WO2008093314A2 - Method and apparatus for transferring data - Google Patents

Method and apparatus for transferring data Download PDF

Info

Publication number
WO2008093314A2
WO2008093314A2 PCT/IL2007/000112 IL2007000112W WO2008093314A2 WO 2008093314 A2 WO2008093314 A2 WO 2008093314A2 IL 2007000112 W IL2007000112 W IL 2007000112W WO 2008093314 A2 WO2008093314 A2 WO 2008093314A2
Authority
WO
WIPO (PCT)
Prior art keywords
pattern
information
computing platform
capturing
outputting
Prior art date
Application number
PCT/IL2007/000112
Other languages
French (fr)
Other versions
WO2008093314A3 (en
Inventor
Avi Zigdon
Eyal Kedem
Original Assignee
Techmind Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Techmind Ltd. filed Critical Techmind Ltd.
Priority to PCT/IL2007/000112 priority Critical patent/WO2008093314A2/en
Publication of WO2008093314A2 publication Critical patent/WO2008093314A2/en
Publication of WO2008093314A3 publication Critical patent/WO2008093314A3/en
Priority to IL199886A priority patent/IL199886A0/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones

Definitions

  • the present invention relates to data transfer in general, and to transferring control data from a secure system in particular.
  • Transferring data between computers is an essential part of daily work in almost any organization.
  • the transfer is possibly limited according to the source and destination computer, the characteristics of a network associated with the source or the destination computer, the data to be transferred, encryption and others.
  • an apparatus for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional comprising: a data collection module for collecting data from the source computing platform to be transmitted to the destination computing platform; a pattern generation component for generating a pattern representing the collected data; a signal outputting device for outputting the pattern; a capturing device for capturing the pattern output by the outputting device, said capturing device separated from said signal outputting device by a medium; and a pattern decoding component for retrieving the information from the pattern captured by the capturing device.
  • the pattern is optionally a barcode pattern
  • the capturing device is optionally a barcode reader
  • the signal outputting device is optionally a display.
  • the pattern is optionally a sound signal
  • the outputting device is optionally a loudspeaker
  • the capturing device is optionally a microphone.
  • the apparatus can further comprise a watchdog module for monitoring the functionality of said data collection module or of said pattern generation component, or a watchdog module for monitoring the functionality of said data collection module or of said capturing device or of said pattern decoding component.
  • the apparatus can further comprise a message simulation module for simulating a message to be sent to the destination computing platform.
  • the apparatus can further comprise an information distribution component for distributing the information to a target.
  • the target is optionally selected from the group consisting of: a file; a database; an optical representation, a visual representation, an audio presentation; a printer; a short message to be sent to a telephone, an e-mail, a fax, an alert to be generated; or a notification to be sent to a telephone recipient.
  • the medium is optionally fluid.
  • Another aspect of the disclosed invention relates to a method for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional, the method comprising the steps of: collecting information to be transmitted from the secure source computing platform to the destination computing platform; generating a pattern from the collected information; outputting the pattern by a first device; capturing the pattern by a second device, wherein the first device and the second device are separated by a medium; and decoding the pattern to retrieve the collected information.
  • the pattern is optionally an optical pattern such as a visual pattern, a barcode pattern, or a vocal pattern.
  • the method can further comprise a step of generating control information and generating a pattern from said control information, a step of distributing the information, or a step of encoding the information and a step of decoding the information.
  • the medium is fluid.
  • FIG. 1 is a schematic illustration of the apparatus of the disclosed invention and a typical environment in which the apparatus is used;
  • Fig. 2 is a schematic illustration of a two-dimensional barcode
  • Fig. 3 is a block diagram of the components of an apparatus implementing the disclosed invention
  • Fig. 4 is a flowchart of the main steps of the method of the disclosed invention.
  • the present invention overcomes the problem of transferring data from a secure system to another system, wherein no transfer channel such as a network connection, wireless connection, writable disk or diskette drive or the like is available.
  • An apparatus comprises components connected to or executed by the source computer or network, i.e. the computer or network from which it is required to transfer the information, and a second part which is connected to or executed by the destination computer or network, i.e. the computer or network to which it is required to transfer the information.
  • the source components include software for gathering the information to be transferred, and for encoding the information into a pattern.
  • the pattern is sent to a device connected to the source computer or network, which outputs the signal.
  • the destination components include an input device for capturing the signal describing the pattern, and software for decoding the pattern and transferring the information to a predetermined destination, or application or another usage.
  • the source and destination components are disconnected so that no other data can be transferred from the source to the destination, and certainly not the other way around.
  • the pattern generation and capturing rate depends on the type of the pattern and additional parameters.
  • a preferred embodiment of the disclosed invention includes software on the source side for gathering the information, generating an optical such as a graphic pattern and displaying the pattern on a display.
  • the destination components include a camera or another device capable of optical or visual capturing, and software for retrieving the information from the captured graphic pattern.
  • the display and the camera are separated by medium such as fluid, for example air, gas or another medium that enables light to pass.
  • the information is coded into a barcode pattern on the source side, and a barcode reader and interpreter captures and retrieves the information on the destination side.
  • network 124 and network 144 are any type of networks such as local area network (LAN), wide area network (WAN), or the like.
  • a multiplicity of computing platforms and resources is connected to each of network 124 or network 144, such as computing platforms 132, 136, or 148, laptop computer 128, displays 140 or 156, printer 152 or any other device or resource.
  • Computing platforms 104 or 108 can be of any type including a desktop computer, a laptop computer, personal computer, a mainframe computer, a network computer, a telephone with computing capabilities, or any other type of computing platform that is provisioned with a memory device (not shown) and a CPU or microprocessor device.
  • Computing platform 104 executes software 106 for receiving or collecting the information to be transferred.
  • the information can be, for example, security information related to an intrusion attempt, resource failure notice or the like.
  • the information can originate at any component connected to network 124, such as computing platforms 128, 132 or 136, display device 140 or network 124 itself.
  • Software 106 receives the information through an API, or actively collects it for example through a file or data base, and generates a graphic pattern from the information.
  • the graphic pattern is displayed on display 112 connected to computing platform 104 by any cable and using any format for connecting a display to a computing platform.
  • Display 112 can be any type of display, such as LCD, CRT, or the like.
  • the graphic pattern is preferably a barcode, and specifically a two- or three-dimensional barcode 116.
  • Fig. 2 shows an example of a two-dimensional barcode which can be displayed on display 1 12.
  • software 106 can be stored on any storage device, and installed or executed on any component connected to network 124.
  • Display 112 can be connected to computing platform 104 in addition to one or more additional displays used by users of platform 104, preferably using a VGA, DVI, or s-Video connectors.
  • Apparatus 100 of the disclosed invention further comprises a camera, a barcode reader or another capturing device 120 for capturing pattern 116 displayed on device 112.
  • Capturing device 120 and display 116 are preferably separated by air or another medium which enables the capturing of the pattern displayed on display 112.
  • the required physical distance, or distance range, between camera 120 and display 112 depends on the size and resolution of display 112, the size, density, or resolution of pattern 112, the amount of light shed on the gap between camera 120, and the characteristics of camera 120, and should generally follow the instructions provided by the barcode reader's manufacturer.
  • Capturing device 120 is connected to platform 108 via any connecting equipment and using any protocol, such as USB, RJ45, RS232, Ethernet, Bluetooth, infrared, or the like. If capturing device 120 does not receive power from another source, then this connection also provides power to the device.
  • Yet another component of the disclosed invention is software component 110, which captures pattern 116 displayed on display 112, decodes pattern 116 to retrieve the information sent from platform 104 and transfer the information to any destination within network 144 connected to platform 108.
  • the information can be sent to a file or data base stored on computing platform 148, an optical or visual presentation to be displayed on display 156, an audio representation to played; a print to be output by printer 152, a short message to be sent to a telephone, an alert of any kind to be generated, a database or a software to be updated, or any other action.
  • Software components 106 and 110 can be implemented in any programming language, such as C, C++, V#, Java, Visual basic, Perl, Python or any other, using any development environment, such as Microsoft .Net, J2EE, LAMP or the like.
  • display 112 and capturing device 120 are packed in a case, such as a substantially opaque box so that no external light interferes camera 120 in capturing pattern 116.
  • the pattern generating component of software 106 and the pattern decoding component of software 110 can be a part of a barcode product which comprises also barcode reader 120.
  • Such product can be, for example, IDAutomation.NET manufactured by IDAutomation (www.idautomation.com).
  • IDAutomation.NET manufactured by IDAutomation (www.idautomation.com).
  • Fig. 3 showing a block diagram of the software components of the disclosed invention.
  • the software is generally divided into components installed on the transmitting side 300, referenced as software 106 of
  • Transmitting side components comprise data collecting module 308, for collecting the information that has to be transmitted to the receiving side.
  • the information can be any binary information, including but not limited to alphanumeric strings.
  • the quantity of the information is optionally limited not to exceed a maximal threshold, for example about 5 kilobyte per minute so that transferring significant amount of data out of the secure system will not be possible.
  • the collection can be done actively, for example by reading from a file, querying another component on the transmitting side or otherwise accessing the information. Alternatively, the collection can be passive, by providing an application program interface (API) which is used by one or more applications that have to transmit information.
  • API application program interface
  • pattern generation module 312 codes the information into a pattern, such as a barcode pattern.
  • the pattern can be one-, two- or three-dimensional pattern, a string, or any other representation of the information. If the pattern is a barcode pattern, pattern generation module 312 is optionally supplied with the barcode reader connected to the receiving side. Once the pattern is generated, it is displayed by pattern display module 316 on display 112 of Fig. 1. Transmitting side components 300 further comprise an optional message simulation module 320, for simulating messages to be sent to the receiving side. Sending simulated messages are required for a number of reasons. A simulated message can be sent periodically for ensuring that the system is functional. If no message is received on the receiving side during a certain period of time, it might be the case the system is not functioning rather than there is no new message to transmit, so a periodical simulated message provides a functionality indication.
