WO2022256866A1 - Systems, methods and devices for secure communication - Google Patents


Info

Publication number
WO2022256866A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
module
network
security module
security
Prior art date
Application number
PCT/AU2022/050562
Other languages
French (fr)
Inventor
Robert Potter
Patrick Hamilton
Original Assignee
Internet 2.0 Pty Limited
Priority date
Filing date
Publication date
Priority claimed from AU2021901725A
Application filed by Internet 2.0 Pty Limited
Publication of WO2022256866A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                            • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1458 Denial of Service
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
                            • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
                    • H04L9/40 Network security protocols
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/50 Secure pairing of devices
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                        • G06F21/606 Protecting data by securing the transmission between two devices or processes

Definitions

  • the present invention relates to secure communications. More particularly, the invention relates to devices, systems and methods for providing secure network communications between a first network and second network.
  • the invention has been developed primarily for use as a system for providing secure communications between a first network and a second network using multi-layer encryption and decryption of data packets. Whilst some embodiments will be described herein with particular reference to that application, it will be appreciated that the invention is not limited to such a field of use, and is applicable in broader contexts.
  • HAIPE High Assurance Internet Protocol Encryptor
  • US Patent No. 9,083,683 which provides an encryption/decryption device for secure communications between a protected network and an unprotected network. Such a device interfaces with the protected network to perform encapsulation of data from the protected network to define outgoing data packets, and perform decapsulation of incoming data packets.
  • Further examples of using HAIPE devices for secure network communications include the system of US Patent No. 7,904,711. This system is a scalable internet protocol encryption system to support HAIPE, and includes processing sensitive data for packet encryption/decryption and data authentication.
  • embodiments of the invention aim to provide a technical solution of providing protection to the transmission of data between two networks
  • embodiments of the invention address limitations of existing secure communications technologies at least by means of encrypting both the payload and the metadata of a data packet.
  • embodiments of the present invention seek to provide double encrypted communications which, when deployed, create a trusted and secure layer to network communications. Some embodiments are capable of securing and performing obfuscation to the protected network, which aims to prevent malicious actors from accessing system data. Along with this, the double encryption system aims to protect both the data packet’s metadata and content data from unauthorised entities.
  • a security system for secure communication between a first network and a second network, the system comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt a first portion of at least one data packet to define a partially encrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt a second portion of the partially encrypted data packet to provide a fully encrypted data packet.
  • the outer security module includes a second firewall in communication with the second network.
  • the inner security module preferably includes an inner analysis module, configured to receive and process the at least one data packet. More preferably, the inner analysis module is at least one of an intrusion detection system and an intrusion prevention system.
  • the outer security module includes an outer analysis module, configured to receive and process incoming and outgoing traffic between the outer security module and the second network. More preferably, the outer analysis module is at least one of an intrusion detection system and an intrusion prevention system.
  • the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption.
  • the symmetric encryption includes symmetric block encryption.
  • the first network is an internal network.
  • the second network is an external network.
  • the first network is an electronic device.
  • the at least one data packet includes a header and a payload.
  • the first portion of the at least one data packet is preferably the header.
  • the second portion of the at least one data packet is preferably the payload.
  • the second cryptographic module is configured to apply new metadata to the fully encrypted data packet.
  • a security system for secure communication between a first network and a second network, the system comprising: an outer security module in communication with the second network, the outer security module including: a second cryptographic module configured to decrypt a second portion of at least one fully encrypted data packet to provide a partially decrypted data packet.
  • an inner security module in communication with the outer security module and the first network, including: a first cryptographic module configured to decrypt a first portion of the partially decrypted data packet to provide a fully decrypted data packet; and a first firewall in communication with the first cryptographic module and the outer security module, the first firewall configured to process the partially decrypted data packet;
  • a device for secure communication between a first network and a second network comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt or decrypt a first portion of at least one data packet to define a partially encrypted or partially decrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted or partially decrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt or decrypt a second portion of the data packet to provide a fully encrypted or fully decrypted data packet.
  • a method for secure communication between a first network and a second network comprising: a) receiving at least one data packet at an inner security module; b) encrypting a first portion of the data packet with a first cryptographic module, disposed within the inner security module; c) processing the data packet through a first firewall in communication with the first cryptographic module and an outer security module; d) receiving the data packet at the outer security module; and e) encrypting a second portion of the data packet with a second cryptographic module to provide a fully encrypted data packet.
  • the method further includes the step of processing the data packet through a second firewall in communication with the second network and the outer security module.
  • the inner security module includes an inner analytical process module, configured to inspect the at least one data packet. More preferably, the inner analytical process module is at least one of an intrusion detection system and an intrusion prevention system.
  • the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption.
  • the symmetric encryption includes symmetric block encryption.
  • the first network is an internal network.
  • the second network is an external network.
  • the first network is an electronic device.
  • At least one data packet includes a header and a payload. More preferably, the first portion of the at least one data packet is the payload. More preferably, the second portion of the at least one data packet is the header. In further embodiments, the method further includes the step of applying new metadata to the fully encrypted data packet.
  • a method for secure communication between a first network and a second network comprising: a) receiving at least one data packet at an outer security module; b) decrypting a second portion of the data packet with a second cryptographic module, disposed within the outer security module; c) processing the data packet through an outer firewall in communication with the second cryptographic module and an inner security module; d) receiving the data packet at the inner security module; and e) decrypting a first portion of the data packet with a first cryptographic module to provide a fully decrypted data packet.
  • Figure 1 is a data flow process diagram of the secure communication system according to a preferred embodiment
  • Figure 2 is a data flow process diagram of the secure communication system according to a preferred embodiment
  • Figure 3 is a data flow process diagram showing the state of a data packet during encryption by a method of secure communication according to a preferred embodiment
  • Figure 4 is a data flow process diagram showing the state of a data packet during decryption by a method of secure communication according to a preferred embodiment
  • Figure 5 is a data flow process diagram of the method of encryption performed by the secure communication system of Figure 1;
  • Figure 6 is a data flow process diagram of the method of decryption performed by the secure communication system of Figure 1.
  • the devices, systems and methods described herein make use of a series of cryptographic modules and firewalls that provide a dual security layer within an operating environment of a secure device in a first network.
  • the device can be physical or virtualised.
  • Data packets are sent from an internal network into an inner security module, and the data packets are partially encrypted and passed on to an outer security module. This outer security module is connected to the external side of the network.
  • the data packets are then fully encrypted, before sending the encrypted packet for routing to another secure device in a second network.
  • the process is completed by using two separate security modules. These may be two separate security virtual machines within a virtual environment. Alternatively, in other embodiments, the invention can be executed in a single operating system, which executes the two separate security modules. In further embodiments, an inner security module and outer security module may be optimised to operate within one operating system and not in a virtualised environment. In other embodiments, two separate security modules may instead be a single security module. In yet further embodiments, a single security module may be used instead of segmenting into an outer and inner security module. In other embodiments, two sets of physical security modules may be used together instead of being confined within a single physical device.
  • the system includes an inner security module 4 in communication with the first network 2.
  • the inner security module 4 includes a first cryptographic module 6 configured to encrypt a first portion 8A of at least one data packet 8 to provide a partially encrypted data packet 9 and a first firewall 11 connected to the first cryptographic module 6, the first firewall configured to inspect the partially encrypted data packet 9.
  • the system further includes an outer security module 5 in communication with the inner security module 4 and the second network 3.
  • the outer security module includes a second cryptographic module 7 configured to encrypt a second portion 8B of the at least one data packet 9.
  • the inner security module 4 includes an inner analytical process module 13 in communication with the first cryptographic module 6.
  • the outer security module 5 includes an outer analytical process module 14 in communication with the second cryptographic module 7.
  • the invention works by taking a data packet and encrypting the data packet through two rounds of encryption, which protects both the data payload and the metadata to secure communications between a first network 2, such as a computer, and a second network 3, such as the internet.
  • a data packet 8 refers to an unencrypted plaintext data packet.
  • a single encrypted data packet 9 may also be referred to as a partially encrypted or partially decrypted data packet.
  • a fully encrypted data packet 10 may also be referred to as a double encrypted data packet.
  • a data packet 8 is initiated from a computer system 15 or electronic device, and transmitted to the inner security module 4.
  • the inner security module includes a first cryptographic module 6.
  • the first cryptographic module encrypts a first portion 8A of the data packet 8 to provide a partially encrypted data packet 9.
  • the first portion is the payload 16.
  • the data packet 9 is first inspected by an inner analytical process module 13 to determine whether it is authorised to progress through the system 1.
  • the data packet 8 is then transmitted to the first firewall 11 for inspection before being passed to the outer security module 5.
  • the outer security module includes a second cryptographic module 7.
  • the second cryptographic module encrypts a second portion 8B of the data packet 8 to provide a multi-layer encrypted data packet 10.
  • the second portion is the metadata 18.
  • New metadata 20 is applied to the multi-layer encrypted data packet 10 in order to route the encrypted data packet to its destination.
  • the outer security module 5 may additionally include an outer analytical process module 14 to analyse incoming packets 22 from external networks 3.
  • the outer security module may additionally include a second firewall 12 to inspect incoming and outgoing traffic 22 and 24.
  • a data packet 8 is initiated from a computer system 15 to an inner security module 4 (S101). Once in the inner security module, the data packet 8 is inspected and determined whether or not it is authorised (S102). If it is not authorised, then the packet 8 is prevented from going further through the inner security module (S102N). If it is authorised, the data packet 8 is sent to an inner analytical process module 13 (S102Y). The inner analytical process module 13 performs a deep packet inspection to determine if there is anything suspicious about the content 16 or if there is an anomaly (S103).
  • the packet is blocked, and an alert may be issued (S103N). If it is cleared, the packet 8 is transmitted to a first cryptographic module 6 (S103Y).
  • the first cryptographic module 6 then initiates an asymmetric block encryption to establish a connection (S201), then applies a symmetrical block encryption 52 (S202), and encrypts the payload 16 of the data packet 8 (S203) to define a partially encrypted data packet 9.
  • the partially encrypted data packet is then transmitted to the outer security module 5 through a first firewall 11 (S301). If the data packet belongs to a trusted or high routing site 36, 38 then a further round of encryption is applied (S301Y).
  • the partially encrypted data packet 9 is passed through the firewall to the network 3 (S301N).
  • In Stage 4 of encryption, once the partially encrypted data packet is received at the outer security module 5, it is transmitted to a second cryptographic module 7, which applies a second round of encryption that is the same as steps S201 and S202 (S401, S402).
  • the second cryptographic module encrypts the header 18 of the partially encrypted data packet 9 (S403), and then applies a new header 20 with routing information 21 (S404) to define a fully encrypted data packet 10.
  • the fully encrypted data packet is then passed through an outer analytical process module 14 (S405).
  • In Stage 5 of encryption, the packet is passed through an outer firewall 12 (S501) before being sent to the external network 3 (S601) in Stage 6 of encryption.
  • a multi-layer encrypted data packet 10 is received from an external network 3, and transmitted to the outer security module 5.
  • the encrypted data packet 10 is passed through the second firewall 12.
  • the data packet 8 is inspected by the outer analytical process module 14 before being transmitted to the second cryptographic module 7.
  • the second cryptographic module decrypts a second portion 8B of the multi-layer encrypted data packet 10, to provide a partially decrypted data packet 9.
  • the second portion 8B is the metadata 18.
  • the partially decrypted data packet 9 is transmitted to the inner security module 4.
  • the partially decrypted data packet is inspected by the first firewall 11 before being passed to the first cryptographic module 6.
  • the first cryptographic module decrypts the first portion 8A of the data packet 9, which is the payload 16 of the data packet 9. Once decrypted, the data packet 10 is a fully decrypted data packet 8 in its original state. In some embodiments, the original data packet 8 is transmitted to the inner analytical process module 13 for inspection. The original data packet is then transmitted to the computer 15.
  • a decryption method for secure communication. In Stage 1 of decryption, a data packet 10 is received from a computer system or network 3 to an outer firewall 12 (S701) of an outer security module 5. If blocked, the outer firewall prevents the data packet from entering the system (S701N). If it is authorised to proceed (S701Y), the data packet is passed through the outer security module, and received by the outer analytical process module 14 (S801) in Stage 2 of decryption. Authorised packets are inspected to determine if there are any suspicious anomalies, such as malware signatures (S802).
  • the header 18 is decrypted to define a partially decrypted data packet 9 (S803), which is then passed to the inner security module 4.
  • Low or unsecured routing packets 40, 42 are sent directly to the inner security module 4 (S803N).
  • the partially decrypted data packet 9 is passed through an inner firewall 11 (S901) for inspection.
  • the data packet is then transmitted to the first cryptographic module 6 (S1001), where the payload 16 of the data packet 9 is decrypted to define a fully decrypted data packet 10 (and thereby has returned to its original state) (S1002).
  • the decrypted data packet is transmitted to an inner analytical process module 13, which performs a deep packet inspection of the payload 16 to determine if there are any suspicious anomalies (S1101). If a packet is found to violate any predefined rules or contain any malicious anomalies, the packet is blocked (S1101N). If authorised (S1101Y), in Stage 6 of decryption, the decrypted data packet is sent through to the internal network or computer system 15 (S1201).
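A worked model of the two-stage encryption and decryption described above (stages S203, S403/S404, S803 and S1002), as an added example that is not code from the patent or from Internet 2.0: the inner module seals only the payload so the header stays readable for the inner firewall, the outer module seals the original header and prepends a clear routing header, and decryption reverses the two stages. AES-256-GCM, the length-prefixed wire format, the text header encoding and the demo keys are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet models the plaintext data packet 8: header 18 (metadata) and payload 16.
type Packet struct {
	Header  []byte
	Payload []byte
}

// gcmFor builds AES-256-GCM, this example's assumed stand-in for the patent's
// unspecified "symmetrical block encryption"; a bad key is a setup error, so it panics.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts pt under key and prepends the random nonce that open needs.
func seal(key, pt []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on truncated or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// InnerEncrypt (S203): only the payload is encrypted, so firewall 11 can still read the header.
func InnerEncrypt(k1 []byte, p Packet) Packet {
	return Packet{Header: p.Header, Payload: seal(k1, p.Payload)}
}

// OuterEncrypt (S403, S404) seals the original header under k2 and prepends clear routing header 20.
// Wire format (assumed): u16 len | routing | u16 len | sealedHdr | sealedPayload
func OuterEncrypt(k2, routing []byte, partial Packet) ([]byte, error) {
	sealedHdr := seal(k2, partial.Header)
	var out []byte
	for _, f := range [][]byte{routing, sealedHdr} {
		if len(f) > 0xFFFF {
			return nil, errors.New("field too long for u16 length prefix")
		}
		out = append(append(out, byte(len(f)>>8), byte(len(f))), f...)
	}
	return append(out, partial.Payload...), nil
}

// OuterDecrypt (S803) strips routing header 20 and recovers the original header; the payload stays sealed.
func OuterDecrypt(k2, wire []byte) (routing []byte, partial Packet, err error) {
	var fields [2][]byte // routing header, sealed original header
	for i := range fields {
		if len(wire) < 2 || len(wire)-2 < int(binary.BigEndian.Uint16(wire)) {
			return nil, Packet{}, errors.New("truncated or malformed packet")
		}
		n := int(binary.BigEndian.Uint16(wire))
		fields[i], wire = wire[2:2+n], wire[2+n:]
	}
	hdr, err := open(k2, fields[1])
	return fields[0], Packet{Header: hdr, Payload: wire}, err
}

// InnerDecrypt (S1002) restores the plaintext packet 8.
func InnerDecrypt(k1 []byte, partial Packet) (Packet, error) {
	payload, err := open(k1, partial.Payload)
	return Packet{Header: partial.Header, Payload: payload}, err
}

func main() {
	k1, k2 := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(k1)
	rand.Read(k2)
	// Constructed sample packet; the text header encoding is an assumption.
	orig := Packet{Header: []byte("src=10.0.0.5;dst=10.0.0.9"), Payload: []byte("hello")}
	wire, _ := OuterEncrypt(k2, []byte("route=gw-b"), InnerEncrypt(k1, orig))
	routing, partial, _ := OuterDecrypt(k2, wire)
	back, _ := InnerDecrypt(k1, partial)
	fmt.Printf("routing=%q header=%q payload=%q\n", routing, back.Header, back.Payload)
}
```

Between the two stages the original header is still in the clear and the payload is opaque, which is the state firewall 11 inspects; on the wire only the routing header is readable.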
  • the systems, devices and methods of the invention are configurable for providing secure communications.
  • the systems, devices and methods described herein provide secure communication between devices and networks.
  • the secure communication is provided between a device and a network.
  • the secure communication is provided between a first and second network.
  • although the networks or network devices may be within the same local area (for example, they may be within the same building), the primary purpose is for the systems and methods to provide secure communications in networks and devices which utilise the internet.
  • the first network is an internal network. In other embodiments the first network is an external network. In some embodiments, the second network is an external network. In other embodiments, the second network is an internal network. In some embodiments, the internal network may be an ethernet. Additionally or alternatively, the first or second network may include at least one of a local area network (LAN), a personal area network (PAN), a wireless local area network (WLAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), a storage-area network (StAN), a system-area network (SAN), a passive optical local area network (POLAN), an enterprise private network (EPN), and/or a virtual private network (VPN). In some embodiments, the first network or the second network may be the Internet.
  • LAN local area network
  • PAN personal area network
  • WLAN wireless local area network
  • CAN campus area network
  • MAN metropolitan area network
  • WAN wide area network
  • StAN storage-area network
  • SAN system-area network
  • the first or second network may include a device.
  • the device may include at least one of a network device, electronic device or terminal device.
  • the device may include at least one of a workstation, desktop computer, laptop, tablet, notebook computer, display interface and/or smartphone.
  • the device may be a secure device.
  • Data which is intended to be routed to a specific destination is initiated from a computer system, electronic device or network.
  • the data is sent to the system in the form of at least one data packet 8.
  • the data packet may also be referred to as a datagram, segment, block, cell or frame.
  • Data packets have two types of data components, the data content 16 (which may also be referred to herein as the payload) and the header 18 (which may also be referred to herein as the metadata).
  • the payload 16 contains the data that is processed into useful information for humans or machines (for example, a credit card number).
  • the metadata 18 contains information primarily associated with networking and communication (for example, computer names, data tags, IP addresses, and SSH keys).
  • the data packet 8 includes a header 18 and a payload 16.
  • the header identifies at least the source and the destination of the packet.
  • the header may also be referred to as metadata.
  • the payload may also be referred to as the actual data or data content.
  • the data packet is a standard Internet Protocol packet.
  • the internet packet includes at least one of raw IP, ICMP, UDP, and TCP.
  • the inner security module 4 is disposed within a virtual environment 32. This may be referred to as a security environment.
  • the inner security module is in communication with the first network.
  • the first network may be an internal network.
  • the first network may include a device. It will be appreciated that the inner security module may be in communication with any type of network.
  • the inner security module is configured to receive data packets from a first network.
  • the first network includes a device.
  • the device may be a user workstation.
  • the inner security module includes an inner cryptographic module and an inner firewall.
  • the inner security module includes an inner analytical process module 13.
  • the inner analytical process module 13 is an intrusion detection/prevention system (ID/PS) 34.
  • ID/PS intrusion detection/prevention system
  • the data packet 8 is transmitted to the inner cryptographic module 6.
  • the data packet is only sent to the inner cryptographic module if it meets at least one predefined criteria. For example, in some embodiments, data packets that are inspected by the inner analytical process module 13 and found to contain an IP address which belongs to a trusted 36, high 38 or low routing list 40 are sent to the inner cryptographic module 6 for encryption. In other embodiments, data packets which are determined to be unsecure are not encrypted by the inner cryptographic module at this stage. If the data packet is not encrypted at this stage, it may be encrypted at the outer security module.
  • the inner cryptographic module is configured to encrypt a first portion 8A of the data packet 8. In the preferred embodiment, the data packet’s payload 16 is encrypted by the inner cryptographic module 6 to provide a partially encrypted data packet 9.
  • the partially encrypted data packet 9 is then transmitted to the inner firewall 11.
  • the inner firewall inspects the partially encrypted packet. After inspection, the partially encrypted data packet may be passed through to the outer security module 5.
  • the inner security module 4 is configured to receive data packets from the outer security module 5.
  • the inner security module is configured to receive partially decrypted data packets from the outer security module.
  • the partially decrypted packets preferably include an encrypted payload and a decrypted header.
  • the partially decrypted data packets are passed through the inner firewall, and inspected before being passed to the inner cryptographic module 6.
  • the inner cryptographic module decrypts the first portion 8A of the data packet 9. In this case, the first portion is the first portion to be encrypted, that is, the payload 16. Once the payload is decrypted, the data packet returns to its original state. This may be referred to as its plaintext form.
  • the original data packet 8 is then transmitted to the inner analytical process module 13.
  • the inner analytical process module 13 performs deep packet inspection of the decrypted data packet. Once determined to be authorised, the data packet is transmitted from the inner security module 4 to the first network or destination device.
  • the system also includes an outer security module 5.
  • the outer security module is disposed within a virtual environment 32.
  • the inner security module and the outer security module are both disposed within a virtual environment.
  • the inner security module and outer security module may be disposed in a single operating system.
  • the outer security module is in communication with the second network 3.
  • the second network may be an external network.
  • the second network may include a device. It will be appreciated that the outer security module may be in communication with any type of network.
  • the outer security module 5 is configured to receive data packets from the inner security module 4.
  • the outer security module is configured to receive partially encrypted data packets from the inner security module.
  • the partially encrypted data packets preferably include an encrypted payload.
  • the outer security module 5 includes an outer cryptographic module 7. It may additionally include an outer firewall 12.
  • the outer security module 5 may also include an outer analytical process module 14.
  • the outer analytical process module 14 is an intrusion detection/prevention system (ID/PS).
  • the outer security module 5 receives a partially encrypted data packet 9 from the inner security module 4.
  • the outer security module is configured to perform encryption on the received partially encrypted data packet 9.
  • the outer security module may process some or all data packets for further encryption. In some cases, data packets which meet at least one predefined criterion are processed for further encryption, whilst others may be transmitted directly to the second network 3 without further encryption.
  • when the outer security module receives the partially encrypted data packet 9, the packet is sent to the outer cryptographic module 7, which is configured to encrypt a second portion 8B of the data packet 9.
  • the data packet's header 18 or metadata is encrypted by the outer cryptographic module 7 to provide a multi-layer encrypted data packet.
  • the multi-layer encrypted data packet is then transmitted through the outer analytical process module 14.
  • the multi-layer encrypted data packet 10 is transmitted through the outer firewall 12.
  • the multi-layer encrypted data packet may be sent directly to the second network.
  • the outer security module 5 is configured to receive data packets from the second network.
  • the outer security module is configured to receive encrypted data packets. These data packets are preferably multi-layer encrypted data packets.
  • the encrypted data packet 10 is passed through the outer firewall 12, which inspects the packet and passes it through to the outer analytical process module 14.
  • the encrypted data packet is processed through the outer analytical process module 14. Once it is determined to be authorised to proceed, the encrypted data packet is transmitted to the outer cryptographic module.
  • the outer cryptographic module 7 decrypts the second portion 8B of the multi-layer encrypted data packet 10, thereby to provide a partially decrypted data packet 9.
  • the partially decrypted data packet may also be referred to as a partially encrypted data packet.
  • the outer cryptographic module decrypts the header of the encrypted data packet. Once partially decrypted, the data packet is transmitted to the inner security module 4.
  • the outer security module 5 is configured to receive data packets from the second network. Alternatively or additionally, the outer security module is configured to transmit partially decrypted data packets to the inner security module. In further embodiments, a system could perform the full serial encryption process by doubling the encryption of the packet at the exit of the outer security module.
  • Large-scale quantum computers are projected to break the public-key algorithms in common use (Shor's algorithm against RSA and elliptic-curve keys) and to halve the effective strength of symmetric keys (Grover's algorithm). Conventional computers have no hardware answer to this. To mitigate it, the systems, methods and devices of the present invention are capable of utilising quantum-resistant algorithms, coded into the system, thereby extending the useful life of current conventional computers. Using multiple rounds of encryption provides an added layer of resistance against a quantum computer's ability to defeat the encryption system. That added resistance depends on the rounds using independent keys of adequate length (a 256-bit symmetric key keeps 128-bit security against Grover's search), and the handshake that establishes those keys must itself be quantum-resistant, or both layers fall together.
  • the inner security module 4 may include an inner analytical process module 13, in communication with inner cryptographic module.
  • the outer security module 5 may include an outer analytical process module 14, disposed between, and in communication with the outer cryptographic module 7 and the outer firewall 12.
  • the inner analytical process module 13 may also be referred to as a first analysis module.
  • the outer analytical process module 14 may also be referred to as a second analysis module.
  • the inner analytical process module 13 and the outer analytical process module 14 may be referred to collectively as the analytical process modules.
  • the analytical process modules may also be referred to collectively as the analysis modules.
  • the analytical process modules 13 and 14 preferably include an intrusion detection system (IDS) or an intrusion prevention system (IPS). In other embodiments, the analytical process modules include an intrusion detection/prevention system (ID/PS). The analytical process modules may include a signature-based intrusion detection system or an anomaly-based intrusion detection system. In some embodiments, the analytical process modules 13 and 14 may include a combination of signature-based and anomaly-based intrusion detection systems.
  • the analytical process modules determine whether or not the received data packet is authorised to be transmitted through the system. In a preferred embodiment, this determination is carried out by first analysing the data packet's metadata or header 18. This may include determining whether the destination IP address meets at least one predefined criterion. In one embodiment, the destination IP address read from the packet's metadata is compared with the following example criteria:
  • Trusted 36: the IP address is on a list of trusted IP addresses. This is the highest level of trust, for example addresses owned by the organisation.
  • Multi-layer encrypted routing: IP addresses external to the organisation that utilise a multi-layered encryption capability. This could be another instance of the present system, or another system determined to meet specific security requirements for a communication channel.
  • Unsecure routing 42: unencrypted routing for legacy sites. These IP addresses have no encryption capability, which is the case for the majority of nodes on the Internet today.
  • Blacklist 44: blacklisted sites include unauthorised sites blocked by an organisation, and sites considered unsafe on the basis of threat intelligence, historical data or reputation.
  • the predefined criteria are not limited to the above examples and may be customised to an organisation's requirements.
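The routing-list decision above, written out as an added example that is not code from the patent or from Internet 2.0: the destination address is matched against CIDR lists and mapped to the action the inner analytical process module takes (drop, pass through unencrypted, or hand to the inner cryptographic module). The list contents, the use of CIDR prefixes, the "unlisted" fallback and the blacklist-first precedence are this example's assumptions; the page only names the lists.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the decision the inner analytical process module reaches for a
// packet once its destination address has been matched against the lists.
type Action int

const (
	ActionDrop        Action = iota // blacklist 44: block (and alert)
	ActionPassthrough               // unsecure routing 42: forward unencrypted
	ActionEncrypt                   // trusted 36 / high 38 / low 40: send to the inner cryptographic module
)

func (a Action) String() string { return [...]string{"drop", "passthrough", "encrypt"}[a] }

// RoutingLists holds the criteria as CIDR prefixes (the prefix values in
// ExampleLists are constructed for this example).
type RoutingLists struct {
	Trusted, High, Low, Unsecure, Blacklist []*net.IPNet
}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func contains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Classify returns the list a destination matched and the resulting action.
// The blacklist is consulted first so that a blacklisted host inside an
// otherwise trusted prefix is still blocked. An address on no list is treated
// as unsecure routing here (assumption); a stricter policy could drop it.
func (r RoutingLists) Classify(dst net.IP) (list string, act Action) {
	switch {
	case dst == nil:
		return "invalid", ActionDrop
	case contains(r.Blacklist, dst):
		return "blacklist", ActionDrop
	case contains(r.Trusted, dst):
		return "trusted", ActionEncrypt
	case contains(r.High, dst):
		return "high", ActionEncrypt
	case contains(r.Low, dst):
		return "low", ActionEncrypt
	case contains(r.Unsecure, dst):
		return "unsecure", ActionPassthrough
	default:
		return "unlisted", ActionPassthrough
	}
}

// ExampleLists is a constructed policy built from documentation address ranges.
var ExampleLists = RoutingLists{
	Trusted:   mustCIDRs("10.0.0.0/8"),
	High:      mustCIDRs("203.0.113.0/24"),
	Low:       mustCIDRs("198.51.100.0/24"),
	Unsecure:  mustCIDRs("192.0.2.0/24"),
	Blacklist: mustCIDRs("10.66.0.0/16", "198.51.100.99/32"),
}

func main() {
	for _, s := range []string{"10.1.2.3", "10.66.1.1", "203.0.113.7", "198.51.100.99", "192.0.2.10", "8.8.8.8"} {
		list, act := ExampleLists.Classify(net.ParseIP(s))
		fmt.Printf("%-15s %-10s %s\n", s, list, act)
	}
}
```

The order of the cases is the security-relevant part: 10.66.1.1 sits inside the trusted 10.0.0.0/8 prefix yet is dropped because the blacklist is checked first, and an unparsable address is dropped rather than passed through.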
  • the inner analytical process module 13 may additionally perform a deep packet inspection of the data packet’s payload 16 to determine if the data packet is authorised to proceed through the system for encryption, or authorised to proceed to the first network after being decrypted. As the packet is not encrypted, the inner analytical process module 13 can perform its inspection to a high degree.
  • Authorisation of the data packet based on payload inspection may include determining whether the payload content violates at least one predetermined rule, and/or whether a suspicious anomaly is present within the payload 16. The suspicious anomaly may be determined based on recognition of a signature or profile relating to malicious activity or known malware. Alternatively, the anomaly may be determined by using anomaly-based detection.
  • Packets that are found to be clear are allowed to proceed to their designated destination. If an anomaly or rule violation is detected, the data packet is blocked by the inner analytical process module 13 and an alert may be issued.
  • the data packet 8 may simply be transmitted through to the second network 3 without further processing by the inner security module 4 and/or the outer security module 5 when the inner analytical process module 13 does not authorise it for encryption. Some data packets which only cause alerts may be allowed to proceed through the system. In other embodiments, packets found to breach a rule will be blocked.
  • the functionality of the inner analytical process module protects the first network.
  • the two processes applied by the inner analytical process module 13 help to minimise the resources needed to provide encryption for all data packets moving through the system. If a packet is determined not to be valid for, or not authorised for, encryption, it can be sent forward to another network without encryption or additional processing.
  • the outer analytical process module 14 is tasked with analysing incoming packets from the second network or external networks. It is primarily set to prevent botnets and malicious packets from entering. Artificial intelligence may be used to allow the system to detect and adapt to the latest threats and attacks in progress.
  • the inner security module 4 includes an inner cryptographic module 6.
  • the inner cryptographic module may be disposed between, and in communication with, the inner analytical process module 13 and the inner firewall 11.
  • the outer security module 5 includes an outer cryptographic module 7.
  • the outer cryptographic module may be in communication with the outer analytical process module 14.
  • the inner cryptographic module and the outer cryptographic module may be referred to collectively as the cryptographic modules 6 and 7.
  • the inner cryptographic module 6 is configured to encrypt a received data packet 8. Alternatively, or additionally, the inner cryptographic module 6 is configured to decrypt a received data packet.
  • the inner cryptographic module may be configured to perform encryption and decryption simultaneously.
  • the inner cryptographic module 6 may include an encryption module 46 and a decryption module 48, configured to encrypt and/or decrypt data packets, respectively.
  • the inner cryptographic module is configured to receive authorised data packets from the inner analytical process module 13.
  • the inner cryptographic module encrypts a received data packet if the data packet meets at least one predefined criteria. For example, if the IP address obtained from the data packet’s metadata is a trusted IP address 36, 38, 40.
  • the inner cryptographic module 6 is configured to encrypt a first portion 8A of a received data packet 8 to provide a partially-encrypted data packet 9.
  • This first portion may include the payload 16 of the data packet. Alternatively, the first portion may include at least part of the payload.
  • the inner cryptographic module 6 is in communication with the inner firewall 11, and configured to transmit the partially encrypted data packet 9 to the inner firewall for processing and/or inspection.
  • the inner cryptographic module 6 is additionally configured to decrypt a first portion 8A of a received partially decrypted data packet 9. This first portion may include the payload 16 of the data packet 9. Alternatively, the first portion may include at least part of the payload.
  • the inner cryptographic module may be configured to decrypt an encrypted data packet to provide at least one of a partially decrypted data packet 9 or a completely decrypted data packet 8.
  • the inner cryptographic module is in communication with the inner analytical process module 13, and configured to transmit the decrypted data packet to the inner analytical process module 13 for deep packet inspection.
  • the outer cryptographic module 7 is configured to encrypt a received partially encrypted data packet 9 to provide a multi-layer encrypted data packet 10. Alternatively, or additionally, the outer cryptographic module is configured to decrypt a received data packet 9.
  • the outer cryptographic module may be configured to perform encryption and decryption simultaneously.
  • the outer cryptographic module may include an encryption module 46 and a decryption module 48, configured to encrypt and/or decrypt data packets, respectively.
  • the outer cryptographic module is configured to receive partially encrypted data packets from the inner security module 4.
  • the outer cryptographic module encrypts a received partially encrypted data packet if the data packet meets at least one predefined criteria. For example, if the IP address obtained from the data packet’s metadata is a trusted IP address 36, 38, 40.
  • the outer cryptographic module 7 is configured to encrypt a second portion 8B of a received partially-encrypted data packet 9. This second portion may include the header 18 of the data packet 8 or 9. Alternatively, the second portion may include at least part of the header.
  • the outer cryptographic module is in communication with the external network 3, and configured to transmit the multi-layer encrypted data packet to the external network. After the outer cryptographic module encrypts the second portion of the data packet, it applies a secondary or new metadata 20 to the fully encrypted data packet 10, in order to facilitate routing between the first network and second network.
  • the outer cryptographic module 7 is additionally configured to decrypt a second portion 8B of a received multi-layer encrypted data packet 10. This second portion may include the header 18 of the data packet. Alternatively, the second portion may include at least part of the header.
  • the outer cryptographic module may be configured to decrypt an encrypted data packet to provide a partially decrypted data packet.
  • the outer cryptographic module 7 is in communication with the inner security module 4, and configured to transmit the partially- decrypted data packet 9 to the inner security module 4. In some embodiments, the outer cryptographic module may be configured to fully encrypt/decrypt the outgoing/incoming data packet by doubling the encryption/decryption.
  • the encryption process uses a symmetric block encryption, such as the Advanced Encryption Standard (AES), for the transmission of the data packets.
  • the cryptographic modules 6 and 7 utilise an initiation process to establish a connection.
  • the initial connection, also referred to as a handshake, is performed using asymmetric (public-key) cryptography; once the connection is established, symmetric encryption is used.
  • the initiation process uses asymmetric encryption only to establish the connection, that is, to agree or transport the session keys, and should also authenticate the peers, since an unauthenticated key exchange can be intercepted by an active attacker. Once the connection has been established, symmetric encryption is used to encrypt the data packets.
  • the symmetric encryption is preferably a symmetric block cipher in an authenticated mode, so that each layer detects modification as well as hiding content; it may alternatively include a stream cipher.
  • the symmetric encryption may include at least one of, but is not limited to, an Advanced Encryption Standard (AES) algorithm, a Data Encryption Standard (DES) algorithm, an International Data Encryption Algorithm (IDEA), a Blowfish algorithm, a Rivest Cipher 4 (RC4) algorithm, a Rivest Cipher 5 (RC5) algorithm, or a Rivest Cipher 6 (RC6) algorithm. Of these, DES (56-bit key) and RC4 are broken and deprecated, and 64-bit block ciphers such as IDEA and Blowfish are unsuitable for high-volume packet traffic; a current deployment should select AES-256 in GCM mode or ChaCha20-Poly1305.
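The handshake described above, as an added example that is not part of the patent: an X25519 key agreement stands in for the "asymmetric encryption" (the page does not say which public-key algorithm is used), and the shared secret is expanded into separate keys for the inner and outer cryptographic modules with an HMAC-SHA256 extract-and-expand construction. The labels, the use of two independent keys and the binding of both public values into the derivation are this example's choices. What the example deliberately leaves out is peer authentication: an unauthenticated key agreement like this one is open to an active interposer, so a deployment must sign or pre-share the public values. X25519 is also not quantum-resistant; the quantum-resistant variant the description mentions would swap a post-quantum KEM in at this point.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SessionKeys are the symmetric keys a side holds after the handshake: one
// for the inner cryptographic module (payload layer) and one for the outer
// cryptographic module (header layer). Giving each layer an independent key
// is this example's assumption; the description only states two rounds.
type SessionKeys struct {
	Inner [32]byte
	Outer [32]byte
}

// Peer is one side of the handshake with an ephemeral X25519 key pair.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// PublicBytes is the value a peer sends in its handshake message.
func (p *Peer) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// Derive completes the handshake from the other side's public value. The
// shared secret is extracted with HMAC-SHA256 keyed by the transcript (both
// public values, initiator first) and expanded under two labels, so the two
// layers never share a key and the keys are bound to this exchange.
func (p *Peer) Derive(remotePub, initiatorPub, responderPub []byte) (SessionKeys, error) {
	pub, err := ecdh.X25519().NewPublicKey(remotePub)
	if err != nil {
		return SessionKeys{}, err
	}
	shared, err := p.priv.ECDH(pub) // errors on low-order (all-zero) results
	if err != nil {
		return SessionKeys{}, err
	}
	transcript := append(append([]byte{}, initiatorPub...), responderPub...)
	extract := hmac.New(sha256.New, transcript) // HKDF-Extract: salt = transcript, IKM = shared
	extract.Write(shared)
	prk := extract.Sum(nil)
	var ks SessionKeys
	copy(ks.Inner[:], expand(prk, "serial-encryption inner payload layer"))
	copy(ks.Outer[:], expand(prk, "serial-encryption outer header layer"))
	return ks, nil
}

// expand is HKDF-Expand for a single 32-byte output block (RFC 5869, T(1)).
func expand(prk []byte, label string) []byte {
	mac := hmac.New(sha256.New, prk)
	mac.Write([]byte(label))
	mac.Write([]byte{0x01})
	return mac.Sum(nil)
}

// Handshake runs both sides locally: A sends its public value, B replies with
// its own, and each derives the session keys. Both sides' keys are returned
// so the caller can confirm they agree.
func Handshake() (a, b SessionKeys, err error) {
	pa, err := NewPeer()
	if err != nil {
		return a, b, err
	}
	pb, err := NewPeer()
	if err != nil {
		return a, b, err
	}
	msg1 := pa.PublicBytes() // A -> B
	msg2 := pb.PublicBytes() // B -> A
	if a, err = pa.Derive(msg2, msg1, msg2); err != nil {
		return a, b, err
	}
	if b, err = pb.Derive(msg1, msg1, msg2); err != nil {
		return a, b, err
	}
	return a, b, nil
}

func main() {
	a, b, err := Handshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("inner keys agree:", a.Inner == b.Inner, "outer keys agree:", a.Outer == b.Outer, "layers differ:", a.Inner != a.Outer)
}
```

Because the key pairs are ephemeral, every handshake yields fresh keys for both layers; compromise of one session's keys does not expose another's, which is the property the serial encryption relies on when it claims that a packet stays protected if one layer is broken.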
  • the inner and outer cryptographic modules 6 and 7 thereby enable serial encryption.
  • with serial encryption, both the metadata and the content data of packets are protected and can only be decrypted by another such system or device that includes the cryptographic modules.
  • no data packet can be decrypted by conventional means by entities using other forms of systems. This keeps the information in the data packet confidential and confined to its intended target.
  • with serial encryption enabled, the devices automatically drop packets that are not double-encrypted before processing them, thus reducing the chances of success, and mitigating the effect, of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. For this to help, the check that rejects such packets must cost less than the work it saves: the outer layer's authentication tag is verified before any decryption or inspection of the inner layer takes place.
  • the systems and methods described herein are capable of performing stronger encryption algorithms with multiple rounds (serial encryption) without significant performance loss.
  • the method of encryption performs two rounds of encryption, in which the data payload is first encrypted, and then both the payload and the metadata are encrypted. After this, a new packet header is applied to the double-encrypted packet.
  • the original metadata of the data packet is encrypted, and new metadata is created for routing.
  • This further protects any additional information about the origin of the data packet being obtained or useful to malicious actors.
  • with the serial encryption method it is only possible to ascertain the information required for routing between the networks or devices. The data packets also remain encrypted even if one of the encryption layers is compromised.
  • the data packet is encrypted in two rounds, with each round of encryption being performed by a separate cryptographic module.
  • the use of two separate cryptographic modules thereby enables both the data payload and the metadata of the data packet to be encrypted.
  • the data payload is encrypted by the inner cryptographic module and transmitted to the outer cryptographic module, from which it is then encrypted with newly created metadata (or added router information) for routing to another secure network or device.
  • the result of the serial encryption means that the transmitted information is protected by more than one layer of encryption.
  • the only information made available from the data packets is the device/network IP addresses. Whilst the encryption and decryption described herein refer to two rounds of encryption, it will be appreciated that the system may be configured to perform multiple rounds of encryption.
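The two-round serial encryption described above, as an added example rather than the patent's own code. Assumptions made here: AES-256-GCM for both layers with independent keys, the original IPv4 header bound as associated data of the inner layer (so the inner firewall can read it but an attacker cannot swap it), a new 20-byte routing header carrying only the outer modules' addresses with IP protocol number 253 as the marker for double-encrypted packets, IP options and checksums left out, and fixed demo keys in place of handshake-derived ones. It also shows the check that lets the outer module drop non-double-encrypted packets before any further processing, which is the basis of the DoS claim later in the description.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Fixed 20-byte IPv4 header (no options) and the protocol number used to mark
// the new routing header; 253 is reserved for experimentation (RFC 3692) and
// its use for this purpose is an assumption of the example.
const hdrLen, protoSerial = 20, 253

var errNotSerial = errors.New("not a double-encrypted packet: dropped before processing")

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || ciphertext || tag with a fresh random nonce.
func seal(g cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(g cipher.AEAD, data, aad []byte) ([]byte, error) {
	if n := g.NonceSize(); len(data) >= n+g.Overhead() {
		return g.Open(nil, data[:n], data[n:], aad)
	}
	return nil, errors.New("short ciphertext")
}

// split separates a plain IPv4 header from its payload (IP options are not handled).
func split(pkt []byte) (hdr, payload []byte, err error) {
	if len(pkt) < hdrLen || pkt[0] != 0x45 {
		return nil, nil, errors.New("not a plain IPv4 packet")
	}
	return pkt[:hdrLen], pkt[hdrLen:], nil
}

// InnerEncrypt (inner module, outbound): encrypt only the payload. The header
// stays in the clear for the inner firewall but is bound as associated data.
func InnerEncrypt(keyInner, pkt []byte) ([]byte, error) {
	hdr, payload, err := split(pkt)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), seal(newGCM(keyInner), payload, hdr)...), nil
}

// OuterEncrypt (outer module, outbound): encrypt the whole partially encrypted
// packet, original header included, under a new routing header (metadata 20)
// that exposes only the two outer modules' addresses. Checksum is omitted.
func OuterEncrypt(keyOuter, partial, outerSrc, outerDst []byte) []byte {
	route := make([]byte, hdrLen)
	route[0], route[8], route[9] = 0x45, 64, protoSerial // IPv4/IHL 5, TTL, protocol
	copy(route[12:16], outerSrc)
	copy(route[16:20], outerDst)
	ct := seal(newGCM(keyOuter), partial, route[12:20]) // bind the addresses, not the mutable TTL
	route[2], route[3] = byte((hdrLen+len(ct))>>8), byte(hdrLen+len(ct)) // total length
	return append(route, ct...)
}

// OuterDecrypt (outer module, inbound): anything without the serial marker or
// failing the outer tag is dropped before further work, the cheap reject of
// non-double-encrypted traffic that limits DoS exposure.
func OuterDecrypt(keyOuter, wire []byte) ([]byte, error) {
	route, body, err := split(wire)
	if err != nil || route[9] != protoSerial {
		return nil, errNotSerial
	}
	partial, err := open(newGCM(keyOuter), body, route[12:20])
	if err != nil {
		return nil, errNotSerial
	}
	return partial, nil
}

// InnerDecrypt (inner module, inbound): restore the plaintext packet.
func InnerDecrypt(keyInner, partial []byte) ([]byte, error) {
	hdr, body, err := split(partial)
	if err != nil {
		return nil, err
	}
	payload, err := open(newGCM(keyInner), body, hdr)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), payload...), nil
}

// SamplePacket is a constructed IPv4/UDP packet (total length 46) from
// workstation 10.0.0.5 to host 10.9.0.7 on a trusted peer network.
var SamplePacket = append([]byte{0x45, 0, 0, 46, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 5, 10, 9, 0, 7}, "constructed sample payload"...)

// RoundTrip sends pkt out through both modules and back in; the outer module
// addresses (203.0.113.1 and 198.51.100.1) are constructed values.
func RoundTrip(keyInner, keyOuter, pkt []byte) ([]byte, error) {
	partial, err := InnerEncrypt(keyInner, pkt)
	if err != nil {
		return nil, err
	}
	back, err := OuterDecrypt(keyOuter, OuterEncrypt(keyOuter, partial, []byte{203, 0, 113, 1}, []byte{198, 51, 100, 1}))
	if err != nil {
		return nil, err
	}
	return InnerDecrypt(keyInner, back)
}

func main() {
	ki, ko := []byte("inner-demo-key-0123456789abcdef!"), []byte("outer-demo-key-0123456789abcdef!") // fixed demo keys
	out, err := RoundTrip(ki, ko, SamplePacket)
	_, dropErr := OuterDecrypt(ko, SamplePacket) // the same packet arriving in the clear
	fmt.Println("recovered:", string(out) == string(SamplePacket), err, "| plaintext dropped:", dropErr)
}
```

On the wire only the routing header is readable: the original source and destination, the transport protocol and the payload are all inside the outer ciphertext. Because each layer is an AEAD, a modified packet is rejected at the outer module without the inner module doing any work; replay of an unmodified packet is not covered here and needs a sequence number and anti-replay window, as IPsec ESP provides.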
  • routing tables are required for local peer networks and to remote site networks.
  • the tables can be provided by trusted peer networks and/or by a trusted central server acting similar to a standard Domain Name System (DNS) server.
  • each site that is to use double encryption must communicate with another secure device or network that utilises serial encryption or a similar level of secure communication.
  • the inner security module 4 includes an inner firewall 11 configured to monitor incoming and outgoing traffic between the inner security module and the outer security module 5.
  • the inner firewall 11 acts as a secondary firewall should the outer firewall 12 become compromised or successfully penetrated.
  • the inner firewall may also be referred to herein as the first firewall.
  • the outer security module 5 includes an outer firewall 12 configured to monitor incoming and outgoing traffic between the outer security module and the external network.
  • the outer firewall 12 provides the outer most protection for the internal network.
  • the outer firewall may also be referred to herein as the second firewall.
  • the primary purpose of the outer firewall is to block all forms of traffic unless an exception has been made, or is returning traffic from an ongoing session. In some embodiments, the default setting is to block all incoming traffic from external origins, which were not requested.
  • the outer firewall 12 may operate in a shadow operation mode, also referred to as bridge mode or stealth mode, in which the outer firewall does not obtain an IP address of its own and thereby helps provide obfuscation.
  • the inner firewall 11 and outer firewall 12 may be configured with a set of predetermined criteria for filtering traffic.
  • although the firewalls obscure the ports and services, it is still possible to provide routing with peer networks or devices.
  • other systems and methods may use firewalls with VPN capabilities to form a secure tunnel of communication. However, in such systems the second level of encryption does not exist, which can lead to the data payload being obtained by, or exposed to, malicious actors should the communication line be compromised.
  • the system of the present invention provides a dual firewall capability, which aids in blocking unauthorised connections and unauthorised incoming or outgoing transmissions.
  • the device provides added security by utilising two firewalls, which allows for obfuscation.
  • Obfuscation may refer to the capability to obscure the Protocol Ports (for example: TCP 22, UDP 8080) of a network or a network connected device, against unauthorised reconnaissance actions. This assists in masking information about the device/network being used, the purpose of the network, and the systems which may be in use.
  • the obfuscation provided by the firewalls, along with the serial encryption creates a secure backbone and node that facilitates more secure communications, makes the traffic more secure and the device or network less discoverable.
  • obfuscation hides the internal network's IP ports from threats such as port scanning.
  • attackers or botnets perform reconnaissance through means such as port scans, trying to find a vulnerability that they can then exploit.
  • the preferred method of reconnaissance by unauthorised entities is port scanning.
  • port scanning checks which protocol ports are open and thereby determines which communication or computer services are in use; it can even identify the operating system of a device.
  • the outer firewall 12 is configured to obscure/resist port scan requests by denying the results of the port scan to the unauthorised entity.
  • the outer firewall may act in a stealth mode, in which no IP or MAC address is assigned to it, so that it blocks most unauthorised traffic without itself being addressable.
  • the inner firewall is assigned an address to conduct normal Internet activity. With this arrangement, ports that are opened on either firewall to allow external traffic are not identified by external sources.
  • the obfuscation provided by the firewalls may utilise static detection, which recognises the behaviour of port scans and masks their results, for example by answering probes to open and closed ports identically.
  • the obfuscation may also be adaptive, using machine learning to detect behaviours and anomalies in real-time traffic and to block the ports concerned.
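The static port-scan detection described above, as an added example and not the patent's implementation: a sliding-window count of distinct destination ports per source over a constructed firewall log. A source that crosses the threshold is added to a blocked set, and from then on its probes are masked (in this example, simply reported as blocked; a real outer firewall would stop answering them). The window, the threshold and the log contents are this example's choices.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Conn is one inbound connection attempt as the outer firewall would log it.
type Conn struct {
	At      time.Time
	Src     string
	DstPort int
}

// ScanDetector implements the static, behaviour-based detection: a source
// that touches more than Threshold distinct destination ports within Window
// is treated as a port scan. The parameters are this example's choice; a
// deployment tunes them to its own baseline.
type ScanDetector struct {
	Window    time.Duration
	Threshold int
	history   map[string][]Conn // per-source attempts inside the window, oldest first
	blocked   map[string]bool
}

func NewScanDetector(window time.Duration, threshold int) *ScanDetector {
	return &ScanDetector{Window: window, Threshold: threshold,
		history: map[string][]Conn{}, blocked: map[string]bool{}}
}

// Observe records one attempt and reports whether the source is now blocked.
// Attempts are expected in time order, as a live log delivers them.
func (d *ScanDetector) Observe(c Conn) bool {
	if d.blocked[c.Src] {
		return true // already masked: the probe gets no answer and nothing more to learn
	}
	h := d.history[c.Src]
	cutoff := c.At.Add(-d.Window)
	keep := sort.Search(len(h), func(i int) bool { return !h[i].At.Before(cutoff) })
	h = append(h[keep:], c)
	d.history[c.Src] = h
	ports := map[int]struct{}{}
	for _, a := range h {
		ports[a.DstPort] = struct{}{}
	}
	if len(ports) > d.Threshold {
		d.blocked[c.Src] = true
	}
	return d.blocked[c.Src]
}

// Blocked returns the sources currently being masked, sorted for stable output.
func (d *ScanDetector) Blocked() []string {
	out := make([]string, 0, len(d.blocked))
	for s := range d.blocked {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleLog is a constructed firewall log: one host probing ten well-known
// ports within two seconds, interleaved with a client reconnecting to 443.
func SampleLog() []Conn {
	t0 := time.Date(2022, 6, 1, 12, 0, 0, 0, time.UTC)
	var log []Conn
	for i, p := range []int{21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080} {
		log = append(log, Conn{t0.Add(time.Duration(i) * 200 * time.Millisecond), "198.51.100.23", p})
	}
	for i := 0; i < 10; i++ {
		log = append(log, Conn{t0.Add(time.Duration(i) * time.Second), "192.0.2.10", 443})
	}
	sort.Slice(log, func(i, j int) bool { return log[i].At.Before(log[j].At) })
	return log
}

func main() {
	d := NewScanDetector(5*time.Second, 5)
	for _, c := range SampleLog() {
		if d.Observe(c) {
			fmt.Printf("%s %-14s port %-5d -> masked\n", c.At.Format("15:04:05.000"), c.Src, c.DstPort)
		}
	}
	fmt.Println("blocked:", d.Blocked())
}
```

A scanner that spreads its probes out beyond the window is not caught by this rule alone, and a distributed scan that uses a different source for each port never accumulates a count at all; those cases are where the adaptive, anomaly-based variant the description mentions has to take over from the static rule.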
  • the systems and methods of serial encryption provided by the invention create a platform which scales easily, provides interlinked encryption across distributed networks and adds key technological innovations to the field of cyber security technology. While many firewalls presently allow for basic ports to be scanned, providing obfuscation and making cyber appliances operate with a lower signature is a key technical advantage over existing systems.
  • the adoption of encryption to the field of secure communications enables users to communicate with confidence over an increasingly untrusted hardware environment.
  • the present invention provides a counter technology which returns confidence to the transmission medium.
  • One of the foremost concerns around network collection of data relates to user metadata.
  • Large tracts of legislation have been introduced globally around data collection and state actors find it highly useful.
  • Obfuscating user metadata through hardware integration creates a simple and scalable approach to increasing privacy and security in a highly contested space.
  • the double layer serial encryption provided by the present invention is highly preferable to a VPN which still transmits metadata across infrastructure, even if it is obscured at the proxy server.
  • the obfuscation of the ports and protocols by the firewalls provides protection against scans and an added measure should the communication encryption be defeated.
  • the double encryption of the packets in transmission provides protection of both the data payload and metadata of a data packet. Accordingly, the combination of obfuscation and serial encryption enables the invention to provide improved security and privacy for communications between networks and devices.
  • Embodiments of the invention can provide a secure means of communication over the Internet.
  • the methodologies described herein are, in one embodiment, performable by one or more processors that accept computer-readable (also called machine-readable) code containing a set of instructions that when executed by one or more of the processors carry out at least one of the methods described herein.
  • Any processor capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken are included.
  • a typical processing system that includes one or more processors.
  • Each processor may include one or more of a CPU, a graphics processing unit, and a programmable DSP unit.
  • the processing system further may include a memory subsystem including main RAM and/or a static RAM, and/or ROM.
  • a bus subsystem may be included for communicating between the components.
  • the processing system further may be a distributed processing system with processors coupled by a network. If the processing system requires a display, such a display may be included, e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT) display. If manual data entry is required, the processing system also includes an input device such as one or more of an alphanumeric input unit such as a keyboard, a pointing control device such as a mouse, and so forth.
  • the processing system in some configurations may include a sound output device, and a network interface device.
  • the memory subsystem thus includes a computer-readable carrier medium that carries computer-readable code (e.g., software) including a set of instructions to cause performing, when executed by one or more processors, one or more of the methods described herein.
  • the software may reside in the hard disk, or may also reside, completely or at least partially, within the RAM and/or within the processor during execution thereof by the computer system.
  • the memory and the processor also constitute computer-readable carrier medium carrying computer-readable code.
  • any one of the terms comprising, comprised of or which comprises is an open term that means including at least the elements/features that follow, but not excluding others.
  • the term comprising, when used in the claims should not be interpreted as being limitative to the means or elements or steps listed thereafter.
  • the scope of the expression a device comprising A and B should not be limited to devices consisting only of elements A and B.
  • Any one of the terms including or which includes or that includes as used herein is also an open term that also means including at least the elements/features that follow the term, but not excluding others. Thus, including is synonymous with and means comprising.

Abstract

According to a first aspect of the invention, there is provided a security system for secure communication between a first network and a second network, the system comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt a first portion of at least one data packet to define a partially encrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt a second portion of the partially encrypted data packet to provide a fully encrypted data packet.

Description

Systems, methods and devices for secure communication
FIELD OF THE INVENTION
[0001] The present invention relates to secure communications. More particularly, the invention relates to devices, systems and methods for providing secure network communications between a first network and second network.
[0002] The invention has been developed primarily for use as a system for providing secure communications between a first network and a second network using multi-layer encryption and decryption of data packets. Whilst some embodiments will be described herein with particular reference to that application, it will be appreciated that the invention is not limited to such a field of use, and is applicable in broader contexts.
BACKGROUND
[0003] The following discussion of the prior art is intended to facilitate an understanding of the invention and to enable the advantages of it to be more fully understood. It should be appreciated, however, that any reference to prior art throughout the specification should in no way be considered an admission that such art is widely known or forms part of the common general knowledge in the field.
[0004] The internet revolutionised information sharing and communication, providing a great benefit to society. However, the Internet was not designed with security in mind and, as such, to this day has suffered from various forms of attacks from many threats. Increasing utilisation of the Internet for network communications has exposed the less secure side of wireless communications, and the need for providing a secure Internet to secure against malicious hackers, malware and other cyber security threats.
[0005] In response to this security threat, the National Security Agency (NSA) developed the United States High Assurance Internet Protocol Encryptor (HAIPE) devices. Examples of using HAIPE devices in secure network communications include US Patent No. 9,083,683, which provides an encryption/decryption device for secure communications between a protected network and an unprotected network. Such a device interfaces with the protected network to perform encapsulation of data from the protected network to define outgoing data packets, and performs decapsulation of incoming data packets. Further examples of using HAIPE devices for secure network communications include the system of US Patent No. 7,904,711. This system is a scalable internet protocol encryption system to support HAIPE, and includes processing sensitive data for packet encryption/decryption and data authentication.
[0006] However, there are some difficulties in the manner in which this encryption is performed. The existing devices and systems typically perform encryption once, to the data packet or only to the lines of communications. For example, the above referenced documents use typical encryption/decryption of data packets which typically includes processing plain text through a cryptographic unit into ciphertext such that outgoing data is encrypted and incoming data is decrypted. This is done by means of a single layer of encapsulation, in which data packets are encapsulated into a single frame, usually involving a header and a trailer. This usually involves the use of a data packet’s original header, or the creation of a new header based on the original header.
[0007] Other methods include a manual method of performing encryption for a file (but not a packet) and then using a secure line of communication, such as a Virtual Private Network (VPN), to secure the communications. However, there is no known device or process that is configured to perform serial encryption on data packets using symmetric key algorithms.
[0008] As such, these existing systems are not able to provide security measures which protect both the header and the content data of data packets. Furthermore, they are not enabled to provide enhanced security features for the system such as obfuscation.
[0009] It is an object of the present invention to overcome or ameliorate at least one of the disadvantages of the prior art, or to provide a useful alternative.
[0010] As will be shown herein, embodiments of the invention aim to provide a technical solution for protecting the transmission of data between two networks. Embodiments of the invention address limitations of existing secure communications technologies at least by means of encrypting both the payload and the metadata of a data packet.
[0011] To aid in enhancing security for the Internet, embodiments of the present invention seek to provide double encrypted communications which, when deployed, create a trusted and secure layer to network communications. Some embodiments are capable of securing and performing obfuscation to the protected network, which aims to prevent malicious actors from accessing system data. Along with this, the double encryption system aims to protect both the data packet’s metadata and content data from unauthorised entities.
SUMMARY OF THE INVENTION
[0012] According to a first aspect of the invention, there is provided a security system for secure communication between a first network and a second network, the system comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt a first portion of at least one data packet to define a partially encrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt a second portion of the partially encrypted data packet to provide a fully encrypted data packet.
[0013] Preferably, the outer security module includes a second firewall in communication with the second network.
[0014] The inner security module preferably includes an inner analysis module, configured to receive and process the at least one data packet. More preferably, the inner analysis module is at least one of an intrusion detection system and an intrusion prevention system.
[0015] Preferably, the outer security module includes an outer analysis module, configured to receive and process incoming and outgoing traffic between the outer security module and the second network. More preferably, the outer analysis module is at least one of an intrusion detection system and an intrusion prevention system.
[0016] In some embodiments, the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption. Preferably, the symmetric encryption includes symmetric block encryption.
[0017] In further embodiments, the first network is an internal network. In some embodiments, the second network is an external network. In yet further embodiments, the first network is an electronic device.
[0018] Preferably, the at least one data packet includes a header and a payload. The first portion of the at least one data packet is preferably the header. The second portion of the at least one data packet is preferably the payload.
[0019] More preferably, the second cryptographic module is configured to apply new metadata to the fully encrypted data packet.
[0020] According to a second aspect of the invention, there is provided a security system for secure communication between a first network and a second network, the system comprising: an outer security module in communication with the second network, the outer security module including: a second cryptographic module configured to decrypt a second portion of at least one fully encrypted data packet to provide a partially decrypted data packet; and an inner security module in communication with the outer security module and the first network, including: a first cryptographic module configured to decrypt a first portion of the partially decrypted data packet to provide a fully decrypted data packet; and a first firewall in communication with the first cryptographic module and the outer security module, the first firewall configured to process the partially decrypted data packet.
[0021] According to a third aspect of the invention, there is provided a device for secure communication between a first network and a second network, the device comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt or decrypt a first portion of at least one data packet to define a partially encrypted or partially decrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted or partially decrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt or decrypt a second portion of the data packet to provide a fully encrypted or fully decrypted data packet.
[0022] According to a fourth aspect of the invention, there is provided a method for secure communication between a first network and a second network, the method comprising: a) receiving at least one data packet at an inner security module; b) encrypting a first portion of the data packet with a first cryptographic module, disposed within the inner security module; c) processing the data packet through a first firewall in communication with the first cryptographic module and an outer security module; d) receiving the data packet at the outer security module; and e) encrypting a second portion of the data packet with a second cryptographic module to provide a fully encrypted data packet.
[0023] In some embodiments, the method further includes the step of processing the data packet through a second firewall in communication with the second network and the outer security module.
[0024] Preferably, the inner security module includes an inner analytical process module, configured to inspect the at least one data packet. More preferably, the inner analytical process module is at least one of an intrusion detection system and an intrusion prevention system.
[0025] In some embodiments, the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption. Preferably, the symmetric encryption includes symmetric block encryption.
[0026] In further embodiments, the first network is an internal network, and the second network is an external network. In other embodiments, the first network is an electronic device.
[0027] Preferably, at least one data packet includes a header and a payload. More preferably, the first portion of the at least one data packet is the payload. More preferably, the second portion of the at least one data packet is the header.
[0028] In further embodiments, the method further includes the step of applying new metadata to the fully encrypted data packet.
[0029] According to a fifth aspect of the invention, there is provided a method for secure communication between a first network and a second network, the method comprising: a) receiving at least one data packet at an outer security module; b) decrypting a second portion of the data packet with a second cryptographic module, disposed within the outer security module; c) processing the data packet through an outer firewall in communication with the second cryptographic module and an inner security module; d) receiving the data packet at the inner security module; and e) decrypting a first portion of the data packet with a first cryptographic module to provide a fully decrypted data packet.
FIGURES
[0030] A preferred embodiment of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
[0031] Figure 1 is a data flow process diagram of the secure communication system according to a preferred embodiment;
[0032] Figure 2 is a data flow process diagram of the secure communication system according to a preferred embodiment;
[0033] Figure 3 is a data flow process diagram showing the state of a data packet during encryption by a method of secure communication according to a preferred embodiment;
[0034] Figure 4 is a data flow process diagram showing the state of a data packet during decryption by a method of secure communication according to a preferred embodiment;
[0035] Figure 5 is a data flow process diagram of the method of encryption performed by the secure communication system of Figure 1; and
[0036] Figure 6 is a data flow process diagram of the method of decryption performed by the secure communication system of Figure 1.
DESCRIPTION
[0037] The devices, systems and methods described herein make use of a series of cryptographic modules and firewalls that provide a dual security layer within an operating environment of a secure device in a first network. The device can be physical or virtualised. Data packets are sent from an internal network into an inner security module, and the data packets are partially encrypted and passed on to an outer security module. This outer security module is connected to the external side of the network. The data packets are then fully encrypted, before sending the encrypted packet for routing to another secure device in a second network.
[0038] In a preferred embodiment, the process is completed by using two separate security modules. These may be two separate security virtual machines within a virtual environment. Alternatively, in other embodiments, the invention can be executed in a single operating system, which executes the two separate security modules. In further embodiments, an inner security module and outer security module may be optimised to operate within one operating system and not in a virtualised environment. In other embodiments, two separate security modules may instead be a single security module. In yet further embodiments, a single security module may be used instead of segmenting into an outer and inner security module. In other embodiments, two sets of physical security modules may be used together instead of being confined within a single physical device.
[0039] Referring to Figure 1, a system 1 for secure communication between a first network 2 and a second network 3 is described. The system includes an inner security module 4 in communication with the first network 2. The inner security module 4 includes a first cryptographic module 6 configured to encrypt a first portion 8A of at least one data packet 8 to provide a partially encrypted data packet 9 and a first firewall 11 connected to the first cryptographic module 6, the first firewall configured to inspect the partially encrypted data packet 9. The system further includes an outer security module 5 in communication with the inner security module 4 and the second network 3. The outer security module includes a second cryptographic module 7 configured to encrypt a second portion 8B of the at least one data packet 9. The inner security module 4 includes an inner analytical process module 13 in communication with the first cryptographic module 6. The outer security module 5 includes an outer analytical process module 14 in communication with the second cryptographic module 7.
[0040] In essence, as shown in Figure 2, the invention works by taking a data packet and encrypting the data packet through two rounds of encryption, which protects both the data payload and the metadata to secure communications between a first network 2, such as a computer, and a second network 3, such as the internet. A data packet 8 refers to an unencrypted plaintext data packet. A single encrypted data packet 9 may also be referred to as a partially encrypted or partially decrypted data packet. A fully encrypted data packet 10 may also be referred to as a double encrypted data packet.
Overview - Encryption
[0041] An overview of the encryption process carried out by the system, device and method is described for routing plaintext data from a device to an external network.
[0042] As shown in Figure 3, a data packet 8 is initiated from a computer system 15 or electronic device, and transmitted to the inner security module 4. The inner security module includes a first cryptographic module 6. The first cryptographic module encrypts a first portion 8A of the data packet 8 to provide a partially encrypted data packet 9. The first portion is the payload 16. In some embodiments, the data packet 9 is first inspected by an inner analytical process module 13 to determine whether it is authorised to progress through the system 1. The data packet 8 is then transmitted to the first firewall 11 for inspection before being passed to the outer security module 5. The outer security module includes a second cryptographic module 7. The second cryptographic module encrypts a second portion 8B of the data packet 8 to provide a multi-layer encrypted data packet 10. The second portion is the metadata 18. New metadata 20 is applied to the multi-layer encrypted data packet 10 in order to route the encrypted data packet to its destination. The outer security module 5 may additionally include an outer analytical process module 14 to analyse incoming packets 22 from external networks 3. The outer security module may additionally include a second firewall 12 to inspect incoming and outgoing traffic 22 and 24.
[0043] As shown in Figure 5, there is provided an embodiment of an encryption method for secure communication according to the invention. In Stage 1 of encryption, a data packet 8 is initiated from a computer system 15 to an inner security module 4 (S101). Once in the inner security module, the data packet 8 is inspected to determine whether or not it is authorised (S102). If it is not authorised, then the packet 8 is prevented from going further through the inner security module (S102N). If it is authorised, the data packet 8 is sent to an inner analytical process module 13 (S102Y). The inner analytical process module 13 performs a deep packet inspection to determine if there is anything suspicious about the content 16 or if there is an anomaly (S103). If there is a suspicious anomaly, the packet is blocked, and an alert may be issued (S103N). If it is cleared, the packet 8 is transmitted to a first cryptographic module 6 (S103Y). In Stage 2 of encryption, the first cryptographic module 6 then initiates an asymmetric block encryption to establish a connection (S201), then applies a symmetrical block encryption 52 (S202), and encrypts the payload 16 of the data packet 8 (S203) to define a partially encrypted data packet 9. In Stage 3 of encryption, the partially encrypted data packet is then transmitted to the outer security module 5 through a first firewall 11 (S301). If the data packet belongs to a trusted or high routing site 36, 38, then a further round of encryption is applied (S301Y). If it does not, then the partially encrypted data packet 9 is passed through the firewall to the network 3 (S301N). In Stage 4 of encryption, once the partially encrypted data packet is received at the outer security module 5, it is transmitted to a second cryptographic module 7 which applies a second round of encryption which is the same as steps S201 and S202 (S401, S402). The second cryptographic module encrypts the header 18 of the partially encrypted data packet 9 (S403), and then applies a new header 20 with routing information 21 (S404) to define a fully encrypted data packet 10. The fully encrypted data packet is then passed through an outer analytical process module 14 (S405). In Stage 5 of encryption, the packet is passed through an outer firewall 12 (S501) before being sent to the external network 3 (S601) in Stage 6 of encryption.
Overview - Decryption
[0044] An overview of the decryption process carried out by the system, device and method is described for routing encrypted data from an external network to a device. The decryption process is the reverse process of how the packets are encrypted.
[0045] As shown in Figure 4, a multi-layer encrypted data packet 10 is received from an external network 3, and transmitted to the outer security module 5. In some embodiments, the encrypted data packet 10 is passed through the second firewall 12. In some embodiments, the data packet 8 is inspected by the outer analytical process module 14 before being transmitted to the second cryptographic module 7. The second cryptographic module decrypts a second portion 8B of the multi-layer encrypted data packet 10, to provide a partially decrypted data packet 9. The second portion 8B is the metadata 18. The partially decrypted data packet 9 is transmitted to the inner security module 4. The partially decrypted data packet is inspected by the first firewall 11 before being passed to the first cryptographic module 6. The first cryptographic module decrypts the first portion 8A of the data packet 9, which is the payload 16 of the data packet 9. Once decrypted, the data packet 10 is a fully decrypted data packet 8 in its original state. In some embodiments, the original data packet 8 is transmitted to the inner analytical process module 13 for inspection. The original data packet is then transmitted to the computer 15.
[0046] As shown in Figure 6, there is provided an embodiment of a decryption method for secure communication according to the invention. In Stage 1 of decryption, a data packet 10 is received from a computer system or network 3 to an outer firewall 12 (S701) of an outer security module 5. If blocked, the outer firewall prevents the data packet from entering the system (S701N). If it is authorised to proceed (S701Y), the data packet is passed through the outer security module, and received by the outer analytical process module 14 (S801) in Stage 2 of decryption. Authorised packets are inspected to determine if there are any suspicious anomalies, such as malware signatures (S802). If the data packet is from a trusted or high routing site 36, 38, then the header 18 is decrypted to define a partially decrypted data packet 9 (S803), which is then passed to the inner security module 4. Low or unsecured routing packets 40, 42, are sent directly to the inner security module 4 (S803N). In Stage 3 of decryption, the partially decrypted data packet 9 is passed through an inner firewall 11 (S901) for inspection. In Stage 4 of decryption, the data packet is then transmitted to the first cryptographic module 6 (S1001), where the payload 16 of the data packet 9 is decrypted to define a fully decrypted data packet 10 (and thereby has returned to its original state) (S1002). In Stage 5, the decrypted data packet is transmitted to an inner analytical process module 13, which performs a deep packet inspection of the payload 16 to determine if there are any suspicious anomalies (S1101). If a packet is found to violate any predefined rules or contain any malicious anomalies, the packet is blocked (S1101N). If authorised (S1101Y), in Stage 6 of decryption, the decrypted data packet is sent through to the internal network or computer system 15 (S1201).
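The two-layer encapsulation of Stages 2 to 4 above and its reverse (S803, S1002), as an added worked example that is not part of the patent: the inner module seals only the payload, the outer module seals the original header and prepends a new routing header, and decryption peels the layers in the opposite order. AES-256-GCM stands in for the unspecified symmetric block encryption 52, the 12-byte header layout, demo keys and addresses are constructed, binding the header as AEAD associated data is this example's own choice, and the asymmetric connection setup (S201) and the firewall/IDS checks are assumed to have already run.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 12-byte header: src IP(4) | dst IP(4) | src port(2) | dst port(2); sealed header = GCM nonce + hdr + tag.
const hdrLen, sealedHdrLen = 12, 12 + 12 + 16

// Packet is a plaintext data packet (8): metadata (18) plus payload (16).
type Packet struct {
	Header  []byte
	Payload []byte
}

// PartialPacket is the single-encrypted packet (9): header readable, payload sealed.
type PartialPacket struct {
	Header     []byte
	EncPayload []byte
}

// gcm builds an AES-256-GCM AEAD, our stand-in for the symmetric block encryption (52).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt and authenticates aad; output is nonce || ciphertext || tag.
func seal(key, pt, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; any change to the ciphertext or the aad fails the tag check.
func open(key, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("open: bad key or short ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// InnerEncrypt is the inner cryptographic module (6): only the payload is sealed (S203).
func InnerEncrypt(k1 []byte, p Packet) (PartialPacket, error) {
	ct, err := seal(k1, p.Payload, p.Header) // header as AAD: the inner firewall (11) can read it but not alter it undetected
	return PartialPacket{Header: p.Header, EncPayload: ct}, err
}

// OuterEncrypt is the outer cryptographic module (7): seal the original header (S403) and prepend a routing header (20) (S404).
func OuterEncrypt(k2 []byte, pp PartialPacket, route []byte) ([]byte, error) {
	eh, err := seal(k2, pp.Header, pp.EncPayload) // tag also binds the header to the payload ciphertext
	if err != nil || len(pp.Header) != hdrLen || len(route) != hdrLen {
		return nil, errors.New("outer: bad header length or seal failure")
	}
	return append(append(append([]byte{}, route...), eh...), pp.EncPayload...), nil
}

// OuterDecrypt (S803): strip the routing header and recover the original header only.
func OuterDecrypt(k2 []byte, wire []byte) (PartialPacket, error) {
	if len(wire) < hdrLen+sealedHdrLen {
		return PartialPacket{}, errors.New("outer: wire packet too short")
	}
	encPayload := wire[hdrLen+sealedHdrLen:]
	hdr, err := open(k2, wire[hdrLen:hdrLen+sealedHdrLen], encPayload)
	return PartialPacket{Header: hdr, EncPayload: encPayload}, err
}

// InnerDecrypt (S1002): recover the payload, restoring the original packet (8).
func InnerDecrypt(k1 []byte, pp PartialPacket) (Packet, error) {
	pt, err := open(k1, pp.EncPayload, pp.Header)
	return Packet{Header: pp.Header, Payload: pt}, err
}

func main() {
	k1, k2 := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys
	hdr := []byte{10, 0, 0, 7, 10, 0, 9, 3, 0xc7, 0x38, 0x01, 0xbb}             // 10.0.0.7:51000 -> 10.0.9.3:443
	p := Packet{Header: hdr, Payload: []byte("card=4111111111111111")}         // constructed sensitive payload
	route := []byte{203, 0, 113, 1, 198, 51, 100, 2, 0x11, 0x94, 0x11, 0x94}  // secure device to secure device
	pp, _ := InnerEncrypt(k1, p)
	wire, _ := OuterEncrypt(k2, pp, route)
	pp2, _ := OuterDecrypt(k2, wire)
	out, err := InnerDecrypt(k1, pp2)
	fmt.Printf("wire leaks payload=%v header=%v; restored=%q err=%v\n",
		bytes.Contains(wire, p.Payload), bytes.Contains(wire, p.Header), out.Payload, err)
}
```

On the second network only the routing header is readable; a flipped ciphertext byte is rejected at the outer module, and a header altered between the two modules is rejected at the inner module.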
Networks and devices
[0047] The systems, devices and methods of the invention are configurable for providing secure communications. In a preferred embodiment, the systems, devices and methods described herein provide secure communication between devices and networks. In one embodiment, the secure communication is provided between a device and a network. In other embodiments, the secure communication is provided between a first and second network. Although the networks or network devices may be within the same local area (for example, they may be within the same building), the primary purpose is for the systems and methods to provide secure communications in networks and devices which utilise the internet.
[0048] In some embodiments, the first network is an internal network. In other embodiments the first network is an external network. In some embodiments, the second network is an external network. In other embodiments, the second network is an internal network. In some embodiments, the internal network may be an ethernet. Additionally or alternatively, the first or second network may include at least one of a local area network (LAN), a personal area network (PAN), a wireless local area network (WLAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), a storage-area network (StAN), a system-area network (SAN), a passive optical local area network (POLAN), an enterprise private network (EPN), and/or a virtual private network (VPN). In some embodiments, the first network or the second network may be the Internet.
[0049] In some embodiments, the first or second network may include a device. The device may include at least one of a network device, electronic device or terminal device. The device may include at least one of a workstation, desktop computer, laptop, tablet, notebook computer, display interface and/or smartphone. In some embodiments, the device may be a secure device.
Data
[0050] Data which is intended to be routed to a specific destination is initiated from a computer system, electronic device or network. The data is sent to the system in the form of at least one data packet 8. The data packet may also be referred to as a datagram, segment, block, cell or frame. Data packets have two types of data components, the data content 16 (which may also be referred to herein as the payload) and the header 18 (which may also be referred to herein as the metadata). The payload 16 contains the data that is processed into useful information for humans or machines (for example, a credit card number). The metadata 18 contains information primarily associated with networking and communication (for example, computer names, data tags, IP addresses, and SSH keys).
[0051] In the preferred embodiment, the data packet 8 includes a header 18 and a payload 16. The header identifies at least the source and the destination of the packet. The header may also be referred to as metadata. The payload may also be referred to as the actual data or data content. In some embodiments, the data packet is a standard Internet Protocol packet. In other embodiments, the internet packet includes at least one of raw IP, ICMP, UDP, and TCP.
Inner security module
[0052] In a preferred embodiment, the inner security module 4 is disposed within a virtual environment 32. This may be referred to as a security environment. The inner security module is in communication with the first network. In some embodiments, the first network may be an internal network. In other embodiments, the first network may include a device. It will be appreciated that the inner security module may be in communication with any type of network.
[0053] During the encryption process, the inner security module is configured to receive data packets from a first network. In a preferred embodiment, the first network includes a device. For example, the device may be a user workstation. The inner security module includes an inner cryptographic module and an inner firewall. In some embodiments, the inner security module includes an inner analytical process module 13. In a preferred embodiment, the inner analytical process module 13 is an intrusion detection/prevention system (ID/PS) 34. Once the inner security module 4 receives a data packet, the data packet is processed through the inner analytical process module 13 to determine whether it is authorised for transmission. If the data packet is not authorised for transmission, the data packet is prevented from going any further through the system. In some embodiments, the data packet 8 is blocked from being transmitted. Alternatively or additionally, an alert or notification may be issued by the inner analytical process module 13, advising that the data packet 8 has been blocked.
[0054] If the data packet is authorised to proceed, the data packet 8 is transmitted to the inner cryptographic module 6. In some embodiments, the data packet is only sent to the inner cryptographic module if it meets at least one predefined criteria. For example, in some embodiments, data packets that are inspected by the inner analytical process module 13 and found to contain an IP address which belongs to a trusted 36, high 38 or low routing list 40 are sent to the inner cryptographic module 6 for encryption. In other embodiments, data packets which are determined to be unsecure are not encrypted by the inner cryptographic module at this stage. If the data packet is not encrypted at this stage, it may be encrypted at the outer security module. The inner cryptographic module is configured to encrypt a first portion 8A of the data packet 8. In the preferred embodiment, the data packet’s payload 16 is encrypted by the inner cryptographic module 6 to provide a partially encrypted data packet 9.
[0055] The partially encrypted data packet 9 is then transmitted to the inner firewall 11. The inner firewall inspects the partially encrypted packet. After inspection, the partially encrypted data packet may be passed through to the outer security module 5.
[0056] During the decryption process, the inner security module 4 is configured to receive data packets from the outer security module 5. In some embodiments, the inner security module is configured to receive partially decrypted data packets from the outer security module. The partially decrypted packets preferably include an encrypted payload and a decrypted header. The partially decrypted data packets are passed through the inner firewall, and inspected before being passed to the inner cryptographic module 6. The inner cryptographic module decrypts the first portion 8A of the data packet 9. In this case, the first portion is the first portion to be encrypted, that is, the payload 16. Once the payload is decrypted, the data packet returns to its original state. This may be referred to as its plaintext form.
[0057] The original data packet 8 is then transmitted to the inner analytical process module 13. The inner analytical process module 13 performs deep packet inspection of the decrypted data packet. Once determined to be authorised, the data packet is transmitted from the inner security module 4 to the first network or destination device.
Outer security module
[0058] The system also includes an outer security module 5. In a preferred embodiment, the outer security module is disposed within a virtual environment 32. Preferably, the inner security module and the outer security module are both disposed within a virtual environment. In other embodiments, the inner security module and outer security module may be disposed in a single operating system. The outer security module is in communication with the second network 3. In some embodiments, the second network may be an external network. In other embodiments, the second network may include a device. It will be appreciated that the outer security module may be in communication with any type of network.
[0059] During the encryption process, the outer security module 5 is configured to receive data packets from the inner security module 4. In some embodiments, the outer security module is configured to receive partially encrypted data packets from the inner security module. The partially encrypted data packets preferably include an encrypted payload. In a preferred embodiment, the outer security module 5 includes an outer cryptographic module 7. It may additionally include an outer firewall 12. The outer security module 5 may also include an outer analytical process module 14. In a preferred embodiment, the outer analytical process module 14 is an intrusion detection/prevention system (ID/PS).
[0060] The outer security module 5 receives a partially encrypted data packet 9 from the inner security module 4. Then, the outer security module is configured to perform encryption on the received partially encrypted data packet 9. The outer security module may process some or all data packets for further encryption. In some cases, data packets which meet at least one predefined criteria are processed for further encryption, whilst others may be transmitted directly to the second network 3 without further encryption.
[0061] Once the outer security module receives the partially encrypted data packet 9, it is sent to the outer cryptographic module 7, which is configured to encrypt a second portion 8B of the data packet 9. In the preferred embodiment, the data packet’s header 18 or metadata is encrypted by the outer cryptographic module 7 to provide a multi-layer encrypted data packet. In some embodiments, the multi-layer encrypted data packet is then transmitted through the outer analytical process module 14. In other embodiments, the multi-layer encrypted data packet 10 is transmitted through the outer firewall 12. In further embodiments, the multi-layer encrypted data packet may be sent directly to the second network.
[0062] During the decryption process, the outer security module 5 is configured to receive data packets from the second network. In some embodiments, the outer security module is configured to receive encrypted data packets. These data packets are preferably multi-layer encrypted data packets. Once the outer security module 5 receives a multi-layer encrypted data packet 10, the encrypted data packet 10 is passed through the outer firewall 12, which inspects the packet and passes it through to the outer analytical process module 14. The encrypted data packet is processed through the outer analytical process module 14. Once it is determined to be authorised to proceed, the encrypted data packet is transmitted to the outer cryptographic module.
[0063] The outer cryptographic module 7 decrypts the second portion 8B of the multi-layer encrypted data packet 10, thereby to provide a partially decrypted data packet 9. The partially decrypted data packet may also be referred to as a partially encrypted data packet. In a preferred embodiment, the outer cryptographic module decrypts the header of the encrypted data packet. Once partially decrypted, the data packet is transmitted to the inner security module 4.
[0064] In some embodiments, the outer security module 5 is configured to receive data packets from the second network. Alternatively or additionally, the outer security module is configured to transmit partially decrypted data packets to the inner security module. In further embodiments, a system could perform the full serial encryption process by doubling the encryption of the packet at the exit of the outer security module.
[0065] Using two security modules to analyse the metadata of a data packet and then determine its destination helps to provide added security and performance. This is especially advantageous as quantum computers begin to come online, since stronger processes and quantum resistant algorithms will then be needed.
[0066] Providing secure encryption against quantum computers can be difficult. Quantum computers are projected to defeat encryption systems of standard computers at an exponential rate. Standard computers do not have the hardware capability to deal with quantum computers. To mitigate this, the systems, methods and devices of the present invention are capable of utilising quantum resistant algorithms, coded into the system, thereby extending the usefulness of current conventional computers. By using multiple rounds of encryption, an added layer of resistance is provided against a quantum computer's ability to defeat the encryption system.
Analytical process modules
[0067] The inner security module 4 may include an inner analytical process module 13, in communication with the inner cryptographic module. Alternatively or additionally, the outer security module 5 may include an outer analytical process module 14, disposed between, and in communication with, the outer cryptographic module 7 and the outer firewall 12. The inner analytical process module 13 may also be referred to as a first analysis module. The outer analytical process module 14 may also be referred to as a second analysis module. The inner analytical process module 13 and the outer analytical process module 14 may be referred to collectively as the analytical process modules, or as the analysis modules.
[0068] The analytical process modules 13 and 14 preferably include an intrusion detection system (IDS) or an intrusion prevention system (IPS). In other embodiments, the analytical process modules include an intrusion detection/prevention system (ID/PS). The analytical process modules may include a signature-based intrusion detection system or an anomaly-based intrusion detection system. In some embodiments, the analytical process modules 13 and 14 may include a combination of signature-based and anomaly-based intrusion detection systems. The analytical process modules determine whether or not the received data packet is authorised to be transmitted through the system. In a preferred embodiment, this determination is carried out by first analysing the data packet's metadata or header 18. This may include determining whether the destination IP address meets at least one predefined criterion. In one embodiment, the destination IP address read from the packet's metadata is compared with the following example criteria:
• Trusted Routing, 36: IP address is on a list of trusted IP addresses. This is the highest level of trust, which could be addresses owned by an organisation.
• High Routing, 38: multi-layered encryption listing. These IP addresses may be external to an organisation but utilise a multi-layered encryption capability. This could be the same system as the invention, or it may be another system determined to meet specific security requirements for a communication channel.
• Low Routing, 40: single-layered encryption listing. These IP addresses are not known to have multi-layered encryption capability, but have some form of encryption, such as standard VPN systems. This may include meeting basic security requirements for a communication channel.
• Unsecure Routing, 42: unencrypted, for legacy sites. These IP addresses have no encryption capability, which represents the majority of nodes in the Internet today.
• Blacklist, 44: blacklisted sites include unauthorised sites blocked by an organisation, or sites considered unsafe by threat intelligence, historical data or reputation.
[0069] It will be appreciated that the predefined criteria are not limited to the above examples, and that they may be customised to an organisation's requirements.
[0070] In addition to inspecting the metadata 18 of the data packet 8, the inner analytical process module 13 may additionally perform a deep packet inspection of the data packet’s payload 16 to determine if the data packet is authorised to proceed through the system for encryption, or authorised to proceed to the first network after being decrypted. As the packet is not encrypted, the inner analytical process module 13 can perform its inspection to a high degree. Authorisation of the data packet based on payload inspection may include determining whether the payload content violates at least one predetermined rule, and/or whether a suspicious anomaly is present within the payload 16. The suspicious anomaly may be determined based on recognition of a signature or profile relating to malicious activity or known malware. Alternatively, the anomaly may be determined by using anomaly-based detection. Packets that are found to be clear (i.e., that are not determined to contain any suspicious or malicious anomalies) are allowed to proceed to their designated destination. If an anomaly or rule violation is detected, the data packet is blocked by the inner analytical process module 13 and an alert may be issued. In an alternative embodiment, the data packet 8 may simply be transmitted through to the second network 3 without further processing by the inner security module 4 and/or the outer security module 5 when the inner analytical process module 13 does not authorise it for encryption. Some data packets which only cause alerts may be allowed to proceed through the system. In other embodiments, packets found to breach a rule will be blocked. The functionality of the inner analytical process module protects the first network.
[0071] By analysing and inspecting the metadata 18 of the data packet 8 and/or the payload 16 of the data packet 8, the two processes applied by the inner analytical process module 13 help to minimise the resources needed to provide encryption to all data packets moving through the system. If a packet is determined not to be valid or authorised, it can be sent forward to another network without encryption or additional processing.
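The routing classification of [0068] and the authorisation decision of [0070] and [0074], as an added example that is not part of the patent: the destination address is read from a real IPv4 or IPv6 header, matched against the organisation's lists, and mapped to block, encrypt or forward-in-clear. The CIDR list format, the blacklist-first matching order, the `RoutingTable`, `Tier` and `Action` names, and the RFC 5737 sample addresses are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Tier is the routing category of a destination address ([0068]).
type Tier int

const (
	Blacklist Tier = iota // list 44: blocked or unsafe sites
	Trusted               // list 36: addresses owned by the organisation
	High                  // list 38: peers with multi-layer encryption
	Low                   // list 40: peers with single-layer encryption, e.g. a VPN
	Unsecure              // list 42: legacy sites with no encryption
)

var tierNames = [...]string{"Blacklist", "Trusted", "High", "Low", "Unsecure"}

// Action is what the inner security module does with an outbound packet.
type Action int

const (
	Block        Action = iota // dropped; an alert may be raised
	Encrypt                    // handed to the inner cryptographic module 6
	ForwardPlain               // passed on unencrypted, the [0070] alternative
)

var actionNames = [...]string{"Block", "Encrypt", "ForwardPlain"}

// RoutingTable holds an organisation's lists; the patent gives no list
// format, so CIDR prefixes are this example's assumption.
type RoutingTable struct {
	Trusted, High, Low, Blacklist []netip.Prefix
}

// Classify maps a destination to its tier. The blacklist is consulted first so
// a blocked host inside an otherwise trusted range stays blocked (the patent
// does not fix this order). A destination on no list counts as Unsecure.
func (rt RoutingTable) Classify(dst netip.Addr) Tier {
	ordered := []struct {
		tier Tier
		list []netip.Prefix
	}{{Blacklist, rt.Blacklist}, {Trusted, rt.Trusted}, {High, rt.High}, {Low, rt.Low}}
	for _, o := range ordered {
		for _, p := range o.list {
			if p.Contains(dst) {
				return o.tier
			}
		}
	}
	return Unsecure
}

// Decide applies [0074]: lists 36, 38 and 40 are authorised for encryption,
// blacklisted destinations are blocked and the rest are forwarded unencrypted
// ([0070], [0071]). A payload that failed deep packet inspection is blocked.
func Decide(tier Tier, payloadClean bool) Action {
	switch {
	case !payloadClean || tier == Blacklist:
		return Block
	case tier == Unsecure:
		return ForwardPlain
	}
	return Encrypt
}

// DestinationOf reads the destination address out of an IPv4 or IPv6 header,
// the metadata 18 that [0068] inspects first.
func DestinationOf(header []byte) (netip.Addr, error) {
	switch {
	case len(header) >= 20 && header[0]>>4 == 4:
		dst, _ := netip.AddrFromSlice(header[16:20]) // always ok for 4 bytes
		return dst, nil
	case len(header) >= 40 && header[0]>>4 == 6:
		dst, _ := netip.AddrFromSlice(header[24:40]) // always ok for 16 bytes
		return dst, nil
	}
	return netip.Addr{}, errors.New("not a complete IPv4/IPv6 header")
}

// IPv4Header builds a minimal 20-byte IPv4 header as constructed input.
func IPv4Header(src, dst netip.Addr) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, 6 // version 4 + IHL 5, TTL, protocol TCP
	copy(h[12:16], src.AsSlice())
	copy(h[16:20], dst.AsSlice())
	return h
}

func main() {
	rt := RoutingTable{Trusted: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}} // constructed list
	hdr := IPv4Header(netip.MustParseAddr("10.0.0.5"), netip.MustParseAddr("10.20.30.40"))
	dst, _ := DestinationOf(hdr)
	tier := rt.Classify(dst)
	fmt.Println(dst, tierNames[tier], actionNames[Decide(tier, true)])
}
```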
[0072] The outer analytical process module 14 is tasked with analysing incoming packets from the second network or external networks. It is primarily configured to prevent botnets and malicious packets from entering. Artificial intelligence may be used to allow the system to detect and adapt to the latest threats and attacks that are in progress.
Cryptographic modules
[0073] The inner security module 4 includes an inner cryptographic module 6. The inner cryptographic module may be disposed between, and in communication with, the inner analytical process module 13 and the inner firewall 11. Alternatively or additionally, the outer security module 5 includes an outer cryptographic module 7. The outer cryptographic module may be in communication with the outer analytical process module 14. The inner cryptographic module and the outer cryptographic module may be referred to collectively as the cryptographic modules 6 and 7.
[0074] The inner cryptographic module 6 is configured to encrypt a received data packet 8. Alternatively, or additionally, the inner cryptographic module 6 is configured to decrypt a received data packet. The inner cryptographic module may be configured to perform encryption and decryption simultaneously. In some embodiments, the inner cryptographic module 6 may include an encryption module 46 and a decryption module 48, configured to encrypt and decrypt data packets, respectively. The inner cryptographic module is configured to receive authorised data packets from the inner analytical process module 13. In some embodiments, the inner cryptographic module encrypts a received data packet if the data packet meets at least one predefined criterion, for example if the IP address obtained from the data packet's metadata is a trusted IP address 36, 38, 40.
[0075] The inner cryptographic module 6 is configured to encrypt a first portion 8A of a received data packet 8 to provide a partially-encrypted data packet 9. This first portion may include the payload 16 of the data packet. Alternatively, the first portion may include at least part of the payload. The inner cryptographic module 6 is in communication with the inner firewall 11, and configured to transmit the partially encrypted data packet 9 to the inner firewall for processing and/or inspection.
[0076] The inner cryptographic module 6 is additionally configured to decrypt a first portion 8A of a received partially decrypted data packet 9. This first portion may include the payload 16 of the data packet 9. Alternatively, the first portion may include at least part of the payload. The inner cryptographic module may be configured to decrypt an encrypted data packet to provide at least one of a partially decrypted data packet 9 or a completely decrypted data packet 8. The inner cryptographic module is in communication with the inner analytical process module 13, and configured to transmit the decrypted data packet to the inner analytical process module 13 for deep packet inspection.
[0077] The outer cryptographic module 7 is configured to encrypt a received partially encrypted data packet 9 to provide a multi-layer encrypted data packet 10. Alternatively, or additionally, the outer cryptographic module is configured to decrypt a received data packet 9. The outer cryptographic module may be configured to perform encryption and decryption simultaneously. In some embodiments, the outer cryptographic module may include an encryption module 46 and a decryption module 48, configured to encrypt and decrypt data packets, respectively. The outer cryptographic module is configured to receive partially encrypted data packets from the inner security module 4. In some embodiments, the outer cryptographic module encrypts a received partially encrypted data packet if the data packet meets at least one predefined criterion, for example if the IP address obtained from the data packet's metadata is a trusted IP address 36, 38, 40.
[0078] The outer cryptographic module 7 is configured to encrypt a second portion 8B of a received partially-encrypted data packet 9. This second portion may include the header 18 of the data packet 8 or 9. Alternatively, the second portion may include at least part of the header. The outer cryptographic module is in communication with the external network 3, and configured to transmit the multi-layer encrypted data packet to the external network. After the outer cryptographic module encrypts the second portion of the data packet, it applies a secondary or new metadata 20 to the fully encrypted data packet 10, in order to facilitate routing between the first network and second network.
[0079] The outer cryptographic module 7 is additionally configured to decrypt a second portion 8B of a received multi-layer encrypted data packet 10. This second portion may include the header 18 of the data packet. Alternatively, the second portion may include at least part of the header. The outer cryptographic module may be configured to decrypt an encrypted data packet to provide a partially decrypted data packet. The outer cryptographic module 7 is in communication with the inner security module 4, and configured to transmit the partially-decrypted data packet 9 to the inner security module 4. In some embodiments, the outer cryptographic module may be configured to fully encrypt/decrypt the outgoing/incoming data packet by doubling the encryption/decryption.
[0080] The encryption process uses a symmetric block encryption, such as the Advanced Encryption Standard (AES), for the transmission of the data packets. During the encryption process, the cryptographic modules 6 and 7 use an initiation process to establish a connection. This initial connection, also referred to as a handshake, is performed using asymmetric encryption; in some embodiments the asymmetric encryption is an asymmetric block encryption. Once the connection has been established, a symmetric encryption is used to encrypt the data packet. In some embodiments, the symmetric encryption is a symmetric block encryption. Alternatively or additionally, the symmetric encryption may include a stream cipher. The symmetric encryption may include at least one of, but is not limited to, an Advanced Encryption Standard (AES) algorithm, a Data Encryption Standard (DES) algorithm, an International Data Encryption Algorithm (IDEA), a Blowfish algorithm, a Rivest Cipher 4 (RC4) algorithm, a Rivest Cipher 5 (RC5) algorithm, or a Rivest Cipher 6 (RC6) algorithm. The system is capable of changing the encryption keys, ports and protocols through a defined synchronised process. This improves the system's resistance to machine learning attack systems.
[0081] The inner and outer cryptographic modules 6 and 7 thereby enable serial encryption. In serial encryption, both the metadata and the content data of packets are protected and can only be decrypted by another such system or device that includes cryptographic modules. Through using serial encryption, no data packet can be decrypted by conventional means by entities using other forms of systems. This keeps the information of the data packet secure and restricted to its intended target. With serial encryption enabled, the devices will automatically drop non-double-encrypted packets before processing, thus reducing the chances of success, and mitigating the effect, of a Denial of Service (DoS) and/or Distributed Denial of Service (DDoS) attack.
[0082] The use of strong encryption algorithms can result in performance issues and/or degradation. Although hardware provides the best performance, it must be capable of handling the algorithms; if software alone is utilised, performance suffers. In the present systems and methods, the use of Central Processing Units (CPUs) that provide AES-NI capability enables acceptable performance when implementing serial encryption.
Serial encryption/decryption of data
[0083] As discussed herein, it is a particular disadvantage of existing systems that they provide secure communications either by encrypting only the payload or content of the data packet, or by encrypting only the line of communication, such as through a VPN. Although an encrypted line of communication has often been considered sufficient for providing secure communication, especially if hardware systems are required, this is not particularly secure. Once the encryption of such a communication line has been compromised, the data packets become vulnerable to exposure. By performing encryption once, only the payload or content of the data packet is protected. Unfortunately, this enables unauthorised entities to study the metadata of the data packet and find possibilities and information to help in breaking the encryption.
[0084] Typically, multiple rounds of encryption have been avoided in the past as this has led to performance degradation, as was demonstrated with the Triple Data Encryption Standard (3DES). 3DES uses the Data Encryption Standard (DES) with three processing rounds. The systems and methods described herein are capable of performing stronger encryption algorithms with multiple rounds (or serial encryption) without experiencing significant performance loss. In a preferred embodiment, the method of encryption performs two rounds of an encryption algorithm in which the data payload is first encrypted, and then both the payload and the metadata are encrypted. After this, a new packet header is applied to the double encrypted packet.
[0085] The original metadata of the data packet is encrypted, and new metadata is created for routing. Encrypting the original metadata of the data packet further protects against additional information about the origin of the data packet being obtained by, or being useful to, malicious actors. Through this serial encryption method, it would only be possible to ascertain the information needed for routing purposes between the networks or devices. This allows the data packets to remain encrypted even if the first encryption is compromised.
[0086] The data packet is encrypted in two rounds, with each round of encryption being performed by a separate cryptographic module. The use of two separate cryptographic modules thereby enables both the data payload and the metadata of the data packet to be encrypted. The data payload is encrypted by the inner cryptographic module and transmitted to the outer cryptographic module, where the packet is encrypted again and newly created metadata (or added router information) is attached for routing to another secure network or device. The result of the serial encryption is that the transmitted information is protected by more than one layer of encryption. The only information exposed from the data packets is the device/network IP addresses. Whilst the encryption and decryption described herein refer to two rounds of encryption, it will be appreciated that the system may be configured to perform multiple rounds of encryption.
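The two-round serial encryption of [0074] to [0081] and [0084] to [0086], as an added example that is not the patent's own code: the inner layer seals the payload and leaves the header in clear for the inner firewall, the outer layer seals the header and inner ciphertext together and prepends new routing metadata, and the receiving outer module drops anything not carrying the serial marker ([0081]). It uses AES-GCM, an authenticated mode of the AES the page names (DES and RC4 from the page's list are deprecated and should not be chosen for new systems); the marker value, the 8-byte route format, the `layer` helper and the binding of the clear header and routing metadata as associated data are this example's assumptions, and keys are drawn at random in place of the page's handshake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	serialMagic uint16 = 0x5E4C // marks a serially encrypted packet; peers drop anything else ([0081]); value constructed
	routeLen           = 8      // new routing metadata 20 after the marker: src gateway(4) || dst gateway(4); format constructed
)

// layer is one cryptographic module's AES-GCM state; GCM authenticates, so tampering fails on decryption.
type layer struct{ aead cipher.AEAD }

func newLayer(key []byte) (*layer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &layer{g}, err
}

// seal returns nonce || ciphertext || tag; aad stays in clear but is authenticated.
func (l *layer) seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, l.aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key, altered ciphertext or altered aad fails.
func (l *layer) open(sealed, aad []byte) ([]byte, error) {
	if ns := l.aead.NonceSize(); len(sealed) >= ns {
		return l.aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, errors.New("sealed data shorter than nonce")
}

// InnerEncrypt (inner cryptographic module 6) encrypts the first portion 8A, the payload 16, and
// leaves header 18 in clear for the inner firewall 11. Result is packet 9: hdrLen(2) || header || sealed.
func InnerEncrypt(inner *layer, header, payload []byte) ([]byte, error) {
	sealed, err := inner.seal(payload, header) // header as AAD: this example's choice
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(header)+len(sealed))
	binary.BigEndian.PutUint16(out, uint16(len(header)))
	return append(append(out, header...), sealed...), nil
}

// OuterEncrypt (outer cryptographic module 7) encrypts the second portion 8B, here the whole of
// packet 9 including its header, then prepends the new routing metadata 20 (marker || route) as AAD.
func OuterEncrypt(outer *layer, route [routeLen]byte, partial []byte) ([]byte, error) {
	meta := make([]byte, 2, 2+routeLen)
	binary.BigEndian.PutUint16(meta, serialMagic)
	meta = append(meta, route[:]...)
	sealed, err := outer.seal(partial, meta)
	if err != nil {
		return nil, err
	}
	return append(meta, sealed...), nil
}

// OuterDecrypt drops anything not marked as serially encrypted ([0081]) and
// otherwise removes the outer layer, returning the route and packet 9.
func OuterDecrypt(outer *layer, wire []byte) (route, partial []byte, err error) {
	if len(wire) < 2+routeLen || binary.BigEndian.Uint16(wire) != serialMagic {
		return nil, nil, errors.New("dropped: not a serially encrypted packet")
	}
	partial, err = outer.open(wire[2+routeLen:], wire[:2+routeLen])
	return wire[2 : 2+routeLen], partial, err
}

// InnerDecrypt recovers header 18 and payload 16 of the original packet 8.
func InnerDecrypt(inner *layer, partial []byte) (header, payload []byte, err error) {
	if len(partial) < 2 || len(partial) < 2+int(binary.BigEndian.Uint16(partial)) {
		return nil, nil, errors.New("truncated partial packet")
	}
	n := 2 + int(binary.BigEndian.Uint16(partial))
	payload, err = inner.open(partial[n:], partial[2:n])
	return partial[2:n], payload, err
}

func main() {
	keys := make([]byte, 64) // constructed; real keys come from the handshake in [0080]
	rand.Read(keys)
	inner, _ := newLayer(keys[:32])
	outer, _ := newLayer(keys[32:])
	partial, _ := InnerEncrypt(inner, []byte("10.0.0.5>10.1.0.9"), []byte("hello from the first network"))
	wire, _ := OuterEncrypt(outer, [routeLen]byte{203, 0, 113, 1, 198, 51, 100, 1}, partial)
	fmt.Printf("%d bytes on the wire, only the routing metadata in clear: % x\n", len(wire), wire[:2+routeLen])
}
```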
[0087] Given the serial encryption, packets cannot be sent in the normal manner through networks such as the Internet. Routing issues arise when utilising a multi-encryption system. Accordingly, routing tables are required for local peer networks and for remote site networks. The tables can be provided by trusted peer networks and/or by a trusted central server acting similarly to a standard Domain Name System (DNS) server. Additionally, each site that is to use double encryption must communicate with another secure device or network that utilises serial encryption or a similar level of secure communication.
Firewalls
[0088] The inner security module 4 includes an inner firewall 11 configured to monitor incoming and outgoing traffic between the inner security module and the outer security module 5. The inner firewall 11 acts as a secondary firewall should the outer firewall 12 become compromised or successfully penetrated. The inner firewall may also be referred to herein as the first firewall. The outer security module 5 includes an outer firewall 12 configured to monitor incoming and outgoing traffic between the outer security module and the external network. The outer firewall 12 provides the outermost protection for the internal network. The outer firewall may also be referred to herein as the second firewall. The primary purpose of the outer firewall is to block all forms of traffic unless an exception has been made, or the traffic is return traffic from an ongoing session. In some embodiments, the default setting is to block all incoming traffic from external origins that was not requested.
[0089] In some embodiments, the outer firewall 12 may operate in the following modes:
• High Guard operation mode: Only allow traffic from other multi-layer encrypted devices;
• Low guard operation mode: Allow all traffic from acceptable origins;
• Shadow operation mode: Also referred to as bridge mode or stealth mode. In this capacity, the outer firewall does not obtain an IP address and helps provide obfuscation.
[0090] The inner firewall 11 and outer firewall 12 may be configured with a set of predetermined criteria for filtering traffic.
[0091] Although the use of firewalls obscures the ports and services, it is still possible to provide routing with peer networks or devices. Other systems and methods may use firewalls with VPN capabilities to form a secure tunnel of communication. However, in these systems, the second level of encryption does not exist. This can lead to the data payload being obtained or exposed to malicious actors should the communication line be compromised.
[0092] The system of the present invention provides a dual firewall capability which aids in blocking both unauthorised connections and unauthorised incoming/outgoing transmissions. The device provides added security by utilising two sets of firewalls, which allows for obfuscation. Obfuscation may refer to the capability to obscure the protocol ports (for example, TCP 22 or UDP 8080) of a network or a network connected device against unauthorised reconnaissance actions. This assists in masking information about the device/network being used, the purpose of the network, and the systems which may be in use. Ultimately, the obfuscation provided by the firewalls, along with the serial encryption, creates a secure backbone and node that facilitates more secure communications, makes the traffic more secure and makes the device or network less discoverable.
[0093] Obfuscation hides the internal network's IP ports from threats such as port scanning. Typically, attackers or botnets will perform reconnaissance through means such as port scans, trying to find a vulnerability that they can then exploit. The preferred method of reconnaissance by unauthorised entities is port scanning. Port scanning checks which protocol ports are open and thereby determines which communication or computer services are in use, and can even identify the operating system of a device. The outer firewall 12 is configured to obscure/resist port scan requests by denying the results of the port scan to the unauthorised entity. The outer firewall may act in a stealth mode, in which it has no IP or MAC address assigned and blocks most unauthorised traffic. The inner firewall is assigned an address to conduct normal Internet activity. With this arrangement, ports that are opened on either firewall to allow for external traffic are not identified by external sources.
[0094] The obfuscation provided by the firewalls may utilise static detection, which determines the behaviour of port scans and attempts to mask the results. Alternatively or additionally, obfuscation may be adaptive, using machine learning to detect behaviours and anomalies in real-time traffic in order to block the ports.
Advantages
[0095] The systems and methods of serial encryption provided by the invention create a platform which scales easily, provides interlinked encryption across distributed networks and adds key technological innovations to the field of cyber security technology. While many firewalls presently allow for basic ports to be scanned, providing obfuscation and making cyber appliances operate with a lower signature is a key technical advantage over existing systems.
[0096] Further, the adoption of encryption to the field of secure communications enables users to communicate with confidence over an increasingly untrusted hardware environment. With the introduction of concerns around vendors such as Huawei, the present invention provides a counter technology which returns confidence to the transmission medium. One of the foremost concerns around network collection of data relates to user metadata. Large tracts of legislation have been introduced globally around data collection and state actors find it highly useful. Obfuscating user metadata through hardware integration creates a simple and scalable approach to increasing privacy and security in a highly contested space. The double layer serial encryption provided by the present invention is highly preferable to a VPN which still transmits metadata across infrastructure, even if it is obscured at the proxy server.
[0097] The obfuscation of the ports and protocols by the firewalls provides protection against scans and an added measure should the communication encryption be defeated. The double encryption of the packets in transmission provides protection of both the data payload and metadata of a data packet. Accordingly, the combination of obfuscation and serial encryption enables the invention to provide improved security and privacy for communications between networks and devices.
[0098] The systems and methods allow conventional computer systems to compete against quantum computers by utilising quantum resistant algorithms. This will allow organisations and individuals to protect their data against well financed state actors utilising quantum computers, as well as extending the service life of conventional computing systems.
As the systems, methods and devices are used, bandwidth across networks will be improved as botnets and malware will be countered. Embodiments of the invention can provide a secure means of communication over the Internet.
Interpretation
[0099] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilising terms such as "processing," "computing," "calculating," “determining”, “analysing” or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities into other data similarly represented as physical quantities.
[00100] The methodologies described herein are, in one embodiment, performable by one or more processors that accept computer-readable (also called machine-readable) code containing a set of instructions that when executed by one or more of the processors carry out at least one of the methods described herein. Any processor capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken is included. Thus, one example is a typical processing system that includes one or more processors. Each processor may include one or more of a CPU, a graphics processing unit, and a programmable DSP unit. The processing system further may include a memory subsystem including main RAM and/or a static RAM, and/or ROM. A bus subsystem may be included for communicating between the components. The processing system further may be a distributed processing system with processors coupled by a network. If the processing system requires a display, such a display may be included, e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT) display. If manual data entry is required, the processing system also includes an input device such as one or more of an alphanumeric input unit such as a keyboard, a pointing control device such as a mouse, and so forth. The term memory unit as used herein, if clear from the context and unless explicitly stated otherwise, also encompasses a storage system such as a disk drive unit. The processing system in some configurations may include a sound output device, and a network interface device. The memory subsystem thus includes a computer-readable carrier medium that carries computer-readable code (e.g., software) including a set of instructions to cause performing, when executed by one or more processors, one or more of the methods described herein. Note that when the method includes several elements, e.g., several steps, no ordering of such elements is implied, unless specifically stated.
The software may reside in the hard disk, or may also reside, completely or at least partially, within the RAM and/or within the processor during execution thereof by the computer system. Thus, the memory and the processor also constitute computer-readable carrier medium carrying computer-readable code.
[00101] Reference throughout this specification to “one embodiment”, “some embodiments” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, appearances of the phrases “in one embodiment”, “in some embodiments” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner, as would be apparent to one of ordinary skill in the art from this disclosure, in one or more embodiments.
[00102] As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
[00103] In the claims below and the description herein, any one of the terms comprising, comprised of or which comprises is an open term that means including at least the elements/features that follow, but not excluding others. Thus, the term comprising, when used in the claims, should not be interpreted as being limitative to the means or elements or steps listed thereafter. For example, the scope of the expression a device comprising A and B should not be limited to devices consisting only of elements A and B. Any one of the terms including or which includes or that includes as used herein is also an open term that also means including at least the elements/features that follow the term, but not excluding others. Thus, including is synonymous with and means comprising.
[00104] It should be appreciated that in the above description of exemplary embodiments of the disclosure, various features of the disclosure are sometimes grouped together in a single embodiment, Figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claims require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this disclosure.
[00105] Furthermore, while some embodiments described herein include some, but not other, features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the disclosure, and form different embodiments, as would be understood by those skilled in the art. For example, in the following claims, any of the claimed embodiments can be used in any combination.
[00106] In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the disclosure may be practiced without these specific details. In other instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
[00107] Thus, while there has been described what are believed to be the preferred embodiments of the disclosure, those skilled in the art will recognise that other and further modifications may be made thereto without departing from the spirit of the disclosure, and it is intended to claim all such changes and modifications as fall within the scope of the disclosure. For example, any formulas given above are merely representative of procedures that may be used. Functionality may be added or deleted from the block diagrams and operations may be interchanged among functional blocks. Steps may be added or deleted to methods described within the scope of the present disclosure.

Claims

1. A security system for secure communication between a first network and a second network, the system comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt a first portion of at least one data packet to define a partially encrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt a second portion of the partially encrypted data packet to provide a fully encrypted data packet.
2. A security system according to claim 1, wherein the outer security module includes a second firewall in communication with the second network.
3. A security system according to claim 1 or claim 2, wherein the inner security module includes an inner analysis module, configured to receive and process the at least one data packet.
4. A security system according to claim 3, wherein the inner analysis module is at least one of an intrusion detection system and an intrusion prevention system.
5. A security system according to any one of the preceding claims, wherein the outer security module includes an outer analysis module, configured to receive and process incoming and outgoing traffic between the outer security module and the second network.
6. A security system according to claim 5, wherein the outer analysis module is at least one of an intrusion detection system and an intrusion prevention system.
7. A security system according to any one of the preceding claims wherein the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption.
8. A security system according to claim 7 wherein the symmetric encryption includes symmetric block encryption.
9. A security system according to any one of the preceding claims wherein the first network is an internal network.
10. A security system according to any one of the preceding claims wherein the second network is an external network.
11. A security system according to any one of the preceding claims wherein the first network is an electronic device.
12. A security system according to any one of the preceding claims wherein the at least one data packet includes a header and a payload.
13. A security system according to claim 12 wherein the first portion of the at least one data packet is the header.
14. A security system according to claim 12 or claim 13 wherein the second portion of the at least one data packet is the payload.
15. A security system according to any one of the preceding claims, wherein the second cryptographic module is configured to apply new metadata to the fully encrypted data packet.
16. A security system for secure communication between a first network and a second network, the system comprising: an outer security module in communication with the second network, the outer security module including: a second cryptographic module configured to decrypt a second portion of at least one fully encrypted data packet to provide a partially decrypted data packet; an inner security module in communication with the outer security module and the first network, including: a first cryptographic module configured to decrypt a first portion of the partially decrypted data packet to provide a fully decrypted data packet; and a first firewall in communication with the first cryptographic module and the outer security module, the first firewall configured to process the partially decrypted data packet.
17. A device for secure communication between a first network and a second network, the device comprising: an inner security module in communication with the first network, including: a first cryptographic module configured to encrypt or decrypt a first portion of at least one data packet to define a partially encrypted or partially decrypted data packet; and a first firewall connected to the first cryptographic module, the first firewall configured to process the partially encrypted or partially decrypted data packet; an outer security module in communication with the inner security module and the second network, the outer security module including: a second cryptographic module configured to encrypt or decrypt a second portion of the data packet to provide a fully encrypted or fully decrypted data packet.
18. A method for secure communication between a first network and a second network, the method comprising: f) receiving at least one data packet at an inner security module; g) encrypting a first portion of the data packet with a first cryptographic module, disposed within the inner security module; h) processing the data packet through a first firewall in communication with the first cryptographic module and an outer security module; i) receiving the data packet at the outer security module; and j) encrypting a second portion of the data packet with a second cryptographic module to provide a fully encrypted data packet.
19. A method according to claim 18, further including the step of processing the data packet through a second firewall in communication with the second network and the outer security module.
20. A method according to claim 18 or 19, wherein the inner security module includes an inner analytical process module, configured to inspect the at least one data packet.
21. A method according to any one of claims 18 to 20, wherein the inner analytical process module is at least one of an intrusion detection system and an intrusion prevention system.
22. A method according to any one of claims 18 to 21 wherein the first cryptographic module and/or the second cryptographic module are configured to perform encryption using symmetric encryption.
23. A method according to claim 22 wherein the symmetric encryption includes symmetric block encryption.
24. A method according to any one of claims 18 to 23 wherein the first network is an internal network, and the second network is an external network.
25. A method according to any one of claims 18 to 24 wherein the first network is an electronic device.
26. A method according to any one of claims 18 to 25 wherein the at least one data packet includes a header and a payload.
27. A method according to claim 26 wherein the first portion of the at least one data packet is the payload.
28. A method according to claim 26 or claim 27 wherein the second portion of the at least one data packet is the header.
29. A method according to any one of claims 18 to 28, further including the step of applying new metadata to the fully encrypted data packet.
30. A method for secure communication between a first network and a second network, the method comprising: f) receiving at least one data packet at an outer security module; g) decrypting a second portion of the data packet with a second cryptographic module, disposed within the outer security module; h) processing the data packet through an outer firewall in communication with the second cryptographic module and an inner security module; i) receiving the data packet at the inner security module; and j) decrypting a first portion of the data packet with a first cryptographic module to provide a fully decrypted data packet.
PCT/AU2022/050562 2021-06-09 2022-06-08 Systems, methods and devices for secure communication WO2022256866A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2021901725 2021-06-09
AU2021901725A AU2021901725A0 (en) 2021-06-09 Systems, methods and devices for secure communication

Publications (1)

Publication Number Publication Date
WO2022256866A1 true WO2022256866A1 (en) 2022-12-15

Family

ID=84424470

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2022/050562 WO2022256866A1 (en) 2021-06-09 2022-06-08 Systems, methods and devices for secure communication

Country Status (1)

Country Link
WO (1) WO2022256866A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100191958A1 (en) * 2006-09-29 2010-07-29 Panasonic Corporation Method and network device for processing nested internet protocol security tunnels
US20180227395A9 (en) * 2011-11-11 2018-08-09 Pismo Labs Technology Limited Methods and systems for creating protocol header for embedded layer two packets
US20200036610A1 (en) * 2018-07-24 2020-01-30 Cisco Technology, Inc. Secure traffic visibility and analytics for encrypted traffic
US20200304477A1 (en) * 2019-03-21 2020-09-24 ColorTokens, Inc. Fully cloaked network communication model for remediation of traffic analysis based network attacks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22818988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE