Dynamic defense and network randomization for computer systems

Title: Dynamic defense and network randomization for computer systems

Full Record
Other Related Research

The various technologies presented herein relate to determining a network attack is taking place, and further to adjust one or more network parameters such that the network becomes dynamically configured. A plurality of machine learning algorithms are configured to recognize an active attack pattern. Notification of the attack can be generated, and knowledge gained from the detected attack pattern can be utilized to improve the knowledge of the algorithms to detect a subsequent attack vector(s). Further, network settings and application communications can be dynamically randomized, wherein artificial diversity converts control systems into moving targets that help mitigate the early reconnaissance stages of an attack. An attack(s) based upon a known static address(es) of a critical infrastructure network device(s) can be mitigated by the dynamic randomization. Network parameters that can be randomized include IP addresses, application port numbers, paths data packets navigate through the network, application randomization, etc.

Inventors:: Chavez, Adrian R.; Stout, William M. S.; Hamlet, Jason R.; Lee, Erik James; Martin, Mitchell Tyler

Issue Date:: 2018-05-29

OSTI Identifier:: 1452909

Assignee:: National Technology & Engineering Solutions of Sandia, LLC (Albuquerque, NM) SNL-A

Patent Number(s):: 9,985,984

Application Number:: 14/923,049

Contract Number:: AC04-94AL85000

Resource Relation:: Patent File Date: 2018 May 29

Research Org:: Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)

Sponsoring Org:: USDOE

Country of Publication:: United States

Language:: English

Subject:: 97 MATHEMATICS AND COMPUTING

Full Text
View Full Text

Have feedback or suggestions for a way to improve these results? !

Save / Share this Record no
Export Metadata
- Endnote
- RIS
- Excel
- CSV
- XML
Send to Email

Send to Email

Email address:

Content:

Similar Records

Similar records in DOepatents and OSTI.GOV collections:

Computer network defense system

Patent Urias, Vincent ; Stout, William M. S. ; Loverro, Caleb

A method and apparatus for protecting virtual machines. A computer system creates a copy of a group of the virtual machines in an operating network in a deception network to form a group of cloned virtual machines in the deception network when the group of the virtual machines is accessed by an adversary. The computer system creates an emulation of components from the operating network in the deception network. The components are accessible by the group of the cloned virtual machines as if the group of the cloned virtual machines was in the operating network. The computer system moves networkmore »« less
Full Text Available August 2017
Methods, systems, and computer program products for network firewall policy optimization

Patent Fulp, Errin W ; Tarsa, Stephen J

Methods, systems, and computer program products for firewall policy optimization are disclosed. According to one method, a firewall policy including an ordered list of firewall rules is defined. For each rule, a probability indicating a likelihood of receiving a packet matching the rule is determined. The rules are sorted in order of non-increasing probability in a manner that preserves the firewall policy.
Full Text Available October 2011
Method, systems, and computer program products for implementing function-parallel network firewall

Patent Fulp, Errin W ; Farley, Ryan J

Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all ofmore » the rules in the rule set.« less
Full Text Available October 2011
Co-scheduling of network resource provisioning and host-to-host bandwidth reservation on high-performance network and storage systems

Patent Yu, Dantong ; Katramatos, Dimitrios ; Sim, Alexander ; Shoshani, Arie

A cross-domain network resource reservation scheduler configured to schedule a path from at least one end-site includes a management plane device configured to monitor and provide information representing at least one of functionality, performance, faults, and fault recovery associated with a network resource; a control plane device configured to at least one of schedule the network resource, provision local area network quality of service, provision local area network bandwidth, and provision wide area network bandwidth; and a service plane device configured to interface with the control plane device to reserve the network resource based on a reservation request and themore »« less
Full Text Available April 2014
Signaling communication events in a computer network

Patent Bender, Carl A. ; DiNicola, Paul D. ; Gildea, Kevin J. ; Govindaraju, Rama K. ; Kim, Chulho ; Mirza, Jamshed H. ; Shah, Gautam H. ; Nieplocha, Jaroslaw

A method, apparatus and program product for detecting a communication event in a distributed parallel data processing system in which a message is sent from an origin to a target. A low-level application programming interface (LAPI) is provided which has an operation for associating a counter with a communication event to be detected. The LAPI increments the counter upon the occurrence of the communication event. The number in the counter is monitored, and when the number increases, the event is detected. A completion counter in the origin is associated with the completion of a message being sent from the originmore »« less
Full Text Available January 2000