  • Transmitting side components 300 further comprise an optional watchdog module 324, which monitors the activity and functionality of the other components by receiving periodical indications from the other components. If an indication is not received, the relevant component is re-invoked, and if the problem persists an error message is sent through message simulation module 324, if possible, or to an operator or another entity in charge of platform 104 or another platform connected to network 124 of Fig. 1.
  • Receiving side components 304 comprise a pattern capturing module 328 for capturing the pattern displayed on display 112 of Fig.
  • pattern decoding nodule 332 for decoding the pattern and retrieving the information collected by data collecting module 308 and coded by pattern generation module 312.
  • pattern capturing module 328 pattern decoding nodule 332 are optionally supplied with the capturing device, such as barcode reader 120 of Fig. 1.
  • Pattern capturing module 328 optionally scans display 112 in a continuous manner and thus captures every displayed pattern, as long as the pattern update rate is below the scanning rate of the device, which is typically about five to six times a second, or more. Identical messages are distinguished due to the simulated separating messages generated by message simulation module 320.
  • Information distribution module 336 receives the decoded information and transfers it to a target according to the user's will, such as creating or updating a file, updating a database, sending a short message, a fax or an e-mail to a recipient, or any other action. Preferably, information distribution module 336 disregards messages simulated by message simulation module 320.
  • Receiving side components 304 further comprise a watchdog module 340 similar to watchdog module 324 of the transmitting side. Watchdog module 340 monitors the components of the receiving side and notifies if any component malfunctions, or if a periodical simulated message is not received.
  • the notification can also be of any form, including generating an alert, updating a File or a database or sending a notification. If either software components 300 or software components 304 were developed using an environment that requires a platform in order to run, such as Java virtual Machine for applications developed in Java, or Microsoft .Net platform for applications developed in .NET, the relevant execution platform is supplied and installed with the software.
  • Fig. 4 showing a flowchart of the method of the disclosed invention.
  • the method starts at step 400 wherein information is collected, either actively or passively through an API, as detailed in association with data collecting module 308 of Fig. 3. Additionally, control information is generated on step 404, reflecting either periodically generated control information, or informative data such as malfunction information.
  • patterns such as barcode patterns are generated on step 408, and output on step 412, for example by displaying the pattern on display 112 of Fig. 1.
  • the patterns are captured by a capturing device such as a camera or a barcode reader on the receiving side.
  • the device outputting the pattern on step 412 and the device capturing the information on step 416 are set apart from each other wherein a medium separates them, since no physical connection is allowed between the outputting device connected to a secure system and a device not connected to the same system.
  • the pattern capturing rate is limited by the limitations of the manufacturer of the reader, on the required transfer rate, and on the certainty required for assuring that particular pattern, representing a particular message to be conveyed is indeed captured. For example, if the scan rate of the device of about five to six times per second, then designing the source side to send new messages not more frequently than three seconds apart, provides certainty of over 99 percent that the information is not missed or misread.
  • the patterns are decoded to retrieve the original information, and on step 428 the information is distributed to its destination.
  • different types of information are transmitted to different destinations. For example, indications concerning intrusion attempts in the source platform or network are notified to security personnel, while malfunction notifications are sent to maintenance personnel.
  • control information or non-required types of information are ignored.
  • the disclosed method and apparatus provide for unidirectional transfer of information from a secure source computing platform to a destination platform. The information is limited in quantity to disable massive transfer of sensitive information, and enable the transfer of information such as maintenance and control information. Numerous embodiments, modifications and alternatives may be designed for the disclosed invention.
  • the information may be transferred via optical means such as infra-red or other optical transmitting and receiving methods.
  • the pattern generated for the information may be auditory, such as tones, speech, dual tone multi frequency (DTMF) or any other auditory format.
  • DTMF dual tone multi frequency
  • pattern generation module 312 of Fig. 2 will generate sound rather than a visual pattern
  • display 112 and camera 120 of Fig. 1 will be replaced by a sound emitting and sound receiving devices, such as a loudspeaker and a microphone, respectively
  • pattern decoding module 332 of Fig. 1 will be replaced by a sound analysis module.
  • the information can be transmitted and received using any other means that enable a medium between the transmitting and receiving systems, such as smell, signaling, or the like.
  • the information may be further encrypted and decrypted, so that even if the displayed pattern is captured and decoded by a non-legitimate user, the real information can not be accessed.
  • the additional encryption is preferably performed prior to pattern generation step 412, and the decryption is performed after pattern decoding step 420 of Fig. 4.
  • the software component of the transmitted side can be used as a screen saver. Such usage will avoid the security breach caused by leaving platform 104 of Fig. 1 constantly accessible. This can be done by following the standard actions related to using an application as a screen saver, according to the operating system of platform 104 of Fig. 1.
  • the components described above can be implemented as detailed as one or more applications executed on a general purpose processor, or alternatively as firmware ported for a specific processor such as digital signal processor (DSP) or microcontrollers, or can be implemented as hardware or configurable hardware such as field programmable gate away (FPGA) or application specific integrated circuit (ASIC).
  • DSP digital signal processor
  • FPGA field programmable gate away
  • ASIC application specific integrated circuit

Abstract

A method and apparatus for transmitting data from a secure system which is not allowed to connect to a network, write information to a media or the like to a destination system. The apparatus comprises a pattern generation component for generating a pattern out of the information to be transmitted, a device to output the pattern, a capturing device for capturing the output pattern, and a component to decode said pattern and retrieve the information. The output device and the capturing device are separated by a medium such as air.

Description

METHOD AND APPARATUS FOR TRANSFERRING DATA
BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION
The present invention relates to data transfer in general, and to transferring control data from a secure system in particular.
DISCUSSION OF THE RELATED ART
Transferring data between computers is an essential part of daily work in almost any organization. The transfer is possibly limited according to the source and destination computer, the characteristics of a network associated with the source or the destination computer, the data to be transferred, encryption and others.
However, when the source of the data is a highly secure computer, connected to a highly secure network, such transfer may become technically impossible. When the whole network is highly secured, no output device or channel exist which enable outputting data from any of the computers in the network. While this may work well for the regular functionalities of the network, the output limitation may sometime pose a problem, such as in situations related to the computer network itself. For example, if an illegal attempt to access a computer of the network is detected, or if a computer or another resource associated with the network is malfunctions, or any other situation occurs, it might be required to notify a person or system outside the secure network. In such situations it may be essential to output data from the system, so the situation can be handled. Existing solutions do not ensure unidirectional data transfer, which is essential for protecting the secure network from viruses, Trojan horses or other damages, or do not limit the transfer to certain data types or set quantity limit so as to ensure that only essential data is transferred and to protect sensitive data within the secure system.
There is therefore- a need in the art for a method and apparatus for transferring data out of a secure computer or a network into a second network. The transfer should be unidirectional, and there should be an option to limit the transfer to specific data or quantity.
SUMMARY OF THE PRESENT INVENTION
It is an object of the present invention to provide a novel method and apparatus for transmitting information from a secure computing platform or network to another computing platform or network, which overcomes the disadvantages of the prior art.
In accordance with the present invention, there is thus provided an apparatus for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional, the apparatus comprising: a data collection module for collecting data from the source computing platform to be transmitted to the destination computing platform; a pattern generation component for generating a pattern representing the collected data; a signal outputting device for outputting the pattern; a capturing device for capturing the pattern output by the outputting device, said capturing device separated from said signal outputting device by a medium; and a pattern decoding component for retrieving the information from the pattern captured by the capturing device. Within the apparatus, the pattern is optionally a barcode pattern, the capturing device is optionally a barcode reader, and the signal outputting device is optionally a display. Within the apparatus, the pattern is optionally a sound signal, the outputting device is optionally a loudspeaker, and the capturing device is optionally a microphone. The apparatus can further comprise a watchdog module for monitoring the functionality of said data collection module or of said pattern generation component, or a watchdog module for monitoring the functionality of said data collection module or of said capturing device or of said pattern decoding component. The apparatus can further comprise a message simulation module for simulating a message to be sent to the destination computing platform. The apparatus can further comprise an information distribution component for distributing the information to a target. The target is optionally selected from the group consisting of: a file; a database; an optical representation, a visual representation, an audio presentation; a printer; a short message to be sent to a telephone, an e-mail, a fax, an alert to be generated; or a notification to be sent to a telephone recipient. The medium is optionally fluid.
Another aspect of the disclosed invention relates to a method for transmitting information from a secure source computing platform to a destination computing platform wherein the transmitting is unidirectional, the method comprising the steps of: collecting information to be transmitted from the secure source computing platform to the destination computing platform; generating a pattern from the collected information; outputting the pattern by a first device; capturing the pattern by a second device, wherein the first device and the second device are separated by a medium; and decoding the pattern to retrieve the collected information. The pattern is optionally an optical pattern such as a visual pattern, a barcode pattern, or a vocal pattern. The method can further comprise a step of generating control information and generating a pattern from said control information, a step of distributing the information, or a step of encoding the information and a step of decoding the information. Within the method, the medium is fluid.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more folly from the following detailed description taken in conjunction with the drawings in which: Fig. 1 is a schematic illustration of the apparatus of the disclosed invention and a typical environment in which the apparatus is used;
Fig. 2 is a schematic illustration of a two-dimensional barcode; Fig. 3 is a block diagram of the components of an apparatus implementing the disclosed invention; and Fig. 4 is a flowchart of the main steps of the method of the disclosed invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
The present invention overcomes the problem of transferring data from a secure system to another system, wherein no transfer channel such as a network connection, wireless connection, writable disk or diskette drive or the like is available.
An apparatus according to the disclosed invention comprises components connected to or executed by the source computer or network, i.e. the computer or network from which it is required to transfer the information, and a second part which is connected to or executed by the destination computer or network, i.e. the computer or network to which it is required to transfer the information. The source components include software for gathering the information to be transferred, and for encoding the information into a pattern. The pattern is sent to a device connected to the source computer or network, which outputs the signal. The destination components include an input device for capturing the signal describing the pattern, and software for decoding the pattern and transferring the information to a predetermined destination, or application or another usage. The source and destination components are disconnected so that no other data can be transferred from the source to the destination, and certainly not the other way around. The pattern generation and capturing rate depends on the type of the pattern and additional parameters. A preferred embodiment of the disclosed invention includes software on the source side for gathering the information, generating an optical such as a graphic pattern and displaying the pattern on a display. The destination components include a camera or another device capable of optical or visual capturing, and software for retrieving the information from the captured graphic pattern. The display and the camera are separated by medium such as fluid, for example air, gas or another medium that enables light to pass. In a yet preferred embodiment the information is coded into a barcode pattern on the source side, and a barcode reader and interpreter captures and retrieves the information on the destination side. Referring now to Fig. 1, showing a preferred embodiment of the disclosed invention, generally referenced 100. The requirement is to transfer information such as control information from a computer or another device connected to secure network 124 to a computer or another device connected to network 144. Preferably, network 124 and network 144 are any type of networks such as local area network (LAN), wide area network (WAN), or the like. A multiplicity of computing platforms and resources is connected to each of network 124 or network 144, such as computing platforms 132, 136, or 148, laptop computer 128, displays 140 or 156, printer 152 or any other device or resource. Computing platforms 104 or 108 can be of any type including a desktop computer, a laptop computer, personal computer, a mainframe computer, a network computer, a telephone with computing capabilities, or any other type of computing platform that is provisioned with a memory device (not shown) and a CPU or microprocessor device. Computing platform 104 executes software 106 for receiving or collecting the information to be transferred. The information can be, for example, security information related to an intrusion attempt, resource failure notice or the like. The information can originate at any component connected to network 124, such as computing platforms 128, 132 or 136, display device 140 or network 124 itself. Software 106 receives the information through an API, or actively collects it for example through a file or data base, and generates a graphic pattern from the information. The graphic pattern is displayed on display 112 connected to computing platform 104 by any cable and using any format for connecting a display to a computing platform. Display 112 can be any type of display, such as LCD, CRT, or the like. The graphic pattern is preferably a barcode, and specifically a two- or three-dimensional barcode 116. Fig. 2 shows an example of a two-dimensional barcode which can be displayed on display 1 12. A person skilled in the art will appreciate that software 106 can be stored on any storage device, and installed or executed on any component connected to network 124. Display 112 can be connected to computing platform 104 in addition to one or more additional displays used by users of platform 104, preferably using a VGA, DVI, or s-Video connectors. Apparatus 100 of the disclosed invention further comprises a camera, a barcode reader or another capturing device 120 for capturing pattern 116 displayed on device 112. Capturing device 120 and display 116 are preferably separated by air or another medium which enables the capturing of the pattern displayed on display 112. The required physical distance, or distance range, between camera 120 and display 112 depends on the size and resolution of display 112, the size, density, or resolution of pattern 112, the amount of light shed on the gap between camera 120, and the characteristics of camera 120, and should generally follow the instructions provided by the barcode reader's manufacturer. For example, for the Quadras Mini barcode reader, manufactured by Microscan (www.microscan.com), the manufacturer suggests that for a barcode pattern about 2.5 inch (about 6.25 cm) wide, the distance between the barcode reader and the display should be about 20 inch (50 cm); and for a barcode pattern of about 3.5 inch (about 8.75 cm) in width, the distance between the barcode reader and the display should be between about 34 inch (85 cm). Capturing device 120 is connected to platform 108 via any connecting equipment and using any protocol, such as USB, RJ45, RS232, Ethernet, Bluetooth, infrared, or the like. If capturing device 120 does not receive power from another source, then this connection also provides power to the device. Yet another component of the disclosed invention is software component 110, which captures pattern 116 displayed on display 112, decodes pattern 116 to retrieve the information sent from platform 104 and transfer the information to any destination within network 144 connected to platform 108. The information can be sent to a file or data base stored on computing platform 148, an optical or visual presentation to be displayed on display 156, an audio representation to played; a print to be output by printer 152, a short message to be sent to a telephone, an alert of any kind to be generated, a database or a software to be updated, or any other action. Software components 106 and 110 can be implemented in any programming language, such as C, C++, V#, Java, Visual basic, Perl, Python or any other, using any development environment, such as Microsoft .Net, J2EE, LAMP or the like. In a preferred embodiment, display 112 and capturing device 120 are packed in a case, such as a substantially opaque box so that no external light interferes camera 120 in capturing pattern 116. In a preferred embodiment of the disclosed invention, when the pattern is a barcode and camera 20 is a barcode reader, the pattern generating component of software 106 and the pattern decoding component of software 110 can be a part of a barcode product which comprises also barcode reader 120. Such product can be, for example, IDAutomation.NET manufactured by IDAutomation (www.idautomation.com). Referring now to Fig. 3, showing a block diagram of the software components of the disclosed invention. The software is generally divided into components installed on the transmitting side 300, referenced as software 106 of
Fig. 1, and components installed on the receiving side 304, referenced as software
1 10 of Fig. 1. Transmitting side components comprise data collecting module 308, for collecting the information that has to be transmitted to the receiving side. The information can be any binary information, including but not limited to alphanumeric strings. The quantity of the information is optionally limited not to exceed a maximal threshold, for example about 5 kilobyte per minute so that transferring significant amount of data out of the secure system will not be possible. The collection can be done actively, for example by reading from a file, querying another component on the transmitting side or otherwise accessing the information. Alternatively, the collection can be passive, by providing an application program interface (API) which is used by one or more applications that have to transmit information. Once the information is collected, pattern generation module 312 codes the information into a pattern, such as a barcode pattern. The pattern can be one-, two- or three-dimensional pattern, a string, or any other representation of the information. If the pattern is a barcode pattern, pattern generation module 312 is optionally supplied with the barcode reader connected to the receiving side. Once the pattern is generated, it is displayed by pattern display module 316 on display 112 of Fig. 1. Transmitting side components 300 further comprise an optional message simulation module 320, for simulating messages to be sent to the receiving side. Sending simulated messages are required for a number of reasons. A simulated message can be sent periodically for ensuring that the system is functional. If no message is received on the receiving side during a certain period of time, it might be the case the system is not functioning rather than there is no new message to transmit, so a periodical simulated message provides a functionality indication. Another reason for sending a simulated message can be to separate between two identical messages, so the receiving side will be able to tell apart the two identical messages. Transmitting side components 300 further comprise an optional watchdog module 324, which monitors the activity and functionality of the other components by receiving periodical indications from the other components. If an indication is not received, the relevant component is re-invoked, and if the problem persists an error message is sent through message simulation module 324, if possible, or to an operator or another entity in charge of platform 104 or another platform connected to network 124 of Fig. 1. Receiving side components 304 comprise a pattern capturing module 328 for capturing the pattern displayed on display 112 of Fig. 1, and pattern decoding nodule 332 for decoding the pattern and retrieving the information collected by data collecting module 308 and coded by pattern generation module 312. When the pattern is a barcode, pattern capturing module 328 pattern decoding nodule 332 are optionally supplied with the capturing device, such as barcode reader 120 of Fig. 1. Pattern capturing module 328 optionally scans display 112 in a continuous manner and thus captures every displayed pattern, as long as the pattern update rate is below the scanning rate of the device, which is typically about five to six times a second, or more. Identical messages are distinguished due to the simulated separating messages generated by message simulation module 320. Information distribution module 336 receives the decoded information and transfers it to a target according to the user's will, such as creating or updating a file, updating a database, sending a short message, a fax or an e-mail to a recipient, or any other action. Preferably, information distribution module 336 disregards messages simulated by message simulation module 320. Receiving side components 304 further comprise a watchdog module 340 similar to watchdog module 324 of the transmitting side. Watchdog module 340 monitors the components of the receiving side and notifies if any component malfunctions, or if a periodical simulated message is not received. The notification can also be of any form, including generating an alert, updating a File or a database or sending a notification. If either software components 300 or software components 304 were developed using an environment that requires a platform in order to run, such as Java virtual Machine for applications developed in Java, or Microsoft .Net platform for applications developed in .NET, the relevant execution platform is supplied and installed with the software.
Reference is now made to Fig. 4, showing a flowchart of the method of the disclosed invention. The method starts at step 400 wherein information is collected, either actively or passively through an API, as detailed in association with data collecting module 308 of Fig. 3. Additionally, control information is generated on step 404, reflecting either periodically generated control information, or informative data such as malfunction information. For both types of information, patterns, such as barcode patterns are generated on step 408, and output on step 412, for example by displaying the pattern on display 112 of Fig. 1. On step 416 the patterns are captured by a capturing device such as a camera or a barcode reader on the receiving side. The device outputting the pattern on step 412 and the device capturing the information on step 416 are set apart from each other wherein a medium separates them, since no physical connection is allowed between the outputting device connected to a secure system and a device not connected to the same system. The pattern capturing rate is limited by the limitations of the manufacturer of the reader, on the required transfer rate, and on the certainty required for assuring that particular pattern, representing a particular message to be conveyed is indeed captured. For example, if the scan rate of the device of about five to six times per second, then designing the source side to send new messages not more frequently than three seconds apart, provides certainty of over 99 percent that the information is not missed or misread. On step 420 the patterns are decoded to retrieve the original information, and on step 428 the information is distributed to its destination. Optionally, different types of information are transmitted to different destinations. For example, indications concerning intrusion attempts in the source platform or network are notified to security personnel, while malfunction notifications are sent to maintenance personnel. On step 424, control information or non-required types of information are ignored. The disclosed method and apparatus provide for unidirectional transfer of information from a secure source computing platform to a destination platform. The information is limited in quantity to disable massive transfer of sensitive information, and enable the transfer of information such as maintenance and control information. Numerous embodiments, modifications and alternatives may be designed for the disclosed invention. In a preferred embodiment, the information may be transferred via optical means such as infra-red or other optical transmitting and receiving methods. Another preferred embodiment includes the usage of audio means rather than by visual means. Thus, the pattern generated for the information may be auditory, such as tones, speech, dual tone multi frequency (DTMF) or any other auditory format. When an auditory pattern is used, pattern generation module 312 of Fig. 2 will generate sound rather than a visual pattern, display 112 and camera 120 of Fig. 1 will be replaced by a sound emitting and sound receiving devices, such as a loudspeaker and a microphone, respectively, and pattern decoding module 332 of Fig. 1 will be replaced by a sound analysis module. In a further alternative, the information can be transmitted and received using any other means that enable a medium between the transmitting and receiving systems, such as smell, signaling, or the like.
In yet another preferred embodiment the information may be further encrypted and decrypted, so that even if the displayed pattern is captured and decoded by a non-legitimate user, the real information can not be accessed. The additional encryption is preferably performed prior to pattern generation step 412, and the decryption is performed after pattern decoding step 420 of Fig. 4.
It will be appreciated by a person skilled in the art that the software component of the transmitted side can be used as a screen saver. Such usage will avoid the security breach caused by leaving platform 104 of Fig. 1 constantly accessible. This can be done by following the standard actions related to using an application as a screen saver, according to the operating system of platform 104 of Fig. 1. It will be appreciated that the components described above, can be implemented as detailed as one or more applications executed on a general purpose processor, or alternatively as firmware ported for a specific processor such as digital signal processor (DSP) or microcontrollers, or can be implemented as hardware or configurable hardware such as field programmable gate away (FPGA) or application specific integrated circuit (ASIC). It will further be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the present invention is defined only by the claims which follow.

