WO2008093314A2 - Procédé et appareil pour transférer des données - Google Patents

Procédé et appareil pour transférer des données Download PDF

Info

Publication number
WO2008093314A2
WO2008093314A2 PCT/IL2007/000112 IL2007000112W WO2008093314A2 WO 2008093314 A2 WO2008093314 A2 WO 2008093314A2 IL 2007000112 W IL2007000112 W IL 2007000112W WO 2008093314 A2 WO2008093314 A2 WO 2008093314A2
Authority
WO
WIPO (PCT)
Prior art keywords
pattern
information
computing platform
capturing
outputting
Prior art date
Application number
PCT/IL2007/000112
Other languages
English (en)
Other versions
WO2008093314A3 (fr
Inventor
Avi Zigdon
Eyal Kedem
Original Assignee
Techmind Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Techmind Ltd. filed Critical Techmind Ltd.
Priority to PCT/IL2007/000112 priority Critical patent/WO2008093314A2/fr
Publication of WO2008093314A2 publication Critical patent/WO2008093314A2/fr
Publication of WO2008093314A3 publication Critical patent/WO2008093314A3/fr
Priority to IL199886A priority patent/IL199886A0/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones

Definitions

  • the present invention relates to data transfer in general, and to transferring control data from a secure system in particular.
  • Transferring data between computers is an essential part of daily work in almost any organization.
  • the transfer is possibly limited according to the source and destination computer, the characteristics of a network associated with the source or the destination computer, the data to be transferred, encryption and others.
  • an apparatus for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional comprising: a data collection module for collecting data from the source computing platform to be transmitted to the destination computing platform; a pattern generation component for generating a pattern representing the collected data; a signal outputting device for outputting the pattern; a capturing device for capturing the pattern output by the outputting device, said capturing device separated from said signal outputting device by a medium; and a pattern decoding component for retrieving the information from the pattern captured by the capturing device.
  • the pattern is optionally a barcode pattern
  • the capturing device is optionally a barcode reader
  • the signal outputting device is optionally a display.
  • the pattern is optionally a sound signal
  • the outputting device is optionally a loudspeaker
  • the capturing device is optionally a microphone.
  • the apparatus can further comprise a watchdog module for monitoring the functionality of said data collection module or of said pattern generation component, or a watchdog module for monitoring the functionality of said data collection module or of said capturing device or of said pattern decoding component.
  • the apparatus can further comprise a message simulation module for simulating a message to be sent to the destination computing platform.
  • the apparatus can further comprise an information distribution component for distributing the information to a target.
  • the target is optionally selected from the group consisting of: a file; a database; an optical representation, a visual representation, an audio presentation; a printer; a short message to be sent to a telephone, an e-mail, a fax, an alert to be generated; or a notification to be sent to a telephone recipient.
  • the medium is optionally fluid.
  • Another aspect of the disclosed invention relates to a method for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional, the method comprising the steps of: collecting information to be transmitted from the secure source computing platform to the destination computing platform; generating a pattern from the collected information; outputting the pattern by a first device; capturing the pattern by a second device, wherein the first device and the second device are separated by a medium; and decoding the pattern to retrieve the collected information.
  • the pattern is optionally an optical pattern such as a visual pattern, a barcode pattern, or a vocal pattern.
  • the method can further comprise a step of generating control information and generating a pattern from said control information, a step of distributing the information, or a step of encoding the information and a step of decoding the information.
  • the medium is fluid.
  • FIG. 1 is a schematic illustration of the apparatus of the disclosed invention and a typical environment in which the apparatus is used;
  • Fig. 2 is a schematic illustration of a two-dimensional barcode
  • Fig. 3 is a block diagram of the components of an apparatus implementing the disclosed invention
  • Fig. 4 is a flowchart of the main steps of the method of the disclosed invention.
  • the present invention overcomes the problem of transferring data from a secure system to another system, wherein no transfer channel such as a network connection, wireless connection, writable disk or diskette drive or the like is available.
  • An apparatus comprises components connected to or executed by the source computer or network, i.e. the computer or network from which it is required to transfer the information, and a second part which is connected to or executed by the destination computer or network, i.e. the computer or network to which it is required to transfer the information.
  • the source components include software for gathering the information to be transferred, and for encoding the information into a pattern.
  • the pattern is sent to a device connected to the source computer or network, which outputs the signal.
  • the destination components include an input device for capturing the signal describing the pattern, and software for decoding the pattern and transferring the information to a predetermined destination, or application or another usage.
  • the source and destination components are disconnected so that no other data can be transferred from the source to the destination, and certainly not the other way around.
  • the pattern generation and capturing rate depends on the type of the pattern and additional parameters.
  • a preferred embodiment of the disclosed invention includes software on the source side for gathering the information, generating an optical such as a graphic pattern and displaying the pattern on a display.
  • the destination components include a camera or another device capable of optical or visual capturing, and software for retrieving the information from the captured graphic pattern.
  • the display and the camera are separated by medium such as fluid, for example air, gas or another medium that enables light to pass.
  • the information is coded into a barcode pattern on the source side, and a barcode reader and interpreter captures and retrieves the information on the destination side.
