WO 00/17775
PCT/US99/21934

[Drawing sheets of WO 00/17775 (SUBSTITUTE SHEET (RULE 26)), scan pages 864 to 881: figure content not recoverable from the scan.]
`
PCT
INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

(51) International Patent Classification 7: G06F 11/00

(11) International Publication Number: WO 00/70458

(43) International Publication Date: 23 November 2000 (23.11.00)

(21) International Application Number: PCT/US00/08219

(22) International Filing Date: 15 May 2000 (15.05.00)

(30) Priority Data: 60/134,547, 17 May 1999 (17.05.99), US

(71) Applicant: COMSEC CORPORATION [US/US]; 10217 Cedar Pond Drive, Vienna, VA 22182 (US).

(72) Inventor: SHEYMOV, Victor, I.; 10217 Cedar Pond Drive, Vienna, VA 22182 (US).

(74) Agent: SIXBEY, Daniel, W.; Nixon Peabody LLP, Suite 800, 8180 Greensboro Drive, McLean, VA 22102 (US).

(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CU, CZ, DE, DK, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, UA, UG, UZ, VN, YU, ZA, ZW. ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW). Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report.

(54) Title: METHOD OF COMMUNICATIONS AND COMMUNICATION NETWORK INTRUSION PROTECTION METHODS AND INTRUSION ATTEMPT DETECTION SYSTEM
`
[Front-page figure: block diagram with labels CYBER COORDINATES, REMOTE USER, SOURCE ADDR, CYBER COORDIN., PROTECTED COMPUTER; remaining labels not recoverable from the scan.]
`
(57) Abstract

The intrusion protection method and system for a communication network provides address agility wherein the cyber coordinates of a target host (14) are changed both on a determined time schedule and when an intrusion attempt is detected. The system includes a management unit (18) which generates a random sequence of cyber coordinates and maintains a series of tables containing the current and next set of cyber coordinates. These cyber coordinates are distributed to authorized users (12) under an encryption process to prevent unauthorized access.
`
`

`
FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.
`
`

`
- 1 -

METHOD OF COMMUNICATIONS AND COMMUNICATION NETWORK INTRUSION PROTECTION METHODS AND INTRUSION ATTEMPT DETECTION SYSTEM
`
This application is a continuation-in-part application of U.S. Serial No. 60/134,547 filed May 17, 1999.
`
Background Art

Historically, every technology begins its evolution focusing mainly on performance parameters, and only at a certain developmental stage does it address the security aspects of its applications. Computer and communications networks follow this pattern in a classic way. For instance, first priorities in development of the Internet were reliability, survivability, optimization of the use of communications channels, and maximization of their speed and capacity. With a notable exception of some government systems, communications security was not an early high priority, if at all. Indeed, with a relatively low number of users at initial stages of Internet development, as well as with their exclusive nature, problems of potential cyber attacks would have been almost unnatural to address, considering the magnitude of other technical and organizational problems to overcome at that time. Furthermore, one of the ideas of the Internet was “democratization” of communications channels and of access to information, which is almost contradictory to the concept of security. Now we are faced with a situation which requires adequate levels of security in communications while preserving already achieved “democratization” of communications channels and access to information.

All the initial objectives of the original developers of the Internet were achieved with results spectacular enough to almost certainly surpass their expectations. One of the most remarkable results of the Internet development to date is the mentioned “democratization”. However, in its unguarded way “democratization” apparently is either premature to a certain percentage of the Internet users, or contrary to human nature, or both. The fact remains that this very percentage of users presents a serious threat to the integrity of national critical infrastructure, to privacy of information, and to further advance of commerce by utilization
`
`884
`
`

`
`WO 00/70458
`
`PCT/USDO/08219
`
`- 2 -
`
of the Internet capabilities. At this stage it seems crucial to address security issues but, as usual, it is desirable to be done within already existing structures and technological conventions.

Existing communications protocols, while streamlining communications, still lack underlying entropy sufficient for security purposes. One way to increase entropy, of course, is encryption as illustrated by U.S. Patent No. 5,742,666 to Finley. Here each node in the Internet encrypts the destination address with a code which only the next node can unscramble.

Encryption alone has not proven to be a viable security solution for many communications applications. Even within its core purpose, encryption still retains certain security problems, including distribution and safeguarding of the keys. Besides, encryption represents a “ballast”, substantially reducing information processing speed and transfer time. These factors discourage its use in many borderline cases.

Another way is the use of passwords. This method has been sufficient against humans, but it is clearly not working against computers. Any security success of password-based security is temporary at best. Rapid advances in computing power make even the most sophisticated password arrangement a short-term solution.

Recent studies clearly indicate that the firewall technology, as illustrated by U.S. Patent No. 5,898,830 to Wesinger et al., also does not provide a sufficient long-term solution to the security problem. While useful to some extent, it cannot alone withstand the modern levels of intrusion cyber attacks.

On top of everything else, none of the existing security methods, including encryption, provides protection against denial of service attacks. Protection against denial of service attacks has become a critical aspect of communication system security. All existing log-on security systems, including those using encryption, are practically defenseless against such attacks. Given a malicious intent of a potential attacker, it is reasonable to assume that, even having failed with an intrusion attempt, the attacker is still capable of doing harm by disabling the system with a denial of service attack. Since existing systems by definition have to deal with every log-on attempt, legitimate or not, it is certain that these systems cannot defend themselves against a denial of service attack.
`
`885
`
`

`
`wo oo/70453
`
`' 3 '
`
`PCT/US00/08219
`
The deficiencies of existing security methods for protecting communications systems lead to the conclusion that a new generation of cyber protection technology is needed to achieve acceptable levels of security in network communications.

Summary of the Invention

It is a primary object of the present invention to provide a novel and improved method of communications, and a novel and improved communication network intrusion protection method and systems and novel and improved intrusion attempt detection method and systems, adapted for use with a wide variety of communication networks including Internet based computers, corporate and organizational computer networks (LANs), e-commerce systems, wireless computer communications networks, telephone dial-up systems, wireless dial-up systems, wireless telephone and computer communications systems, cellular and satellite telephone systems, mobile telephone and mobile communications systems, cable based systems and computer databases, as well as protection of network nodes such as routers, switches, gateways, bridges, and frame relays.

Another object of the present invention is to provide a novel and improved communication network intrusion protection method and system which provides address agility combined with a limited allowable number of log-on attempts.

Yet another object of the present invention is to provide a novel and improved intrusion protection method for a wide variety of communication and other devices which may be accessed by a number, address code, and/or access code. This number, address code, and/or access code is periodically changed and the new number, address code, or access code is provided only to authorized users. The new number, address code, or access code may be provided to a computer or a device for the authorized user and not be accessible to others. This identifier causes the user's computer to transmit the otherwise unknown and inaccessible number, address code, and/or access code.

A still further object of the present invention is to provide a novel and improved communication network intrusion protection method and system wherein a plurality of different cyber coordinates must be correctly provided before access is granted to a protected communications unit or a particular piece of information. If all or some cyber coordinates
`
`886
`
`

`
`wo 00/70458
`
`' 4 '
`
`PCT/US00/08219
`
are not correctly provided, access is denied, an alarm situation is instigated and the affected cyber coordinates may be instantly changed.

For the purposes of this invention cyber coordinates are defined as a set of statements determining location of an object (such as a computer) or a piece of information (such as a computer file) in cyber space. Cyber coordinates include but are not limited to private or public protocol network addresses such as an IP address in the Internet, a computer port number or designator, a computer or database directory, a file name or designator, a telephone number, an access number and/or code, etc.

These and other objects of the present invention are achieved by providing a communication network intrusion protection method and system where a potential intruder must first guess where a target computer such as a host workstation is in cyber space and to predict where the target computer such as a workstation will next be located in cyber space. This is achieved by changing a cyber coordinate (the address) or a plurality of cyber coordinates for the computers such as workstations on a determined or random time schedule and making an unscheduled cyber coordinates change when the system detects an intrusion attempt. A limited number of log-on attempts may be permitted before an intrusion attempt is confirmed and the cyber coordinates are changed. A management unit is provided for generating a random sequence of cyber coordinates and which maintains a series of tables containing current and the next set of addresses. These addresses are distributed to authorized parties, usually with use of an encryption process.

The present invention further provides for a piece of information, a computer or a database intrusion protection method and system where a potential intruder must first guess where a target piece of information such as a computer file or a directory is in cyber space and to predict where the target piece of information will be next in cyber space. This is achieved by changing a cyber coordinate or a plurality of cyber coordinates for the piece of information on a determined or random time schedule and making an unscheduled cyber coordinates change when the system detects an intrusion attempt. A limited number of log-on attempts may be permitted before an intrusion attempt is confirmed and the coordinates changed. A management unit is provided for generating a random sequence of cyber coordinates and which maintains a series of tables containing current and the next set of cyber coordinates. These coordinates are distributed to authorized parties, usually by means
`
`887
`
`

`
`WO 00/70458
`
`PCT/USO0I082l9
`
of an encryption process.

The intrusion attempt detection methods and systems are provided to the protected devices and pieces of information as described above by means of categorizing a log-on attempt when all or some of the correct cyber coordinates are not present as an intrusion attempt and by instigating an alarm situation.

Brief Description of the Drawings

Figure 1 is a block diagram of the communication network protection system of the present invention;

Figure 2 is a flow diagram showing the operation of the system of Figure 1;

Figure 3 is a block diagram of a second embodiment of the communication network protection system of the present invention;

Figure 4 is a flow diagram showing the operation of the system of Figure 3;

Figure 5 is a block diagram of a third embodiment of the communication network protection system of the present invention;

Figure 6 is a flow diagram showing the operation of the system of Figure 5; and

Figure 7 is a block diagram of a fourth embodiment of the communication network protection system of the present invention.

Description of the Preferred Embodiments

Existing communications systems use fixed coordinates in cyber space for the communications source and communications receiver. Commonly accepted terminology for the Internet refers to these cyber coordinates as source and destination IP addresses. For
`
`888
`
`

`
`W0 00/70458
`
`PCT/U500/08219
`
`. 6 .
`
purposes of an unauthorized intrusion into these communication systems, the situation of a cyber attack might be described in military terms as shooting at a stationary target positioned at known coordinates in cyber space. Obviously, a moving target is more secure than the stationary one, and a moving target with coordinates unknown to the intruder is more secure yet. The method of the present invention takes advantage of the cyber space environment and the fact that the correlation between the physical coordinates of computers or other communication devices and their cyber coordinates is insignificant. While it is difficult to change the physical coordinates of computers or other communications devices, their cyber coordinates (cyber addresses) can be changed much more easily, and in accordance with the present invention, may be variable and changing over time.

In addition to varying the cyber coordinates over time, the cyber coordinates can immediately be changed when an attempted intrusion is sensed. Furthermore, making the current cyber coordinates available to only authorized parties makes a computer or other communications device a moving target with cyber coordinates unknown to potential attackers. In effect, this method creates a device which perpetually moves in cyber space.

Considering first the method of the present invention as applied to computers and computer networks, the computer's current cyber address may serve also as its initial log-on password with a difference that this initial log-on password is variable. A user, however, has to deal only with a computer's permanent identifier, which is, effectively, its assigned “name” within a corresponding network. Any permanent identifier system can be used, and an alphabetic “name” system seems to be reasonably user-friendly. One of such arrangements would call for using a computer's alphabetic Domain Name System name as a cyber address permanent identifier, while subjecting its numeric, or any other cyber address to a periodic change with regular or irregular intervals. This separation will make the security system transparent to the user, who will have to deal only with the alphabetic addresses. In effect, the user's computer would contain an “address book” where the alphabetic addresses are permanent, and the corresponding variable addresses are more complex and periodically updated by a network's management. While a user is working with other members of the network on the name or the alphabetic address basis, the computer conducts communications based on the corresponding variable numeric or other addresses assigned for that particular time.
`
`889
`
`

`
`.
`
`wo oo/70458
`
`_ 7 _
`
`PCTIUSOO/08219
`
A variable address system can relatively easily be made to contain virtually any level of entropy, and certainly enough entropy to defy most sophisticated attacks. Obviously, the level of protection is directly related to the level of entropy contained in the variable address system and to the frequency of the cyber address change.

This scenario places a potential attacker in a very difficult situation when he has to find the target before launching an attack. If a restriction on a number of allowable log-on tries is implemented, it becomes more difficult for an attacker to find the target than to actually attack it. This task of locating the target can be made difficult if a network's cyber address system contains sufficient entropy. This difficulty is greatly increased if the security system also limits the number of allowable log-on tries, significantly raising the entropy density.

For the purpose of this invention, entropy density is defined as entropy per one attempt to guess a value of a random variable.

Figure 1 illustrates a simple computer intrusion protection system 10 which operates in accordance with the method of the present invention. Here, a remote user's computer 12 is connected to a protected computer 14 by a gateway router or bridge 16. A management system 18 periodically changes the address for the computer 14 by providing a new address from a cyber address book 20 which stores a plurality of cyber addresses. Each new cyber address is provided by the management system 18 to the router 16 and to a user computer address book 22. The address book 22 contains both the alphabetic destination address for the computer 14 which is available to the user and the variable numeric cyber address which is not available to the user. When the user wants to transmit a packet of information with the alphabetic address for the computer 14, the current numerical cyber address is automatically substituted for this alphabetic address and used in the packet.

With reference to Figures 1 and 2, when a packet is received by the gateway router or bridge 16 as indicated at 24, the cyber address is checked by the gateway router or bridge at 26, and if the destination address is correct, the packet is passed at 28 to the computer 14. If the destination address is not correct, the packet is directed to a security analysis section 30 which, at 32, determines if the packet is retransmitted with a correct address within a limited number of log-in attempts. If this occurs, the security analysis section transmits the packet to the computer 14 at 28. However, if no correct address is
`
`890
`
`

`
`wo 00/70458
`
`’ 8 '
`
`PCT/US00/08219
`
received within the allowed limited number of log-in attempts, the packet is not transmitted to the computer 14 and the security analysis section activates an alarm section 34 at 36 which in turn causes the management section to immediately operate at 38 to change the cyber address.

Sophisticated cyber attacks often include intrusion through computer ports other than the port intended for a client log-on. If a system principally described in connection with Figures 1 and 2 is implemented, the port vulnerability still represents an opening for an attack from within the network, that is, if an attacker has even a low-level authorized access to a particular computer and thus knows its current variable address.

Computer ports can be protected in a way similar to protection of the computer itself. In this case port assignment for the computer becomes variable and is changed periodically in a manner similar to that described in connection with Figures 1 and 2. Then, a current assignment of a particular port is communicated only to appropriate parties and is not known to others. At the same time, similarly to methods described, a computer user would deal with permanent port assignments, which would serve as the ports' permanent “names”.

This arrangement in itself may not be sufficient, however, to reliably protect against a port attack using substantial computing power because of a possible insufficient entropy density. Such a protection can be achieved by implementing an internal computer “port router” which would serve essentially the same role for port identifiers as the common gateway router or bridge 16 serves for computer destination addresses.

With reference to Figures 3 and 4, wherein like reference numerals are used for components and operations which are the same as those previously described in connection with Figures 1 and 2, a port router 40 is provided prior to the protected computer 14, and this port router is provided with a port number or designator by the management unit 18. This port number or designator is also provided to the user address book 22 and will be changed when the cyber address is changed, or separately. Thus, with reference to Figure 4, once the cyber address has been cleared at 26, the port number or designator is examined at 42. If the port number is also correct, the data packet will be passed to the computer 14 at 28. If the port number is initially incorrect, the packet is directed to the security analysis section 30 which at 32 determines if the packet is retransmitted with the correct port number within the limited number of log-in attempts.
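The address-agility flow of Figures 1 through 4 and the entropy-density idea, as an added example that is not part of the patent: a Python simulation of the management unit, the gateway with its port router, and the security analysis section with its attempt limit. The names HOST_NAME, alice and mallory, the 32-bit address and 16-bit port spaces, and the attempt limit of 3 are constructed assumptions, encryption of the distributed coordinates is left out, and `entropy_density` is my reading of the patent's definition rather than a formula the patent gives.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

HOST_NAME = "host14"   # permanent alphabetic "name" of protected computer 14 (constructed)


@dataclass
class Packet:
    source: str       # permanent name of the sending party
    dest_addr: int    # numeric cyber address the sender placed in the packet
    dest_port: int    # port designator the sender placed in the packet
    payload: str


class ManagementUnit:
    """Management unit 18: draws random cyber coordinates, keeps the current and
    next set (the tables fed from cyber address book 20) and distributes the
    current set only to authorized address books 22."""

    def __init__(self, addr_bits: int = 32, port_bits: int = 16):
        self.addr_bits, self.port_bits = addr_bits, port_bits
        self.current = self._fresh()
        self.next = self._fresh()
        self.books: dict[str, dict] = {}   # authorized user -> address book 22
        self.rotations = 0

    def _fresh(self) -> tuple[int, int]:
        # Uniformly random (address, port); entropy is addr_bits + port_bits.
        return (secrets.randbelow(1 << self.addr_bits),
                secrets.randbelow(1 << self.port_bits))

    def authorize(self, user: str) -> dict:
        """Hand an authorized user an address book mapping names to current coordinates."""
        book = {HOST_NAME: self.current}
        self.books[user] = book
        return book

    def rotate(self) -> None:
        """Scheduled or alarm-driven change (step 38): 'next' becomes current,
        a new 'next' is drawn, and only authorized books learn the new value."""
        self.current, self.next = self.next, self._fresh()
        self.rotations += 1
        for book in self.books.values():
            book[HOST_NAME] = self.current


class Gateway:
    """Gateway router 16 plus port router 40 and security analysis section 30."""

    def __init__(self, mgmt: ManagementUnit, max_attempts: int = 3):
        self.mgmt, self.max_attempts = mgmt, max_attempts
        self.failures: dict[str, int] = {}   # source -> consecutive wrong coordinates
        self.delivered: list[Packet] = []    # packets passed to computer 14 (step 28)
        self.alarms = 0

    def receive(self, pkt: Packet) -> str:
        addr, port = self.mgmt.current
        if pkt.dest_addr == addr and pkt.dest_port == port:   # checks 26 and 42
            self.failures.pop(pkt.source, None)
            self.delivered.append(pkt)
            return "delivered"
        # Security analysis section (30/32): a limited number of retries is tolerated.
        n = self.failures.get(pkt.source, 0) + 1
        self.failures[pkt.source] = n
        if n < self.max_attempts:
            return "retry"
        self.alarms += 1          # alarm section 34 (step 36)
        self.mgmt.rotate()        # unscheduled coordinate change (step 38)
        self.failures.clear()
        return "alarm"


def send_by_name(user: str, book: dict, name: str, payload: str) -> Packet:
    """The user's computer substitutes the current numeric coordinates for the name."""
    addr, port = book[name]
    return Packet(user, addr, port, payload)


def guess_probability(addr_bits: int, port_bits: int, max_attempts: int) -> float:
    """Upper bound on an outsider's chance of hitting uniformly random
    coordinates within the tries allowed before an alarm rotates them."""
    return max_attempts / (1 << (addr_bits + port_bits))


def entropy_density(addr_bits: int, port_bits: int, max_attempts: int) -> float:
    """Entropy per allowed guess: my reading of the patent's 'entropy density'
    (assumption, not the patent's formula). Fewer allowed tries raise it."""
    return (addr_bits + port_bits) / max_attempts


def demo(max_attempts: int = 3) -> dict:
    """Constructed scenario: an authorized user reaches the host by name; an
    outsider replays stale coordinates, trips the alarm and forces a rotation."""
    mgmt = ManagementUnit()
    alice_book = mgmt.authorize("alice")
    gw = Gateway(mgmt, max_attempts)
    first = gw.receive(send_by_name("alice", alice_book, HOST_NAME, "hello"))
    stale = mgmt.current     # coordinates an outsider might have observed earlier
    mgmt.rotate()            # scheduled change: alice's book is updated, the copy is stale
    probes = [gw.receive(Packet("mallory", *stale, "probe")) for _ in range(max_attempts)]
    after = gw.receive(send_by_name("alice", alice_book, HOST_NAME, "after alarm"))
    return {"first": first, "probes": probes, "after": after,
            "rotations": mgmt.rotations, "alarms": gw.alarms,
            "delivered": len(gw.delivered)}


if __name__ == "__main__":
    print(demo())
```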
`
`891
`
`

`
`wo oo/70453
`
`’ 9 '
`
`PCT/US00/08219
`
The port protection feature can be used independently of other features of the system. It can effectively protect nodes of the infrastructure such as routers, gateways, bridges, and frame relays from unauthorized access. This can protect systems from an attacker staging a cyber attack from such nodes.

The method and system of the present invention may be adapted to provide security for both Internet based computer networks and private computer networks such as LANs. Internet structure allows the creation of an Internet based Private Cyber Network (PCN) among a number of Internet-connected computers. The main concern for using the Internet for this purpose as an alternative to the actual private networks with dedicated communication channels is security of Internet-based networks.

The present invention facilitates establishment of an adequate and controllable level of security for the PCNs. Furthermore, this new technology provides means for a flexible structure of a PCN, allowing easy and practically instant changes in its membership. Furthermore, it allows preservation of adequate security in an environment where a computer could be a member of multiple PCNs with different security requirements. Utilizing the described concept, a protected computer becomes a “moving target” for the potential intruders where its cyber coordinates are periodically changed and the new coordinates are communicated on a “need to know” basis only to the other members of the PCN authorized to access this computer along with appropriate routers and gateways. This change of cyber coordinates can be performed either by previous arrangement or by communicating future addresses to the authorized members prior to the change. Feasible frequency of such a change can range from a low extreme of a stationary system changing cyber coordinates only upon detection of a cyber attack to an extremely high frequency such as with every packet. The future coordinates can be transmitted either encrypted or unencrypted. Furthermore, each change of position of each PCN member can be made random in terms of both its current cyber coordinates and the time of the coordinates change. These parameters of a protected PCN member's cyber moves are known only to the PCN management, other PCN members with authorization to communicate with this particular member, and appropriate gateways and routers. PCN management would implement and coordinate periodic cyber coordinates changes for all members of the PCN. While the PCN management is the logical party to make all the notification of the cyber coordinates changes, in certain instances it
`
could be advantageous to shift a part of this task to a PCN member computer itself. With certain limitations, the routers and gateways with the "need to know" of the current address of the protected computer are located in cyberspace in the general vicinity of the protected computer. In such instances the protected computer could be in a better position to make the mentioned notifications to nearby routers and gateways.

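The coordinate-change mechanics described in the paragraphs above (random new coordinates, random change times, distribution by PCN management on a need-to-know basis), as an added example that is not the patent's own code. It goes beyond the text in one respect: each member carries its own interval bounds, so a heavily targeted member can move more often than the others. The coordinate format (an address and a port), the interval values, the member names, and the choice to notify at the moment of the change rather than in advance are all assumptions.

```python
"""PCN management simulation: cyber coordinates changed at random times and
pushed only to the peers authorized to know them.

Added example, not code from the patent. Everything concrete is an
assumption: the (address, port) coordinate format, per-member interval
bounds, member names, and notification at change time rather than ahead of it.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Coords = Tuple[str, int]   # (address, port): a member's "cyber coordinates"


@dataclass
class Member:
    name: str
    coords: Coords
    authorized_peers: Set[str]        # who may learn this member's coordinates
    interval: Tuple[float, float]     # bounds for the random time until the next change
    next_change: float = 0.0
    address_book: Dict[str, Coords] = field(default_factory=dict)  # what this member knows about others


class PCNManagement:
    """Assigns, rotates and distributes coordinates for all PCN members."""

    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)   # seeded so the simulation is reproducible
        self.time = 0.0
        self.members: Dict[str, Member] = {}
        self.log: List[str] = []

    def _fresh_coords(self, avoid: Coords = None) -> Coords:
        """Random coordinates, guaranteed to differ from the current ones."""
        while True:
            c = ("10.%d.%d.%d" % tuple(self.rng.randrange(256) for _ in range(3)),
                 self.rng.randrange(1024, 65536))
            if c != avoid:
                return c

    def _schedule(self, m: Member) -> None:
        lo, hi = m.interval
        m.next_change = self.time + self.rng.uniform(lo, hi)   # random time of the next move

    def add_member(self, name: str, authorized_peers, interval: Tuple[float, float]) -> Member:
        m = Member(name, self._fresh_coords(), set(authorized_peers), interval)
        self._schedule(m)
        self.members[name] = m
        return m

    def _notify(self, m: Member) -> List[str]:
        """Push m's current coordinates to its authorized peers only (need to know)."""
        notified = []
        for peer in sorted(m.authorized_peers):
            if peer in self.members:
                self.members[peer].address_book[m.name] = m.coords
                notified.append(peer)
        return notified

    def bootstrap(self) -> None:
        """Initial distribution: every member learns the coordinates it is allowed to know."""
        for m in self.members.values():
            self._notify(m)

    def rotate(self, name: str) -> List[str]:
        """Move one member and tell only those who need to know; returns who was told."""
        m = self.members[name]
        m.coords = self._fresh_coords(avoid=m.coords)
        self._schedule(m)
        notified = self._notify(m)
        self.log.append("t=%.2f %s moved to %s:%d, notified %s"
                        % (self.time, name, m.coords[0], m.coords[1], notified))
        return notified

    def advance(self, until: float) -> List[str]:
        """Run simulated time forward, performing every due change in time order."""
        rotated = []
        while True:
            due = [m for m in self.members.values() if m.next_change <= until]
            if not due:
                break
            m = min(due, key=lambda x: x.next_change)
            self.time = m.next_change
            self.rotate(m.name)
            rotated.append(m.name)
        self.time = until
        return rotated

    def can_reach(self, sender: str, target: str) -> bool:
        """A packet only arrives if the sender holds the target's current coordinates."""
        known = self.members[sender].address_book.get(target)
        return known is not None and known == self.members[target].coords


def demo() -> dict:
    """Constructed retail-banking PCN: the bank moves often, customers rarely,
    and customers are never told each other's coordinates."""
    pcn = PCNManagement(seed=7)
    pcn.add_member("bank", {"alice", "bob"}, interval=(1.0, 2.0))
    pcn.add_member("alice", {"bank"}, interval=(50.0, 100.0))
    pcn.add_member("bob", {"bank"}, interval=(50.0, 100.0))
    pcn.bootstrap()
    stale = pcn.members["bank"].coords       # what an eavesdropper captured at t=0
    rotated = pcn.advance(3.0)
    return {
        "alice_reaches_bank": pcn.can_reach("alice", "bank"),
        "alice_knows_bob": "bob" in pcn.members["alice"].address_book,
        "stale_still_valid": stale == pcn.members["bank"].coords,
        "bank_moves": rotated.count("bank"),
        "customer_moves": len(rotated) - rotated.count("bank"),
        "log": list(pcn.log),
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Two things the simulation makes visible. First, a captured coordinate pair goes stale at the next move, so an attacker's window is bounded by that member's change interval. Second, the text allows the future coordinates to be sent unencrypted; with this design anyone who can read the notification traffic learns the new position at the same moment the authorized members do, so in practice the notification channel needs at least the protection given to the protected computer itself.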
The address changes could be done simultaneously for all the members of the PCN, or separately, particularly if the security requirements of the members substantially differ. The latter method is advantageous, for instance, if some of the computers within the PCN are much more likely than others to be targeted by potential intruders. A retail banking PCN could be an example of such an arrangement, where the bank's computer is much more likely to be attacked than a custo
