Patents by Inventor William Timothy Strayer
William Timothy Strayer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11831657Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.Type: GrantFiled: December 10, 2021Date of Patent: November 28, 2023Assignee: Raytheon BBN Technologies Corp.Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
-
Patent number: 11804949Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.Type: GrantFiled: March 19, 2021Date of Patent: October 31, 2023Assignee: Raytheon BBN Technologies Corp.Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
-
Patent number: 11558185Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.Type: GrantFiled: March 19, 2021Date of Patent: January 17, 2023Assignee: Raytheon BBN Technologies Corp.Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
-
Publication number: 20220303115Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.Type: ApplicationFiled: March 19, 2021Publication date: September 22, 2022Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
-
Publication number: 20220303127Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.Type: ApplicationFiled: March 19, 2021Publication date: September 22, 2022Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
-
Publication number: 20220103572Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.Type: ApplicationFiled: December 10, 2021Publication date: March 31, 2022Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
-
Patent number: 9894043Abstract: Techniques for cryptographically secure, cross-domain information sharing are described. A first information domain including a first attribute-based encryption (ABE) authority defines a first universe of ABE attributes. Plaintext is encrypted using ABE encryption, producing ABE ciphertext. The ABE encryption uses an ABE access control expression defined with a set of ABE attributes comprising a first ABE attribute subset from the first universe of ABE attributes and second ABE attribute subset from a second universe of ABE attributes defined by a second ABE authority of a second information domain. The ABE ciphertext and the ABE access control expression are combined to produce an ABE package. The ABE package is encrypted, using predicate-based encryption (PBE), producing a PBE ciphertext. The PBE encryption uses a first set of PBE attributes from a universe of PBE attributes defined by a PBE authority.Type: GrantFiled: December 3, 2015Date of Patent: February 13, 2018Assignee: Raytheon BBN Technologies Corp.Inventors: Joud Khoury, William Timothy Strayer
-
Patent number: 9723023Abstract: Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server, in response to a hostname lookup request, configured to provide a network device with the internal address; and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping.Type: GrantFiled: March 14, 2013Date of Patent: August 1, 2017Assignee: Raytheon BBN Technologies Corp.Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer
-
Publication number: 20170093817Abstract: Techniques for cryptographically secure, cross-domain information sharing are described. A first information domain including a first attribute-based encryption (ABE) authority defines a first universe of ABE attributes. Plaintext is encrypted using ABE encryption, producing ABE ciphertext. The ABE encryption uses an ABE access control expression defined with a set of ABE attributes comprising a first ABE attribute subset from the first universe of ABE attributes and second ABE attribute subset from a second universe of ABE attributes defined by a second ABE authority of a second information domain. The ABE ciphertext and the ABE access control expression are combined to produce an ABE package. The ABE package is encrypted, using predicate-based encryption (PBE), producing a PBE ciphertext. The PBE encryption uses a first set of PBE attributes from a universe of PBE attributes defined by a PBE authority.Type: ApplicationFiled: December 3, 2015Publication date: March 30, 2017Inventors: Joud Khoury, William Timothy Strayer
-
Patent number: 9571463Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.Type: GrantFiled: July 14, 2014Date of Patent: February 14, 2017Assignee: Raytheon BBN Technologies Corp.Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, Jr., Vikas Kawadia, Samuel Cunningham Nelson, V
-
Publication number: 20160014095Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.Type: ApplicationFiled: July 14, 2014Publication date: January 14, 2016Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, JR., Vikas Kawadia, Samuel Cunningham Nelson, V
-
Patent number: 9237027Abstract: Systems and methods for protecting a network including preventing data traffic from exiting the network unless a domain name request has been performed by a device attempting to transmit the data traffic. In an embodiment, a device within the protected network attempting to send data outside the protected network requests an address for a destination outside the protected network from a domain name server (DNS). In response, the DNS provides an address of the destination to the device and a gateway. In response to receiving the address, the gateway temporarily allows access to the address. In an embodiment, a DNS is coupled to a protected network and the gateway, the DNS provides an external address to a device in response to a request; and a mapping to the gateway; the gateway, coupled to a protected network and an external network, allows traffic according to the mapping.Type: GrantFiled: March 14, 2013Date of Patent: January 12, 2016Assignee: Raytheon BBN Technologies Corp.Inventors: Daniel Joseph Ellard, Alden Warren Jackson, Christine Elaine Jones, Josh Forrest Karlin, Victoria Ursula Manfredi, David Patrick Mankins, William Timothy Strayer
-
Patent number: 8595818Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.Type: GrantFiled: June 1, 2011Date of Patent: November 26, 2013Assignee: Raytheon BBN Technologies Corp.Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer
-
Publication number: 20130019309Abstract: Systems and methods are disclosed for determining whether a mission has occurred. The disclosed systems and methods utilize event models that represent a sequence of tasks that an entity could or must take in order to successfully complete the mission. As a specific example, an event model may represent the sequence of tasks a malicious insider may complete in order to exfiltrate sensitive information. Most event models include certain tasks that must be accomplished in order for the insider to successfully exfiltrate an organization's sensitive information. Many of the observable tasks in the attack models can be monitored using relatively little information, such as the source, time, and type of the communication. The monitored information is utilized in a traceback search through the event model for occurrences of the tasks of the event model to determine whether the mission that the event model represents occurred.Type: ApplicationFiled: July 12, 2011Publication date: January 17, 2013Applicant: RAYTHEON BBN TECHNOLOGIES CORP.Inventors: William Timothy Strayer, Craig Partridge, Alden Warren Jackson, Stephen Henry Polit
-
Publication number: 20130014261Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.Type: ApplicationFiled: September 14, 2012Publication date: January 10, 2013Applicant: STRAGENT, LLCInventors: Walter Clark Millliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge
-
Publication number: 20120311691Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.Type: ApplicationFiled: June 1, 2011Publication date: December 6, 2012Applicant: Raytheon BBN Technologies Corp.Inventors: Josh Forrest Karlin, Gregory Stephen Lauer, Craig Partridge, David Patrick Mankins, William Timothy Strayer
-
Patent number: 8321938Abstract: A network analysis architecture provides a suite of complementary logic operable at different temporal and spatial timescales. The distinct temporal and spatial scales define different tiers, each analyzing network events according to predetermined temporal and spatial scales of progressive magnitude. Particular event detection logic may be operable on an immediate temporal scale, while other logic identifies trends over a longer time period. Similarly, different spatial scales are appropriate to different algorithms, as in logic that examines only headers or length of packets, or inspects an entire payload or transferred file. Deployment of logic that is focused on different timing and scope of data allows timely action in the case of readily apparent deviations, and permits longer term analysis for identifying trends that emerge over time.Type: GrantFiled: February 12, 2009Date of Patent: November 27, 2012Assignee: Raytheon BBN Technologies Corp.Inventors: William Timothy Strayer, Walter Milliken, Ronald Joseph Watro
-
Patent number: 8272060Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.Type: GrantFiled: April 18, 2010Date of Patent: September 18, 2012Assignee: Stragent, LLCInventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge
-
Patent number: 8204945Abstract: A system (120) detects transmission of potentially unwanted e-mail messages. The system (120) may receive e-mail messages and generate hash values based on one or more portions of the e-mail messages. The system (120) may then determine whether the generated hash values match hash values associated with prior e-mail messages. The system (120) may determine that one of the e-mail messages is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.Type: GrantFiled: October 9, 2008Date of Patent: June 19, 2012Assignee: Stragent, LLCInventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan
-
Patent number: 8166549Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.Type: GrantFiled: April 18, 2010Date of Patent: April 24, 2012Assignee: Stragent, LLCInventors: Walter Clark Milliken, William Timothy Strayer, Stephen Douglas Milligan, Luis Sanchez, Craig Partridge