Segmentation is a fundamental design principle enabling secure cyber system development. This invention enables a level of segmentation heretofore not possible. It leverages and integrates the techniques of host-based containerization and network partitioning by creating features within the host that attach network labels to communication leaving the host; these labels provide context information including the application, user/role, and/or business process that generated the data. Network segmentation capabilities then use that labeling information to provide logical separation of traffic such that applications/business processes appear to be on independent networks. This invention is the technique and technology that integrates the host containers with the network segmentation by providing a mechanism to intercept and label traffic coming from containers, enabling network segmentation tools to work efficiently and effectively. This is done through software that runs on the host and acts as a shim between the container and the network interface (a driver in the hypervisor, another container with host-based routing, software running in the hypervisor, etc.). This software is configured with parameters describing the container it is attached to so that it can properly generate the network labeling that enables a network segmentation topology to segment traffic between software running on hosts (Cisco ISE, software-defined networking/OpenFlow, etc.). Finally, this technology allows for dynamic actions to reduce security risk. If a risk is found, through any of a myriad of cyber or physical sensors, policies could be enabled that dynamically alter how the network segmentation behaves, e.g., blackhole some communication, send communication to a honeypot instead of the real system, increase logging/sensor coverage on traffic, introduce latency/cost to traffic, etc.
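The following is an added illustrative model of the mechanism described above, not code from the invention or its authors: a host-side shim stamps each egress frame with the application/role/business-process context it was configured with, and a network-side segmenter uses that label to confine traffic to its process segment and to apply dynamic risk actions (blackhole, honeypot redirect, increased logging). All class names, the risk levels and the addresses are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, Optional, Set, Tuple

class Action(Enum):
    FORWARD = "forward"
    FORWARD_LOG = "forward+log"   # dynamic action: increased logging on the flow
    HONEYPOT = "honeypot"         # dynamic action: decoy instead of the real system
    BLACKHOLE = "blackhole"       # dynamic action: silently drop

@dataclass(frozen=True)
class Label:
    application: str   # which application generated the traffic
    role: str          # user/role on whose behalf it was generated
    process: str       # business process the container belongs to

@dataclass(frozen=True)
class Frame:
    dst: str
    payload: bytes
    label: Optional[Label] = None   # present only after passing through a shim

class Shim:
    """Sits between one container and the host NIC; it is configured with the
    container's context and attaches that context to every egress frame."""
    def __init__(self, label: Label) -> None:
        self.label = label
    def egress(self, frame: Frame) -> Frame:
        return replace(frame, label=self.label)

class Segmenter:
    """Network-side policy: each business process only reaches its own segment,
    and sensor-reported risk dynamically changes how its traffic is handled."""
    HONEYPOT = "10.250.0.1"   # constructed decoy address (assumption)
    def __init__(self, segments: Dict[str, Set[str]]) -> None:
        self.segments = segments            # process -> reachable destinations
        self.risk: Dict[str, str] = {}      # application -> "suspect" | "compromised"
    def raise_risk(self, application: str, level: str) -> None:
        self.risk[application] = level      # fed by a cyber or physical sensor
    def decide(self, frame: Frame) -> Tuple[Action, str]:
        lbl = frame.label
        # Unlabeled traffic, or traffic crossing its process segment, fails closed.
        if lbl is None or frame.dst not in self.segments.get(lbl.process, set()):
            return Action.BLACKHOLE, frame.dst
        level = self.risk.get(lbl.application)
        if level == "compromised":
            return Action.HONEYPOT, self.HONEYPOT   # redirect away from the real system
        if level == "suspect":
            return Action.FORWARD_LOG, frame.dst    # keep flowing, raise visibility
        return Action.FORWARD, frame.dst
```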

Seppala,Garret E
Carroll,Tom E
Edgar,Thomas W

