KR20170085529A - Autonomous systems and methods for secure access - Google Patents

Abstract

The protected electronic access may be provided by receiving at least one electronic certificate from an electronic device seeking access to the secure resource in a protected device comprising at least one secure processor, Provide device information related to security; And comparing the device information and the security requirement information by at least one autonomous processor of the autonomous control system. The at least one autonomic processor may include instructing the at least one secure processor to provide security resources to the device when the device information matches the security requirement information. In response to the command, the protected device may provide security resources to the electronic device.

Description

[0001] AUTONOMOUS SYSTEMS AND METHODS FOR SECURE ACCESS FOR SECURITY ACCESS [0002]

This application claims priority from U.S. Provisional Application No. 62 / 078,137, entitled " Autonomous System for Secure Electronic System Access, " filed November 11, 2014, the entirety of which is incorporated herein by reference. This disclosure also incorporates U.S. Patent Application Serial No. 14 / 523,577, filed October 14, 2014, and U.S. Patent Application No. 14 / 634,562, the entireties of which are incorporated herein by reference.

Electronic, mechanical, chemical and biochemical systems can have a series of conditions or states that can lead to catastrophic failure. These fatal conditions can arise from internal natural forces, external accidental forces, or unexpected hostile forces outside. In an industrial system, a remote control and monitoring type of operating device or system may have a malfunction that can be tolerated by the control system as a result of muldunction, user error or malicious or hostile behavior. The actuation device may accept or execute such an instruction or out-of-boundary signal that an entire associated system may be corrupted, degraded, or destroyed from an induced state, such as an instruction, or an out-bound signal. For example, the induced harmful condition may be too fast or slow process speed, too late opening or too tight closing, too high or too slow pressure or temperature. Many devices may lack their own internal safeguards to physically or electronically prevent out-of-limit operation.

The systems and methods described herein can provide autonomous control that can monitor and change or block input and / or output signals in connection with business and / or security rules to protect system critical components. Signal changes and / or interrupts can ensure that out-of-bound connections between devices or systems or within them do not occur to prevent or minimize unwanted system effects, or occur only during negligible times. (The connection state can be any sensed signal level or command between two or more devices or systems at a specific instant in time at the physical layer level. The physical layer may be, for example, a device or a system It may be the lowest hardware layer.) If a signal that violates a rule is detected, an autonomous control system (e.g., a circuit) may block the violation signal by internally turning these devices or systems off. This circuit may instead send a no signal or failsafe signal to the protection system, which may be any device (DUP) or system under protection by an autonomous control system. The circuitry may be configured for use with a legacy system, for example, by designing a system upgrade or retrofitting the system.

In some embodiments, autonomous control may be based on a quantum security model (QSM). QSM is a security measurement and comparison methodology. QSM can provide a canonicalization methodology that allows systems to be disassembled and interdependencies to be understood and measured more accurately by evaluating the first components in a consistent manner. The QSM provides a way to normalize the final evaluation of the first component to a quantifiable score. The Q SM allows a resource owner to specify what evaluation (signing) organizations are aware of and accepting. The QSM method can be used to evaluate both the current and anticipated future security status of the system or device. The QSM can allow an individual resource owner to specify and verify the security score of an asset before allowing access. QSM has the ability to operate to mutually authenticate assets before they share resources or services.

A common measurement can be achieved through an evaluation process performed on a device, system or entity ("asset") in the QSM, where the agreed renewable, independently verifiable security level determination is required. ("qS"), and the quantum security unit pronounced as ("qSec") may be a standard unit of measurement for security of the system based on QSM. qSec is a time value similar to the position of a particle in quantum physics so that it can be optimally evaluated and optimally known only at the moment the measurement is performed by the observer. After the measurement, the position of the particles can only be measured with a certain degree of accuracy with deterioration with time. The quantum measure qSec can share this property. It is assumed that the system can be viewed as a waveform system in terms of security security and quantum mechanics can be applied. System security is a characteristic of this system. Depending on the normal function and operation of the system and its environment, the passage of time can have an impact on the security of the system. As a result, the security of the system can be dynamic and the known state of security can be naturally temporary. Thus, the system can be expressed as a waveform system and the system security as a quantum characteristic. Similar to the position of the particle, the security of the system can be defined to be quantifiable using the principle of quantum mechanics for measurement. The measurement result may provide a security measure expressed as a quantum security unit, where a zero value indicates that the system is completely free of any security, and increasing the value increases security.

The value represented by a qSec can be derived from the criteria that must be evaluated during the system security measurement process. Each criterion may have a range of common values associated with their impact on security. Each criterion may also have a corresponding evaluation process that produces results within that range. The reference weighting method may be applied to each criterion and the common value range may be a security value scale for what the quantum security measure indicated as qSec represents. For example, the qSec value may represent a unique value in matrix dynamics. Different observers at different time periods may interpret this value differently in their viewpoints and may wish to apply their own probability filters to the qSec value or to perform their own measurement process to determine the qSec value of the system have. The value can thus be predetermined to use qSec measurements in a meaningful manner when classifying system security. This pre-decision can be performed automatically, can be set by the user, and / or can be set at system initialization or before.

The systems and methods described herein may include one or more computers, which may also be referred to as processors. The computer may be a programmable machine or machines capable of performing arithmetic and / or logic operations. In some embodiments, the computer may include a processor, a memory, a data storage device, and / or other generally known or new components. The computer may also include software that directly directs the operation of the components described above. The computer can be referenced by terms commonly used by those skilled in the art in related arts such as servers, PCs, mobile devices, routers, switches, data sensors, distributed computers and other forms. The computer can facilitate communication between users and / or other computers, provide a database, perform analysis and / or modification of data, and / or perform other functions. It will be understood by those skilled in the art that the terms used herein are interchangeable and that any computer capable of performing the described functions may be used. The computers may be interconnected via a network or networks. Networks can communicate with each other. Those skilled in the art will appreciate that connections between computers may in some cases be wired (e.g., Ethernet, coaxial, optical or other wired connection) or wireless (e.g., Wi-Fi, WiMax, It will be appreciated. Connection between computers can use any protocol such as connection oriented protocol such as TCP or connectionless protocol such as UDP. Any connection over which at least two computers can exchange data may be network based.

In some embodiments, the computer used in the described systems and methods may be a special purpose computer specifically configured for autonomic security. For example, the server may comprise specialized processors, memory, communication components, etc., which are configured to work together to perform functions related to an autonomous security electronic system as described in detail below.

1 shows a protection system, an autonomous control system and an input device according to an embodiment of the present invention.
Figure 2 illustrates a serial interfaced autonomous control system in accordance with an embodiment of the present invention.
3 is a flow chart describing a control method according to an embodiment of the present invention.
4 illustrates a serial-interfaced autonomous control system in accordance with an embodiment of the present invention.
5 is a schematic diagram illustrating operation of a serially interfaced autonomous control system in accordance with one embodiment of the present invention.
Figure 6 illustrates a serial interfaced autonomous control system in accordance with an embodiment of the present invention.
FIG. 7 illustrates a parallel-interfaced autonomous control system in accordance with an embodiment of the present invention.
Figure 8 illustrates a parallel-interfaced autonomous control system in accordance with an embodiment of the present invention.
9 is a schematic diagram illustrating the operation of a parallel-interfaced autonomous control system in accordance with an embodiment of the present invention.
Figure 10 illustrates a serial and parallel interfaced autonomous control system in accordance with one embodiment of the present invention.
Figure 11 illustrates an autonomous control system including a communication bus in accordance with an embodiment of the present invention.
12 illustrates an autonomous control system including a semiconductor multi-chip module according to an embodiment of the present invention.
Figure 13 illustrates an autonomous control system mounted externally on an interposer PCB according to an embodiment of the present invention.
FIG. 14 is a flow chart illustrating an anti-tamper feature of an automatic control system according to an embodiment of the present invention.
15 is a diagram illustrating a process flow using an autonomous control system as a system service for a host CPUDP for secure co-processing according to an embodiment of the present invention.
16 illustrates a security module according to an embodiment of the present invention.
17 shows a security score fetcher according to an embodiment of the present invention.
18 shows an asset according to an embodiment of the present invention.
Figure 19 illustrates an asset assessment in accordance with an embodiment of the present invention.
20-23 illustrate asset subdivisions according to an embodiment of the present invention.
4 illustrates a basic score security certificate according to an embodiment of the present invention.
25 illustrates a basic score security certificate according to an embodiment of the present invention.
26 illustrates a security score deterioration according to an embodiment of the present invention.
27 illustrates a security requirement certificate according to an embodiment of the present invention.
28 illustrates a basic score security certificate according to an embodiment of the present invention.
29 illustrates a security requirement certificate according to an embodiment of the present invention.
30 shows a normalized security score comparison according to an embodiment of the present invention.
31 illustrates a normalized security score comparison according to an embodiment of the present invention.
32 illustrates security verification in accordance with an embodiment of the present invention.
33 illustrates a security comparison according to an embodiment of the present invention.
Figure 34 illustrates security verification in accordance with an embodiment of the present invention.
Figure 35 illustrates security cross-validation in accordance with an embodiment of the present invention.
Figure 36 illustrates network access verification with reassessment in accordance with an embodiment of the present invention.
37 illustrates network access verification with fallback network access according to one embodiment of the present invention.
38 illustrates client side network access verification in accordance with an embodiment of the present invention.

Autonomous control system and method

FIG. 1 illustrates a protection system 2100, which is capable of communicating with an input device 2102. FIG. The input device 2102 sends a signal to and / or receives a signal from the protection system 2100. The input device may be, for example, an analog or digital signal port, a control knob, a touch display, a keyboard, a mouse and / or some other peripheral device. The input device 2102 may be a host device for the protection system 2100 or a device on a network. An autonomous control system 2104, which may be referred to as a dedicated monitoring and operation device (DMAD), may be located in series between the input device 2102 and the protection system 2100 and / 2102, respectively. As described in detail below, the autonomous control system 2104 in various embodiments may include electronic circuits, processors and memories configured to execute software, or a combination thereof. The autonomic control system 2104 may be internally secure (e.g., including encryption and anti-tamper capabilities). The autonomic control system 2104 may also be represented in series or in parallel between the input device / host 2102 and the protection system 2100 for bi-directional data flow, Monitor the input signal and also monitor the output signal coming from the protection system 2100.

In some embodiments, the autonomous control system 2104 may generate a deterministic race condition to enforce the rule. A critical race condition may be an intentionally induced race condition between the injected signal and the incoming signal so that the injected signal has a high level of confidence that affects the output. Since signals that violate the rules appear on the data bus to or from the protection system, the autonomous control system 2104 may compete to detect violations and may switch off the signal internally, , Or may attempt to change the signal if it is interfaced in parallel. The incoming and / or outgoing signals may be buffered to provide more detection time and may ensure that only valid signals to or from the protection system 2100 are transmitted by the autonomous control system 2104.

In some embodiments, the autonomous control system 2104 may be physically specified in the protection system 2100, or may be implemented as a silicon die-on die, an integrated circuit package on package, a modular system module on module, an optical fiber, , Printed circuit board traces, quantum entanglement, or in various ways, such as by molecular, thermal, atomic or chemical bonding, to the protection system 2100 or to the control device.

In some embodiments, autonomous control system 2104 may be implemented in one or more devices or systems (e.g., input device 2102 and protection system 2100) in serial, parallel, or both serial and parallel manner And may include a physical interface for connection. Each physical connection type may have a different set of design considerations and tradeoffs in a given application and may also have a system type such as organic, electronic or radio frequency. For example, in an electronic system, voltage interface level, signal integrity, drive strength, anti-tamper and / or induced propagation delay can be evaluated to determine the connection method.

In some embodiments, the autonomous control system 2104 may be a computer system having an anti-tamper feature and a cryptographic memory storage device that may be designed, programmed and positioned to autonomously enforce specific security and business rules on a host system or device Lt; / RTI > The autonomous control system 2104 may include components such as processing logic, memory storage devices, input / output buffers, communication ports, and / or reprogramming ports. The autonomic control system 2104 can constantly analyze connection status in real time between any number of devices or systems and enforce predefined business and security rules. When an out-of-limit condition is detected, the autonomous control system 2104 may block or disable the prohibited connection state or change it to a known good state. Similar methods can be applied, for example, to electrical, optical, electromechanical, electromagnetic, thermal, biochemical, chemical, molecular, gravity, atomic, or quantum mechanical systems.

In some embodiments, the autonomous control system 2104 may include a programmable device that can be programmed to act critically autonomously in response to a stimulus. For example, the autonomous control system 2104 may be a field programmable gate array (FPGA), a microcontroller (MCU), a microprocessor (MPU), a software defined radio, an electronic optics, a quantum computing device, Programmable biochemical viruses can be included. The autonomous control system 2104 may be implemented using any of a variety of communication technologies including, but not limited to, a silicon die-on die, an integrated circuit package on package, a modularized system module on module, an optical fiber, radio frequency, wired, printed circuit board trace, quantum entanglement, And may be physically connected by atoms or chemical means.

In some embodiments, the autonomous control system 2104 may be configured to provide an isolated (encryption) certificate from the protection system 2100 memory so that the system can be accessed or changed with stronger authentication methods and access controls than those provided by the protection system 2100. [ Or system logs) can be stored reliably. For example, the autonomous control system 2104 may be used by a computer system to enforce security to record the technology (e.g., the autonomous control system 2104 may be used to store a security certificate and the necessary information ). Moreover, the security score method may utilize the autonomous control system 2104 for validation / verification, authentication, and authorization of external resources based on security score information. The stored data may be used, for example, to verify security integrity in combination with other systems.

In some embodiments, the autonomous control system 2104 may include an electronic cryptographic public key infrastructure (PKI) within the electronic system to ensure integrity and authentication of, for example, internal system components, data and / ). ≪ / RTI > In addition, these certificates may be utilized for secure communications, thus ensuring confidentiality, integrity and / or certainty of the message. For example, an autonomic control system 2104 that implements and enforces an electronic encryption PKI may be a read-only memory (ROM) that includes a public key or globally unique identifier (GUID) that can be programmed at initial manufacture of the system, . ≪ / RTI > The private key may then be generated internally by the autonomous control system using, for example, RSA and X.509 certificates at the first boot-up of the autonomous control system 2104. This private key can then be used to generate a certificate request that can be signed by the manufacturer's certification authority (CA) or an authorized third-party CA. The signed certificate can be securely stored on the ROM of the autonomous control system 2104. This certificate can then be used to enable digital signing and encryption / decryption of the data. An autonomous control system 2104 implementing an electronic encryption PKI may be incorporated into the protection system 2100 that does not implement an electronic encryption PKI to add such capability. This may have the benefit of having a private key stored in a location inaccessible to the protection system 2100 for added security.

In some embodiments, the autonomous control system 2104 may be used with an electronic encryption PKI to validate that the internal protection system 2100 part is genuine, and may be used with other (internal protection components 2100 and / Device 2102) component may also implement a PKI such that the public key can be exchanged, stored and verified. If the protection system 2100 or the input device 2102 implementing the PKI has been tampered with a counterfeit version and this counterfeit version has been replaced, then the autonomic control system 2104 may determine that the signer of the counterfeit device is non- Since it is different from the signer, it is possible to detect the forged version.

In some embodiments, the autonomous control system 2104 utilizes an encryption method (such as PKI) to ensure data integrity within the protection system 2100 and other (e.g., external input device 2102) system components . The autonomous control system may also implement an encryption method that ensures that the data is not altered in any way. The integrity of the data can also be assured, since the creator of the data can prove or validate it. For example, the autonomous control system 2104 may encrypt the intended message for the perimeter and use the surrounding public key to verify the message received from the perimeter.

In some embodiments, the autonomic control system 2104 may implement an electronic encryption PKI and may also generate a signed hash of the virtual machine (or a part thereof) and store these hashes in a virtual machine and / but also the integrity and authenticity of the hypervisor (commonly referred to as a virtual system). The autonomic control system 2104 can then validate the authenticity and integrity of the virtual system by recalculating the hash and comparing it with the stored value. In addition, the autonomous control system 2104 may emulate the protection system 2100 in full or in a randomized period of time and / or a predetermined or randomized duration, 2100 in order to prevent the effect on the protection system 2100. This mode of operation may be used to give the attacker a successful impression, even for testing, or even if the malicious Internet was never activated in the protection system 2100. The autonomic control system 2104 may include aggressive means that may invalidate the threat when a prohibited connection state, command and / or sequence of commands is detected. For example, if an unauthorized connection is detected on the USB port, the autonomous control system 2104 may inject signals into the USB peripheral input device to damage or invalidate it.

In some embodiments, the autonomous control system 2104 may include an electronic circuit design on an integrated circuit chip that may be serially connected to the physical interface of a second integrated circuit chip in the controller in a manner that has negligible impact on system performance and functionality Lt; / RTI > At the same time, the first integrated circuit chip can prohibit any connection state to the second integrated circuit chip. This connection state may be the signal level at all connection points between two devices, such as the voltage level at all digital I / O connections at a given moment in time. Alternatively, the electronic device may be inserted or added on a signal interface that includes external or constant monitoring of some or all of the signal levels or states between the one or more electronic devices and the system, Occur only for a small amount of time such that no system effects occur or undesirable system effects occur. An electronic device that implements this method may be connected in serial, parallel, or both serial and parallel between one or more devices or systems, and may function independently or may be implemented by external mon- itoring and control Can function in conjunction with.

In some embodiments, the autonomous control system 2104 may operate based on a hardware-based serial "man inmiddle (MITM)." Communication between the protection system 2100 and the input device (e.g., a peripheral device) may be controlled by the monitoring logic of the autonomous control system 2104 detecting a preprogrammed forbidden signal pattern, detecting a packet, You can continue normally until you access it. If a forbidden signal is detected, the autonomous control system 2104 may invalidate the primary signal by selecting an alternative signal bus (i.e., a disturb bus). An alternate signal bus may be used to record, interfere, or otherwise entirely separate from the peripheral device. Alternate signal buses may be selected, for example, while communication with protection system 2100 is maintained to notify the protection system that it is under attack. An autonomous control system can maintain this communication using a multiplexer instantiation, represented by internal parameters, which are controlled by specific application monitoring and operation logic programmed into the protection system, for example.

Figure 2 illustrates one embodiment of an autonomous control system 2104 that includes a processor 200 and a memory 202 in tandem with an input device 2102 (not shown) and a protection system (not shown). The processor 200 may receive an input signal on a node 204 that may be connected to the input device 2102. The processor may generate an output signal on node 206 that may be routed to protection system 2100. The memory 202 may store the forbidden input signal state. The processor 200 may compare the input signal and the inhibited input signal state to generate a match signal or an unmatch signal. The input signal may be supplied to the protection system 2100 in response to an unmatch signal. An alternate input signal may be provided to the protection system 2100 in response to the match signal. The alternate input signal may be a signal that does not cause any damage to the protection system 2100. For example, the input to the protection system 2100 that is directed to the motor of the protection system to operate at full speed is not permitted because it is detrimental to certain process operations. When such an instruction is input from the input device 2102, the autonomous control system 2104 can intercept the signal and take an intermediate action to prevent the unauthorized state. In this example, the autonomous control system 2104 may exclusively perform rate selection control and may transmit appropriate signals to a protection system that maintains the previously authorized rate selection. In addition, the autonomous control system 2104 may generate a long entry to send an alert that an unauthorized connection has been attempted. The response of the autonomous control system 2104 is application dependent and can be preprogrammed. The autonomic control system 2104 may also be programmed to stop the physical process, for example, instead of maintaining the current speed.

3 is a flow chart describing a control method according to an embodiment of the present invention. This diagram shows the process flow of an example of the serial autonomous control system 2104 described above. The exemplary process flow may also be applied to additional serial and / or parallel autonomous control system embodiments described below, which include processor 200 and memory 202 of FIG. 2 . The autonomous control system 2104 may monitor the connection status 3405 between the protection system 2100 and the input device 2102. [ The state may be checked to determine whether the state is outside the boundary 3410 (e.g., the maximum speed command in the example of FIG. 2 described above). If the status is allowed, monitoring may continue normally (3405). If the state is outside the boundary, the autonomous control system 2104 can take action on the state (e.g., by setting the speed at a speed lower than the command speed or by commanding the protection system to maintain its current speed) (3415). The autonomic control system 2104 may determine whether the intervention is set or returned the protection system 2100 to an acceptable state 3420. [ For example, the autonomous control system 2104 may determine whether the motor has actually returned to a lower speed without corruption. If the protection system 2100 is OK, monitoring may continue normally (3405). However, in some cases, the protection system may not be able to return to an acceptable state. For example, a lock-controlled door (e.g., in a parallel arrangement as described below with respect to FIG. 7) before the protection system 2100 is locked and the autonomous control system 2104 intervenes It may already be open. Locking the lock again will not fix this state again. In this case, the protection system 2100 may be isolated from other external inputs so that a change may be generated (3425).

4 is a block diagram of an autonomous control system coupled to a serial interface between a protection system 2100 and an input device 2102, in accordance with an embodiment of the present invention. This embodiment functions similarly to the embodiment of FIG. 2 described above, but may include other elements in addition to and / or as an alternative to the processor 200 and the memory 202 within the autonomous control system 2104. In this example, autonomous control system 2104 may include a programmable logic device (PLD) or other device (e.g., circuit, processor, etc.) that provides monitoring logic 2140. The monitoring logic 2140 normally passes all signals between the protection system 2100 and the peripheral device via the bidirectional multiplexer 2160. The same signal may also be part of a PLD, circuit, or processor that provides monitoring logic 2140 or may include control logic 2150 that may be separate from the monitoring logic 2140 (e.g., a discrete PLD, circuit, processor, In the monitoring and operating circuit. The embodiment shown in this figure is a hardware based serial "man in the middle (MITM)" of the autonomous control system 2104. In this embodiment, communication between the protection system 2100 and the peripheral device 2102 can normally continue until the monitoring device 2140 detects an inhibited signal pattern, packet or access preprogrammed on the signal line. The control logic 2150 of the autonomous control device 2104 selects the alternate internal I / O bus (or interfering bus) for writing, interrupting, or disconnecting from the peripheral device 2102, / O bus can be completely disabled. This method may be implemented within the autonomic control system 2104 while communication is with the protection system 2100 to notify that the protection system 2100 is under attack. The autonomous control system 2104 may maintain this communication using a multiplexer instantiation represented by internal parameters, which may be controlled, for example, by application specific monitoring and operation logic programmed into the protection system 2100 do.

The autonomous control system 2104 of FIG. 4 may be serially connected in the physical layer between the connection peripheral device 2102, which may be inside or outside the protection system 2100, and the protection system 2100 CPU. The communication bus may pass through an autonomous control system 2104 including a monitored monitor logic 2140 and a MUX 2160 to detect signals that violate the rules for a given application. If such a signal is detected, the autonomous control system 2104 can stop these signals from reaching the protection system 2100, or at least prevent them from asserting in the protection system 2100 for an undesirable time during the process Can be prevented. In the example of FIG. 4, the bus A normally passes through the autonomous control system 2104 between the CPU 2100 and the peripheral device, and transfers signals to and from the protection system 2100 Receive. In this way, the bus A can pass through the output multiplexer of the autonomous control system 2104. Whether the bus A or B reaches the protection system 2100 can be determined by the "SO" control port of the multiplexer. When the SO port is logic 0, the bus A can pass. When the SO port is logic 1, the bus B can pass. The value of each line of bus B may be controlled by state machine control logic 2150 of autonomous control system 2104, which may be configured to enforce the rules. In this example, S0 may be assigned to logic one when all of the lines of bus A are high. The four input AND gate may toggle in response to switch SO to bus B. [ The AND gate can be a hardware gate, and the propagation time through the hardware AND gate can be almost nanoseconds, so that almost instantaneous switching can be performed. S0 may be directly controlled by state machine logic 2150 of autonomous control system 2104 via a two input OR gate providing S0. Multiple examples of the autonomous control system 2104 may be interposed between various inputs and / or outputs of the protection system 2100 and the device 2102 to enforce various rules at various interfaces.

As shown in Fig. 4, there is provided a security memory capable of storing and encrypting data. This memory may be used as an autonomous control system 2104 system service for the host CPU and / or may include data isolated from the host CPU, such as a log of rule violation events that may be read from a security application or external peripheral device can do.

The autonomic control system 2104 shown in FIG. 4 uses a programmable logic device with the feature that the induced signal propagation delay through the autonomous control system 2104 for the monitored line can be ignored for system timing requirements Lt; / RTI > interface. The PLD of the autonomous control system 2104 may include a normal "pass-through" mode that adds a small amount of propagation delay, for example, a delay of almost 20 nanoseconds. The added delay is insignificant in many systems and may not affect normal system operation.

The serial interface of the autonomous control system 2104 shown in the example of FIG. 4 may partially or completely disconnect the protection system 2100 from the peripheral device 2102 to electrically isolate the protection system 2100 as anti-tamper means Can be used. The autonomic control system 2104 may then output an aggressive, defensive or diagnostic / repair signal for the peripheral device 2102 to attack or malfunction or simply for the hold condition.

5 is a schematic diagram describing the operation of an electronic autonomous control system 2104 having a serial interface to prevent unauthorized access according to one embodiment of the present invention. The autonomic control system 2104 may be located between a starter (protection system 2100) and a speed selection input device (peripheral device 2102) that accommodates a binary coding rate to apply a physical process. The autonomous control system 2104 may include a monitoring device 2140 that monitors inputs and passes these inputs to a multiplexer (MUX) or switch 2160. If input is allowed, these inputs may go from the MUX 2160 to the protection system 2100. The state machine monitor and control operation logic 2150 can intervene so that the MUX 2160 can send the output generated by the state machine monitor and control operation logic 2150 to the protection system 2100 instead . In this example, the highest rate denoted by the binary "1111" should not be allowed because it is detrimental to certain process operations. The apparatus shown in Fig. 5 can monitor a number of connection states encoding a wide variety of different functions and can be standardized to operate in that state. In this example, the autonomous control system 2104 may be programmed to prevent unauthorized speed selection sequences such as, for example, jumping to the highest allowed speed at the lowest speed. The autonomous control system 2104 logic may be of a specific use so that while other inputs are prohibited, other inputs may be prohibited while "1111" is an inhibited input in this example. The input to the autonomous control system 2104 is not limited to the 4-bit embodiment of this example.

