US20150067796A1 - Method for statistical object identification - Google Patents

Method for statistical object identification Download PDF

Info

Publication number
US20150067796A1
US20150067796A1 US13/987,747 US201313987747A US2015067796A1 US 20150067796 A1 US20150067796 A1 US 20150067796A1 US 201313987747 A US201313987747 A US 201313987747A US 2015067796 A1 US2015067796 A1 US 2015067796A1
Authority
US
United States
Prior art keywords
statistical
original
objects
soi
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/987,747
Inventor
John William Hayes
Christopher Luis Hamlin
Charles Andrew Gram
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BlackRidge Tech Holdings Inc
Original Assignee
BlackRidge Tech Holdings Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BlackRidge Tech Holdings Inc filed Critical BlackRidge Tech Holdings Inc
Priority to US13/987,747 priority Critical patent/US20150067796A1/en
Assigned to BLACKRIDGE TECHNOLOGY HOLDINGS, INC. reassignment BLACKRIDGE TECHNOLOGY HOLDINGS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GRAM, CHARLES ANDREW, HAMLIN, CHRISTOPHER LUIS, HAYES, JOHN WILLIAM
Publication of US20150067796A1 publication Critical patent/US20150067796A1/en
Priority to US14/544,987 priority patent/US20160269421A1/en
Priority to US15/998,262 priority patent/US11095687B2/en
Priority to US17/353,117 priority patent/US11503079B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151Time stamp

Definitions

  • the present invention pertains to methods for uniquely identifying an original object from a series of statistical objects by receiving and identifying the original object from which the statistical objects were generated.
  • Statistical objects are used where conventional secured communications of an original object cannot be used due to protocol constraints or communications bandwidth limitations. Using a statistical object instead of an original object achieves much greater bandwidth efficiency due to the use of a deterministic statistical representation of the original object.
  • the term “statistical object” is a string of values mapped by a random or “hash” function.
  • the output of this function points to a string of values which stands for or represents the input to the function.
  • the output string of values is shown as x 1 , x 2 , x 3 . . . x n .
  • the input of the function is an original object, while the output is a statistical object.
  • a collision results when two or more different inputs produce the same output, and is generally considered detrimental.
  • additional inputs are added to the function. These inputs vary over time, enabling different streams of statistical object to eventually diverge from their colliding tendencies.
  • a clock may be employed to add a time value as an input.
  • a counter may serve as an input. Multiple additional inputs may be used together in the generation of the statistical object.
  • the terms “function,” “random function” and “hash function” are intended to encompass any procedure or mathematical method that converts a large amount of data into a smaller amount of data.
  • the output may be a single integer or value which serves as an index to an array or database.
  • the output values of a hash function may be called hash values, hash codes, hash sums, checksums or hashes.
  • the inputs to a hash function may be referred to as keys.
  • FIG. 2 illustrates a simple example of the operation of a hash function.
  • a set of four inputs or keys are shown as the names Joe, Moe, Sam and Charlie.
  • the hash function F(x) associates a hash or output with each name.
  • the input of Joe causes the hash function to point to output “03”.
  • the input of Moe causes the hash function to point to the output of “01”.
  • the input of Sam causes the hash function to point to the output of “06”.
  • the input of Charlie causes the hash function to point to the output of “03”. Because the Joe and Charlie inputs both return a hash of “03”, this pair of hashes is said to cause a collision.
  • this collision may be avoided by adding a clock or a counter as an additional input to the hash function. So, in an alternative embodiment, if the input of Joe is provided to the hash function at 1:00 p.m., and the input of Charlie is provided to the hash function at 2:00 p.m., the different inputs would lessen the probability that this collision would occur.
  • One advantage of using statistical objects is that information may be “concentrated” in a relatively smaller number of transmitted bits, which increases the efficiency of communication across a network.
  • the consequence of using a deterministic statistical representation is that the representation is not guaranteed to identify uniquely the source original object.
  • the deterministic statistical representation, the statistical object may be generally considered to be the output of a hash or similar function of the original object along with one or more varying deterministic inputs such as a clock or counter. These varying deterministic inputs are necessary so that the cumulative stream of output statistical objects generated from a single original object is unique across a large number of generated statistical objects. Unambiguously identifying a statistical object to a unique original object is essentially an exercise in mitigating the effects of the birthday problem.
  • the birthday problem is the probability that output of the hash of different original objects and their respective deterministic inputs produce identical statistical objects.
  • the generation of a single statistical object by two or more original objects causes a collision.
  • FIG. 3 supplies a graph that illustrates the birthday problem.
  • the number of individuals in any given group is shown on the x-axis.
  • the y-axis shows an approximate probability, on a scale from zero to one, that two people in the group will share the same birthday. As an example, in a group of twenty-three people, the probability that two persons in this group will have the same birthday is about fifty percent.
  • the birthday problem may be understood as an example of the hash function depicted in FIG. 2 .
  • the keys or inputs are the names of the individuals in the group.
  • the hash function maps these inputs to one of the hashes or outputs, which represent the days of the year. If two persons in the group share the same birthday, the hash function points to the same day for two different individuals, and a collision occurs.
  • a statistical object the deterministic statistical representation of an original object, may be generally considered to be the output of a hash or similar function coupled with additional inputs of clocks, counters and other varying deterministic inputs.
  • Unambiguously identifying a statistical object to a unique original object is essentially an exercise in mitigating the effects of the birthday problem.
  • the birthday problem is the probability that outputs of the hashes of different original objects and their deterministic inputs produce identical statistical objects.
  • the generation of a single statistical object by two or more original objects causes a collision. Given a uniform distribution, the probability of a collision increases with the number of statistical objects in use.
  • Statistical objects are designed to be used as components of security devices.
  • the overall probability of guessing any valid statistical object must also be considered.
  • the amount of space available to carry a statistical object will vary with the communications mechanism, but the size of an individual statistical object is expected to remain small, generally less than the number of bits required to uniquely identify an original object when large numbers of objects are in use. This requires the aggregation of two or more related statistical objects into a larger aggregate statistical object. Aggregating multiple related statistical objects into a single aggregate statistical object requires that all possible original object resolution matches are tracked and maintained. Multiple statistical objects from the same original object can be associated together by using information associated with the communication and reception of the statistical objects.
  • This information can include networking information, such as the source address or network session information including source and destination addresses and source and destination port numbers. Communications characteristics can also include physical information such as the physical port upon which the statistical object was received or the logical channel upon which the statistical object was received.
  • the device performing the identity must maintain a table of all valid statistical objects. This table may contain collisions where multiple original objects generate the same statistical object.
  • a statistical object is received, it is first looked up in the table of all statistical objects to determine if the received statistical object is valid. If the received statistical object is not found in the table, then no further processing occurs with respect to identifying the original object on that reception.
  • the communications characteristics associated with the reception of the statistical object and the list of all potential original objects are recorded. If the list of potential original objects has exactly a single entry, then the original object is identified and the process moves on to calculating the statistical probability.
  • the partially identified statistical object and the list of potential original objects are recorded along with the communications characteristics associated with the reception of the statistical object.
  • the list of potential original objects is pruned of original objects that cannot generate the complete set of received statistical objects found in the aggregate statistical object.
  • the process moves on to calculating the statistical probability of guessing the information in the aggregate statistical object. If the original object is not unambiguously identified, nothing further is done at this time and the system awaits the reception of another statistical object with related communications characteristics to increase the number of bits of information received and again aggregates this information into the aggregate statistical object and the process repeats itself.
  • Calculating the probability of guessing the information in the aggregate statistical object requires the number of bits of statistical objects that have been received and aggregated and the number of statistical objects maintained in the table of all valid statistical objects.
  • the specific probability p of a collision is
  • n is the number of statistical objects in the table of valid statistical objects and d is the total number of unique statistical objects available.
  • p(n; d) ⁇ 1 ⁇ e ⁇ 2/(2 ⁇ d) is used.
  • the probability is compared against the probability threshold. If the calculated probability is less than the probability threshold, then the statistical object has been identified with a confidence that the aggregate information received does not exceed the probability threshold set beforehand. If the probability exceeds the threshold, nothing further is done and the system awaits the reception of another statistical object with related communications characteristics to increase the number of bits of information received and aggregates into the aggregate statistical object and the process repeats itself.
  • a further optimization can be made by associating communications characteristics across multiple identifications of statistical objects.
  • a statistical object When a statistical object is identified and does not exceed the probability threshold, thereby confirming that it was generated from the original object, the communications characteristics are temporarily associated with that original object.
  • the received statistical object is checked against the associated original object. If the associated original object could produce the received statistical object, the statistical object is identified as being produced by the associated original object.
  • the identification of the statistical object proceeds by aggregating the statistical object information and pruning the list of potential original objects until only a single original object remains. The statistical object is still aggregated in an aggregated statistical object to enable the aggregation of information for the probability calculation.
  • the probability calculation is made using the number of bits of information received in the aggregate statistical object and the number of statistical objects that are associated with the communications characteristics that are associated with the original object. This results in a lesser amount of statistical object information being required to not exceed the probability threshold, because the communications criterion is being used as an additional discriminator.
  • Multiple sets of communications characteristics can be associated with the original object and multiple original objects can be associated with a single set of communications characteristics.
  • a timestamp or other mechanism for indicating recent activity is updated in the communications characteristics associated with the original object.
  • the original object association should be removed after such periods of inactivity exceed a threshold. Subsequent statistical object reception with those removed communications characteristics will proceed as unassociated communications until those communications are again associated with an original object.
  • the algorithms used to generate the statistical objects use additional information in addition to the original object as inputs.
  • This additional information may include clocks, counters and other deterministic inputs.
  • this additional information is also identified and used to further validate the identity of the original object.
  • the probability threshold has several unique uses. Firstly, the use of a probability threshold enables the system for statistical object identity to be used with varying numbers of statistical objects contained within the table of all valid statistical objects without having the probability of guessing a statistical object increase as statistical objects are added to the valid statistical object table. The system employed here simply requires additional statistical objects, thus increasing the amount of information available to maintain the desired probability.
  • the second unique attribute of using the probability threshold is that the probability threshold can be changed by the entity performing statistical object identification without communication, knowledge or coordination of the change by the entity generating the statistical object. This is especially important in the context of cyber security where knowledge of a threat or attack may raise the level of security desired. This can be used by the entity receiving and performing statistical object identification to decrease the threshold, requiring more statistical information before the original object identity is confirmed. The ability to perform this function without requiring any communication or notification to the entity producing the statistical object is especially useful and novel.
  • Additional information can also be conveyed using statistical objects.
  • this information can be extracted during the statistical object identification process. Examples of such additional information includes, but is not limited to, information regarding the state of some system or process, an index into a table of information or other types of data.
  • FIG. 1 illustrates the general operation of a hash function.
  • FIG. 2 shows how the hash function illustrated in FIG. 1 maps a set of inputs to a set of outputs.
  • FIG. 3 is a graph that illustrates the birthday problem.
  • FIG. 4 is an illustration which shows an embodiment of the present invention.
  • FIG. 5 is an illustration which shows an alternate embodiment of the present invention.
  • FIG. 6 illustrates certificates that are used to authenticate a communication.
  • FIG. 7 shows certificates stored in a remote system.
  • FIG. 8 shows that certificates are too large to send to the remote system in their original form.
  • FIG. 9 depicts a solution: converting the certificates, which are original objects, to cryptographic hashes, or statistical objects.
  • FIG. 10 shows how statistical objects and a time value from a clock are sent to the remote system.
  • FIG. 11 illustrates the result of the conversion of three original objects to three statistical objects.
  • FIG. 12 furnishes a view of Ben's first communication with the remote system.
  • FIG. 13 depicts the comparison process that occurs within a statistical object matcher.
  • FIG. 14 illustrates the role of an accumulated statistical object selector.
  • FIG. 15 illustrates the function of an accumulated statistical object selector.
  • FIG. 16 illustrates the task of an original object identifier.
  • FIG. 17 shows that Ben's first communication has failed to be authenticated.
  • FIG. 18 supplies a schematic view of Ben's second attempt to communicate with the remote system.
  • FIG. 19 depicts the second communication, and the resulting match that is produced in the statistical object matcher.
  • FIG. 20 illustrates the process of finding a match.
  • FIG. 21 shows how the accumulated statistical object selector discards statistical objects that do not lead to an authenticating match.
  • FIG. 22 furnishes a view of a probability calculator, which computes the probability of a successful guess of accumulated statistical object information.
  • FIG. 23 reveals the function of a threshold comparator, which compares the calculated probability to a probability threshold value.
  • FIG. 24 exhibits the final result, the authentication of Ben's second communication.
  • FIG. 25 is an illustration which shows an embodiment of the present invention, an integrated SOI system.
  • FIG. 26 is an illustration which shows an alternate embodiment of the present invention, an integrated SOI system.
  • FIG. 27 is an illustration which shows an alternate embodiment of the present invention, an integrated SOI policy system and integrated SOI services.
  • FIG. 28 is an illustration which shows an alternate embodiment of the present invention with a simple hierarchy.
  • FIG. 29 is an illustration which shows an alternate embodiment of the present invention with a more complex hierarchy.
  • FIG. 30 is an illustration which shows a network client connected to a network.
  • FIG. 31 is an illustration which shows an embodiment of the present invention, a network SOI client.
  • FIG. 32 is an illustration which shows an embodiment of the present invention, an SOI insertion device.
  • FIG. 33 is an illustration which shows a system of SOI devices.
  • FIG. 34 is an illustration which shows an alternate system of SOI devices.
  • One embodiment of the present invention provides a method for authenticating a communication.
  • a communication between a user (Ben) and a remote system is described. Communications received by the remote system must be authenticated before they are allowed.
  • the terms authenticate and authentication are intended to mean that the identity of a communicator or an initiator of a communication has been verified, and that a particular communication is permitted, allowed or otherwise approved to proceed into the remote system.
  • One embodiment of the present invention solves this problem by reducing the information in the certificate which is used to authenticate the communication before it is allowed to proceed by converting the certificate to a much smaller “statistical object.”
  • the method allows the network to determine the identity of the initiator of the communication before the communication is given access to the network. This method provides a security feature that substantially eliminates potentially detrimental and malicious attacks that could be perpetrated on the network using conventional technology.
  • Aggregate Statistical Object A data structure containing one or more statistical objects, a list of potential original objects that may have created the original object(s) and the communications characteristics that provide the association between multiple statistical objects.
  • Authentication Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Authenticating Device A device that verifies the identity of a user, process or device.
  • Authentication Information Information provided for the purpose of verifying the identity of a user, process or device.
  • Communications Characteristics Any of the characteristics, both physical and logical, that are available to distinguish one communication from another and to group discrete communication events into one or more related sequences of communications events.
  • Connection A logical pairing of two devices that enable them to communicate.
  • a connection utilizes a series of packets to accomplish this.
  • a TCP connection is an example of a connection.
  • Connection Request A request by one device to another device to create a connection.
  • a device is any object that is capable of being attached or wirelessly connected to and communicating on a network.
  • Examples of devices include computers, servers, clients, laptops, PDAs, cell phones, smart phones, network appliances, storage systems, virtual appliances, switches, routers, load balancers, caches, intrusion detection systems, VPNs, authentication devices, intrusion prevention systems, and firewalls.
  • Digital Identity A digital representation of a set of characteristics by which a user, process or device is uniquely recognized.
  • Hash or Hashing function Any procedure or mathematical method that converts are large amount of data into a smaller amount of data.
  • the output may be a single integer or value which serves as an index to an array or database.
  • IP—IP is the Internet Protocol.
  • the Internet Protocol is a data oriented protocol used by devices to communicate across a packet switched network.
  • IP information is carried by an IP header in an IP packet.
  • the IP header contains device address information, protocol control information and user data information.
  • Network A network is a collection of computers, servers, clients, routers and devices that are connected together such that they can communicate with each other.
  • the Internet is an example of a network.
  • Original Object An original object 12 S is a string of bits. It is also an input to the function that generates a statistical object.
  • Protocol In the field of telecommunications, a protocol is the set of standard rules for data representation, signaling, authentication, error detection and other features required to send information over a communications channel. Not all protocols provide all of these features. Protocols with different features may be layered on top of one another to provide a more robust feature set. Examples of protocols are the IP protocol and the TCP protocol. These protocols are often used together and referred to as the TCP/IP protocol.
  • Protocol Entity A device, function, process or procedure that implements a communications protocol.
  • Statistical Object The output of a function that has a statistical distribution. Commonly, a statistical object is the output of a hashing function.
  • Symmetric Key A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.
  • Symmetric Key Authentication An authentication algorithm that uses a symmetric key to create a message authentication code and to verify the code.
  • TCP Transmission Control Protocol
  • networked devices can create connections to one another, over which they can send data.
  • the TCP protocol guarantees that data sent by one endpoint will be received in the same order by the other, and without any pieces missing.
  • the TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device.
  • FIG. 1 is an illustration which shows one particular embodiment of the present invention, which includes a device 10 .
  • a device 10 stores and/or processes at least one original object 12 S and at least one statistical object 14 S.
  • the device 10 includes a plurality of original objects 12 P and a plurality of statistical objects 14 P.
  • a single original object is identified as 12 S (S for singular), while a plurality of original objects is accompanied by 12 P (P for plurality).
  • a single statistical object is identified as 14 S (S for singular), while a plurality of statistical objects is accompanied by 14 P (P for plurality).
  • device is intended to encompass any suitable means for conveying and/or storing information or data.
  • the device 10 is a remote system.
  • device 10 includes all the other components subsequently described in the Specification.
  • the device 10 includes a communications receiver 16 which is connected to an external network and to a statistical object matcher 18 .
  • the statistical matcher 18 is connected to an accumulated statistical object selector 20 , and has access to the plurality of statistical objects 14 P stored in the device 10 .
  • the accumulated statistical object selector 20 is connected to an original object identifier 26 and has access to a plurality of accumulated statistical objects 14 AP.
  • the original object identifier 26 is connected to a probability calculator 30 and has access to the plurality of original objects 12 P.
  • the probability calculator 30 is connected to the threshold comparator 32 and has access to the plurality of statistical objects 14 P.
  • the probability comparator 32 is connected to the output of the device 10 , and has access to a probability threshold value 27 .
  • FIG. 2 is an illustration which shows an alternate embodiment of the present invention.
  • a plurality of original objects 12 P is used to generate a plurality of statistical objects 14 P.
  • a communications receiver 16 is located within device 10 , and is connected to the output of device 10 and to a statistical matcher 18 .
  • the statistical object matcher 18 is connected to an accumulated statistical object selector 20 and an associated original object selector 20 and has access to the plurality of statistical objects 14 P.
  • the accumulated statistical object selector 20 is connected to an associated original object identifier 28 and has access to a plurality of accumulated statistical objects 42 .
  • the associated original object selector 46 is connected to an associated original object identifier 28 and has access to a plurality of original objects 12 P.
  • the associated original object identifier 28 is connected to the probability calculator 30 and has access to the plurality of statistical objects 14 P.
  • the probability calculator 30 is connected to the threshold comparator 32 and has access to the plurality of statistical objects 14 P.
  • the probability calculator is connected to the external XXX of the device 10 , and has access to a threshold probability value 27 and the plurality of original objects 12 P.
  • a device 10 contains a plurality of original objects 12 P.
  • For each original object 12 S at least one statistical object 14 S is generated. Multiple statistical objects 14 P may be generated from a single original object 14 S and each statistical object 14 S has a name, pointer or other indication of the original object 12 S from which it was created. Since multiple statistical objects 14 P may be created from a single original object 12 S, multiple pointers or other indicators of additional inputs to the statistical object generator may also be provided. These additional inputs may include clock information, keying information, state information, and other relevant and useful information.
  • the plurality of statistical objects 14 P generated from the plurality of original objects 12 P is maintained and is available within the device 10 .
  • the plurality of statistical objects 14 P may be individually or as a group, periodically removed, added to, invalidated or otherwise refreshed. Likewise, the plurality of original objects 12 P may be individually or as a group removed, added to, invalidated or otherwise refreshed.
  • a first statistical object 14 F When a first statistical object 14 F is received by a communications receiver 16 , it is received within the context of a communication and has communications characteristics 22 associated with it.
  • These communications characteristics 22 may include the network address of the sender of the communication, the physical interface or port upon which the communication was received, the logical interface upon which the communication was received.
  • the communications characteristics 22 may include the IPv4 or IPv6 address of the sender, session information including local and remote addresses and local and remote port numbers, VLAN identifiers and other network, protocol stack and application information.
  • Communications characteristics 22 may also include security association information.
  • Physical characteristics of the communications characteristics 22 may include the frequency or frequencies at which the communication was received. Physical characteristics of communications characteristics 22 may also include phase information, time information and amplitude information.
  • the first statistical object 14 F is compared against the plurality of statistical objects 14 P. If a matching statistical object 14 M is not found, the first statistical object 14 F is not identified and no further statistical object resolution activity occurs on this reception of a statistical object. If there is at least one statistical object 14 S in the plurality of statistical objects 14 P that matches the first statistical object 14 F, then the first statistical object 14 F, all matching statistical objects 14 M and indicators of their respective original objects 12 P and the communications characteristics 22 are passed to an accumulated statistical object selector 20 .
  • the accumulated statistical object selector 20 takes the input communications characteristics 22 and looks for an accumulated statistical object 14 A within the plurality of accumulated statistical objects 14 AP that has matching communication characteristics 22 .
  • the first statistical object 14 F and the list of all original objects 12 P associated with the matched statistical objects 14 M are added to the matched accumulated statistical object 14 MA. This increases the amount of statistical object information. If a matching accumulated statistical object 14 MA is not found, a new accumulated statistical object 14 NA is created and added to the plurality of accumulated statistical objects 14 AP. The communications characteristics of the accumulated statistical object is copied from the communications characteristics 22 , the first statistical object 14 F and the list of all original objects 12 P associated with the matched statistical objects 14 M are added to the accumulated statistical object 14 A. In both cases, the resulting accumulated statistical object 14 A is passed to the original object identifier 26 .
  • an accumulated statistical object 14 A may be removed from the plurality of accumulated statistical objects 14 AP.
  • An accumulated statistical object 14 A may be considered inactive if it has not unambiguously selected a unique original object 12 S and first statistical objects 14 FP with matching communications characteristics 22 have not been received for a period of time.
  • An accumulated statistical object 14 A may also be considered inactive if it has selected a unique original object 12 S, but the accumulated statistical object exceeds the probability threshold value 27 and first statistical objects with matching communications characteristics 22 have not been received for a period of time.
  • the original object identifier 26 takes the given accumulated statistical object 14 A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12 S. This determination is made by successively pruning associated original objects that, as additional statistical object information is added, fail to be able to generate the stream of statistical objects that matches the received statistical objects until only a single original object remains. If a unique original object 12 S is not determined, the accumulated statistical object 14 A is updated with the pruned list of associated original objects 12 P, and no further statistical object resolution activity occurs on this reception of a statistical object. If a unique original object 12 S is determined, the selected original object 12 SEL is indicated in the accumulated statistical object 14 A and the accumulated statistical object 14 A is sent to a probability calculator 30 .
  • the probability calculator 30 takes the given accumulated statistical object 22 and based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 22 and the number of statistical objects in the plurality of statistical objects 14 P calculates the probability of guessing the accumulated statistical object information.
  • the calculated probability 36 is sent to the threshold comparator 32 .
  • the threshold comparator 32 takes the given calculated probability 36 and compares that value with the threshold value 28 .
  • the threshold value may be taken from an original object 12 S, may be a configurable value for the plurality of original objects 12 P within device 10 , or may be controlled by an outside entity.
  • the threshold value may be associated with the device 10 .
  • the threshold comparator 32 determines that the calculated probability 36 exceeds the probability threshold value 27 , no further statistical object resolution activity occurs on this reception of a statistical object 14 S. If the threshold comparator 32 determines that the calculated probability 36 is less than the probability threshold value 27 , an indication 34 is produced that includes the selected original object 26 SEL.
  • the indication 30 may also include the communications characteristics 22 and any other available information required by the receiver of the indication 34 .
  • the indication may also contain additional inputs to the statistical object generator, which may be provided by a pointer from a statistical object 14 S. These additional inputs may include clock information, keying information, state information, and other relevant and useful information.
  • the probability of guessing an accumulated statistical object is held constant while the number of statistical objects present in the plurality of statistical objects 14 P can vary.
  • the probability of guessing a first statistical object 14 F is also held constant.
  • the probability threshold value 27 can be changed at any time. The change in probability threshold value 27 does not require the communication or coordination with the generator of the first statistical object 18 . Because of this, the probability threshold value 27 can be adjusted, and the system for statistical object identification will not provide any response until the threshold value has been met. This effectively allows the statistical object identification system to silently increase or decrease the probability threshold value 27 without providing any detectable indication of the change in the probability threshold value 27 .
  • a device 10 contains a plurality of original objects 12 P.
  • For each original object 12 S at least one statistical object 14 is generated. Multiple statistical objects 14 may be generated from a single original object 6 and each statistical object 14 contains a name, pointer or other indication of the original object 16 from which it was created.
  • the plurality of statistical objects 14 P generated from the plurality of original objects 14 P is maintained and is available within the device 10 .
  • the plurality of statistical objects 14 P may be individually or as a group periodically removed, added to, invalidated or otherwise refreshed.
  • the plurality of original objects 12 P may be individually or as a group removed, added to, invalidated or otherwise refreshed.
  • a first statistical object 14 S When a first statistical object 14 S is received by a communications receiver 16 , it is received within the context of a communication and has communications characteristics 22 associated with it. After a first statistical object 18 has been received, using a statistical matcher 18 , the first statistical object 18 is compared against the plurality of statistical objects 14 P. If a matching statistical object 14 is not found, the first statistical object 18 is not identified and no further statistical object resolution activity occurs on this reception of a statistical object. If there is at least one statistical object 14 S in the plurality of statistical objects 14 P that matches the first statistical object 14 F, all matching statistical objects 14 P and indicators of their respective original objects 12 P and the communications characteristics 22 are passed to an accumulated statistical object selector 20 . The communications characteristics 22 are also passed to an associated original object selector 24 .
  • the accumulated statistical object selector 20 takes the input communications characteristics 22 and looks for an accumulated statistical object 14 A within the plurality of accumulated statistical objects 14 AP that has matching communication characteristics 22 . If a matching accumulated statistical object 14 A is found, the first statistical object 14 F and the list of all original objects 12 P associated with the matched statistical objects 14 M are added to the matched accumulated statistical object 14 MA. This increases the amount of statistical object information. If a matching accumulated statistical object 14 MA is not found, a new accumulated statistical object 14 NA is created and added to the plurality of accumulated statistical objects 14 PA.
  • the communications characteristics 22 of the accumulated statistical object 14 A are copied from the communications characteristics 22 , the first statistical object 14 F and the list of all original objects 12 P associated with the matched statistical objects 14 M are added to the accumulated statistical object 14 A. In both cases, the resulting accumulated statistical object 14 A is passed to the original object identifier 26 .
  • the associated original object selector 24 takes the input communications characteristics 22 and looks for an original object 12 S within the plurality of original objects 12 P that has matching communications characteristics. If a matching original object 12 M is found, that original object is selected, becoming a selected original object 12 S and is passed to the associated original object identifier 26 . If there is no matching original object 12 M, then nothing is passed to the associated original object identifier 28 . If an original object 16 is inactive for a period of time, the association with communications characteristics 22 may be removed from the original object 16 . An original object 16 may be considered inactive if first statistical objects 18 with matching communications characteristics 22 have not been received for a period of time. An original object 16 may also be considered inactive if first statistical objects 18 produced by the associated original object 16 have not been received for a period of time.
  • the associated original object identifier 28 takes the given accumulated statistical object 22 and the selected original object 26 and determines if the accumulated statistical information within the accumulated statistical object 22 could have been produced by the selected original object 26 . If the information contained within the accumulated statistical object 14 A could have been generated by the selected original object 12 SEL, the selected original object 12 SEL is indicated in the accumulated statistical object 22 and the accumulated statistical object 22 is sent to the probability calculator 30 . If the information contained within the accumulated statistical object 22 could not have been produced by the selected original object 12 SEL, the selected original object 12 SEL is discarded and the following processing occurs.
  • the associated original object identifier 28 takes the given accumulated statistical object 22 and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12 S. This determination is made by successively pruning associated original objects that, as additional statistical object information is added, fail to be able to generate the stream of statistical objects that matches the received statistical objects until only a single original object remains. If a unique original object 12 S is not determined, the accumulated statistical object 14 A is updated with the pruned list of associated original objects 12 P and no further statistical object resolution activity occurs on this reception of a statistical object. If a unique original object 12 S is determined, the selected original object 12 SEL is indicated in the accumulated statistical object 14 A and the accumulated statistical object 14 A is sent to the probability calculator 30 .
  • the probability calculator 30 takes the given accumulated statistical object 14 A and based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14 A and the number of statistical objects 14 in the plurality of statistical objects 12 P that have matching communications characteristics 22 , calculates the probability of guessing the accumulated statistical object information.
  • the calculated probability 36 is sent to the threshold comparator 32 .
  • the threshold comparator 32 takes the given calculated probability 36 and compares that value with the probability threshold value 27 .
  • the threshold value may be taken from an original object 12 S, may be a configurable value for the plurality of original objects 12 P within device 10 or may be controlled by an outside entity.
  • the threshold comparator 32 determines that the calculated probability 36 is greater than the probability threshold value 27 , no further statistical object resolution activity occurs on this reception of a statistical object. If the threshold comparator 32 determines that the calculated probability 36 is less than the probability threshold value 27 , an indication 30 is produced that includes the selected original object 12 SEL and an association is made within the plurality of original objects 12 P between the selected original object 12 SEL and the communications characteristics 22 . The indication 30 may also include the communications characteristics 22 and any other available information required by the receiver of the indication 30 . The association between an original object 12 S and communications characteristics 22 can also be created prior to receiving a first statistical object 14 F. This allows the system to be pre-populated with associations that should accelerate the selection of original objects and make staying beneath the probability threshold value 27 easier.
  • each accumulated statistical object 14 A should have a timestamp or similar aging construct that will enable the system to periodically age out idle, orphaned and otherwise unused objects. This includes the removal of communication characteristics 22 that have been associated with original objects 12 P after matching communications have been idle for a period of time.
  • each statistical object 14 S should also expire after a period of time if that statistical object 14 S has not been matched and invalidated.
  • the association of communications characteristics 22 is usually performed after the successful identification of an original object 12 S and after the calculated probability 36 is determined to be less than the probability threshold value 27 . It is also possible to pre-assign communications characteristics 22 to original objects 12 P. This will decrease the amount of statistical object information necessary to identify the associated original object. Unlike dynamically associated communication characteristics, pre-assigned associations should not expire after periods of inactivity.
  • This method of statistical object identity allows the system to maintain a constant probability threshold, regardless of the number of statistical objects that are contained within the plurality of statistical objects. This is accomplished by always calculating the probability of guessing the information contained in the accumulated statistical object with respect to both the number of statistical objects that are contained within the plurality of statistical objects and the accumulated statistical object information. As the number of statistical objects in the plurality of statistical objects increases, the probability of guessing increases as the amount of statistical object information accumulates, the probability of guessing decreases. By comparing the result of the probability calculation against the probability threshold after each reception of a statistical object that results in an identified original object, adherence to the probability threshold is enforced.
  • This method of statistical object identity is designed to specifically enable the changing of the probability threshold and not require that the changed probability threshold be coordinated or otherwise communicated with the entities that are generating and sending the statistical objects.
  • the device can change the probability threshold in response to other external factors such as the threat or presence of attack or other security or integrity event.
  • the apparatus that performs statistical object identification is varied and diverse. It ranges from a simple, single function device that receives statistical objects via a network or other communications medium, and identifies the original object. Once the identification is made, the communication may be forwarded to its intended destination. Before identification is made, no communications are allowed to pass across the device. It is expected that in many cases, the apparatus will be a module or subsystem within a larger system. This module may take the form of a state machine in a application specific integrated circuit (ASIC) or other form of integrated circuit or semiconductor implementation. This module may also take the form of logic coding provided to a programmable logic device such as a field programmable gate array (FPGA), programmable array logic (PAL) and other forms of programmable logic. This module may also take the form of instructions for a microprocessor. This module may also take the form of instructions to a synthetic or virtual processor or machine.
  • ASIC application specific integrated circuit
  • PAL programmable array logic
  • This module may also take the form of instructions for a microprocessor
  • the apparatus that performs statistical object identification may be used in communications devices, security devices, network routing devices, application routing devices, service delivery devices and other devices that are enabled by the addition of the efficient communication of an original object through the reception of a statistical object which is identified as being generated from an original object.
  • the letter “S” is used to signify a single object, while the letter “P” is used to signify a plurality.
  • the reference character that refers to an original object always includes the numeral “12”, while the numeral “14” is always used to refer to a statistical object.
  • an original object 12 S is an X.509 certificate.
  • An X.509 certificate is used to provide identity, and is digitally signed to prove its authenticity.
  • the X.509 certificates are 1 KB in size (1024 bytes, 8192 bits).
  • a cryptographic hash 32 bits in length, is generated for each X.509 certificate and a common clock.
  • the cryptographic hash is a statistical object 14 S generated from an original object 12 S. Now let us assume that we have 100 of these X.509 certificates, that is 100 original objects 12 S. And let us assume that for each original object 12 S, we generate a cryptographic hash of each X.509 certificate and a common clock to produce 100 statistical objects 14 S each 32 bits in length. For descriptive purposes, three of these X.509 certificates and their corresponding statistical objects will be described.
  • X.509 certificate #1 identifies Sally, and generates a statistical object 14 S of value 22443.
  • X.509 certificate #2 identifies Ben, and generates a statistical object 14 S of value 32415.
  • X.509 certificate #3 identifies Greg, and also generates a statistical object 14 S of value 32415.
  • the device 10 has generated the plurality of statistical objects 14 P corresponding to the plurality of original objects 12 P.
  • Ben's communication includes Ben's statistical object (first statistical object 14 F) and communications characteristics 22 .
  • the communications occurred over a TCP/IP network and the IP source and destination addresses and the TCP source and destination port numbers are used as communications characteristics 22 .
  • the source IP address is 1.1.1.2 and the destination IP address is 1.1.1.3.
  • the source TCP port number is 2000 and the destination TCP port number is 3000.
  • the communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14 F to the statistical object matcher 18 .
  • the statistical object matcher 18 compares Ben's statistical object 14 F with the plurality of statistical objects 14 P, and determines that there it matches two statistical objects, Ben's and Greg's.
  • the statistical object matcher 18 sends Ben's statistical object 14 F, the two matched statistical objects 14 M (Ben's and Greg's) and the communications characteristics 22 to the accumulated statistical object selector 20 .
  • the accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14 AP and finds no matches.
  • the accumulated statistical object selector 20 creates a new accumulated statistical object 14 A including Ben's statistical object 14 F, the two matched statistical objects 14 M and the communications characteristics 22 .
  • the new accumulated statistical object 14 A is added to the plurality of accumulated statistical objects 14 AP.
  • the accumulated statistical object information is set to 32 bits to reflect the information contained in statistical object 14 F.
  • the accumulated statistical object 14 AP is passed to the original object identifier 26 .
  • the original object identifier 26 determines that the accumulated statistical object 14 AP does not unambiguously identify a single original object 12 S. This concludes the operation of the device 10 for the reception of Ben's statistical object.
  • the device 10 does not respond to Ben's communication because it cannot unambiguously determine who sent the communication.
  • X.509 certificate #1 identifies Sally and generates a statistical object 14 S of value 84256.
  • X.509 certificate #2 identifies Ben and also generates a statistical object 14 S of value 84256.
  • X.509 certificate #3 identifies Greg and generates a statistical object 14 S of value 10845. Due to time passing, device 10 regenerates the plurality of statistical objects 14 P corresponding to the plurality of original objects 12 P which match Sally, Ben and Greg.
  • Ben sends a second communication containing Ben's current statistical object to device 10 .
  • Device 10 receives Ben's communication using a communications receiver 16 .
  • Ben's communication includes Ben's statistical object 14 F and communications characteristics 22 .
  • the communications characteristic 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 2000 and destination TCP port number of 3000.
  • the communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14 F to the statistical object matcher 18 .
  • the statistical object matcher 18 compares Ben's statistical object 14 F with the plurality of statistical objects 14 P and determines that there it matches two statistical objects, Ben's and Sally's.
  • the statistical object matcher 18 sends Ben's statistical object 14 F, the two matched statistical objects 14 M (Ben's and Sally's) and the communications characteristics 22 to the accumulated statistical object selector 20 .
  • the accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14 AP, and finds a match with Ben's previous communication.
  • the matched accumulated statistical object 14 A includes the previous matched statistical object 14 M containing Ben's and Greg's statistical objects and is compared against the two matched statistical objects 14 M matching Ben's statistical object 14 F containing Ben's and Sally's statistical objects. The intersection of both matched statistical sets is Ben. Greg and Sally are removed from the accumulated statistical object 14 A.
  • the accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 14 F.
  • the accumulated statistical object 14 A is passed to the original object identifier 26 .
  • the original object identifier 26 takes the given accumulated statistical object 14 A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12 S.
  • Original object 12 S is Ben's X.509 certificate.
  • Original object 12 S is now indicated as selected original object 12 SEL, and is passed to the probability calculator 30 .
  • the probability calculator 30 takes the given accumulated statistical object 14 A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14 A and the number of statistical objects in the plurality of statistical objects 14 P, calculates the probability of guessing the accumulated statistical object information.
  • n is the number of statistical objects in the table of valid statistical objects
  • d is the total number of unique statistical objects available
  • the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero.
  • This calculated probability 36 and the accumulated statistical object 22 are passed to the threshold comparator 32 .
  • the threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27 .
  • the probability threshold value 27 is 1 in a million.
  • the threshold comparator 32 determines that our calculated probability 27 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 27 , the threshold comparator 32 makes an indication 30 that includes the selected original object 12 SEL Ben. This indication 30 communicates to other functions within the device 10 that the communication was sent by Ben and has not exceeded the probability threshold value 27 , and that the device 10 should now respond to Ben's communication.
  • the communications characteristic 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 2000 and destination TCP port number of 3000.
  • the communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14 F to the statistical object matcher 18 .
  • the statistical object matcher 18 compares Ben's statistical object 14 F with the plurality of statistical objects 14 P and determines that there it matches only a single statistical object, Ben's.
  • the statistical object matcher 18 sends Ben's statistical object 14 F, the matched statistical object 14 M (Ben's) and the communications characteristics 22 to the accumulated statistical object selector 20 .
  • the accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14 AP, and finds a match with Ben's previous communication.
  • the matched accumulated statistical object 14 A includes the previous matched statistical object 14 M containing only Ben and is compared against the matched statistical object 14 M matching Ben's statistical object 14 F containing Ben. The intersection of both matched statistical sets is Ben.
  • the accumulated statistical object information increases from 64 bits to 96 bits with the addition of statistical object 14 F.
  • the accumulated statistical object 14 A is passed to the original object identifier 26 .
  • the original object identifier 26 takes the given accumulated statistical object 14 A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12 S.
  • Original object 12 S is Ben's X.509 certificate.
  • Original object 12 S is now indicated as selected original object 12 SEL, and is passed to the probability calculator 30 .
  • the probability calculator 30 takes the given accumulated statistical object 22 , and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 22 and the number of statistical objects in the plurality of statistical objects 14 P, calculates the probability of guessing the accumulated statistical object information.
  • the probability 36 of guessing the accumulated statistical object 14 A with 96 bits of information is again vanishingly small, approaching zero. This calculated probability 36 and the accumulated statistical object 22 are passed to the threshold comparator 32 .
  • the threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27 .
  • the threshold comparator 32 determines that our calculated probability 27 of 0 is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 27 , the threshold comparator 32 makes an indication 30 that includes the selected original object 12 SEL Ben. This indication 30 communicates to other functions within the device 10 that the communication was send by Ben and has not exceeded the probability threshold value 27 and that the device 10 should now respond to Ben's communication.
  • Ben makes another communication to device 10 during which within device 10 an association exists between Ben's original object and the communications characteristics 22 of Ben's previous communication.
  • Device 10 receives Ben's communication using a communications receiver 16 .
  • Ben's communication includes Ben's statistical object (first statistical object 14 F) and communications characteristics 22 .
  • the communications characteristics 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 5000 and destination TCP port number of 7000.
  • the source IP address is the same source IP address that was used in the prior, accepted communications.
  • the statistical object matcher 18 compares Ben's statistical object 14 F with the plurality of statistical objects 14 P, and determines that there it matches two statistical objects, Ben's and Greg's.
  • the statistical object matcher 18 sends Ben's statistical object 14 F, the two matched statistical objects 14 M (Ben's and Greg's) and the communications characteristics 22 to the accumulated statistical object selector 20 and sends the communications characteristics 22 to the associated original object selector 24 .
  • the accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14 AP and finds no matches. Because no matches were found, the accumulated statistical object selector 20 creates a new accumulated statistical object 14 A including Ben's statistical object 14 F, the two matched statistical objects 14 M and the communications characteristics 22 .
  • the new accumulated statistical object 14 A is added to the plurality of accumulated statistical objects 14 AP.
  • the accumulated statistical object information is set to 32 bits to reflect the information contained in statistical object 14 F.
  • the accumulated statistical object selector 20 sends the accumulated statistical object 14 A to the associated original object identifier 28 .
  • the associated original object selector 24 receives the communications characteristics 22 and compares them with the communications characteristics 22 associated with the plurality of original objects 12 P. Because an association exists between Ben's original object and Ben's communications characteristics 22 , the associated original object selector 24 selects Ben's original object, indicated as 12 SEL and passes the selected original object 12 SEL to the associated original object identifier 28 .
  • the associated original object identifier 28 takes the accumulated statistical object 14 A and the selected original object 12 SEL (Ben) and insures that the accumulated statistical object 14 A could have been generated from the selected original object 12 SEL.
  • the intersection of the original objects 14 is calculated using the original objects associated with the matched statistical objects 14 M (Ben and Greg) and the selected original object 12 SEL (Ben) resulting in Ben. This intersection is indicated in the accumulated statistical object 14 A. Since there is exactly one original object now contained in the accumulated statistical object 14 A, the accumulated statistical object 14 A is sent to the probability calculator 30 .
  • the probability calculator 30 takes the given accumulated statistical object 14 A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14 A and the number of statistical objects in the plurality of statistical objects 14 P, calculates the probability of guessing the accumulated statistical object information.
  • the threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27 .
  • This indication 30 communicates to other functions within the device 10 that the communication was sent by Ben and has exceeded the probability threshold value 27 and that the device 10 should now respond to Ben's communication. It should be noted that in this third example, because we are using the communications characteristics 22 associated with the original object 12 , we can arrive at a selected original object 12 SEL and not exceed the probability threshold value 27 while receiving fewer bits of information from the received statistical object 14 F.
  • an original object 12 S is a string of bits.
  • the string “Hello, my name is John” is an original object 12 S.
  • An original object 12 S could be signed by a third party to insure its authenticity.
  • a digital signature is bound to the original object 12 S.
  • the resulting signed original object 12 S is itself another original object 12 S.
  • a digital signature is generated by a trusted third party and is bound to the original object 12 S with metadata. This metadata usually is related to or derived from the original object 12 S, but may also be unrelated to the original object such as geographic, biometric, physical, logical, temporal, dimensional and virtual data.
  • An original object 12 S may also be associated with a cryptographic key or set of keys.
  • An original object associated with a set of cryptographic keys is called a keyed original object.
  • a keyed original object is itself an original object 12 S. The present invention can use any of these original object forms.
  • a statistical object or an original object can be communicated through a wide variety of mechanisms. When statistical or original objects are communicated, the easiest way is to have the communications mechanism designed to support the required information requirements of the original or statistical objects.
  • an original or statistical object can replace other information in the original message. Generally, this approach only works when the original or statistical object fits within an unused field or a field that can be regenerated to make up for the information lost during the replacement.
  • An example of this is Transport Access Control (TAC).
  • TAC Transport Access Control
  • a network session is created.
  • the messages are communicated within this tunnel.
  • Original or statistical objects can be communicated during session establishment or during tunnel operation.
  • IPsec IPsec in tunnel mode.
  • Packet encapsulation wraps each message with another encapsulating message.
  • Original or statistical objects can be communicated in the encapsulating message. Examples of encapsulation include VLAN tagging and MPLS tagging. If neither of these mechanisms is suitable, a parallel communications channel can be created and the original or statistical objects can be communicated by the parallel channel.
  • An example of a parallel channel is Internet Key Exchange (IKE) where an original object is communicated by the IKE protocol and the resulting security association is used by the IPsec protocol.
  • IKE Internet Key Exchange
  • FIG. 25 is an illustration which shows one particular embodiment of the present invention, which includes an integrated SOI system 51 .
  • the integrated SOI system 51 receives messages through two network interfaces 67 .
  • one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network resource 62 . All traffic that is communicated between the network interfaces 67 must traverse the SOI policy service 40 .
  • the SOI policy service 40 is aided by an SOI resolution service 46 .
  • the SOI resolution service 46 is internally aided by a bootstrap keying service 44 , a clock 47 and an object activation service 50 .
  • the SOI policy service 40 also has access to a dynamic blacklist table 56 and a policy table 59 . Alternate embodiments of an integrated SOI system 51 may choose not to include a bootstrap keying service 44 , or an object activation service 50 .
  • FIG. 26 is an illustration which shows an alternate embodiment of the present invention, which includes an integrated SOI system 51 .
  • the SOI policy service 40 is also aided directly by an object activation service 50 .
  • FIG. 27 is an illustration which shows an alternate embodiment of the present invention, a system of an integrated SOI policy system 53 and integrated SOI services 55 .
  • the integrated SOI policy system 53 receives messages through two network interfaces 67 .
  • one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network resource 62 . All traffic that is communicated between the network interfaces 67 must traverse the SOI policy service 40 .
  • the SOI policy service 40 is aided locally by an SOI resolution service 46 , which is in turn aided by a local clock 47 .
  • the SOI policy service 40 is also aided by integrated SOI services 55 .
  • the integrated SOI services 55 is composed of a bootstrap keying service 44 , an SOI resolution service 46 , a clock 47 and an object activation service 50 .
  • the SOI policy service 40 also has access to a dynamic blacklist table 56 and a policy table 59 . Alternate embodiments of integrated SOI services 55 may choose not to include a bootstrap keying service 44 , or an object activation service 50 .
  • FIG. 28 is an illustration which shows an alternate embodiment of the present invention, a system of multiple instances of an integrated SOI policy system 53 and a single instance of integrated SOI services 55 .
  • FIG. 29 is an illustration which shows an alternate embodiment of the present invention, a system of multiple instances of an integrated SOI policy system 53 and multiple instances of integrated SOI services 55 .
  • the top level instance of integrated SOI services 55 does not include a bootstrap keying service 44 , or an object activation service 50 .
  • the top level instance of integrated SOI services 55 includes an SOI resolution service 46 and a clock 47 .
  • FIG. 31 is an illustration which shows one particular embodiment of the present invention, which includes an SOI network client 69 .
  • the SOI network client 69 receives messages through a network interface 67 and from a computer application 65 . All traffic that is communicated between the computer application 65 and the network interfaces 67 must traverse the SOI insertion policy service 42 .
  • the SOI insertion policy service 42 is aided by a bootstrap keying agent 45 , a clock 47 and an object activation agent 48 .
  • Alternate embodiments of an SOI network client 69 may choose not to include a bootstrap keying agent 45 , or an object activation agent 48 .
  • FIG. 32 is an illustration which shows an alternate embodiment of the present invention; a system of a network client 66 and an SOI insertion device 70 .
  • the SOI insertion device 70 receives messages from two network interfaces 67 .
  • one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network client 66 .
  • All traffic that is communicated between the network interfaces 67 must traverse the SOI insertion policy service 42 .
  • the SOI policy insertion service 42 is aided by a bootstrap keying agent 45 , an SOI resolution service 46 , a clock 47 and an object activation agent 48 .
  • the SOI policy insertion service 42 also has access to an insertion object table 57 .
  • Alternate embodiments of an SOI network client 69 may choose not to include a bootstrap keying agent 45 , an SOI resolution service 46 or an object activation agent 48 .
  • FIG. 33 is an illustration of an embodiment of an SOI system.
  • An SOI network client 69 is connected to a network 64 .
  • Other SOI network clients 69 are connected through a SOI insertion device 70 .
  • a series of network client 66 are connected to SOI insertion devices 70 .
  • the networks 64 are connected to a series of integrated SOI systems 51 and integrated SOI policy systems 53 .
  • the integrated SOI systems 51 and the integrated SOI policy systems are connected to a series of integrated SOI policy services 55 .
  • FIG. 34 is an illustration of an alternate embodiment of an SOI system.
  • the SOI systems presented here operate on the principle that original objects 12 S that are known to both an SOI network client 69 or an SOI insertion device 70 and an integrated SOI policy service 40 or an SOI resolution service 46 . All other information, including the source address of an SOI network client 69 or a network client 66 , the state of synchronization of a clock 47 within an SOI network client 69 or an SOI insertion device 70 and knowledge of secure, shared keying material are presumed to be unknown. Furthermore, it is expected that all services contained within integrated SOI systems 51 , integrated SOI policy systems 53 and integrated SOI service 55 are protected against discovery, attack and compromise and thus require a secure, measured approach to obtaining this unknown information which is required for proper SOI operation. Operating an SOI system has up to three phases for each original object. These three phases of operation are bootstrap keying, object activation and statistical object identification.
  • the objective of the first phase of operation, bootstrap keying is to provide a set of statistical objects 14 S to an SOI network client 69 or an SOI insertion device 70 to enable the authenticated accessing of the object activation service 50 .
  • a bootstrap keying agent 45 communicates with a bootstrap keying service 44 .
  • the bootstrap keying agent 45 sends an original object 12 S to the bootstrap keying service 44 .
  • the bootstrap keying service 44 responds by sending a set of statistical objects 14 S to the bootstrap keying agent 45 to use in the object activation phase.
  • the communication between the bootstrap keying agent 45 and the bootstrap keying service 44 must be secure and private, so that an eavesdropper cannot obtain the statistical objects 14 S.
  • the Internet Engineering Task Force (IETF) protocol Internet Key Exchange version 2 (IKEv2) is used to provide bootstrap keying.
  • object activation is to provide an SOI network client 69 or an SOI insertion device 70 with the necessary information to generate statistical objects 14 S from original object 12 S such that the statistical objects 14 S will be resolved by an integrated SOI system 51 or an SOI resolution service 46 .
  • an object activation agent 48 communicates with an object activation service 50 .
  • the object activation agent 48 sends one or more original objects 12 S, metadata associated with the original objects 12 S and the time from a clock 47 local to the SOI network client 69 or SOI insertion device 70 to the object activation service 50 .
  • the object activation service 50 responds 44 sending a set of keying information 61 and expiration criterion 63 to the object activation agent 48 .
  • the keying information 61 provided to the object activation agent 48 includes a clock offset. This is used to provide synchronization between the clock 47 that is local to the SOI network client 69 or SOI insertion device 70 and the clock 47 that is local to the integrated SOI system 51 or the SOI resolution service 46 . This is necessary because many clocks in networking and computing devices lack the ability to maintain high degrees of accuracy over long periods of time.
  • the clocks are synchronized during the object activation phase and must only remain in synchronization until the provided expiration criterion is met.
  • the expiration criterion should be met before the clocks lose synchronization due to clock drift.
  • the synchronized clock is used as an input to the hashing algorithm that is used to generate statistical object 14 S.
  • the keying information 61 provided to the object activation agent 48 also includes a session key.
  • This session key is used as an input to the hashing algorithm that is used to generate statistical objects 14 S.
  • the use of session keys eliminates the need to securely store keys.
  • the keying information 61 provided to the object activation agent 48 also includes an asynchronous clock reset value.
  • This asynchronous clock reset value is used as an input to the hashing algorithm that is used to generate statistical objects 14 S.
  • the use of an asynchronous clock reset value eliminates the need for a high frequency clock. Higher frequency clocks can be more difficult to synchronize.
  • Using an asynchronous clock with a reset value enables statistical objects 14 S to be generated at a rate greater than the clock frequency while still maintaining unique statistical objects 14 S.
  • the asynchronous clock is set to the asynchronous clock reset value. Whenever a statistical object is generated, the synchronous clock is incremented. In this way, the combination of the synchronized clock and the asynchronous clock will always result in a unique value.
  • the object activation agent 48 may also communicate metadata associated with the original object 12 S.
  • This metadata may be geophysical information, biometric information, application metadata or any other metadata that an object activation service 50 may use in its activation process.
  • the object activation service 50 may be presented with more than one original object 12 S from the object activation agent 48 .
  • the keying information 61 associated with the original object 12 S is provided at the discretion of the object activation service 50 .
  • the object activation service 50 may provide keying information 61 for only a subset of the original objects 12 S or the object activation service 50 may not provide keying information 61 for any of the original objects 12 S.
  • the object activation service 50 may have policies or rules that govern what original objects 12 S or original objects 12 S and their associated metadata will be given keying information 61 . These policies or rules can be as simple as “IF the original object is Ben THEN provide keying information” or they can be more complex such as “IF the original object is Ben and the associated metadata indicates that Ben is in California THEN provide keying information” or “IF the original object is Ben and the associated metadata indicates that the requesting application is Email THEN provide keying information”. A single original object 12 S with multiple metadata associations may be given multiple sets of keying information 61 corresponding to the different metadata associations.
  • the communication between the object activation agent 48 and the object activation service 50 must be secure and private, so that an eavesdropper cannot obtain the keying information 61 .
  • the communications is secured by using Transport Access Control, which uses a statistical object 14 S to establish a TCP session between the object activation agent 48 and the object activation service 50 .
  • Transport Access Control uses a statistical object 14 S to establish a TCP session between the object activation agent 48 and the object activation service 50 .
  • a TLS session is established to provide privacy for the information.
  • the original object 12 S provided during TLS session establishment should be the same original object that was provided during the bootstrap keying phase.
  • an SOI network client 69 or an SOI insertion device 70 has the information necessary to generate statistical objects 14 S and an integrated SOI system 51 or an SOI resolution service 46 has the same information, enabling them to resolve received statistical objects 14 S generated by an SOI network client 69 or an SOI insertion device 70 to the original objects 12 S.
  • An SOI system has two primary components, an SOI insertion policy service 42 and an SOI policy service 40 . Both of these services can reside in a single device.
  • the SOI insertion policy service 42 is responsible for generating statistical objects 14 S from an original object 12 S and inserting the statistical object 14 S into a message 68 .
  • the SOI policy service 40 is responsible for receiving the message 68 , extracting the statistical object 14 S and using a local SOI resolution service 46 , performing statistical object identification to determine the original object 12 S.
  • the SOI resolution service 46 operates as device 10 .
  • the original object 12 S is communicated to the SOI policy service 40 where the original object 12 S used as a key to locate policy information 60 in a policy table 59 .
  • the policy information 60 describes what to do with the message 68 . Common policies include forwarding the message 68 to its intended destination, discarding the message 68 , or rewriting the message 68 or its corresponding communications characteristics 22 .
  • the SOI resolution service 46 cannot find a matching statistical object 14 M that matches the statistical object 14 S associated with the message 68 , then the original object 12 S associated with the message 68 is a special original object called “the unknown object”.
  • the unknown object is communicated to the SOI policy service 40 where it is used as a key to locate policy information 60 in a policy table 59 .
  • the policy information 60 describes what to do with the message 68 .
  • the SOI resolution service 46 when the SOI resolution service 46 cannot find a matching statistical object 14 M that matches the statistical object 14 S associated with the message 68 , the SOI resolution service 46 sends the message 68 and the associated statistical object 14 S to a second SOI resolution service 49 .
  • the entire message 68 is sent so that the SOI resolution service 46 can operate statelessly with respect to the message 68 .
  • the second SOI resolution service 49 operates as device 10 .
  • the second SOI resolution service 49 receives the message 68 and the associated statistical object 14 S and performs statistical object identification.
  • the original object 12 S, the associated message 68 , keying information 61 , policy information 60 and expiration criterion are all communicated to the SOI resolution service 46 .
  • the SOI resolution service 46 received the information and generates statistical objects 14 S until the expiration criterion 63 is met.
  • the original object 12 S, the message 68 and policy information 60 is communicated to the SOI policy service 40 where the policy information 60 is placed in the policy table 59 .
  • the message 68 is processed in accordance with the policy information 60 .
  • Subsequent messages 68 with statistical objects 14 S generated from the same original object 12 S will be processed solely by the SOI resolution service 46 until the expiration criterion 63 is met and this process does not require the assistance of the second SOI resolution service 49 .
  • a local instance of an SOI resolution service 46 can learn original objects 12 S and their associated keying information 61 , their associated policy information 60 and their expiration criterion 63 .
  • This process can also be extended with additional levels of SOI resolution services 46 .
  • the SOI system is vulnerable to brute force attacks unless defenses are made to detect and mitigate them.
  • a brute force attack on SOI is when an attacker generates a large number of statistical objects 14 S in an attempt to guess a valid statistical object.
  • a statistical object can only be tested for validity by presenting it to an SOI resolution service 46 .
  • the SOI resolution service 46 maintains a count of failed statistical object resolutions and the communications characteristics 22 associated with each failed resolution.
  • a dynamic blacklisting table 56 When the number of failed resolutions exceeds a threshold, then an entry containing the communications characteristics 22 is made in a dynamic blacklisting table 56 .
  • the dynamic blacklisting table 56 is used by the SOI policy service 40 and is queried first. If the communications characteristics 22 associated with a received message 68 match an entry in the dynamic blacklisting table 56 , then the message is discarded before any additional work is performed.
  • Each entry in the dynamic blacklisting table 56 has an expiration criterion 63 . When the expiration criterion is met, then the entry is removed from the dynamic blacklisting table 56 .
  • the expiration criterion 63 should insure that all statistical object 14 S in the plurality of statistical objects 14 P have aged out before the expiration criterion 63 is met. New entries to the dynamic blacklisting table 56 should be communicated to all integrated SOI system 51 and integrated SOI policy system 53 entities.
  • An SOI insertion policy service 42 is used by an SOI network client 69 and an SOI insertion device 70 .
  • the SOI policy insertion service 42 operates on the same device as the computer application 65 .
  • An SOI network client 69 generally presents a single original object 12 S during object activation, but may present multiple associated metadata relationships, which may result in multiple sets of keying information 61 .
  • the SOI policy insertion service 42 in an SOI network client 69 only performs object activation and statistical object identification for itself and does not generate statistical objects on behalf of network clients 66 .
  • the policy insertion service 42 operates on a separate device, logical or physical, as the computer application 65 .
  • the SOI policy insertion service 42 in an SOI insertion device 70 performs object activation and SOI on behalf of other network clients 66 .
  • the object activation agent 45 of an SOI network client 69 may communicate metadata in addition to communicating an original object 12 S to the object activation service 50 .
  • the object activation service 50 communicates sets of keying information 61 and expiration criterion 63 to the object activation agent 45 .
  • the SOI insertion policy service 42 intercepts the message 68 , generates a statistical object 14 S based on the keying information 61 provided to the object activation agent 45 and inserts the statistical object 14 S into the message 68 .
  • the message 68 is then forwarded to the network resource 62 .
  • the SOI insertion policy service 42 must select the appropriate keying information 61 when generating the statistical object 14 S. For example, if the object activation agent 45 uses a certificate showing the Identity of “Ben” as the original object 12 S and also sends a list of application signatures as metadata components associated with the original object 12 S to the object activation service 50 as follows:
  • the object activation service 50 may return a set of keying information 61 , with each element of the set being associated with a different metadata components as follows:
  • the SOI insertion device 70 When an SOI insertion device 70 is used in place of an SOI network client 69 , the SOI insertion device 70 must be able to associate communications characteristics 22 with an original object 12 S before being able to generate a statistical object 14 S.
  • a network client 66 sends a message 68 to a network resource 62 , it is received by an SOI insertion device 70 .
  • the communications characteristics 22 associated with the received message 68 are compared to entries in an insertion object table 57 by the SOI policy insertion service 42 . If a matching entry is found, the corresponding keying information 61 is used by the SOI policy insertion service 42 to generate a statistical object 14 S and the statistical Object 14 S is inserted into the message 68 which is forwarded to the network resource 62 .
  • the provisioning of entries of communications characteristics 22 and associated keying information 61 in the insertion object table 57 can be accomplished manually or statically or can be automated and self learning.
  • the SOI policy insertion service 42 can query an external service, using the communications characteristics 22 as the query key.
  • the external service may return an original object 12 S associated with the communications characteristics 22 .
  • the source MAC address may be used as the query key and the external service would return the authenticated identity associated with the source MAC address.
  • an object activation agent 48 will communicate the original object 12 S to an object activation service 50 , which may return keying information 61 and expiration criterion 63 back to the object activation agent 48 .
  • This information is added to the insertion object table 57 .
  • the insertion object table 57 must be checked to determine if any of the expiration criterion 63 has been satisfied and if so, the entry corresponding to the satisfied expiration criterion is removed from the insertion object table 57 .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a mechanism to activate an original object (12S) so that statistical objects (14S) generated from the original object can be recognized using statistical object identification. An object activation agent (48) with a clock (47) and at least one original object (12S) communicates the original object (12S) and time from the clock (47) to an object activation service (50). The object activation service (50) provides and communicates keying information (61) and expiration criterion (63) for at least one of said original objects (12S) back to the object activation agent (48).

