skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Intrusion detection using secure signatures

Abstract

A method and device for intrusion detection using secure signatures comprising capturing network data. A search hash value, value employing at least one one-way function, is generated from the captured network data using a first hash function. The presence of a search hash value match in a secure signature table comprising search hash values and an encrypted rule is determined. After determining a search hash value match, a decryption key is generated from the captured network data using a second hash function, a hash function different form the first hash function. One or more of the encrypted rules of the secure signatures table having a hash value equal to the generated search hash value are then decrypted using the generated decryption key. The one or more decrypted secure signature rules are then processed for a match and one or more user notifications are deployed if a match is identified.

Inventors:
;
Publication Date:
Research Org.:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1159917
Patent Number(s):
8,850,583
Application Number:
13/785,349
Assignee:
U.S. Department of Energy (Washington, DC) IDO
DOE Contract Number:
AC07-05ID14517
Resource Type:
Patent
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING

Citation Formats

Nelson, Trent Darnel, and Haile, Jedediah. Intrusion detection using secure signatures. United States: N. p., 2014. Web.
Nelson, Trent Darnel, & Haile, Jedediah. Intrusion detection using secure signatures. United States.
Nelson, Trent Darnel, and Haile, Jedediah. Tue . "Intrusion detection using secure signatures". United States. doi:. https://www.osti.gov/servlets/purl/1159917.
@article{osti_1159917,
title = {Intrusion detection using secure signatures},
author = {Nelson, Trent Darnel and Haile, Jedediah},
abstractNote = {A method and device for intrusion detection using secure signatures comprising capturing network data. A search hash value, value employing at least one one-way function, is generated from the captured network data using a first hash function. The presence of a search hash value match in a secure signature table comprising search hash values and an encrypted rule is determined. After determining a search hash value match, a decryption key is generated from the captured network data using a second hash function, a hash function different form the first hash function. One or more of the encrypted rules of the secure signatures table having a hash value equal to the generated search hash value are then decrypted using the generated decryption key. The one or more decrypted secure signature rules are then processed for a match and one or more user notifications are deployed if a match is identified.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Tue Sep 30 00:00:00 EDT 2014},
month = {Tue Sep 30 00:00:00 EDT 2014}
}

Patent:

Save / Share:
  • This paper describes our technical approach to developing and delivering Unix host- and network-based security products to meet the increasing challenges in information security. Today`s global ``Infosphere`` presents us with a networked environment that knows no geographical, national, or temporal boundaries, and no ownership, laws, or identity cards. This seamless aggregation of computers, networks, databases, applications, and the like store, transmit, and process information. This information is now recognized as an asset to governments, corporations, and individuals alike. This information must be protected from misuse. The Security Profile Inspector (SPI) performs static analyses of Unix-based clients and servers to checkmore » on their security configuration. SPI`s broad range of security tests and flexible usage options support the needs of novice and expert system administrators alike. SPI`s use within the Department of Energy and Department of Defense has resulted in more secure systems, less vulnerable to hostile intentions. Host-based information protection techniques and tools must also be supported by network-based capabilities. Our experience shows that a weak link in a network of clients and servers presents itself sooner or later, and can be more readily identified by dynamic intrusion detection techniques and tools. The Network Intrusion Detector (NID) is one such tool. NID is designed to monitor and analyze activity on an Ethernet broadcast Local Area Network segment and produce transcripts of suspicious user connections. NID`s retrospective and real-time modes have proven invaluable to security officers faced with ongoing attacks to their systems and networks.« less
  • The various technologies presented herein relate to the determination of unexpected and/or malicious activity occurring between components communicatively coupled across a backplane. Control data, etc., can be intercepted at a backplane where the backplane facilitates communication between a controller and at least one device in an automation process. During interception of the control data, etc., a copy of the control data can be made, e.g., the original control data can be replicated to generate a copy of the original control data. The original control data can continue on to its destination, while the control data copy can be forwarded tomore » an analyzer system to determine whether the control data contains a data anomaly. The content of the copy of the control data can be compared with a previously captured baseline data content, where the baseline data can be captured for a same operational state as the subsequently captured control data.« less
  • A computer implemented method detects intrusions using a computer by analyzing network traffic. The method includes a semi-supervised learning module connected to a network node. The learning module uses labeled and unlabeled data to train a semi-supervised machine learning sensor. The method records events that include a feature set made up of unauthorized intrusions and benign computer requests. The method identifies at least some of the benign computer requests that occur during the recording of the events while treating the remainder of the data as unlabeled. The method trains the semi-supervised learning module at the network node in-situ, such thatmore » the semi-supervised learning modules may identify malicious traffic without relying on specific rules, signatures, or anomaly detection.« less
  • Apparatus and method for secure communication between an earth station and spacecraft. A laser outputs single pulses that are split into preceding bright pulses and delayed attenuated pulses, and polarized. A Pockels cell changes the polarization of the polarized delayed attenuated pulses according to a string of random numbers, a first polarization representing a "1," and a second polarization representing a "0." At the receiving station, a beamsplitter randomly directs the preceding bright pulses and the polarized delayed attenuated pulses onto longer and shorter paths, both terminating in a beamsplitter which directs the preceding bright pulses and a first portionmore » of the polarized delayed attenuated pulses to a first detector, and a second portion of the polarized delayed attenuated pulses to a second detector to generate a key for secure communication between the earth station and the spacecraft.« less
  • Apparatus and method for secure communication between an earth station and spacecraft. A laser outputs single pulses that are split into preceding bright pulses and delayed attenuated pulses, and polarized. A Pockels cell changes the polarization of the polarized delayed attenuated pulses according to a string of random numbers, a first polarization representing a 1, and a second polarization representing a 0. At the receiving station, a beamsplitter randomly directs the preceding bright pulses and the polarized delayed attenuated pulses onto longer and shorter paths, both terminating in a beamsplitter which directs the preceding bright pulses and a first portionmore » of the polarized delayed attenuated pulses to a first detector, and a second portion of the polarized delayed attenuated pulses to a second detector to generate a key for secure communication between the earth station and the spacecraft.« less