System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet
    1.
    Granted patent (in force)

    Publication (announcement) number: US08631244B1

    Publication (announcement) date: 2014-01-14

    Application number: US13207651

    Filing date: 2011-08-11

    IPC classification: H04L29/06

    Abstract: A system for preventing computer malware from exfiltrating data from a user computer in a network via the internet. A host-based network process monitor intercepts network traffic information from the user computer and transmits a network request carrying user and application information, including the network traffic information. An authorization server cooperates with the host-based network process monitor to i) verify whether the user and process in the network request should have network access, and ii) cryptographically sign the intercepted network traffic information with an authorization server key, thereby authorizing network access for that traffic. A firewall system, operably connected to the user computer and the authorization server, is configured to inspect the network traffic information from the user computer and reject any traffic not signed with the authorization server key.

    Scalable distributed software defined radio (SDR) and mission computing architecture
    2.
    Granted patent (in force)

    Publication (announcement) number: US08160251B1

    Publication (announcement) date: 2012-04-17

    Application number: US11488995

    Filing date: 2006-07-19

    IPC classification: G06F21/00

    CPC classification: H04L63/0485

    Abstract: A system providing a scalable distributed operating environment. The system may include a cryptographic module for encrypting communications for transmission over an external network. More than one classified processor may be communicatively coupled to the cryptographic module for handling classified processes and information, and more than one unclassified processor may likewise be communicatively coupled to the cryptographic module for handling unclassified processes and information. The number of classified and unclassified processors activated upon selection of a waveform depends on the complexity of the waveform.

    System for extending Multiple Independent Levels of Security (MILS) partitioning to input/output (I/O) devices
    4.
    Granted patent (in force)

    Publication (announcement) number: US07676608B1

    Publication (announcement) date: 2010-03-09

    Application number: US11637489

    Filing date: 2006-12-12

    IPC classification: G06F3/00

    Abstract: The present invention is a system for providing Multiple Independent Levels of Security (MILS) partitioning. The system includes a memory, a bus controller communicatively coupled to the memory via a memory bus, and a MILS controller communicatively coupled to the bus controller via a host-side bus, the MILS controller being configured to monitor and control system transactions. The system further includes a plurality of input/output (I/O) devices communicatively coupled to the MILS controller via a plurality of corresponding device-side buses, and a MILS separation kernel configured to map regions of the memory to a plurality of user partitions. Each I/O device is allocated to one of the partitions and is isolated from MILS separation kernel space. The MILS separation kernel is configured to guarantee isolation of the memory partitions. The system further includes a processor connected to the bus controller via a processor front-side bus. The MILS controller is configured to extend MILS partitioning to the plurality of I/O devices.

    Software defined radio computing architecture
    5.
    Granted patent (in force)

    Publication (announcement) number: US07509141B1

    Publication (announcement) date: 2009-03-24

    Application number: US11239668

    Filing date: 2005-09-29

    IPC classification: G06F13/00 H04Q11/00

    Abstract: An improved architectural approach for implementing a low-power, scalable topology for a software defined radio (SDR). Low-power processors and switching elements forming building blocks are employed in an embedded switched-fabric architecture network having a repeating building-block topology that advantageously employs wormhole routing and has self-healing, fail-safe properties. Differential signaling is used, and data rates in excess of 250 Mbps are possible. In one embodiment a dual civilian and military channel SDR is disclosed; in other embodiments, a plurality of independent SDR channels, with or without encryption, are disclosed. A plurality of different topologies are disclosed, including toroidal topologies having a planar topology with orthogonal connections, a planar topology with orthogonal and diagonal connections, and a cube topology with both orthogonal and/or diagonal connections.

    Mechanism to enhance and enforce multiple independent levels of security in a microprocessor memory and I/O bus controller
    6.
    Granted patent (in force)

    Publication (announcement) number: US07779254B1

    Publication (announcement) date: 2010-08-17

    Application number: US11314981

    Filing date: 2005-12-21

    IPC classification: H04L29/06

    CPC classification: G06F21/85 G06F21/74

    Abstract: The present invention is a system and a method for extending multiple independent levels of security to a plurality of input/output buses and to the components connected to those buses. In an exemplary embodiment, the system may include a processing unit suitable for operation at a plurality of security levels. A bus controller including security control logic may be coupled to the processing unit to restrict access and the flow of information between the physical memory and the plurality of buses. The bus controller may employ base address registers to allocate and map the physical memory, thereby controlling which partitions of the physical memory are accessible to each of the plurality of buses and thus to any device connected to at least one of those buses.

    Power manageable scalable distributed multiple independent levels of security (MILS) computing platform
    7.
    Granted patent (in force)

    Publication (announcement) number: US07607032B1

    Publication (announcement) date: 2009-10-20

    Application number: US11489007

    Filing date: 2006-07-19

    IPC classification: G06F1/00 H04L29/06

    Abstract: A multiple-security-level, power-managed processing system and a method of managing power consumption in a multi-security-level system are disclosed. The system includes a plurality of nodes, each having a processor, associated memory and a processor interface. Individual processors may include multiple independent processing security levels, such as a first processing level and a second processing level. A MILS processor-to-processor network connects the plurality of processors. The system may be configured to distribute an application among the processing levels corresponding to a specific level of security. Power management profiles are used to control operation of the processors so as to maximize power efficiency while meeting security criteria.

    Embedded MILS network
    8.
    Granted patent (in force)

    Publication (announcement) number: US07509434B1

    Publication (announcement) date: 2009-03-24

    Application number: US11340096

    Filing date: 2006-01-26

    IPC classification: G06F15/173

    CPC classification: H04L63/105

    Abstract: A method for transmitting information having different classification levels within an interconnection network includes transmitting a data word, carrying encoded information that indicates a classification level, to a processing environment that itself has a classification level. The encoded information is examined to ascertain the indicated classification level. The classification level of the processing environment is verified by comparing it with the indicated classification level, and the data word is delivered to the processing environment only upon successful verification. An interconnection network for transmitting the data words includes a switched-fabric topology with serializer/deserializer devices interconnected by router blocks. A node for connecting to the interconnection network includes a network interface module linking the interconnection network and the processing environment. The network interface module examines data words to ascertain their classification level, verifies the classification level of the processing environment, and delivers the data words to the processing environment upon verification.