  • network 124 and network 144 are any type of networks such as local area network (LAN), wide area network (WAN), or the like.
  • a multiplicity of computing platforms and resources is connected to each of network 124 or network 144, such as computing platforms 132, 136, or 148, laptop computer 128, displays 140 or 156, printer 152 or any other device or resource.
  • Computing platforms 104 or 108 can be of any type including a desktop computer, a laptop computer, personal computer, a mainframe computer, a network computer, a telephone with computing capabilities, or any other type of computing platform that is provisioned with a memory device (not shown) and a CPU or microprocessor device.
  • Computing platform 104 executes software 106 for receiving or collecting the information to be transferred.
  • the information can be, for example, security information related to an intrusion attempt, resource failure notice or the like.
  • the information can originate at any component connected to network 124, such as computing platforms 128, 132 or 136, display device 140 or network 124 itself.
  • Software 106 receives the information through an API, or actively collects it for example through a file or data base, and generates a graphic pattern from the information.
  • the graphic pattern is displayed on display 112 connected to computing platform 104 by any cable and using any format for connecting a display to a computing platform.
  • Display 112 can be any type of display, such as LCD, CRT, or the like.
  • the graphic pattern is preferably a barcode, and specifically a two- or three-dimensional barcode 116.
  • Fig. 2 shows an example of a two-dimensional barcode which can be displayed on display 1 12.
  • software 106 can be stored on any storage device, and installed or executed on any component connected to network 124.
  • Display 112 can be connected to computing platform 104 in addition to one or more additional displays used by users of platform 104, preferably using a VGA, DVI, or s-Video connectors.
  • Apparatus 100 of the disclosed invention further comprises a camera, a barcode reader or another capturing device 120 for capturing pattern 116 displayed on device 112.
  • Capturing device 120 and display 116 are preferably separated by air or another medium which enables the capturing of the pattern displayed on display 112.
  • the required physical distance, or distance range, between camera 120 and display 112 depends on the size and resolution of display 112, the size, density, or resolution of pattern 112, the amount of light shed on the gap between camera 120, and the characteristics of camera 120, and should generally follow the instructions provided by the barcode reader's manufacturer.
  • Capturing device 120 is connected to platform 108 via any connecting equipment and using any protocol, such as USB, RJ45, RS232, Ethernet, Bluetooth, infrared, or the like. If capturing device 120 does not receive power from another source, then this connection also provides power to the device.
  • Yet another component of the disclosed invention is software component 110, which captures pattern 116 displayed on display 112, decodes pattern 116 to retrieve the information sent from platform 104 and transfer the information to any destination within network 144 connected to platform 108.
  • the information can be sent to a file or data base stored on computing platform 148, an optical or visual presentation to be displayed on display 156, an audio representation to played; a print to be output by printer 152, a short message to be sent to a telephone, an alert of any kind to be generated, a database or a software to be updated, or any other action.
  • Software components 106 and 110 can be implemented in any programming language, such as C, C++, V#, Java, Visual basic, Perl, Python or any other, using any development environment, such as Microsoft .Net, J2EE, LAMP or the like.
  • display 112 and capturing device 120 are packed in a case, such as a substantially opaque box so that no external light interferes camera 120 in capturing pattern 116.
  • the pattern generating component of software 106 and the pattern decoding component of software 110 can be a part of a barcode product which comprises also barcode reader 120.
  • Such product can be, for example, IDAutomation.NET manufactured by IDAutomation (www.idautomation.com).
  • IDAutomation.NET manufactured by IDAutomation (www.idautomation.com).
  • Fig. 3 showing a block diagram of the software components of the disclosed invention.
  • the software is generally divided into components installed on the transmitting side 300, referenced as software 106 of
  • Transmitting side components comprise data collecting module 308, for collecting the information that has to be transmitted to the receiving side.
  • the information can be any binary information, including but not limited to alphanumeric strings.
  • the quantity of the information is optionally limited not to exceed a maximal threshold, for example about 5 kilobyte per minute so that transferring significant amount of data out of the secure system will not be possible.
  • the collection can be done actively, for example by reading from a file, querying another component on the transmitting side or otherwise accessing the information. Alternatively, the collection can be passive, by providing an application program interface (API) which is used by one or more applications that have to transmit information.
  • API application program interface
  • pattern generation module 312 codes the information into a pattern, such as a barcode pattern.
  • the pattern can be one-, two- or three-dimensional pattern, a string, or any other representation of the information. If the pattern is a barcode pattern, pattern generation module 312 is optionally supplied with the barcode reader connected to the receiving side. Once the pattern is generated, it is displayed by pattern display module 316 on display 112 of Fig. 1. Transmitting side components 300 further comprise an optional message simulation module 320, for simulating messages to be sent to the receiving side. Sending simulated messages are required for a number of reasons. A simulated message can be sent periodically for ensuring that the system is functional. If no message is received on the receiving side during a certain period of time, it might be the case the system is not functioning rather than there is no new message to transmit, so a periodical simulated message provides a functionality indication.