In Figure 5.1, the speed selection bus passes a signal on the starter via an autonomous control system 2104, via a "bus switch" The autonomous control system 2104 may monitor the rate selection bus at a programmable unassigned rate (connection state), and may take a pre-programmed operation to control the bus switch in this example. In Figure 5.1, the selected speed is an authorized speed, and therefore the autonomous control system 2104 may optionally proceed to the starting device.

Figure 5.2 shows an unauthorized signal for speed "1111" transmitted to the autonomous control system 2104 through the input device 2102 inadvertently or maliciously. The autonomous control system 2104 may take an intermediate action to intercept the signal to prevent unauthorized conditions. In this example, the autonomous control system 2104 toggles the bus switch to send the appropriate signal to the protection system 2100, where the autonomous control system 2104 exclusively performs rate selection control and maintains the previous allowed rate selection And may include rotationally programmed actuation logic. In addition, the autonomous control system 2104 may generate a logic entry or send an alert that an unauthorized connection has been attempted. The response of the autonomous control system 2104 is application dependent and can be preprogrammed. The autonomic control system 2104 may also be programmed to stop the physical process, for example, instead of maintaining the current speed.

Figure 5.3 shows that when the input device 2102 has been readjusted by the user or control system to select the application rate, the autonomous control system 2104 logic again toggles the switch back to the default steady state position, 2102).

FIG. 6 shows an embodiment of an autonomous control system 2104 similar to the embodiment of FIG. 5, but includes a processor 200 and a memory 202 instead of hardware logic. In this embodiment, the input signal of node 204 is routed to processor 200 via link 300. Processor 200 may compare the input signals to inhibit the state of the input signal stored in memory 202 to generate a match signal or a mismatch signal. The selection signals may be generated on line 302 of processor 200, which may control MUX 304. The signals in line 302 by selection signals may pass through multiplexer 304 and into protection system 2100 in the event of a mismatch signal event. Alternate input signals may be applied to line 306 and alternate attraction signals may be sent to MUX 304 if the select signals on line 302 are match signals.

7 illustrates a block diagram of an autonomous control system 2104 including a programmable logic device (PLD) coupled to a protection system 2100 by a parallel interface of a protection system 2100 in accordance with an embodiment of the present invention. do. The inputs and / or outputs of the protection system 2100 may be monitored via the input of the PLD in the autonomous control system 2104 or through a processor embedded within the autonomous control system 2104. 5, the autonomous control system 2104 may be connected to the protection system 2100 in a parallel interface and may also monitor the input, internally convert the state to an output, and , And at least one bidirectional signal driver capable of inducing interference without requiring the connection of an exception. The driver may be coupled to the monitoring logic 2140 to monitor the input received via its switch 2160. If input is allowed, the driver can maintain that state. If the input is not allowed, the operating logic 2150 places the switch 2160 on the operating bus, which may be at ground or high, for example. Communication between the protection system 2100 and the peripheral device 2102 may proceed normally until the monitoring logic detects an unauthorized signal pattern, such as in the serial interface example described above, and accesses the attempt. In a parallel configuration, the control logic can not internally reroute or isolate the I / O bus by switching in the alternate I / O path for write, interrupt, or full isolation from the peripheral device 2102. Instead, the signal for the device under protection system 2100 is set to ground or high by switch 2160. However, a parallel approach may be useful for very high speed systems (e.g., systems operating in the GHz range) with communication and signal speeds that can not withstand propagation delays. Moreover, the parallel autonomous control system 2104 may not need to pass the signals themselves, and may require a smaller number of I / O connections than a serial interface (requiring a matching output of each input).

8 is a block diagram of a system 200 that is connected to the protection system 2100 by a parallel interface and which is connected to the peripheral bus from an autonomous control system 2104 that may toggle to a logic high or low when an instruction is received in an attempt to cause an I / Is a block diagram of one embodiment of an autonomous control system 2104 that includes at least one tri-state output 2160 (instead of the switch of FIG. 7). This tri-state output can be used for an autonomous control system 2104 that does not have a bidirectional I / O interface.

9 is a schematic diagram for describing operations of an electronic autonomous control system 2104 having a parallel interface according to an embodiment of the present invention. The autonomic control system 2104 may include a parallel interface where signals between the input device 2102 and the guard device 2100 do not directly pass through the autonomous control system 2104. Instead, the autonomous control system 2104 can make an off of each line having an electrically high impedance input to monitor the input signal as shown in Figure 9.1. If an unauthorized entry attempt is made, the parallel autonomous control system 2104 may interfere with unauthorized input by toggling the bus switch to an output bus having suitable drive strength (current sinking and sourcing) to override the host bus. In the example of FIG. 9.2, internally grounding the Speed_Sel_3 line can prevent the Speed_Sel_3 line from reaching a logic high state, which in turn selects the highest speed. 9.2, the control system 2104 may periodically toggle the bus switch back to position 3 so that it can monitor the input from the input device 2102 without interference from the autonomous control system 2104 operation bus output. When the autonomous control system 2104 detects that the authorized speed is selected, the autonomous control system 2104 may return to the normal state again as shown in Figure 9.3. The autonomic control system 2104 can not simultaneously monitor signals by a parallel interface unlike the autonomous control system 2104 having a serial interface.

FIG. 10 is a block diagram of an embodiment in which an autonomous control system 2104 using serial and parallel interfaces is not connected to the protection system 2100. The serial interface may include logic 2140A, operational logic 2150A, and switch 2160A. The parallel interface may include monitor logic 2140B, operating logic 2150B, and switch 2160B. In this embodiment, when any communication path is too fast to degrade normal system operation and can not pass serially, these paths can be adjusted by a parallelized interface. The low path can be controlled by the serial interface.

11 is a block diagram of an embodiment in which an autonomous control system 2104 includes a communication bus 2170 between an autonomous control system 2104 and a protection system 2100. [ Communication bus 2170 may include the ability to selectively flag protection system 2100 if malicious or unauthorized intent is detected. Communication bus 2170 may also autonomously log events and report these events to a computer implemented security score system.

12 is an illustration of an embodiment of an autonomous control system 2104 that includes a semiconductor multi-chip module that may include at least two interconnected processor die functionally connected in a stack or planar array. The module may also include an interposer board and / or direct wire bonding inside a single semiconductor package mounted directly on a printed circuit board (PCB). This arrangement may make it difficult to virtually detect the autonomous control system 2104 that may provide protection against malicious tampering.

Figure 13 is an illustration of an embodiment of an autonomous control system 2104 that is externally mounted on an interposer PCB that may include a custom socket assembly that may be functionally disposed within the stack within the stack above or below the protection system 2100 to be. In this embodiment, the autonomous control system 2104 can be used to fix the current CPU and also use the current motherboard and socket in the case of the CPU. This implementation can be referred to as package-on-package implementation because it involves connecting two individually packaged components to form a single mode.

In some embodiments, the autonomous control system 2104 may include electronic circuitry, which may be a surface mounted on a printed circuit board (PCB), which may include a protection system 2100. The autonomous control system 2104 may be operatively connected to a protection system 2100 using, for example, one or more PCB traces, flying leads, coaxial cables, or optical fibers.

In some embodiments, the autonomous control system 2104 may include a modular stackable single board computing platform that may be operably mounted to the protection system 2100. For example, the platform may be a PC 104, EPIC, EBX, Raspberry Pi, Parallella or similar modular computing platform. In this embodiment, the autonomous control system 2104 may be attached to the computing stack header and, as described above, may include a modular carrier capable of performing security functions. This is called module on module implementation.

FIG. 14 is a flow chart describing an anti-tamper feature of an autonomous control system 2104 in accordance with an embodiment of the present invention. As described above, the data may be stored to enable the encryption anti-tamper check of the autonomous control system 2104. Periodically, or in response to a user request, the anti-tamper check may be inhibited (3305). The autonomic control system 2104 may sign the message for a system that communicates with the autonomic control system 2104 with a private key (i.e., a system that performs a check of the autonomous control system 2104). The system performing the check may attempt to validate the signature (3315). If the signature is not valid, an autonomic control system 2104 may generate an alert indicating that it may have been tampered (3320). If the signature is valid, the system performing the check may sign the message with the private key (3325). The autonomic control system 2104 may attempt to validate the signature (3330). If the signature is not valid, an alert may be generated 3335 indicating that the system performing the check may have been tampered with. If the signature is valid, the tamper check can be declared as all secure (i.e., both the checking system and autonomic control system 2104 can be tamper-free) 3340. Thus, the autonomous control system 2104 can check other systems and can be checked by the system to provide passive security.

Figure 15 illustrates a process flow using an autonomous control system 2104 as a system service for a host CPU for secure co-processing in accordance with an embodiment of the present invention. The above-described structure for the autonomous control system 2104 also allows the autonomous control system 2104 processor to have multiple instantiations of the autonomous control system 2104, thus enabling security processing as a system service to the host CPU It is possible. In this embodiment, the autonomous control system 2104 may receive an instruction (3505). The autonomic control system 2104 is coupled to the autonomic control system 2104 by a compiler or OP code to obtain a match to the preprogrammed OP code residing in memory associated with the memory subsystem 2104 (e.g., (From input device 2102). If there is a match, then the autonomous control system 2104 can execute (3515) the pre-programmed function of the OP code and the protection system 2100 can not receive the OP code. The autonomic control system 2104 accesses the secure storage device 3520 and returns 3525 the result. Alternatively, if there is no match with the OP code received in the autonomous control system 2104 preprogrammed memory, the OP code is passed to the protection system 2100 for execution, and the protection system 2100 returns the result (3535). A software application specifically designed to work with the autonomic control system 2104 running on the input device 2102 includes an autonomic control system 2104 OP code or instruction set to access the secure co- Needs to be. For example, if such an autonomous control system 2104 specific OP code or OP code series requires a cryptographic command in the data set, the processor 200 may respond by performing a cryptographic hash on the data set primarily. The processor 2200 can then digitally sign the hashed data set using the private key (stored in secure storage 2202) and then send the signed data set back to the input device 2102. [ To the autonomic control system 2104 specific application that generated the OP code in question.

QSM ≪ / RTI >

16 is a security module 2100 according to an embodiment of the present invention. The security module 2100 may include a processor 2100 and a physical memory 2115, such as a rules database 2122 and / or a certificate database 2124, for example. Thus, the processor 2110 and modules 2132, 2134, and 2136 may be coupled to or part of the autonomous control system 2104 or may be an element such as the processor 2200. Similarly, the rules database 2122 and / or the certificate database 2124 and / or the memory 2115 may be stored in the secure storage device 2202 of the autonomous control system 2104.

The rules database 2122 may store various access control rules as described in detail below. The certificate database 2124 may store various certificates for devices, documents, users, etc., as described in detail below. The security module 2100 may include a scoring module 2132 that can derive and / or update a security score, a validation module 2134 that may determine whether a security rule is met, and / or a security rule and / And may include submodules, such as the manually defineable module 2136, which may be manually defined. Any device described herein as performing a security verification, or as a QSM enable device or a QSM device, may include a security module 2100 and may also perform verification and / or other processes associated with the QSM described And a security module 2100 for the user.

17 is a security score fetcher 2200 according to an embodiment of the present invention. An evaluation process may be performed on the asset to determine its security level. To obtain this result, a normalized security score indicating the security level of the asset can be generated at the conclusion of the evaluation. ("Security objective") 2220 for a primitive function (its purpose, its purpose) of the isolated asset by a predefined grouping ("security category") 2220 for assembly purposes 2210). ≪ / RTI > For each security objective 2210, an evaluation may be performed for each of the security category of the asset and the security score, and a security score ("objective score") within the range assigned to the security objective may be generated. The importance of each score can vary from asset to asset, even by example. When all objective scores have been generated, they are combined using a predefined objective score set method (e.g., weighted average) to generate a normalized security score ("NSS ") 2230.

18 is an asset (and its specification) 2230 in accordance with an embodiment of the present invention that illustrates specific examples of security categories 2220 and security objectives 2210 that may be used in some embodiments. For example, the asset 2230 can store, process, and transport a security category 2220 that may correspond to the raw functions (e.g., data storage, data processing, and data transfer) performed by the asset 2230 have. Each security category 2220 may have authorization (AZ), confidentiality (C), integrity (I), usability (AV), nonrepudiation (NR), and authentication (AI) security objectives 2210. The ASS for the asset 2230 provides an indication of how well the asset 2230 conforms to the security objective 2210 based on the degree to which each functional category associated with the security category 2220 scores in the security objective 2210 .

FIG. 19 is a flow diagram of an asset assessment 2300 in accordance with an embodiment of the present invention.

Any assets are complex (for example, composed of many subcomponents). In the case of these complex assets, a measurement technique such as that of Fig. 19 can be performed independently on each sub-component to derive the NSS value for each sub-component. These sub-component values may be combined to produce the NSS of the top-level asset. The asset may be selected for evaluation, and the evaluation may begin at step 2305. One or more security categories may be identified, and each security category 2220 may be evaluated 2310. Each security category 2220 may include one or more security objectives 2210, and each security objective 2210 may be evaluated at step 2315. Security module 2100 may determine whether a security objective score can be computed for security objective 2210. [ In the affirmative case, a security objective score calculation may be initiated at 2325, and the security objective score may be generated at 2330. Examples of security objective score calculations are described in more detail below. When the score is calculated (2335), the next security objective may be selected (2330). If a security objective score can not be computed for security objective 2210 (2320), then security module 2100 may determine 2340 whether the asset should be parted. Some assets may be too complex to directly derive security objective scores, or may include components, devices and / or systems that have already been evaluated. To accommodate these situations, assets can be part of the.

20-23 are asset portion instances 3200 and 3250 in accordance with embodiments of the present invention. Figure 20 illustrates this principle using a laptop as an example, wherein the laptop is divided into a CPU, an operating system, and a GPU component. Fig. 21 shows, as another example, a water purification plant, in which a water purification plant is divided into a collection system, a purification system and a drinking water system component. As shown, some sub-assets may only contribute to a single security category score, while other assets may be able to contribute to multiple security categories. Figure 22 illustrates how the sub-assets in Figure 20 can be further decomposed into specific sub-drivers under the driver sub-asset and specific applications under the application sub-asset. In the city, the virtual machine (VM) sub-asset of the application sub-asset is further decomposed into applications running under the VM. This process can be repeated as needed until all sub-assets are accurately evaluated. FIG. 23 illustrates further decomposition of the integer sub-asset of the integer subsystem in FIG. 21, indicating that the QSM may be applied to any reference infrastructure component or asset that requires evaluation regardless of the type of asset. Anyone with knowledge of the domain to which the asset belongs may follow this method and may recursively add any complex system until the system is composed of a raw component (the evaluation can be performed or the sub-assets performed) It can be decomposed into assets. In water plant plant examples, these may be fences, guards, and fasteners that can be closely analyzed and quantified to affect physical security.

Referring again to FIG. 19, if partial alerting is not possible, the default security objective score may be reassigned 2345 and evaluation 2300 may also be moved to the next security objective 2315. Once the subdivision is done 2340, the security module 2100 may define a sub-asset 2350 and define a sub-asset weighting equation 2355. As described above, the sub-asset can also be divided into itself, in which case the analysis can be performed on further divided assets. For each sub-asset 2360, an asset equation 365 may be performed and a security objective score 2370 may be generated. All objective scores can be evaluated 2375, and the security category scores can also be evaluated 2380. If there are many security categories 2220 for evaluation, the next security category 2220 may be selected 2310 and the above evaluation may be performed for the security objectives 2210 of the next security category 2220 have. When all the security categories 2220 have been evaluated, the asset evaluation can end (2385). In the case of the asset 2230 of FIG. 18, a full 18 evaluation may be performed by three security categories 2220, each with six security objectives 2210.

The NSS can securely store the security level according to the time at which the digital assets are evaluated in the base security score certificate (BSSC), using the objective score set and derived security rules based on encryption techniques such as public personal certificates . 24 is a BSSC 2700 in accordance with an embodiment of the present invention. The BSSC 2700 may include a score for each security objective 2210 and category 2220. In the case of the example asset 2230 of FIG. 18, the BSSC 2700 may be three of the security category 2220 scores (SCS), each of which in turn may be the six of the security objectives 2210. 25 is an example BSSC 2700 of the asset 2230 of FIG. The example of BSSC (2700) is the base security score (BSS) represented by the BSS = (transfer SCS), (storage SCS), (processing SCS) or _{BSS = ((Tc, T I} , T AZ, T AI, T _{AV, T NR), (S} C, S I, S AZ, S AI, S AV, S NR), (P C, P I, P AZ, P AI, P AV, P NR)), where C = Confidentiality, I = integrity, AZ = authorization, AI = authentication, AV = availability, and NR = non-repudiation. The BSSC 700 may be signed by, for example, an individual, enterprise, regulatory agency, or government agency. The BSSC 2700 may include the date / time the certificate was issued and the date / time at which the certificate expires. The BSSC 2700 may also include a decay rate of the NSS as described in detail below.

Taking into account the transient nature of security, the meaning of security can be used in the computation of the security degradation of the probability that the high degradation probability of the post measurement, the security decay rate (ROD) algorithm, occurs because the final NSS evaluation indicated in the BSSC has been performed. The ROD can be used to determine the actual security score for the system given the elapsed time since the BSSC was originally issued. The algorithm for calculating the ROD can be based on the metric selected for system scoring. Final evaluation (and optionally other security rules or recorded asset usage history) By using the NSS and the objective score set as inputs over time, a new NSS score can be calculated for more accurate general security comparisons.

The security objective score can provide a probability based evaluation determined by computing security metrics that can describe the likelihood of compromise. This probability equation can be expressed as SOS = P (compromise | security measure ≠ concern). SOS is a probabilistic probability of compromising an asset due to an enforced security measure that does not protect against anxiety, where the concern is a stochastic representation of the time that an actor with a given motivation can use the achievement. Concern = P (Time | Actor | Motivation | Achievement).

The time can be extended and transferred in the BSSC, as represented by the ROD, so that the SOS can be a set of values. ROD can indicate how sensitive SOS is to time exposure. A high ROD indicates that the concern for the asset increases more over time than the low ROD.

For example, the NSS can range from 0 to 10, where 0 is unsecured and 10 is completely secure. If a given asset has a validity period of 770 days (or the time until a patch or update is needed), and there are no factors contributing to reducing or extending this expiration date, one way to calculate the ROD is 10 It could be to take the maximum NSS value and divide it by 770 days. ROD = (maximum NSS value) / (100% compromise possibility date) = 10/770 = 0.13 days. The score is zero at the end of 770 days, regardless of the security of the system, by reducing the NSS calculated by the ROD x time change (date). In other words, the system can be considered unsafe without any action. In practice, there may be some minimum value somewhere above zero where the system can be considered insecure, and this value can be represented as the minimum NSS in the SRC.

Other examples may include ammunition bunkers in military installations. An arched door in a bunker can contribute to a component of security ("S ₁ "). Arched doors are assessed at the 6-hour penetration level, and vendor testing is limited to access, resulting in a 60% rate for skilled attackers, which increases by 5% every hour after the 6 hour cycle. Therefore, S ₁ is 0.95 at the ROD stage, 0.6 at 6 hours, and then decays normal 0,05 per hour thereafter. By this explicitly stated in the BSS of the arched door, the commander commands the guard to traverse the bunkers every three hours to reset the boundaries (basically reset the door ROD). Together these two factors can contribute to S ₁ in the case of a constant 0.95 door.

26 is a security score detuning 900 according to an embodiment of the present invention. Line 910 illustrates system security without having an ROD value that remains constant over time. However, the longer the system is running, the more compromised the system can become. This deterioration in security is shown in line 920, where line 920 shows a linear ROD of 0.01 per unit of time. Lines 930 and 940 illustrate the security of the system over time, taking into account events that may adversely affect the security of the system. Line 930 represents four security events that degrade system security, but does not cause a change in ROD. Line 940 describes the same four events, but it is assumed that each of these events also changes the ROD value. The event shown in Fig. 26 may be, for example, the result of connecting a USB device to the system, connecting the system to an untrusted network, browsing to a malicious web site, or installing a download application.

To allow assets to maintain a history of important events, the QSM can support the concept of certificate chains or the Security Score Chain (SSC). The BSSC can provide a base certificate from any SSC. The asset can change the score and sign a new certificate as a BSSC. When creating the SSC, the asset may contain a record of why the modification was made. In FIG. 8, an update to the SSC may be made to reflect changes to the ROD after each event on lines 930, 940, and to document the events that caused these changes. If the BSSC is given as an ROD, the new security score can make adjustments for any attenuation (e.g., as shown in line 940) since it has a date / time newly issued on this connection . The expiration date / time can not be extended beyond the expiration of the BSSC, but can be shortened appropriately. Also, where appropriate, the ROD can be modified to reflect new risks and concerns.

Figure 27 is a security requirements certificate (SRC) 3400 in accordance with an embodiment of the present invention. Similar to the BSSC, the SRC includes a security requirement weight (SRW) for each security objective 2210 score (SOS), a security weight for each security objective 221O, an authorized BSSC and SSC signer, and / And may be a securely signed document with a password containing

The SRC can specify which signer is recognized and accepted by the resource when evaluating the BSSC of the asset being sought to gain access to the resource. This can protect the resource against attempts to falsify the security score by creating a BSSC signed by an unauthorized signer. In addition, the ability to specify a trusted signer may allow for changes in the security metric used and an assessment scale for the NSS. For example, security measures may be based on the Sandia RAM Series evaluation, and the specifications of this Sandia RAM series allow conversion from Sandia RAM series evaluation to NSS in the range of 0-100. can do. Similarly, other embodiments may use the CARVER methodology or a couple of comparative evaluations, and may also use the QSM0-10 scale. Similarly, one embodiment may utilize proprietary metrics and scales from 0.00 to 1.00. Any combination and all combinations described above may be used in the evaluation of the composite system and the NSS and QSM methodologies may allow inclusion thereof. The QSM can take into account known deficiencies in the methodology by increasing the damping factor and reducing the NSS due to any measurement criterion. Thus, the current system and evaluation can be used in the short term until valid QSM evaluation can be performed.

The improved authentication and authorization process between assets can take advantage of the common security measurement and comparison methods described above. This can be done by forcing the real-time evaluation to derive the NSS and the objective score set of the asset or by using the information stored in the BSSC from the historical evaluation as well as using the asset's damping rate algorithm. Additional security rules, such as those stored in the BSSC, may be used as authentication and authorization criteria. Security level provisioning may be performed in one manner for one of the assets used in the authentication or authorization process, as described in the example security verification described above. In some embodiments, two validations (or all forms of verification when two or more assets attempt to authenticate or authorize each other) may be performed, each validating the security level of another asset.

The NSS can be the highest level score within the QSM and can also be calculated by applying the security requirement weight in the security requirement certificate to the drafting objective score of the base security score. Mathematically, the SRW may be implemented, for example, in a BSSC (three security category weights (SCW) (which may be a weighting percentage that contributes to each category contributing to the NSS), SCW each security objective weight (SOW) For example, in the case of the examples of Figures 18 and 25, SRW = (transport SCW (transport SOW), store SCW (store SOW), process SCW (treatment SOW)) or _{SRW = (SCW (T C,} T I, T AZ, T AI, T AV, T NR), SCW (S C, S I, S AZ, S AI, S AV, S NR) , SCW (P _C , P _I , P _AZ , P _AI , P _AV , P _NR ).

The NSS can be used to evaluate the security posture of a given asset over time ([Delta] T). This score can be used, for example, to authenticate an asset, grant access, compare the security utility of the asset, or determine whether an improvement should be made to a given asset. The NSS can be calculated as follows. NSS = (BSS * SRW) - (ROD *? T). Therefore, NSS NSS = the case of the example of Figs. 3 and _{7 (SCW T * (T C} * TW C + T I * TW I + T AZ * TW AZ + T AI * TW AI + T AV * TW AV + T NR _{* TW NR) + SCW S *} (S C * SW C + S I * SW I + S AZ * SW AZ + S AI * SW AI + S AV * SW AV + S NR * SW NR) + SCW P * ( P _C * PW _C + P _I * PW _I + P _AZ * PW _AZ + P _AI * PW _AI + P _AV * PW _AV + P _NR * PW _NR ) * (ROD * (T _CURRENT -T _ISSUED )) Can be calculated.

28 is a bass security score certificate 150 according to an embodiment of the present invention. In this example, BSS = ((6.05, 3.47, 3.83, 4.89, 5.42, 3.46), (6.52, 4.45, 5.78, 5.09, 6.43, 4.80), (4.52, 4.89, 2.69, 3.68, 6.79, 2.64). The ROD was 0.13 / day, and the certificate was issued on February 22, 2014, and expired on August 24, 2014.

29 is a security requirement certificate 1600 according to an embodiment of the present invention. In this example, SRW = (0%, 0%, 0%, 0%, 0%, 0%, 0%), 65% (25%, 40%, 5%, 5%, 25% , 35% (17%, 17%, 17%, 16%, 17%, 16%)). A weighting of 0.0 for weighted transport security objectives indicates that this special property owner is indifferent to the transfer activity or does not use the transfer activity. Such a scenario may exist in the form of a stand-alone machine or a smart card, which has no storage means for data storage but has storage and processing capabilities. The minimum required NSS listed in the SRC and the current date or TCURRENT = March 23, 2014. Detailed calculations for the storage portion are described below, and other detailed calculations are omitted.

Storage portion = 0.65 * (0.25 * 6.05 + 0.4 * 3.47 + 0.05 * 3.83 + 0.05 * 4.89 + 0.25 * 5.42 + 0.0 * 3.46) = 3.05

NSS = (0 + 3.05 + 1.93) - (0.013 * (March 23, 2014 - February 22, 2014) = (4.98 - (0.013 * 29)) = 4.6

The calculated NSS can be compared with the stored minimum NSS value, and if the value is greater than or equal to the minimum NSS value, the value can be approved. In this example, the device is rejected because the calculated 4.6 NSS is below the SRC tolerance (5.0).

The NSS values can be compared and collated so that the security level index can be applied to the security of the asset. 30 is a NSS comparison according to an embodiment of the present invention. The NSS value 2410 may be compared to the NSS index 2420 to determine whether the NSS for the asset represents the minimum required security level. For example, the NSS index 2420 may indicate that an asset with a value of 5.5 or higher has an acceptable security level, and an asset with a score of 5.5 or less does not have an acceptable security level. In the example of FIG. 30, the asset has a NSS of 6.8 and therefore exceeds requirement 5.5. In addition, two or more assets may be compared to determine whether they have the same or a similar security level, or which of the assets is more secure. 31 is an NSS comparison 500 in accordance with an embodiment of the present invention. In this example, Asset 1 has a 6.8 NSS value 510 and Asset 2 has a NSS value of 520 (520), Asset 2 may be considered more secure than Asset 1. Based on a given set of scores and a agreed upon security objective and category according to a generic security measurement method, the transitivity can provide a reproducible, independently verifiable security comparison in which the security comparison is agreed have.

Extended security comparisons can be performed that can measure more specific security contributions of an asset, typically using an NSS and an objective score set. 14 is a security verification 2600 according to an embodiment of the present invention. Assets 2610 (e.g., USB devices) may have a calculated NSS (e.g., 6.8) and QSM enable system 2620 may verify asset security 2600 before interacting with the asset . The system 2620 is asked to perform an operation (e.g., a write operation to the USB device) that utilizes the asset, e.g., via user input. Asset 2610 sends its NSS 2640 to system 2620. The system 2620 may evaluate the NSS (e.g., by performing a comparison as shown in FIG. 30). If the NSS evaluation indicates adequate security, the operation can proceed. Otherwise, the operation can be prevented.

In one example of FIG. 33, another security comparison 2100 is shown in an embodiment of the present invention, where two different systems are compared. System # 1 has a lower NSS score than System # 2, but System # 1 has a higher category score for storage confidentiality than System # 2. Such comparisons can be used to determine which product to buy (e.g., which product best suits your security needs) or determine which system should be upgraded first, or to make other decisions about system security Can be used.

Figure 34 is a security validation 2800 in accordance with an embodiment of the present invention in which the BSSC of an asset 2810 may be used to interact with the enterprise network 2820. The asset 2810 may be a network 2820, And may also provide a BSSC 2830. The network 2820 can evaluate the BSSC and determine if the asset 2810 is secure 2840. In this example, the asset 2810 Has an NSS in its BSSC below the threshold that the network 2820 requires and the network 2820 denies access to the asset 2810. [

35 is a cross-security verification 3000 according to an embodiment of the present invention. In this example, the laptop 3010 validates the corporate network 3020 and the enterprise network 3020 can validate the BSSC of the laptop 3020, and each asset is sufficient for other assets to allow interaction You can decide individually whether you have security.

In some embodiments, the enforcement of security rules during the validation process may attempt to re-evaluate one or more assets participating in authentication or authorization.

36 is a security verification 3100 according to an embodiment of the present invention. The BSSC of the asset (laptop 3110) may be used to interact with the enterprise network 3120. Asset 3110 may attempt to connect to network 3120 and may provide the BSSC 3130 to the network. The network 3120 can evaluate the BSSC and determine if the asset 3110 is secure. In this example, the asset 3110 has a NSS below the threshold required by the network 3120 in its BSSC, and the network 3120 denies access to the asset 3110. Asset 3110 may be evaluated by security module 2100 in response 3150. As described above, the NSS value may deteriorate with time. In addition, new security features can be implemented on the asset over time. Thus, a reassessment (3150) for the updated BSSC may generate a new NSS value. In this example, the new value indicates that the asset 3110 is secure enough to communicate with the network 3120. The asset 3110 may perform a second attempt to connect to the network 3120 and may provide the updated BSSC 3160 to the network 3120. [ Network 3120 may determine whether asset 3110 is secure (3170).

The QSM evaluation of devices such as servers, PCs, and routers, such as built-in processing capabilities, can be performed automatically. This can be accomplished by performing a combination of backend databases, scanning of configuration information on the computer, and / or QSM processing using an automated penetration testing tool to generate an NSS. Whereby the service provider or network may require at least a minimum security state for the devices that wish to access the service that may be subject to a full QSM evaluation.

This automation can take steps to further preemptively protect the QSM devices. If a new behavior or other concern is identified, the trailing database can be searched for registered devices that are susceptible to pre-operations and can take pre-operations. This action can be, for example, a NSS of a lower device, invalidating the certificate and / or advising the property owner that the devices must disable certain services or install patches or updates, I can advise my concern. Due to the nature of any computer network, these prior services may require periodic communication between the devices and the back-end services in some embodiments.

Automated evaluation and certificate generation can also allow real-time evaluation to be performed for access to systems where even a few days old certificates can have, for example, high security requirements that are unacceptable, for example. These high security systems may require current (e.g., the day, week, etc.) certificates. Which may be automatically adjusted in some embodiments. With this automated QSM evaluation, the system may require re-evaluation and re-authentication for every request to use system resources in some embodiments.

The following additional examples illustrate scenarios in which the QSM may be used for authentication and / or authorization. For the purposes of this section, it may be assumed that the devices in the QSM have an SSC. Devices or systems with their own computational resources may also be assumed to have an SMC. An example of a device that may not have SRC is a USB memory stick. Since many USB memory sticks do not have their own computational resources, they can not compare the SRC with the SSC they received, so there is no reason for them to have an SRC. Also, for devices that do not have their own computational resources, the SSC may simply be a BSSC since this device can not update the SSC from the BSSC.

Devices using QSM can use SSC to perform device authentication and authorization network access. Such authentication and authorization may be reciprocal so that each entity can mutually authenticate and authorize as described above. By using automated QSM assessment tools, these mutual authentication can be extended to external devices that may require temporary or temporary access to network resources, such as connecting access points in corporate offices and accessing online stores. have. The resource owner may not require physical evaluation of all devices that may require temporary access to the resources of all devices to meet the need for downloading or accessing the QSM evaluation as part of the registration or signing process. The QSM tool can then generate an automated BSSC based on automated scans as described above and then the device can participate in a mutual authentication exchange before access to the network resources is granted.

37 is a security validation 3800 in accordance with an embodiment of the present invention. Upon connection to the network, the device may provide the SSC to the network (3810). Since the SSC is a password-signed certificate, the SSC can be device-specific. Thus, authentication for the network of the device (rather than the user) can be used. The network can use the SSC for logging purposes to identify any device that can act in a malicious or suspicious manner. The network administrator may, in some embodiments, use the SSC to determine whether the connection to the network is allowed based on the current security level of the device. Devices that meet this requirement may be allowed to connect to the network 3820. In addition to simply granting or denying access, the SSC can be used to determine which network segments the device is authorized to access. For example, a device in which a network fails to meet security requirements of the enterprise may be deployed in the guest network so that the device can access the Internet, but access to enterprise resources is prevented (3830).

38 is a security validation 3900 in accordance with an embodiment of the present invention. The devices use the SSC to authorize or authorize the network itself. The networks themselves may have password-signed SSCs so that the device can identify the network to which the device is attempting to connect. This methodology can eliminate network spoofing whether it is wired, wireless or cellular. The user and / or system administrator can use the SSC to define which network the device will use. For example, a business administrator can configure a laptop so that it only has access to a corporate network, a designated home-work router at an employee's home, and a designated cellular network. Employees can not connect their devices to any other network. In this example, the laptop can send the SSC to the network (3910). The network may ignore the SSC if the SSC is not evaluated for NSS compliance. In this case, the laptop may refuse to connect to the network (3930) because the SRC is not satisfied.

In addition, the SSC can be provisionally updated, so the system administrator can allow the network to connect to a less secure network. The SSC of the device may be updated to indicate that the network to which it is connected is not secure. With the resulting reduction in SSC, the corporate network can force the device to re-evaluate before allowing the device to reconnect to the network. For example, these techniques can be useful when employees travel with their laptops. In addition, the user or system administrator can use the network SSC to authorize which device resources the network can be allowed to access. For example, the firewall of the device may prevent a network that does not meet the security level from being allowed to access the file share, and may prevent the web server from running on that device.

39 is a security verification 4000 according to an embodiment of the present invention. In addition to authentication and authorization of the network, the computer can authenticate and authorize devices based on the SSC. For example, the USB storage device may include an SSC and may transmit the SSC to the computer upon connection to the computer (4010). If the SSC does not match any criteria (e.g., does not adequately encrypt data at rest), the host computer may prevent the user from copying information to the USB stick (4020). In addition, if the host computer is able to detect the nature of the data being copied, decision 4020 as to whether to allow it to be copied may be based on a combination of the data itself and the SSC of the destination device. Similar examples may be present in many different types of devices. In some embodiments, handshaking between devices may be changed to ensure that SSCs are always transmitted. For example, as part of the USB handshaking protocol, both host and slave devices may share their SSC. Whereby the devices can perform mutual authentication and authorization.

Devices can also use the SSC to allow access to sensitive information of the device itself. For example, a device with a trusted computing space may be configured to only allow access to the encryption information for that device if the SSC meets any criteria. The trust computing processor may detect an attempt to access the encrypted volume and then determine whether the current SSC meets the criteria for the encrypted volume. Even if the user knows the decryption key, the device can prevent the device (which can be compromised) from decrypting the information because it is no longer trusted. Specially designed computing devices that utilize discrete components for sensitive storage devices that may require an SSC to comply with SRC can thereby be implemented. Basically, sensitive storage components can be viewed as individual devices by the system.

The hardware and software products may use the user provided SRC and the desired SSC provided (within the available range) to automatically configure the parameters and settings to configure the SOS to ensure compliance. And can provide functionality and security by removing responsibility from the user to determine which combination of parameters is available in the product configuration. Similarly, resource owners may require any services or devices that are disabled or stopped while accessing their resources. By utilizing both the automatic configuration and the QSM automatic evaluation process, this type of dynamic configuration can meet security requirements.

SSC can provide products to purchase information. Product manufacturers can provide SSCs for their products online, enabling customers to make direct comparisons between products in their secure environment. Similarly, Web sites can let potential customers submit SRCs to learn which products meet their security requirements. This allows customers to determine which products offer the desired security enhancement or performance before making a purchase decision. A system may be developed to perform simulations of the system to learn how to implement new products or configurations. Manufacturers can determine the total number of security they can provide to the user and also present a security amount to add to their competitors for a given security SRC.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention. Indeed, it will be clear to those skilled in the art, after having read the foregoing description, that other embodiments may be practiced.

In addition, it should be understood that any drawings emphasizing functions and advantages are provided by way of example. The above described methodologies and systems are sufficiently flexible and configurable so that each can be used in a different way than they represent.

At least one "or" at least one "in the description, claims and drawings, where" at least one "is often used in the specification, claims and drawings, do.

Finally, the claims that include the expression language "means for" or "for the purpose of" It is the intention of the applicant to be interpreted under 112 (f). Claims that do not explicitly include the phrase "means for" or "step for," 112 (f).

Claims (34)

A system for secure electronic access,
Wherein the at least one certificate is a protected device comprising at least one security process for receiving at least one electronic certificate from an electronic device seeking access to a secure resource on a protected device, A protected device providing; And
Wherein the at least one autonomic memory stores security required information, the at least one autonomous processor compares the device information with the security required information, and the at least one autonomous processor The autonomic processor instructs the at least one security processor to provide security resources to the device when the device information matches the security required information,
Wherein the protected device provides security resources to the electronic device in response to the command.
The method according to claim 1,
Wherein the secure resource comprises a collection of digital files or digital files.
The method according to claim 1,
Wherein the secure resource comprises hardware resources.
The method according to claim 1,
Wherein the at least one autonomic processor controls usage conditions of the security resource by an electronic device based on the comparison.
3. The method of claim 2,
Wherein the at least one autonomic processor is operable to generate a security requirement certificate comprising a compression archive and a security requirement information and a set of authorization key value pairs comprising a collection of digital files or digital files, A secure electronic access system that validates electronic certificates.
6. The method of claim 5,
Wherein the at least one autonomic processor applies a cryptographic digital signature to each of the digital files or digital files in the collection of digital files to provide evidence of trustworthiness and proof of authorship, Wherein the signature is updated or applied as a second encrypted digital signature whenever the signature of the digital file or digital files is changed.
3. The method of claim 2,
Wherein the at least one autonomic processor enforces properties, settings and permissions to control printing, copying, displaying, editing and / or transferring of a collection of digital files or digital files based on security requirement information.
The method according to claim 1,
Wherein the autonomous system comprises an autonomous system private key located within the autonomous system, the autonomous system signing the message with the autonomous system private key, sending an autonomous system signed message to the source, Or a secure electronic access system that determines whether autonomous systems and tampering are authorized.
9. The method of claim 8,
Said source comprising a source private key located within said source, said source signing the message with said source private key and sending a source signed message to said autonomous system, said autonomous system having access to said source or source A secure electronic access system that determines whether tampering is authorized.
A system for secure electronic access,
A protected device, comprising: at least one security processor for receiving at least one electronic certificate describing the security of the device under protection, wherein the protected device comprises at least one electronic certificate, A device under protection that outputs resource and security requirement information;
At least one autonomous processor and at least one autonomous memory for storing the at least one electronic certificate, the at least one autonomous processor providing an autonomous certificate to the device under protection; And
Receiving at least one electronic certificate, a resource in a form not usable in the protected device and security requirement information from the protected device, comparing the at least one electronic certificate with the security requirement information, Transmitting a resource in a form usable to the protected device when the certificate indicates that it is in conformity with the security requirement certificate and providing the resource to the protected device in a form usable in the protected device, ≪ / RTI > wherein the authorized system comprises an authorized system configured and arranged to perform a process.
11. The method of claim 10,
Wherein the resource comprises a collection of digital files or digital files.
11. The method of claim 10,
Wherein the at least one autonomic process controls the use condition of the resource by the security system based on the comparison.
12. The method of claim 11,
Wherein the collection of digital files or digital files in a form not usable by the protected device is stored in at least one autonomous memory.
11. The method of claim 10,
Wherein the at least one autonomic processor controls the use condition of the resource by the device under protection based on information from the autonomous system.
12. The method of claim 11,
Wherein the at least one autonomic processor enforces properties, settings and permissions to control printing, copying, displaying, editing and / or transferring of a collection of digital files or digital files based on security requirement information.
11. The method of claim 10,
Wherein the autonomous system comprises an autonomous system private key located within the autonomous system, the autonomous system signing the message with the autonomous system private key, sending an autonomous system signed message to the source, Or a secure electronic access system that determines whether autonomous systems and tampering are authorized.
17. The method of claim 16,
Said source comprising a source private key located within said source, said source signing the message with said source private key and sending a source signed message to said autonomous system, said autonomous system having access to said source or source A secure electronic access system that determines whether tampering is authorized.
As a method of protecting electronic access,
Receiving at least one electronic certificate from an electronic device seeking access to a secure resource in a protected device comprising at least one secure processor, wherein the at least one certificate provides device information associated with the security of the electronic device and;
Comparing the device information and the security requirement information by at least one autonomous processor of the autonomous control system;
Directing the at least one secure processor to provide security resources to the device when the device information matches the security requirement information; And
And in response to the command, the protected device providing security resources to the electronic device.
The method according to claim 1,
Wherein the secure resource comprises a collection of digital files or digital files.
19. The method of claim 18,
Wherein the secure resource comprises a hardware resource.
19. The method of claim 18,
Wherein the at least one autonomic processor controls usage conditions of the security resource by the electronic device based on the comparison.
20. The method of claim 19,
Wherein the at least one autonomic processor generates a compression archive comprising a collection of digital files or digital files, security requirement information and a set of authorized key value pairs, The electronic access protection method.
23. The method of claim 22,
Wherein the at least one autonomic processor applies a cryptographic digital signature to each of the digital files or digital files in the collection of digital files to provide evidence of trustworthiness and proof of authorship, Wherein the digital signature is updated or applied as a second encrypted digital signature whenever the signature of the digital file or digital files is changed.
20. The method of claim 19,
Wherein the at least one autonomic processor enforces attributes, settings and permissions to control printing, copying, displaying, editing and / or transferring of a collection of digital files or digital files based on security requirement information.
19. The method of claim 18,
Wherein the autonomous system signs the message with an autonomous system private key and sends the autonomous system signed message to the source and the source determines whether access to the autonomous system or autonomous system and tampering has been granted.
26. The method of claim 25,
Wherein the source sends a source signed message to the autonomous system by signing the message with a source private key, and wherein the autonomous system determines whether access to the source or source and tampering is permitted.
CLAIMS 1. A method for electronic access protection,
Scoring at least one electronic certificate describing the security of the protected device in at least one autonomic memory of the autonomous system;
The at least one autonomous processor of the autonomous system providing the at least one certificate to a protected device;
Outputting at least one electronic certificate, resource and security requirement information in a form unusable to the device under protection to the authorizing system;
At least one licensing process of the licensing system comparing the security requirement information with the at least one certificate;
Modifying the resource in a form available to the protected device when the at least one licensing process indicates that the at least one electronic certificate indicates that the protected device conforms to the security requirement information; And
The at least one licensing process providing the resource to the protected device in a form available to the autonomous system.
28. The method of claim 27,
Wherein the resource comprises a collection of digital files or digital files.
28. The method of claim 27,
Wherein the at least one autonomous process controls usage conditions of resources of the device under protection based on the comparison.
29. The method of claim 28,
Further comprising storing resources in a form usable in the electronic system in the at least one autonomic memory.
28. The method of claim 27,
Wherein the at least one autonomic processor further comprises controlling the use condition of the resource by the device under protection based on information from the authorizer system.
29. The method of claim 28,
The autonomous system enforces properties, settings and permissions to control printing, copying, displaying, editing and / or transferring of a collection of digital files or digital files based on security requirement information.
28. The method of claim 27,
Wherein the autonomous system signs the message with the autonomous system private key and sends the autonomous system signed message to the source and the source determines whether access to the autonomous system or tampering with the autonomous system is granted, .
34. The method of claim 33,
Wherein the source sends a source signed message to the autonomous system by signing the message with a source private key, and wherein the autonomous system determines whether access to the source or source and tampering is permitted.

Images