Internal security system for IT infrastructures
An internal monitoring system with kernel-level multi-stage validation and automated threat intelligence addresses the limitations of external perimeter security by providing proactive, deterministic, and adaptive security with session-based isolation and retroactive detection.
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Utility models
- Current Assignee / Owner
- GÜMÜSDAL CANER
- Filing Date
- 2026-02-27
- Publication Date
- 2026-06-25
Description
Technical field

The present invention relates to a security system for IT infrastructures, in particular a system for detecting and neutralizing security threats, which operates as an internal monitoring system within the IT infrastructure. The invention specifically relates to extensions for session-based microsegmentation, outbound validation, retroactive threat detection, and automated threat intelligence processing.

State of the art

Conventional IT infrastructure security systems operate on the principle of an external protection layer. Firewalls, intrusion detection systems (IDS), and similar solutions form a protective barrier around the infrastructure to be protected. This architecture can be compared to armor: it protects from the outside, but is largely ineffective once this layer is breached. These perimeter-based approaches have several disadvantages:
• After breaching the external protection layer, an attacker has largely free access to the internal network.
• The response is reactive and only occurs after an attack has been detected at the perimeter.
• Internal threats (insider threats) are difficult to detect.
• The systems operate in user space and have no direct access to the kernel level.
• Decisions are often based on heuristic methods with high false-positive rates.

Well-known solutions such as Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM) and Network Detection and Response (NDR) address individual aspects of this problem, but not as an integrated system with kernel-level access and deterministic decision logic.
Furthermore, the following problems remain unresolved in the state of the art:
• No session-based isolation of individual actors with individual behavioral learning
• No systematic control of outgoing data traffic with nested cryptographic validation
• No retroactive detection of previously allowed threats when new signatures are discovered
• No automated derivation of security rules from external threat databases with a closed feedback mechanism

Comparison of architectural principles:

| Criterion | Conventional perimeter solution | System according to the invention |
| Position | External (around the infrastructure) | Internal (within the infrastructure) |
| Analogy | Armor | Immune system |
| System level | User space | Kernel space |
| Reaction | Reactive | Proactive |
| After a breach | Largely ineffective | Still active |
| Decision | Heuristic | Deterministic |
| Session isolation | Not available | Individual per actor |
| Outbound control | None or rudimentary | 5-layer cryptographic validation |
| Retroactive detection | Not available | Shadow log with automatic reverse scan |

Object of the invention

The present invention is based on the objective of providing a security system that does not operate as an external protective layer but as an internal monitoring system, and that remains functional even after external protective layers have been overcome. A further object is to provide a system that makes deterministic decisions based on multi-stage validation, thereby minimizing false-positive rates. Furthermore, the invention is based on the objective of providing session-based isolation of individual actors with organic behavioral learning, realizing a multi-stage cryptographic exit control, enabling retroactive threat detection based on shadow logs, and providing an automated threat intelligence pipeline with a closed feedback mechanism. These problems are solved by the features of claims 1 and 18. Advantageous embodiments are described in the dependent claims.

Solution

The invention solves these problems through a security system that operates on the principle of a biological immune system.
In contrast to conventional perimeter solutions, the system according to the invention is integrated into the data flow of the IT infrastructure and operates at the kernel level. The system initially comprises four main components according to claim 1:
a) First processing component (10): A component that operates at a system level below the network layer and analyzes data packets before they are processed by higher system layers.
b) Monitoring component (20): A component that is integrated into the data flow of the IT infrastructure and continuously analyzes it for anomalies.
c) Decision component (30): A component that classifies security threats using multi-stage validation. The hierarchical validation ensures that decisions are deterministic and traceable.
d) Response component (40): A component that automatically neutralizes detected threats. The automated response enables real-time defense without human intervention.

The key feature of the invention is that the system operates as an internal monitoring and defense system within the IT infrastructure and remains functional even after external security layers have been breached. This fundamentally distinguishes the system from conventional perimeter solutions.

According to claim 18, the system further comprises four extended components that interact as a closed loop according to the principle of a biological immune system: the session isolation component (80), the outbound validation component (90), the retroactive detection component (200) and the threat intelligence component (210).

Beneficial effects

Compared to the state of the art, the following advantages arise:
1. Protection after perimeter breach: The system remains active even if external protection layers have been breached. An attacker who overcomes the firewall faces the internal protection system.
2. Kernel-level analysis: By operating below the network layer, threats are detected before they reach higher system layers.
3. Deterministic decisions: Multi-stage validation enables precise decisions with minimal false-positive rates.
4. Individual actor isolation: Each authenticated actor receives its own security environment with individual behavioral learning. A compromised actor cannot access the security environments of other actors.
5. Collective intelligence: The aggregation of individual baselines enables the detection of anomalies that would not be detectable at the individual level.
6.7. Outbound control: Outgoing data is checked using nested cryptographic validation, preventing data exfiltration.
8. Retroactive detection: Data transfers that have already been allowed through are subsequently compared against new threat signatures, enabling the detection of attacks that initially went undetected.
9. Automated rule update: Security rules are automatically derived from external threat databases and validated, minimizing the response time to new threats.
10. Autonomous operation: In an extended embodiment, the system can operate autonomously even if the connection to the central control instance is interrupted.

Example of implementation

A preferred embodiment of the invention is explained in more detail below with reference to the drawings. Fig. 1 shows the schematic structure of the security system according to the invention with its core components, as well as the extended system structure with the additional components according to claim 18.

First processing component (10)

The first processing component (10) operates at the kernel level and analyzes incoming data packets (110) before they reach the network layer. In a preferred implementation, a kernel-level filtering technology is used for this purpose, which processes packets with minimal (sub-millisecond) latency.
The component performs the following functions:
• Packet inspection: each incoming packet is checked for known attack patterns
• Protocol validation: compliance with protocol specifications is verified
• Rate limiting: unusually high request volumes are detected and limited
• Early filtering: obviously malicious packets are dropped

One technical advantage of this arrangement is that suspicious packets can be isolated or discarded without affecting higher system layers or consuming their resources.

Monitoring component (20)

The monitoring component (20) is integrated into the data flow of the IT infrastructure (100). It continuously analyzes network traffic and system behavior for anomalies. The analysis is performed in several stages:

Stage 1 - Packet-level analysis:
• Analysis of source and destination addresses
• Examination of ports and protocols
• Detection of packet manipulation

Stage 2 - Behavioral analysis:
• Detection of unusual communication patterns
• Analysis of request volume and frequency
• Identification of anomalies over time

Stage 3 - Context analysis:
• Comparison with known threat indicators
• Correlation with historical data
• Evaluation in the context of business operations

In a preferred implementation, the monitoring component operates in a trusted execution environment, thereby ensuring the integrity of the analysis results.

Decision component (30)

The decision component (30) performs a multi-stage validation. In a preferred embodiment, this validation comprises at least three hierarchical stages.

Response component (40)

The response component (40) automatically neutralizes detected threats. Depending on the severity and type of threat, different responses are triggered: isolation of affected connections, neutralization of malicious packets, alerting of security personnel, and forensic documentation.
Central control instance (50) and executing instance (60)

In an extended embodiment (according to claim 8), the system comprises a central control instance (50) and at least one executing instance (60). The executing instance can operate autonomously if the connection to the control instance is interrupted; it then relies on locally stored security rules.

Multidimensional security grid (claim 14)

In a further embodiment, the monitoring component (20) includes a dynamic coordination unit that organizes security parameters in a multidimensional grid and shifts all coordinates pseudorandomly within a configurable time interval. Upon detection of a mismatch, the requester is forced to repeat the entire validation chain, without any error message.

Asymmetric computational effort limit (claim 15)

The first processing component (10) optionally includes a cost-limiting unit that assigns a computationally intensive validation problem to suspicious requesters. Verification of the solution takes constant processing time, resulting in an economic asymmetry between solving and verifying.

Polymorphic response diversification (claim 16)

The decision component (30) optionally includes a diversification unit that generates structurally different response variants and embeds forensic identification tokens in them.

Pre-authenticating cloaked gateway (claim 17)

The system optionally includes a gateway component (70) that cryptographically pre-authenticates incoming requests and answers unauthenticated requests with generic error responses that do not allow any inference about the downstream system.

Session isolation component (80) - claim 18

In a significant extension (according to claim 18), the system comprises a session isolation component (80). This component creates an individual security environment for each authenticated actor.
The analogy to the biological immune system is cell isolation: just as a biological immune system isolates infected cells to prevent spread, the session isolation component isolates each actor in its own security environment. The security environment includes a behavioral learning unit (81) that performs an organic learning process. The learning process comprises three phases:

Phase 1 - Observation: The learning unit observes the actor's behavior over a configurable period. In a preferred implementation, this period is seven days. During this phase, the system does not intervene.

Phase 2 - Baseline establishment: An individual normal distribution is derived from the observed behavioral patterns. In a preferred implementation, the baseline includes typical request patterns, access frequencies, and resource utilization.

Phase 3 - Active protection: Deviations from the baseline are classified as anomalies. The baseline is updated on a rolling basis so that the system adapts to organic changes in behavior.

A special feature is the collective baseline unit (82) according to claim 20. It aggregates the individual baselines of several actors of the same type; for example, all administrators of a system are grouped into one pool. Anomaly detection takes into account both the individual deviation and the deviation from the collective baseline, thereby detecting anomalies that would be inconspicuous at the individual level.

Dual-token architecture (claim 21)

The session isolation component (80) comprises a dual-token unit (83) with two complementary tokens:

Birth token (long-term): A hardware-bound token generated in a trusted execution environment. This token verifies the existence and identity of the security environment.

Transit token (short-term): A short-lived token for communication between security nodes. In a preferred implementation, this token is renewed every five minutes.
The removal of either token triggers the immediate destruction of the security environment. This ensures that manipulated or compromised environments are neutralized immediately. The destruction includes the volatile multiple overwriting of all session-related data.

Progressive escalation (claim 22)

The session isolation component (80) performs a progressive, multi-stage escalation. The escalation level is increased when anomalies are detected and reduced again when behavior is normal. This bidirectional adjustment occurs continuously and automatically. In a preferred implementation, the escalation comprises six stages: invisible logging, temporary delay, extended analysis, access restriction, extended lockout, and permanent notification of the system administrator. The escalation level is systematically reduced if normal behavior continues.

Outbound validation component (90) - claim 23

The outbound validation component (90) verifies outbound data traffic (120) using a cryptographic layer unit (91). In a preferred implementation, the layer unit comprises at least five nested validation layers:

Layer 1 - Time limit: Each data transmission receives a time-limited validation token with an expiration time and a unique random value.

Layer 2 - Context binding: A cryptographic message authentication code binds the transmission to its context (user identity, destination address, payload hash, source address).

Layer 3 - Asymmetric signature: An asymmetric cryptographic signature, whose private key remains in the trusted execution environment, confirms the authenticity of the transmission.

Layer 4 - Actor verification: Verification ensures that the transmission originates from an authorized actor.

Layer 5 - Zero-knowledge output: The data to be transmitted leaves the trusted execution environment directly, without the application layer having access to the plaintext of the output token (according to claim 25).
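The nesting of layers 1 to 4 and the handle-only interface of layer 5, as an added Go example written for this page (not code from the patent or from any product); the Enclave type as a stand-in for the trusted execution environment, single-use handles, the 16-byte nonce, HMAC-SHA256 and Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"time"
)

// Context is what layer 2 binds a transmission to (claim 24).
type Context struct {
	UserID, Dest, Src string
	PayloadHash       [32]byte
}

func (c Context) bytes() []byte {
	return append([]byte(c.UserID+"|"+c.Dest+"|"+c.Src+"|"), c.PayloadHash[:]...)
}

// token holds layers 1-4. It stays inside the enclave; the application layer
// only ever receives an opaque handle to it (layer 5, claim 25).
type token struct {
	expiry int64  // layer 1: expiration time (unix seconds)
	nonce  []byte // layer 1: unique random value
	ctxMAC []byte // layer 2: HMAC over layer 1 and the context
	sig    []byte // layer 3: Ed25519 signature over layers 1-2
	actor  string // layer 4: originating actor
	actMAC []byte // layer 4: HMAC over layers 1-3 and the actor id
}

// Enclave is a constructed stand-in for the trusted execution environment:
// the MAC key and the private signing key are used only inside its methods.
type Enclave struct {
	macKey []byte
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	actors map[string]bool   // authorized actors (layer 4)
	tokens map[string]*token // issued tokens by opaque handle
	now    func() time.Time  // injectable clock for the expiry check
}

func NewEnclave(authorized []string) (*Enclave, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	e := &Enclave{macKey: make([]byte, 32), priv: priv, pub: pub, now: time.Now,
		actors: map[string]bool{}, tokens: map[string]*token{}}
	if _, err := rand.Read(e.macKey); err != nil { return nil, err }
	for _, a := range authorized { e.actors[a] = true }
	return e, nil
}

func (e *Enclave) mac(parts ...[]byte) []byte {
	m := hmac.New(sha256.New, e.macKey)
	for _, p := range parts { m.Write(p) }
	return m.Sum(nil)
}

func layer1(t *token) []byte { // time limit and nonce; every later layer covers it
	b := make([]byte, 8, 8+len(t.nonce))
	binary.BigEndian.PutUint64(b, uint64(t.expiry))
	return append(b, t.nonce...)
}

// Issue builds layers 1-4 for one transmission and returns only a handle.
func (e *Enclave) Issue(actor string, ctx Context, ttl time.Duration) (string, error) {
	if !e.actors[actor] { return "", errors.New("layer 4: actor not authorized") }
	rnd := make([]byte, 32) // 16 bytes nonce, 16 bytes handle
	if _, err := rand.Read(rnd); err != nil { return "", err }
	t := &token{expiry: e.now().Add(ttl).Unix(), nonce: rnd[:16], actor: actor}
	t.ctxMAC = e.mac(layer1(t), ctx.bytes())                     // layer 2 covers 1
	t.sig = ed25519.Sign(e.priv, append(layer1(t), t.ctxMAC...)) // layer 3 covers 1-2
	t.actMAC = e.mac(layer1(t), t.ctxMAC, t.sig, []byte(actor))  // layer 4 covers 1-3
	handle := hex.EncodeToString(rnd[16:])
	e.tokens[handle] = t
	return handle, nil
}

// Release re-checks every layer against the context presented at the exit and
// returns the payload only if all hold. Handles are single use (an assumption).
func (e *Enclave) Release(handle string, ctx Context, payload []byte) ([]byte, error) {
	t, ok := e.tokens[handle]
	if !ok { return nil, errors.New("layer 5: unknown or already used handle") }
	delete(e.tokens, handle)
	switch {
	case e.now().Unix() > t.expiry:
		return nil, errors.New("layer 1: token expired")
	case sha256.Sum256(payload) != ctx.PayloadHash, !hmac.Equal(t.ctxMAC, e.mac(layer1(t), ctx.bytes())):
		return nil, errors.New("layer 2: context or payload mismatch")
	case !ed25519.Verify(e.pub, append(layer1(t), t.ctxMAC...), t.sig):
		return nil, errors.New("layer 3: signature invalid")
	case !e.actors[t.actor], !hmac.Equal(t.actMAC, e.mac(layer1(t), t.ctxMAC, t.sig, []byte(t.actor))):
		return nil, errors.New("layer 4: actor verification failed")
	}
	return payload, nil
}
```

Because each MAC or signature is computed over the serialised output of the layers before it, changing the destination, the payload or the actor invalidates every layer from 2 upwards at once, which is the property the description attributes to the nesting.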
Each layer incorporates the validation results of all previous layers, so an attacker must breach all layers simultaneously to bypass the outbound control.

Retroactive detection component (200) - claim 26

The retroactive detection component (200) addresses the problem that a threat may not yet have been recognized as such at the time of its transmission. The analogy to the biological immune system is antibody memory: just as an immune system remembers past infections and reacts more quickly upon renewed contact, the retroactive detection component compares already transmitted transfers against newly discovered signatures. The component includes a shadow log unit (201) that stores a cryptographic hash for each transmitted data transfer. In a preferred implementation, no user data is stored, only hash values, timestamps, and metadata. Detection is performed in three layers (according to claim 26):

Layer 1 - Exact hash match: Fast check for identical byte sequences using cryptographic hash functions.

Layer 2 - Pattern-based detection: Check against signature rules that recognize variants of an attack pattern.

Layer 3 - Behavioral similarity detection: Check using fuzzy hashing, which recognizes similarities between different threats even if they differ in individual bytes.

The layers are arranged sequentially from fast and precise to slow and tolerant, thereby optimizing the computational effort. The signature storage unit (202) secures stored malicious code by means of cryptographic sealing (according to claim 27). The integrity check is performed without reconstructing the plaintext content, and deletion is carried out by multiple overwriting with a volatile write guarantee.

Threat intelligence component (210) - claim 28

The threat intelligence component (210) implements an automated pipeline for deriving security rules from external threat databases.
The analogy to the biological immune system is bone marrow: just as bone marrow constantly produces new immune cells, the threat intelligence component constantly generates new security rules. The pipeline comprises the following stages:

Stage 1 - Collection: Automatic querying of at least two external threat databases. In a preferred implementation, public vulnerability databases and catalogs of critical vulnerabilities are queried.

Stage 2 - Analysis: Classification of the collected threat information and assignment to the relevant security modules of the system.

Stage 3 - Rule generation: The rule generation unit (211) derives machine-readable security rules from the analyzed threats.

Stage 4 - Validation: The validation unit (212) checks the generated rules in multiple stages: syntactic correctness, performance impact, false-positive rate, and effectiveness against the target threat.

Stage 5 - Deployment: Validated rules are deployed atomically with cryptographic signing. In a preferred implementation, deployment occurs without interrupting ongoing operations (hot reload).

The pipeline is traversed cyclically at a configurable time interval. In a preferred implementation, this interval is fifteen minutes.

Closed feedback mechanism (claim 29)

The pipeline includes a closed feedback mechanism (according to claim 29). If an increased false-positive rate is measured for a generated rule, the rule is automatically improved. If a configurable threshold is exceeded, the rule is automatically removed. This mechanism ensures that the quality of the security rules is continuously improved and that faulty rules do not accumulate. The analogy to the biological immune system is the regulation of immune cells: overreacting immune cells (autoimmune reaction) are eliminated, as are overreacting security rules (false positives).
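The four checks of the validation unit (212), the hot-reload swap of stage 5 and the feedback rule of claim 29, as an added Go example written for this page rather than code from the patent; regular expressions as the rule form, the threshold values, the constructed benign corpus and treating "improvement" as handing the rule back to the generation unit are assumptions, and the cryptographic signing of the deployed set is not shown.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"sync"
	"time"
)

// ThreatRecord is a constructed stand-in for one collected threat-database entry
// (stage 1) after analysis (stage 2) has proposed a pattern and attached samples.
type ThreatRecord struct {
	ID, Pattern string
	Samples     []string // observed malicious inputs the rule must catch
}

// Rule is the machine-readable form from the rule generation unit (211) plus feedback counters.
type Rule struct {
	ID   string
	re   *regexp.Regexp
	hits int // firings in live traffic
	fps  int // firings reported back as false positives
}

// Pipeline models the validation unit (212), atomic hot-reload deployment and the
// closed feedback loop of claim 29. The threshold values are assumptions.
type Pipeline struct {
	Benign     []string      // known-good traffic sample for the false-positive check
	MaxFPRate  float64       // validation: tolerated false-positive rate on Benign
	ImproveAt  float64       // feedback: rate above which a rule goes back for improvement
	RemoveAt   float64       // feedback: rate above which a rule is removed
	EvalBudget time.Duration // performance-impact check: time allowed to scan Benign
	mu         sync.Mutex
	active     map[string]*Rule
}

// SampleBenign is a constructed known-good traffic sample for the checks below.
var SampleBenign = []string{"GET /index.html", "POST /api/login user=alice", "GET /static/app.js", "cmd=status"}

func NewPipeline(benign []string) *Pipeline {
	return &Pipeline{Benign: benign, MaxFPRate: 0.05, ImproveAt: 0.15, RemoveAt: 0.5,
		EvalBudget: 100 * time.Millisecond, active: map[string]*Rule{}}
}

// Validate runs the four stage-4 checks in order: syntactic correctness,
// performance impact, false-positive rate and effectiveness against the target threat.
func (p *Pipeline) Validate(tr ThreatRecord) (*Rule, error) {
	re, err := regexp.Compile(tr.Pattern)
	if err != nil { return nil, fmt.Errorf("%s: syntax: %w", tr.ID, err) }
	start, fp := time.Now(), 0
	for _, b := range p.Benign { if re.MatchString(b) { fp++ } }
	if d := time.Since(start); d > p.EvalBudget { return nil, fmt.Errorf("%s: performance: %v over budget", tr.ID, d) }
	if rate := float64(fp) / float64(len(p.Benign)); rate > p.MaxFPRate {
		return nil, fmt.Errorf("%s: false-positive rate %.2f on benign sample", tr.ID, rate)
	}
	for _, s := range tr.Samples { if !re.MatchString(s) { return nil, fmt.Errorf("%s: ineffective against sample %q", tr.ID, s) } }
	return &Rule{ID: tr.ID, re: re}, nil
}

// Deploy validates a batch and swaps the whole rule set in one step (stage 5):
// existing rules stay live during the reload and rejected records change nothing.
func (p *Pipeline) Deploy(batch []ThreatRecord) (accepted []string, rejected []error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	next := make(map[string]*Rule, len(p.active)+len(batch))
	for id, r := range p.active { next[id] = r }
	for _, tr := range batch {
		r, err := p.Validate(tr)
		if err != nil { rejected = append(rejected, err); continue }
		next[r.ID] = r
		accepted = append(accepted, r.ID)
	}
	p.active = next
	return accepted, rejected
}

// Match evaluates live traffic against the active rules and counts firings.
func (p *Pipeline) Match(input string) []string {
	p.mu.Lock()
	defer p.mu.Unlock()
	var fired []string
	for id, r := range p.active { if r.re.MatchString(input) { r.hits++; fired = append(fired, id) } }
	sort.Strings(fired)
	return fired
}

// Feedback closes the loop (claim 29): a firing reported as a false positive raises the
// rule's rate; above ImproveAt the rule is handed back for regeneration, above RemoveAt it is removed.
func (p *Pipeline) Feedback(ruleID string) string {
	p.mu.Lock()
	defer p.mu.Unlock()
	r, ok := p.active[ruleID]
	if !ok || r.hits == 0 { return "unknown" }
	r.fps++
	rate := float64(r.fps) / float64(r.hits)
	switch {
	case rate > p.RemoveAt:
		delete(p.active, ruleID)
		return "remove"
	case rate > p.ImproveAt:
		return "improve"
	}
	return "keep"
}
```

A scheduler calling Deploy every fifteen minutes with the freshly collected records would give the cyclic traversal the description specifies.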
Interaction of the components

The components (80, 90, 200, 210) work together as a closed loop:
• The threat intelligence component (210) provides new signatures to the retroactive detection component (200).
• The retroactive detection component (200) identifies threats retrospectively and informs the session isolation component (80).
• The session isolation component (80) escalates affected actors and signals this to the outbound validation component (90).
• The outbound validation component (90) becomes more restrictive for escalated actors and reports suspicious patterns to the threat intelligence component (210).

This cycle creates an adaptive system that becomes stronger with each detected attack, analogous to a biological immune system that becomes more resistant after each infection it overcomes.

Bypass prevention through network topology

A key feature of the session isolation component (80) is that it cannot be bypassed, which is ensured not only by software rules but also by the network topology. In a preferred implementation, the session isolation component is the last point of contact before the customer system. Outgoing data from the outbound validation component (90) is transmitted to the session isolation component (80) exclusively via an isolated communication channel. There is no alternative path to the customer system.

Actor types

The session isolation component (80) distinguishes between different actor types and assigns a corresponding security environment to each type:

| Actor type | Security environment | Note |
| Authenticated user | Individual environment | Behavioral learning per user |
| Administrator | Individual environment | Even privileged actors are monitored |
| Authorized automated actor | Permanent environment | Stable baseline for service-to-service communication |
| Unauthorized automated actor | No environment | Rejection without token issuance |

Immune system analogy

The system according to the invention operates entirely on the principle of a biological immune system.
The following table shows the correspondences:

| Biological immune system | System component | Claim |
| Skin (outer barrier) | Gateway component (70) + first processing component (10) | 1, 17 |
| Innate immunity | Retroactive detection component (200), 3-layer detection | 26 |
| Cell isolation | Session isolation component (80), armored-glass environment | 18 |
| Antibody memory | Shadow log unit (201), retroactive matching | 26 |
| Collective learning | Collective baseline unit (82) | 20 |
| Lymph nodes (exit control) | Outbound validation component (90), 5-layer exit | 23 |
| Bone marrow (cell renewal) | Threat intelligence component (210), rule pipeline | 28 |
| Apoptosis (self-destruction) | Token withdrawal → destruction of the environment | 21 |

Reference symbol list

10 First processing component (kernel-level filtering unit)
20 Monitoring component (in-datapath analysis unit)
30 Decision component (multi-stage validation unit)
40 Response component (automated neutralization unit)
50 Central control instance (sovereign)
60 Executing instance
70 Gateway component (pre-authenticating cloaked gateway)
80 Session isolation component (runtime session containment)
81 Behavioral learning unit (organic learning method)
82 Collective baseline unit (actor type aggregation)
83 Dual-token unit (birth token and transit token)
84 Escalation unit (progressive multi-stage escalation)
90 Outbound validation component (exit authentication)
91 Cryptographic layer unit (nested validation)
100 IT infrastructure (protected system)
110 Incoming traffic
120 Outgoing traffic
200 Retroactive detection component (post-threat detection)
201 Shadow log unit (cryptographic transfer log)
202 Signature storage unit (cryptographically sealed samples)
210 Threat intelligence component (automated rule pipeline)
211 Rule generation unit (signature derivation from threat data)
212 Validation unit (multi-stage rule check)

The reference numerals in the drawing (Fig. 1) correspond to the reference numerals used in the description and the claims.
Claims
1. Security system for IT infrastructures, comprising:
a) at least one first processing component (10) operating at a system level below the network layer and analyzing data packets before they are processed by higher system layers;
b) at least one monitoring component (20) integrated into the data flow of the IT infrastructure (100) and continuously analyzing it for anomalies;
c) at least one decision component (30) configured to classify security threats using multi-stage validation;
d) at least one response component (40) configured to automatically neutralize detected threats;
wherein the security system operates as an internal monitoring and defense system within the IT infrastructure (100) and remains functional even after external protection layers have been overcome.

2. Security system according to claim 1, characterized in that the first processing component (10) operates at the kernel level of the operating system and processes data packets with a latency of less than one millisecond.

3. Security system according to claim 1 or 2, characterized in that the monitoring component (20) performs a multi-layered analysis comprising:
- a packet-level analysis;
- a behavioral analysis; and
- a context analysis.

4. Security system according to one of the preceding claims, characterized in that the decision component (30) performs a hierarchical validation with at least three stages.

5. Security system according to one of the preceding claims, characterized in that the response component (40) can perform at least one of the following reactions:
- isolation of affected connections;
- neutralization of harmful data packets;
- alerting of security personnel;
- forensic documentation of the incident.

6. Security system according to one of the preceding claims, characterized in that the system can be configured as an extension module for third-party security infrastructures, wherein the system can exercise a right of veto over decisions of the third-party system.
7. Security system according to one of the preceding claims, characterized in that the decision component (30) uses hardware-bound authentication in which decisions are linked to a physical device identity.

8. Security system according to one of the preceding claims, characterized in that the system comprises a central control instance (50) and at least one executing instance (60), wherein the executing instance can operate autonomously when the connection to the control instance is interrupted.

9. Security system according to claim 8, characterized in that the executing instance (60) resorts to locally stored security rules in the event of an interrupted connection to the control instance (50).

10. Security system according to one of the preceding claims, characterized in that the monitoring component (20) operates in a trusted execution environment.

11. Security system according to one of the preceding claims, characterized in that the system includes a forensic component that archives attack data in encrypted form.

12. Security system according to one of the preceding claims, characterized in that the communication between the components takes place via an isolated communication channel.

13. Security system according to one of the preceding claims, characterized in that the system can be operated both as a standalone system and as an extension module for existing security infrastructures.
14. Security system according to any one of claims 1 to 3, characterized in that the monitoring component (20) comprises a dynamic coordination unit configured to:
a) organize security parameters in a multidimensional grid of at least n×m positions, each position representing a set of validation coordinates;
b) pseudorandomly shift all coordinates of the grid in a configurable time interval, such that the validation landscape continuously changes for a requester;
c) trigger a complete reset mechanism upon detection of a mismatch between the coordinates transmitted by a requester and the current grid state, forcing the requester to repeat the entire validation chain from the beginning;
wherein the reset mechanism occurs without an error message or other notification to the requester.

15. Security system according to claim 1 or 2, characterized in that the first processing component (10) comprises a cost-limiting unit configured:
a) upon detection of potentially security-relevant query behavior, to assign to the requesting system a computationally intensive validation problem, the solution of which requires asymmetrically higher computing power than its verification;
b) to perform the verification of the solution supplied by the requesting system with constant processing time;
wherein the cost-limiting unit operates at a system level below the network layer and the processing is stateless.
16. Security system according to one of the preceding claims, characterized in that the decision component (30) comprises a diversification unit configured:
a) to generate one of n structurally different response variants for each incoming request from a requester classified as suspicious, wherein each variant contains the same information content for an authorized recipient;
b) to embed an individual forensic identification token in each response variant, which enables tracing via the forensic component according to claim 11;
wherein the structural diversity of the response variants is designed such that automated extraction of consistent data structures by the requester is prevented.

17. Security system according to claim 1, characterized in that the system comprises a gateway component (70) upstream of the first processing component (10), which is configured:
a) to validate incoming requests using a cryptographic authentication token before they reach the first processing component (10);
b) to respond to unauthenticated requests with a generic error response that does not allow any inference to be made about the existence, type or configuration of the downstream security system;
wherein the gateway component (70) does not disclose any metadata, service information or processing instructions to unauthenticated requesters.
18. Security system according to one of the preceding claims, characterized in that the system further comprises:
a) a session isolation component (80) that generates an individual security environment for each authenticated actor, wherein the security environment comprises a behavioral learning unit (81) that observes the actor's behavior over a configurable learning period and derives an individual behavioral baseline from it;
b) an outbound validation component (90) that checks outbound data traffic (120) by means of at least three nested cryptographic validation layers before data leaves the IT infrastructure (100);
c) a retroactive detection component (200) that stores already passed data transfers in a shadow log unit (201) and subsequently compares them against newly added threat signatures;
d) a threat intelligence component (210) that automatically derives security rules from external threat databases and checks them via a validation unit (212) before they are activated;
wherein the components (80, 90, 200, 210) work together as a closed loop and the system operates according to the principle of a biological immune system.

19. Security system according to claim 18, characterized in that the behavioral learning unit (81) performs an organic learning process comprising:
- an observation phase without intervention authority;
- a baseline formation phase in which an individual normal distribution is derived from the observed behavioral patterns;
- an active protection phase in which deviations from the baseline are classified as anomalies;
wherein the baseline is updated on a rolling basis.

20. Security system according to claim 18 or 19, characterized in that the session isolation component (80) comprises a collective baseline unit (82) that aggregates individual baselines of several actors of the same type, wherein the anomaly detection takes into account both the individual deviation and the deviation from the collective baseline.
21. Security system according to one of claims 18 to 20, characterized in that the session isolation component (80) comprises a dual-token unit (83) with:
- a hardware-bound long-term token generated in a trusted execution environment; and
- a short-lived transit token for communication between security nodes;
wherein the removal of either token triggers the immediate destruction of the security environment.

22. Security system according to one of claims 18 to 21, characterized in that the session isolation component (80) performs a progressive multi-stage escalation, wherein:
- the escalation level is increased in the case of detected anomalies;
- the escalation level is reduced again in the case of normal behavior;
wherein the bidirectional adjustment is continuous and automated.

23. Security system according to claim 18, characterized in that the outbound validation component (90) comprises a cryptographic layer unit (91) with at least five nested validation layers, each layer including the validation results of all previous layers, so that an attacker must breach all layers simultaneously.

24. Security system according to claim 23, characterized in that at least one validation layer comprises context-bound token creation, wherein the token is cryptographically bound to the user identity, the destination address, the payload hash and the source address.

25. Security system according to claim 23 or 24, characterized in that the data to be transmitted leaves the trusted execution environment directly without the application layer having access to plaintext data of the output token.

26. Security system according to claim 18, characterized in that the retroactive detection component (200) performs staggered detection in at least three layers:
- first layer: exact hash matching;
- second layer: pattern-based detection using signature rules;
- third layer: behavioral-similarity detection using fuzzy hashing;
wherein the layers are arranged sequentially from fast and exact to slow and tolerant.
27. Security system according to claim 26, characterized in that the signature storage unit (202) secures stored malicious code by means of cryptographic sealing, wherein the integrity check is performed without reconstruction of the plaintext content and the deletion is carried out by means of multiple overwriting with a volatile write guarantee.

28. Security system according to claim 18, characterized in that the threat intelligence component (210) comprises a closed pipeline with:
- automatic collection from at least two external threat databases;
- automatic rule generation by means of the rule generation unit (211);
- multi-stage validation by the validation unit (212);
- atomic provisioning with cryptographic signing;
wherein the pipeline is traversed cyclically in a configurable time interval.

29. Security system according to claim 28, characterized in that the pipeline comprises a closed feedback mechanism in which false-positive reports lead to automatic rule improvement and, if a configurable threshold is exceeded, to automatic rule removal.