Claims

1. An apparatus for transmitting information from an at least one secure source computing platform to an at least one destination computing platform wherein the transmitting is unidirectional, the apparatus comprising: a data collection module for collecting data from the at least one source computing platform to be transmitted to the at least one destination computing platform; a pattern generation component for generating a pattern representing the collected data; a signal outputting device for outputting the pattern; a capturing device, for capturing the pattern output by the outputting ■ device, said capturing device separated from said signal outputting device by a medium; and a pattern decoding component for retrieving the information from the pattern captured by the capturing device.
2. The apparatus of claim 1 wherein the pattern is an optical pattern.
3. The apparatus of claim 1 wherein the pattern is a barcode pattern.
4. The apparatus of claim 3 wherein said capturing device is a barcode reader.
5. The apparatus of claim 1 wherein said signal outputting device is a display.
6. The apparatus of claim 1 wherein said pattern is a sound signal.
7. The apparatus of claim 6 wherein said outputting device is a loudspeaker.
8. The apparatus of claim 6 wherein said capturing device is a microphone.
9. The apparatus of claim 1 further comprising a watchdog module for monitoring the functionality of any one or more of the group consisting of: said data collection module or said pattern generation component.
10. The apparatus of claim 1 further comprising a watchdog module for monitoring the functionality of any one or more of the group consisting of: said data collection module, said capturing device, or said pattern decoding component.
11. The apparatus of claim 1 further comprising a message simulation module for simulating an at least one message to be sent to the destination computing platform.
12. The apparatus of claim 1 further comprising an information distribution component for distributing the information to an at least one target.
13. The apparatus of claim 12 wherein the target is selected from the group consisting of: a file; a database; a visual representation, an audio presentation; a printer; a short message to be sent to a telephone, an e-mail, a fax, an alert to be generated; or a notification to be sent to a telephone recipient,
14. The apparatus of claim 1 wherein the medium is fluid.
15. A method for transmitting information from an at least one secure source computing platform to an at least one destination computing platform wherein the transmitting is unidirectional, the method comprising the steps of: collecting information to be transmitted from the at least one secure source computing platform to the at least one destination computing platform; generating a pattern from the collected information; outputting the pattern by a first device; capturing the pattern by a second device, wherein the first device and the second device are separated by a medium; and decoding the pattern to retrieve the collected information.
16. The method of claim 15 wherein the pattern is a visual pattern.
17. The method of claim 15 wherein the pattern is a barcode pattern.
18. The method of claim 15 wherein the pattern is a sound pattern.
19. The method of claim 15 further comprising a step of generating control information and generating a pattern from said control information.
20. The method of claim 15 further comprising a step of distributing the information.
21. The method of claim 15 further comprising a step of encoding the information and a step of decoding the information.
22. The method of claim 15 wherein the medium is fluid.
PCT/IL2007/000112 2007-01-29 2007-01-29 Method and apparatus for transferring data WO2008093314A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/IL2007/000112 WO2008093314A2 (en) 2007-01-29 2007-01-29 Method and apparatus for transferring data
IL199886A IL199886A0 (en) 2007-01-29 2009-07-15 Method and apparatus for transferring data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IL2007/000112 WO2008093314A2 (en) 2007-01-29 2007-01-29 Method and apparatus for transferring data

Publications (2)

Publication Number Publication Date
WO2008093314A2 true WO2008093314A2 (en) 2008-08-07
WO2008093314A3 WO2008093314A3 (en) 2009-04-16

Family

ID=39674580

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/000112 WO2008093314A2 (en) 2007-01-29 2007-01-29 Method and apparatus for transferring data

Country Status (1)

Country Link
WO (1) WO2008093314A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015142836A1 (en) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systems, methods and computer programs for communicating between networks having different security levels, using barcodes
WO2016025402A1 (en) * 2014-08-11 2016-02-18 Kopel Matthew Interactive image-based communication using image coding

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6202060B1 (en) * 1996-10-29 2001-03-13 Bao Q. Tran Data management system
US6811088B2 (en) * 1993-05-28 2004-11-02 Symbol Technologies, Inc. Portable data collection system
US6942151B2 (en) * 2001-05-15 2005-09-13 Welch Allyn Data Collection, Inc. Optical reader having decoding and image capturing functionality
US7111787B2 (en) * 2001-05-15 2006-09-26 Hand Held Products, Inc. Multimode image capturing and decoding optical reader

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6811088B2 (en) * 1993-05-28 2004-11-02 Symbol Technologies, Inc. Portable data collection system
US6202060B1 (en) * 1996-10-29 2001-03-13 Bao Q. Tran Data management system
US6942151B2 (en) * 2001-05-15 2005-09-13 Welch Allyn Data Collection, Inc. Optical reader having decoding and image capturing functionality
US7111787B2 (en) * 2001-05-15 2006-09-26 Hand Held Products, Inc. Multimode image capturing and decoding optical reader

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015142836A1 (en) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systems, methods and computer programs for communicating between networks having different security levels, using barcodes
WO2015142841A1 (en) * 2014-03-17 2015-09-24 Saudi Arabian Oil Company Systems, methods and computer programs for communicating between networks having different security levels, using barcodes
WO2015142807A1 (en) * 2014-03-17 2015-09-24 Saudi Arabian Oil Comapny Systems, methods and computer programs for communicating between networks having different security levels, using barcodes
WO2015142815A1 (en) * 2014-03-17 2015-09-24 Saudi Arabin Oil Company Systems, methods and computer programs for communicating between networks having different security levels, using barcodes
US9189637B2 (en) 2014-03-17 2015-11-17 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between physically isolated networks having different levels of network protection utilizing barcode technology
US9210179B2 (en) 2014-03-17 2015-12-08 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance
US9223991B2 (en) 2014-03-17 2015-12-29 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer large volumes of data between physically isolated networks having different levels of network protection
US9235724B2 (en) 2014-03-17 2016-01-12 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer backup data between physically isolated networks having different levels of network protection
WO2016025402A1 (en) * 2014-08-11 2016-02-18 Kopel Matthew Interactive image-based communication using image coding
US10482558B2 (en) 2014-08-11 2019-11-19 Waltz, Inc. Interactive image-based communication using image coding

Also Published As

Publication number Publication date
WO2008093314A3 (en) 2009-04-16

Similar Documents

Publication Publication Date Title
US11012447B2 (en) Method, system, and storage medium for secure communication utilizing social networking sites
US8966249B2 (en) Data security and integrity by remote attestation
CN101646995B (en) Data stream filters and plug-ins for storage managers
US9288172B2 (en) Access restriction device, access restriction method, computer readable storage medium
US8478860B2 (en) Device detection system for monitoring use of removable media in networked computers
EP2667314B1 (en) System and method for detection and treatment of malware on data storage devices
US9158648B2 (en) Reporting product status information using a visual code
EP3598336A1 (en) Information processing device and information processing method
US9690598B2 (en) Remotely establishing device platform integrity
CN107895122B (en) Special sensitive information active defense method, device and system
WO2017158593A1 (en) A system, method and computer program product for protecting a computer system from attacks
KR20140036444A (en) A digital forensic audit system for analyzing user's behaviors
CN109960938A (en) Processing method, device, medium and the electronic equipment of sensitive information
CN111611606A (en) File encryption and decryption method and device
US10248658B2 (en) Analytics and deduplication for air-gapped log analysis
WO2008093314A2 (en) Method and apparatus for transferring data
CN109885985A (en) A kind of method and its realization system of the anti-anti- screenshotss of downloading of online reading PDF
US20100241910A1 (en) Method and system for maintenance of a data-processing apparatus
WO2019073232A1 (en) A security system and method
JP2008226242A (en) System and method for logging electronic document or part thereof
JP6053646B2 (en) Monitoring device, information processing system, monitoring method, and program
US11176021B2 (en) Messaging systems with improved reliability
US20210357284A1 (en) Incident management for triaging service disruptions
KR20230076593A (en) A multi-dimensional security automatic management system and a security management method based on digitial twin
KR100632774B1 (en) A dvr system having an independent alarm mail server

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 199886

Country of ref document: IL

NENP Non-entry into the national phase in:

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07706055

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 07706055

Country of ref document: EP

Kind code of ref document: A2