Description

    CROSS-REFERENCE TO A RELATED U.S. PATENT APPLICATION & CLAIM FOR PRIORITY
  • The Present Patent application is a Continuation-in-Part application, and is related to a Parent application U.S. Ser. No. 13/373,586 filed on 18 Nov. 2011. In accordance with the provisions of Sections 119 & 120 of Title 35 of the United States Code of Laws, the Applicant hereby claims the benefit of priority for any and all subject matter that is commonly disclosed in U.S. Ser. No. 13/373,586 and in the Present application.
  • SEQUENCE LISTING
  • Not applicable.
  • FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
  • None.
  • FIELD OF THE INVENTION
  • The present invention pertains to methods for uniquely identifying an original object from a series of statistical objects by receiving and identifying the original object from which the statistical objects were generated.
  • BACKGROUND OF THE INVENTION
  • Statistical objects are used where conventional secured communications of an original object cannot be used due to protocol constraints or communications bandwidth limitations. Using a statistical object instead of an original object achieves much greater bandwidth efficiency due to the use of a deterministic statistical representation of the original object.
  • In this Specification, and in the Claims that follow, the term “statistical object” is a string of values mapped by a random or “hash” function. The output of this function points to a string of values which stands for or represents the input to the function. In FIG. 1, the output string of values is shown as x1, x2, x3 . . . xn. In this example, the input of the function is an original object, while the output is a statistical object.
  • If the string is shorter than the input, a “collision” occurs. A collision results when two or more different inputs produce the same output, and is generally considered detrimental.
  • To mitigate the effects of collisions, additional inputs are added to the function. These inputs vary over time, enabling different streams of statistical object to eventually diverge from their colliding tendencies. As an example, a clock may be employed to add a time value as an input. As an alternative, a counter may serve as an input. Multiple additional inputs may be used together in the generation of the statistical object.
  • In this Specification, and in the Claims that follow, the terms “function,” “random function” and “hash function” are intended to encompass any procedure or mathematical method that converts a large amount of data into a smaller amount of data. In one embodiment of the invention, the output may be a single integer or value which serves as an index to an array or database. According to Wikipedia, the output values of a hash function may be called hash values, hash codes, hash sums, checksums or hashes. The inputs to a hash function may be referred to as keys.
  • FIG. 2 illustrates a simple example of the operation of a hash function. A set of four inputs or keys are shown as the names Joe, Moe, Sam and Charlie. The hash function F(x) associates a hash or output with each name. The input of Joe causes the hash function to point to output “03”. The input of Moe causes the hash function to point to the output of “01”. The input of Sam causes the hash function to point to the output of “06”. The input of Charlie causes the hash function to point to the output of “03”. Because the Joe and Charlie inputs both return a hash of “03”, this pair of hashes is said to cause a collision.
  • As noted above, this collision may be avoided by adding a clock or a counter as an additional input to the hash function. So, in an alternative embodiment, if the input of Joe is provided to the hash function at 1:00 p.m., and the input of Charlie is provided to the hash function at 2:00 p.m., the different inputs would lessen the probability that this collision would occur.
  • One advantage of using statistical objects is that information may be “concentrated” in a relatively smaller number of transmitted bits, which increases the efficiency of communication across a network.
  • The consequence of using a deterministic statistical representation is that the representation is not guaranteed to identify uniquely the source original object. The deterministic statistical representation, the statistical object, may be generally considered to be the output of a hash or similar function of the original object along with one or more varying deterministic inputs such as a clock or counter. These varying deterministic inputs are necessary so that the cumulative stream of output statistical objects generated from a single original object is unique across a large number of generated statistical objects. Unambiguously identifying a statistical object to a unique original object is essentially an exercise in mitigating the effects of the birthday problem. The birthday problem is the probability that output of the hash of different original objects and their respective deterministic inputs produce identical statistical objects. The generation of a single statistical object by two or more original objects causes a collision.
  • FIG. 3 supplies a graph that illustrates the birthday problem. The number of individuals in any given group is shown on the x-axis. The y-axis shows an approximate probability, on a scale from zero to one, that two people in the group will share the same birthday. As an example, in a group of twenty-three people, the probability that two persons in this group will have the same birthday is about fifty percent.
  • The birthday problem may be understood as an example of the hash function depicted in FIG. 2. In the birthday problem, the keys or inputs are the names of the individuals in the group. The hash function maps these inputs to one of the hashes or outputs, which represent the days of the year. If two persons in the group share the same birthday, the hash function points to the same day for two different individuals, and a collision occurs.
  • Given a uniform distribution, the probability of a collision increases with the number of statistical objects in use. A mechanism to unambiguously identify statistical objects back to their original objects would constitute a major technological advance, and would satisfy long felt needs and aspirations in the cyber security industry.
  • SUMMARY OF THE INVENTION
  • A statistical object, the deterministic statistical representation of an original object, may be generally considered to be the output of a hash or similar function coupled with additional inputs of clocks, counters and other varying deterministic inputs. Unambiguously identifying a statistical object to a unique original object is essentially an exercise in mitigating the effects of the birthday problem. The birthday problem is the probability that outputs of the hashes of different original objects and their deterministic inputs produce identical statistical objects. The generation of a single statistical object by two or more original objects causes a collision. Given a uniform distribution, the probability of a collision increases with the number of statistical objects in use. Statistical objects are designed to be used as components of security devices. As a component to security devices, in addition to uniquely identifying a statistical object back to the original object, the overall probability of guessing any valid statistical object must also be considered. The amount of space available to carry a statistical object will vary with the communications mechanism, but the size of an individual statistical object is expected to remain small, generally less than the number of bits required to uniquely identify an original object when large numbers of objects are in use. This requires the aggregation of two or more related statistical objects into a larger aggregate statistical object. Aggregating multiple related statistical objects into a single aggregate statistical object requires that all possible original object resolution matches are tracked and maintained. Multiple statistical objects from the same original object can be associated together by using information associated with the communication and reception of the statistical objects. This information, called communications characteristics, can include networking information, such as the source address or network session information including source and destination addresses and source and destination port numbers. Communications characteristics can also include physical information such as the physical port upon which the statistical object was received or the logical channel upon which the statistical object was received.
  • To unambiguously identify the original object from which a statistical object or a stream of statistical objects was generated, the device performing the identity must maintain a table of all valid statistical objects. This table may contain collisions where multiple original objects generate the same statistical object. When a statistical object is received, it is first looked up in the table of all statistical objects to determine if the received statistical object is valid. If the received statistical object is not found in the table, then no further processing occurs with respect to identifying the original object on that reception. When a statistical object is received and is matched in the table of all valid statistical objects, the communications characteristics associated with the reception of the statistical object and the list of all potential original objects are recorded. If the list of potential original objects has exactly a single entry, then the original object is identified and the process moves on to calculating the statistical probability.
  • When a statistical object is received and is not unambiguously identified, the partially identified statistical object and the list of potential original objects are recorded along with the communications characteristics associated with the reception of the statistical object. When a another statistical object with related communications characteristics is received, the list of potential original objects is pruned of original objects that cannot generate the complete set of received statistical objects found in the aggregate statistical object. Once the original object is unambiguously identified, the process moves on to calculating the statistical probability of guessing the information in the aggregate statistical object. If the original object is not unambiguously identified, nothing further is done at this time and the system awaits the reception of another statistical object with related communications characteristics to increase the number of bits of information received and again aggregates this information into the aggregate statistical object and the process repeats itself.
  • Calculating the probability of guessing the information in the aggregate statistical object requires the number of bits of statistical objects that have been received and aggregated and the number of statistical objects maintained in the table of all valid statistical objects. The specific probability p of a collision is
  • p ( n ; d ) = d ! d n ( d - n ) !
  • where n is the number of statistical objects in the table of valid statistical objects and d is the total number of unique statistical objects available. For general use, the approximation p(n; d)≈1−e−2/(2×d) is used. The total number of unique statistical objects available d is d=2b where b is the number of bits of statistical object information received.
  • Once the probability has been calculated, it is compared against the probability threshold. If the calculated probability is less than the probability threshold, then the statistical object has been identified with a confidence that the aggregate information received does not exceed the probability threshold set beforehand. If the probability exceeds the threshold, nothing further is done and the system awaits the reception of another statistical object with related communications characteristics to increase the number of bits of information received and aggregates into the aggregate statistical object and the process repeats itself.
  • A further optimization can be made by associating communications characteristics across multiple identifications of statistical objects. When a statistical object is identified and does not exceed the probability threshold, thereby confirming that it was generated from the original object, the communications characteristics are temporarily associated with that original object. When a subsequent statistical object with similar or identical communications characteristics is received, the received statistical object is checked against the associated original object. If the associated original object could produce the received statistical object, the statistical object is identified as being produced by the associated original object. When multiple original objects are associated with the same set of communications characteristics, the identification of the statistical object proceeds by aggregating the statistical object information and pruning the list of potential original objects until only a single original object remains. The statistical object is still aggregated in an aggregated statistical object to enable the aggregation of information for the probability calculation. The probability calculation is made using the number of bits of information received in the aggregate statistical object and the number of statistical objects that are associated with the communications characteristics that are associated with the original object. This results in a lesser amount of statistical object information being required to not exceed the probability threshold, because the communications criterion is being used as an additional discriminator. Multiple sets of communications characteristics can be associated with the original object and multiple original objects can be associated with a single set of communications characteristics. When a statistical object is identified as being produced by an original object, a timestamp or other mechanism for indicating recent activity is updated in the communications characteristics associated with the original object. Upon, the lack of communications characteristics associated with original objects after a period of time, the original object association should be removed after such periods of inactivity exceed a threshold. Subsequent statistical object reception with those removed communications characteristics will proceed as unassociated communications until those communications are again associated with an original object.
  • To insure the security of the statistical objects being produced cannot be readily captured, copied and replayed as original, the algorithms used to generate the statistical objects use additional information in addition to the original object as inputs. This additional information may include clocks, counters and other deterministic inputs. During the identification of a statistical object back to an original object, this additional information is also identified and used to further validate the identity of the original object.
  • The probability threshold has several unique uses. Firstly, the use of a probability threshold enables the system for statistical object identity to be used with varying numbers of statistical objects contained within the table of all valid statistical objects without having the probability of guessing a statistical object increase as statistical objects are added to the valid statistical object table. The system employed here simply requires additional statistical objects, thus increasing the amount of information available to maintain the desired probability. The second unique attribute of using the probability threshold is that the probability threshold can be changed by the entity performing statistical object identification without communication, knowledge or coordination of the change by the entity generating the statistical object. This is especially important in the context of cyber security where knowledge of a threat or attack may raise the level of security desired. This can be used by the entity receiving and performing statistical object identification to decrease the threshold, requiring more statistical information before the original object identity is confirmed. The ability to perform this function without requiring any communication or notification to the entity producing the statistical object is especially useful and novel.
  • Additional information can also be conveyed using statistical objects. When additional inputs are used in the generation of the statistical object, this information can be extracted during the statistical object identification process. Examples of such additional information includes, but is not limited to, information regarding the state of some system or process, an index into a table of information or other types of data.
  • A BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates the general operation of a hash function.
  • FIG. 2 shows how the hash function illustrated in FIG. 1 maps a set of inputs to a set of outputs.
  • FIG. 3 is a graph that illustrates the birthday problem.
  • FIG. 4 is an illustration which shows an embodiment of the present invention.
  • FIG. 5 is an illustration which shows an alternate embodiment of the present invention.
  • FIG. 6 illustrates certificates that are used to authenticate a communication.
  • FIG. 7 shows certificates stored in a remote system.
  • FIG. 8 shows that certificates are too large to send to the remote system in their original form.
  • FIG. 9 depicts a solution: converting the certificates, which are original objects, to cryptographic hashes, or statistical objects.
  • FIG. 10 shows how statistical objects and a time value from a clock are sent to the remote system.
  • FIG. 11 illustrates the result of the conversion of three original objects to three statistical objects.
  • FIG. 12 furnishes a view of Ben's first communication with the remote system.
  • FIG. 13 depicts the comparison process that occurs within a statistical object matcher.
  • FIG. 14 illustrates the role of an accumulated statistical object selector.
  • FIG. 15 illustrates the function of an accumulated statistical object selector.
  • FIG. 16 illustrates the task of an original object identifier.
  • FIG. 17 shows that Ben's first communication has failed to be authenticated.
  • FIG. 18 supplies a schematic view of Ben's second attempt to communicate with the remote system.
  • FIG. 19 depicts the second communication, and the resulting match that is produced in the statistical object matcher.
  • FIG. 20 illustrates the process of finding a match.
  • FIG. 21 shows how the accumulated statistical object selector discards statistical objects that do not lead to an authenticating match.
  • FIG. 22 furnishes a view of a probability calculator, which computes the probability of a successful guess of accumulated statistical object information.
  • FIG. 23 reveals the function of a threshold comparator, which compares the calculated probability to a probability threshold value.
  • FIG. 24 exhibits the final result, the authentication of Ben's second communication.
  • FIG. 25 is an illustration which shows an embodiment of the present invention, an integrated SOI system.
  • FIG. 26 is an illustration which shows an alternate embodiment of the present invention, an integrated SOI system.
  • FIG. 27 is an illustration which shows an alternate embodiment of the present invention, an integrated SOI policy system and integrated SOI services.
  • FIG. 28 is an illustration which shows an alternate embodiment of the present invention with a simple hierarchy.
  • FIG. 29 is an illustration which shows an alternate embodiment of the present invention with a more complex hierarchy.
  • FIG. 30 is an illustration which shows a network client connected to a network.
  • FIG. 31 is an illustration which shows an embodiment of the present invention, a network SOI client.
  • FIG. 32 is an illustration which shows an embodiment of the present invention, an SOI insertion device.
  • FIG. 33 is an illustration which shows a system of SOI devices.
  • FIG. 34 is an illustration which shows an alternate system of SOI devices.
  • A DETAILED DESCRIPTION OF PREFERRED & ALTERNATIVE EMBODIMENTS I. Overview of the Invention
  • One embodiment of the present invention provides a method for authenticating a communication. In an example contained in Section VI, a communication between a user (Ben) and a remote system is described. Communications received by the remote system must be authenticated before they are allowed. In this Specification, and in the Claims that follow, the terms authenticate and authentication are intended to mean that the identity of a communicator or an initiator of a communication has been verified, and that a particular communication is permitted, allowed or otherwise approved to proceed into the remote system.
  • One limitation of current information networks is that it is difficult to verify or approve a communication before the communication has been allowed to penetrate a network. One reason for this difficulty is that the means of verification, which is called a “certificate,” is too large to send to the network in the initial set of digital information which initiates the communication, and which ultimately leads to an authentication.
  • One embodiment of the present invention solves this problem by reducing the information in the certificate which is used to authenticate the communication before it is allowed to proceed by converting the certificate to a much smaller “statistical object.” The method allows the network to determine the identity of the initiator of the communication before the communication is given access to the network. This method provides a security feature that substantially eliminates potentially detrimental and malicious attacks that could be perpetrated on the network using conventional technology.
  • II. Definition of Terms
  • Aggregate Statistical Object—A data structure containing one or more statistical objects, a list of potential original objects that may have created the original object(s) and the communications characteristics that provide the association between multiple statistical objects.
  • Authentication—Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Authenticating Device—A device that verifies the identity of a user, process or device.
  • Authentication Information—Information provided for the purpose of verifying the identity of a user, process or device.
  • Communications Characteristics—Any of the characteristics, both physical and logical, that are available to distinguish one communication from another and to group discrete communication events into one or more related sequences of communications events.
  • Connection—A logical pairing of two devices that enable them to communicate. A connection utilizes a series of packets to accomplish this. A TCP connection is an example of a connection.
  • Connection Request—A request by one device to another device to create a connection.
  • Device—A device is any object that is capable of being attached or wirelessly connected to and communicating on a network. Examples of devices include computers, servers, clients, laptops, PDAs, cell phones, smart phones, network appliances, storage systems, virtual appliances, switches, routers, load balancers, caches, intrusion detection systems, VPNs, authentication devices, intrusion prevention systems, and firewalls.
  • Digital Identity—A digital representation of a set of characteristics by which a user, process or device is uniquely recognized.
  • Hash or Hashing function—Any procedure or mathematical method that converts are large amount of data into a smaller amount of data. In one embodiment of the invention, the output may be a single integer or value which serves as an index to an array or database.
  • IP—IP is the Internet Protocol. The Internet Protocol is a data oriented protocol used by devices to communicate across a packet switched network. IP information is carried by an IP header in an IP packet. The IP header contains device address information, protocol control information and user data information.
  • Network—A network is a collection of computers, servers, clients, routers and devices that are connected together such that they can communicate with each other. The Internet is an example of a network.
  • Original Object—An original object 12S is a string of bits. It is also an input to the function that generates a statistical object.
  • Protocol—In the field of telecommunications, a protocol is the set of standard rules for data representation, signaling, authentication, error detection and other features required to send information over a communications channel. Not all protocols provide all of these features. Protocols with different features may be layered on top of one another to provide a more robust feature set. Examples of protocols are the IP protocol and the TCP protocol. These protocols are often used together and referred to as the TCP/IP protocol.
  • Protocol Entity—A device, function, process or procedure that implements a communications protocol.
  • Statistical Object—The output of a function that has a statistical distribution. Commonly, a statistical object is the output of a hashing function.
  • Symmetric Key—A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.
  • Symmetric Key Authentication—An authentication algorithm that uses a symmetric key to create a message authentication code and to verify the code.
  • TCP—TCP is the Transmission Control Protocol. Using TCP, networked devices can create connections to one another, over which they can send data. The TCP protocol guarantees that data sent by one endpoint will be received in the same order by the other, and without any pieces missing. The TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device.
  • III. Preferred and Alternative Embodiments
  • FIG. 1 is an illustration which shows one particular embodiment of the present invention, which includes a device 10. A device 10 stores and/or processes at least one original object 12S and at least one statistical object 14S. In another embodiment, the device 10 includes a plurality of original objects 12P and a plurality of statistical objects 14P. In this Specification, and in the Claims that follow, a single original object is identified as 12S (S for singular), while a plurality of original objects is accompanied by 12P (P for plurality). In this Specification, and in the Claims that follow, a single statistical object is identified as 14S (S for singular), while a plurality of statistical objects is accompanied by 14P (P for plurality). The term “device” is intended to encompass any suitable means for conveying and/or storing information or data. In the example described in Section VI, the device 10 is a remote system. In the embodiments described below, device 10 includes all the other components subsequently described in the Specification.
  • In one embodiment, the device 10 includes a communications receiver 16 which is connected to an external network and to a statistical object matcher 18. The statistical matcher 18 is connected to an accumulated statistical object selector 20, and has access to the plurality of statistical objects 14P stored in the device 10. The accumulated statistical object selector 20 is connected to an original object identifier 26 and has access to a plurality of accumulated statistical objects 14AP. The original object identifier 26 is connected to a probability calculator 30 and has access to the plurality of original objects 12P. The probability calculator 30 is connected to the threshold comparator 32 and has access to the plurality of statistical objects 14P. The probability comparator 32 is connected to the output of the device 10, and has access to a probability threshold value 27.
  • FIG. 2 is an illustration which shows an alternate embodiment of the present invention. Within a device 10, a plurality of original objects 12P is used to generate a plurality of statistical objects 14P. A communications receiver 16 is located within device 10, and is connected to the output of device 10 and to a statistical matcher 18. The statistical object matcher 18 is connected to an accumulated statistical object selector 20 and an associated original object selector 20 and has access to the plurality of statistical objects 14P. The accumulated statistical object selector 20 is connected to an associated original object identifier 28 and has access to a plurality of accumulated statistical objects 42. The associated original object selector 46 is connected to an associated original object identifier 28 and has access to a plurality of original objects 12P. The associated original object identifier 28 is connected to the probability calculator 30 and has access to the plurality of statistical objects 14P. The probability calculator 30 is connected to the threshold comparator 32 and has access to the plurality of statistical objects 14P. The probability calculator is connected to the external XXX of the device 10, and has access to a threshold probability value 27 and the plurality of original objects 12P.
  • IV. Methods of Operation for Statistical Object Identification
  • In a preferred embodiment of the invention, a device 10 contains a plurality of original objects 12P. For each original object 12S, at least one statistical object 14S is generated. Multiple statistical objects 14P may be generated from a single original object 14S and each statistical object 14S has a name, pointer or other indication of the original object 12S from which it was created. Since multiple statistical objects 14P may be created from a single original object 12S, multiple pointers or other indicators of additional inputs to the statistical object generator may also be provided. These additional inputs may include clock information, keying information, state information, and other relevant and useful information. The plurality of statistical objects 14P generated from the plurality of original objects 12P is maintained and is available within the device 10. The plurality of statistical objects 14P may be individually or as a group, periodically removed, added to, invalidated or otherwise refreshed. Likewise, the plurality of original objects 12P may be individually or as a group removed, added to, invalidated or otherwise refreshed.
  • When a first statistical object 14F is received by a communications receiver 16, it is received within the context of a communication and has communications characteristics 22 associated with it. These communications characteristics 22 may include the network address of the sender of the communication, the physical interface or port upon which the communication was received, the logical interface upon which the communication was received. For network communications, the communications characteristics 22 may include the IPv4 or IPv6 address of the sender, session information including local and remote addresses and local and remote port numbers, VLAN identifiers and other network, protocol stack and application information. Communications characteristics 22 may also include security association information. Physical characteristics of the communications characteristics 22 may include the frequency or frequencies at which the communication was received. Physical characteristics of communications characteristics 22 may also include phase information, time information and amplitude information.
  • After a first statistical object 14F has been received, using a statistical matcher 18, the first statistical object 14F is compared against the plurality of statistical objects 14P. If a matching statistical object 14M is not found, the first statistical object 14F is not identified and no further statistical object resolution activity occurs on this reception of a statistical object. If there is at least one statistical object 14S in the plurality of statistical objects 14P that matches the first statistical object 14F, then the first statistical object 14F, all matching statistical objects 14M and indicators of their respective original objects 12P and the communications characteristics 22 are passed to an accumulated statistical object selector 20. The accumulated statistical object selector 20 takes the input communications characteristics 22 and looks for an accumulated statistical object 14A within the plurality of accumulated statistical objects 14AP that has matching communication characteristics 22. If a matching accumulated statistical object 14MA is found, the first statistical object 14F and the list of all original objects 12P associated with the matched statistical objects 14M are added to the matched accumulated statistical object 14MA. This increases the amount of statistical object information. If a matching accumulated statistical object 14MA is not found, a new accumulated statistical object 14NA is created and added to the plurality of accumulated statistical objects 14AP. The communications characteristics of the accumulated statistical object is copied from the communications characteristics 22, the first statistical object 14F and the list of all original objects 12P associated with the matched statistical objects 14M are added to the accumulated statistical object 14A. In both cases, the resulting accumulated statistical object 14A is passed to the original object identifier 26.
  • If an accumulated statistical object 14A is inactive for a period of time, the accumulated statistical object 14A may be removed from the plurality of accumulated statistical objects 14AP. An accumulated statistical object 14A may be considered inactive if it has not unambiguously selected a unique original object 12S and first statistical objects 14FP with matching communications characteristics 22 have not been received for a period of time. An accumulated statistical object 14A may also be considered inactive if it has selected a unique original object 12S, but the accumulated statistical object exceeds the probability threshold value 27 and first statistical objects with matching communications characteristics 22 have not been received for a period of time.
  • The original object identifier 26 takes the given accumulated statistical object 14A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12S. This determination is made by successively pruning associated original objects that, as additional statistical object information is added, fail to be able to generate the stream of statistical objects that matches the received statistical objects until only a single original object remains. If a unique original object 12S is not determined, the accumulated statistical object 14A is updated with the pruned list of associated original objects 12P, and no further statistical object resolution activity occurs on this reception of a statistical object. If a unique original object 12S is determined, the selected original object 12SEL is indicated in the accumulated statistical object 14A and the accumulated statistical object 14A is sent to a probability calculator 30. The probability calculator 30 takes the given accumulated statistical object 22 and based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 22 and the number of statistical objects in the plurality of statistical objects 14P calculates the probability of guessing the accumulated statistical object information. The calculated probability 36 is sent to the threshold comparator 32. The threshold comparator 32 takes the given calculated probability 36 and compares that value with the threshold value 28. The threshold value may be taken from an original object 12S, may be a configurable value for the plurality of original objects 12P within device 10, or may be controlled by an outside entity. The threshold value may be associated with the device 10. If the threshold comparator 32 determines that the calculated probability 36 exceeds the probability threshold value 27, no further statistical object resolution activity occurs on this reception of a statistical object 14S. If the threshold comparator 32 determines that the calculated probability 36 is less than the probability threshold value 27, an indication 34 is produced that includes the selected original object 26SEL. The indication 30 may also include the communications characteristics 22 and any other available information required by the receiver of the indication 34. The indication may also contain additional inputs to the statistical object generator, which may be provided by a pointer from a statistical object 14S. These additional inputs may include clock information, keying information, state information, and other relevant and useful information.
  • By utilizing a probability threshold value 27, a threshold comparator 32 and calculating, in real time, the present probability of guessing an accumulated statistical object 22 based on the number of statistical objects present in the plurality of statistical objects 14P, the probability of guessing an accumulated statistical object is held constant while the number of statistical objects present in the plurality of statistical objects 14P can vary. Likewise, the probability of guessing a first statistical object 14F is also held constant. It must also be noted that the probability threshold value 27 can be changed at any time. The change in probability threshold value 27 does not require the communication or coordination with the generator of the first statistical object 18. Because of this, the probability threshold value 27 can be adjusted, and the system for statistical object identification will not provide any response until the threshold value has been met. This effectively allows the statistical object identification system to silently increase or decrease the probability threshold value 27 without providing any detectable indication of the change in the probability threshold value 27.
  • In an alternate embodiment of the invention, a device 10 contains a plurality of original objects 12P. For each original object 12S, at least one statistical object 14 is generated. Multiple statistical objects 14 may be generated from a single original object 6 and each statistical object 14 contains a name, pointer or other indication of the original object 16 from which it was created. The plurality of statistical objects 14P generated from the plurality of original objects 14P is maintained and is available within the device 10. The plurality of statistical objects 14P may be individually or as a group periodically removed, added to, invalidated or otherwise refreshed. Likewise, the plurality of original objects 12P may be individually or as a group removed, added to, invalidated or otherwise refreshed.
  • When a first statistical object 14S is received by a communications receiver 16, it is received within the context of a communication and has communications characteristics 22 associated with it. After a first statistical object 18 has been received, using a statistical matcher 18, the first statistical object 18 is compared against the plurality of statistical objects 14P. If a matching statistical object 14 is not found, the first statistical object 18 is not identified and no further statistical object resolution activity occurs on this reception of a statistical object. If there is at least one statistical object 14S in the plurality of statistical objects 14P that matches the first statistical object 14F, all matching statistical objects 14P and indicators of their respective original objects 12P and the communications characteristics 22 are passed to an accumulated statistical object selector 20. The communications characteristics 22 are also passed to an associated original object selector 24.
  • The accumulated statistical object selector 20 takes the input communications characteristics 22 and looks for an accumulated statistical object 14A within the plurality of accumulated statistical objects 14AP that has matching communication characteristics 22. If a matching accumulated statistical object 14A is found, the first statistical object 14F and the list of all original objects 12P associated with the matched statistical objects 14M are added to the matched accumulated statistical object 14MA. This increases the amount of statistical object information. If a matching accumulated statistical object 14MA is not found, a new accumulated statistical object 14NA is created and added to the plurality of accumulated statistical objects 14PA. The communications characteristics 22 of the accumulated statistical object 14A are copied from the communications characteristics 22, the first statistical object 14F and the list of all original objects 12P associated with the matched statistical objects 14M are added to the accumulated statistical object 14A. In both cases, the resulting accumulated statistical object 14A is passed to the original object identifier 26.
  • The associated original object selector 24 takes the input communications characteristics 22 and looks for an original object 12S within the plurality of original objects 12P that has matching communications characteristics. If a matching original object 12M is found, that original object is selected, becoming a selected original object 12S and is passed to the associated original object identifier 26. If there is no matching original object 12M, then nothing is passed to the associated original object identifier 28. If an original object 16 is inactive for a period of time, the association with communications characteristics 22 may be removed from the original object 16. An original object 16 may be considered inactive if first statistical objects 18 with matching communications characteristics 22 have not been received for a period of time. An original object 16 may also be considered inactive if first statistical objects 18 produced by the associated original object 16 have not been received for a period of time.
  • The associated original object identifier 28 takes the given accumulated statistical object 22 and the selected original object 26 and determines if the accumulated statistical information within the accumulated statistical object 22 could have been produced by the selected original object 26. If the information contained within the accumulated statistical object 14A could have been generated by the selected original object 12SEL, the selected original object 12SEL is indicated in the accumulated statistical object 22 and the accumulated statistical object 22 is sent to the probability calculator 30. If the information contained within the accumulated statistical object 22 could not have been produced by the selected original object 12SEL, the selected original object 12SEL is discarded and the following processing occurs.
  • The associated original object identifier 28 takes the given accumulated statistical object 22 and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12S. This determination is made by successively pruning associated original objects that, as additional statistical object information is added, fail to be able to generate the stream of statistical objects that matches the received statistical objects until only a single original object remains. If a unique original object 12S is not determined, the accumulated statistical object 14A is updated with the pruned list of associated original objects 12P and no further statistical object resolution activity occurs on this reception of a statistical object. If a unique original object 12S is determined, the selected original object 12SEL is indicated in the accumulated statistical object 14A and the accumulated statistical object 14A is sent to the probability calculator 30. The probability calculator 30 takes the given accumulated statistical object 14A and based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14A and the number of statistical objects 14 in the plurality of statistical objects 12P that have matching communications characteristics 22, calculates the probability of guessing the accumulated statistical object information. The calculated probability 36 is sent to the threshold comparator 32. The threshold comparator 32 takes the given calculated probability 36 and compares that value with the probability threshold value 27. The threshold value may be taken from an original object 12S, may be a configurable value for the plurality of original objects 12P within device 10 or may be controlled by an outside entity. If the threshold comparator 32 determines that the calculated probability 36 is greater than the probability threshold value 27, no further statistical object resolution activity occurs on this reception of a statistical object. If the threshold comparator 32 determines that the calculated probability 36 is less than the probability threshold value 27, an indication 30 is produced that includes the selected original object 12SEL and an association is made within the plurality of original objects 12P between the selected original object 12SEL and the communications characteristics 22. The indication 30 may also include the communications characteristics 22 and any other available information required by the receiver of the indication 30. The association between an original object 12S and communications characteristics 22 can also be created prior to receiving a first statistical object 14F. This allows the system to be pre-populated with associations that should accelerate the selection of original objects and make staying beneath the probability threshold value 27 easier.
  • In addition to the preferred and alternate embodiments described above, there are a number of additional processes that assist the process. As the primary mechanism for accumulating information between related statistical objects is driven by the reception of those statistical objects, it is therefore necessary to consider how to handle a partially identified statistical object which is then orphaned. An orphaned partially identified statistical object is an aggregate statistical object that has not been fully identified or has exceeded the probability threshold when the reception of matching communications characteristics ceases, thereby preventing further progress. For this case, each accumulated statistical object 14A should have a timestamp or similar aging construct that will enable the system to periodically age out idle, orphaned and otherwise unused objects. This includes the removal of communication characteristics 22 that have been associated with original objects 12P after matching communications have been idle for a period of time.
  • As the communications of statistical objects is usually performed when the secured transport of an original object cannot be accomplished, it is therefore important that the security and integrity be taken into account in any implementation. To insure that a statistical object cannot be intercepted during transmission and used by the interceptor, once a statistical object 14S matched from the plurality of statistical objects 14P, then that statistical object 14S should be invalidated and the device 10 should generate a new, different statistical object 14S from the same original object 12S. To further protect against attack, each statistical object 14S should also expire after a period of time if that statistical object 14S has not been matched and invalidated.
  • The association of communications characteristics 22 is usually performed after the successful identification of an original object 12S and after the calculated probability 36 is determined to be less than the probability threshold value 27. It is also possible to pre-assign communications characteristics 22 to original objects 12P. This will decrease the amount of statistical object information necessary to identify the associated original object. Unlike dynamically associated communication characteristics, pre-assigned associations should not expire after periods of inactivity.
  • This method of statistical object identity allows the system to maintain a constant probability threshold, regardless of the number of statistical objects that are contained within the plurality of statistical objects. This is accomplished by always calculating the probability of guessing the information contained in the accumulated statistical object with respect to both the number of statistical objects that are contained within the plurality of statistical objects and the accumulated statistical object information. As the number of statistical objects in the plurality of statistical objects increases, the probability of guessing increases as the amount of statistical object information accumulates, the probability of guessing decreases. By comparing the result of the probability calculation against the probability threshold after each reception of a statistical object that results in an identified original object, adherence to the probability threshold is enforced.
  • This method of statistical object identity is designed to specifically enable the changing of the probability threshold and not require that the changed probability threshold be coordinated or otherwise communicated with the entities that are generating and sending the statistical objects. By not requiring any coordination or communication when changing the probability threshold, the device can change the probability threshold in response to other external factors such as the threat or presence of attack or other security or integrity event.
  • V. Apparatus for Statistical Object Identification
  • The apparatus that performs statistical object identification is varied and diverse. It ranges from a simple, single function device that receives statistical objects via a network or other communications medium, and identifies the original object. Once the identification is made, the communication may be forwarded to its intended destination. Before identification is made, no communications are allowed to pass across the device. It is expected that in many cases, the apparatus will be a module or subsystem within a larger system. This module may take the form of a state machine in a application specific integrated circuit (ASIC) or other form of integrated circuit or semiconductor implementation. This module may also take the form of logic coding provided to a programmable logic device such as a field programmable gate array (FPGA), programmable array logic (PAL) and other forms of programmable logic. This module may also take the form of instructions for a microprocessor. This module may also take the form of instructions to a synthetic or virtual processor or machine.
  • The apparatus that performs statistical object identification may be used in communications devices, security devices, network routing devices, application routing devices, service delivery devices and other devices that are enabled by the addition of the efficient communication of an original object through the reception of a statistical object which is identified as being generated from an original object.
  • VI. Examples
  • One specific, simplified example of the present invention is disclosed in this Section of the Specification. The following example offers a description of
      • 1. an original object 12S;
      • 2. how that original object 12S is transformed into a statistical object 14S; and
      • 3. how that statistical object 14S is identified as having been generated by the original object 12S.
  • The numbering convention that is used in this Specification, the Drawings, and the Claims to identify original and statistical objects is presented in Table One:
  • TABLE ONE
    10 Device (In this example, the Remote System)
    12M Matched Original Object
    12P Plurality of Original Objects
    12S Original Object
    12SEL Selected Original Object
    14A Accumulated Statistical Object
    14AP Plurality of Accumulated Statistical Objects
    14F First Statistical Object
    14NA New Accumulated Statistical Object
    14S Statistical Object
  • The letter “S” is used to signify a single object, while the letter “P” is used to signify a plurality. The reference character that refers to an original object always includes the numeral “12”, while the numeral “14” is always used to refer to a statistical object.
  • For these examples, we will consider that an original object 12S is an X.509 certificate. An X.509 certificate is used to provide identity, and is digitally signed to prove its authenticity. For this example, the X.509 certificates are 1 KB in size (1024 bytes, 8192 bits). We need to communicate that we are using a specific X.509 certificate to a remote system that has a copy of each X.509 certificate that is expected to be used. Unfortunately, the system was designed before there was a requirement to communicate the X.509 certificates, and there is only enough space to communicate 32 bits worth of information, certainly not enough to send an entire X.509 certificate which is 256 times larger. But still needing to communicate the X.509 certificate, a cryptographic hash, 32 bits in length, is generated for each X.509 certificate and a common clock. The cryptographic hash is a statistical object 14S generated from an original object 12S. Now let us assume that we have 100 of these X.509 certificates, that is 100 original objects 12S. And let us assume that for each original object 12S, we generate a cryptographic hash of each X.509 certificate and a common clock to produce 100 statistical objects 14S each 32 bits in length. For descriptive purposes, three of these X.509 certificates and their corresponding statistical objects will be described. X.509 certificate #1 identifies Sally, and generates a statistical object 14S of value 22443. X.509 certificate #2 identifies Ben, and generates a statistical object 14S of value 32415. X.509 certificate #3 identifies Greg, and also generates a statistical object 14S of value 32415. The device 10 has generated the plurality of statistical objects 14P corresponding to the plurality of original objects 12P.
  • Now Ben needs to send a communication containing Ben's statistical object to device 10. Device 10 receives Ben's communication using a communications receiver 16. Although we, the narrator, know that it was Ben that sent the communication to device 10, device 10 does not know this. Ben's communication includes Ben's statistical object (first statistical object 14F) and communications characteristics 22. In this case, the communications occurred over a TCP/IP network and the IP source and destination addresses and the TCP source and destination port numbers are used as communications characteristics 22. The source IP address is 1.1.1.2 and the destination IP address is 1.1.1.3. The source TCP port number is 2000 and the destination TCP port number is 3000. The communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14F to the statistical object matcher 18. The statistical object matcher 18 compares Ben's statistical object 14F with the plurality of statistical objects 14P, and determines that there it matches two statistical objects, Ben's and Greg's. The statistical object matcher 18 sends Ben's statistical object 14F, the two matched statistical objects 14M (Ben's and Greg's) and the communications characteristics 22 to the accumulated statistical object selector 20. The accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14AP and finds no matches. Because no matches were found, the accumulated statistical object selector 20 creates a new accumulated statistical object 14A including Ben's statistical object 14F, the two matched statistical objects 14M and the communications characteristics 22. The new accumulated statistical object 14A is added to the plurality of accumulated statistical objects 14AP. The accumulated statistical object information is set to 32 bits to reflect the information contained in statistical object 14F. The accumulated statistical object 14AP is passed to the original object identifier 26. The original object identifier 26 determines that the accumulated statistical object 14AP does not unambiguously identify a single original object 12S. This concludes the operation of the device 10 for the reception of Ben's statistical object. The device 10 does not respond to Ben's communication because it cannot unambiguously determine who sent the communication.
  • Now Ben, who sent the original communication, did not receive a response, so he sends another communication. Since time has passed since the first communication attempt, the clock value used to generate the statistical objects has changed. The new statistical objects and their corresponding X.509 certificates are: X.509 certificate #1 identifies Sally and generates a statistical object 14S of value 84256. X.509 certificate #2 identifies Ben and also generates a statistical object 14S of value 84256. X.509 certificate #3 identifies Greg and generates a statistical object 14S of value 10845. Due to time passing, device 10 regenerates the plurality of statistical objects 14P corresponding to the plurality of original objects 12P which match Sally, Ben and Greg.
  • Now Ben sends a second communication containing Ben's current statistical object to device 10. Device 10 receives Ben's communication using a communications receiver 16. Ben's communication includes Ben's statistical object 14F and communications characteristics 22. Again, the communications characteristic 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 2000 and destination TCP port number of 3000. The communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14F to the statistical object matcher 18. The statistical object matcher 18 compares Ben's statistical object 14F with the plurality of statistical objects 14P and determines that there it matches two statistical objects, Ben's and Sally's. The statistical object matcher 18 sends Ben's statistical object 14F, the two matched statistical objects 14M (Ben's and Sally's) and the communications characteristics 22 to the accumulated statistical object selector 20. The accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14AP, and finds a match with Ben's previous communication. The matched accumulated statistical object 14A includes the previous matched statistical object 14M containing Ben's and Greg's statistical objects and is compared against the two matched statistical objects 14M matching Ben's statistical object 14F containing Ben's and Sally's statistical objects. The intersection of both matched statistical sets is Ben. Greg and Sally are removed from the accumulated statistical object 14A. The accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 14F. The accumulated statistical object 14A is passed to the original object identifier 26. The original object identifier 26 takes the given accumulated statistical object 14A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12S. Original object 12S is Ben's X.509 certificate. Original object 12S is now indicated as selected original object 12SEL, and is passed to the probability calculator 30. The probability calculator 30 takes the given accumulated statistical object 14A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14A and the number of statistical objects in the plurality of statistical objects 14P, calculates the probability of guessing the accumulated statistical object information.
  • In this example, we have 100 statistical objects and have received 64 bits of statistical object information (32 bits×2). The probability of guessing is calculated by using the formula:

  • p(n;d)≈1−e −n 2 /(2×d)
  • where n is the number of statistical objects in the table of valid statistical objects;
  • d is the total number of unique statistical objects available; and
  • d is d=2b where b is the number of bits of statistical object information received.
  • Therefore:
  • d=264,n=100 resulting in p(100,264)≈1−e−100 2 /(2×2 64 )p(100,264)≈0.
  • In this case, with only a few original objects (100) and a relatively large amount of accumulated statistical object information, the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero. This calculated probability 36 and the accumulated statistical object 22 are passed to the threshold comparator 32. The threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27. In our example, the probability threshold value 27 is 1 in a million. The threshold comparator 32 determines that our calculated probability 27 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 27, the threshold comparator 32 makes an indication 30 that includes the selected original object 12SEL Ben. This indication 30 communicates to other functions within the device 10 that the communication was sent by Ben and has not exceeded the probability threshold value 27, and that the device 10 should now respond to Ben's communication.
  • In a second example, we continue with the first example but change the number of original objects 12S from 100 to 100,000,000 (one hundred million). The calculated probability 36 of guessing the accumulated statistical object 14A with 64 bits of information is 2.674%, greater than the probability threshold value of 1 in a million. Since this is greater than the threshold, this concludes the operation of the device 10 for the reception of Ben's statistical object. The device 10 does not respond to Ben's communication because it has exceeded the probability threshold value 27. Now Ben, who sent the original communications again did not receive a response, so he sends another communication. Device 10 receives Ben's communication using a communications receiver 16. Ben's communication includes Ben's statistical object 14F and communications characteristics 22. Again, the communications characteristic 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 2000 and destination TCP port number of 3000. The communications receiver 16 sends the received communications characteristics 22 and Ben's statistical object 14F to the statistical object matcher 18. The statistical object matcher 18 compares Ben's statistical object 14F with the plurality of statistical objects 14P and determines that there it matches only a single statistical object, Ben's. The statistical object matcher 18 sends Ben's statistical object 14F, the matched statistical object 14M (Ben's) and the communications characteristics 22 to the accumulated statistical object selector 20. The accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14AP, and finds a match with Ben's previous communication. The matched accumulated statistical object 14A includes the previous matched statistical object 14M containing only Ben and is compared against the matched statistical object 14M matching Ben's statistical object 14F containing Ben. The intersection of both matched statistical sets is Ben. The accumulated statistical object information increases from 64 bits to 96 bits with the addition of statistical object 14F. The accumulated statistical object 14A is passed to the original object identifier 26. The original object identifier 26 takes the given accumulated statistical object 14A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 12S. Original object 12S is Ben's X.509 certificate. Original object 12S is now indicated as selected original object 12SEL, and is passed to the probability calculator 30. The probability calculator 30 takes the given accumulated statistical object 22, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 22 and the number of statistical objects in the plurality of statistical objects 14P, calculates the probability of guessing the accumulated statistical object information. In a second example, we continue with the first example but change the number of original objects 12S from 100 to 100,000,000 (one hundred million). The calculated probability 36 of guessing the accumulated statistical object 14A with 96 bits of information is again vanishingly small, approaching zero. This calculated probability 36 and the accumulated statistical object 22 are passed to the threshold comparator 32. The threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27. The threshold comparator 32 determines that our calculated probability 27 of 0 is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 27, the threshold comparator 32 makes an indication 30 that includes the selected original object 12SEL Ben. This indication 30 communicates to other functions within the device 10 that the communication was send by Ben and has not exceeded the probability threshold value 27 and that the device 10 should now respond to Ben's communication.
  • In a third example, we continue with the second example and add an association of the selected original object 12SEL (Ben) and the communications characteristics 22. This allows for the optimization of subsequent communication requests from Ben.
  • Continuing with the third example, Ben makes another communication to device 10 during which within device 10 an association exists between Ben's original object and the communications characteristics 22 of Ben's previous communication. Device 10 receives Ben's communication using a communications receiver 16. Ben's communication includes Ben's statistical object (first statistical object 14F) and communications characteristics 22. This time, the communications characteristics 22 is source IP address of 1.1.1.2, destination IP address of 1.1.1.3, source TCP port number of 5000 and destination TCP port number of 7000. The source IP address is the same source IP address that was used in the prior, accepted communications. The statistical object matcher 18 compares Ben's statistical object 14F with the plurality of statistical objects 14P, and determines that there it matches two statistical objects, Ben's and Greg's. The statistical object matcher 18 sends Ben's statistical object 14F, the two matched statistical objects 14M (Ben's and Greg's) and the communications characteristics 22 to the accumulated statistical object selector 20 and sends the communications characteristics 22 to the associated original object selector 24. The accumulated statistical object selector 20 compares Ben's communications characteristics 22 with the plurality of accumulated statistical objects 14AP and finds no matches. Because no matches were found, the accumulated statistical object selector 20 creates a new accumulated statistical object 14A including Ben's statistical object 14F, the two matched statistical objects 14M and the communications characteristics 22. The new accumulated statistical object 14A is added to the plurality of accumulated statistical objects 14AP. The accumulated statistical object information is set to 32 bits to reflect the information contained in statistical object 14F. The accumulated statistical object selector 20 sends the accumulated statistical object 14A to the associated original object identifier 28.
  • The associated original object selector 24 receives the communications characteristics 22 and compares them with the communications characteristics 22 associated with the plurality of original objects 12P. Because an association exists between Ben's original object and Ben's communications characteristics 22, the associated original object selector 24 selects Ben's original object, indicated as 12SEL and passes the selected original object 12SEL to the associated original object identifier 28.
  • The associated original object identifier 28 takes the accumulated statistical object 14A and the selected original object 12SEL (Ben) and insures that the accumulated statistical object 14A could have been generated from the selected original object 12SEL. Upon determining that the accumulated statistical object 14A was producable by the selected original object 12SEL, the intersection of the original objects 14 is calculated using the original objects associated with the matched statistical objects 14M (Ben and Greg) and the selected original object 12SEL (Ben) resulting in Ben. This intersection is indicated in the accumulated statistical object 14A. Since there is exactly one original object now contained in the accumulated statistical object 14A, the accumulated statistical object 14A is sent to the probability calculator 30.
  • The probability calculator 30 takes the given accumulated statistical object 14A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 14A and the number of statistical objects in the plurality of statistical objects 14P, calculates the probability of guessing the accumulated statistical object information.
  • In this example, we have 100,000,000 statistical objects and have received 32 bits of statistical object information, but we have only a single statistical object that is associated with the Ben's communications characteristics 22. Therefore, instead of using 100,000,000 as the number of statistical objects, the number of statistical objects is 1, resulting in a calculated probability 36 of p=½32. This calculated probability 36 and the accumulated statistical object 22 are passed to the threshold comparator 32. The threshold comparator 32 takes the calculated probability 36 and compares it with the probability threshold value 27. The threshold comparator 32 determines that our calculated probability 27 of p=½32 is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 27, the threshold comparator 32 makes an indication 30 that includes the selected original object 12SEL Ben. This indication 30 communicates to other functions within the device 10 that the communication was sent by Ben and has exceeded the probability threshold value 27 and that the device 10 should now respond to Ben's communication. It should be noted that in this third example, because we are using the communications characteristics 22 associated with the original object 12, we can arrive at a selected original object 12SEL and not exceed the probability threshold value 27 while receiving fewer bits of information from the received statistical object 14F.
  • VII. Objects, Binding, Metadata and Communications
  • The present invention describes original objects 12S and statistical objects 14S. In its simplest form, an original object 12S is a string of bits. For example, the string “Hello, my name is John” is an original object 12S. An original object 12S could be signed by a third party to insure its authenticity. When an original object 12S is signed, a digital signature is bound to the original object 12S. The resulting signed original object 12S is itself another original object 12S. A digital signature is generated by a trusted third party and is bound to the original object 12S with metadata. This metadata usually is related to or derived from the original object 12S, but may also be unrelated to the original object such as geographic, biometric, physical, logical, temporal, dimensional and virtual data. An original object 12S may also be associated with a cryptographic key or set of keys. An original object associated with a set of cryptographic keys is called a keyed original object. A keyed original object is itself an original object 12S. The present invention can use any of these original object forms.
  • A statistical object or an original object can be communicated through a wide variety of mechanisms. When statistical or original objects are communicated, the easiest way is to have the communications mechanism designed to support the required information requirements of the original or statistical objects. When a communications system is being retrofitted to communicate original or statistical objects, there are several approaches that can be used. In a preferred embodiment, an original or statistical object can replace other information in the original message. Generally, this approach only works when the original or statistical object fits within an unused field or a field that can be regenerated to make up for the information lost during the replacement. An example of this is Transport Access Control (TAC). When this approach is not feasible, there are other methods that can be used, including tunneling, packet encapsulation and establishing a secondary communications channel. In tunneling, a network session is created. The messages are communicated within this tunnel. Original or statistical objects can be communicated during session establishment or during tunnel operation. An example of this is IPsec in tunnel mode. Packet encapsulation wraps each message with another encapsulating message. Original or statistical objects can be communicated in the encapsulating message. Examples of encapsulation include VLAN tagging and MPLS tagging. If neither of these mechanisms is suitable, a parallel communications channel can be created and the original or statistical objects can be communicated by the parallel channel. An example of a parallel channel is Internet Key Exchange (IKE) where an original object is communicated by the IKE protocol and the resulting security association is used by the IPsec protocol.
  • VIII. System Architecture
  • FIG. 25 is an illustration which shows one particular embodiment of the present invention, which includes an integrated SOI system 51. The integrated SOI system 51 receives messages through two network interfaces 67. In this embodiment, one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network resource 62. All traffic that is communicated between the network interfaces 67 must traverse the SOI policy service 40. The SOI policy service 40 is aided by an SOI resolution service 46. The SOI resolution service 46 is internally aided by a bootstrap keying service 44, a clock 47 and an object activation service 50. The SOI policy service 40 also has access to a dynamic blacklist table 56 and a policy table 59. Alternate embodiments of an integrated SOI system 51 may choose not to include a bootstrap keying service 44, or an object activation service 50.
  • FIG. 26 is an illustration which shows an alternate embodiment of the present invention, which includes an integrated SOI system 51. In this alternate embodiment, the SOI policy service 40 is also aided directly by an object activation service 50.
  • FIG. 27 is an illustration which shows an alternate embodiment of the present invention, a system of an integrated SOI policy system 53 and integrated SOI services 55. The integrated SOI policy system 53 receives messages through two network interfaces 67. In this embodiment, one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network resource 62. All traffic that is communicated between the network interfaces 67 must traverse the SOI policy service 40. The SOI policy service 40 is aided locally by an SOI resolution service 46, which is in turn aided by a local clock 47. The SOI policy service 40 is also aided by integrated SOI services 55. The integrated SOI services 55 is composed of a bootstrap keying service 44, an SOI resolution service 46, a clock 47 and an object activation service 50. The SOI policy service 40 also has access to a dynamic blacklist table 56 and a policy table 59. Alternate embodiments of integrated SOI services 55 may choose not to include a bootstrap keying service 44, or an object activation service 50.
  • FIG. 28 is an illustration which shows an alternate embodiment of the present invention, a system of multiple instances of an integrated SOI policy system 53 and a single instance of integrated SOI services 55.
  • FIG. 29 is an illustration which shows an alternate embodiment of the present invention, a system of multiple instances of an integrated SOI policy system 53 and multiple instances of integrated SOI services 55. In this embodiment, the top level instance of integrated SOI services 55 does not include a bootstrap keying service 44, or an object activation service 50. The top level instance of integrated SOI services 55 includes an SOI resolution service 46 and a clock 47.
  • FIG. 31 is an illustration which shows one particular embodiment of the present invention, which includes an SOI network client 69. The SOI network client 69 receives messages through a network interface 67 and from a computer application 65. All traffic that is communicated between the computer application 65 and the network interfaces 67 must traverse the SOI insertion policy service 42. The SOI insertion policy service 42 is aided by a bootstrap keying agent 45, a clock 47 and an object activation agent 48. Alternate embodiments of an SOI network client 69 may choose not to include a bootstrap keying agent 45, or an object activation agent 48.
  • FIG. 32 is an illustration which shows an alternate embodiment of the present invention; a system of a network client 66 and an SOI insertion device 70. The SOI insertion device 70 receives messages from two network interfaces 67. In this embodiment, one of the network interfaces 67 is connected to a network 64 and the other network interface 67 is connected to a network client 66. All traffic that is communicated between the network interfaces 67 must traverse the SOI insertion policy service 42. The SOI policy insertion service 42 is aided by a bootstrap keying agent 45, an SOI resolution service 46, a clock 47 and an object activation agent 48. The SOI policy insertion service 42 also has access to an insertion object table 57. Alternate embodiments of an SOI network client 69 may choose not to include a bootstrap keying agent 45, an SOI resolution service 46 or an object activation agent 48.
  • FIG. 33 is an illustration of an embodiment of an SOI system. An SOI network client 69 is connected to a network 64. Other SOI network clients 69 are connected through a SOI insertion device 70. A series of network client 66 are connected to SOI insertion devices 70. The networks 64 are connected to a series of integrated SOI systems 51 and integrated SOI policy systems 53. The integrated SOI systems 51 and the integrated SOI policy systems are connected to a series of integrated SOI policy services 55.
  • FIG. 34 is an illustration of an alternate embodiment of an SOI system.
  • IX. System Operation
  • The SOI systems presented here operate on the principle that original objects 12S that are known to both an SOI network client 69 or an SOI insertion device 70 and an integrated SOI policy service 40 or an SOI resolution service 46. All other information, including the source address of an SOI network client 69 or a network client 66, the state of synchronization of a clock 47 within an SOI network client 69 or an SOI insertion device 70 and knowledge of secure, shared keying material are presumed to be unknown. Furthermore, it is expected that all services contained within integrated SOI systems 51, integrated SOI policy systems 53 and integrated SOI service 55 are protected against discovery, attack and compromise and thus require a secure, measured approach to obtaining this unknown information which is required for proper SOI operation. Operating an SOI system has up to three phases for each original object. These three phases of operation are bootstrap keying, object activation and statistical object identification.
  • The objective of the first phase of operation, bootstrap keying, is to provide a set of statistical objects 14S to an SOI network client 69 or an SOI insertion device 70 to enable the authenticated accessing of the object activation service 50. During the bootstrap keying phase, a bootstrap keying agent 45 communicates with a bootstrap keying service 44. During this communications, the bootstrap keying agent 45 sends an original object 12S to the bootstrap keying service 44. The bootstrap keying service 44 responds by sending a set of statistical objects 14S to the bootstrap keying agent 45 to use in the object activation phase. The communication between the bootstrap keying agent 45 and the bootstrap keying service 44 must be secure and private, so that an eavesdropper cannot obtain the statistical objects 14S. In a preferred embodiment, the Internet Engineering Task Force (IETF) protocol Internet Key Exchange version 2 (IKEv2) is used to provide bootstrap keying.
  • Once bootstrap keying has been completed, operation moves to the second phase, object activation. The objective of the object activation phase is to provide an SOI network client 69 or an SOI insertion device 70 with the necessary information to generate statistical objects 14S from original object 12S such that the statistical objects 14S will be resolved by an integrated SOI system 51 or an SOI resolution service 46. During the object activation phase, an object activation agent 48 communicates with an object activation service 50. During this communication, the object activation agent 48 sends one or more original objects 12S, metadata associated with the original objects 12S and the time from a clock 47 local to the SOI network client 69 or SOI insertion device 70 to the object activation service 50.
  • The object activation service 50 responds 44 sending a set of keying information 61 and expiration criterion 63 to the object activation agent 48. The keying information 61 provided to the object activation agent 48 includes a clock offset. This is used to provide synchronization between the clock 47 that is local to the SOI network client 69 or SOI insertion device 70 and the clock 47 that is local to the integrated SOI system 51 or the SOI resolution service 46. This is necessary because many clocks in networking and computing devices lack the ability to maintain high degrees of accuracy over long periods of time. In the present invention, the clocks are synchronized during the object activation phase and must only remain in synchronization until the provided expiration criterion is met. In a preferred embodiment, the expiration criterion should be met before the clocks lose synchronization due to clock drift. The synchronized clock is used as an input to the hashing algorithm that is used to generate statistical object 14S.
  • The keying information 61 provided to the object activation agent 48 also includes a session key. This session key is used as an input to the hashing algorithm that is used to generate statistical objects 14S. The use of session keys eliminates the need to securely store keys. When an SOI network client 69 or an SOI insertion device 70 is powered off, or if the link fails connecting to the network 64, then the session key is lost and the SOI network client 69 or SOI insertion device 70 must perform object activation again to obtain a new session key.
  • The keying information 61 provided to the object activation agent 48 also includes an asynchronous clock reset value. This asynchronous clock reset value is used as an input to the hashing algorithm that is used to generate statistical objects 14S. The use of an asynchronous clock reset value eliminates the need for a high frequency clock. Higher frequency clocks can be more difficult to synchronize. Using an asynchronous clock with a reset value enables statistical objects 14S to be generated at a rate greater than the clock frequency while still maintaining unique statistical objects 14S. On each tick of the synchronized clock 47, the asynchronous clock is set to the asynchronous clock reset value. Whenever a statistical object is generated, the synchronous clock is incremented. In this way, the combination of the synchronized clock and the asynchronous clock will always result in a unique value.
  • When the object activation agent 48 communicates original objects 12S to the object activation service 50, the object activation agent 48 may also communicate metadata associated with the original object 12S. This metadata may be geophysical information, biometric information, application metadata or any other metadata that an object activation service 50 may use in its activation process. The object activation service 50 may be presented with more than one original object 12S from the object activation agent 48. The keying information 61 associated with the original object 12S is provided at the discretion of the object activation service 50. The object activation service 50 may provide keying information 61 for only a subset of the original objects 12S or the object activation service 50 may not provide keying information 61 for any of the original objects 12S. The object activation service 50 may have policies or rules that govern what original objects 12S or original objects 12S and their associated metadata will be given keying information 61. These policies or rules can be as simple as “IF the original object is Ben THEN provide keying information” or they can be more complex such as “IF the original object is Ben and the associated metadata indicates that Ben is in California THEN provide keying information” or “IF the original object is Ben and the associated metadata indicates that the requesting application is Email THEN provide keying information”. A single original object 12S with multiple metadata associations may be given multiple sets of keying information 61 corresponding to the different metadata associations.
  • The communication between the object activation agent 48 and the object activation service 50 must be secure and private, so that an eavesdropper cannot obtain the keying information 61. In a preferred embodiment, the communications is secured by using Transport Access Control, which uses a statistical object 14S to establish a TCP session between the object activation agent 48 and the object activation service 50. Once the TCP session has been established, a TLS session is established to provide privacy for the information. In a preferred embodiment, the original object 12S provided during TLS session establishment should be the same original object that was provided during the bootstrap keying phase.
  • Once object activation has been completed, operation moves to the third phase, statistical object identification. As this point, an SOI network client 69 or an SOI insertion device 70 has the information necessary to generate statistical objects 14S and an integrated SOI system 51 or an SOI resolution service 46 has the same information, enabling them to resolve received statistical objects 14S generated by an SOI network client 69 or an SOI insertion device 70 to the original objects 12S.
  • An SOI system has two primary components, an SOI insertion policy service 42 and an SOI policy service 40. Both of these services can reside in a single device. The SOI insertion policy service 42 is responsible for generating statistical objects 14S from an original object 12S and inserting the statistical object 14S into a message 68. The SOI policy service 40 is responsible for receiving the message 68, extracting the statistical object 14S and using a local SOI resolution service 46, performing statistical object identification to determine the original object 12S.
  • The SOI resolution service 46 operates as device 10. When a statistical object 14S is successfully resolved to an original object 12S and the probability threshold value 27 has been met, the original object 12S is communicated to the SOI policy service 40 where the original object 12S used as a key to locate policy information 60 in a policy table 59. The policy information 60 describes what to do with the message 68. Common policies include forwarding the message 68 to its intended destination, discarding the message 68, or rewriting the message 68 or its corresponding communications characteristics 22. In a preferred embodiment, when the SOI resolution service 46 cannot find a matching statistical object 14M that matches the statistical object 14S associated with the message 68, then the original object 12S associated with the message 68 is a special original object called “the unknown object”. The unknown object is communicated to the SOI policy service 40 where it is used as a key to locate policy information 60 in a policy table 59. The policy information 60 describes what to do with the message 68.
  • In an alternate preferred embodiment, when the SOI resolution service 46 cannot find a matching statistical object 14M that matches the statistical object 14S associated with the message 68, the SOI resolution service 46 sends the message 68 and the associated statistical object 14S to a second SOI resolution service 49. The entire message 68 is sent so that the SOI resolution service 46 can operate statelessly with respect to the message 68. The second SOI resolution service 49 operates as device 10. The second SOI resolution service 49 receives the message 68 and the associated statistical object 14S and performs statistical object identification. When a statistical object 14S is successfully resolved to an original object 12S and the probability threshold value 27 has been met, the original object 12S, the associated message 68, keying information 61, policy information 60 and expiration criterion are all communicated to the SOI resolution service 46. The SOI resolution service 46 received the information and generates statistical objects 14S until the expiration criterion 63 is met. The original object 12S, the message 68 and policy information 60 is communicated to the SOI policy service 40 where the policy information 60 is placed in the policy table 59. The message 68 is processed in accordance with the policy information 60. Subsequent messages 68 with statistical objects 14S generated from the same original object 12S will be processed solely by the SOI resolution service 46 until the expiration criterion 63 is met and this process does not require the assistance of the second SOI resolution service 49. In this way, a local instance of an SOI resolution service 46 can learn original objects 12S and their associated keying information 61, their associated policy information 60 and their expiration criterion 63. This process can also be extended with additional levels of SOI resolution services 46.
  • The SOI system is vulnerable to brute force attacks unless defenses are made to detect and mitigate them. A brute force attack on SOI is when an attacker generates a large number of statistical objects 14S in an attempt to guess a valid statistical object. In the present invention, a statistical object can only be tested for validity by presenting it to an SOI resolution service 46. Although the statistical objects 14S are generated with a timing component that enables then to be automatically expired, multiple attempts to guess a valid statistical object 14S can still be made, with sophisticated attackers generating hundreds of thousands or millions of attempts per second. To combat this, in a preferred embodiment, the SOI resolution service 46 maintains a count of failed statistical object resolutions and the communications characteristics 22 associated with each failed resolution. When the number of failed resolutions exceeds a threshold, then an entry containing the communications characteristics 22 is made in a dynamic blacklisting table 56. The dynamic blacklisting table 56 is used by the SOI policy service 40 and is queried first. If the communications characteristics 22 associated with a received message 68 match an entry in the dynamic blacklisting table 56, then the message is discarded before any additional work is performed. Each entry in the dynamic blacklisting table 56 has an expiration criterion 63. When the expiration criterion is met, then the entry is removed from the dynamic blacklisting table 56. The expiration criterion 63 should insure that all statistical object 14S in the plurality of statistical objects 14P have aged out before the expiration criterion 63 is met. New entries to the dynamic blacklisting table 56 should be communicated to all integrated SOI system 51 and integrated SOI policy system 53 entities.
  • An SOI insertion policy service 42 is used by an SOI network client 69 and an SOI insertion device 70. In an SOI network client 69, the SOI policy insertion service 42 operates on the same device as the computer application 65. An SOI network client 69 generally presents a single original object 12S during object activation, but may present multiple associated metadata relationships, which may result in multiple sets of keying information 61. The SOI policy insertion service 42 in an SOI network client 69 only performs object activation and statistical object identification for itself and does not generate statistical objects on behalf of network clients 66. In an SOI insertion device 70, the policy insertion service 42 operates on a separate device, logical or physical, as the computer application 65. The SOI policy insertion service 42 in an SOI insertion device 70 performs object activation and SOI on behalf of other network clients 66.
  • The object activation agent 45 of an SOI network client 69 may communicate metadata in addition to communicating an original object 12S to the object activation service 50. In response, the object activation service 50 communicates sets of keying information 61 and expiration criterion 63 to the object activation agent 45. Subsequently, when the computer application 65 in an SOI network client 69 attempts to communicate with a network resource 62 by sending a message 68, the SOI insertion policy service 42 intercepts the message 68, generates a statistical object 14S based on the keying information 61 provided to the object activation agent 45 and inserts the statistical object 14S into the message 68. The message 68 is then forwarded to the network resource 62. If the object activation agent 45 sent metadata to the object activation service 50, the SOI insertion policy service 42 must select the appropriate keying information 61 when generating the statistical object 14S. For example, if the object activation agent 45 uses a certificate showing the Identity of “Ben” as the original object 12S and also sends a list of application signatures as metadata components associated with the original object 12S to the object activation service 50 as follows:
  • Index Application Signature
    1 email application signature 1
    2 safari application signature 2
    3 facebook application signature 3

    The object activation service 50 may return a set of keying information 61, with each element of the set being associated with a different metadata components as follows:
  • Index Keying Information
    1 keying information 1
    2 keying information 2
    3 no keying information

    With this keying information 61, and the computer application 65 being “safari”, when a message 68 is received by the SOI policy insertion service 42, the SOI policy insertion service 42 will determine that the computer application 65 that sent the message 68 was “safari” and will then generate a statistical object 14S based on the keying information 61 “keying information 2”. This enables an integrated SOI system 51 or an integrated SOI policy system 53 to determine that the message 68 was sent by “Ben” using the application “safari”.
  • When an SOI insertion device 70 is used in place of an SOI network client 69, the SOI insertion device 70 must be able to associate communications characteristics 22 with an original object 12S before being able to generate a statistical object 14S. When a network client 66 sends a message 68 to a network resource 62, it is received by an SOI insertion device 70. The communications characteristics 22 associated with the received message 68 are compared to entries in an insertion object table 57 by the SOI policy insertion service 42. If a matching entry is found, the corresponding keying information 61 is used by the SOI policy insertion service 42 to generate a statistical object 14S and the statistical objet 14S is inserted into the message 68 which is forwarded to the network resource 62. The provisioning of entries of communications characteristics 22 and associated keying information 61 in the insertion object table 57 can be accomplished manually or statically or can be automated and self learning. In a preferred embodiment, when a message 68 with associated communications characteristics 22 is received by an SOI policy insertion service 42 and the communications characteristics 22 do not match any entries in the insertion object table 57, the SOI policy insertion service 42 can query an external service, using the communications characteristics 22 as the query key. The external service may return an original object 12S associated with the communications characteristics 22. For example, for networks using IEEE 802.1x port authentication, the source MAC address may be used as the query key and the external service would return the authenticated identity associated with the source MAC address. Once the SOI policy insertion service 42 has received an original object 12S from the external service, an object activation agent 48 will communicate the original object 12S to an object activation service 50, which may return keying information 61 and expiration criterion 63 back to the object activation agent 48. This information is added to the insertion object table 57. Periodically, the insertion object table 57 must be checked to determine if any of the expiration criterion 63 has been satisfied and if so, the entry corresponding to the satisfied expiration criterion is removed from the insertion object table 57.
  • CONCLUSION
  • Although the present invention has been described in detail with reference to one or more preferred embodiments, persons possessing ordinary skill in the art to which this invention pertains will appreciate that various modifications and enhancements may be made without departing from the spirit and scope of the claims that follow. The various alternatives for providing an efficient means for statistical object identity that have been disclosed above are intended to educate the reader about preferred embodiments of the invention, and are not intended to constrain the limits of the invention or the scope of Claims. The List of Reference Characters which follows is intended to provide the reader with a convenient means of identifying elements of the invention in the Specification and Drawings. This list is not intended to delineate or narrow the scope of the Claims.
  • LIST OF REFERENCE CHARACTERS
    • 10 Device (Remote System)
    • 12M Matched Original Object
    • 12P Plurality of Original Objects
    • 12S Original Object
    • 12SEL Selected Original Object
    • 14A Accumulated Statistical Object
    • 14AP Plurality of Accumulated Statistical Objects
    • 14F First Statistical Object
    • 14M Matching Statistical Object
    • 14MA Matching Accumulated Statistical Object
    • 14MP Plurality of Matching Statistical Objects
    • 14NA New Accumulated Statistical Object
    • 14P Plurality of Statistical Objects
    • 14S Statistical Object
    • 16 Communications Receiver
    • 18 Statistical Object Matcher
    • 20 Accumulated Statistical Object Selector
    • 22 Communications Characteristics
    • 24 Associated Original Object Selector
    • 26 Original Object Identifier
    • 27 Probability Threshold Value
    • 28 Associated Original Object Identifier
    • 30 Probability Calculator
    • 32 Threshold Comparator
    • 34 Indication
    • 36 Calculated Probability
    • (All components from 12M to 36 are included in device 10).
    • 40 SOI Policy Service
    • 42 SOI Insertion Policy Service
    • 44 Bootstrap Keying Service
    • 45 Bootstrap Keying Agent
    • 46 SOI Resolution Service
    • 47 Clock
    • 48 Object Activation Agent
    • 49 Second SOI Resolution Service
    • 50 Object Activation Service
    • 51 Integrated SOI System
    • 52 Identity Management System
    • 53 Integrated SOI Policy System
    • 55 Integrated SOI Services
    • 56 Dynamic Blacklisting Table
    • 57 Insertion Object Table
    • 59 Policy Table
    • 60 Policy Information
    • 61 Keying information
    • 62 Network Resource
    • 63 Expiration Criterion
    • 64 Computer Network
    • 65 Computer Application
    • 66 Network Client
    • 67 Network Interface
    • 68 Message
    • 69 SOI Network Client
    • 70 SOI Insertion Device

Claims (20)

What is claimed is:
1. A method comprising the steps of:
an object activation agent (48) having access to a clock (47) and having at least one original object (12S);
said object activation agent (48) communicating said original object (12S) and time from said clock (47) to an object activation service (50); and
said object activation service (50) providing and communicating keying information (61) and expiration criterion (63) for at least one of said original objects (12S) to said object activation agent (48).
2. A method as recited in claim 1, where
said original object (12S) is obtained from an external service.
3. A method as recited in claim 1, where
said object activation service (50) determines if network address translation was performed between said object activation agent (48) and said object activation service (50).
4. A method as recited in claim 3, where
said object activation service (50) communicates said determination of network address translation to said object activation agent (48).
5. A method as recited in claim 1, further comprising the additional steps of:
providing an SOI policy service (40), an SOI Insertion Policy service (42) and a network resource (66);
said object activation agent (48) communicating said keying information (61), and expiration criterion (63) for each of the said original objects (12S) to said SOI insertion service (40);
said network client (66) sending a message (68) to said network resource (62);
said message (68) being communicated through said SOI insertion service (42);
said SOI insertion service (42) selecting one of said original objects (12S) and generating a statistical object (14S) using said keying information (61) associated with said selected original object (12S);
said SOI insertion service (42) inserting said statistical object (14S) into said message (68) and forwarding said message (68) to said network resource (62);
6. A method as recited in claim 1, further comprising the additional steps of:
said object activation agent (48) communicating said keying information (61), and said expiration criterion (63) for each of said original objects (12S) to an SOI identification service (40);
said SOI Policy service (40) generating a plurality of statistical objects (14S) using said keying information (61) for each of the said original objects (12S).
7. A method as recited in claim 6, further comprising the additional steps of:
said SOI Policy service (40) ceasing generation of statistical objects (14S) after said expiration criterion (63) has been met;
8. A method as recited as claim 6 in which:
said expiration criterion (63) is expressed as a function of time;
9. A method as recited in claim 7 in which:
said expiration criterion (63) is expressed as a function of statistical objects (14S);
10. A method as recited in claim 7 in which:
said expiration criterion (63) is expressed as a function of messages (68);
11. A method as recited in claim 1, further comprising the additional steps of:
said object activation agent (48) communicating said keying information (61), and said expiration criterion (61) for each of said original objects (12S) to an SOI resolution service (46);
said SOI resolution service (46) generating a plurality of statistical objects (14S) using said keying information (61) for each of the said original objects (12S).
12. A method as recited in claim 11, further comprising the additional steps of:
said identity fault resolution service (46) ceasing generation of statistical objects (14S) after said expiration criterion (63) has been met;
13. A method as recited as claim 11 in which:
said expiration criterion (63) is expressed as a function of time;
14. A method as recited in claim 11 in which:
said expiration criterion (63) is expressed as a function of statistical objects (14S);
15. A method as recited in claim 11 in which:
said expiration criterion (63) is expressed as a function of messages (68);
16. A method comprising the steps of:
An SOI Policy service (40) receiving a statistical object (14S) associated with a message (68)
using statistical object identification, determining that said received statistical object (14S) is not present in a plurality of statistical object (14S); and
sending said statistical object (14S) and said associated message (68) to an SOI resolution service (46);
17. A method as recited in claim 16, further comprising the additional steps of:
accumulating a statistic of failed statistical object resolutions on a per source address basis;
determining that said count of failed statistical object resolutions exceeds a threshold; and
discarding messages received from said source address until an expiration criterion is met;
18. A method as recited in claim 16, further comprising the additional steps of:
accumulating a statistic of failed statistical object resolutions on a per source address basis;
determining that said count of failed statistical object resolutions exceeds a threshold; and
adjusting the probability threshold for messages received from said source address until an expiration criterion is met;
19. A method comprising the steps of:
An SOI resolution service (46) receiving an original object (12S), keying information (61), expiration criterion (63), a message (68) and policy information (60) from a second SOI resolution service (49); and
said SOI resolution service (46) generating statistical objects (14S) from said original objects (12S) until said expiration criterion (63) is satisfied;
20. A method as recited in claim 19, further comprising the additional steps of:
said SOI resolution service (46) associating a source IP address contained in said message (68) with said original object (12S);
US13/987,747 2011-11-18 2013-08-27 Method for statistical object identification Abandoned US20150067796A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US13/987,747 US20150067796A1 (en) 2011-11-18 2013-08-27 Method for statistical object identification
US14/544,987 US20160269421A1 (en) 2011-11-18 2015-03-11 Method for network security using statistical object identification
US15/998,262 US11095687B2 (en) 2011-11-18 2018-07-24 Network security system using statistical object identification
US17/353,117 US11503079B2 (en) 2011-11-18 2021-06-21 Network security system using statistical object identification

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/373,586 US8572697B2 (en) 2011-11-18 2011-11-18 Method for statistical object identification
US13/987,747 US20150067796A1 (en) 2011-11-18 2013-08-27 Method for statistical object identification

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/373,586 Continuation-In-Part US8572697B2 (en) 2005-09-30 2011-11-18 Method for statistical object identification

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/544,987 Continuation-In-Part US20160269421A1 (en) 2011-11-18 2015-03-11 Method for network security using statistical object identification

Publications (1)

Publication Number Publication Date
US20150067796A1 true US20150067796A1 (en) 2015-03-05

Family

ID=48428269

Family Applications (3)

Application Number Title Priority Date Filing Date
US13/373,586 Active 2031-11-25 US8572697B2 (en) 2005-09-30 2011-11-18 Method for statistical object identification
US13/987,747 Abandoned US20150067796A1 (en) 2011-11-18 2013-08-27 Method for statistical object identification
US14/544,987 Abandoned US20160269421A1 (en) 2011-11-18 2015-03-11 Method for network security using statistical object identification

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/373,586 Active 2031-11-25 US8572697B2 (en) 2005-09-30 2011-11-18 Method for statistical object identification

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/544,987 Abandoned US20160269421A1 (en) 2011-11-18 2015-03-11 Method for network security using statistical object identification

Country Status (1)

Country Link
US (3) US8572697B2 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10361859B2 (en) 2017-10-06 2019-07-23 Stealthpath, Inc. Methods for internet communication security
US10367811B2 (en) 2017-10-06 2019-07-30 Stealthpath, Inc. Methods for internet communication security
US10374803B2 (en) 2017-10-06 2019-08-06 Stealthpath, Inc. Methods for internet communication security
US10375019B2 (en) 2017-10-06 2019-08-06 Stealthpath, Inc. Methods for internet communication security
US10397186B2 (en) 2017-10-06 2019-08-27 Stealthpath, Inc. Methods for internet communication security
US10630642B2 (en) 2017-10-06 2020-04-21 Stealthpath, Inc. Methods for internet communication security
US11558423B2 (en) 2019-09-27 2023-01-17 Stealthpath, Inc. Methods for zero trust security with high quality of service
US20230047229A1 (en) * 2021-08-16 2023-02-16 Bank Of America Corporation Enhanced authentication framework using multi-dimensional hashing

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9424067B2 (en) * 2014-12-11 2016-08-23 Amazon Technologies, Inc. Managing virtual machine instances utilizing an offload device
US9400674B2 (en) 2014-12-11 2016-07-26 Amazon Technologies, Inc. Managing virtual machine instances utilizing a virtual offload device
US9292332B1 (en) 2014-12-11 2016-03-22 Amazon Technologies, Inc. Live updates for virtual machine monitor
US9886297B2 (en) 2014-12-11 2018-02-06 Amazon Technologies, Inc. Systems and methods for loading a virtual machine monitor during a boot process
US9535798B1 (en) 2014-12-19 2017-01-03 Amazon Technologies, Inc. Systems and methods for maintaining virtual component checkpoints on an offload device
US9667414B1 (en) 2015-03-30 2017-05-30 Amazon Technologies, Inc. Validating using an offload device security component
US10187299B2 (en) * 2016-04-22 2019-01-22 Blackridge Technology Holdings, Inc. Method for using authenticated requests to select network routes
CN107480544A (en) * 2017-08-07 2017-12-15 成都牵牛草信息技术有限公司 Count list operation permission grant method
US10416967B2 (en) * 2017-10-13 2019-09-17 Internationa Business Machines Corporation Method of optimizing vargs in object-oriented programming languages
US11093638B2 (en) 2019-04-05 2021-08-17 Online Media Holdings Ltd Distributed management of user privacy information
US11140170B2 (en) 2019-04-05 2021-10-05 Online Media Holdings Ltd Network-based partial and full user identification techniques
US20230291548A1 (en) * 2022-03-08 2023-09-14 Western Digital Technologies, Inc. Authorization requests from a data storage device to multiple manager devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030033276A1 (en) * 2001-08-09 2003-02-13 Integrated Silicon Solution, Inc. Search engine for large database search using CAM and hash
US6754662B1 (en) * 2000-08-01 2004-06-22 Nortel Networks Limited Method and apparatus for fast and consistent packet classification via efficient hash-caching
US8086860B2 (en) * 2007-10-01 2011-12-27 Tata Consultancy Services Limited Method for preventing and detecting hash collisions of data during the data transmission

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6807632B1 (en) * 1999-01-21 2004-10-19 Emc Corporation Content addressable information encapsulation, representation, and transfer
US20070078978A1 (en) * 1998-06-01 2007-04-05 Sri International Method and apparatus for updating information in a low-bandwidth client/server object-oriented system
US7016956B2 (en) * 2000-07-31 2006-03-21 Ellacoya Networks, Inc. Directory-enabled intelligent broadband service switch
CN1235408C (en) * 2001-02-12 2006-01-04 皇家菲利浦电子有限公司 Generating and matching hashes of multimedia content
US7212527B2 (en) * 2001-05-09 2007-05-01 Intel Corporation Method and apparatus for communicating using labeled data packets in a network
JP2003030145A (en) * 2001-07-16 2003-01-31 Fujitsu Ltd Information processing method and program
JP3878193B2 (en) * 2002-06-18 2007-02-07 株式会社エヌ・ティ・ティ・ドコモ Gateway device and signal processing method in gateway device
US20040221158A1 (en) * 2003-05-02 2004-11-04 Secure Data In Motion, Inc. Digital signature and verification system for conversational messages
US7366170B2 (en) * 2003-09-25 2008-04-29 Kabushiki Kaisha Toshiba Communication connection method, authentication method, server computer, client computer and program
US9154512B2 (en) * 2006-03-30 2015-10-06 Cisco Technology, Inc. Transparently proxying transport protocol connections using an external server
KR100748937B1 (en) * 2006-08-04 2007-08-13 주식회사 이노와이어리스 Method for extracting wap data by mobile identification number
WO2008064719A1 (en) * 2006-11-30 2008-06-05 Telefonaktiebolaget Lm Ericsson (Publ) Packet handling in a mobile ip architecture
US9294389B2 (en) * 2011-06-23 2016-03-22 Cisco Technology, Inc. Method to select interface for IP packets when destination subnet is reachable on multiple interfaces
KR101258845B1 (en) * 2011-10-10 2013-05-06 고려대학교 산학협력단 Information save method and system using TCP communication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6754662B1 (en) * 2000-08-01 2004-06-22 Nortel Networks Limited Method and apparatus for fast and consistent packet classification via efficient hash-caching
US20030033276A1 (en) * 2001-08-09 2003-02-13 Integrated Silicon Solution, Inc. Search engine for large database search using CAM and hash
US8086860B2 (en) * 2007-10-01 2011-12-27 Tata Consultancy Services Limited Method for preventing and detecting hash collisions of data during the data transmission

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10965646B2 (en) 2017-10-06 2021-03-30 Stealthpath, Inc. Methods for internet communication security
US10361859B2 (en) 2017-10-06 2019-07-23 Stealthpath, Inc. Methods for internet communication security
US10374803B2 (en) 2017-10-06 2019-08-06 Stealthpath, Inc. Methods for internet communication security
US10375019B2 (en) 2017-10-06 2019-08-06 Stealthpath, Inc. Methods for internet communication security
US10397186B2 (en) 2017-10-06 2019-08-27 Stealthpath, Inc. Methods for internet communication security
US10630642B2 (en) 2017-10-06 2020-04-21 Stealthpath, Inc. Methods for internet communication security
US10367811B2 (en) 2017-10-06 2019-07-30 Stealthpath, Inc. Methods for internet communication security
US11245529B2 (en) 2017-10-06 2022-02-08 Stealthpath, Inc. Methods for internet communication security
US11930007B2 (en) 2017-10-06 2024-03-12 Stealthpath, Inc. Methods for internet communication security
US11729143B2 (en) 2017-10-06 2023-08-15 Stealthpath, Inc. Methods for internet communication security
US11463256B2 (en) 2017-10-06 2022-10-04 Stealthpath, Inc. Methods for internet communication security
US11558423B2 (en) 2019-09-27 2023-01-17 Stealthpath, Inc. Methods for zero trust security with high quality of service
US11757649B2 (en) * 2021-08-16 2023-09-12 Bank Of America Corporation Enhanced authentication framework using multi-dimensional hashing
US20230047229A1 (en) * 2021-08-16 2023-02-16 Bank Of America Corporation Enhanced authentication framework using multi-dimensional hashing

Also Published As

Publication number Publication date
US20160269421A1 (en) 2016-09-15
US8572697B2 (en) 2013-10-29
US20130133039A1 (en) 2013-05-23

Similar Documents

Publication Publication Date Title
US20150067796A1 (en) Method for statistical object identification
US9973499B2 (en) Method for statistical object indentification
US10505961B2 (en) Digitally signed network address
US10187299B2 (en) Method for using authenticated requests to select network routes
US9118644B2 (en) Method for directing requests to trusted resources
RU2530691C1 (en) Method for protected remote access to information resources
Sani et al. Xyreum: A high-performance and scalable blockchain for iiot security and privacy
US7139679B1 (en) Method and apparatus for cryptographic protection from denial of service attacks
Zhang et al. Shortmac: efficient data-plane fault localization.
CN111726346B (en) Data secure transmission method, device and system
CN101304407A (en) Method, system and apparatus for authentication of source address
US11503079B2 (en) Network security system using statistical object identification
CN101867473A (en) Connection establishment method and access authentication system for blocking-attacking resistant shared media terminal
EP4013004A1 (en) Data processing method and device
Lagutin Redesigning internet-the packet level authentication architecture
WO2020202780A1 (en) Computational puzzles against dos attacks
EP2753043B1 (en) Reverse authorized syn cookie
US11095687B2 (en) Network security system using statistical object identification
Hu et al. TrueID: A practical solution to enhance Internet accountability by assigning packets with creditable user identity code
Ma et al. A new architecture for anonymous use of services in distributed computing networks
Younes Modeling and performance analysis of a new secure address resolution protocol
CN115086069B (en) DDoS attack recognition method and device
Ming-Hao The security analysis and attacks detection of OSPF routing protocol
Lagutin Securing the Internet with digital signatures
Annessi Securing group communication in critical Infrastructures

Legal Events

Date Code Title Description
AS Assignment

Owner name: BLACKRIDGE TECHNOLOGY HOLDINGS, INC., NEVADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAYES, JOHN WILLIAM;HAMLIN, CHRISTOPHER LUIS;GRAM, CHARLES ANDREW;REEL/FRAME:031463/0296

Effective date: 20131003

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION