WO2022017582A1 - Method and system for securing data communication in a computing environment - Google Patents
- Publication number: WO2022017582A1 (application PCT/EP2020/070523)
- Authority: WO (WIPO (PCT))
- Prior art keywords: data packet, node, terminal node, nodes, request
- Prior art date
Classifications
- Sections: G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- G06F21/606—Protecting data by securing the transmission between two devices or processes (under G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60—Protecting data)
- H04L63/12—Applying verification of the received information (under H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/141—Setup of application sessions (under H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/14—Session management)
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] (under H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
Definitions
- the present invention generally relates to the field of computing systems, and more particularly relates to a method and system for securing data communication in a computing environment.
- IDS Intrusion Detection System
- the IDS is associated with an enterprise and has a list of known signatures of known viruses and worms, and other common attacks.
- the IDS searches each packet it receives for the known signatures, and thereby detects when the enterprise is being "attacked" by a virus, worm or any other attack which has a known signature.
- the IDS notifies a security operations center ("SOC"), and the SOC will check that the proper anti-virus, anti-worm or other intrusion protection software is currently installed in the enterprise or customer network.
- SOC security operations center
- a terminal server in a technical installation may be connected to a centralized server via one or more routers for communication and exchange of data packets or files.
- file transfer protocols such as FTP or SFTP are used.
- the connection between the terminal server and the centralized server is point-to-point and uses the TCP/IP protocol.
- the FTP connection between these two points is based on user-defined credentials, and sometimes, for remote assistance, a public key infrastructure (PKI) is used.
- PKI public key infrastructure
- in SFTP communication, a pre-shared public/private key pair based on RSA encryption is used for authentication. In such cases, the security of data in transit, i.e. the transport communication, is not high, and hence it is vulnerable to 'man in the middle' attacks or any other kind of data hack.
- a skilled hacker can track and sniff the data traffic flow between the centralized server node and the terminal node of any industry.
- the eavesdropped traffic can be analyzed and decoded to such extent that it can give enough information about the deployed systems.
- the details of terminal servers, operating system and other details of the terminal node can be fetched.
- the antivirus pattern or patch can be replaced or modified with some malware, malicious codes or malicious executables.
- these patterns are then installed on the terminal servers, application servers and other technical servers of several technical installations in one go, causing severe consequences and drawbacks.
- the extent of damage can be calculated; however, it shall definitely end up with serious damage to critical infrastructure and to the reputation of the enterprise as well.
- the object of the present invention is achieved by a method for securing data communication in a computing environment.
- the method comprises establishing a communication session with a terminal node based on a first request from the terminal node. Further, the method comprises receiving a second request for transmission of a data packet from the terminal node when the communication session is established with the terminal node. Also, the method comprises determining the corresponding data packet requested for transmission based on the received second request. Furthermore, the method comprises modifying the determined data packet before transmission based on one or more security criteria. Additionally, the method comprises transmitting the modified data packet to the terminal node in response to the received second request.
- the method comprises receiving an acknowledgement packet from the terminal node in response to the transmission of the modified data packet. Also, the method comprises validating the acknowledgement packet received from the terminal node based on one or more set criteria. The method comprises providing access to the modified data packet based on the successful validation. Further, the method comprises rejecting the second request if the validation of the acknowledgment packet received from the terminal node fails. Furthermore, the method comprises denying access to the modified data packet upon rejecting the second request.
- the method in establishing the communication session with the terminal node based on the first request from the terminal node, comprises receiving the first request for establishing the communication session from the terminal node via a network.
- the method comprises extracting one or more parameters associated with the terminal node from the received first request.
- the method comprises authenticating the extracted one or more parameters associated with the terminal node based on a prestored corresponding one or more parameters associated with the terminal node.
- the method comprises establishing the communication session with the terminal node upon successful authentication of the extracted one or more parameters associated with the terminal node.
- the method in determining the corresponding data packet requested for transmission based on the received second request, comprises obtaining information related to the requested data packet by parsing the received second request. The method further comprises comparing the obtained information related to the requested data packet with one or more lists of data packets. Also, the method comprises retrieving the data packet matching the obtained information related to the requested data packet based on the comparison.
- the method in modifying the determined data packet before transmission based on the one or more security criteria, comprises determining one or more properties associated with the determined data packet. The method further comprises determining whether the one or more properties associated with the determined data packet meet the one or more security criteria. Also, the method comprises appending a temporary security bit to the determined data packet if the one or more properties associated with the determined data packet meet the one or more security criteria.
- the method comprises rejecting the second request for transmission of the data packet if the one or more properties associated with the determined data packet fail to meet the one or more security criteria.
- the method in transmitting the modified data packet to the terminal node in response to the received second request, comprises determining a first random path for transmission of the modified data packet to a relay node.
- the first random path comprises an encryption key, one or more addresses and an identifier of one or more network nodes in a predefined manner.
- the one or more network nodes routes the modified data packet to the relay node.
- the method further comprises transmitting the modified data packet to the relay node based on the determined first random path.
- the method comprises determining a second random path for transmission of the modified data packet from the relay node to the terminal node (110A-N) based on the address of the terminal node and one or more random communication channels existing between the relay node and the terminal node.
- the method further comprises transmitting the modified data packet from the relay node to the terminal node based on the determined second random path.
- the method in transmitting the modified data packet to the relay node based on the determined first random path, comprises transmitting the modified data packet to one of the radio nodes based on the determined first random path. Further, the method comprises obtaining the address of the subsequent radio node, for routing the modified data packet to that node, by parsing the content of the modified data packet. Also, the method comprises repeating the steps above until the modified data packet reaches the relay node.
- the one or more addresses of the one or more radio nodes (204A-N) comprised in the first random path comprises a multi-layer network domain extension.
- the method in determining the first random path for transmission of the modified data packet to the relay node, comprises verifying the determined first random path based on one or more validation conditions. Also, the method comprises determining whether the verified first random path is non-repetitive with respect to previously used paths.
- the object of the present invention is also achieved by a computing system for securing data communication in a computing environment.
- the computing system may comprise one or more processors and a memory coupled to the one or more processors.
- the memory comprises a communication management module stored in the form of machine-readable instructions and executable by the one or more processors.
- the communication management module is configured for performing the method described above.
- the object of the invention can also be achieved by a multi-layer communication network.
- the multi-layer communication network comprises a computing system communicatively coupled to a source node and one or more radio nodes via a communication channel.
- the computing system comprises a communication management module configured for securing communication between the source node and a terminal node.
- the multi-layer communication network also comprises one or more radio nodes communicatively coupled to the computing system and one or more relay nodes.
- the one or more radio nodes are configured for routing a data packet from the source node to the one or more relay nodes.
- the multi-layer communication network comprises the one or more relay nodes communicatively coupled to the one or more radio nodes and the terminal node.
- the one or more relay nodes are configured for delivering the data packet to the terminal node via a communication channel.
- the object of the invention can also be achieved by a computing environment comprising one or more technical installations.
- the one or more technical installations further comprise one or more terminal nodes configured for receiving one or more data packets from one or more source nodes.
- the computing environment comprises a multilayer network of nodes communicatively coupled to the one or more technical installations and the one or more source nodes. Additionally, the computing environment comprises one or more source nodes communicatively coupled to the multilayer network of nodes.
- the object of the invention can also be achieved by a computer program product, having machine-readable instructions stored therein, that when executed by a processor, causes the processor to perform the method steps as described above.
- FIG 1 is a schematic representation of a computing environment capable of securing data communication, according to an embodiment of the present invention.
- FIG 2 is a detailed view of the schematic representation of a computing environment capable of securing data communication, according to an embodiment of the present invention.
- FIG 3 is a block diagram of a multilayer network of nodes such as those shown in FIG 1 and FIG 2, depicting various components to implement embodiments of the present invention.
- FIG 4 is a block diagram of a computing system such as those shown in FIG 2 and FIG 3, depicting various components to implement embodiments of the present invention.
- FIG 5 is a block diagram of a communication management module, such as those shown in FIG 3 and FIG 4, capable of securing data communication, according to an embodiment of the present invention.
- FIG 6 is a process flowchart illustrating an exemplary method of securing data communication, according to an embodiment of the present invention.
- FIG 1 is a schematic representation of a computing environment 100 capable of securing data communication, according to an embodiment of the present invention. Particularly, FIG 1 depicts a source computing system 106A-N which is capable of delivering data packets for managing a technical installation 108A-N.
- the source computing system 106A-N is connected to one or more terminal nodes 110A-N at the technical installation 108A-N via a multilayer network of nodes 104A-N and a network 106A-N.
- the network 106A-N may comprise a virtual private network (VPN).
- the source computing system 106A-N may be a server, such as a common remote service platform.
- the source computing system 106A-N is used for patch transfer, antivirus signature transfer and remote support to the technical installation 108A-N.
- each of the source computing systems 106A-N from geographical locations A-N is connected by the multilayer network of nodes 104A-N (also referred to herein as a beehive network). Such connectivity is powered by strong algorithms and a network architecture intended to address the vulnerabilities of the existing network.
- the multilayer network of nodes 104A-N also referred herein as beehive network, is represented as a generally hexagonal planform; however, other shapes may be used depending on particular functional and aesthetic requirements of a given installation. Usable shapes include, without limitation, rectangular, circular, or octagonal planforms.
- a beehive network of nodes 104A-N may serve a variety of communication needs, depending in part on the type of modules installed.
- the beehive network of nodes 104A-N may be configured to serve wireless data networking needs.
- the beehive network of nodes 104A-N may also serve mobile telephony needs, such as cell phones.
- the beehive network of nodes 104A-N may be configured to provide emergency services communications.
- the beehive network of nodes 104A-N may route and aggregate telephone, data, emergency services or other communications to one or more communications satellites which forwards the communications to a data network or a voice network.
- beehive network of nodes 104A-N may route and aggregate telephone or data communications to another beehive, data network 106A-N or voice network directly via wired or wireless connections.
- beehive network of nodes 104A-N may communicate directly or indirectly with a data network 106A-N, a wide-area network for corporate communications; and a local area network supporting a technical installation.
- the beehive network of nodes 104A-N works on 16-bit/32-bit character-encoded addressing to evade prediction, hacks, address spoofing and traceability.
- the beehive structure is designed to adjust to congestion, as each node 104A-N has at least three paths available to forward the data packets.
- a detailed view of the beehive network of nodes 104A-N is illustrated in FIG 3.
- the technical installation 108A-N comprises one or more terminal nodes 110A-N.
- the terminal nodes 110A-N are network computers configured for communicating data packets and installing one or more network patches or patterns from the source computing system 102A-N.
- the terminal nodes 110A-N and the source computing system 102A-N may comprise an interface, hardware and an OS, and a platform.
- the hardware and OS may include one or more servers on which an operating system (OS) is installed.
- the one or more servers comprise one or more processing units, one or more storage devices for storing data, and other peripherals required for providing cloud functionality.
- the platform is a platform which implements functionalities such as data storage, data analysis, data processing, data management, data validation, data visualization, data communication on the hardware and OS via APIs and algorithms and delivers the aforementioned services using artifacts.
- the platform may comprise a combination of dedicated hardware and software built on top of the hardware and
- the source computing system 106A-N and the terminal nodes 110A-N may comprise a plurality of servers or processors (also known as 'infrastructure'), which are geographically distributed and connected with each other via the network 104A-N and the network 106A-N.
- a dedicated platform is installed on the servers/processors for providing the above functionality as an application (hereinafter referred to as 'software application').
- the platform may comprise a plurality of software programs executed on one or more servers or processors of the source computing system 106A-N and the terminal nodes 110A-N to enable delivery of the requested data packets to each other.
- FIG 2 is a detailed view of schematic representation of a computing environment 100 capable of securing data communication, according to an embodiment of the present invention.
- the source computing system 102 at a particular geographic location is connected to the multilayer network of nodes 104 via a firewall 208A-N through the network 210A-B.
- the multilayer network of nodes 104 comprises a mutation controller 202, one or more radio nodes 204A-N, and one or more relay nodes 206A-N.
- A detailed view of the multilayer network of nodes 104 is illustrated in FIG 3.
- the one or more multilayer network of nodes 104 further connects the source computing system 102 to the one or more terminal nodes 110A-N via a communication channel 106 and a firewall 208N.
- the communication channel 106 may be one or more virtual networks 106.
- the firewall 208A-N restricts or filters the data packet received for security reasons.
- the terminal nodes 110A-N further receive the data packet transmitted by the source computing system 102.
- FIG 3 is a block diagram of a multilayer network of nodes 104 such as those shown in FIG 1 and FIG 2, depicting various components to implement embodiments of the present invention.
- the one or more multilayer network of nodes 104 comprises a mutation controller 202, one or more radio nodes 204A-N, and one or more relay nodes 206A-N.
- each of the radio nodes 204A-N, which are the beehive nodes, is responsive to a beehive node only, and has a layered data structure with one layer for each of the beehive routers in the pathway.
- Each layer of the multi-layer network of nodes, which is the beehive, comprises an encryption of the identity of the next beehive router in the pathway.
- the one or more radio nodes 204A-N are the nodes which transfer the data packets inside the private network 104.
- the authentication of the data packets is done by a 'u' bit of the TCP header of the data packet.
- the one or more relay nodes 206A-N are the frontline nodes which face the internet.
- the one or more relay nodes 206A-N dispatch the data packets/patches and patterns to the site terminal nodes 110A-N.
- the secure file transfer protocol (SFTP) communication happens between the relay nodes 206A-N and the terminal nodes 110A-N.
- the one or more relay nodes 206A-N and radio nodes 204A-N are open to receive the patterns traversed from any internal radio nodes 204A-N or relay nodes 206A-N.
- an additional bit is added to the TCP data packet.
- the data packet has a uTCP, i.e. unique TCP. Therefore, by addition or alteration of one 'u' bit of the TCP packet, the data packet is made unique in this aspect.
- This uniqueness is used by the internal communication network 104 to route and accept the packet seamlessly. This is done to make the internal data packets unique and to reject any alien data packets inside the network 104.
- the modification of data packets is done using the tools such as Scapy, Ostinato, Netdude.
- after the unique packet (uTCP) is accepted at the relay nodes 206A-N, the mutation controller 202 removes the altered bit, and the data packet then becomes a normal TCP packet which navigates in the network 104 seamlessly. The data packets are then sent to the respective terminal nodes 110A-N.
- One of the methods to create a unique TCP identifier is by using the urgent pointer bit of the TCP datagram. By switching this at random instances, the TCP data packet acts as a unique data packet. Another method is to switch the state of the reserved bits of the TCP datagram to make it unique for acceptance in the network 104.
- Another method is to make the size of the TCP data variable by switching the creation cycle of the data generator, such that at any one instant all the packets in the network 104 shall have the same size, and any others shall be rejected.
- TCP validation is done in the network 104 to avoid alien packets and to prevent network spoofing and code injection.
- as the data packet passes between the one or more radio nodes 204A-N, each transfer becomes a transaction.
- Each transaction is stored for 'h' transactions.
- the mutation controller 202 is configured for providing secure communication in the computing environment 100.
- the mutation controller 202 comprises a communication management module 302, which is explained in detail in FIG 4.
- the mutation controller 202 is designed to control node addresses of the radio nodes 204A-N. After each transaction, the addresses of the radio nodes 204A-N get revised.
- the addressing is in the form of a string of characters.
- the address is randomly taken from a random address generator such as shallot or from a lookup table of pool of addresses.
- the format of the address is, for example, 'dhgdg377fh3fff14.beehive'. It is a 16-character address followed by the beehive domain extension.
- the mutation controller 202 also updates the site-specific list in its database.
- the site specific data comprises information such as terminal node nomenclature, node IP address, MAC address, number and name of patches installed on it, the sequence and timestamp of installed patches.
- the validation of the authenticity of the data packet, patch or pattern is done by the mutation controller 202. Depending on the acknowledgement of the data packets by the terminal nodes 110A-N, the data packets are validated to confirm that there has been no man-in-the-middle attack.
- the mutation controller 202 changes four characters of the node address in a random sequence and stores the address of each radio node 204A-N in its database.
- Node-to-node communication information is encapsulated in the TCP datagram with a three-layer encryption. When the packet is released from the mutation controller 202 to the first radio node 204A-N, that node opens the packet using its private key and then reads the address of the next radio node 204A-N; the process repeats until the data packet reaches the relay nodes 206A-N. Once the data packet reaches the relay nodes 206A-N, the mutation controller 202 finally encapsulates the data packet with an encryption which can be decrypted at the terminal node 110A-N, and then dispatches the packet to the specific terminal node 110A-N via a random VPN tunnel 106.
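The hop-by-hop path described above (16-character addresses with the beehive extension, four-character mutation after a transaction, one encryption layer per radio node so that each node learns only the next address, and the non-repetitive path check) as an added Python illustration; this is not the patent's own code. The keyed wrap is a stand-in for the node private key, and the node set, layer keys and relay address are constructed here.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
DOMAIN = ".beehive"
ADDR_LEN = 16 + len(DOMAIN)   # every beehive address is exactly 24 characters
NONCE_LEN, TAG_LEN = 16, 32


def new_address() -> str:
    """16 random characters followed by the beehive domain extension."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16)) + DOMAIN


def mutate_address(addr: str) -> str:
    """Revise four characters of the 16-character body, each to a different
    character, as the controller does after every transaction."""
    body = list(addr[:16])
    for pos in secrets.SystemRandom().sample(range(16), 4):
        body[pos] = secrets.choice(ALPHABET.replace(body[pos], ""))
    return "".join(body) + DOMAIN


# Stand-in for the per-node key that opens one layer (constructed for this
# illustration only: SHA-256 counter keystream plus an HMAC-SHA256 tag).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer rejected: wrong key or tampered packet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def layer_opens(key: bytes, blob: bytes) -> bool:
    """True only for the node that holds the key of the outermost layer."""
    try:
        unwrap(key, blob)
        return True
    except ValueError:
        return False


class MutationController:
    """Holds every radio node's address and layer key, picks a random path of
    distinct nodes, and refuses to reuse a path it has already issued."""

    def __init__(self, node_keys: dict):
        self.node_keys = dict(node_keys)   # beehive address -> layer key
        self.used_paths = set()

    def choose_path(self, hops: int, attempts: int = 100) -> list:
        rng = secrets.SystemRandom()
        for _ in range(attempts):
            path = tuple(rng.sample(sorted(self.node_keys), hops))
            if path not in self.used_paths:
                self.used_paths.add(path)
                return list(path)
        raise RuntimeError("no unused path available")

    def build_layers(self, path: list, relay_addr: str, packet: bytes) -> bytes:
        """Wrap from the last hop outwards, so node i's layer reveals only the
        next hop's address (fixed 24 chars) and the still-sealed remainder."""
        blob = packet
        for i in range(len(path) - 1, -1, -1):
            next_hop = path[i + 1] if i + 1 < len(path) else relay_addr
            blob = wrap(self.node_keys[path[i]], next_hop.encode() + blob)
        return blob


def radio_node_open(key: bytes, blob: bytes) -> tuple:
    """A radio node opens its own layer, learns the next address, forwards the rest."""
    inner = unwrap(key, blob)
    return inner[:ADDR_LEN].decode(), inner[ADDR_LEN:]


def route_to_relay(mc: MutationController, path: list, relay_addr: str, packet: bytes) -> tuple:
    """Walk the path hop by hop; returns (nodes visited, bytes the relay receives)."""
    blob, visited, current = mc.build_layers(path, relay_addr, packet), [], path[0]
    while current != relay_addr:
        visited.append(current)
        current, blob = radio_node_open(mc.node_keys[current], blob)
    return visited, blob
```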
- Radio node 204A-N to radio node communication is only possible if the criteria set by the mutation controller 202 are met; the random criteria fixed by the mutation controller 202 include the data packet length, urgent pointer, header length or state of the reserved bits.
- the random VPN tunnel 106 is configured for providing safe delivery of the data packets from the relay node 206A-N to the terminal nodes 110A-N.
- multiple VPN tunnels 106 are created between the relay node 206A-N and a single terminal node 110A-N.
- the selection of the tunnel 106 depends on an algorithm which randomizes the tunnel selection. For example, if there are 'h' tunnels created between the relay nodes 206A-N and the terminal node 110A-N, then there are 'h' pathways available.
- the initiator makes a request to a proxy controller, which is the mutation controller 202, to establish the virtual circuit through the one or more radio nodes 204A-N.
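The uTCP marking and acceptance check described above (the reserved-bit state, urgent pointer, header length and packet length fixed by the mutation controller, checked at the radio nodes and stripped again at the relay) as an added Python illustration; it is not code from the patent. The header layout is the standard 20-byte TCP header, while the Criteria values and the sample payload are constructed here.

```python
import secrets
import struct
from dataclasses import dataclass

# 20-byte TCP header without options (RFC 793), network byte order:
# src port, dst port, seq, ack, data-offset/reserved/flags, window, checksum, urgent pointer
TCP_HDR_FMT = "!HHIIHHHH"
TCP_HDR_LEN = struct.calcsize(TCP_HDR_FMT)  # 20
RESERVED_MASK = 0x0E00   # the three reserved bits between data offset and the flags
RESERVED_SHIFT = 9
FLAG_URG, FLAG_ACK, FLAG_PSH = 0x0020, 0x0010, 0x0008


@dataclass(frozen=True)
class Criteria:
    """Acceptance criteria fixed by the mutation controller for one transaction:
    reserved-bit state, urgent pointer value, header length and packet length."""
    reserved_bits: int    # 0..7, state the three reserved bits must carry
    urgent_pointer: int   # value the urgent pointer field must carry
    header_len: int       # bytes (data offset * 4)
    packet_len: int       # bytes, header plus payload


def new_criteria(packet_len: int) -> Criteria:
    """Draw fresh random criteria. Reserved bits are never all zero, so an ordinary
    TCP segment can never satisfy the criteria by accident."""
    return Criteria(reserved_bits=1 + secrets.randbelow(7),
                    urgent_pointer=1 + secrets.randbelow(0xFFFF),
                    header_len=TCP_HDR_LEN, packet_len=packet_len)


def build_plain_segment(src_port: int, dst_port: int, seq: int, ack: int, payload: bytes) -> bytes:
    """Ordinary segment: data offset 5, reserved bits 0, ACK|PSH, urgent pointer 0.
    The checksum stays 0 because it needs the IP pseudo-header, which is out of scope here."""
    off_flags = (5 << 12) | FLAG_ACK | FLAG_PSH
    return struct.pack(TCP_HDR_FMT, src_port, dst_port, seq, ack, off_flags, 65535, 0, 0) + payload


def parse_header(packet: bytes) -> dict:
    if len(packet) < TCP_HDR_LEN:
        raise ValueError("short packet")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack(TCP_HDR_FMT, packet[:TCP_HDR_LEN])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4,
            "reserved": (off_flags & RESERVED_MASK) >> RESERVED_SHIFT,
            "flags": off_flags & 0x01FF, "window": win, "checksum": csum,
            "urgent_pointer": urg, "packet_len": len(packet)}


def _rewrite(packet: bytes, reserved: int, urgent_pointer: int, urg_flag: bool) -> bytes:
    """Return a copy of the packet with new reserved bits, urgent pointer and URG flag."""
    src, dst, seq, ack, off_flags, win, csum, _ = struct.unpack(TCP_HDR_FMT, packet[:TCP_HDR_LEN])
    off_flags = (off_flags & ~RESERVED_MASK & 0xFFFF) | ((reserved << RESERVED_SHIFT) & RESERVED_MASK)
    off_flags = (off_flags | FLAG_URG) if urg_flag else (off_flags & ~FLAG_URG & 0xFFFF)
    return struct.pack(TCP_HDR_FMT, src, dst, seq, ack, off_flags, win, csum, urgent_pointer) + packet[TCP_HDR_LEN:]


def mark_utcp(packet: bytes, c: Criteria) -> bytes:
    """Mutation controller: turn a plain segment into a uTCP segment by writing the
    criteria into the header. A segment whose length already violates the criteria
    is refused, matching the rule that the request is rejected when the packet fails them."""
    if len(packet) != c.packet_len:
        raise ValueError("packet length does not meet the security criteria")
    return _rewrite(packet, c.reserved_bits, c.urgent_pointer, urg_flag=True)


def accept_at_radio_node(packet: bytes, c: Criteria) -> bool:
    """Radio node: accept only segments that satisfy every criterion; anything else is alien."""
    try:
        h = parse_header(packet)
    except ValueError:
        return False
    return (h["packet_len"] == c.packet_len and h["header_len"] == c.header_len
            and h["reserved"] == c.reserved_bits and h["urgent_pointer"] == c.urgent_pointer)


def strip_at_relay(packet: bytes) -> bytes:
    """Relay node: remove the altered bits so a normal TCP segment continues to the terminal node."""
    return _rewrite(packet, 0, 0, urg_flag=False)
```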
- the mutation controller 202 executes the algorithm and defines the pathway itself with the pathway consisting of individual paths between adjacent radio nodes 204A-N.
- the mutation controller 202 is configured for scanning the one or more radio nodes 204A-N and assigning a beehive address to each of the one or more radio nodes 204A-N. Further, the mutation controller 202 is configured for renewing the encryption key required for opening the data packet. Upon renewing the encryption key, a key expiry time limit is set to a predefined time interval. Further, the corresponding relay node 206A-N is selected for transmission of the data packet. Later, a transaction time limit and other communication criteria are set. Until the transaction is completed, the transaction and the data path are monitored.
- the one or more radio nodes 204A-N are scanned again, and the node addresses of the one or more radio nodes 204A-N are renewed. Further, it is determined whether the encryption key is valid. If the encryption key is valid, then the transaction is said to be completed with the data packet successfully transmitted. Alternatively, if the encryption key is not valid, then the encryption keys are renewed, and the above process repeats.
- FIG 4 is a block diagram of a computing system 202 such as those shown in FIG 2 and FIG 3, depicting various components to implement embodiments of the present invention.
- the computing system 202 includes a processor(s) 402, an accessible memory 404, a communication interface 406, a network interface 408, an input/output unit 410, and a bus 412.
- the processor(s) 402 means any type of computational circuit, such as, but not limited to, a microprocessor unit, microcontroller, complex instruction set computing microprocessor unit, reduced instruction set computing microprocessor unit, very long instruction word microprocessor unit, explicitly parallel instruction computing microprocessor unit, graphics processing unit, digital signal processing unit, or any other type of processing circuit.
- the processor(s) 402 may also include embedded controllers, such as generic or programmable logic devices or arrays, application specific integrated circuits, single-chip computers, and the like.
- the memory 404 may be non-transitory volatile memory and non-volatile memory.
- the memory 404 may be coupled for communication with the processor(s) 402, such as being a computer-readable storage medium.
- the processor(s) 402 may execute machine-readable instructions and/or source code stored in the memory 404.
- a variety of machine-readable instructions may be stored in and accessed from the memory 404.
- the memory 404 may include any suitable elements for storing data and machine-readable instructions, such as read only memory, random access memory, erasable programmable read only memory, electrically erasable programmable read only memory, a hard drive, a removable media drive for handling compact disks, digital video disks, diskettes, magnetic tape cartridges, memory cards, and the like.
- the memory 404 includes a communication management module 302 stored in the form of machine-readable instructions on any of the above-mentioned storage media and may be in communication with and executed by the processor(s) 402.
- When executed by the processor(s) 402, the communication management module 302 causes the processor(s) 402 to establish a communication session with a terminal node 110A-N based on a first request from the terminal node 110A-N. Further, the communication management module 302 causes the processor(s) 402 to receive a second request for transmission of a data packet from the terminal node 110A-N when the communication session is established with the terminal node 110A-N. Furthermore, the communication management module 302 causes the processor(s) 402 to determine the corresponding data packet requested for transmission based on the received second request. Also, the communication management module 302 causes the processor(s) 402 to modify the determined data packet before transmission based on one or more security criteria. Further, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to the terminal node 110A-N in response to the received second request.
- the communication management module 302 causes the processor(s) 402 to receive an acknowledgement packet from the terminal node 110A-N in response to the transmission of the modified data packet. Also, the communication management module 302 causes the processor(s) 402 to validate the acknowledgement packet received from the terminal node 110A-N based on one or more set criteria. Further, the communication management module 302 causes the processor(s) 402 to provide access to the modified data packet based on the successful validation.
- the communication management module 302 causes the processor(s) 402 to reject the second request if the validation of the acknowledgment packet received from terminal node 110A-N fails. Also, the communication management module 302 causes the processor(s) 402 to deny access to the modified data packet upon rejecting the second request.
- the communication management module 302 causes the processor(s) 402 to receive the first request for establishing the communication session from the terminal node 110A-N via a network 104 and 106. Further, the communication management module 302 causes the processor(s) 402 to extract one or more parameters associated with the terminal node 110A-N from the received first request. Further, the communication management module 302 causes the processor(s) 402 to authenticate the extracted one or more parameters associated with the terminal node 110A-N based on a prestored corresponding one or more parameters associated with the terminal node 110A-N. Also, the communication management module 302 causes the processor(s) 402 to establish the communication session with the terminal node 110A-N upon successful authentication of the extracted one or more parameters associated with the terminal node 110A-N.
- the communication management module 302 causes the processor(s) 402 to obtain information related to the requested data packet by parsing the received second request. Further, the communication management module 302 causes the processor(s) 402 to compare the obtained information related to the requested data packet with one or more lists of data packets. Also, the communication management module 302 causes the processor(s) 402 to retrieve the data packet matching the obtained information related to the requested data packet based on comparison.
- the communication management module 302 causes the processor(s) 402 to determine one or more properties associated with the determined data packet. Further, the communication management module 302 causes the processor(s) 402 to determine whether the one or more properties associated with the determined data packet meets the one or more security criteria. Also, the communication management module 302 causes the processor(s) 402 to append a temporary security bit to the determined data packet if the one or more properties associated with the determined data packet meets the one or more security criteria.
- the communication management module 302 causes the processor(s) 402 to reject the second request for transmission of data packet if the one or more properties associated with the determined data packet fails to meet the one or more security criteria.
- the communication management module 302 causes the processor(s) 402 to determine a first random path for transmission of the modified data packet to a relay node 206A-N.
- the first random path comprises an encryption key, one or more addresses and an identifier of one or more radio nodes 204A-N in a predefined manner.
- the one or more radio nodes 204A-N route the modified data packet to the relay node 206A-N.
- the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to the relay node 206A-N based on the determined first random path.
- the communication management module 302 causes the processor(s) 402 to determine a second random path for transmission of modified data packet from the relay node 206A-N to the terminal node 110A-N based on address of terminal node 110A-N and one or more random communication channels 106 existing between the relay node 206A-N and the terminal node 110A-N. Also, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the determined second random path.
- the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to one of the radio nodes 204A-N based on the determined first random path. Further, the communication management module 302 causes the processor(s) 402 to obtain the address of the subsequent radio node, for routing the modified data packet to that node, by parsing the content of the modified data packet. Also, the communication management module 302 causes the processor(s) 402 to repeat the steps above until the modified data packet reaches the relay node 206A-N.
- the one or more addresses of the one or more network nodes (114A-N) comprised in the first random path comprise a multi-layer network domain extension.
- the communication management module 302 causes the processor(s) 402 to verify the determined first random path based on one or more validation conditions. Also, the communication management module 302 causes the processor(s) 402 to determine whether the verified first random path is non-repetitive with respect to previously used paths.
- the communication interface 406 is configured for establishing communication sessions between the source computing system 102A-N and the terminal nodes 110A-N. In an embodiment, the communication interface 406 interacts with the interface at the terminal node 110A-N to allow the engineers to access the data packet and perform one or more actions on it.
- the complete process of data communication is segregated into three zones divided by barriers. The first barrier, which is exposed to the internet, has the relay nodes 206A-N assigned to it. All communications from the terminal nodes 110A-N of several sites occur here. The communications to this barrier are encrypted.
- the second barrier is the beehive barrier, which lies in the beehive network 104; activities such as authentication and validation occur in this zone.
- the third and last barrier is the common remote service platform barrier, which separates the vital source computing system network from all others.
- the restricted authentication and validation communication occurs in this zone.
- the network interface 408 helps in managing network communications between the source computing system 102A-N, and terminal nodes 110A-N.
- the input-output unit 410 may include input devices such as a keypad, a touch-sensitive display, a camera (such as a camera receiving gesture-based inputs), etc., capable of receiving one or more input signals, such as user commands to process data. Also, the input-output unit 410 may be a display unit for displaying a graphical user interface which visualizes the transmission of the data packet. The set of actions may include data entry, data modification or data display.
- the bus 412 acts as interconnect between the processor 402, the memory 404, and the input-output unit 410.
- the hardware depicted in FIG 2 may vary for particular implementations.
- peripheral devices such as an optical disk drive and the like, a Local Area Network (LAN), Wide Area Network (WAN) or Wireless (e.g., Wi-Fi) adapter, a graphics adapter, a disk controller, or an input/output (I/O) adapter may also be used in addition to or in place of the hardware depicted.
- the depicted example is provided for the purpose of explanation only and is not meant to imply architectural limitations with respect to the present disclosure.
- FIG 5 is a block diagram of a communication management module 302, such as those shown in FIG 3 and 4, capable of securing data communication, according to the embodiment of the present invention.
- the communication management module 302 comprises a receiver module 502, an authentication module 504, a packet processing module 506, a validation module 508, packet transmission module 510, an installation module 512, a database 514 and an output module 516.
- the receiver module 502 is configured to establish a communication session with a terminal node 110A-N based on a first request from the terminal node 110A-N. Specifically, the receiver module 502 is configured for receiving the first request for establishing the communication session from the terminal node 110A-N via the network 106 and 104.
- the first request comprises information relating to the terminal node. For example, the information relating to the terminal node comprises a nomenclature enlisted with a sequence of patches or patterns on the system software, that is, the node identifier and the list of the last n (Ln) patterns installed on the system (Tn+Ln). Further, the receiver module 502 is configured for extracting one or more parameters associated with the terminal node 110A-N from the received first request.
- the one or more parameters comprises terminal node address, communication path/channel, source node address and the like.
- the authentication module 504 is configured for authenticating the extracted one or more parameters associated with the terminal node 110A-N based on prestored corresponding one or more parameters associated with the terminal node 110A-N. This is achieved by matching the one or more parameters with the prestored corresponding one or more parameters. If the authentication fails, then the first request is rejected by the receiver module 502. If the authentication is successful, then the authentication module 504 requests the receiver module 502 to further process the first request. Further, the authentication module 504 is configured for transmitting an acknowledgement bit to the terminal node 110A-N once the authentication is completed. Then, the receiver module 502 is configured for establishing the communication session with the terminal node 110A-N.
- the receiver module 502 is configured for receiving a second request for transmission of a data packet from the terminal node 110A-N when the communication session is established with the terminal node 110A-N.
- the second request comprises information relating to transmission of data packet.
- After receiving the acknowledgement bit from the mutation controller 202, the terminal node 110A-N requests the latest pattern.
- the receiver module 502 is configured for rejecting the second request if the validation of the acknowledgment packet received from terminal node 110A-N fails and denying access to the modified data packet upon rejecting the second request.
- the packet processing module 506 is configured for determining corresponding data packet requested for transmission based on the received second request. In determining the corresponding data packet, the packet processing module 506 is configured for obtaining information related to the requested data packet by parsing the received second request. The information related to requested data packet comprises type of data packet, data packet identifier, time stamp information, and the like. Further, the packet processing module 506 is configured for comparing the obtained information related to the requested data packet with one or more lists of data packets. Also, the packet processing module 506 is configured for retrieving the data packet matching the obtained information related to the requested data packet based on comparison.
- the packet processing module 506 is configured for modifying the determined data packet before transmission based on one or more security criteria.
- the one or more security criteria comprises header content, code length, type of data packet, destination node address, communication path and the like.
- the packet processing module 506 is configured for determining one or more properties associated with the determined data packet.
- the one or more properties associated with data packet comprises bit size, length, header content, packet identifier and the like. These one or more properties associated with the data packet are passed to the validation module 508.
- the validation module 508 is configured for determining whether the one or more properties associated with the determined data packet meet the one or more security criteria. If they do, then the results of the validation are passed to the packet processing module 506, and the packet processing module 506 is configured for appending a temporary security bit to the determined data packet. Alternatively, if the one or more properties associated with the determined data packet fail to meet the one or more security criteria, then the packet processing module 506 is configured for rejecting the second request for transmission of the data packet. The modification of the determined data packet is performed by the addition or alteration of one 'u' bit in the TCP packet, hence making the packet unique. This uniqueness is used by the internal communication network 100 to move and accept the packet seamlessly.
- once the unique packet (uTCP) is accepted at the relay nodes 206A-N, the packet processing module 506 removes the altered bit, and the packet again becomes a normal TCP packet which navigates the network 100 seamlessly. Then, the patterns are sent to the respective terminal nodes 110A-N.
- One of the methods to create a unique TCP identifier is to use the urgent pointer bit of the TCP datagram. By switching this at a random instance, the TCP packet acts as a unique packet. Another method is to switch the state of the reserved bits of the TCP datagram to make the packet unique for acceptance in the network 100.
- Another method is to make the size of the TCP data variable by switching the creation cycle of the data generator, so that at any one instance all the packets in the network have the same size and packets of any other size are rejected.
- the TCP packet validation is done in the network to reject alien data packets and to evade network spoofing and code injection.
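The marking, validation and stripping of the temporary security bit described above, as an added example that is not part of the patent or its implementation. It works on a raw TCP header; which reserved bit serves as the 'u' bit, the urgent pointer value, and the set criteria values are assumptions chosen for illustration.

```python
"""Added example: set, validate and remove the 'u' bit on a raw TCP header.
Assumed for illustration: reserved bit 0x04 of byte 12 is the marker, the
marker urgent pointer value is 1, and the set criteria are passed as a dict."""
import struct

TCP_FMT = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent ptr
TCP_HEADER_LEN = 20
RESERVED_MARK = 0x04     # assumption: one of the reserved bits in byte 12 acts as the 'u' bit
URG_FLAG = 0x20          # URG flag in the flags byte (byte 13)


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into named fields."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        TCP_FMT, pkt[:TCP_HEADER_LEN])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_res >> 4,      # header length in 32-bit words
        "reserved": off_res & 0x0F,       # reserved bits (and NS) in the low nibble
        "flags": flags, "window": win, "checksum": csum, "urgent_ptr": urg,
        "payload": pkt[(off_res >> 4) * 4:],
    }


def build_packet(sport: int, dport: int, seq: int, payload: bytes, flags: int = 0x18) -> bytes:
    """Build a plain TCP segment (PSH|ACK by default). The checksum is left at zero;
    a real stack recomputes it over the pseudo-header after any modification."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload


def mark_unique(pkt: bytes, method: str = "reserved") -> bytes:
    """Append the temporary security bit: flip a reserved bit, or set URG together
    with a non-zero urgent pointer, so the segment becomes the 'uTCP' packet."""
    b = bytearray(pkt)
    if method == "reserved":
        b[12] |= RESERVED_MARK
    elif method == "urg":
        b[13] |= URG_FLAG
        struct.pack_into("!H", b, 18, 1)  # urgent pointer = 1 (assumed marker value)
    else:
        raise ValueError("unknown marking method")
    return bytes(b)


def strip_mark(pkt: bytes) -> bytes:
    """Remove the altered bit at the relay node so the segment is normal TCP again."""
    b = bytearray(pkt)
    b[12] &= ~RESERVED_MARK & 0xFF
    if b[13] & URG_FLAG:
        b[13] &= ~URG_FLAG & 0xFF
        struct.pack_into("!H", b, 18, 0)
    return bytes(b)


def validate_packet(pkt: bytes, criteria: dict) -> tuple:
    """Apply the set criteria (packet length, header length, urgent pointer or
    reserved-bit state). Returns (accepted, reason); an unmarked 'alien' packet
    or one of unexpected size is rejected before it can move on the network."""
    if len(pkt) < TCP_HEADER_LEN:
        return False, "truncated header"
    h = parse_header(pkt)
    if h["data_offset"] * 4 != criteria["header_len"]:
        return False, "unexpected header length"
    if len(pkt) != criteria["packet_len"]:
        return False, "unexpected packet length"
    reserved_ok = bool(h["reserved"] & RESERVED_MARK)
    urg_ok = bool(h["flags"] & URG_FLAG) and h["urgent_ptr"] == criteria["urgent_ptr"]
    if not (reserved_ok or urg_ok):
        return False, "security bit missing: alien packet"
    return True, "accepted"
```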
- the packet transmission module 510 is configured for transmitting the modified data packet to the terminal node 110A-N in response to the received second request. Specifically, the packet transmission module 510 is configured for determining a first random path for transmission of the modified data packet to a relay node 206A-N.
- the first random path comprises an encryption key, one or more addresses and an identifier of one or more radio nodes 204A-N in a predefined manner.
- the one or more radio nodes 204A-N route the modified data packet to the relay node 206A-N.
- the packet transmission module 510 is configured for verifying the determined first random path based on one or more validation conditions.
- the one or more validation conditions comprise the node addresses of the one or more radio nodes 204A-N, the communication channel, the session identifier and the like. Further, the packet transmission module 510 is configured for determining whether the verified first random path is non-repetitive with respect to previously used paths. If the first random path is non-repetitive, then the packet transmission module 510 is configured for transmitting the modified data packet to the relay node 206A-N based on the determined first random path.
- the packet transmission module 510 is configured for determining a second random path for transmission of modified data packet from the relay node 206A-N to the terminal node 110A-N based on address of terminal node 110A-N and one or more random communication channels 106 existing between the relay node 206A-N and the terminal node 110A-N.
- the packet transmission module 510 is configured for transmitting the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the determined second random path.
- the multiple VPN tunnel network 106 is created between the relay node 206A-N and single terminal node, say 110A.
- the selection of the tunnel depends on an algorithm which randomizes the tunnel selection. For example, if there are n tunnels created between the relay nodes 206A-N and the terminal node 110A, then there are n pathways available. Out of these pathways one is drawn at random, so that a new tunnel is selected every time. This is done to evade packet injection after the packet leaves the relay node 206A-N. This technical addition increases the complexity of the transport security and hence makes eavesdropping and manipulation of packets harder.
- the packet transmission module 510 is configured for transmitting the modified data packet to one of the radio nodes 204A-N based on the determined first random path. Also, the packet transmission module 510 is configured for obtaining the address of the subsequent radio node, for routing the modified data packet to that node, by parsing the content of the modified data packet. Further, the packet transmission module 510 is configured for repeating the steps above until the modified data packet reaches the relay node 206A-N. In an exemplary embodiment, the packet transmission module 510 is designed to control the node addresses of the radio nodes 204A-N. After each transaction, the addresses of the nodes 204A-N are revised. The addressing is in the form of a string of characters.
- the address is randomly taken from a random address generator such as shallot or from a lookup table of a pool of addresses.
- the format of the address is such as dhgdg377fh3fff14.beehive. This is a 16-character address followed by the beehive domain extension.
- the packet transmission module 510 also updates the site-specific list in its database.
- the site-specific data includes the terminal node nomenclature, the node Internet Protocol (IP) address, the MAC address, the number and names of patches installed on it, and the sequence and timestamps of the installed patches.
- the validation of the authenticity of the patch or pattern is done by the packet transmission module 510. Depending on the acknowledgement of the packets by the terminal nodes 110A-N, the packets are validated for no MITM attack.
- the packet transmission module 510 changes four characters of the address in a random sequence and stores the address of each node 204A-N in its database. This address is unique and impossible to predict by normal mathematical algorithms. The node-to-node communication information is encapsulated in the TCP datagram with three layers of encryption.
- the radio node 204A opens the packet using its private key, reads the address of the next node, say 204B, and the same process repeats until the data packet reaches the relay nodes 206A-N.
- Once the packet reaches the relay nodes 206A-N, it is finally encapsulated with encryption that can be decrypted at the terminal node 110A-N, and then dispatched to the specific terminal node 110A-N via a random VPN tunnel 106.
- Node-to-node communication is only possible if the criteria set by the packet transmission module 510 are met.
- the set criteria or validation conditions fixed by the packet transmission module 510 include the data packet length, the urgent pointer, the header length or the state of the reserved bits.
- the one or more addresses of the one or more radio nodes 204A-N comprised in the first random path comprise a multi-layer network domain extension.
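The first random path described above, built as nested per-hop layers so that each radio node can read only its own next-hop address, together with the path validation conditions, the non-repetition check and the per-transaction address revision. This is an added example, not code from the patent or its implementation; per-hop symmetric keys with an HMAC-SHA256 keystream stand in for the private-key layers the text describes, and the 16-character address plus the beehive extension is taken from the address format above.

```python
"""Added example: layered first random path through the radio nodes.
Assumptions: per-hop symmetric keys (not the private keys of the text), an
HMAC-SHA256 based encrypt-then-MAC layer, and addresses of 16 chars + '.beehive'."""
import hashlib
import hmac
import random
import secrets

DOMAIN = ".beehive"
ADDR_LEN = 16 + len(DOMAIN)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
_rng = random.SystemRandom()

def random_address() -> str:
    """16 random characters followed by the beehive domain extension."""
    return "".join(_rng.choice(ALPHABET) for _ in range(16)) + DOMAIN

def revise_address(addr: str) -> str:
    """Change four characters of the label at random positions, as done after each transaction."""
    label = list(addr[:16])
    for pos in _rng.sample(range(16), 4):
        label[pos] = _rng.choice(ALPHABET.replace(label[pos], ""))
    return "".join(label) + DOMAIN

def _subkeys(key: bytes):
    # separate encryption and MAC keys derived from the hop key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and strip one layer; a tampered layer is rejected."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("hop layer authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def verify_path(path, used_paths) -> tuple:
    """Validation conditions: well-formed node addresses, no node visited twice,
    and the path must be non-repetitive with respect to previously used paths."""
    addrs = [addr for addr, _ in path]
    for a in addrs:
        if len(a) != ADDR_LEN or not a.endswith(DOMAIN):
            return False, "malformed node address: " + a
    if len(set(addrs)) != len(addrs):
        return False, "node repeated within path"
    if tuple(addrs) in used_paths:
        return False, "path already used"
    return True, "ok"

def build_layers(path, relay_addr: str, payload: bytes):
    """Wrap the payload so each radio node can read only its own next-hop address.
    path is a list of (address, hop_key) in visiting order; returns (first hop, blob)."""
    blob, next_addr = payload, relay_addr
    for addr, key in reversed(path):
        blob = seal(key, next_addr.encode() + blob)
        next_addr = addr
    return next_addr, blob

def hop_open(key: bytes, blob: bytes):
    """What one radio node does: open its layer, read the next address, forward the rest."""
    inner = unseal(key, blob)
    return inner[:ADDR_LEN].decode(), inner[ADDR_LEN:]

def route_to_relay(first_addr: str, blob: bytes, node_keys: dict, relay_addr: str) -> bytes:
    """Simulate the packet travelling hop by hop until it reaches the relay node."""
    addr, hops = first_addr, 0
    while addr != relay_addr:
        if addr not in node_keys:
            raise ValueError("unknown node " + addr)
        addr, blob = hop_open(node_keys[addr], blob)
        hops += 1
        if hops > len(node_keys):
            raise ValueError("routing loop")
    return blob
```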
- the installation module 512 is configured for receiving an acknowledgement packet from the terminal node 110A-N in response to the transmission of modified data packet.
- the acknowledgement signal, used to confirm the decryption, unzipping and opening of the data packet and to receive a confirmation bit back from the terminal node 110A-N, adds an additional layer for authentic file transfer. It confirms that only the specific terminal node 110A-N has received the same pattern packet. Hence it evades any MITM (man-in-the-middle) attack.
- the installation module 512 is configured for validating the acknowledgement packet received from the terminal node 110A-N based on one or more set criteria.
- the one or more set criteria comprises expiration of set counter time, bit type and content and the like.
- the installation module 512 is configured for providing access to the modified data packet based on the successful validation and thereby installing the pattern onto the respective terminal node 110A-N.
- the terminal node 110A-N opens, decrypts or unzips the data packet.
- the terminal node then issues a de-package bit 'DPO' to the installation module 512.
- the installation module 512 receives the DPO.
- the installation module 512 initiates a delay counter with a variable time setpoint. Once the set time expires, the installation module 512 issues a DPv confirmation bit to the terminal node 110A-N.
- when the installation module 512 issues the DPv bit and the terminal node 110A-N receives it, the installation and distribution of the pattern, patch or data packet is started on the industrial network 100. Once the pattern or data packet is installed, the terminal node 110A-N updates the pattern list as Pn and records the list for the next update.
- the database 514 is configured to store the first request, the second request, the acknowledgement bit DPO, the confirmation bit DPv, the modified data packet, the requested data packet pattern, the one or more set criteria, the one or more validation conditions, the one or more properties associated with data packets, the one or more parameters associated with the first and second requests, the counter, the node addresses, and the like.
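The DPO/DPv acknowledgement handshake of the installation module described above, including the set criteria (counter expiry, bit type and content) and the red flag raised when more than one recipient acknowledges the same pattern packet. This is an added example, not code from the patent or its implementation; the DPO content being a SHA-256 digest of the modified data packet, the criteria values and the simulated clock are assumptions for illustration.

```python
"""Added example: installation-module side of the DPO / DPv handshake.
Assumptions: the DPO carries a SHA-256 digest of the modified data packet, the
clock is passed in as a number of seconds, and the window and setpoint values
are illustrative."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def terminal_dpo(decrypted_packet: bytes) -> tuple:
    """Terminal node side: after opening the packet, emit the de-package bit and its content."""
    return "DPO", hashlib.sha256(decrypted_packet).hexdigest()


@dataclass
class Dispatch:
    node: str                       # the single intended recipient
    digest: str                     # expected DPO content for this packet
    sent_at: float
    dpo_at: Optional[float] = None
    state: str = "sent"             # sent -> acked -> confirmed | aborted


@dataclass
class InstallationModule:
    setpoint: float                 # delay counter (seconds) before DPv is issued
    ack_window: float               # DPO must arrive before this counter expires
    dispatches: dict = field(default_factory=dict)   # packet_id -> Dispatch
    red_flags: list = field(default_factory=list)

    def dispatch(self, packet_id: str, node: str, modified_packet: bytes, now: float) -> None:
        """Record that the modified data packet was sent to exactly one terminal node."""
        self.dispatches[packet_id] = Dispatch(node, hashlib.sha256(modified_packet).hexdigest(), now)

    def receive_ack(self, packet_id: str, node: str, bit_type: str, content: str, now: float) -> tuple:
        """Validate the acknowledgement against the set criteria. Returns (accepted, status);
        any failure denies access to the modified data packet."""
        d = self.dispatches.get(packet_id)
        if d is None:
            return False, "unknown packet: request rejected"
        if d.state == "aborted":
            return False, "installation aborted"
        if node != d.node:
            # a second recipient acknowledging the same pattern packet: raise the red flag
            d.state = "aborted"
            self.red_flags.append((packet_id, node))
            return False, "multiple recipients: installation aborted"
        if bit_type != "DPO":
            return False, "wrong bit type"
        if now - d.sent_at > self.ack_window:
            d.state = "aborted"
            return False, "counter expired: access denied"
        if content != d.digest:
            d.state = "aborted"
            return False, "ack content mismatch: access denied"
        if d.state != "sent":
            return False, "duplicate DPO ignored"
        d.state, d.dpo_at = "acked", now
        return True, "DPO accepted, delay counter started"

    def poll(self, packet_id: str, now: float) -> str:
        """Scheduler hook: once the delay counter has run out, issue DPv so the
        terminal node starts the installation; otherwise report the current state."""
        d = self.dispatches[packet_id]
        if d.state != "acked":
            return d.state
        if now - d.dpo_at >= self.setpoint:
            d.state = "confirmed"
            return "DPv"
        return "waiting for validation"
```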
- the output module 516 is configured for outputting status of data communication between the terminal node 110A-N and the source computing system 102A-N.
- a user may initiate the patch or pattern installation from the terminal node 110A-N using the user interface provided. This can also be done automatically using a task scheduler at a specific time.
- authentication scripts in the background start communication with the relay nodes 206A-N, and the status of the process is reflected on the user dashboard. Further, only if the terminal node 110A-N is authenticated does it automatically initiate the second request command for the patch or pattern.
- the user interface prompts a message with the wait time for validation of the data packet.
- the 'validation successful' message appears on the dashboard.
- the installation progress appears on the user interface and finally, after successful installation of the patch, pattern or packet, the final message 'installation successful' appears on the user dashboard.
- the 'validation failed' message appears on the user interface and subsequently the 'installation aborted' message appears to the user on the dashboard.
- FIG 6 is a process flowchart 600 illustrating an exemplary method of securing data communication, according to the embodiment of the present invention.
- a communication session with a terminal node 110A-N is established based on a first request from the terminal node 110A-N.
- a second request for transmission of a data packet is received from the terminal node 110A-N when the communication session is established with the terminal node 110A-N.
- corresponding data packet requested for transmission is determined based on the received second request.
- the determined data packet is modified before transmission based on one or more security criteria.
- the modified data packet is transmitted to the terminal node 110A-N in response to the received second request.
- the present invention provides an efficient mechanism for encryption, vulnerability management, exploit management, intrusion detection, intrusion prevention, anti-spyware, smart switch management, countermeasure deployment.
- the method provides anonymity to the centralized servers. It helps the centralized servers to evade and reduce the attack surface. Also, the randomization of the TCP packets and node addresses creates a system which is even stronger and intelligently secured.
- the source node or centralized servers or the central patch server are kept anonymous by adding a multilayer of beehive network in frontline of these servers. The frontline network is exposed to the internet while safeguarding the original servers. Hence, this is a way to reduce the attack surface by anonymizing the attack surface and provide the shielding.
- the present method of handshaking between the terminal servers and the centralized servers safeguards against any man-in-the-middle attack.
- the handshaking process ensures a single authentic delivery of the pattern or patch to a terminal server. In case of multiple recipients, a red flag is raised and the installation is aborted.
- the multi-VPN model for transport of the deliverables and the randomization of the VPN tunnel pathways add an additional layer of security to avoid eavesdropping on data packet traffic as well as code injection.
- the present invention can take the form of a computer program product comprising program modules accessible from a computer-usable or computer-readable medium storing program code for use by or in connection with one or more computers, processors, or instruction execution systems.
- a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device); propagation mediums in and of themselves as signal carriers are not included in the definition of a physical computer-readable medium. Examples of a physical computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, random access memory (RAM), read only memory (ROM), a rigid magnetic disk and optical disks such as compact disk read-only memory (CD-ROM), compact disk read/write, and DVD.
- Both processors and program code for implementing each aspect of the technology can be centralized or distributed (or a combination thereof) as known to those skilled in the art.
- reference numerals: 100 computing environment; 102 source computing system; 104A-N multilayer network of nodes; 106 network
Abstract
The present invention relates to a method and system for securing data communication in a computing environment (100). The method comprises establishing a communication session with a terminal node (110A-N) based on a first request from the terminal node (110A-N). Further, the method comprises receiving a second request for transmission of a data packet from the terminal node (110A-N) when the communication session is established with the terminal node (110A-N). Also, the method comprises determining the corresponding data packet requested for transmission based on the received second request. Furthermore, the method comprises modifying the determined data packet before transmission based on one or more security criteria. Additionally, the method comprises transmitting the modified data packet to the terminal node (110A-N) in response to the received second request.
Description
METHOD AND SYSTEM FOR SECURING DATA COMMUNICATION IN A COMPUTING ENVIRONMENT
The present invention generally relates to the field of computing systems, and more particularly relates to a method and system for securing data communication in a computing environment.
An Intrusion Detection System ("IDS") is currently known and has a known (i.e. "used") address to detect known computer attacks by matching key aspects of that attack to a known "signature". The IDS is associated with an enterprise and has a list of known signatures of known viruses, worms and other common attacks. The IDS searches each packet it receives for the known signatures, and thereby detects when the enterprise is being "attacked" by a virus, worm or any other attack which has a known signature. When this occurs, the IDS notifies a security operations center ("SOC"), and the SOC will check that the proper anti-virus, anti-worm or other intrusion protection software is currently installed in the enterprise or customer network. While the IDS is effective in safeguarding an enterprise against known "exploits" (for example, computer viruses, worms and exploitation code), it does not identify or safeguard against new exploits for which the signatures are not yet known.
Currently, in an enterprise, a terminal server in a technical installation may be connected to a centralized server via one or more routers for communication and exchange of data packets or files. For this purpose, file transfer protocols such as FTP or SFTP are used. The connection between the terminal server and the centralized server is point to point and uses the TCP/IP protocol. The FTP connection between these two points is based on user-defined credentials, and sometimes, for remote assistance, public key infrastructure (PKI) is used. In SFTP communication a pre-shared public/private key pair based on RSA encryption is used for authentication. In such cases, the security of data in transit, that is, the transport communication, is not high, and hence it is vulnerable to 'man in the middle' attacks or any other kind of data hack. A skilled hacker can track and sniff the data traffic flow between the centralized server node and the terminal node of any industry. The eavesdropped traffic can be analyzed and decoded to such an extent that it gives enough information about the deployed systems. After analysis, the details of the terminal servers, the operating system and other details of the terminal node can be fetched. With the help of all the reconnaissance details, the antivirus pattern or patch can be replaced or modified with malware, malicious code or malicious executables. As these patterns are then installed on the terminal servers, application servers and other technical servers of several technical installations in one go, this causes severe consequences and drawbacks. Depending on the criticality of the malicious code, the extent of damage can be calculated. However, it shall definitely end up with serious damage to critical infrastructure and to the reputation of the enterprise as well.
Therefore, it is an object of the present invention to provide a method and system for securing data communication in a computing environment.
The object of the present invention is achieved by a method for securing data communication in a computing environment. The method comprises establishing a communication session with a terminal node based on a first request from the terminal node. Further, the method comprises receiving a second request for transmission of a data packet from the terminal node when the communication session is established with the terminal node. Also, the method comprises determining corresponding data packet requested for transmission based on the received second request. Furthermore, the method comprises modifying the determined data packet before transmission based on one or more security criteria. Additionally, the method comprises transmitting the modified data packet to the terminal node in response to the received second request.
Further, the method comprises receiving an acknowledgement packet from the terminal node in response to the transmission of modified data packet. Also, the method comprises validating the acknowledgement packet received from the terminal node based on one or more set criteria. The method comprises providing access to the modified data packet based on the successful validation. Further, the method comprises rejecting the second request if the validation of the acknowledgment packet received from terminal node fails. Furthermore, the method comprises denying access to the modified data packet upon rejecting the second request.
In a preferred embodiment, in establishing the communication session with the terminal node based on the first request from the terminal node, the method comprises receiving the first request for establishing the communication session from the terminal node via a network. The method comprises extracting one or more parameters associated with the terminal node from the received first request. Also, the method comprises authenticating the extracted one or more parameters associated with the terminal node based on a prestored corresponding one or more parameters associated with the terminal node. Also, the method comprises establishing the communication session with the terminal node upon successful authentication of the extracted one or more parameters associated with the terminal node.
In another preferred embodiment, in determining corresponding data packet requested for transmission based on the received second request, the method comprises obtaining information related to the requested data packet by parsing the received second request. The method further comprises comparing the obtained information related to the requested data packet with one or more lists of data packets. Also, the method comprises retrieving the data packet matching the obtained information related to the requested data packet based on comparison.
In yet another preferred embodiment, in modifying the determined data packet before transmission based on the one or more security criteria, the method comprises determining one or more properties associated with the determined data packet. The method further comprises determining whether the one or more properties associated with the determined data packet meet the one or more security criteria. Also, the method comprises appending a temporary security bit to the determined data packet if the one or more properties associated with the determined data packet meet the one or more security criteria.
In an aspect of the preferred embodiment, in determining whether the one or more properties associated with the determined data packet meet the one or more security criteria, the method comprises rejecting the second request for transmission of the data packet if the one or more properties associated with the determined data packet fail to meet the one or more security criteria.
In still another preferred embodiment, in transmitting the modified data packet to the terminal node in response to the received second request, the method comprises determining a first random path for transmission of the modified data packet to a relay node. The first random path comprises an encryption key, one or more addresses and an identifier of one or more network nodes, arranged in a predefined manner. The one or more network nodes route the modified data packet to the relay node. The method further comprises transmitting the modified data packet to the relay node based on the determined first random path. Also, the method comprises determining a second random path for transmission of the modified data packet from the relay node to the terminal node based on the address of the terminal node and one or more random communication channels existing between the relay node and the terminal node. The method further comprises transmitting the modified data packet from the relay node to the terminal node based on the determined second random path.
In an aspect of the preferred embodiment, in transmitting the modified data packet to the relay node based on the determined first random path, the method comprises transmitting the modified data packet to one of the radio nodes based on the determined first random path. Further, the method comprises obtaining the address of the subsequent radio node for routing the modified data packet to that subsequent node by parsing the content of the modified data packet. Also, the method comprises repeating the steps above until the modified data packet reaches the relay node. The one or more addresses of the one or more radio nodes comprised in the first random path comprise a multi-layer network domain extension.
In another aspect of the preferred embodiment, in determining the first random path for transmission of the modified data packet to the relay node, the method comprises verifying the determined first random path based on one or more validation conditions. Also, the method comprises determining whether the verified first random path is non-repetitive with respect to previously used paths.
The object of the present invention is also achieved by a computing system for securing data communication in a computing environment. The computing system may comprise one or more processors and a memory coupled to the one or more processors. The memory comprises a communication management module stored in the form of machine-readable instructions and executable by the one or more processors.
The communication management module is configured for performing the method described above.
The object of the invention can also be achieved by a multi-layer communication network. The multi-layer communication network comprises a computing system communicatively coupled to a source node and one or more radio nodes via a communication channel. The computing system comprises a communication management module configured for securing communication between the source node and a terminal node. The multi-layer communication network also comprises one or more radio nodes communicatively coupled to the computing system and to one or more relay nodes. The one or more radio nodes are configured for routing a data packet from the source node to the one or more relay nodes. Also, the multi-layer communication network comprises the one or more relay nodes communicatively coupled to the one or more radio nodes and to the terminal node. The one or more relay nodes are configured for delivering the data packet to the terminal node via a communication channel.
The object of the invention can also be achieved by a computing environment comprising one or more technical installations. The one or more technical installations comprise one or more terminal nodes configured for receiving one or more data packets from one or more source nodes. Further, the computing environment comprises a multilayer network of nodes communicatively coupled to the one or more technical installations and to the one or more source nodes. Additionally, the computing environment comprises the one or more source nodes communicatively coupled to the multilayer network of nodes.
The object of the invention can also be achieved by a computer-program product having machine-readable instructions stored therein, which, when executed by a processor, cause the processor to perform the method steps described above.
The above-mentioned and other features of the invention will now be addressed with reference to the accompanying drawings of the present invention. The illustrated embodiments are intended to illustrate, but not limit the invention.
The present invention is further described hereinafter with reference to illustrated embodiments shown in the accompanying drawings, in which:
FIG 1 is a schematic representation of a computing environment capable of securing data communication, according to an embodiment of the present invention;
FIG 2 is a detailed view of schematic representation of a computing environment capable of securing data communication, according to an embodiment of the present invention;
FIG 3 is a block diagram of a multilayer network of nodes such as those shown in FIG 1 and FIG 2, depicting various components to implement embodiments of the present invention;
FIG 4 is a block diagram of a computing system such as those shown in FIG 2 and FIG 3, depicting various components to implement embodiments of the present invention;
FIG 5 is a block diagram of a communication management module, such as those shown in FIG 3 and 4, capable of securing data communication, according to the embodiment of the present invention; and
FIG 6 is a process flowchart illustrating an exemplary method of securing data communication, according to the embodiment of the present invention.
Various embodiments are described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for the purpose of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It may be evident that such embodiments may be practiced without these specific details.
FIG 1 is a schematic representation of a computing environment 100 capable of securing data communication, according to an embodiment of the present invention. Particularly, FIG 1 depicts a source computing system 102A-N which is capable of delivering data packets for managing a technical installation 108A-N. The source computing system 102A-N is connected to one or more terminal nodes 110A-N at the technical installation 108A-N via a multilayer network of nodes 104A-N and a network 106A-N. The network 106A-N may comprise a virtual private network (VPN). For example, the source computing system 102A-N may be a server, such as a common remote service platform. The source computing systems 102A-N are used for patch transfer, antivirus signature transfer and remote support to the technical installation 108A-N. In an embodiment, each of the source computing systems 102A-N at geographical locations A-N is connected by the multilayer network of nodes 104A-N (also referred to herein as a beehive network). This connectivity relies on the algorithms and network architecture described below to address the vulnerabilities of the existing network.
The multilayer network of nodes 104A-N, also referred to herein as the beehive network, is represented as a generally hexagonal planform; however, other shapes may be used depending on the particular functional and aesthetic requirements of a given installation. Usable shapes include, without limitation, rectangular, circular or octagonal planforms. A beehive network of nodes 104A-N may serve a variety of communication needs, depending in part on the type of modules installed. The beehive network of nodes 104A-N may be configured to serve wireless data networking needs. The beehive network of nodes 104A-N may also serve mobile telephony needs, such as cell phones. The beehive network of nodes 104A-N may be configured to provide emergency services communications. The beehive network of nodes 104A-N may route and aggregate telephone, data, emergency services or other communications to one or more communications satellites which forward the communications to a data network or a voice network. Alternatively, the beehive network of nodes 104A-N may route and aggregate telephone or data communications to another beehive, to the data network 106A-N or to a voice network directly via wired or wireless connections. In an exemplary application, the beehive network of nodes 104A-N may communicate directly or indirectly with a data network 106A-N, a wide-area network for corporate communications, and a local area network supporting a technical installation. The beehive network of nodes 104A-N uses 16- or 32-character encoded addressing to resist prediction, address spoofing and tracing. The beehive structure is designed to absorb congestion, as each node 104A-N has at least three paths available to forward the data packets. A detailed view of the beehive network of nodes 104A-N is illustrated in FIG 3.
The technical installation 108A-N comprises one or more terminal nodes 110A-N. The terminal nodes 110A-N are network computers configured for communicating data packets and for installing one or more network patches or patterns received from the source computing system 102A-N.
The terminal nodes 110A-N and the source computing system 102A-N may comprise an interface, hardware with an operating system (OS), and a platform. The hardware and OS may include one or more servers on which an operating system is installed. The one or more servers comprise one or more processing units, one or more storage devices for storing data, and other peripherals required for providing cloud functionality. The platform implements functionalities such as data storage, data analysis, data processing, data management, data validation, data visualization and data communication on the hardware and OS via APIs and algorithms, and delivers the aforementioned services using artifacts. The platform may comprise a combination of dedicated hardware and software built on top of the hardware and OS.
The source computing system 102A-N and the terminal nodes 110A-N may comprise a plurality of servers or processors (also known as 'infrastructure'), which are geographically distributed and connected with each other via the multilayer network of nodes 104A-N and the network 106A-N. A dedicated platform is installed on the servers/processors for providing the above functionality as an application (hereinafter referred to as 'software application'). The platform may comprise a plurality of software programs executed on one or more servers or processors of the source computing system 102A-N and the terminal nodes 110A-N to enable delivery of the requested data packets to each other.
FIG 2 is a detailed view of the schematic representation of a computing environment 100 capable of securing data communication, according to an embodiment of the present invention. In FIG 2, the source computing system 102 at a particular geographical location is connected to the multilayer network of nodes 104 via a firewall 208A-N through the network 210A-B. The multilayer network of nodes 104 comprises a mutation controller 202, one or more radio nodes 204A-N, and one or more relay nodes 206A-N. A detailed view of the multilayer network of nodes 104 is illustrated in FIG 3. The multilayer network of nodes 104 further connects the source computing system 102 to the one or more terminal nodes 110A-N via a communication channel 106 and a firewall 208N. The communication channel 106 may be one or more virtual networks 106. The firewalls 208A-N restrict or filter the received data packets for security reasons. The terminal nodes 110A-N then receive the data packet transmitted by the source computing system 102.
FIG 3 is a block diagram of a multilayer network of nodes 104 such as those shown in FIG 1 and FIG 2, depicting various components to implement embodiments of the present invention. In FIG 3, the multilayer network of nodes 104 comprises a mutation controller 202, one or more radio nodes 204A-N, and one or more relay nodes 206A-N. In the multilayer network of nodes 104, each of the radio nodes 204A-N, which are the beehive nodes, responds to another beehive node only. A data packet traversing the network carries a layered data structure with one layer for each beehive router on its pathway, and each layer of the multi-layer structure comprises an encryption of the identity of the next beehive router in the pathway, so that a router learns only its immediate successor.
The one or more radio nodes 204A-N are the nodes which transfer the data packets inside the private network 104. Authentication of the data packets within the network 104 is done by means of a 'u' bit in the TCP header of the data packet. The one or more relay nodes 206A-N are the frontline nodes which face the internet. The one or more relay nodes 206A-N dispatch the data packets, patches and patterns to the site terminal nodes 110A-N. Secure file transfer protocol (SFTP) communication takes place between the relay nodes 206A-N and the terminal nodes 110A-N. The one or more relay nodes 206A-N and radio nodes 204A-N are open to receive the patterns traversed from any internal radio node 204A-N or relay node 206A-N. To identify traffic originating inside the network, an additional bit is set in the TCP header of each data packet, so that the data packet becomes a uTCP, i.e. a unique TCP, packet. By the addition or alteration of this one 'u' bit of the TCP header the data packet is made unique in this respect. This uniqueness is used by the internal communication network 104 to route and accept the packet seamlessly, so that internal data packets are recognised and any alien data packet inside the network 104 is rejected. The 'u' bit is an admission marker for the network 104 rather than a cryptographic authenticator: it is visible to any party able to observe the internal traffic, and the authenticity of the patch or pattern itself is validated separately by the mutation controller 202 as described below. The modification of the data packets may be done using packet-crafting tools such as Scapy, Ostinato or Netdude. Once the uTCP packet has been accepted by a relay node 206A-N, the mutation controller 202 removes the altered bit, whereupon the data packet becomes a normal TCP packet which is then sent to the respective terminal node 110A-N. One method of creating the unique TCP identifier is to use the urgent pointer (URG) flag of the TCP header; by switching this flag at a random instance, the TCP data packet acts as a unique data packet. Another method is to switch the state of the reserved bits of the TCP header. Another method is to vary the size of the TCP segments by switching the creation cycle of the data generator, such that at any one instance all packets in the network 104 have the same size and packets of any other size are rejected. Such TCP validation is done in the network 104 to reject alien packets and to resist network spoofing and code injection. Whenever a data packet passes between the one or more radio nodes 204A-N, each transfer constitutes a transaction, and a record of each transaction is retained for the last 'h' transactions.
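The following Python is an added example and not code from the patent or its applicant. It implements the 'u'-bit (uTCP) scheme of the summary and of the passage above on raw TCP segments with the standard library only, standing in for the Scapy, Ostinato or Netdude tooling named in the text: the mutation controller sets one reserved bit of the TCP header and recomputes the checksum, a radio node accepts a segment only if the marker is present, the checksum verifies and the length equals the fixed segment size of the current cycle, and the relay clears the marker again so that a plain TCP segment reaches the terminal node. The choice of reserved bit 11 as the 'u' bit, the IP addresses, ports and payloads are assumptions for illustration; the URG flag is supported as the alternative marker the text mentions.

```python
"""Added example, not code from the patent: a 'u'-bit (uTCP) marker on raw
TCP segments using only the standard library, in place of Scapy/Ostinato/
Netdude. Addresses, ports, payloads and the chosen marker bit are constructed."""
import socket
import struct

TCP_HDR = struct.Struct("!HHIIHHHH")  # sport, dport, seq, ack, offset/flags, window, checksum, urgptr
U_BIT = 1 << 11       # assumption: highest reserved bit of the offset/flags word (reserved per RFC 9293)
FLAG_URG = 0x20       # URG flag, the text's alternative marker
FLAG_ACK = 0x10
FLAG_PSH = 0x08
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"   # constructed radio-node addresses for the pseudo-header


def _ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def _with_checksum(segment, src_ip, dst_ip):
    """Recompute the TCP checksum after any header change, else every hop drops the segment."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(segment, src_ip, dst_ip):
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Plain TCP segment with a 20-byte header and no options."""
    header = TCP_HDR.pack(sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return _with_checksum(header + payload, src_ip, dst_ip)


def has_marker(segment, bit=U_BIT):
    return bool(struct.unpack("!H", segment[12:14])[0] & bit)


def set_marker(segment, src_ip, dst_ip, on, bit=U_BIT):
    """Mutation controller: append (on=True) or strip (on=False) the temporary security bit."""
    word = struct.unpack("!H", segment[12:14])[0]
    word = (word | bit) if on else (word & ~bit)
    return _with_checksum(segment[:12] + struct.pack("!H", word) + segment[14:], src_ip, dst_ip)


def radio_node_accept(segment, src_ip, dst_ip, cycle_len, bit=U_BIT):
    """Acceptance rule inside the beehive: fixed length for this cycle, valid
    checksum and the marker present. Anything else is treated as an alien packet."""
    return (len(segment) == cycle_len
            and checksum_ok(segment, src_ip, dst_ip)
            and has_marker(segment, bit))


def demo():
    plain = build_segment(SRC_IP, DST_IP, 40000, 22, 1000, 2000, FLAG_PSH | FLAG_ACK, b"patch-chunk-0001")
    marked = set_marker(plain, SRC_IP, DST_IP, True)            # controller admits the packet
    stripped = set_marker(marked, SRC_IP, DST_IP, False)        # relay hands on plain TCP
    alien = build_segment(SRC_IP, DST_IP, 40001, 22, 1, 1, FLAG_ACK, b"alien-payload-xx")  # same size, no marker
    cycle_len = len(marked)
    return {
        "plain_accepted": radio_node_accept(plain, SRC_IP, DST_IP, cycle_len),
        "marked_accepted": radio_node_accept(marked, SRC_IP, DST_IP, cycle_len),
        "alien_accepted": radio_node_accept(alien, SRC_IP, DST_IP, cycle_len),
        "wrong_len_accepted": radio_node_accept(marked, SRC_IP, DST_IP, cycle_len + 1),
        "stripped_equals_plain": stripped == plain,
        "marked_checksum_ok": checksum_ok(marked, SRC_IP, DST_IP),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum is recomputed on every change because a marker set without fixing the checksum would be dropped by any conforming TCP stack before the acceptance rule is ever evaluated; note also that the rule is a filter, not authentication, since anyone who can observe one admitted segment can reproduce the marker.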
The mutation controller 202 is configured for providing secure communication in the computing environment 100. The mutation controller 202 comprises a communication management module 302, which is explained in detail with reference to FIG 4 and FIG 5. The mutation controller 202 is designed to control the node addresses of the radio nodes 204A-N. After each transaction, the addresses of the radio nodes 204A-N are revised. The address is a string of characters, taken either from a random address generator such as Shallot or from a lookup table holding a pool of addresses. An example of the address format is 'dhgdg377fh3fff14.beehive', that is, a 16-character label followed by the beehive domain extension. The mutation controller 202 also updates the site-specific list in its database. The site-specific data comprises information such as the terminal node nomenclature, node IP address, MAC address, the number and names of patches installed on it, and the sequence and timestamps of the installed patches. The validation of the authenticity of the data packet, patch or pattern is done by the mutation controller 202. Depending on the acknowledgement of the data packets by the terminal nodes 110A-N, the data packets are validated against a man-in-the-middle attack. The mutation controller 202 also verifies that the path traversed by a packet is new every time, with no repetition of the past 'n' paths for the same packet traversal, where n lies between 0 and 10. The mutation controller 202 changes four characters of each node address in a random sequence and stores the address of each radio node 204A-N in its database. This address is intended to be unique within the network and unpredictable to an observer; this holds only as long as the random address generator or address pool is itself unpredictable. Node-to-node routing information is encapsulated in the TCP datagram under three layers of encryption: when the packet is released from the mutation controller 202 to the first radio node 204A-N, that node opens its layer using its private key and reads the address of the next radio node 204A-N, and the process repeats until the data packet reaches a relay node 206A-N. Once the data packet reaches the relay node 206A-N, the mutation controller 202 finally encapsulates the data packet with an encryption that can be decrypted at the terminal node 110A-N and dispatches the packet to the specific terminal node 110A-N via a random VPN tunnel 106. Radio node 204A-N to radio node 204A-N communication is only possible if the criteria set by the mutation controller 202 are met; these criteria are fixed at random by the mutation controller 202 and may comprise the data packet length, the urgent pointer, the header length or the state of the reserved bits.
The random VPN tunnel 106 is configured for providing safe delivery of the data packets from the relay node 206A-N to the terminal nodes 110A-N. Multiple VPN tunnels 106 are created between a relay node 206A-N and a single terminal node 110A-N, and the tunnel 106 is selected by an algorithm which randomizes the tunnel selection. For example, if 'h' tunnels are created between the relay node 206A-N and the terminal node 110A-N, there are 'h' pathways available; a new tunnel is drawn at random from these for every transmission. This is done to resist packet injection after the packet leaves the relay node 206A-N. This addition increases the complexity of the transport security and hence makes it harder to eavesdrop on or manipulate the data packets. In operation, the initiator makes a request to a proxy controller, which is the mutation controller 202, to establish a virtual circuit through the one or more radio nodes 204A-N. The mutation controller 202 executes the algorithm and defines the pathway itself, the pathway consisting of individual paths between adjacent radio nodes 204A-N.
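The following Python is an added example of the layered next-hop encapsulation described for FIG 3 and in the passage above; it is not code from the patent. Each radio node's layer carries only the address of the following hop, sealed under that node's key, so a node peels one layer, learns its successor and forwards the remainder without being able to read the relay address or the payload; a layer whose tag does not verify is treated as an alien or tampered packet. The innermost content is the final encapsulation for the terminal node. The cipher is an encrypt-then-MAC construction over a SHA-256 keystream, used here only so that the example runs without third-party libraries; a deployment would use a standard AEAD such as AES-GCM. The addresses, keys and payload are constructed.

```python
"""Added example (not the patent's code): layered next-hop encapsulation.
Toy encrypt-then-MAC cipher; a real deployment would use a standard AEAD."""
import hashlib
import hmac
import secrets

ADDR_LEN = 24      # 16-character label + ".beehive"
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: XOR with a SHA-256 keystream, then HMAC over nonce||ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag in constant time before decrypting; failure means alien or tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated layer")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_layered_packet(route, node_keys, relay_addr, inner):
    """Wrap `inner` so that radio node route[i] can read only route[i+1]
    (the relay address in the last layer). Built from the innermost layer outwards."""
    blob, next_hop = inner, relay_addr
    for addr in reversed(route):
        blob = seal(node_keys[addr], next_hop.encode() + blob)
        next_hop = addr
    return blob


def peel(addr, node_keys, blob):
    """One radio node removes its own layer: returns (next hop address, remaining blob)."""
    plain = unseal(node_keys[addr], blob)
    return plain[:ADDR_LEN].decode(), plain[ADDR_LEN:]


def traverse(entry, node_keys, blob, relay_addr):
    """Forward hop by hop until the relay; returns the hops seen and what the relay receives."""
    hops, current = [entry], entry
    while current != relay_addr:
        current, blob = peel(current, node_keys, blob)
        hops.append(current)
    return hops, blob


def _rejects(addr, node_keys, packet):
    """Flip one ciphertext bit of the outer layer and check that the node refuses it."""
    flipped = packet[:NONCE_LEN] + bytes([packet[NONCE_LEN] ^ 0x01]) + packet[NONCE_LEN + 1:]
    try:
        peel(addr, node_keys, flipped)
    except ValueError:
        return True
    return False


def demo():
    # Constructed 16-character labels, per-node keys and payload.
    route = ["aq3m9d2kx7fh1z0w.beehive", "p0t8r2v6n1c4y9e3.beehive", "k7j2h5g8f1d4s0a6.beehive"]
    relay = "relaynode0001zzz.beehive"
    node_keys = {a: secrets.token_bytes(32) for a in route}
    terminal_key = secrets.token_bytes(32)
    inner = seal(terminal_key, b"patch-chunk-0001")     # final encapsulation for the terminal node
    packet = build_layered_packet(route, node_keys, relay, inner)
    hops, at_relay = traverse(route[0], node_keys, packet, relay)
    next_hop, rest = peel(route[0], node_keys, packet)   # what the first radio node can see
    return {
        "route": route,
        "relay": relay,
        "hops": hops,
        "payload": unseal(terminal_key, at_relay),
        "first_next_hop": next_hop,
        "relay_visible_to_first_hop": relay.encode() in rest,
        "tampered_rejected": _rejects(route[0], node_keys, packet),
    }


if __name__ == "__main__":
    print(demo())
```

Because each layer is authenticated before it is decrypted, a radio node that receives a packet not built for it by the mutation controller fails at the tag check and never acts on the address field, which is the property the text relies on when it rejects alien packets inside the beehive.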
In an embodiment, the mutation controller 202 is configured for scanning the one or more radio nodes 204A-N and assigning a beehive address to each of the one or more radio nodes 204A-N. Further, the mutation controller 202 is configured for renewing the encryption key required for opening the data packet. Upon renewing the encryption key, a key expiry time limit is set to a predefined time interval. Further, the corresponding relay node 206A-N is selected for transmission of the data packet. Then a transaction time limit and other communication criteria are set. Until the transaction is completed, the transaction and the data path are monitored. Once the final transaction is completed, the one or more radio nodes 204A-N are scanned again and their node addresses are renewed. Further, it is determined whether the encryption key is still valid. If the encryption key is valid, the transaction is deemed completed with the data packet successfully transmitted. Alternatively, if the encryption key is not valid, the encryption keys are renewed and the above process repeats.
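The following Python is an added example, not the patent's own code, of the address and path handling the mutation controller performs according to the passages above: 16-character labels with the .beehive domain extension, four characters of every radio-node address revised after each transaction, a random first path to a relay node checked against validation conditions and against the last n paths, and a second random path chosen as one of h VPN tunnels that never reuses the tunnel used last. The topology, the history depth and the tunnel names are assumptions for illustration; the actual address generator (Shallot or an address pool) and the encryption-key renewal are outside this example.

```python
"""Added example (not the patent's code): address mutation, fresh-path
selection and random tunnel selection for a mutation controller.
Topology, history depth and tunnel names are constructed for illustration."""
import random
import secrets
import string
from collections import deque

ALPHABET = string.ascii_lowercase + string.digits
LABEL_LEN = 16
DOMAIN = ".beehive"

# Constructed beehive topology: every radio node r1..r6 has at least three
# neighbours; R1 and R2 are the relay nodes facing the internet.
TOPOLOGY = {
    "r1": {"r2", "r3", "r4"},
    "r2": {"r1", "r3", "r5"},
    "r3": {"r1", "r2", "r4", "r5"},
    "r4": {"r1", "r3", "r6"},
    "r5": {"r2", "r3", "r6", "R1"},
    "r6": {"r4", "r5", "R1", "R2"},
    "R1": {"r5", "r6"},
    "R2": {"r6"},
}
RELAYS = {"R1", "R2"}


class MutationController:
    def __init__(self, topology, relays, history=5, rng=None):
        # secrets.SystemRandom in production; a seeded random.Random only for reproducible tests
        self.rng = rng or secrets.SystemRandom()
        self.topology = topology
        self.relays = set(relays)
        self.addresses = {n: self.new_address() for n in topology if n not in self.relays}
        self.recent = deque(maxlen=history)   # the last n paths, n in 0..10 per the text
        self.last_tunnel = None

    def new_address(self):
        label = "".join(self.rng.choice(ALPHABET) for _ in range(LABEL_LEN))
        return label + DOMAIN

    def mutate_address(self, addr):
        """Revise four randomly chosen characters of the 16-character label."""
        label = list(addr[:LABEL_LEN])
        for pos in self.rng.sample(range(LABEL_LEN), 4):
            label[pos] = self.rng.choice(ALPHABET.replace(label[pos], ""))
        return "".join(label) + DOMAIN

    def validate_path(self, path):
        """Validation conditions: ends at a relay, visits no node twice,
        passes through no relay before the end, and every hop is adjacent."""
        if len(path) < 2 or path[-1] not in self.relays:
            return False
        if len(set(path)) != len(path) or any(n in self.relays for n in path[:-1]):
            return False
        return all(b in self.topology[a] for a, b in zip(path, path[1:]))

    def random_path(self, entry, attempts=50):
        """Random walk from the entry radio node to a relay; discarded if it
        fails validation or repeats one of the last n paths."""
        for _ in range(attempts):
            path = [entry]
            while path[-1] not in self.relays:
                candidates = [n for n in self.topology[path[-1]] if n not in path]
                if not candidates:
                    break                       # dead end: discard and retry
                path.append(self.rng.choice(candidates))
            if self.validate_path(path) and path not in self.recent:
                self.recent.append(list(path))
                return path
        raise RuntimeError("no fresh valid path found")

    def path_addresses(self, path):
        """The first random path as transmitted: current addresses of its radio nodes."""
        return [self.addresses[n] for n in path if n not in self.relays]

    def pick_tunnel(self, tunnels):
        """Second random path: one of h tunnels, never the one used last time."""
        fresh = [t for t in tunnels if t != self.last_tunnel] or list(tunnels)
        self.last_tunnel = self.rng.choice(fresh)
        return self.last_tunnel

    def complete_transaction(self):
        """After each transaction every radio-node address is revised."""
        self.addresses = {n: self.mutate_address(a) for n, a in self.addresses.items()}


def demo(seed=None):
    rng = random.Random(seed) if seed is not None else None
    mc = MutationController(TOPOLOGY, RELAYS, history=5, rng=rng)
    before = dict(mc.addresses)
    paths, tunnels = [], []
    for _ in range(4):
        path = mc.random_path("r1")
        paths.append(path)
        tunnels.append(mc.pick_tunnel(["vpn-a", "vpn-b", "vpn-c"]))
        mc.complete_transaction()
    return mc, before, paths, tunnels


if __name__ == "__main__":
    mc, before, paths, tunnels = demo()
    for p, t in zip(paths, tunnels):
        print(mc.path_addresses(p), "->", p[-1], "via", t)
```

The path history is kept as a bounded deque so that "no repetition of the past n paths" is enforced literally; with n = 0 every path is accepted, which is why the text's range 0 to 10 is a tuning choice rather than a guarantee of freshness.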
FIG 4 is a block diagram of a computing system 202 such as those shown in FIG 2 and FIG 3, depicting various components to implement embodiments of the present invention. In FIG 4, the computing system 202 includes a processor(s) 402, an accessible memory 404, a communication interface 406, a network interface 408, an input/output unit 410, and a bus 412.
The processor(s) 402, as used herein, means any type of computational circuit, such as, but not limited to, a microprocessor unit, microcontroller, complex instruction set computing microprocessor unit, reduced instruction set computing microprocessor unit, very long instruction word microprocessor unit, explicitly parallel instruction computing microprocessor unit, graphics processing unit, digital signal processing unit, or any other type of processing circuit. The processor(s) 402 may also include embedded controllers, such as generic or
programmable logic devices or arrays, application specific integrated circuits, single-chip computers, and the like.
The memory 404 may be non-transitory volatile memory and non-volatile memory. The memory 404 may be coupled for communication with the processor(s) 402, such as being a computer-readable storage medium. The processor(s) 402 may execute machine-readable instructions and/or source code stored in the memory 404. A variety of machine-readable instructions may be stored in and accessed from the memory 404. The memory 404 may include any suitable elements for storing data and machine-readable instructions, such as read only memory, random access memory, erasable programmable read only memory, electrically erasable programmable read only memory, a hard drive, a removable media drive for handling compact disks, digital video disks, diskettes, magnetic tape cartridges, memory cards, and the like. In the present embodiment, the memory 404 includes a communication management module 302 stored in the form of machine-readable instructions on any of the above-mentioned storage media, which may be in communication with and executed by the processor(s) 402.
When executed by the processor(s) 402, the communication management module 302 causes the processor(s) 402 to establish a communication session with a terminal node 110A-N based on a first request from the terminal node 110A-N. Further, the communication management module 302 causes the processor(s) 402 to receive a second request for transmission of a data packet from the terminal node 110A-N once the communication session is established with the terminal node 110A-N. Furthermore, the communication management module 302 causes the processor(s) 402 to determine the corresponding data packet requested for transmission based on the received second request. Also, the communication management module 302 causes the processor(s) 402 to modify the determined data packet before transmission based on one or more security criteria. Further, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to the terminal node 110A-N in response to the received second request.
Further, the communication management module 302 causes the processor(s) 402 to receive an acknowledgement packet from the terminal node 110A-N in response to the transmission of the modified data packet. Also, the communication management module 302 causes the processor(s) 402 to validate the acknowledgement packet received from the terminal node 110A-N based on one or more set criteria. Further, the communication management module 302 causes the processor(s) 402 to provide access to the modified data packet upon successful validation.
Furthermore, the communication management module 302 causes the processor(s) 402 to reject the second request if the validation of the acknowledgement packet received from the terminal node 110A-N fails. Also, the communication management module 302 causes the processor(s) 402 to deny access to the modified data packet upon rejecting the second request.
Furthermore, in establishing the communication session with the terminal node 110A-N based on the first request from the terminal node 110A-N, the communication management module 302 causes the processor(s) 402 to receive the first request for establishing the communication session from the terminal node 110A-N via the networks 104 and 106. Further, the communication management module 302 causes the processor(s) 402 to extract one or more parameters associated with the terminal node 110A-N from the received first request. Further, the communication management module 302 causes the processor(s) 402 to authenticate the extracted one or more parameters associated with the terminal node 110A-N against prestored corresponding one or more parameters associated with the terminal node 110A-N. Also, the communication management module 302 causes the processor(s) 402 to establish the communication session with the terminal node 110A-N upon successful authentication of the extracted one or more parameters associated with the terminal node 110A-N.
Additionally, in determining the corresponding data packet requested for transmission based on the received second request, the communication management module 302 causes the processor(s) 402 to obtain information related to the requested data packet by parsing the received second request. Further, the communication management module 302 causes the processor(s) 402 to compare the obtained information related to the requested data packet with one or more lists of data packets. Also, the communication management module 302 causes the processor(s) 402 to retrieve the data packet matching the obtained information related to the requested data packet based on the comparison.
Further, in modifying the determined data packet before transmission based on the one or more security criteria, the communication management module 302 causes the processor(s) 402 to determine one or more properties associated with the determined data packet. Further, the communication management module 302 causes the processor(s) 402 to determine whether the one or more properties associated with the determined data packet meet the one or more security criteria. Also, the communication management module 302 causes the processor(s) 402 to append a temporary security bit to the determined data packet if the one or more properties associated with the determined data packet meet the one or more security criteria.
Further, in determining whether the one or more properties associated with the determined data packet meet the one or more security criteria, the communication management module 302 causes the processor(s) 402 to reject the second request for transmission of the data packet if the one or more properties associated with the determined data packet fail to meet the one or more security criteria.
Further, in transmitting the modified data packet to the terminal node 110A-N in response to the received second request, the communication management module 302 causes the processor(s) 402 to determine a first random path for transmission of the modified data packet to a relay node 206A-N. The first random path comprises an encryption key, one or more addresses and an identifier of one or more radio nodes 204A-N, arranged in a predefined manner. The one or more radio nodes 204A-N route the modified data packet to the relay node 206A-N. Further, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to the relay node 206A-N based on the determined first random path. Also, the communication management module 302 causes the processor(s) 402 to determine a second random path for transmission of the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the address of the terminal node 110A-N and one or more random communication channels 106 existing between the relay node 206A-N and the terminal node 110A-N. Also, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the determined second random path.
Further, in transmitting the modified data packet to the relay node 206A-N based on the determined first random path, the communication management module 302 causes the processor(s) 402 to transmit the modified data packet to one of the radio nodes 204A-N based on the determined first random path. Further, the communication management module 302 causes the processor(s) 402 to obtain the address of the subsequent radio node 204A-N for routing the modified data packet to that subsequent node by parsing the content of the modified data packet. Also, the communication management module 302 causes the processor(s) 402 to repeat the steps above until the modified data packet reaches the relay node 206A-N. The one or more addresses of the one or more radio nodes 204A-N comprised in the first random path comprise a multi-layer network domain extension.
Furthermore, in determining the first random path for transmission of the modified data packet to the relay node 206A-N, the communication management module 302 causes the processor(s) 402 to verify the determined first random path based on one or more validation conditions. Also, the communication management module 302 causes the processor(s) 402 to determine whether the verified first random path is non-repetitive with respect to previously used paths.
The communication interface 406 is configured for establishing communication sessions between the source computing system 102A-N and the terminal nodes 110A-N. In an embodiment, the communication interface 406 interacts with the interface at the terminal node 110A-N to allow the engineers to access the data packet and perform one or more actions on it. The complete process of data communication is segregated into three zones divided by barriers. The first barrier, which is exposed to the internet, is the one to which the relay nodes 206A-N are assigned; all communication with the terminal nodes 110A-N of the several sites occurs here, and the communications across this barrier are encrypted. The second barrier is the beehive barrier, which lies in the beehive network 104; activities such as authentication and validation occur in this zone. The third and last barrier is the common remote service platform barrier, which separates the vital source computing system network from all others; the restricted authentication and validation communication occurs in this zone. The network interface 408 helps in managing network communications between the source computing system 102A-N and the terminal nodes 110A-N.
The input-output unit 410 may include input devices such as a keypad, a touch-sensitive display, a camera (such as a camera receiving gesture-based inputs), etc., capable of receiving one or more input signals, such as user commands to process data. Also, the input-output unit 410 may be a display unit for displaying a graphical user interface which visualizes the transmission of the data packet. The set of actions may include data entry, data modification or data display. The bus 412 acts as an interconnect between the processor 402, the memory 404, and the input-output unit 410.
Those of ordinary skill in the art will appreciate that the hardware depicted in FIG 2 may vary for particular implementations. For example, other peripheral devices such as an optical disk drive and the like, a Local Area Network (LAN), Wide Area Network (WAN) or Wireless (e.g., Wi-Fi) adapter, graphics adapter, disk controller, or input/output (I/O) adapter may also be used in addition to or in place of the hardware depicted. The depicted example is provided for the purpose of explanation only and is not meant to imply architectural limitations with respect to the present disclosure.
Those skilled in the art will recognize that, for simplicity and clarity, the full structure and operation of all data processing systems suitable for use with the present disclosure is not depicted or described herein. Instead, only so much of a computing system 202 as is unique to the present disclosure or necessary for an understanding of the present disclosure is depicted and described. The remainder of the construction and operation of the computing system 202 may conform to any of the various current implementations and practices known in the art.
FIG 5 is a block diagram of a communication management module 302, such as those shown in FIGS 3 and 4, capable of securing data communication, according to an embodiment of the present invention. In FIG 5, the communication management module 302 comprises a receiver module 502, an authentication module 504, a packet processing module 506, a validation module 508, a packet transmission module 510, an installation module 512, a database 514 and an output module 516.
The receiver module 502 is configured to establish a communication session with a terminal node 110A-N based on a first request from the terminal node 110A-N. Specifically, the receiver module 502 is configured for receiving the first request for establishing the communication session from the terminal node 110A-N via the networks 106 and 104. The first request comprises information relating to the terminal node. For example, the information relating to the terminal node comprises its nomenclature together with the sequence of patches or patterns on its system software, that is, the node identifier and the list of the last n (Ln) patterns installed on the system (Tn+Ln). Further, the receiver module 502 is configured for extracting one or more parameters associated with the terminal node 110A-N from the received first request. The one or more parameters comprise the terminal node address, communication path/channel, source node address and the like. Then, the authentication module 504 is configured for authenticating the extracted one or more parameters associated with the terminal node 110A-N based on prestored corresponding one or more parameters associated with the terminal node 110A-N. This is achieved by matching the one or more parameters with the prestored corresponding one or more parameters. If the authentication fails, the first request is rejected by the receiver module 502. If the authentication is successful, the authentication module 504 requests the receiver module 502 to process the first request further. Further, the authentication module 504 is configured for transmitting an acknowledgement bit to the terminal node 110A-N once the authentication is completed. Then, the receiver module 502 is configured for establishing the communication session with the terminal node 110A-N.
Furthermore, the receiver module 502 is configured for receiving a second request for transmission of a data packet from the terminal node 110A-N once the communication session is established with the terminal node 110A-N. The second request comprises information relating to the transmission of the data packet. After receiving the acknowledgement bit from the mutation controller 202, the terminal node 110A-N requests the latest pattern.
Also, the receiver module 502 is configured for rejecting the second request if the validation of the acknowledgement packet received from the terminal node 110A-N fails, and for denying access to the modified data packet upon rejecting the second request.
The packet processing module 506 is configured for determining the corresponding data packet requested for transmission based on the received second request. In determining the corresponding data packet, the packet processing module 506 is configured for obtaining information related to the requested data packet by parsing the received second request. The information related to the requested data packet comprises the type of data packet, data packet identifier, time stamp information, and the like. Further, the packet processing module 506 is configured for comparing the obtained information related to the requested data packet with one or more lists of data packets. Also, the packet processing module 506 is configured for retrieving the data packet matching the obtained information related to the requested data packet based on the comparison.
Furthermore, the packet processing module 506 is configured for modifying the determined data packet before transmission based on one or more security criteria. The one or more security criteria comprise header content, code length, type of data packet, destination node address, communication path and the like. Specifically, the packet processing module 506 is configured for determining one or more properties associated with the determined data packet. The one or more properties associated with the data packet comprise bit size, length, header content, packet identifier and the like. These one or more properties associated with the data packet are passed to the validation module 508.
Further, the validation module 508 is configured for determining whether the one or more properties associated with the determined data packet meet the one or more security criteria. If they do, the results of validation are passed to the packet processing module 506, which is configured for appending a temporary security bit to the determined data packet. Alternatively, if the one or more properties associated with the determined data packet fail to meet the one or more security criteria, the packet processing module 506 is configured for rejecting the second request for transmission of the data packet.
The modification of the determined data packet is performed by the addition or alteration of one 'u' bit in the TCP packet, hence making the packet unique. This uniqueness is used by the internal communication network 100 to move and accept the packet seamlessly; it makes the internal packets unique and leads to the rejection of any alien packets inside the network 100. The modification of packets is done using tools such as Scapy, Ostinato or Netdude. Once the unique packet, the uTCP packet, has been accepted by the relay nodes 206A-N, the packet processing module 506 removes the altered bit and the packet again becomes a normal TCP packet which navigates the network 100 seamlessly. Then, the patterns are sent to the respective terminal nodes 110A-N. One method of creating a unique TCP identifier is to use the urgent pointer bit of the TCP datagram; by switching it at a random instant, the TCP packet acts as a unique packet. Another method is to switch the state of the reserved bits of the TCP datagram to make the packet unique for acceptance in the network 100. Another method is to make the size of the TCP data variable by switching the creation cycle of the data generator, so that at any one instant all packets in the network have the same size and any others are rejected. Hence, TCP packet validation is done in the network to reject alien data packets and to counter network spoofing and code injection.
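As an added illustration of the uTCP marking described above (example code, not the patent's own implementation), the following Python builds a plain TCP header, applies the 'u' bit either through the URG flag and urgent pointer or through the reserved bits, validates an arriving packet against the set criteria named later in the description (packet length, header length, urgent pointer, reserved-bit state) so that unmarked alien packets are rejected, and strips the marker again as the relay would. The marker value, ports and payload are constructed; the checksum is left at zero and would be recomputed in a deployment.

```python
import struct

# Added example (not the patent's own code): mark a TCP header with the 'u' bit so
# that only marked "uTCP" packets are accepted inside the internal network, and
# restore plain TCP afterwards. Marker values, ports and payload are constructed;
# the checksum is left at zero and would be recomputed in a real deployment.

TCP_FMT = "!HHIIHHHH"               # ports, seq, ack, offset/flags, window, csum, urg
TCP_LEN = struct.calcsize(TCP_FMT)  # 20-byte header without options

URG_FLAG = 0x0020        # URG flag bit in the 16-bit data-offset/flags word
RESERVED_MASK = 0x0E00   # the three reserved bits (bits 9-11 of that word)


def build_tcp_header(src_port, dst_port, seq, ack, flags=0x0010, window=65535):
    """Plain TCP header: data offset 5 (no options), reserved bits clear, URG off."""
    offset_word = (5 << 12) | (flags & 0x01FF)
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, offset_word, window, 0, 0)


def parse_tcp_header(raw):
    if len(raw) < TCP_LEN:
        raise ValueError("truncated TCP header")
    s, d, seq, ack, word, win, csum, urg = struct.unpack(TCP_FMT, raw[:TCP_LEN])
    return {"src_port": s, "dst_port": d, "seq": seq, "ack": ack,
            "data_offset": word >> 12, "reserved": (word >> 9) & 0x7,
            "flags": word & 0x1FF, "window": win, "checksum": csum, "urg_ptr": urg}


def _set_word(raw, word):
    """Replace the 16-bit data-offset/reserved/flags word (bytes 12-13)."""
    return raw[:12] + struct.pack("!H", word) + raw[14:]


def mark_packet(raw, method, marker):
    """Add the 'u' bit. "urgent": raise URG and load the urgent pointer with the
    session marker. "reserved": write the marker (1..7) into the reserved bits."""
    hdr = parse_tcp_header(raw)
    word = (hdr["data_offset"] << 12) | (hdr["reserved"] << 9) | hdr["flags"]
    if method == "urgent":
        marked = _set_word(raw, word | URG_FLAG)
        return marked[:18] + struct.pack("!H", marker & 0xFFFF) + marked[20:]
    if method == "reserved":
        if not 1 <= marker <= 7:
            raise ValueError("reserved-bit marker must be 1..7")
        return _set_word(raw, (word & ~RESERVED_MASK) | (marker << 9))
    raise ValueError("unknown marking method")


def strip_marker(raw, method):
    """Undo mark_packet at the relay so the packet is ordinary TCP again."""
    hdr = parse_tcp_header(raw)
    word = (hdr["data_offset"] << 12) | hdr["flags"]   # reserved bits cleared
    if method == "urgent":
        plain = _set_word(raw, word & ~URG_FLAG)
        return plain[:18] + b"\x00\x00" + plain[20:]
    return _set_word(raw, word)


def is_internal_packet(raw, criteria):
    """Validation condition as the description lists it: packet length, header
    length, urgent pointer and reserved-bit state must all match; anything else
    is an alien packet and is rejected."""
    try:
        hdr = parse_tcp_header(raw)
    except ValueError:
        return False
    return (len(raw) == criteria["packet_length"]
            and hdr["data_offset"] * 4 == criteria["header_length"]
            and hdr["reserved"] == criteria["reserved"]
            and bool(hdr["flags"] & URG_FLAG) == criteria["urg_set"]
            and hdr["urg_ptr"] == criteria["urg_ptr"])


if __name__ == "__main__":
    # constructed sample: a pattern-update payload behind an ACK-only header
    packet = build_tcp_header(40000, 443, 1000, 0) + b"PATTERN-UPDATE-V1"
    crit = {"packet_length": len(packet), "header_length": 20, "reserved": 0,
            "urg_set": True, "urg_ptr": 0x5A5A}
    utcp = mark_packet(packet, "urgent", 0x5A5A)
    print("marked accepted:", is_internal_packet(utcp, crit))     # True
    print("plain accepted:", is_internal_packet(packet, crit))    # False
    print("restored:", strip_marker(utcp, "urgent") == packet)    # True
```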
The packet transmission module 510 is configured for transmitting the modified data packet to the terminal node 110A-N in response to the received second request. Specifically, the packet transmission module 510 is configured for determining a first random path for transmission of the modified data packet to a relay node 206A-N. The first random path comprises an encryption key, one or more addresses and an identifier of one or more radio nodes 204A-N in a predefined manner. The one or more radio nodes 204A-N route the modified data packet to the relay node 206A-N. In determining the first random path, the packet transmission module 510 is configured for verifying the determined first random path based on one or more validation conditions. The one or more validation conditions comprise the node addresses of the one or more radio nodes 204A-N, the communication channel, the session identifier and the like. Further, the packet transmission module 510 is configured for determining whether the verified first random path is non-repetitive with respect to previously used paths. If so, the packet transmission module 510 is configured for transmitting the modified data packet to the relay node 206A-N based on the determined first random path. Also, the packet transmission module 510 is configured for determining a second random path for transmission of the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the address of the terminal node 110A-N and one or more random communication channels 106 existing between the relay node 206A-N and the terminal node 110A-N.
Further, the packet transmission module 510 is configured for transmitting the modified data packet from the relay node 206A-N to the terminal node 110A-N based on the determined second random path. To provide safe delivery of the packets from the relay node 206A-N to the terminal nodes 110A-N, the multiple VPN tunnel network 106 is created between the relay node 206A-N and a single terminal node, say 110A. The selection of the tunnel depends on an algorithm which randomizes the tunnel selection. For example, suppose there are n tunnels created between the relay nodes 206A-N and the terminal node 110A; then there are n pathways available. Out of these pathways, one is chosen at random, so that a new tunnel is selected every time. This is done to counter packet injection after the packet leaves the relay node 206A-N. This technical addition increases the complexity of the transport security and hence makes eavesdropping on and manipulation of packets harder.
Further, the packet transmission module 510 is configured for transmitting the modified data packet to one of the radio nodes 204A-N based on the determined first random path. Also, the packet transmission module 510 is configured for obtaining the address of the subsequent radio node for routing the modified data packet to that node by parsing the content of the modified data packet. Further, the packet transmission module 510 is configured for repeating the steps above until the modified data packet reaches the relay node 206A-N. In an exemplary embodiment, the packet transmission module 510 is designed to control the node addresses of the radio nodes 204A-N. After each transaction, the addresses of the nodes 204A-N are revised. The addressing is in the form of a string of characters. The address is randomly taken from a random address generator such as shallot or from a lookup table holding a pool of addresses. The format of the address is, for example, dhgdg377fh3fff14.beehive: a 16-character address followed by the beehive domain extension. The packet transmission module 510 also updates the site-specific list in its database. The site-specific data comprises the terminal node nomenclature, node Internet Protocol (IP) address, MAC address, number and names of patches installed on it, and the sequence and timestamps of installed patches. The validation of the authenticity of the patch or pattern is done by the packet transmission module 510. Depending on the acknowledgement of the packets by the terminal nodes 110A-N, the packets are validated as free of MITM attack. The packet transmission module 510 also verifies that the path traversed by the packet is new every time, with no repetition of the past n paths, where n = 0 to 10 for the same packet traversal. The packet transmission module 510 changes four characters of the address in a random sequence and stores the address of each node 204A-N in its database. This address is unique and impossible to predict by normal mathematical algorithms. Node-to-node communication information is encapsulated in the TCP datagram with three layers of encryption. When the packet is released from the packet transmission module 510 to the first radio node 204A, the radio node 204A opens the packet using its private key and then reads the address of the next node, say 204B, and the same process repeats until the data packet reaches the relay nodes 206A-N. Once the packet reaches the relay nodes 206A-N, the relay node encapsulates the data packet with encryption which can be decrypted at the terminal node 110A-N and then dispatches the data packet to the specific terminal node 110A-N via a random VPN tunnel 106. Node-to-node communication is only possible if the criteria set by the packet transmission module 510 are met. The set criteria or validation conditions fixed by the packet transmission module 510 comprise the data packet length, urgent pointer, header length or state of the reserved bits. The one or more addresses of the one or more radio nodes 204A-N comprised in the first random path comprise a multi-layer network domain extension.
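The first-random-path handling described in the two passages above, as an added example that is not the patent's own code: a selector draws a random ordered set of radio nodes with a per-path key, verifies the candidate against the validation conditions (known node addresses, existing channel, session identifier), rejects any route that repeats one of the last N (N = 0..10) and, after each transaction, revises four characters of every traversed node's 16-character `.beehive` address. The radio node identifiers and tunnel names are constructed placeholders; the per-hop encryption itself is not modelled here.

```python
import random
import secrets
import string
from collections import deque

# Added example (not the patent's own code): random first-path selection over the
# radio nodes, verification against the validation conditions, non-repetition
# against the last N paths (N = 0..10), and revision of four address characters
# after each transaction. Node identifiers and channel names are constructed.

ALPHABET = string.ascii_lowercase + string.digits
DOMAIN = ".beehive"
ADDR_LEN = 16


def new_address(rng=None):
    """16 random characters followed by the beehive domain extension."""
    rng = rng or random.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(ADDR_LEN)) + DOMAIN


def rotate_address(addr, rng=None):
    """Revise an address after a transaction: four random positions of the
    16-character part are replaced, each with a different character."""
    rng = rng or random.SystemRandom()
    if not addr.endswith(DOMAIN) or len(addr) != ADDR_LEN + len(DOMAIN):
        raise ValueError("malformed beehive address")
    chars = list(addr[:ADDR_LEN])
    for pos in rng.sample(range(ADDR_LEN), 4):
        chars[pos] = rng.choice(ALPHABET.replace(chars[pos], ""))
    return "".join(chars) + DOMAIN


class PathSelector:
    def __init__(self, radio_nodes, channels, history_len=10, rng=None):
        if not 0 <= history_len <= 10:
            raise ValueError("N must lie in 0..10")
        self.rng = rng or random.SystemRandom()
        self.nodes = dict(radio_nodes)            # radio node id -> current address
        self.channels = set(channels)
        self.history = deque(maxlen=history_len)  # routes of the last N paths

    def _candidate(self, hops, session_id):
        """A first random path: per-path key, ordered radio hops, channel, session."""
        ids = self.rng.sample(sorted(self.nodes), hops)
        return {"key": secrets.token_hex(16),
                "hops": [(i, self.nodes[i]) for i in ids],
                "channel": self.rng.choice(sorted(self.channels)),
                "session_id": session_id}

    def verify(self, path):
        """Validation conditions: every hop is a known radio node at its current
        address, the channel exists and a session identifier is present."""
        return (all(self.nodes.get(i) == a for i, a in path["hops"])
                and path["channel"] in self.channels
                and bool(path["session_id"]))

    def is_non_repetitive(self, path):
        return tuple(i for i, _ in path["hops"]) not in self.history

    def select(self, hops, session_id, attempts=50):
        """Draw candidates until one passes verification and is not among the
        last N routes; record it and return it."""
        for _ in range(attempts):
            path = self._candidate(hops, session_id)
            if self.verify(path) and self.is_non_repetitive(path):
                self.history.append(tuple(i for i, _ in path["hops"]))
                return path
        raise RuntimeError("no fresh path found; widen the node pool or lower N")

    def complete_transaction(self, path):
        """After each transaction the traversed radio nodes get revised addresses,
        so a replayed copy of the path no longer verifies."""
        for node_id, _ in path["hops"]:
            self.nodes[node_id] = rotate_address(self.nodes[node_id], self.rng)


if __name__ == "__main__":
    rng = random.Random(2020)
    pool = {f"radio-{n}": new_address(rng) for n in range(4)}
    selector = PathSelector(pool, ["vpn-1", "vpn-2"], history_len=3, rng=rng)
    for _ in range(5):
        path = selector.select(hops=2, session_id="session-0001")
        print([i for i, _ in path["hops"]], path["channel"], path["key"][:8])
        selector.complete_transaction(path)
```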
The installation module 512 is configured for receiving an acknowledgement packet from the terminal node 110A-N in response to the transmission of the modified data packet. The acknowledgement signal, used to confirm the decryption, unzipping and opening of the data packet, together with the confirmation bit received back from the terminal node 110A-N, adds an additional layer for authentic file transfer. It confirms that only the specific terminal node 110A-N has received that pattern packet, and hence counters any MITM (man-in-the-middle) attack. Further, the installation module 512 is configured for validating the acknowledgement packet received from the terminal node 110A-N based on one or more set criteria. The one or more set criteria comprise expiration of the set counter time, bit type and content, and the like. Further, the installation module 512 is configured for providing access to the modified data packet based on successful validation and thereby installing the pattern onto the respective terminal node 110A-N. In an embodiment, as the terminal node 110A-N opens, decrypts or unzips the data packet, the terminal node issues a de-package bit 'DPO' to the installation module 512. When the installation module 512 receives the DPO, it initiates a delay counter with a variable time setpoint. Once the set time expires, the installation module 512 issues a DPv confirmation bit to the terminal node 110A-N. As soon as the terminal node 110A-N receives the DPv bit, the installation and distribution of the pattern, patch or data packet is started on the industrial network 100. Once the pattern or data packet is installed, the terminal node 110A-N updates the pattern list as Pn and records the list for the next update.
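The DPO/DPv handshake described above, as an added example (not the patent's own code): the installation module records which terminal node each packet went to, validates an incoming acknowledgement against the set criteria (counter not expired, expected bit type, matching content), starts the delay counter on a valid DPO and issues DPv once the setpoint has elapsed. A DPO for the same packet from a second node is treated as the multiple-recipient case and aborts the installation. The clock is injected so runs are deterministic; packet and node identifiers are constructed.

```python
# Added example (not the patent's own code): the DPO/DPv acknowledgement handshake
# run by the installation module. A terminal node that has decrypted and unzipped
# the data packet sends the de-package bit DPO; the module starts a delay counter
# with a variable setpoint and, once it expires, answers with the confirmation bit
# DPv, which releases the installation. Acknowledgements are validated on counter
# expiry, bit type and content, and a second recipient of the same packet raises a
# red flag and aborts. The clock is injected so runs are deterministic; packet and
# node identifiers are constructed.


class InstallationModule:
    DPO, DPV = "DPO", "DPv"          # de-package bit and confirmation bit

    def __init__(self, setpoint_seconds, clock, ack_window_seconds=30):
        self.setpoint = setpoint_seconds      # variable delay before DPv is issued
        self.clock = clock                    # callable returning time in seconds
        self.ack_window = ack_window_seconds  # set counter time for the ack to arrive
        self.pending = {}    # packet_id -> {"node": id, "sent": t, "dpo": t or None}
        self.log = []        # status lines as shown on the user dashboard

    def packet_sent(self, packet_id, node_id):
        """Record which terminal node a modified data packet was dispatched to."""
        self.pending[packet_id] = {"node": node_id, "sent": self.clock(), "dpo": None}

    def _validate_ack(self, packet_id, node_id, ack):
        """Set criteria: arrive before the counter expires, carry the expected bit
        type, name the right packet, and come from the node the packet went to."""
        entry = self.pending.get(packet_id)
        if entry is None:
            return "unknown packet"
        if self.clock() - entry["sent"] > self.ack_window:
            return "acknowledgement counter expired"
        if ack.get("type") != self.DPO:
            return "unexpected bit type"
        if ack.get("content") != packet_id:
            return "content mismatch"
        if entry["node"] != node_id:
            return "multiple recipients"   # red flag: another node holds the packet
        return None

    def receive_ack(self, packet_id, node_id, ack):
        """Returns (accepted, message). A failed validation denies access to the
        packet: it is dropped from pending and DPv is never issued."""
        reason = self._validate_ack(packet_id, node_id, ack)
        if reason is not None:
            self.pending.pop(packet_id, None)
            self.log.append(f"{packet_id}: validation failed ({reason}); installation aborted")
            return False, reason
        self.pending[packet_id]["dpo"] = self.clock()
        self.log.append(f"{packet_id}: DPO received, validating for {self.setpoint}s")
        return True, "counter started"

    def tick(self):
        """Issue DPv for every packet whose delay counter has expired; returns the
        (node_id, packet_id, bit) tuples to send."""
        issued = []
        now = self.clock()
        for packet_id, entry in list(self.pending.items()):
            if entry["dpo"] is not None and now - entry["dpo"] >= self.setpoint:
                issued.append((entry["node"], packet_id, self.DPV))
                self.log.append(f"{packet_id}: validation successful, DPv sent; installing")
                del self.pending[packet_id]
        return issued


if __name__ == "__main__":
    now = [0.0]                                   # constructed, manually advanced clock
    module = InstallationModule(setpoint_seconds=5, clock=lambda: now[0])
    module.packet_sent("pattern-0042", "terminal-A")
    now[0] = 2.0
    print(module.receive_ack("pattern-0042", "terminal-A",
                             {"type": "DPO", "content": "pattern-0042"}))
    now[0] = 7.0
    print(module.tick())                          # [('terminal-A', 'pattern-0042', 'DPv')]
    print(*module.log, sep="\n")
```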
The database 514 is configured to store the first request, the second request, the acknowledgement bit DPO, the confirmation bit DPv, the modified data packet, the requested data packet pattern, the one or more set criteria, the one or more validation conditions, the one or more properties associated with data packets, the one or more parameters associated with the first and second requests, the counter, node addresses, and the like.
The output module 516 is configured for outputting the status of data communication between the terminal node 110A-N and the source computing system 102A-N. In an exemplary embodiment, a user may initiate the patch or pattern installation from the terminal node 110A-N using the user interface provided. This may also be done automatically, using a task scheduler at a specific time. Once the first request is triggered from the terminal node 110A-N, authentication scripts in the background start communication with the relay nodes 206A-N and the status of the process is reflected on the user dashboard. Further, only if the terminal node 110A-N is authenticated does it automatically initiate the second request command for the patch or pattern. As the terminal node 110A-N receives the pattern or packet, the user interface prompts a message giving the wait time for validation of the data packet. Once the system validates the data packet, a 'validation successful' message appears on the dashboard; subsequently the installation progress appears on the user interface and, after successful installation of the patch, pattern or packet, a final 'installation successful' message appears on the user dashboard. Alternatively, if the validation fails, a 'validation failed' message appears on the user interface and subsequently an 'installation aborted' message appears to the user on the dashboard. Hence, the complete process is easily tracked by the user by monitoring the user dashboard.
FIG 6 is a process flowchart 600 illustrating an exemplary method of securing data communication, according to an embodiment of the present invention. At step 602, a communication session with a terminal node 110A-N is established based on a first request from the terminal node 110A-N. At step 604, a second request for transmission of a data packet is received from the terminal node 110A-N once the communication session is established with the terminal node 110A-N. Further, at step 606, the corresponding data packet requested for transmission is determined based on the received second request.
Also, at step 608, the determined data packet is modified before transmission based on one or more security criteria. Furthermore, at step 610, the modified data packet is transmitted to the terminal node 110A-N in response to the received second request.
The present invention provides an efficient mechanism for encryption, vulnerability management, exploit management, intrusion detection, intrusion prevention, anti-spyware, smart switch management and countermeasure deployment. In an exemplary embodiment, the method provides anonymity to the centralized servers, helping them to evade attacks and reduce the attack surface. Also, the randomization of the TCP packets and node addresses creates a system which is even stronger and intelligently secured. The source node, centralized servers or central patch server are kept anonymous by adding a multilayer beehive network in front of these servers. This frontline network is exposed to the internet while safeguarding the original servers; hence, it reduces the attack surface by anonymizing it and providing shielding. Further, the present method of handshaking between the terminal servers and the centralized servers safeguards against any man-in-the-middle attack. The handshaking process ensures single authentic delivery of the pattern or patch to a terminal server. In case of multiple recipients, a red flag is raised and the installation is aborted.
The multi-VPN model for transport of the deliverables and the randomization of the VPN tunnel pathways add an additional layer of security against eavesdropping on data packet traffic as well as code injection.
The present invention can take the form of a computer program product comprising program modules accessible from a computer-usable or computer-readable medium storing program code for use by or in connection with one or more computers, processors, or instruction execution systems. For the purpose of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Propagation mediums in and of themselves as signal carriers are not included in the definition of a physical computer-readable medium. Examples of a physical computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, random access memory (RAM), read-only memory (ROM), a rigid magnetic disk, and optical disks such as compact disk read-only memory (CD-ROM), compact disk read/write, and DVD. Both processors and program code for implementing each aspect of the technology can be centralized or distributed (or a combination thereof), as known to those skilled in the art.
While the present invention has been described in detail with reference to certain embodiments, it should be appreciated that the present invention is not limited to those embodiments. In view of the present disclosure, many modifications and variations would present themselves to those skilled in the art without departing from the scope of the various embodiments of the present invention, as described herein. The scope of the present invention is, therefore, indicated by the following claims rather than by the foregoing description. All changes, modifications, and variations coming within the meaning and range of equivalency of the claims are to be considered within their scope. All advantageous embodiments claimed in method claims may also apply to system/apparatus claims.
Reference sign list
100 - computing environment
102 - source computing system
104A-N - multilayer network of nodes
106 - network
108A-N - technical installation
110A-N - terminal nodes
202 - mutation controller
204A-N - one or more radio nodes
206A-N - one or more relay nodes
208A-N - firewall
210A-B - network
302 - communication management module
402 - processor
404 - memory
406 - communication interface
408 - network interface
410 - input/output unit
412 - bus
502 - receiver module
504 - authentication module
506 - packet processing module
508 - validation module
510 - packet transmission module
512 - installation module
514 - database
516 - output module
Claims
1. A method (400) for securing data communication in a computing environment (100), the method (400) comprising: establishing, by a processor (402), a communication session with a terminal node (110A-N) based on a first request from the terminal node (110A-N); receiving, by the processor (402), a second request for transmission of a data packet from the terminal node (110A-N) when the communication session is established with the terminal node (110A-N); determining, by the processor (402), corresponding data packet requested for transmission based on the received second request; modifying, by the processor (402), the determined data packet before transmission based on one or more security criteria; and transmitting, by the processor (402), the modified data packet to the terminal node (110A-N) in response to the received second request.
2. The method (400) according to claim 1, further comprising: receiving an acknowledgement packet from the terminal node (110A-N) in response to the transmission of modified data packet; validating the acknowledgement packet received from the terminal node (110A-N) based on one or more set criteria; and providing access to the modified data packet based on the successful validation.
3. The method (400) according to any of the preceding claims, further comprising:
rejecting the second request if the validation of the acknowledgment packet received from terminal node (110A-N) fails; and denying access to the modified data packet upon rejecting the second request.
4. The method (400) according to any of the preceding claims, wherein establishing the communication session with the terminal node (110A-N) based on the first request from the terminal node (110A-N) comprises: receiving the first request for establishing the communication session from the terminal node (110A-N) via a network (104, 106); extracting one or more parameters associated with the terminal node (110A-N) from the received first request; authenticating the extracted one or more parameters associated with the terminal node (110A-N) based on a prestored corresponding one or more parameters associated with the terminal node (110A-N); and establishing the communication session with the terminal node (110A-N) upon successful authentication of the extracted one or more parameters associated with the terminal node (110A-N).
5. The method (400) according to any of the preceding claims, wherein determining corresponding data packet requested for transmission based on the received second request comprises: obtaining information related to the requested data packet by parsing the received second request; comparing the obtained information related to the requested data packet with one or more lists of data packets; and
retrieving the data packet matching the obtained information related to the requested data packet based on comparison.
6. The method (400) according to any of the preceding claims, wherein modifying the determined data packet before transmission based on the one or more security criteria comprises: determining one or more properties associated with the determined data packet; determining whether the one or more properties associated with the determined data packet meets the one or more security criteria; and appending a temporary security bit to the determined data packet if the one or more properties associated with the determined data packet meets the one or more security criteria.
7. The method (400) according to claim 5, wherein determining whether the one or more properties associated with the determined data packet meets the one or more security criteria comprises: rejecting the second request for transmission of data packet if the one or more properties associated with the determined data packet fails to meet the one or more security criteria.
8. The method (400) according to any of the preceding claims, wherein transmitting the modified data packet to the terminal node (110A-N) in response to the received second request comprises:
determining a first random path for transmission of the modified data packet to a relay node (206A-N), wherein the first random path comprises an encryption key, one or more addresses and an identifier of one or more radio nodes (204A-N) in a predefined manner, wherein the one or more radio nodes (204A-N) routes the modified data packet to the relay node (206A-N); transmitting the modified data packet to the relay node (206A-N) based on the determined first random path; determining a second random path for transmission of modified data packet from the relay node (206A-N) to the terminal node (110A-N) based on address of terminal node
(110A-N) and one or more random communication channels (106) existing between the relay node (206A-N) and the terminal node (110A-N); and transmitting the modified data packet from the relay node (206A-N) to the terminal node (110A-N) based on the determined second random path.
9. The method (400) according to any of the preceding claims, wherein transmitting the modified data packet to the relay node (206A-N) based on the determined first random path comprises: transmitting the modified data packet to one of the radio node (204A-N) based on the determined first random path; obtaining address of subsequent radio node for routing the modified data packet to the subsequent node by parsing content of the modified data packet; and repeating the steps above until the modified data packet reaches the relay node (206A-N).
10. The method (400) according to any of the preceding claims, wherein the one or more addresses of the one or more radio nodes (204A-N) comprised in the first random path comprises a multi-layer network domain extension.
11. The method (400) according to any of the preceding claims, wherein determining the first random path for transmission of the modified data packet to the relay node (206A-N) comprises: verifying the determined first random path based on one or more validation conditions; and determining whether the verified first random path is non repetitive from previously used paths.
12. A computing system (202) for securing data communication in a computing environment (100), the system (202) comprising: one or more processor(s) (402); and a memory (404) coupled to the one or more processor(s) (402), wherein the memory (404) comprises a communication management module (302) stored in the form of machine-readable instructions executable by the one or more processor(s) (402), wherein the communication management module (302) is capable of performing a method according to any of the claims 1-11.
13. A multi-layer communication network (104) comprising: a computing system (202) communicatively coupled to a source node (102A-N) and one or more radio nodes (204A-N) via a communication channel (104, 106), wherein the computing system (202) comprises a communication management module (302) configured for securing communication between the source node (102A-N) and a terminal node (110A-N); one or more radio nodes (204A-N) communicatively coupled to the computing system (202) and one or more relay nodes (206A-N), wherein the one or more radio nodes (204A-N) is configured for routing a data packet from the source node (102A-N) to the one or more relay nodes (206A-N); and the one or more relay nodes (206A-N) communicatively coupled to the one or more radio nodes (204A-N) and the terminal node (110A-N), wherein the one or more relay nodes (206A-N) is configured for delivering the data packet to the terminal node (110A-N) via a communication channel (106).
14. A computing environment (100) for securing data communication, the computing environment (100) comprising: one or more technical installations (108A-N) comprising one or more terminal nodes (110A-N) configured for receiving one or more data packets from one or more source nodes (102A-N); a multilayer network of nodes (104A-N) communicatively coupled to the one or more technical installations (108A-N) and the one or more source nodes (102A-N), as claimed in claim 13; and one or more source nodes (102A-N) communicatively coupled to the multilayer network of nodes (104A-N).
15. A computer-program product, having machine-readable instructions stored therein, that when executed by a processor(s) (402), cause the processor(s) (402) to perform method steps according to any of the claims 1-11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2020/070523 WO2022017582A1 (en) | 2020-07-21 | 2020-07-21 | Method and system for securing data communication in a computing environment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022017582A1 true WO2022017582A1 (en) | 2022-01-27 |
Family
ID=71741795
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2022017582A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012015388A1 (en) * | 2010-07-26 | 2012-02-02 | Hewlett-Packard Development Company, L. P. | Mitigation of detected patterns in a network device |
US20150124809A1 (en) * | 2013-11-05 | 2015-05-07 | Cisco Technology, Inc. | Policy enforcement proxy |
WO2018213457A1 (en) * | 2017-05-19 | 2018-11-22 | Agari Data, Inc. | Using message context to evaluate security of requested data |
- 2020-07-21 WO PCT/EP2020/070523 WO2022017582A1 (en) active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114697389A (en) * | 2022-03-16 | 2022-07-01 | 奇安信科技集团股份有限公司 | Data transmission method, device and scan engine |
CN114697389B (en) * | 2022-03-16 | 2024-06-11 | 奇安信科技集团股份有限公司 | Data transmission method, device and scanning engine |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10659462B1 (en) | | Secure data transmission using a controlled node flow |
US10659434B1 (en) | | Application whitelist using a controlled node flow |
US20210099873A1 (en) | | Authenticating client devices in a wireless communication network with client-specific pre-shared keys |
CN101227468B (en) | | Method, device and system for authenticating user to network |
EP3208222A1 (en) | | Anonymous and ephemeral tokens to authenticate elevator calls |
CN112260995A (en) | | Access authentication method, device and server |
WO2018157247A1 (en) | | System and method for securing communications with remote security devices |
US20180115520A1 (en) | | Dark virtual private networks and secure services |
WO2018213330A1 (en) | | Certificate pinning by a tunnel endpoint |
US20230006988A1 (en) | | Method for selectively executing a container, and network arrangement |
EP4323898B1 (en) | | Computer-implemented methods and systems for establishing and/or controlling network connectivity |
EP3674938B1 (en) | | Identifying computing processes on automation servers |
CN113206858A (en) | | Mobile target defense method based on internet of things DDoS attack |
JP2023162313A (en) | | System for authenticating and controlling network connection of terminal and method related thereto |
US20110154469A1 (en) | | Methods, systems, and computer program products for access control services using source port filtering |
CN118233193A (en) | | Identity authentication method, key storage method and device of Internet of things equipment |
CN102045310B (en) | | Industrial Internet intrusion detection as well as defense method and device |
Chiu et al. | | NoPKI-a point-to-point trusted third party service based on blockchain consensus algorithm |
CN117811840B (en) | | Multi-network range collaborative data transmission method, device, equipment and medium |
WO2022017582A1 (en) | | Method and system for securing data communication in a computing environment |
US8590031B2 (en) | | Methods, systems, and computer program products for access control services using a transparent firewall in conjunction with an authentication server |
CN109600745B (en) | | Novel 5G cellular network channel safety system and safety implementation method |
KR101811121B1 (en) | | Method for Protecting Server using Authenticated Relay Server |
CN100589485C (en) | | Apparatus and method for using multiple alerters to traverse gateway devices |
CN111917746B (en) | | Routing protocol access authentication method, device and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| DPE1 | Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101) | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20744015 Country of ref document: EP Kind code of ref document: A1 |