  • Transmitting side components 300 further comprise an optional watchdog module 324, which monitors the activity and functionality of the other components by receiving periodical indications from the other components. If an indication is not received, the relevant component is re-invoked, and if the problem persists an error message is sent through message simulation module 324, if possible, or to an operator or another entity in charge of platform 104 or another platform connected to network 124 of Fig. 1.
  • Receiving side components 304 comprise a pattern capturing module 328 for capturing the pattern displayed on display 112 of Fig.
  • pattern decoding nodule 332 for decoding the pattern and retrieving the information collected by data collecting module 308 and coded by pattern generation module 312.
  • pattern capturing module 328 pattern decoding nodule 332 are optionally supplied with the capturing device, such as barcode reader 120 of Fig. 1.
  • Pattern capturing module 328 optionally scans display 112 in a continuous manner and thus captures every displayed pattern, as long as the pattern update rate is below the scanning rate of the device, which is typically about five to six times a second, or more. Identical messages are distinguished due to the simulated separating messages generated by message simulation module 320.
  • Information distribution module 336 receives the decoded information and transfers it to a target according to the user's will, such as creating or updating a file, updating a database, sending a short message, a fax or an e-mail to a recipient, or any other action. Preferably, information distribution module 336 disregards messages simulated by message simulation module 320.
  • Receiving side components 304 further comprise a watchdog module 340 similar to watchdog module 324 of the transmitting side. Watchdog module 340 monitors the components of the receiving side and notifies if any component malfunctions, or if a periodical simulated message is not received.
  • the notification can also be of any form, including generating an alert, updating a File or a database or sending a notification. If either software components 300 or software components 304 were developed using an environment that requires a platform in order to run, such as Java virtual Machine for applications developed in Java, or Microsoft .Net platform for applications developed in .NET, the relevant execution platform is supplied and installed with the software.
  • Fig. 4 showing a flowchart of the method of the disclosed invention.
  • the method starts at step 400 wherein information is collected, either actively or passively through an API, as detailed in association with data collecting module 308 of Fig. 3. Additionally, control information is generated on step 404, reflecting either periodically generated control information, or informative data such as malfunction information.
  • patterns such as barcode patterns are generated on step 408, and output on step 412, for example by displaying the pattern on display 112 of Fig. 1.
  • the patterns are captured by a capturing device such as a camera or a barcode reader on the receiving side.
  • the device outputting the pattern on step 412 and the device capturing the information on step 416 are set apart from each other wherein a medium separates them, since no physical connection is allowed between the outputting device connected to a secure system and a device not connected to the same system.
  • the pattern capturing rate is limited by the limitations of the manufacturer of the reader, on the required transfer rate, and on the certainty required for assuring that particular pattern, representing a particular message to be conveyed is indeed captured. For example, if the scan rate of the device of about five to six times per second, then designing the source side to send new messages not more frequently than three seconds apart, provides certainty of over 99 percent that the information is not missed or misread.
  • the patterns are decoded to retrieve the original information, and on step 428 the information is distributed to its destination.
  • different types of information are transmitted to different destinations. For example, indications concerning intrusion attempts in the source platform or network are notified to security personnel, while malfunction notifications are sent to maintenance personnel.
  • control information or non-required types of information are ignored.
  • the disclosed method and apparatus provide for unidirectional transfer of information from a secure source computing platform to a destination platform. The information is limited in quantity to disable massive transfer of sensitive information, and enable the transfer of information such as maintenance and control information. Numerous embodiments, modifications and alternatives may be designed for the disclosed invention.
  • the information may be transferred via optical means such as infra-red or other optical transmitting and receiving methods.
  • the pattern generated for the information may be auditory, such as tones, speech, dual tone multi frequency (DTMF) or any other auditory format.
  • DTMF dual tone multi frequency
  • pattern generation module 312 of Fig. 2 will generate sound rather than a visual pattern
  • display 112 and camera 120 of Fig. 1 will be replaced by a sound emitting and sound receiving devices, such as a loudspeaker and a microphone, respectively
  • pattern decoding module 332 of Fig. 1 will be replaced by a sound analysis module.
  • the information can be transmitted and received using any other means that enable a medium between the transmitting and receiving systems, such as smell, signaling, or the like.
  • the information may be further encrypted and decrypted, so that even if the displayed pattern is captured and decoded by a non-legitimate user, the real information can not be accessed.
  • the additional encryption is preferably performed prior to pattern generation step 412, and the decryption is performed after pattern decoding step 420 of Fig. 4.
  • the software component of the transmitted side can be used as a screen saver. Such usage will avoid the security breach caused by leaving platform 104 of Fig. 1 constantly accessible. This can be done by following the standard actions related to using an application as a screen saver, according to the operating system of platform 104 of Fig. 1.
  • the components described above can be implemented as detailed as one or more applications executed on a general purpose processor, or alternatively as firmware ported for a specific processor such as digital signal processor (DSP) or microcontrollers, or can be implemented as hardware or configurable hardware such as field programmable gate away (FPGA) or application specific integrated circuit (ASIC).
  • DSP digital signal processor
  • FPGA field programmable gate away
  • ASIC application specific integrated circuit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

L'invention concerne un procédé et un appareil pour transmettre des données à partir d'un système sécurisé qui n'est pas autorisé à se connecter à un réseau, à écrire des informations sur un support ou similaire à un système de destination. L'appareil comprend un composant de génération de motif pour générer un motif à partir des informations devant être transmises, un dispositif pour émettre le motif, un dispositif de capture pour capturer le motif émis, et un composant pour décoder ledit motif et extraire les informations. Le dispositif de sortie et le dispositif de capture sont séparés par un milieu tel que l'air.
PCT/IL2007/000112 2007-01-29 2007-01-29 Procédé et appareil pour transférer des données WO2008093314A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/IL2007/000112 WO2008093314A2 (fr) 2007-01-29 2007-01-29 Procédé et appareil pour transférer des données
IL199886A IL199886A0 (en) 2007-01-29 2009-07-15 Method and apparatus for transferring data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IL2007/000112 WO2008093314A2 (fr) 2007-01-29 2007-01-29 Procédé et appareil pour transférer des données

Publications (2)

Publication Number Publication Date
WO2008093314A2 true WO2008093314A2 (fr) 2008-08-07
WO2008093314A3 WO2008093314A3 (fr) 2009-04-16

Family

ID=39674580

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/000112 WO2008093314A2 (fr) 2007-01-29 2007-01-29 Procédé et appareil pour transférer des données

Country Status (1)

Country Link
WO (1) WO2008093314A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015142841A1 (fr) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systèmes, procédés et programmes d'ordinateur pour la communication entre des réseaux de niveaux de sécurité différents, à l'aide de codes-barres
WO2016025402A1 (fr) * 2014-08-11 2016-02-18 Kopel Matthew Communication interactive à base d'image utilisant un codage d'image

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6202060B1 (en) * 1996-10-29 2001-03-13 Bao Q. Tran Data management system
US6811088B2 (en) * 1993-05-28 2004-11-02 Symbol Technologies, Inc. Portable data collection system
US6942151B2 (en) * 2001-05-15 2005-09-13 Welch Allyn Data Collection, Inc. Optical reader having decoding and image capturing functionality
US7111787B2 (en) * 2001-05-15 2006-09-26 Hand Held Products, Inc. Multimode image capturing and decoding optical reader

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6811088B2 (en) * 1993-05-28 2004-11-02 Symbol Technologies, Inc. Portable data collection system
US6202060B1 (en) * 1996-10-29 2001-03-13 Bao Q. Tran Data management system
US6942151B2 (en) * 2001-05-15 2005-09-13 Welch Allyn Data Collection, Inc. Optical reader having decoding and image capturing functionality
US7111787B2 (en) * 2001-05-15 2006-09-26 Hand Held Products, Inc. Multimode image capturing and decoding optical reader

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015142841A1 (fr) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systèmes, procédés et programmes d'ordinateur pour la communication entre des réseaux de niveaux de sécurité différents, à l'aide de codes-barres
WO2015142836A1 (fr) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systèmes, procédés et programmes d'ordinateur pour communiquer entre des réseaux ayant différents niveaux de sécurité, à l'aide de codes à barres
WO2015142815A1 (fr) * 2014-03-17 2015-09-24 Saudi Arabin Oil Company Systèmes, procédés et programmes d'ordinateur pour communiquer entre des réseaux ayant des niveaux de sécurité différents, à l'aide de codes barres
WO2015142807A1 (fr) * 2014-03-17 2015-09-24 Saudi Arabian Oil Comapny Systèmes, procédés et programmes d'ordinateur pour communiquer entre des réseaux de niveaux de sécurité différents, au moyen de code-barres
US9189637B2 (en) 2014-03-17 2015-11-17 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between physically isolated networks having different levels of network protection utilizing barcode technology
US9210179B2 (en) 2014-03-17 2015-12-08 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance
US9223991B2 (en) 2014-03-17 2015-12-29 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer large volumes of data between physically isolated networks having different levels of network protection
US9235724B2 (en) 2014-03-17 2016-01-12 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer backup data between physically isolated networks having different levels of network protection
WO2016025402A1 (fr) * 2014-08-11 2016-02-18 Kopel Matthew Communication interactive à base d'image utilisant un codage d'image
US10482558B2 (en) 2014-08-11 2019-11-19 Waltz, Inc. Interactive image-based communication using image coding

Also Published As

Publication number Publication date
WO2008093314A3 (fr) 2009-04-16

Similar Documents

Publication Publication Date Title
US11012447B2 (en) Method, system, and storage medium for secure communication utilizing social networking sites
US8966249B2 (en) Data security and integrity by remote attestation
CN101646995B (zh) 用于存储管理器的数据流过滤器和插件
US11544394B2 (en) Information processing apparatus and method for processing information
US9288172B2 (en) Access restriction device, access restriction method, computer readable storage medium
US8478860B2 (en) Device detection system for monitoring use of removable media in networked computers
US9158648B2 (en) Reporting product status information using a visual code
CN107895122B (zh) 一种专用敏感信息主动防御方法、装置及系统
CA2434674A1 (fr) Systeme de gestion et de securite informatique
JP2009277081A (ja) ネットワーク上に配置された構成要素についての情報を検出するためのパスワードを管理するコンピュータ・システム、並びにその方法及びコンピュータ・プログラム
KR20140036444A (ko) 사용자 행위분석 기반 디지털 포렌식 감사 시스템
CN110197707B (zh) 基于区块链的病历信息处理方法、装置、介质及电子设备
CN111611606A (zh) 文件加密、解密方法和装置
US9996545B1 (en) Analytics and deduplication for air-gapped log analysis
WO2008093314A2 (fr) Procédé et appareil pour transférer des données
CN109885985A (zh) 一种在线阅读pdf防下载防截屏的方法及其实现系统
US20100241910A1 (en) Method and system for maintenance of a data-processing apparatus
WO2019073232A1 (fr) Système et procédé de sécurité
CN1584863A (zh) 经由边带信道的信息的传递,以及使用上述内容来验证位置关系
JP6053646B2 (ja) 監視装置及び情報処理システム及び監視方法及びプログラム
JP2008226242A (ja) 電子ドキュメントまたはその一部をロギングするシステムおよび方法
Ko et al. Trends in Mobile Ransomware and Incident Response from a Digital Forensics Perspective
JP2007199813A (ja) ログ収集システム及びログ収集方法
US11176021B2 (en) Messaging systems with improved reliability
US11200107B2 (en) Incident management for triaging service disruptions

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 199886

Country of ref document: IL

NENP Non-entry into the national phase in:

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07706055

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 07706055

Country of ref document: EP

Kind code of ref document: A2