公开(公告)号：US09766986B2

公开(公告)日：2017-09-19

申请号：US14011642

申请日：2013-08-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Robert A. Joyce ,  Carl Manson ,  Hajime Inoue ,  Kenneth J. Thurber

IPC: H04L29/06 ,  G06F11/14 ,  G06F9/455 ,  G06F9/46 ,  G06F21/60

CPC classification number: G06F11/1469 ,  G06F9/45533 ,  G06F9/466 ,  G06F21/606 ,  H04L63/145

Abstract: A server system receives messages from client computing devices. Each of the messages corresponds to a transaction. The server system assigns each respective transaction to a respective fresh virtual machine. Furthermore, the server system performs, as part of a respective virtual machine processing a respective transaction, a modification associated with the respective transaction to a shared database. The shared database is persisted independently of the plurality of virtual machines. In response to determining that processing of the respective transaction is complete, the server system discards the respective virtual machine. In response to determining that the respective transaction is associated with a cyber-attack, the server system uses checkpoint data associated with the respective transaction to roll back the modifications associated with the respective transaction to the shared database.

公开(公告)号：US20150046405A1

公开(公告)日：2015-02-12

申请号：US14011642

申请日：2013-08-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Robert A. Joyce ,  Carl Manson ,  Hajime Inoue ,  Kenneth J. Thurber

IPC: G06F11/14 ,  G06F9/46 ,  G06F21/60 ,  G06F9/455

CPC classification number: G06F11/1469 ,  G06F9/45533 ,  G06F9/466 ,  G06F21/606 ,  H04L63/145

Abstract: A server system receives messages from client computing devices. Each of the messages corresponds to a transaction. The server system assigns each respective transaction to a respective fresh virtual machine. Furthermore, the server system performs, as part of a respective virtual machine processing a respective transaction, a modification associated with the respective transaction to a shared database. The shared database is persisted independently of the plurality of virtual machines. In response to determining that processing of the respective transaction is complete, the server system discards the respective virtual machine. In response to determining that the respective transaction is associated with a cyber-attack, the server system uses checkpoint data associated with the respective transaction to roll back the modifications associated with the respective transaction to the shared database.

Abstract translation: 服务器系统从客户端计算设备接收消息。 每个消息都对应一个事务。 服务器系统将每个相应的事务分配给相应的新鲜虚拟机。 此外，服务器系统作为处理相应事务的相应虚拟机的一部分执行与相应事务相关联的修改到共享数据库。 独立于多个虚拟机来保持共享数据库。 响应于确定相应交易的处理完成，服务器系统丢弃相应的虚拟机。 响应于确定相应的交易与网络攻击相关联，服务器系统使用与相应交易相关联的检查点数据来将与相应交易相关联的修改回滚到共享数据库。

公开(公告)号：US09473526B2

公开(公告)日：2016-10-18

申请号：US14809926

申请日：2015-07-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: H04L9/00 ,  H04L29/06 ,  G06F9/455 ,  G06F21/55

CPC classification number: H04L63/1441 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/20

Abstract: A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.

公开(公告)号：US09094449B2

公开(公告)日：2015-07-28

申请号：US14165368

申请日：2014-01-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: H04L29/06 ,  G06F9/455 ,  G06F21/55

CPC classification number: H04L63/1441 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/20

Abstract: A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.

Abstract translation: 描述了一个可行的网络，其中一个或多个网络设备包括增强的功能以打击网络攻击。 描述了直通节点（FTN），其可以是增强具有生存性属性的现有网络的组合硬件/软件系统。 网络节点包括具有一组一个或多个处理单元的硬件处理系统，在每个处理单元上执行的管理程序，以及在每个管理程序上执行的多个虚拟机。 网络节点包括应用级调度器，用于从与多个客户端的多个网络通信会话中接收多个事务请求，并将每个事务请求的副本分发给在网络节点上执行的多个虚拟机 多个时间步骤来形成虚拟机的处理流水线。

公开(公告)号：US09769250B2

公开(公告)日：2017-09-19

申请号：US14791089

申请日：2015-07-02

Applicant: Architecture Technology Corporation

Inventor： Judson Powers ,  Stephen K. Brueckner ,  Robert A. Joyce ,  Kenneth J. Thurber

IPC: H04L29/06 ,  H04L29/08 ,  G06F17/30 ,  G06F11/14 ,  G06F9/46 ,  G06F21/60 ,  G06F21/55 ,  G06F9/455

CPC classification number: H04L67/10 ,  G06F9/466 ,  G06F11/1438 ,  G06F11/1464 ,  G06F11/1469 ,  G06F11/1471 ,  G06F11/1474 ,  G06F11/1484 ,  G06F17/3051 ,  G06F21/55 ,  G06F21/606 ,  G06F2009/4557 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2201/815 ,  H04L63/1441 ,  H04L63/145

Abstract: A server system receives messages from client computing devices. Each of the messages corresponds to a transaction. The server system assigns each respective transaction to a respective fresh virtual machine. Furthermore, the server system performs, as part of a respective virtual machine processing a respective transaction, a modification associated with the respective transaction to a shared database. The shared database is persisted independently of the plurality of virtual machines. In response to determining that processing of the respective transaction is complete, the server system discards the respective virtual machine. In response to a trigger, such as determining that the respective transaction is associated with a cyber-attack, the server system uses checkpoint data associated with the respective transaction to roll back the modifications associated with the respective transaction to the shared database.

公开(公告)号：US20150334130A1

公开(公告)日：2015-11-19

申请号：US14809926

申请日：2015-07-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/1441 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/20

Abstract: A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.

Abstract translation: 描述了一个可行的网络，其中一个或多个网络设备包括增强的功能以打击网络攻击。 描述了直通节点（FTN），其可以是增强具有生存性属性的现有网络的组合硬件/软件系统。 网络节点包括具有一组一个或多个处理单元的硬件处理系统，在每个处理单元上执行的管理程序，以及在每个管理程序上执行的多个虚拟机。 网络节点包括应用级调度器，用于从与多个客户端的多个网络通信会话中接收多个事务请求，并将每个事务请求的副本分发给在网络节点上执行的多个虚拟机 多个时间步骤来形成虚拟机的处理流水线。

公开(公告)号：US20140310810A1

公开(公告)日：2014-10-16

申请号：US14165368

申请日：2014-01-27

Applicant: Architecture Technology Corporation

Inventor： Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/1441 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/20

Abstract: A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.

Abstract translation: 描述了一个可行的网络，其中一个或多个网络设备包括增强的功能以打击网络攻击。 描述了直通节点（FTN），其可以是增强具有生存性属性的现有网络的组合硬件/软件系统。 网络节点包括具有一组一个或多个处理单元的硬件处理系统，在每个处理单元上执行的管理程序，以及在每个管理程序上执行的多个虚拟机。 网络节点包括应用级调度器，用于从与多个客户端的多个网络通信会话中接收多个事务请求，并将每个事务请求的副本分发给在网络节点上执行的多个虚拟机 多个时间步骤来形成虚拟机的处理流水线。

公开(公告)号：US20130325889A1

公开(公告)日：2013-12-05

申请号：US13965007

申请日：2013-08-12

Applicant: Architecture Technology Corporation

Inventor： Kenneth J. Thurber ,  Robert A. Joyce ,  Julia A. Baker

IPC: G06F17/30

CPC classification number: G06F17/30011 ,  G06F21/64 ,  H04L29/0687 ,  H04L63/105 ,  H04L63/12

Abstract: This disclosure describes techniques for dynamically assembling and utilizing a pedigree of a resource. A pedigree of a resource is a set of statements that describe a provenance of the resource. As described herein, a document may include local pedigree fragments and optionally one or more pointers to remote pedigree fragments not locally stored in the document. A pedigree fragment, generally, is a data structure that specifies a direct relationship between a first resource, e.g., a primary resource, and a second resource from which an asserted fact of the first resource is derived. Because a pedigree fragment specifies such direct relationships, a set of pedigree fragments may be used to assemble the complete pedigree of resource.

Abstract translation: 本公开描述了用于动态组合和利用资源谱系的技术。 资源的血统是描述资源来源的一组语句。 如本文所述，文档可以包括本地谱系片段和可选地一个或多个指向远程谱系片段的指向，而不是本地存储在文档中。 通常，谱系片段是指定第一资源（例如，主资源）和从其导出第一资源的断言事实的第二资源之间的直接关系的数据结构。 因为一个谱系片段指定了这样的直接关系，所以可以使用一组谱系片段来组合完整的资源谱系。

公开(公告)号：US09838415B2

公开(公告)日：2017-12-05

申请号：US15295778

申请日：2016-10-17

Applicant: Architecture Technology Corporation

Inventor： Judson Powers ,  Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/55 ,  G06F9/455

CPC classification number: H04L63/1441 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/02 ,  H04L63/1416 ,  H04L63/20

Abstract: A network node includes enhanced functionality to fight through cyber-attacks. A plurality of virtual machines run at the network node. The network node receives a plurality of transaction requests and distributes a copy of each of the transaction requests to the plurality of virtual machines over a plurality of time steps. Based on the first virtual machine having executed (n) transaction requests in the plurality of transaction requests, the node detects whether any of the virtual machines has been compromised. In response to detecting the plurality of virtual machines includes a compromised virtual machine, the network node isolates the compromised virtual machine. Furthermore, after isolating the compromised virtual machine, the network node may receive a subsequent transaction request and dispatch the subsequent transaction request to the compromised virtual machine. The compromised virtual machine may execute the subsequent transaction request.

公开(公告)号：US20170034198A1

公开(公告)日：2017-02-02

申请号：US15295778

申请日：2016-10-17

Applicant: Architecture Technology Corporation

Inventor： Judson Powers ,  Stephen K. Brueckner ,  Kenneth J. Thurber

IPC: H04L29/06

CPC classification number: H04L63/1441 ,  G06F9/45558 ,  G06F21/552 ,  G06F2009/45587 ,  H04L63/02 ,  H04L63/1416 ,  H04L63/20

Abstract: A network node includes enhanced functionality to fight through cyber-attacks. A plurality of virtual machines run at the network node. The network node receives a plurality of transaction requests and distributes a copy of each of the transaction requests to the plurality of virtual machines over a plurality of time steps. Based on the first virtual machine having executed (n) transaction requests in the plurality of transaction requests, the node detects whether any of the virtual machines has been compromised. In response to detecting the plurality of virtual machines includes a compromised virtual machine, the network node isolates the compromised virtual machine. Furthermore, after isolating the compromised virtual machine, the network node may receive a subsequent transaction request and dispatch the subsequent transaction request to the compromised virtual machine. The compromised virtual machine may execute the subsequent transaction request.

Abstract translation: 网络节点包括增强的功能，以打击网络攻击。 多个虚拟机在网络节点运行。 网络节点接收多个事务请求，并且通过多个时间步骤将每个事务请求的副本分发给多个虚拟机。 基于在多个事务请求中执行（n）个事务请求的第一虚拟机，该节点检测虚拟机中的任一个是否已被破坏。 响应于检测到多个虚拟机包括受损的虚拟机，网络节点隔离受损的虚拟机。 此外，在隔离受损的虚拟机之后，网络节点可以接收后续的事务请求，并将后续的事务请求发送到受感染的虚拟机。 被破坏的虚拟机可以执行后续的事务请求。