Methods and apparatus for adaptive server reprovisioning under security assault

US 20050198530A1
Filed: 12/12/2003
Published: 09/08/2005
Est. Priority Date: 12/12/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for automated adaptive reprovisioning of servers under security assault, the method comprising:

detecting a security assault or a possible security assault on a first server; and

reprovisioning by automatically creating a new server instance with a desired new server configuration to perform at least one of the tasks performed by said first server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for automated adaptive reprovisioning of servers under security assault. The method comprises detecting a security assault or a possible security assault on a first server, and reprovisioning by automatically creating a new server instance with a desired new server configuration to perform at least one of the tasks performed by said server.

23 Citations

View as Search Results

30 Claims

1. A method for automated adaptive reprovisioning of servers under security assault, the method comprising:
- detecting a security assault or a possible security assault on a first server; and
  
  reprovisioning by automatically creating a new server instance with a desired new server configuration to perform at least one of the tasks performed by said first server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein said detecting comprises determining if said first server is a candidate for reprovisioning, because of properties or behavior that suggest its security has been compromised or is likely to be compromised, or its functioning otherwise unacceptably impaired, by a security assault.
  - 3. The method of claim 1, wherein said reprovisioning comprises automatically bringing up said new server instance, or otherwise making available said new server instance to customers or other users of said first server.
  - 4. The method of claim 1, further comprising bringing down said first server prior to said reprovisioning.
  - 5. The method of claim 1, wherein said new server instance brought up in said reprovisioning differs from said first server in at least one parameter.
  - 6. The method of claim 1, wherein a difference between said new server instance and said first server is responsive to whether or not other security incidents have been detected in a network to which said servers are coupled.
  - 7. The method of claim 1, wherein a difference between said new server instance and said first server is responsive to a nature of any other security incidents that have been detected in said network to which said servers are coupled.
  - 8. The method of claim 1, wherein a difference between said new server instance and said first server is responsive to a probable compromise or a functional impairment observed in said detection.
  - 9. The method of claim 1, wherein a difference between said new server instance and said first server includes a version of server software used by said servers.
  - 10. The method of claim 1, wherein a difference between said new server instance and said first server includes a version of operating system software used by said servers.
  - 11. The method of claim 1, wherein a difference between said new server instance and said first server includes a version of network connectivity software used by said servers.
  - 12. The method of claim 1, wherein a difference between said new server instance and said first server includes strength of encryption used by said servers.
  - 13. The method of claim 1, wherein a difference between said new server instance and said first server includes a degree of function offered to users by said servers.
  - 14. The method of claim 1, wherein said new server instance brought up in said reprovisioning differs from said first server only if more than a fixed number of instances of probable server compromise have been observed.
  - 15. The method of claim 1, wherein a difference between said new server instance and said first server is responsive to a number of probable server compromises that have been observed.
  - 16. The method of claim 1, wherein said server comprises a computer providing services through a network.
  - 17. The method of claim 1, wherein said server comprises a program running on a network-coupled computer, providing services through a network.
  - 18. The method of claim 1, wherein said reprovisioning comprises selecting said desired new server configuration for said new server instance from a plurality of new server configurations.
  - 19. The method of claim 18, wherein said selecting said desired new server configuration for said new server instance comprises selecting a new server configuration from a table of new server configurations.
  - 20. The method of claim 18, wherein said selecting said desired new server configuration for said new server instance comprises randomly selecting a new server configuration from among all new server configurations in a table.
  - 21. The method of claim 18, wherein said selecting said desired new server configuration for said new server instance comprises randomly selecting a new server configuration from among all new server configurations in a table for which no probable compromise has been observed.
  - 22. The method of claim 18, wherein said selecting said desired new server configuration for said new server instance comprises indexing into a table according to a number of times a server providing a function of said first server has been subject to probable compromise.

23. A computer-readable medium having stored thereon a plurality of instructions for automated adaptive reprovisioning of servers under security assault, said plurality of instructions including instructions which, when executed by a processor, cause said processor to perform:
- detecting a security assault or a possible security assault on a first server; and
  
  reprovisioning by automatically creating a new server instance with a desired new server configuration to perform at least one of the tasks performed by said first server.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The computer-readable medium of claim 23, wherein said detecting comprises determining if said first server is a candidate for reprovisioning, because of properties or behavior that suggest its security has been compromised or is likely to be compromised, or its functioning otherwise unacceptably impaired, by a security assault.
  - 25. The computer-readable medium of claim 23, wherein said reprovisioning comprises automatically bringing up said new server instance, or otherwise making available said new server instance to customers or other users of said first server.
  - 26. The computer-readable medium of claim 23, further comprising bringing down said first server prior to said reprovisioning.
  - 27. The computer-readable medium of claim 23, wherein said new server instance brought up in said reprovisioning differs from said first server in at least one parameter.
  - 28. The computer-readable medium of claim 23, wherein a difference between said new server instance and said first server is responsive to whether or not other security incidents have been detected in a network to which said servers are coupled.
  - 29. The computer-readable medium of claim 23, wherein a difference between said new server instance and said first server is responsive to a nature of any other security incidents that have been detected in said network to which said servers are coupled.

30. A system for automated adaptive reprovisioning of servers under security assault, the system comprising:
- a first server;
  
  a security monitor, coupled to said first server, for detecting if said first server is a candidate for automatic reprovisioning with a new server instance; and
  
  a provisioner, coupled to said first server, for automatically reprovisioning said server with said new server instance if said server is such a candidate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Pandey, Prashant, Whalley, Ian N., Chess, David M., White, Steve R.

Application Number

US10/734,802
Publication Number

US 20050198530A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1441 Countermeasures against mal...

Methods and apparatus for adaptive server reprovisioning under security assault

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for adaptive server reprovisioning under security assault

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links