Executive Summary; Four Phase ViSioN Development Strategy; Phase I – Secure Smartphone and Tablet System


GUI Work Flow Management and Collaborative Workspace




GUI Work Flow Management and Collaborative Workspace - A major barrier to the simplification of the security management system is the complexity of managing the policies governing authentication, authorization, encryption, key management, need to know, chains of trust and auditing. The CyverONE GUI is based upon a “drag and drop” object design. The GUI applies and extends the WFM process that was initially developed by Brad Arant and Matt Link at Tenet Healthcare Systems. The WFM prompts the user to follow the proper sequence of events required to comply with the specific policies that lead to the authorization to proceed with, or to conclude, a decision-making process.

The foundation of the ViSioN Network Management System is the CyverGUI. It facilitates the task of configuring, deploying and maintaining the network system through a “drag and drop” user interface.

The GUI is designed to remotely support the end user. The user and remote technical support view the same GUI screen. The user can be prompted by Technical Support by phone and screen action.

The CyverONE System incorporates the Adobe AIR interface. AIR is designed to support objects, animation and real time processing. It is a seasoned user interface for the cloud, incorporating the field-proven Flash runtime that originated at Macromedia. It supports real time application interfaces that are superior to competitive alternatives. The system is designed for consistency in support of the objects adopted throughout the system.

The ViSioN Graphical User Interface (GUI) is shown in Figure 3 below. It is the cornerstone of a workflow management system (WFM) and collaborative workspace capability. Secured voice, video and data networks must be configured in “real time” for a select group of persons who have “need to know.”

The WorkFlow Automation and Management (WFM) system applies process control logic and MESH controls in the CyverONE VMs.

The PBX is the mechanism for routing the traditional IPsec VPN or Suite B IPsec VPN to the end-point. It makes practical end-point to end-point encryption. It facilitates a “trusted connection over an untrusted network” over the Internet. The CyverONE VoIP PBX provides all the features of an enterprise class PBX. The Graphical User Interface (GUI) is a major improvement in simplifying the management of the PBX: the configuration and maintenance of moves, changes and cancellations, find me/follow me, conferencing, and hosting of the CyverONE Suite B IPsec VPN based service.

In addition, CyverONE offers a Software Development Kit (SDK) to applications developers to incentivize and facilitate the development of applications as an “object design” on the CyverONE desktop. The Enterprise Class VoIP PBX is a requirement and a core capability for a unified communication system (Unicom). Until the past few years, the PBXs supplied by competitors have been premises based installations. In 2011 technology made it feasible to deploy the hosted VoIP PBX service. In the past the Legacy PBX was configured with “command line programming.” “Command Line Programming” requires an upscale, expert technologist to configure and maintain these systems. It results in a major system support cost factor.




Figure 5



  1. Multi-factored Authentication System - The NSA has specified the need for an Edge Router, Border Router and Core Router. CyverONE assumes that the edge router performs the initial authentication of an “agent” attempting to access the system. It is assumed that the border router performs additional multi-factor authentication routines. These routines may include speech identification, retinal scan, fingerprint, facial scan, semiconductor DNA, key cards, etc. A prime objective is to eliminate the need for passwords, an oftentimes impractical method for keyboarding entries into the system.

Speech Identification – CyverONE advocates speech identification as an authentication system. The MIPS multi-core processor with up to 384 cores will allow multiple artificial intelligence algorithms to be processed in parallel. This multi-algorithm approach will increase the probability that an individual’s speech can be accurately analyzed on a timely basis. It is practical to apply 5 to 10 unique AI algorithms to simultaneously analyze a speech pattern. Reference: Artificial Neural Networks, Kishan Mehrotra, Chilukuri K. Mohan, Sanjay Ranka, MIT Press.

Retinal Scan – The smartphone and tablet have a high resolution camera capable of scanning an individual’s retina as a primary method for authenticating the agent.



ID-based encryption (or identity-based encryption, IBE) is an important primitive of ID-based cryptography. It is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user, such as the text value of a name or domain name, or the IP address it translates to (source: Wikipedia). CyverONE is researching the applicability of IBE.

  1. Intrusion Detection and Access Control – Intrusion detection systems will be developed and implemented. Best of breed approaches will be tested for deployment on the system. “Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor.” Reference: A Virtual Machine Introspection Based Architecture for Intrusion Detection, Tal Garfinkel and Mendel Rosenblum, Computer Science Department, Stanford University.

  2. Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems – As the Enterprise or Government Agency dependence on the system grows, there is an urgent need for an adaptive system that facilitates introducing new applications without disrupting network operations. Cyvergence personnel have designed and developed a Claims Processing System for Tenet Healthcare. The alternative proposal was to install mainframes in each of 8 facilities. Instead, the system was installed in a single location to support all eight locations. Efficiencies were achieved through an advanced policy and work flow management system. The system implemented various policies and performed work flow management.

An extension of the Tenet system architecture has been proposed to the Office of the Secretary of Defense. The proposal is contained in Appendix F. The extension of the Tenet System was facilitated by the ViSioN Virtual Platform and the Virtual Object Design. The Virtual Platform and the Virtual Object Design were adopted in, and applied to, the implementation of the Graphical User Interface and Work Flow Management System for the hosted PBX.

An example of the application of the Adaptive System is the case where a Virtual Machine approaches 80 percent of its maximum capacity: under this circumstance the Adaptive Policy and Work Flow Management System determines how to transfer the process to a VM with the capacity to manage the application.

In our approach we propose using an advanced object model to provide an abstracted interface for establishing a reasoning methodology that allows various behaviors to be associated using multiple inheritance techniques. The approach targets security management and resource and availability controls to create a scalable and adaptive computing infrastructure with graphical work space tools to simplify policy management.

The policies that are applied to automate the relocation of the application are embodied in a number of “drag and drop” objects. The design of these objects makes it practical for an administrator with limited technical knowledge to manage the overall process and to maintain processing efficiency.

Adaptability is achieved by establishing policies which take into consideration new and changing elements combined with a rich testing structure to assess and categorize the behavior of new elements.

Combined with policies that describe allowed behavioral structures an environment can be provided where new systems and applications can be added to existing virtualized environments without disruption or security issues being introduced into the system.

Policies can define ranges and thresholds for maintaining the integrity of their mandates and can trigger events when policy violations have occurred. Supervisory policies can then be applied to take corrective action on the environment so that it again satisfies the policy’s mandates.

The initial phase of this project will be to complete the design approach to achieving these objectives. Subsequent phases will test the design within the infrastructure of what will become a product designed to provide a rich and adaptive virtualized computing environment. The system is described in Appendix F.
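The threshold-and-supervisory-policy behaviour described above (a VM approaching 80 percent of capacity, a policy violation raising an event, and a supervisory policy relocating the process to a VM with headroom) can be made concrete in a few dozen lines. The following is an added illustration written for this page, not CyverONE's Adaptive Policy and Work Flow Management System; the VM names, capacities, workload names and the `ThresholdPolicy`, `choose_target` and `relocate` functions are all constructed for the example.

```python
"""Threshold policies with supervisory relocation.

Added illustration, not CyverONE code: a policy mandates a utilization
ceiling for each VM, a violation raises an event, and a supervisory policy
answers the event by relocating a workload to a VM that still has headroom.
All VM names, capacities and workloads below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VM:
    name: str
    capacity: float  # maximum units of work the VM can carry
    load: float      # units of work currently hosted

    @property
    def utilization(self) -> float:
        return self.load / self.capacity


@dataclass
class Workload:
    name: str
    host: str    # name of the VM currently running it
    size: float  # units of work it consumes


@dataclass
class ThresholdPolicy:
    """Mandate: utilization of every VM stays below `limit` (0.80 is the 80 percent case)."""
    name: str
    limit: float = 0.80

    def violations(self, vms: List[VM]) -> List[Dict]:
        """Evaluate the mandate and emit one event per violating VM."""
        return [
            {"policy": self.name, "vm": vm.name, "utilization": round(vm.utilization, 3)}
            for vm in vms
            if vm.utilization >= self.limit
        ]


def choose_target(vms: List[VM], workload: Workload, limit: float) -> Optional[VM]:
    """Supervisory rule: pick the least-loaded VM that still stays under the
    limit after accepting the workload, so the move cannot create a new
    violation; None if no VM has the capacity."""
    candidates = [
        vm for vm in vms
        if vm.name != workload.host and (vm.load + workload.size) / vm.capacity < limit
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda vm: vm.utilization)


def relocate(vms: List[VM], workloads: List[Workload], policy: ThresholdPolicy) -> List[Dict]:
    """Handle each violation by moving workloads (largest first) off the hot VM
    until it is back under the limit. Every move is recorded, and an
    'unresolved' event is recorded when no target VM has the capacity."""
    by_name = {vm.name: vm for vm in vms}
    actions: List[Dict] = []
    for event in policy.violations(vms):
        hot = by_name[event["vm"]]
        hosted = sorted((w for w in workloads if w.host == hot.name),
                        key=lambda w: w.size, reverse=True)
        for w in hosted:
            if hot.utilization < policy.limit:
                break
            target = choose_target(vms, w, policy.limit)
            if target is None:
                continue  # nowhere to put this one; try a smaller workload
            hot.load -= w.size
            target.load += w.size
            w.host = target.name
            actions.append({"event": "moved", "workload": w.name,
                            "from": hot.name, "to": target.name})
        if hot.utilization >= policy.limit:
            actions.append({"event": "unresolved", "vm": hot.name,
                            "utilization": round(hot.utilization, 3)})
    return actions


def demo() -> Dict:
    """Constructed scenario: vm-a is at 85 percent, vm-b has headroom, vm-c is nearly full."""
    vms = [VM("vm-a", 100, 85), VM("vm-b", 100, 40), VM("vm-c", 100, 70)]
    workloads = [
        Workload("claims-batch", "vm-a", 30),
        Workload("pbx-gui", "vm-a", 30),
        Workload("audit-log", "vm-a", 25),
    ]
    policy = ThresholdPolicy("vm-capacity", limit=0.80)
    before = policy.violations(vms)
    actions = relocate(vms, workloads, policy)
    after = policy.violations(vms)
    return {"before": before, "actions": actions, "after": after,
            "loads": {vm.name: vm.load for vm in vms}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter for the adaptive case the text describes: the supervisory rule refuses any target that would itself cross the threshold after the move, and when no VM has the capacity the engine reports an unresolved event rather than silently leaving the violation, which is what an administrator with the “drag and drop” view would need to see.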



  1. Cross Domain – A bridge is required to connect multiple users with dissimilar encryption algorithms. It is conceptually practical to support Type 1, Suite B, traditional IPsec AES and other encryption algorithms, if certified by the NSA.

    Suite B IPsec VPN will be established as the backbone of the security system for SIPRNET (SABI) and NIPRNET. It adopts Secure Real-time Transport Protocol (SRTP) for voice and Datagram Transport Layer Security (DTLS), Elliptic Curve Diffie-Hellman key exchange and AES encryption at the transport layer. It may be practical to adopt Type 1. Type 1 encryption is considered a shrinking market. NSA will take Suite B as far as it will go, including replacement of Type 1, if possible.

    SOCOM does not currently favor Android. CyverONE proposes the installation of Android on the server and CyverGIX on the Mobile Device. A VNC Thin Client will connect the mobile device to the server. The Suite B IPsec VPN will communicate across the VNC connection, allowing encryption and decryption to be performed in the mobile device. It will allow SRTP and DTLS encrypted communication, end-point to end-point.

    Traffic under multiple encryption algorithms can be decrypted in the server and re-encrypted under the Mobility Device’s algorithm and key before transmission to the Mobility Device.

    To overcome SOCOM’s objection to Android, Android could be installed on the server and a VNC connection can provide the link to the Mobile Device.

    Deborah Plunkett, Director of IAS at NSA, reports a need to carry 4 secure devices; there is therefore a need for a system that can convert multiple versions of Type 1 encryption to Suite B IPsec VPN in the smartphone and tablet. If VoIP is required, there is a need for a PBX to perform the encryption and decryption in the cloud. This approach will minimize the need to carry multiple phones.

    CyverONE recommends that the pilot test program be launched with a single supplier for the mobility device. BYOD may be too expensive, although suppliers such as MobileIron are attempting to address the BYOD issue. CyverONE will provide an MDM that can be downloaded from technical support central, assuming the Mobile Device Manager cooperates with access to the required utility.


  2. Virtual Applications

    QSI Healthcare Medical Record – The application is written in Microsoft .NET. DISA supports the VA Hospital VistA Healthcare Management System. VistA is written in Java. Therefore, the Mobility Device can access the Healthcare Medical Record for two systems. The QSI HMR is accessed by Citrix. The Citrix System must provide a thin client VNC-type protocol that can connect the Mobility Device. The VistA HMR is accessed with the Mobility Device. Suite B can provide the security. In due time these two medical record systems can be fully integrated.

    IntuView Intelligence Data Mining System - The Israeli company produces a multi-lingual intelligence program that “mines” intelligence and identifies manufacturers and users of IEDs (Improvised Explosive Devices). In the past this information was sent to a data center in Fairfax, VA. Typically, it took two or more months to mine the data and to return actionable intelligence to the war zone. The CyverONE system will permit the intelligence to be acquired in close to real time. The intelligence can be promptly deployed to the warfighter for timely counterinsurgency.

    CyverONE XML Interface - The ViSioN system is based upon a unique virtual object model. The CyverGIX Operating Environment is designed to provide XML access to data. The ViSioN Virtual Objects are designed to interface everything external to the system as an object. The ViSioN objects are designed to evolve into the Autonomous Virtual Object Model defined in Phase IV.

    Insider Threat – The threat of the insider and the mole, as in the case of Aldrich Ames, the former CIA officer responsible for the Russians executing 10 CIA agents. Robert Hanssen was an FBI agent. He was responsible for identifying a Russian General who was executed for spying for the United States. Rand Corporation is expert in the study of the Insider Threat. CyverONE will research the best-practice programs for countering the Insider Threat.


  3. Advanced Cloud Server - High scalability is required. This is achieved through a multi-core, massive parallel, microprocessor.

    The encryption processes are relatively inefficient when executed in software. NSA wants encryption to be performed in hardware. The processor selected by CyverONE has hardware encryption as an integral part of each core processor.

    CyverONE is in the process of evaluating the processors supplied by MIPS, Intel and IBM. Cavium currently supports a 2 to 32 core MIPS processor. Cavium has a processor in development that delivers 384 fully integrated cores with hardware encryption. This processor incorporates many features including over 500 application accelerators, communications interfaces, compression processors, virtualization support and advanced security features. The 4G network interface has extraordinarily high bandwidth and may provide the capacity desired for X-Ray transmissions. The MIPS processor power consumption is at least 70 percent less than alternatives.

    The Intel processor is optimized for Microsoft Windows .NET type support. The MIPS processor is optimal for routing, communications and Linux type processes. In the current network marketplace, eight (8) of the ten (10) largest hosting services have adopted the Linux Operating System because of its superior performance in a network environment.

    The OCTEON III also features a revolutionary, low latency coherency architecture that enables multiple OCTEON III chips to appear as a single logical high-performance processor with up to 384 cores, an effective 2.5 GHz cycle time, an effective 6 instructions per cycle and no wait state performance. Depending upon the outcome of the alternative server study, it is practical to integrate processors from multiple suppliers, if that can be justified based upon cost performance. The system has 2 Terabytes of memory capacity. The CN7XXX offers up to 4X performance over the market-share leading OCTEON II in a similar power envelope and up to 2x performance per Watt advantage over alternative solutions. Detailed specifications for the OCTEON III are contained in Appendix A.

    The encapsulated hardware accelerators will make this machine perform to unbelievable standards. Power to performance ratios will be unmatched and cost of ownership in the long term will be drastically reduced with an increase in capability. This will make this an attractive server product.

    Assuming the government wants a “Tempest” qualified server manufactured in the US, CyverONE can collaborate with a Type 1 product manufacturer on developing the NexGen Scalable Servers. Otherwise, CyverONE will continue the plan to apply COTS (Commercial Off The Shelf) equipment, as specified by NSA. The selected MIPS processor satisfies FIPS 140-2 security standards. CyverONE has ported the CyverGIX operating environment to both the Intel and Cavium MIPS platforms. The CyverGIX operating environment is portable to existing servers.

    CyverONE currently purchases embedded processors from manufacturers who apply both the Intel and Cavium processors. These systems are operational in a commercial COTS type environment.

    Figure 7 is an illustration of the form factor of the anticipated Satire Secure Cloud Server.


Figure 6


The ViSioN OCTEON III Scalable Server will be contained in a 1.5U, 18-inch assembly.


Phase III Special Operations Command

1. Counterinsurgency System

As stated by NSA, “The secure sharing of information among Department of Defense, coalition forces, and first responders motivates the need for widespread cryptographic interoperability and for NSA-approved information assurance products that meet appropriate security standards to protect classified information.” The cornerstone of the system is Suite B, a cryptographic suite that addresses the need for SABI (Secret and Below Interoperability). The NSA Mobility initiative will take Suite B as far as it will go. Currently, Type 1 cryptography supports Top Secret and above. It is expected that Suite B will evolve into a system that replaces a large portion of the Type 1 segment.


Counterinsurgency - According to Wikipedia, “Counter-insurgency (COIN) is normally conducted as a combination of conventional military operations and other means, such as propaganda, psy-ops, and assassinations. Counter-insurgency operations include many different facets: military, paramilitary, political, economic, psychological and civic actions taken to defeat insurgency.” Sharing intelligence and information is a critical factor in COIN operations. Warfighters engage the “locals” where the insurgents may be hiding behind women and children.

SOCOM appears to be one of the most challenging requirements for the Suite B initiative. Figure 7 illustrates a Secure Adhoc Cloud Network based upon the CyverONE ViSioN System. The network connects intelligence sources with a group of counterinsurgency warfighters. Assuming Suite B is applied, the system will feature “end-point to end-point” encryption for the Mobility devices, the smartphone and tablet. The system provides a “trusted connection over an untrusted network”, the Internet.

Intelligence is acquired and an action plan is developed for the warfighters. The network adds and removes from the network collaborators, the intelligence agents, “local partners” and warfighters. The adhoc network is automatically configured, negotiating a changing group of collaborating participants with varying levels of security clearance.

Data Mining - Initiation of the adhoc network shown in Figure 7 could be a data mining program that identifies a group of insurgents manufacturing Improvised Explosive Devices (IEDs). As the intelligence is corroborated, intelligence agents collaborate to provide actionable intelligence. Rather than forwarding the information from the Middle East to NMEC in Fairfax, VA, the ViSioN cloud server processes the data in hours instead of months. The Field Commander formulates and communicates the action plan with a select group of warfighters authorized to receive classified information on their mobile device.

Attacking the Attackers - Lt. General Keith Alexander, Commander of US Cyber Command and Director of NSA specifies the need for a system that “attacks the attackers.” Proactive analytics, authentication, identifying the hacker, spoofing the hacker and launching a counter attack in “real time” requires a responsive system. The virtualized platform is an ideal system for managing the proactive analytics.

The Director of NSA wants the system to “Attack the Attacker.” The system should initiate a counterattack. In meetings with the NSA Program Manager, NSA has specified the need for multiple routers. These routers are specifically referred to as edge, border and core routers. A multiple layered router is required to authenticate and screen dangerous hackers. Hardware cryptology is needed for high speed encryption and decryption. The edge router function identifies suspected hackers. Suspected hackers can be rerouted to a “spoofing” program. Action is taken to identify the hacker location. It may actually provide the intruder with access to system images that contain information that is intended to mislead.

An identity detection system that intercepts insurgent hackers may initiate an “Attack the Attacker.” Once the identity is established, a policy and analytics program launches a process to take defensive action as well as an attack plan.




Figure 7


  1. MESH Wireless System Integration - The system features automatic routing management, negotiating the connections both with external routers and the virtual machines on the server. MESH is the basis for rapidly configuring an Adhoc network and optimizing the utilization of available server capacity.

    MESH reduces dependence on the central DHCP service. It should be an ideal system for military “battlefield” operations that are not within range of a DHCP station. The intent is to dynamically create and maintain a fully connected network that is self-healing and can pass traffic through devices that are acting as nodes in their secondary capacity. The intent is not to replace the capabilities of the primary network nodes. The intent is rather to provide information pathways through the network, thereby ensuring delivery of mission critical data even when primary network nodes are not available or are offline.

    CyverONE is evaluating Identity based Encryption (IBE). IBE appears to be inherently more efficient than the IPsec VPN. It may prove to be a preferred alternative to IPsec.




  2. COIN Distance Learning Program - When the U.S. military invaded Iraq, it lacked a common understanding of the problems inherent in counterinsurgency campaigns. It had neither studied them, nor developed doctrine and tactics to deal with them. It is fair to say that in 2003, most Army officers knew more about the U.S. Civil War than they did about counterinsurgency.

    The training should be secured and delivered on the Army Learning Management System (ALMS). The ALMS system adopts the SCORM standards. The training program will serve as an ideal pilot test environment for the Suite B implementation.

    CyverONE delivered a Learning Management System to Edudyne Foundation. The program emphasized distance learning, and mind mapping as a primary learning tool.

    SCORM is a specification of the Advanced Distributed Learning (ADL) Initiative, which comes out of the Office of the United States Secretary of Defense. Sharable Content Object Reference Model (SCORM) is a collection of standards and specifications for web-based e-learning. It defines communications between client side content and a host system called the run-time environment, which is commonly supported by a learning management system.


Phase IV Virtual Systems Integration Management
The CyverONE Graphical User Interface is based upon a “drag and drop” object design. The objects are designed for persistence and autonomy. The Work Flow Management system is an integral part of the object development plan. CyverONE has submitted a proposal to the Office of the Secretary of Defense for the “Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems Cross Domain and Multi-Level Security (Adaptor).” The Adaptor (See Figure 8) interfaces the Policy Management System with the Work Flow Management System. Policies and WFM routines are connected together and control the objects that are processed in the Virtual Machines. The Adaptor Objects are designed to interface the Autonomous Virtual Object Model (AVOM).

    1. The Autonomous Virtual Object Model (AVOM) – The Virtual Object design anticipates deployment of the AVOM. Object sets encapsulate the security rules. The AVOM objects have persistence and autonomy. The AVOM model makes it practical to move a secured Object Set anywhere across the network where there is adequate processing capacity available on a virtual platform. An AVOM proposal is being submitted to DARPA.

      The DOD has published the DOD Cloud Computing Strategy, July 2012. Teri Takai, DOD CIO, stresses the importance of Cross Domain, Multi-Level Security, Interoperability, Scalability, Small Footprint and COST. The ViSioN system adopting the AVOM architecture is designed to achieve these objectives. The AVOM will provide a “fine grain” Need to Know capability. The proposed system is an extension of the object model delivered in Phases I, II and III. It represents a system architecture based upon “stateless objects.” It eliminates the following:




  • Cross Domain Breaching

  • Process Model

  • Standard Application Protocols

  • Storage Mapping



    The system will incorporate data warehousing, knowledge mining and cross-language extraction of information by introducing a domain-oriented "idea mining" and cross platform information sharing capability.
    The Autonomous Virtual Object Model (AVOM) is a major advance over the state of the art in system architecture. The uniqueness of the system starts with embedding security rules in a unique, self-contained set of objects. The objects are both persistent and autonomous. The security rules within each object move with the object set regardless of where it is moved. This will allow each individual who acquires the information to have control over who may access the information contained within the object. Along with these security rules, CyverONE’s ViSioN System provides basic authentication capabilities so that the originating user can force identity authentication prior to accessing the data.
    What Makes This AVOM Novel/Revolutionary?

    This project will provide a revolutionary approach to an integrated object oriented model that delivers the following:





  • Elimination of the process model – Processes are evolved from the fact that processing is done procedurally with nested stacks, etc. Processes require stack resources and other TSS data that are expensive to migrate across networks in the event the process needs to be moved. The process model is vulnerable to attack where procedures may be invoked in the stack which may compromise data and process integrity via un-trusted paths.

  • Eliminating the process model concurrently eliminates the vulnerability of breaching security on shared memory resources.

  • Elimination of standard application protocols – SMTP, HTTP as well as just about all other protocols can be eliminated using an advanced model for communication of object structures. Secure e-mail and application interfaces can be devised that share objects using a single level storage concept. Application protocols such as these provide a context to a hacker to aid in unauthorized decryption if the protocol is captured while in transit. Underlying address pointers relative to a trusted connection provide a much more obfuscated data stream.

  • Elimination of storage mapping – because process-based applications are not persistent, they lose their data when the process ends, requiring mapping to persistent storage. The objects described herein are persistent and already represent the data, the method and the access without the requirement of further mapping, and they have the advantage of being inherently persistent.

  • Deployment of a method based net-centric scheduler for processor core resources – distributed object domains will require access to objects in other domains. Trusted connections are made which can then respond to message requests via a net-centric scheduler. Processing object methods in response to an event eliminates the need to carry large stacks around to maintain processes allowing object structure to define procedure in a network centric fashion where processing follows available resources and interface hardware.

  • CyverONE packages its proprietary approaches to all the above functions into market tailored packages that will comprise our approach to Virtual Resource Management. With the ability to increase application to server density, consolidate network routing functions onto fewer networking appliances, and automate server maintenance and applications administration, we are in the position to help installations maximize their Return on Investment (ROI) with the purchase of our systems, software, and consulting services. We have titled this program Virtual System Integration Management with AVOM. It represents the ability to utilize these capabilities to maximize a “lights out” approach to Data Center management.

    1. “Need to Know” – The more people that are granted access to classified information, the higher the probability that the information may be improperly disclosed. As information and intelligence is forwarded up organization channels and as information is combined with intelligence, the intelligence may require the assignment of a security classification and limit access to the information.


The AVOM makes practical “fine grain” need to know. Single Level Virtual Storage (SLVS) architecture will provide a net centric view to geographical distributed databases. Intelligence is acquired from geographically distributed sources. When intelligence is acquired, the person that is closest to the point of intelligence acquisition should control the management of the disclosure of the intelligence. Therefore, the system should give a net centric view to geographically distributed databases.
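The two ideas in the AVOM and “Need to Know” passages above, an object set that carries its own security rules wherever it moves and an originator who controls disclosure and can force authentication before the data is read, can be demonstrated with a small self-describing object. This is an added illustration written for this page, not CyverONE’s AVOM or ViSioN code; the subject names, the compartment name `CELL-7`, the report text, and the `AuthService` challenge-response stand-in for the originating user’s authentication check are all constructed for the example.

```python
"""Objects that carry their own disclosure rules.

Added illustration, not CyverONE's AVOM: each SecuredObject embeds its
classification, the need-to-know compartments it requires, and the grants
its originator has made. The object itself decides disclosure, and only
after the requester authenticates. Subjects, compartment name, keys and
report text are constructed sample data; AuthService is a hypothetical
stand-in for the originating user's authentication check.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Clearance:
    subject: str
    level: str
    compartments: frozenset  # need-to-know compartments the subject holds


def prove(key: bytes, challenge: bytes) -> bytes:
    """What the requesting device computes from its enrolled key and the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthService:
    """Challenge-response check: a subject proves possession of an enrolled key."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def enroll(self, subject: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[subject] = key
        return key

    @staticmethod
    def challenge() -> bytes:
        return secrets.token_bytes(16)

    def verify(self, subject: str, challenge: bytes, proof: bytes) -> bool:
        key = self._keys.get(subject)
        return key is not None and hmac.compare_digest(prove(key, challenge), proof)


@dataclass
class SecuredObject:
    originator: str
    classification: str
    compartments: frozenset  # every one of these is required to read the payload
    payload: str
    grants: Set[str] = field(default_factory=set)
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def grant(self, by: str, subject: str) -> None:
        """Only the originator (the person closest to acquisition) widens disclosure."""
        if by != self.originator:
            raise PermissionError("only the originator may grant access")
        self.grants.add(subject)

    def decide(self, clearance: Clearance) -> Tuple[bool, str]:
        """Pure policy decision: level, then compartments, then explicit need-to-know grant."""
        if clearance.level not in LEVELS:
            return False, "unknown clearance level"
        if LEVELS[clearance.level] < LEVELS[self.classification]:
            return False, "insufficient clearance"
        if not self.compartments <= clearance.compartments:
            return False, "missing compartment"
        if clearance.subject != self.originator and clearance.subject not in self.grants:
            return False, "no need-to-know grant"
        return True, "ok"

    def disclose(self, clearance: Clearance, auth: AuthService,
                 challenge: bytes, proof: bytes) -> str:
        """Authenticate first, then apply the embedded rules; every attempt is logged."""
        if not auth.verify(clearance.subject, challenge, proof):
            self.log.append((clearance.subject, "denied", "authentication failed"))
            raise PermissionError("authentication failed")
        ok, reason = self.decide(clearance)
        self.log.append((clearance.subject, "disclosed" if ok else "denied", reason))
        if not ok:
            raise PermissionError(reason)
        return self.payload


def demo() -> Tuple[SecuredObject, Dict[str, str]]:
    """Constructed scenario: an analyst's SECRET report, released to one commander."""
    auth = AuthService()
    keys = {s: auth.enroll(s) for s in ("analyst", "commander", "liaison")}
    report = SecuredObject(originator="analyst", classification="SECRET",
                           compartments=frozenset({"CELL-7"}),
                           payload="constructed sample report: corroborated sighting")
    report.grant("analyst", "commander")  # originator widens need-to-know to one person
    requests = [  # label, asserted clearance, key the requester actually holds
        ("commander", Clearance("commander", "TOP SECRET", frozenset({"CELL-7"})), keys["commander"]),
        ("liaison", Clearance("liaison", "SECRET", frozenset()), keys["liaison"]),
        ("forged", Clearance("commander", "TOP SECRET", frozenset({"CELL-7"})), keys["liaison"]),
    ]
    outcomes: Dict[str, str] = {}
    for label, clearance, key in requests:
        challenge = auth.challenge()
        try:
            outcomes[label] = report.disclose(clearance, auth, challenge, prove(key, challenge))
        except PermissionError as exc:
            outcomes[label] = str(exc)
    return report, outcomes
```

The order of checks is deliberate: a requester who cannot prove identity never reaches the policy decision, a sufficient clearance level alone is not enough without every required compartment, and even with both the originator’s explicit grant is still required. Because the rules and the log travel inside the object, the same decision is reached wherever the object set is relocated.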

3.0 Pilot Test and Certification – The objective is to obtain FIPS 140-2 Certification and NSA endorsement. Sypris is an authorized agent for making the certification assessment and to issue the formal certification.

Appendix A – Scalability

The Cavium OCTEON Multi-Core MIPS64 Processor is part of this plan. Cyvergence can deploy an OCTEON II based processor early in 2013. The CyverGIX operating environment has been installed on a 16 core OCTEON based system. It was installed at Best Buy/Dealtree before we committed to a less expensive Intel based processor.

When we started with Cavium in 2007, Cavium annual revenues were $50M. Revenues in 2012 are in the range of $259M.

The OCTEON III features a revolutionary, low latency coherency architecture that enables multiple OCTEON III chips to appear as a single logical high-performance processor with up to 384 cores, providing up to 960GHz compute, up to 800+ Gbps of application performance and up to 2 Terabytes of memory capacity. Power consumption is very low and very competitive. The system provides superior features that will facilitate cross platform, multi-level security, interoperability, low power, scalability and low cost. Prototype OCTEON III processors will be available in 2012 and production released in 2014. All of the CyverGIX software will be readily transferred to the OCTEON III.



OCTEON III CN7XXX Multi-Core MIPS64 Processors




The OCTEON III CN7XXX family of Multi-Core MIPS64 Processors provides up to 120GHz of 64 bit processing and targets high-performance, high-throughput, service-rich applications for Cloud, Secure Datacenter, Wireless Infrastructure, Enterprise and Storage equipment. The family includes a range of software compatible processors, with up to 48 cnMIPS64 III cores, over 500 application acceleration engines including integrated high-performance search processing leveraged from Cavium’s NEURON Search processors, chip-to-chip interconnect and an innovative real-time PowerMin™ power manager, providing the highest compute and services performance of any standard ISA processor. 

OCTEON III supports over 100Gbps of application processing in a single chip and supports over 500 Gbps of I/O connectivity and the latest standards-based SERDES I/O’s including multiple ports of 40G, 20G, 10G, GE, Interlaken, Interlaken/LA, SRIO, PCIe Gen3, SATA 6G and USB 3.0.

OCTEON III also features a revolutionary, low latency coherency architecture that enables multiple OCTEON III chips to appear as a single logical high-performance processor with up to 384 cores, providing up to 960GHz compute, up to 800+ Gbps of application performance and up to 2 Terabytes of memory capacity. The CN7XXX offers up to 4X performance over our market-share leading OCTEON II in a similar power envelope and up to 2x performance per Watt advantage over alternative solutions.

The CN7XXX processors offer the highest compute for demanding 4G/LTE infrastructure applications, switch/router and ATCA blades, and high-performance appliances. With configurable SERDES, up to 4 memory controllers, a large L2 Cache, and complete application acceleration, including NEURON Search, packet processing, Encryption/Decryption, Deep Packet Inspection (RegEx), Compression/decompression, De-duplication, RAID, and Multi-core scaling, the CN7XXX offers both the highest compute available as well as the highest throughput processing and services.

Powerful control plane processing solutions are enabled with high-frequency cores up to 2.5GHz, large and highly-associative L1 and L2 caches, and enormous DRAM bandwidth.

Using a 28nm process and innovative power saving technology, the CN7XXX offers 2X to 5X performance, power, and real-estate advantage over alternatives. The OCTEON III is supported by industry-standard software tool chains and operating systems, and is fully software compatible with the OCTEON II, OCTEON Plus and OCTEON families, enabling straightforward software reuse and scalability from 1 to 48 cores with the same software design.

OCTEON III CN7XXX - Block Diagram

OCTEON III CN7XXX - Product Family

Device: CN7XXX
cnMIPS III cores: up to 48
Performance (maximum instructions per second): 240 billion per chip
Options: AAP (y), CP (y)
L2 Cache: large
Networking Interfaces: multiple 40G, 20G, 10GE, GE, Interlaken, Interlaken/LA
PCI-Express / SRIO: PCIe Gen3, SRIO
Memory I/O with ECC: 4x 72-bit DDR3/4
Package: TBD


Appendix B. ViSioN System Description

Figure 1 and Figure 2 illustrate the unique characteristics of the ViSioN System. The design strategy of the CyverONE ViSioN System is to provide a secure connection over an untrusted network.



Figure 1

CyverONE proposes the acceleration of testing to achieve early adoption of the system for the DOD SIPRNET, the Secret Internet Protocol Router Network.

Figure 2 is a diagram of the Virtual Secret Network (VSN). NSA's initial objective in the NSA Fishbowl project was to test the security of a voice connection across the network. Phase I set the stage for securing voice, video and data both "in-flight" and "at-rest" in Phase II. IPsec with Suite B-compliant algorithms is installed in the VM-1000 Application Server and in the end-point devices, providing end-point to end-point encryption.

Figure 2

Figure 3


The ViSioN Graphical User Interface (see Figure 3) is a major advance in capability. It is implemented as an object oriented system and is a major advance over the command line tools used to configure, install and maintain unified communications systems.

Deborah Plunkett, Director of NSA's Information Assurance Directorate (IAD), reports needing to carry four phones when traveling. We assume these cover IPsec, Type 1.1, Type 1.2 and a service on the public network.



Figure 4


Figure 4 illustrates the disparity within the network that results in Deborah Plunkett carrying four phones. There are 17 intelligence agencies. CyverONE has not yet been granted a SECRET or TOP SECRET clearance, which would give access to the specific problems in the secured networks; it is expected that clearances will be granted in the near future.

Managing Network Security Has Been Too Complex

Current systems depend upon multi-factor authentication. Typing passwords into the system is a real problem, and the record keeping and authorization required to issue and change passwords are problematic. Speaker identification and retinal scanning can be fully automatic, and these mobile devices provide enough computing power at the end point to support them. Note that a biometric replaces only the knowledge factor (the password); a second factor, such as a device-bound credential, is still required for the result to count as multi-factor authentication. Sypris has proposed the implementation of the Satire Network Server, which integrates a PBX and a Jupiter router. The legacy Type 1 encryption devices are interfaced externally to the Satire system; it was anticipated that the Type 1 encryption algorithms would be integrated internally in the Satire server.

CyverONE has proposed to Sypris that a study determine what is required to incorporate the Type 1 algorithms into the Satire server. The objective is to determine what functions can be consolidated into the server to reduce Plunkett's four phones to a single phone.

Simplifying the Network Management Problem

There are a number of problems inherent to the complexity of managing current networks:

  1. Back Dooring the Operating System
  2. Intercepting Access Passwords
  3. Keyboard Entry of Passwords
  4. Need to Know Administration
  5. Interoperability
  6. Cross Domain Vulnerability
  7. Multi-Level Security

All of these requirements have been addressed by CyverONE.

NSA is making a major commitment to Suite B IPsec VPN in support of security for mobility devices, the smartphone and the tablet. Suite B is expected eventually to displace Type 1 cryptography. NSA Mobility is deferring support for Cross Domain and Multi-Level Security; it appears that multi-layered authentication will be supported in the initial phases of deploying the system.

Workflow Management

Work Flow Management - A workflow management system is illustrated in Figure 5. A workflow consists of a sequence of connected steps. The emphasis is on the flow paradigm, where each step follows its predecessor without delay or gap and ends just before the subsequent step may begin. This concept is related to the non-overlapping tasks of a single resource. It is a depiction of a sequence of operations, declared as the work of a person, a group of persons, an organization of staff, or one or more simple or complex mechanisms. Workflow may be seen as any abstraction of real work. Reference: Wikipedia, Workflow Management.

Work flow and Policy Management System

CyverONE personnel previously developed a significant work flow management (WFM) system to support a healthcare record management system. The work was performed for Tenet Health Systems. It integrated the IBM AS/400 and the Nortel Meridian telecom switch, and was a highly successful application.

A diagram of a WFM system would present the logic of actions and the data flow required to perform a task. Figure 5 is a simplified illustration of the tasks involved.

Collaborative Workspace - Counterinsurgency warfare illustrates the need for a secure collaborative workspace. Once acquired information has been reduced to actionable intelligence, an attack plan must be created, and the first need is to make certain that friendly forces in the attack zone are not injured. The ViSioN System allows an ad hoc network to be configured that limits access to those "agents" who have a need to know.




Figure 5
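To make the sequencing and policy gating described above concrete, here is an added example (not CyverONE or ViSioN code): a small C++ workflow engine in which each step runs only when it is next in sequence and the acting principal satisfies that step's policy, and every attempt, allowed or denied, is written to an audit trail. The type names, the four-step sequence (authenticate, authorize, configure, conclude) and the roles "operator" and "approver" are assumptions chosen for illustration.

```cpp
// Added example (not CyverONE code): a policy-gated workflow engine.
// Step, Principal and Workflow are illustrative names; the roles and the
// four-step sequence below are assumptions drawn from the document's text.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Principal {
    std::string name;
    std::set<std::string> roles;   // e.g. "operator", "approver"
    bool authenticated = false;    // true only after a successful login
};

// A step runs only when it is the next step in sequence AND the acting
// principal satisfies the step's policy predicate.
struct Step {
    std::string name;
    std::function<bool(const Principal&)> policy;
};

class Workflow {
public:
    explicit Workflow(std::vector<Step> steps) : steps_(std::move(steps)) {}

    // Attempt step `name` as `who`. Every attempt, allowed or denied, is
    // appended to the audit trail so out-of-order or unauthorized attempts
    // remain visible to the auditor.
    bool perform(const std::string& name, const Principal& who) {
        bool ok = false;
        if (next_ < steps_.size() && steps_[next_].name == name) {
            ok = steps_[next_].policy(who);   // policy consulted only when in order
            if (ok) ++next_;
        }
        audit_.push_back(std::string(ok ? "ALLOW " : "DENY ") + name + " by " + who.name);
        return ok;
    }
    bool complete() const { return next_ == steps_.size(); }
    const std::vector<std::string>& audit() const { return audit_; }

private:
    std::vector<Step> steps_;
    std::size_t next_ = 0;           // index of the next step that may run
    std::vector<std::string> audit_;
};

// Policy predicate: the principal is authenticated and holds `role`.
std::function<bool(const Principal&)> requires_role(const std::string& role) {
    return [role](const Principal& p) { return p.authenticated && p.roles.count(role) > 0; };
}

// The decision sequence from the text: authenticate, authorize on a
// need-to-know basis, configure the network, conclude the decision.
Workflow make_decision_workflow() {
    std::vector<Step> steps = {
        Step{"authenticate", [](const Principal& p) { return p.authenticated; }},
        Step{"authorize",    requires_role("approver")},
        Step{"configure",    requires_role("operator")},
        Step{"conclude",     requires_role("approver")},
    };
    return Workflow(std::move(steps));
}

// Constructed scenario: an approver and an operator work through the
// sequence, with two attempts that must be refused.
Workflow run_scenario() {
    Principal alice{"alice", {"operator", "approver"}, true};
    Principal bob{"bob", {"operator"}, true};
    Workflow w = make_decision_workflow();
    w.perform("configure", bob);      // DENY: not the next step in sequence
    w.perform("authenticate", alice); // ALLOW
    w.perform("authorize", bob);      // DENY: bob lacks the approver role
    w.perform("authorize", alice);    // ALLOW
    w.perform("configure", bob);      // ALLOW: operator role suffices here
    w.perform("conclude", alice);     // ALLOW: workflow complete
    return w;
}

// Number of refused attempts recorded in the audit trail.
int count_denied(const Workflow& w) {
    int n = 0;
    for (const auto& line : w.audit()) if (line.rfind("DENY", 0) == 0) ++n;
    return n;
}

int main() {
    Workflow w = run_scenario();
    for (const auto& line : w.audit()) std::printf("%s\n", line.c_str());
    return (w.complete() && count_denied(w) == 2) ? 0 : 1;
}
```

The two denials in run_scenario() exercise the two checks separately: an out-of-order step is refused before its policy is even consulted, and an in-order step is refused when the principal lacks the required role. Both refusals still land in the audit trail, which is what a reviewer of a need-to-know decision needs to see.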


The requirements that should be served for the long term are as follows:

  Autonomous Virtual Object Model
  Distributed Database with Net Centric View
  Cross Domain Protection
  Multi-level Security

The Autonomous Virtual Object Model (AVOM) provides a powerful solution to system security. It is discussed in Phase IV, Patent Claim 13.0

Distributed Database with Net Centric View – IBM implemented a SLVS architecture within the AS/400 product line. The IBM system addressed multiple databases within a single enclosure. CyverONE will design a SLVS into the ViSioN System to provide a net-centric view of geographically distributed databases.

Cross Domain Vulnerability - Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. (Wikipedia) Note that XSS is a web-application vulnerability in which a browser runs attacker-supplied script; it is distinct from the cross-domain problem in the multilevel-security sense used elsewhere in this document, namely moving information between security domains of different classification under policy control, and the two call for different controls.

Multi-Level Security - Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with different sensitivities (i.e., at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. Wikipedia
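As an added example (not part of the original document or of CyverONE's software), the following C++ code implements the access decision that the definition above describes, using the Bell-LaPadula rules that classic MLS systems enforce: a subject may read an object only when the subject's label dominates the object's ("no read up"), and may write only when the object's label dominates the subject's ("no write down"). Compartments model need to know. The level names and the sample labels are constructed for illustration.

```cpp
// Added example (not CyverONE code): mandatory access control decisions
// for multilevel security, using the Bell-LaPadula rules. Level names and
// the sample labels are constructed for illustration.
#include <cstdio>
#include <set>
#include <string>

enum Level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

// A security label: a hierarchical level plus a set of need-to-know
// compartments. Subjects (users, processes) and objects (files, sessions)
// both carry one.
struct Label {
    Level level;
    std::set<std::string> compartments;
};

// a dominates b when a's level is at least b's and a holds every
// compartment b holds. This partial order drives every MLS decision.
bool dominates(const Label& a, const Label& b) {
    if (a.level < b.level) return false;
    for (const auto& c : b.compartments)
        if (a.compartments.count(c) == 0) return false;
    return true;
}

// Simple security property ("no read up"): a subject may read an object
// only if the subject's label dominates the object's label.
bool can_read(const Label& subject, const Label& object) {
    return dominates(subject, object);
}

// *-property ("no write down"): a subject may write an object only if the
// object's label dominates the subject's, so data cannot leak downward.
bool can_write(const Label& subject, const Label& object) {
    return dominates(object, subject);
}

// Constructed sample labels (assumptions, not from the document).
const Label kAnalyst{SECRET, {"OPS"}};
const Label kOpsReport{SECRET, {"OPS"}};
const Label kSigintReport{SECRET, {"OPS", "SIGINT"}};
const Label kTopSecretPlan{TOP_SECRET, {"OPS"}};
const Label kUnclassBulletin{UNCLASSIFIED, {}};

int main() {
    std::printf("read OPS report:    %d\n", can_read(kAnalyst, kOpsReport));       // 1
    std::printf("read SIGINT report: %d\n", can_read(kAnalyst, kSigintReport));    // 0: missing compartment
    std::printf("read TS plan:       %d\n", can_read(kAnalyst, kTopSecretPlan));   // 0: read up
    std::printf("write TS plan:      %d\n", can_write(kAnalyst, kTopSecretPlan));  // 1: write up is allowed
    std::printf("write unclass:      %d\n", can_write(kAnalyst, kUnclassBulletin));// 0: write down
    return 0;
}
```

Compartments are what enforce need to know: the analyst holds SECRET yet still cannot read the SECRET/SIGINT report. Strict Bell-LaPadula permits writing up (a SECRET subject writing into a TOP SECRET object); many deployed MLS systems restrict writes to objects at exactly the subject's label to protect integrity, which is a tightening of can_write rather than a change to the dominance test.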


Appendix C. Management's Related Experience

Kenneth D. Allen – President, Chairman of the Board and CEO

Ken has extensive experience developing COTS (Commercial Off The Shelf) products. As a founder of Microdata, he participated in the study of the minicomputer market that led to the design and development of the Micro 800, a unique microprogrammable computer. The study covered minicomputers produced by Digital Equipment Corporation, Interdata, Data General, General Automation, Computer Automation and Varian Data Machines. Ken was President of Microdata, leading the company to an initial public offering.

Ken defined the microcomputer that was MicroFive's initial product. The product competed with the IBM PC/AT. MicroFive developed the MicroStar operating system and database management system. The company participated in a joint venture with Jeumont Schneider, a major digital PBX manufacturer in France. MicroFive was sold to Samsung, the Korean electronics conglomerate. The company was acquired by McDonnell Douglas.

Ken's work at Burroughs Corporation led to the company's initial product entry into the computer mainframe market. Ken was instrumental in Burroughs acquiring a system management contract for the Airborne Long Range Input to SAGE (ALRI). Thereafter, Ken was assigned to defining requirements for the NORAD Command and Control System 425L, which interfaced the SAGE Air Defense System, the DEW Line, the Midas/Samos 117L satellite reconnaissance systems, Space Track and ballistic missile defense. The competition was the IBM SAGE System FSQ7A and the RCA commercial computer. Burroughs proposed a multi-processor that included two patent applications, virtual memory and the stack processor. The 425L computer became Burroughs' first commercial computer, the B5500. The 425L system computer led to Burroughs obtaining a contract for the USAF 473L intelligence system.

Ken was instrumental in obtaining the contract for the communication link connecting the Space Track satellite tracking sites with the Midas/Samos satellite tracking center at Sunnyvale. The ECT communication link applied the Bose-Chaudhuri error correction code in a high burst-noise environment over land lines. The product led to the formation of Paradyne Corporation.

MicroFive and Jeumont Schneider of Puteaux, France formed a joint venture, the Office Automation Corporation (OAC). The purpose of OAC was to integrate the Jeumont Schneider digital PBX with the MicroFive local area network. MicroFive was acquired by Samsung, the Korean conglomerate, because of the MicroFive IBM-compatible PC/AT with a no-wait-state memory access method, unique in the industry at that time.



Brad Arant – Founder, Vice President and Chief Technology Officer

As Director of Syndicated Office Systems, a division of Tenet Health Systems, Brad developed a work flow accounting and claims processing system. The competing source proposed the installation of eight mainframes at geographically distributed locations; Brad implemented a system that required only one AS/400. The system performed claims processing for a large chain of Tenet hospitals. The integrated policy and work flow management system achieved a unique level of operating efficiency. The system integrated the Nortel Meridian telecom switch with the IBM AS/400 data processing system. The Document Work Flow Management System was developed by Brad as an alternative to the FileNet system. The concepts perfected in the Tenet system will be extended and are the basis for the SBIR OSD12 IA2 Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems, Cross Domain and Multi-Level Security.

Brad developed the Suite B IPsec VPN in compliance with FIPS 140-2. The system is delivered on a virtual server that applies a MESH capability to configure both VMs and external routers. The system is designed to be automatically configured as an ad hoc secured network.

Brad developed the CyverONE Enterprise Class PBX, the basis for a major call center at Best Buy, Irvine, CA. The PBX has been integrated with a virtual server to support a hosted VoIP service, which has been deployed commercially to commercial accounts.

Brad developed the CyverONE Interactive Access Device (IAD). The IAD integrates a router, PBX, IPsec VPN and QoS. The product will co-exist with the Suite B IPsec VPN to facilitate the conversion of SIPRNET and IPNET to the Suite B secure end-point to end-point encryption system.

Brad is the creator of the CyverGIX Operating Environment. He manages development of our secure unified communication technology.

Brad created and developed a MESH Wireless Network and a learning management system for education.

As Program Development Manager for Mideo Systems, Brad developed an image processing system for storing forensic information for the crime labs, photo labs, medical examiners, justice department and law enforcement.

All of the product and system capabilities identified in these paragraphs are the basis for implementing the Adhoc Secured Network that targets support for SOCOM and other government agencies.

Matthew R. Link – Director of Software Development

Matthew Link has a proven track record of delivering multiple projects across multiple platforms, and is a highly technical manager with experience on multiple platforms in enterprise-wide environments.


  • Developed and deployed the CyverGIX operating system and Graphical User Interface for CyverONE. Implemented the NSA Suite B-compliant IPsec on CyverGIX.

  • Created a custom ANSI X12 270/271 eligibility interface to Medi-Cal, resulting in automated checks of eligibility status for incoming accounts. All account activity is monitored and auditable to ensure full HIPAA compliance.

  • Worked with various stakeholders and developers to design, create and implement an innovative forensic imaging management system for the law enforcement community. This product provides the ability to capture, store, manage and annotate digital assets with chain of custody tracking. This product is written in Visual Studio .NET using C# with seamless interfaces to Microsoft SQL Server, Oracle and MySQL.

  • Led all development teams for Tenet's Patient Financial Services (PFS) division with responsibility for all in-house and off-shore development teams. Provided direct management of all operations for the installation, service provisioning and support of the LAN, WAN, voice and data network infrastructure for Tenet's PFS division and all business offices.

  • Implemented barcode scanning of returning correspondence, resulting in an additional savings of $360,000.00 yearly.

  • Installed multiple new business office locations with the necessary equipment to support the needs of the Information Services group.

  • Implemented a proprietary predictive dialer that was developed in-house and returned efficiencies of 3:1 for participants in dialing campaigns. This initiative was so successful that it was expanded to allow inbound/outbound call blending. The inclusion of custom Interactive Voice Response in the mix allowed a granular level of control that could identify incoming accounts and route them directly to the appropriate agent without any interaction required on the part of the client.

  • Created a rule-based expert system to support a pseudo-intelligent Workload Balancing Monitor to increase batch throughput based on dynamically evaluated workload parameters with full workflow capabilities.

  • Created security software that allowed for password synchronization across all of the platforms. This provided consistent password expiration, password synchronization, and the ability to disable user profiles enterprise-wide with a single action.

  • Developed a utility that allowed for the sharing of spooled information across the entire enterprise regardless of platform.

  • Implemented the seventh installation of IBM Report Data Archival and Retrieval Systems with such success that IBM requested to purchase my suite of utilities from NME for inclusion in the RDARS (Visual Info) product.

Appendix D Biographical Summaries

Kenneth D. Allen - Founder and CEO

Ken founded CyverONE in 2004 with the mission to "Secure Communications." CyverONE has created a variety of proprietary secure communications software technologies, including the CyverGIX Virtual Application Server software, Virtual Secure Server software, a Virtual PBX software system and "Virtual Secret Network™" software for Android. Ken was a key contributor to the development of the Airborne Long Range Input (ALRI) to SAGE. The project led to the requirements definition and development of the Command and Control Center for the NORAD 425L System, which integrated a multi-processor that interfaced multiple command and control systems including the SAGE Air Defense System, Space Track, Midas/Samos 117L and the 473L intelligence system. Ken formulated the marketing strategy that successfully countered the IBM and RCA proposals. The 425L system development was the basis for the Burroughs B5500 data processing system, the first commercially successful multi-processor system. Ken was also Founder and CEO of MicroFive Corporation, Co-founder and CEO of Microdata Corporation, Executive Director of the Edudyne Foundation (a 501(c)(3) non-profit), Burroughs System Engineer on the NORAD Command and Control Systems, and System Engineer on the K-1 Bombing Navigation System for the Air Force Strategic Air Command.



Brad Arant - Chief Technology Officer

Brad is the creator of the CyverGIX Virtual Operating System, and manages development of our VM appliance technology and our AVOM security development initiatives. Prior to the creation of CyverGIX, Brad created and developed a MESH wireless network application for educational markets. As Founder and President of BARANT Technologies, Brad focused on the development of high quality software and on the Linux operating system. As both a private contractor and an employee of various companies, Brad has developed systems for financial accounting, collections, process control, pipeline product control, job costing and scheduling, payroll and a host of other applications. As Director of MIS for Tenet Health Systems, Brad developed a healthcare workflow system integrating Nortel unified communications, a patient record imaging system, and billing and financial reporting systems. The system implemented a Document Work Flow Management System as an alternative to FileNet. As Program Development Manager for Mideo Systems, Brad developed an image processing system for storing forensic information for crime labs, photo labs, medical examiners, the justice department and law enforcement. This system was implemented using Microsoft .NET and was adopted as a standard for law enforcement in Los Angeles and by other leading law enforcement agencies.



Matthew R. Link, Director of Software Engineering

Matt is co-creator of CyverONE's "Virtual Secret Network" software for its ViSioN System. He is a proven leader in all aspects of information technology, with experience directing major in-house and off-shore development teams, a proven track record of delivering multiple projects across multiple platforms, and a highly technical manager with experience on multiple platforms in enterprise-wide environments.

Consultant

Created a custom ANSI X12 270/271 eligibility interface to Medi-Cal, resulting in automated checks of eligibility status for incoming accounts. All account activity is monitored and auditable to ensure full HIPAA compliance.

Created a series of utilities allowing for the indexing, storage and retrieval of files scanned in from optical scanners with full application integration. All files are protected, access is audited, and stored files are encrypted to provide full HIPAA compliance.

Worked with various stakeholders and developers to design, create and implement an innovative forensic imaging management system for the law enforcement community. This product provides the ability to capture, store, manage and annotate digital assets with chain of custody tracking. This product is written in Visual Studio .NET using C# with seamless interfaces to Microsoft SQL Server, Oracle and MySQL.

Jon K. Hanour, Chief Operating Officer / Chief Financial Officer

Jon led Quiksilver to an initial public offering (IPO). While Jon served as Quiksilver's CFO and Vice President of Operations, the company grew from $4M to over $100M in annual sales. Jon was responsible for strategic planning, financial management, facilities management and warehousing operations, and made a significant contribution to the writing of Quiksilver's prospectus prior to going public. As CEO of the Shark Club, he created a new concept in entertainment that took Orange County and the country by surprise as an avant-garde restaurant and nightclub. Jon was a management consultant for KPMG, LLP in a multi-disciplinary practice. He earned his MBA, with honors, from the University of North Texas.



Chas Freeman, Consultant – Strategic Advisor
Chas. W. Freeman, Jr. is a former U.S. Ambassador to Saudi Arabia and former Assistant Secretary of Defense for International Security Affairs.

In 2009 Chas was selected by Director of National Intelligence Admiral Dennis Blair to chair the National Intelligence Council, an appointment from which he subsequently withdrew. After 30 years as a U.S. diplomat, he became the chairman of Projects International in 1995. He served as the principal interpreter during President Nixon's historic visit to China in 1972.

He is also currently president of the Middle East Policy Council, co-chair of the U.S. China Policy Foundation, vice-chair of the Atlantic Council, a trustee of the Institute for Defense Analyses — and a director of the Pacific Pension Institute.

Mr. Freeman has been published in The New York Times and wrote two books titled "Arts of Power: Statecraft and Diplomacy" and "The Diplomat's Dictionary." He attended the National Autonomous University of Mexico, received his A.B. from Yale University and a J.D. from the Harvard Law School.

He speaks fluent Chinese, French, Spanish and conversational Arabic. Mr. Freeman is the recipient of two Distinguished Public Service Awards, three Presidential Meritorious Service Awards and a Distinguished Honor Award.



Appendix E - Graphical User Interface

The CyverGUI (Graphical User Interface) simplifies the user interface and reduces system support cost. Centralized technical support shares GUI screens with the remotely located end user for network configuration, user training and network maintenance.





Appendix F – Intrusion Detection Systems

An advanced "object oriented" policy and work flow management system combined with an advanced intrusion detection system can be the basis for rerouting attackers and "attacking the attackers."

Reference: Tal Garfinkel and Mendel Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," Computer Science Department, Stanford University.

Appendix G ViSioN System Block Diagram

The diagrams present a view of the ViSioN System and the operating environment that is the foundation of the overall system.









In C++, constructors create and initialize objects and destructors tear them down. Managing object lifetime correctly, so that no copies of sensitive state are left behind, nothing is deleted twice and nothing is used after deletion, is not a trivial task.
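As an added example (not from the original document or from CyverGIX), the following C++ shows why creating and deleting objects is not trivial when the object holds key material: an RAII holder that wipes its memory in the destructor, forbids copying so keys are not silently duplicated, and transfers ownership on move so the key is wiped exactly once. SecureBuffer and secure_zero are illustrative names, and the 32-byte keys are constructed test data.

```cpp
// Added example (not CyverONE code): an RAII holder for key material that
// wipes its memory when the object is deleted and cannot be copied by
// accident. SecureBuffer and secure_zero are illustrative names.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <utility>
#include <vector>

// Overwrite memory through a volatile pointer so the compiler cannot drop
// the stores as "dead" writes to memory that is about to be freed.
void secure_zero(unsigned char* p, std::size_t n) {
    volatile unsigned char* vp = p;
    while (n--) *vp++ = 0;
}

class SecureBuffer {
public:
    explicit SecureBuffer(std::size_t n) : data_(n, 0) {}
    ~SecureBuffer() { wipe(); }                        // deletion always wipes

    SecureBuffer(const SecureBuffer&) = delete;        // no silent key copies
    SecureBuffer& operator=(const SecureBuffer&) = delete;

    // Moves transfer ownership; the moved-from object is left empty so its
    // destructor has nothing to wipe and the key is not wiped twice.
    SecureBuffer(SecureBuffer&& other) noexcept : data_(std::move(other.data_)) {
        other.data_.clear();
    }
    SecureBuffer& operator=(SecureBuffer&& other) noexcept {
        if (this != &other) {
            wipe();                                    // drop our old key first
            data_ = std::move(other.data_);
            other.data_.clear();
        }
        return *this;
    }

    unsigned char* data() { return data_.data(); }
    std::size_t size() const { return data_.size(); }

    // Zero the contents in place. Wipes are counted so lifetime behaviour
    // can be observed without ever reading freed memory.
    void wipe() {
        if (data_.empty()) return;
        secure_zero(data_.data(), data_.size());
        ++wipe_count_;
    }
    bool all_zero() const {
        for (unsigned char b : data_) if (b != 0) return false;
        return true;
    }
    static int wipe_count() { return wipe_count_; }

private:
    std::vector<unsigned char> data_;   // never resized: a reallocation would
                                        // leave an unwiped copy behind
    static int wipe_count_;
};
int SecureBuffer::wipe_count_ = 0;

// Fill a key (constructed data), wipe it explicitly, confirm every byte is zero.
bool fill_then_wipe_is_zero() {
    SecureBuffer key(32);
    std::memset(key.data(), 0xAA, key.size());
    key.wipe();
    return key.all_zero();
}

// Create a key, hand it to a new owner by move, and let both owners go out
// of scope. Exactly one wipe must occur: the moved-from object owns nothing.
int wipes_during_key_lifecycle() {
    int before = SecureBuffer::wipe_count();
    {
        SecureBuffer original(32);
        std::memset(original.data(), 0x5A, original.size());
        SecureBuffer new_owner(std::move(original));
        // ... new_owner.data() would feed the cryptographic operation here ...
    }   // new_owner wipes here; original is empty and wipes nothing
    return SecureBuffer::wipe_count() - before;
}

int main() {
    std::printf("explicit wipe zeroes the key: %d\n", fill_then_wipe_is_zero());
    std::printf("wipes during key lifecycle:   %d\n", wipes_during_key_lifecycle());
    return 0;
}
```

The volatile store loop stands in for a platform primitive such as memset_s or explicit_bzero, which are preferable where available. Deleting the copy operations turns an accidental key duplication into a compile error rather than a second, unwiped copy in memory.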




Appendix H - Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems

