commercially available applications may be used to practice the invention. Since these objects are essentially software modules that communicate with each other but may or may not be run in a particular sequence, a high clock rate is desirable to enhance response time and achieve effective concurrency of execution of these objects.
- attack detection objects be provided which will detect activity which may have a relatively low or moderate likelihood of representing an actual attack since the architecture of Figure 1 allows very fine-grained isolation of nodes which may potentially be compromised and thus minimizes system disruption, possibly for only a very short and possibly even unnoticeable period. That is, since the scope and duration of system disruption in response to a real or potential attack can be held to a minimum, the level of certainty of an attack that may be represented in network activity detected by an object can also be correspondingly low; yielding a much enhanced level of security and damage avoidance and an arbitrarily high degree of sensitivity to questionable characteristics of communication which may differ from characteristics of normal usage by an arbitrarily small degree.
- SPM embedded security policy manager
- managed objects include network interface managed objects, intrusion detection managed objects and network service managed objects.
- a manager object 215 or a plurality thereof is also provided. The articulation of the objects in software is not particularly important to the practice of the invention but the concept of manager and managed objects will be helpful in understanding the principles of the invention.
- the security policy manager (SPM) card also preferably includes a memory 209 associated with the processor particularly for storing processor programs, logging processor activity and loading the CORBA wrapper and embedded objects, including manager objects upon processor initialization or on an "as needed" basis when an object is missing or damaged by replication from another node, as alluded to above.
- a peripheral component interconnect (PCI) bridge 207 is also provided to interface processor 203 to the network communication interface 211 and a VME/PCI (peripheral component interconnect) interface 213 which, in turn, provides connectivity to local peripherals 223, 225 and 227 of any desired type or nature .
- PCI peripheral component interconnect
- the network communication interface preferably includes a random access memory (RAM) 221 serving as a buffer between the processor 203 and the remainder of the network interface.
- RAM random access memory
- Two or more communications ports 217, 219 are provided as discussed above in connection with Figure 1.
- a security/encryption engine 231 is provided to connect the network ports 217, 219 to the buffer RAM 221. This element is referred to as a security/encryption engine since it is preferred that its function be embodied in hardware in order to achieve the desired extremely high bit rate for the communications between security controller cards at different network nodes.
- Such high bit rates are particularly desirable since they substantially contribute to the security of the system in accordance with the invention by allowing the overall message to be sent with an extremely short duty cycle; increasing difficulty of interception, as well as being beyond the capacity of software-based processors to receive, process or simulate.
- high bit rates are not critical to the successful practice of the invention in accordance with its basic principles.
- encryption is desirable in implementations of the invention where communications are conducted between SPM cards with signals which may be known, these communications are entirely transparent to the user and it is only necessary for the SPM cards to use compatible signals in order to communicate and for the signals to be relatively insusceptible to decoding or simulation. Therefore, as long as the coded signals used in these user transparent communications (which could be changed at will or as necessary without hardware changes through use of an EEPROM or the like) are relatively secure, an additional encryption/decryption process is not necessary to the practice of the invention.
- FIG. 3 A preferred form and construction of the network communication interface 211 is shown in Figure 3. Specifically, it is preferred to construct this module of the SPM card 201 as a daughter card which is preferably configured as a PCI mezzanine card (PMC) within the VME module.
- PMC PCI mezzanine card
- Such an articulation facilitates replacement of this card as technical developments make greater data rate accelerations possible and to change encryption hardware (or maintenance and/or re- programming of internal codes, objects and the like) , as may be desired from time to time as well as to add to the range of secure performance alternatives supported by the PMC card.
- PMC PCI mezzanine card
- the PMC card 301 includes a dual ported RAM 309 to support simultaneous read and write operations from the PCI bus or the v security encryption engine.
- the security/encryption engine 307 preferably has a B2 or better security rating and is configured to require authorization and authentication of the SPM board or network nodes with which it communicates.
- the SPM card assigns security association/identification information to data packets regardless of whether or not such an identification is made of a given user. Therefore, each operation or data packet through the node is authenticated as to originating with a known node of the network and the information so collected can be used for detection of "foreign" data packets and tracking of the origin of any attack to at least the boundary of any connected and similarly secured network.
- a network 401 is shown hierarchically arranged in tiers 403, 405, 407 with communications paths (e.g. 415, 423) shown connecting respective adjacent tiers.
- any given tier have more than one node or a communication path past that tier and a tier at a locally higher hierarchical level. Even these requirements are only necessary to the extent of providing an orderly correspondence between manager objects and managed objects; which correspondencce could be accommodated in other ways that provide a locally hierarchically higher node for each node except for the highest tier.
- a communication link depicted by dashed line 430 could be used as a communication link through tier 405 with tier 407 above tier 403 or to place a node of tier 403 hierarchically above tier 407.
- an organization containing communications links such as 430 may engender unjustified complexity although some advantages may accrue such as establishing further redundant communication paths and/or avoiding a top level of the hierarchy which might be an excessively attractive target for attack.
- the network shown in Figure 4 (without link 430) provides redundant communication links between all nodes of the network even though there are no links between nodes of the same tier, as is also preferred for practice of the invention. (In this regard, however, it should be recognized that the assignment of any given tier to any given node is arbitrary.) For example, node 440 can communicate with node 450 over communication links 427, 423, 419 and 421; 427, 415, 418 and 425; or 427, 419, 417 and 425. Other redundant paths would exist if the network were extended to more tiers and/or more nodes per tier.
- routers monitoring traffic on the network can assign any of a number of convenient paths between any two nodes of the network.
- Conventional network protocols allow a plurality of different paths that may be of differing latency to be employed for a given message with the bit packets being reassembled in proper order after receipt by the intended destination node.
- the invention provides the additional functionality of eliminating and substituting paths for isolation of questionable or compromised nodes at the portal or gateway to each node to maintain substantially full network functionality while preventing proliferation of faults or damage from attacks as well as the attacks themselves.
- the locally hierarchical architecture described above greatly enhances security throughout the network since a response to an attack on one node will be controlled by another node which should respond correctly unless that node is simultaneously under attack, as well (prior faults throughout the network having been previously encapsulated and isolated) .
- a manager object at yet another node at a locally higher hierarchical level would control the active response, and so on, while establishing a plurality of secure sessions and security domains over which control can be exercised through user transparent communications from a manager object at a node which remains trusted.
- These communications and control can be carried out very rapidly (about twenty milliseconds per tier or less) and thus an active response to a potential attack can be made in substantially real time. This is in sharp contrast to security arrangements in prior networks which typically could only log operations during an attack for later analysis long after the attack and damage resulting therefrom are completed.
- This capability provided by the present invention is particularly important is avoiding the effects of denial of service attacks which, by their nature, are difficult to distinguish from ordinary usage except by volume and possibly some similarity of transactions before such attacks are well under way and may have captured a significant portion of available resources.
- an attack to be successful, would require simultaneous attacks on virtually all nodes of the system, all nodes of the hierarchically highest tier of the system or an attack on the hierarchically highest node (if such a singular node is permitted in the network design; which is preferably avoided but should, in any case, be difficult to identify within the network since the relationships and dependencies in the network are identified only in the highly secure user-transparent communications between SPM cards which are preferably made difficult to intercept and analyze through high bit rate, low duty cycle transmissions and effective encryption) .
- FIG. 5 shows a node 501 connected to a local area network 511 which is, in turn, connected to client nodes 503, 505 and server node 507.
- node 501 is substantially as illustrated in Figure 2, including an SPM board 201/509, processor 203 and PMC/interface card 231/301 and that node 501 and LAN 511 may represent any two directly communicating network nodes of Figure 4, such as nodes 460 and 409, respectively.
- the embedded managed objects 517, 519, 521 for respective nodes 503, 505, 507 of LAN 511 and the SPM manager object 515, while part of the embedded SPM functions in the CORBA wrapper 523, are separately illustrated in order to illustrate communications therebetween.
- a processor such as 203 will be provided in LAN 511 and/or respective nodes as indicated at 201A, 201B and 201C and will generate and transmit identifications corresponding to the node (e.g. A, B or C and/or LAN 511) from which any particular communication originates along with the message.
- This identification can also include similar identifications from downstream or other signals indicative of a potential fault or attack (e.g. other connections to nodes 503, 505 or 507).
- the communication e.g. the identification, other signals and/or the communication
- the manager object 515 in node 501 can monitor the user transparent signals transmitted from nodes A, B and/or C corresponding to detection of faults and/or potential attacks detected at the processors of the respective nodes A, B and/or C which are also logged in memory 209. Assuming the latter scenario and a fault or attack message originating at client node B, the manager object would determine that a fault or an attack was present at node B and send an encrypted or otherwise secure message (at a preferably high bit rate) that isolates client node B at either or both of port 531 or SPM board 201B by calling an appropriate managed object (e.g. 519 at one or more nodes or gateways thereto) to do so.
- an appropriate managed object e.g. 519 at one or more nodes or gateways thereto
- the fault or potential attack occurring at node B would be detected by managed objects B at node 501 and communicated to manager object 515 or the manager object of the hierarchically upstream node
- node 611 is the client node and node 617 is the server node and each has its own routers and SPM card 611', 617'.
- SPM cards 601, 603, 605 and 607 are at different respective nodes as are routers 613 and 615.
- the SPM and CMIP manager objects possess the ability to arbitrarily define security domains and principals/users of the system (which may, in effect, include other security domains) to selectively allow access to trusted network components since the layers or tiers in the hierarchy which extends (at least locally) throughout the network environment or desired regions thereof.
- the layers or tiers provide constraint capabilities that include the sending workstation, the embedded SPM device and the target workstation for each defined security domain.
- the originating node of each communication is continuously authenticated, known and monitored (a capability not provided by the TCP/IP protocol) potentially to the data packet level to provide simplified and more rapid detection of potential attacks and closure of "half-open" connections as well as attack tracking and recovery.
- a user In prior networks, a user, once identified and authenticated, has access to the entire network insofar as the authorization for that user extends and a session would extend from the client node to the server node. In accordance with the invention, however, that session is divided into a plurality of secure sessions of different, serially connected security domains, as illustrated in Figure 6. If any security domain (e.g. security domain A, B or C) involved in the connectivity thus established is then compromised in any detectable manner or a fault occurs, that compromise and/or fault is reported and logged, the node at which the fault or attack occurs is isolated and the routers controlled to establish other secure sessions over redundant communication links, as shown in Figure 7.
- security domain e.g. security domain A, B or C
- CMIP managers possess the ability (in the manager objects) to instruct the SPM device to enable and disable network ports to isolate network nodes or segments/sectors and notifies other trusted entities in the CMIP manager and managed object hierarchy of changes in trust for potentially contaminated or compromised network devices while the remainder of the trusted devices of the network continue to provide services while denying connection requests from untrusted sources, as can be seen from a comparison of Figures 4 and 7.
- Figure 8 illustrates application of the invention to a heterogenous network including both trusted and untrusted nodes. It should be appreciated that such a system could result during incremental retrofitting of the invention into an existing network system or as a final configuration of a network intended to include both trusted and untrusted nodes. In the former case, the invention would generally be employed at the locations were considered to be most critical for security although, as alluded to above, firewalls can be defeated with relative ease at the present state of the art. It will also be recognized that the deployment of the structure discussed above in connection with Figures 1 and 2 essentially forms a router interface device 835 at the edge of a secure network protected in accordance with the invention as a plurality of standard router network interface controllers (NIC) 837.
- NIC router network interface controller
- Each NIC thus includes the capability of functioning to provide encapsulation in the same manner as a bottom tier node (see Figures 4 and 7) in regard to connections 839 to untrusted nodes.
- NICs 837 will also function as a higher tier node when connected to the network security device 201 of another node and from that node to other trusted nodes .
- the invention can be implemented globally or to any lesser degree in any network system and thus may be used to secure any desired portion of any network as criticality of security may dictate either by design or during a gradual and incremental retrofit into existing networks.
- Different protocols and different bit rates of the user transparent signalling may be accommodated in different branches of the network illustrated in Figure 8. Thus full compatibility between branches is not required and a secure network portions employing the invention will maintain security during upgrades or changes in other branches.
- the invention provides a high degree of fault tolerance as well as a high degree of security protection from a wide variety of attacks from sources that may include authorized and authenticated users and through hijacked authorized sessions. These meritorious effects can be achieved within an arbitrary existing hardware and software environment and without modification of existing protocols. Fine-grained compartmentalization of any fault or detected potential attack is provided in a manner very difficult to intercept or emulate and entirely transparent to the user while providing logging of information which facilitate error recovery and tracking of the source of any attack.
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP02759285A EP1435161A1 (en) | 2001-10-11 | 2002-08-07 | Active intrusion resistant environment of layered object and compartment keys |
CA002463054A CA2463054A1 (en) | 2001-10-11 | 2002-08-07 | Active intrusion resistant environment of layered object and compartment keys |
JP2003535440A JP2005535150A (en) | 2001-10-11 | 2002-08-07 | Hierarchical object active intrusion resistant environment and compartment key (AIRELOCK) |
AU2002324631A AU2002324631B2 (en) | 2001-10-11 | 2002-08-07 | Active intrusion resistant environment of layered object and compartment keys |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/973,769 | 2001-10-11 | ||
US09/973,769 US7225467B2 (en) | 2000-11-15 | 2001-10-11 | Active intrusion resistant environment of layered object and compartment keys (airelock) |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2003032608A1 true WO2003032608A1 (en) | 2003-04-17 |
Family
ID=25521208
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2002/024997 WO2003032608A1 (en) | 2001-10-11 | 2002-08-07 | Active intrusion resistant environment of layered object and compartment keys |
Country Status (6)
Country | Link |
---|---|
US (2) | US7225467B2 (en) |
EP (1) | EP1435161A1 (en) |
JP (1) | JP2005535150A (en) |
AU (1) | AU2002324631B2 (en) |
CA (1) | CA2463054A1 (en) |
WO (1) | WO2003032608A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006086824A (en) * | 2004-09-16 | 2006-03-30 | Fuji Electric Holdings Co Ltd | Information medium and security system |
Families Citing this family (53)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7213265B2 (en) * | 2000-11-15 | 2007-05-01 | Lockheed Martin Corporation | Real time active network compartmentalization |
US7225467B2 (en) | 2000-11-15 | 2007-05-29 | Lockheed Martin Corporation | Active intrusion resistant environment of layered object and compartment keys (airelock) |
AU2002363958B2 (en) * | 2001-11-30 | 2008-12-11 | Oracle International Corporation | Real composite objects for providing high availability of resources on networked systems |
US20030105973A1 (en) * | 2001-12-04 | 2003-06-05 | Trend Micro Incorporated | Virus epidemic outbreak command system and method using early warning monitors in a network environment |
US7062553B2 (en) * | 2001-12-04 | 2006-06-13 | Trend Micro, Inc. | Virus epidemic damage control system and method for network environment |
KR100468232B1 (en) * | 2002-02-19 | 2005-01-26 | 한국전자통신연구원 | Network-based Attack Tracing System and Method Using Distributed Agent and Manager Systems |
US7287275B2 (en) * | 2002-04-17 | 2007-10-23 | Moskowitz Scott A | Methods, systems and devices for packet watermarking and efficient provisioning of bandwidth |
US7146643B2 (en) | 2002-10-29 | 2006-12-05 | Lockheed Martin Corporation | Intrusion detection accelerator |
US20040083466A1 (en) * | 2002-10-29 | 2004-04-29 | Dapp Michael C. | Hardware parser accelerator |
US20070061884A1 (en) * | 2002-10-29 | 2007-03-15 | Dapp Michael C | Intrusion detection accelerator |
US7080094B2 (en) * | 2002-10-29 | 2006-07-18 | Lockheed Martin Corporation | Hardware accelerated validating parser |
WO2004046844A2 (en) * | 2002-11-18 | 2004-06-03 | Nokia Corporation | Faster authentication with parallel message processing |
US20040128539A1 (en) * | 2002-12-30 | 2004-07-01 | Intel Corporation | Method and apparatus for denial of service attack preemption |
AU2003277247A1 (en) * | 2003-02-28 | 2004-09-28 | Lockheed Martin Corporation | Hardware accelerator state table compiler |
US7281270B2 (en) * | 2003-04-01 | 2007-10-09 | Lockheed Martin Corporation | Attack impact prediction system |
EP1712064A1 (en) * | 2004-01-20 | 2006-10-18 | Intrusic, Inc | Systems and methods for monitoring data transmissions to detect a compromised network |
US7716726B2 (en) * | 2004-02-13 | 2010-05-11 | Microsoft Corporation | System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication |
US7814543B2 (en) * | 2004-02-13 | 2010-10-12 | Microsoft Corporation | System and method for securing a computer system connected to a network from attacks |
US20050188222A1 (en) * | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user login activity for a server application |
US20050187934A1 (en) * | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for geography and time monitoring of a server application user |
US20050188080A1 (en) * | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user access for a server application |
US7373524B2 (en) * | 2004-02-24 | 2008-05-13 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
US20050188221A1 (en) * | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring a server application |
US7860096B2 (en) * | 2004-06-08 | 2010-12-28 | Oracle America, Inc. | Switching method and apparatus for use in a communications network |
US7602712B2 (en) * | 2004-06-08 | 2009-10-13 | Sun Microsystems, Inc. | Switch method and apparatus with cut-through routing for use in a communications network |
US7443860B2 (en) * | 2004-06-08 | 2008-10-28 | Sun Microsystems, Inc. | Method and apparatus for source authentication in a communications network |
US8964547B1 (en) | 2004-06-08 | 2015-02-24 | Oracle America, Inc. | Credit announcement |
US7733855B1 (en) | 2004-06-08 | 2010-06-08 | Oracle America, Inc. | Community separation enforcement |
US7639616B1 (en) | 2004-06-08 | 2009-12-29 | Sun Microsystems, Inc. | Adaptive cut-through algorithm |
US7441272B2 (en) * | 2004-06-09 | 2008-10-21 | Intel Corporation | Techniques for self-isolation of networked devices |
US8154987B2 (en) * | 2004-06-09 | 2012-04-10 | Intel Corporation | Self-isolating and self-healing networked devices |
US7665119B2 (en) | 2004-09-03 | 2010-02-16 | Secure Elements, Inc. | Policy-based selection of remediation |
US7761920B2 (en) | 2004-09-03 | 2010-07-20 | Fortinet, Inc. | Data structure for policy-based remediation selection |
US7672948B2 (en) * | 2004-09-03 | 2010-03-02 | Fortinet, Inc. | Centralized data transformation |
US7703137B2 (en) * | 2004-09-03 | 2010-04-20 | Fortinet, Inc. | Centralized data transformation |
US20060080738A1 (en) * | 2004-10-08 | 2006-04-13 | Bezilla Daniel B | Automatic criticality assessment |
US7716727B2 (en) * | 2004-10-29 | 2010-05-11 | Microsoft Corporation | Network security device and method for protecting a computing device in a networked environment |
US20060095961A1 (en) * | 2004-10-29 | 2006-05-04 | Priya Govindarajan | Auto-triage of potentially vulnerable network machines |
US7310669B2 (en) | 2005-01-19 | 2007-12-18 | Lockdown Networks, Inc. | Network appliance for vulnerability assessment auditing over multiple networks |
US7810138B2 (en) | 2005-01-26 | 2010-10-05 | Mcafee, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US8520512B2 (en) | 2005-01-26 | 2013-08-27 | Mcafee, Inc. | Network appliance for customizable quarantining of a node on a network |
US20060164199A1 (en) * | 2005-01-26 | 2006-07-27 | Lockdown Networks, Inc. | Network appliance for securely quarantining a node on a network |
US7832006B2 (en) | 2005-08-09 | 2010-11-09 | At&T Intellectual Property I, L.P. | System and method for providing network security |
US7934255B1 (en) * | 2005-11-08 | 2011-04-26 | Nvidia Corporation | Apparatus, system, and method for offloading packet classification |
US7818806B1 (en) * | 2005-11-08 | 2010-10-19 | Nvidia Corporation | Apparatus, system, and method for offloading pattern matching scanning |
US20070210909A1 (en) * | 2006-03-09 | 2007-09-13 | Honeywell International Inc. | Intrusion detection in an IP connected security system |
KR100789722B1 (en) * | 2006-09-26 | 2008-01-02 | 한국정보보호진흥원 | The method and system for preventing malicious code spread using web technology |
WO2010140093A1 (en) * | 2009-06-02 | 2010-12-09 | Koninklijke Philips Electronics N.V. | Method and system for identifying compromised nodes |
US8335853B2 (en) * | 2009-12-17 | 2012-12-18 | Sonus Networks, Inc. | Transparent recovery of transport connections using packet translation techniques |
GB2500720A (en) * | 2012-03-30 | 2013-10-02 | Nec Corp | Providing security information to establish secure communications over a device-to-device (D2D) communication link |
US10581914B2 (en) * | 2016-06-03 | 2020-03-03 | Ciena Corporation | Method and system of mitigating network attacks |
CN106534063B (en) | 2016-09-27 | 2019-11-12 | 上海红阵信息科技有限公司 | A kind of device, method and apparatus encapsulating isomery function equivalence body |
US10735459B2 (en) | 2017-11-02 | 2020-08-04 | International Business Machines Corporation | Service overload attack protection based on selective packet transmission |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002095543A2 (en) * | 2001-02-06 | 2002-11-28 | En Garde Systems | Apparatus and method for providing secure network communication |
Family Cites Families (129)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4279034A (en) | 1979-11-15 | 1981-07-14 | Bell Telephone Laboratories, Incorporated | Digital communication system fault isolation circuit |
US4527270A (en) | 1983-05-04 | 1985-07-02 | Allen-Bradley Company | Communications network with stations that detect and automatically bypass faults |
US4622546A (en) | 1983-12-23 | 1986-11-11 | Advanced Micro Devices, Inc. | Apparatus and method for displaying characters in a bit mapped graphics system |
US4556972A (en) | 1983-12-27 | 1985-12-03 | At&T Bell Laboratories | Arrangement for routing data packets through a circuit switch |
US4879716A (en) | 1987-12-23 | 1989-11-07 | Bull Hn Information Systems Inc. | Resilient data communications system |
US5280577A (en) | 1988-01-19 | 1994-01-18 | E. I. Du Pont De Nemours & Co., Inc. | Character generation using graphical primitives |
US5027342A (en) | 1989-05-03 | 1991-06-25 | The University Of Toronto Innovations Foundation | Local area network |
US5003531A (en) | 1989-08-11 | 1991-03-26 | Infotron Systems Corporation | Survivable network using reverse protection ring |
US5193192A (en) | 1989-12-29 | 1993-03-09 | Supercomputer Systems Limited Partnership | Vectorized LR parsing of computer programs |
EP0436194A3 (en) | 1990-01-02 | 1992-12-16 | National Semiconductor Corporation | Media access controller |
US5214778A (en) | 1990-04-06 | 1993-05-25 | Micro Technology, Inc. | Resource management in a multiple resource system |
US5319776A (en) | 1990-04-19 | 1994-06-07 | Hilgraeve Corporation | In transit detection of computer virus with safeguard |
EP0459912B1 (en) | 1990-05-30 | 1996-09-11 | Fujitsu Limited | An issue processing system for a right to use a resource |
US5327159A (en) * | 1990-06-27 | 1994-07-05 | Texas Instruments Incorporated | Packed bus selection of multiple pixel depths in palette devices, systems and methods |
US5247664A (en) | 1991-03-28 | 1993-09-21 | Amoco Corporation | Fault-tolerant distributed database system and method for the management of correctable subtransaction faults by the global transaction source node |
US5511213A (en) | 1992-05-08 | 1996-04-23 | Correa; Nelson | Associative memory processor architecture for the efficient execution of parsing algorithms for natural language processing and pattern recognition |
DE69331064T2 (en) | 1992-12-14 | 2002-07-18 | Commw Of Australia Canberra | SECURITY OF AN ELECTRONIC MESSAGE |
JPH06282527A (en) | 1993-03-29 | 1994-10-07 | Hitachi Software Eng Co Ltd | Network control system |
FR2706652B1 (en) | 1993-06-09 | 1995-08-18 | Alsthom Cge Alcatel | Device for detecting intrusions and suspicious users for a computer system and security system comprising such a device. |
US5519830A (en) | 1993-06-10 | 1996-05-21 | Adc Telecommunications, Inc. | Point-to-multipoint performance monitoring and failure isolation system |
US5414833A (en) | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
EP0974912B1 (en) | 1993-12-01 | 2008-11-05 | Marathon Technologies Corporation | Fault resilient/fault tolerant computing |
US5606668A (en) * | 1993-12-15 | 1997-02-25 | Checkpoint Software Technologies Ltd. | System for securing inbound and outbound data packet flow in a computer network |
JP3339741B2 (en) | 1994-01-13 | 2002-10-28 | 株式会社リコー | Language analyzer |
JP3438105B2 (en) | 1994-03-18 | 2003-08-18 | 富士通株式会社 | Detour route search method |
FR2721781B1 (en) | 1994-06-28 | 1996-07-19 | Thomson Csf | Method for ensuring the confidentiality of a phonic link and local telecommunication network implementing the method. |
US5737526A (en) * | 1994-12-30 | 1998-04-07 | Cisco Systems | Network having at least two routers, each having conditional filter so one of two transmits given frame and each transmits different frames, providing connection to a subnetwork |
US5729665A (en) * | 1995-01-18 | 1998-03-17 | Varis Corporation | Method of utilizing variable data fields with a page description language |
TW278292B (en) | 1995-03-17 | 1996-06-11 | Advanced Micro Devices Inc | Intrusion control for secure networks |
US5696486A (en) | 1995-03-29 | 1997-12-09 | Cabletron Systems, Inc. | Method and apparatus for policy-based alarm notification in a distributed network management environment |
US5794177A (en) * | 1995-07-19 | 1998-08-11 | Inso Corporation | Method and apparatus for morphological analysis and generation of natural language text |
US6006019A (en) | 1995-08-10 | 1999-12-21 | Nec Corporation | Network system capable of managing a network unit from an agent |
KR100244836B1 (en) | 1995-11-02 | 2000-02-15 | 포만 제프리 엘 | Error recovery by isolation of peripheral components in a data processing system |
JP3165366B2 (en) | 1996-02-08 | 2001-05-14 | 株式会社日立製作所 | Network security system |
US6233704B1 (en) * | 1996-03-13 | 2001-05-15 | Silicon Graphics, Inc. | System and method for fault-tolerant transmission of data within a dual ring network |
JPH09311806A (en) | 1996-05-24 | 1997-12-02 | Hitachi Ltd | Method for detecting illegal update of data |
US5768501A (en) | 1996-05-28 | 1998-06-16 | Cabletron Systems | Method and apparatus for inter-domain alarm correlation |
US5798706A (en) | 1996-06-18 | 1998-08-25 | Raptor Systems, Inc. | Detecting unauthorized network communication |
US5995963A (en) | 1996-06-27 | 1999-11-30 | Fujitsu Limited | Apparatus and method of multi-string matching based on sparse state transition list |
US6119236A (en) * | 1996-10-07 | 2000-09-12 | Shipley; Peter M. | Intelligent network security device and method |
US6182029B1 (en) | 1996-10-28 | 2001-01-30 | The Trustees Of Columbia University In The City Of New York | System and method for language extraction and encoding utilizing the parsing of text data in accordance with domain parameters |
US5958015A (en) | 1996-10-29 | 1999-09-28 | Abirnet Ltd. | Network session wall passively listening to communication session, with use of access rules, stops further communication between network devices by emulating messages to the devices |
US5991881A (en) | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
US5969632A (en) | 1996-11-22 | 1999-10-19 | Diamant; Erez | Information security method and apparatus |
US5922049A (en) * | 1996-12-09 | 1999-07-13 | Sun Microsystems, Inc. | Method for using DHCP and marking to override learned IP addesseses in a network |
US5920698A (en) | 1997-01-06 | 1999-07-06 | Digital Equipment Corporation | Automatic detection of a similar device at the other end of a wire in a computer network |
US5905859A (en) | 1997-01-09 | 1999-05-18 | International Business Machines Corporation | Managed network device security method and apparatus |
US5805801A (en) | 1997-01-09 | 1998-09-08 | International Business Machines Corporation | System and method for detecting and preventing security |
US6173333B1 (en) | 1997-07-18 | 2001-01-09 | Interprophet Corporation | TCP/IP network accelerator system and method which identifies classes of packet traffic for predictable protocols |
US5919257A (en) | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US5848410A (en) | 1997-10-08 | 1998-12-08 | Hewlett Packard Company | System and method for selective and continuous index generation |
US6182202B1 (en) * | 1997-10-31 | 2001-01-30 | Oracle Corporation | Generating computer instructions having operand offset length fields for defining the length of variable length operand offsets |
US6021510A (en) | 1997-11-24 | 2000-02-01 | Symantec Corporation | Antivirus accelerator |
US6094731A (en) | 1997-11-24 | 2000-07-25 | Symantec Corporation | Antivirus accelerator for computer networks |
US6151624A (en) | 1998-02-03 | 2000-11-21 | Realnames Corporation | Navigating network resources based on metadata |
US6279113B1 (en) | 1998-03-16 | 2001-08-21 | Internet Tools, Inc. | Dynamic signature inspection-based network intrusion detection |
US6393386B1 (en) * | 1998-03-26 | 2002-05-21 | Visual Networks Technologies, Inc. | Dynamic modeling of complex networks and prediction of impacts of faults therein |
US6865672B1 (en) * | 1998-05-18 | 2005-03-08 | Spearhead Technologies, Ltd. | System and method for securing a computer communication network |
US6083276A (en) | 1998-06-11 | 2000-07-04 | Corel, Inc. | Creating and configuring component-based applications using a text-based descriptive attribute grammar |
US6167448A (en) | 1998-06-11 | 2000-12-26 | Compaq Computer Corporation | Management event notification system using event notification messages written using a markup language |
US6282546B1 (en) | 1998-06-30 | 2001-08-28 | Cisco Technology, Inc. | System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment |
US6304973B1 (en) | 1998-08-06 | 2001-10-16 | Cryptek Secure Communications, Llc | Multi-level security network system |
US6421656B1 (en) | 1998-10-08 | 2002-07-16 | International Business Machines Corporation | Method and apparatus for creating structure indexes for a data base extender |
US6366934B1 (en) | 1998-10-08 | 2002-04-02 | International Business Machines Corporation | Method and apparatus for querying structured documents using a database extender |
US8006177B1 (en) | 1998-10-16 | 2011-08-23 | Open Invention Network, Llc | Documents for commerce in trading partner networks and interface definitions based on the documents |
US6321338B1 (en) | 1998-11-09 | 2001-11-20 | Sri International | Network surveillance |
US6370648B1 (en) | 1998-12-08 | 2002-04-09 | Visa International Service Association | Computer network intrusion detection |
US6301668B1 (en) * | 1998-12-29 | 2001-10-09 | Cisco Technology, Inc. | Method and system for adaptive network security using network vulnerability assessment |
US6487666B1 (en) | 1999-01-15 | 2002-11-26 | Cisco Technology, Inc. | Intrusion detection signature analysis using regular expressions and logical operators |
US6374207B1 (en) | 1999-02-10 | 2002-04-16 | International Business Machines Corporation | Methods, data structures, and computer program products for representing states of interaction in automatic host access and terminal emulation using scripts |
US6418446B1 (en) | 1999-03-01 | 2002-07-09 | International Business Machines Corporation | Method for grouping of dynamic schema data using XML |
US6405318B1 (en) | 1999-03-12 | 2002-06-11 | Psionic Software, Inc. | Intrusion detection system |
US6446110B1 (en) | 1999-04-05 | 2002-09-03 | International Business Machines Corporation | Method and apparatus for representing host datastream screen image information using markup languages |
US7188168B1 (en) * | 1999-04-30 | 2007-03-06 | Pmc-Sierra, Inc. | Method and apparatus for grammatical packet classifier |
US6408311B1 (en) | 1999-06-30 | 2002-06-18 | Unisys Corp. | Method for identifying UML objects in a repository with objects in XML content |
US6763499B1 (en) * | 1999-07-26 | 2004-07-13 | Microsoft Corporation | Methods and apparatus for parsing extensible markup language (XML) data streams |
US6684335B1 (en) | 1999-08-19 | 2004-01-27 | Epstein, Iii Edwin A. | Resistance cell architecture |
US6363489B1 (en) | 1999-11-29 | 2002-03-26 | Forescout Technologies Inc. | Method for automatic intrusion detection and deflection in a network |
US6721727B2 (en) | 1999-12-02 | 2004-04-13 | International Business Machines Corporation | XML documents stored as column data |
US6772413B2 (en) | 1999-12-21 | 2004-08-03 | Datapower Technology, Inc. | Method and apparatus of data exchange using runtime code generator and translator |
US6697950B1 (en) | 1999-12-22 | 2004-02-24 | Networks Associates Technology, Inc. | Method and apparatus for detecting a macro computer virus using static analysis |
US6295276B1 (en) * | 1999-12-31 | 2001-09-25 | Ragula Systems | Combining routers to increase concurrency and redundancy in external network access |
US20020073091A1 (en) | 2000-01-07 | 2002-06-13 | Sandeep Jain | XML to object translation |
US20020108059A1 (en) | 2000-03-03 | 2002-08-08 | Canion Rodney S. | Network security accelerator |
US7159237B2 (en) | 2000-03-16 | 2007-01-02 | Counterpane Internet Security, Inc. | Method and system for dynamic network intrusion monitoring, detection and response |
US6768716B1 (en) * | 2000-04-10 | 2004-07-27 | International Business Machines Corporation | Load balancing system, apparatus and method |
JP2001296881A (en) | 2000-04-14 | 2001-10-26 | Sony Corp | Device and method for information processing and recording medium |
WO2001090921A2 (en) * | 2000-05-25 | 2001-11-29 | Kanisa, Inc. | System and method for automatically classifying text |
US7496637B2 (en) | 2000-05-31 | 2009-02-24 | Oracle International Corp. | Web service syndication system |
US7007301B2 (en) | 2000-06-12 | 2006-02-28 | Hewlett-Packard Development Company, L.P. | Computer architecture for an intrusion detection system |
AUPQ849500A0 (en) | 2000-06-30 | 2000-07-27 | Canon Kabushiki Kaisha | Hash compact xml parser |
FR2811782B1 (en) | 2000-07-12 | 2003-09-26 | Jaxo Europ | DOCUMENT CONVERSION SYSTEM WITH TREE STRUCTURE BY SELECTIVE PATHWAY OF SAID STRUCTURE |
US20020035619A1 (en) | 2000-08-02 | 2002-03-21 | Dougherty Carter D. | Apparatus and method for producing contextually marked-up electronic content |
CN1195278C (en) | 2000-08-02 | 2005-03-30 | 菲利普·库特 | XML-robot |
US20020120697A1 (en) | 2000-08-14 | 2002-08-29 | Curtis Generous | Multi-channel messaging system and method |
US7475405B2 (en) | 2000-09-06 | 2009-01-06 | International Business Machines Corporation | Method and system for detecting unusual events and application thereof in computer intrusion detection |
US6799248B2 (en) | 2000-09-11 | 2004-09-28 | Emc Corporation | Cache management system for a network data node having a cache memory manager for selectively using different cache management methods |
US8108543B2 (en) | 2000-09-22 | 2012-01-31 | Axeda Corporation | Retrieving data from a server |
US7225467B2 (en) | 2000-11-15 | 2007-05-29 | Lockheed Martin Corporation | Active intrusion resistant environment of layered object and compartment keys (airelock) |
US7213265B2 (en) | 2000-11-15 | 2007-05-01 | Lockheed Martin Corporation | Real time active network compartmentalization |
US20020099734A1 (en) | 2000-11-29 | 2002-07-25 | Philips Electronics North America Corp. | Scalable parser for extensible mark-up language |
US6687897B2 (en) | 2000-12-01 | 2004-02-03 | Microsoft Corporation | XML based script automation |
US6754785B2 (en) | 2000-12-01 | 2004-06-22 | Yan Chiew Chow | Switched multi-channel network interfaces and real-time streaming backup |
US7146334B2 (en) * | 2000-12-08 | 2006-12-05 | Xerox Corporation | System and method of determining latent demand for at least one of a plurality of commodities |
US20020152244A1 (en) | 2000-12-22 | 2002-10-17 | International Business Machines Corporation | Method and apparatus to dynamically create a customized user interface based on a document type definition |
US6671689B2 (en) | 2001-01-19 | 2003-12-30 | Ncr Corporation | Data warehouse portal |
EP1225516A1 (en) | 2001-01-22 | 2002-07-24 | Sun Microsystems, Inc. | Storing data of an XML-document in a relational database |
US6959416B2 (en) | 2001-01-30 | 2005-10-25 | International Business Machines Corporation | Method, system, program, and data structures for managing structured documents in a database |
US20020116644A1 (en) | 2001-01-30 | 2002-08-22 | Galea Secured Networks Inc. | Adapter card for wirespeed security treatment of communications traffic |
US6850515B2 (en) * | 2001-01-30 | 2005-02-01 | The Regents Of The University Of California | Optical layer multicasting using a single sub-carrier header and a multicast switch with active header insertion via light circulation |
US6631379B2 (en) | 2001-01-31 | 2003-10-07 | International Business Machines Corporation | Parallel loading of markup language data files and documents into a computer database |
US20020111963A1 (en) | 2001-02-14 | 2002-08-15 | International Business Machines Corporation | Method, system, and program for preprocessing a document to render on an output device |
US7194683B2 (en) | 2001-03-02 | 2007-03-20 | International Business Machines Corporation | Representing and managing dynamic data content for web documents |
US6862588B2 (en) | 2001-07-25 | 2005-03-01 | Hewlett-Packard Development Company, L.P. | Hybrid parsing system and method |
US20020010715A1 (en) | 2001-07-26 | 2002-01-24 | Garry Chinn | System and method for browsing using a limited display device |
US20030041302A1 (en) | 2001-08-03 | 2003-02-27 | Mcdonald Robert G. | Markup language accelerator |
US7024351B2 (en) * | 2001-08-21 | 2006-04-04 | Microsoft Corporation | Method and apparatus for robust efficient parsing |
US20030229846A1 (en) | 2002-06-07 | 2003-12-11 | Anil Sethi | System and method for capturing digital data directly from an electronic device and processing the data into XML form on a computer chip |
US7639257B2 (en) * | 2002-07-31 | 2009-12-29 | Adobe Systems Incorporated | Glyphlets |
US7493603B2 (en) * | 2002-10-15 | 2009-02-17 | International Business Machines Corporation | Annotated automaton encoding of XML schema for high performance schema validation |
US20070061884A1 (en) * | 2002-10-29 | 2007-03-15 | Dapp Michael C | Intrusion detection accelerator |
US7080094B2 (en) * | 2002-10-29 | 2006-07-18 | Lockheed Martin Corporation | Hardware accelerated validating parser |
US20040083466A1 (en) * | 2002-10-29 | 2004-04-29 | Dapp Michael C. | Hardware parser accelerator |
US7146643B2 (en) * | 2002-10-29 | 2006-12-05 | Lockheed Martin Corporation | Intrusion detection accelerator |
AU2003277247A1 (en) * | 2003-02-28 | 2004-09-28 | Lockheed Martin Corporation | Hardware accelerator state table compiler |
US20040194016A1 (en) * | 2003-03-28 | 2004-09-30 | International Business Machines Corporation | Dynamic data migration for structured markup language schema changes |
US7774386B2 (en) * | 2003-07-24 | 2010-08-10 | International Business Machines Corporation | Applying abstraction to object markup definitions |
US7437374B2 (en) * | 2004-02-10 | 2008-10-14 | International Business Machines Corporation | Efficient XML schema validation of XML fragments using annotated automaton encoding |
US20050177578A1 (en) * | 2004-02-10 | 2005-08-11 | Chen Yao-Ching S. | Efficient type annontation of XML schema-validated XML documents without schema validation |
-
2001
- 2001-10-11 US US09/973,769 patent/US7225467B2/en not_active Expired - Fee Related
-
2002
- 2002-08-07 WO PCT/US2002/024997 patent/WO2003032608A1/en active IP Right Grant
- 2002-08-07 EP EP02759285A patent/EP1435161A1/en not_active Withdrawn
- 2002-08-07 JP JP2003535440A patent/JP2005535150A/en active Pending
- 2002-08-07 AU AU2002324631A patent/AU2002324631B2/en not_active Ceased
- 2002-08-07 CA CA002463054A patent/CA2463054A1/en not_active Abandoned
-
2007
- 2007-05-15 US US11/798,580 patent/US20080209560A1/en not_active Abandoned
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002095543A2 (en) * | 2001-02-06 | 2002-11-28 | En Garde Systems | Apparatus and method for providing secure network communication |
Non-Patent Citations (4)
Title |
---|
FRASER T ET AL: "Hardening COTS software with generic software wrappers", DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION, 2000. DISCEX '00. PROCEEDINGS HILTON HEAD, SC, USA 25-27 JAN. 2000, LAS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, 25 January 2000 (2000-01-25), pages 323 - 337, XP010371134, ISBN: 0-7695-0490-6 * |
NEUMANN M: "Encryption Black Box (SiNic)", ESNET STEERING COMMITTEE MEETING, 11 September 2001 (2001-09-11) - 13 September 2001 (2001-09-13), Santa Fe (US), XP002228417, Retrieved from the Internet <URL:http://www.hep.anl.gov/may/ESSC/Sep2001meeting/Newman-SiNic-SBIRKickoff1.ppt> [retrieved on 20030123] * |
PAL P P ET AL: "Open implementation toolkit for building survivable applications", DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION, 2000. DISCEX '00. PROCEEDINGS HILTON HEAD, SC, USA 25-27 JAN. 2000, LAS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, 25 January 2000 (2000-01-25), pages 197 - 210, XP010371131, ISBN: 0-7695-0490-6 * |
ZADOK E: "Stackable File Systems as a Security Tool", TECHNICAL REPORT CUCS-036-99, December 1999 (1999-12-01), XP002228299, Retrieved from the Internet <URL:http://www.cs.columbia.edu/~ezk/research/security/security.pdf> [retrieved on 20030121] * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006086824A (en) * | 2004-09-16 | 2006-03-30 | Fuji Electric Holdings Co Ltd | Information medium and security system |
Also Published As
Publication number | Publication date |
---|---|
US20080209560A1 (en) | 2008-08-28 |
AU2002324631B2 (en) | 2007-04-26 |
US7225467B2 (en) | 2007-05-29 |
CA2463054A1 (en) | 2003-04-17 |
JP2005535150A (en) | 2005-11-17 |
US20020066035A1 (en) | 2002-05-30 |
EP1435161A1 (en) | 2004-07-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7225467B2 (en) | Active intrusion resistant environment of layered object and compartment keys (airelock) | |
AU2002324631A1 (en) | Active intrusion resistant environment of layered object and compartment keys | |
US7213265B2 (en) | Real time active network compartmentalization | |
Chica et al. | Security in SDN: A comprehensive survey | |
Scott-Hayward et al. | A survey of security in software defined networks | |
Akhunzada et al. | Securing software defined networks: taxonomy, requirements, and open issues | |
Correia et al. | The design of a COTS real-time distributed security kernel | |
US8356349B2 (en) | Method and system for intrusion prevention and deflection | |
US9043589B2 (en) | System and method for safeguarding and processing confidential information | |
US7930745B2 (en) | Network security system and method | |
Bian et al. | A survey on software-defined networking security | |
Rao et al. | Intrusion detection and prevention systems | |
Cisco | Security Configuration Guide Cisco IOS Release 11.3 | |
Vokorokos et al. | Security of distributed intrusion detection system based on multisensor fusion | |
US8856882B2 (en) | Method of management in security equipment and security entity | |
KR20200098181A (en) | Network security system by integrated security network card | |
KR20050016284A (en) | Active intrusion resistant environment of layered object and compartment keys | |
Sharma et al. | Security Enhancement in Software Defined Networking (SDN): A Threat Model | |
CN114301693B (en) | Hidden channel security defense system for cloud platform data | |
Hofmann et al. | Towards a security architecture for IP-based optical transmission systems | |
Gaur et al. | Enhanced Framework for Energy Conservation and Overcoming Security Threats for Software-Defined Networks | |
Levitt et al. | Common Techniques Panel: Common Techniques in Fault-Tolerance and Security | |
Sharma | Cross-layer design in Software Defined Networks (SDNs): issues and possible solutions. | |
CA2156015A1 (en) | Computer firewall for use between a secure network and a potentially hostile network | |
CN114499817A (en) | Safety protection method facing OPC-UA protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EC EE ES FI GB GD GE GH HR HU ID IL IN IS JP KE KG KP KR LC LK LR LS LT LU LV MA MD MG MN MW MX MZ NO NZ OM PH PL PT RU SD SE SG SI SK SL TJ TM TN TR TZ UA UG UZ VN YU ZA ZM |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2002324631 Country of ref document: AU Ref document number: 2463054 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2003535440 Country of ref document: JP Ref document number: 1020047005326 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2002759285 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2002759285 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 2002324631 Country of ref document: AU |