Patents by Inventor William Timothy Strayer

William Timothy Strayer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11831657
    Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: November 28, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 11804949
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: October 31, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Patent number: 11558185
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: January 17, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303115
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303127
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220103572
    Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.
    Type: Application
    Filed: December 10, 2021
    Publication date: March 31, 2022
    Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 9894043
    Abstract: Techniques for cryptographically secure, cross-domain information sharing are described. A first information domain including a first attribute-based encryption (ABE) authority defines a first universe of ABE attributes. Plaintext is encrypted using ABE encryption, producing ABE ciphertext. The ABE encryption uses an ABE access control expression defined with a set of ABE attributes comprising a first ABE attribute subset from the first universe of ABE attributes and second ABE attribute subset from a second universe of ABE attributes defined by a second ABE authority of a second information domain. The ABE ciphertext and the ABE access control expression are combined to produce an ABE package. The ABE package is encrypted, using predicate-based encryption (PBE), producing a PBE ciphertext. The PBE encryption uses a first set of PBE attributes from a universe of PBE attributes defined by a PBE authority.
    Type: Grant
    Filed: December 3, 2015
    Date of Patent: February 13, 2018
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, William Timothy Strayer
  • Patent number: 9723023
    Abstract: Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server, in response to a hostname lookup request, configured to provide a network device with the internal address; and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 1, 2017
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer
  • Publication number: 20170093817
    Abstract: Techniques for cryptographically secure, cross-domain information sharing are described. A first information domain including a first attribute-based encryption (ABE) authority defines a first universe of ABE attributes. Plaintext is encrypted using ABE encryption, producing ABE ciphertext. The ABE encryption uses an ABE access control expression defined with a set of ABE attributes comprising a first ABE attribute subset from the first universe of ABE attributes and second ABE attribute subset from a second universe of ABE attributes defined by a second ABE authority of a second information domain. The ABE ciphertext and the ABE access control expression are combined to produce an ABE package. The ABE package is encrypted, using predicate-based encryption (PBE), producing a PBE ciphertext. The PBE encryption uses a first set of PBE attributes from a universe of PBE attributes defined by a PBE authority.
    Type: Application
    Filed: December 3, 2015
    Publication date: March 30, 2017
    Inventors: Joud Khoury, William Timothy Strayer
  • Patent number: 9571463
    Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: February 14, 2017
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, Jr., Vikas Kawadia, Samuel Cunningham Nelson, V
  • Publication number: 20160014095
    Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.
    Type: Application
    Filed: July 14, 2014
    Publication date: January 14, 2016
    Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, Jr., Vikas Kawadia, Samuel Cunningham Nelson, V
  • Patent number: 9237027
    Abstract: Systems and methods for protecting a network including preventing data traffic from exiting the network unless a domain name request has been performed by a device attempting to transmit the data traffic. In an embodiment, a device within the protected network attempting to send data outside the protected network requests an address for a destination outside the protected network from a domain name server (DNS). In response, the DNS provides an address of the destination to the device and a gateway. In response to receiving the address, the gateway temporarily allows access to the address. In an embodiment, a DNS is coupled to a protected network and the gateway, the DNS provides an external address to a device in response to a request; and a mapping to the gateway; the gateway, coupled to a protected network and an external network, allows traffic according to the mapping.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: January 12, 2016
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer
  • Patent number: 8595818
    Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: November 26, 2013
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer
  • Publication number: 20130019309
    Abstract: Systems and methods are disclosed for determining whether a mission has occurred. The disclosed systems and methods utilize event models that represent a sequence of tasks that an entity could or must take in order to successfully complete the mission. As a specific example, an event model may represent the sequence of tasks a malicious insider may complete in order to exfiltrate sensitive information. Most event models include certain tasks that must be accomplished in order for the insider to successfully exfiltrate an organization's sensitive information. Many of the observable tasks in the attack models can be monitored using relatively little information, such as the source, time, and type of the communication. The monitored information is utilized in a traceback search through the event model for occurrences of the tasks of the event model to determine whether the mission that the event model represents occurred.
    Type: Application
    Filed: July 12, 2011
    Publication date: January 17, 2013
    Applicant: RAYTHEON BBN TECHNOLOGIES CORP.
    Inventors: William Timothy Strayer, Craig Partridge, Alden Warren Jackson, Stephen Henry Polit
  • Publication number: 20130014261
    Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
    Type: Application
    Filed: September 14, 2012
    Publication date: January 10, 2013
    Applicant: STRAGENT, LLC
    Inventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge
  • Publication number: 20120311691
    Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.
    Type: Application
    Filed: June 1, 2011
    Publication date: December 6, 2012
    Applicant: Raytheon BBN Technologies Corp.
    Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer
  • Patent number: 8321938
    Abstract: A network analysis architecture provides a suite of complementary logic operable at different temporal and spatial timescales. The distinct temporal and spatial scales define different tiers, each analyzing network events according to predetermined temporal and spatial scales of progressive magnitude. Particular event detection logic may be operable on an immediate temporal scale, while other logic identifies trends over a longer time period. Similarly, different spatial scales are appropriate to different algorithms, as in logic that examines only headers or length of packets, or inspects an entire payload or transferred file. Deployment of logic that is focused on different timing and scope of data allows timely action in the case of readily apparent deviations, and permits longer term analysis for identifying trends that emerge over time.
    Type: Grant
    Filed: February 12, 2009
    Date of Patent: November 27, 2012
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: William Timothy Strayer, Walter Milliken, Ronald Joseph Watro
  • Patent number: 8272060
    Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
    Type: Grant
    Filed: April 18, 2010
    Date of Patent: September 18, 2012
    Assignee: Stragent, LLC
    Inventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge
  • Patent number: 8204945
    Abstract: A system (120) detects transmission of potentially unwanted e-mail messages. The system (120) may receive e-mail messages and generate hash values based on one or more portions of the e-mail messages. The system (120) may then determine whether the generated hash values match hash values associated with prior e-mail messages. The system (120) may determine that one of the e-mail messages is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.
    Type: Grant
    Filed: October 9, 2008
    Date of Patent: June 19, 2012
    Assignee: Stragent, LLC
    Inventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan
  • Patent number: 8166549
    Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.
    Type: Grant
    Filed: April 18, 2010
    Date of Patent: April 24, 2012
    Assignee: Stragent, LLC
    Inventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge