Techniques for self-isolation of networked devices

US 20060005245A1
Filed: 06/09/2004
Published: 01/05/2006
Est. Priority Date: 06/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing a security analysis of a host electronic system coupled with a network; and

selectively disabling one or more devices coupled with a host bus in response to results of the security analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.

Citations

42 Claims

1. A method comprising:
- performing a security analysis of a host electronic system coupled with a network; and
  
  selectively disabling one or more devices coupled with a host bus in response to results of the security analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein performing the security analysis of the host electronic system comprises:
    - searching files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters; and
      
      generating an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 3. The method of claim 2 wherein searching the files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters comprises:
    - searching volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters; and
      
      searching non-volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters.
  - 4. The method of claim 2 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of current security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 5. The method of claim 2 wherein the predefined risk parameters are administratively configured.
  - 6. The method of claim 2 wherein the predefined risk parameters are received from a remote device.
  - 7. The method of claim 1 wherein performing a risk assessment self-analysis of a host electronic system coupled with a network comprises:
    - monitoring network traffic with the host electronic system; and
      
      generating an indication of a risk condition, if the network traffic is not within predetermined operating parameters.
  - 8. The method of claim 7 wherein the predetermined operating parameters comprise:
    - an acceptable network traffic volume, acceptable destinations, acceptable sources, acceptable operational time, acceptable traffic types identified by port, acceptable traffic types identified by protocol, acceptable traffic types identified by address and acceptable traffic types identified by header information.
  - 9. The method of claim 1 wherein selectively self-isolating the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis comprises:
    - analyzing the risk assessment result to determine whether one or more risk conditions exists; and
      
      logically disabling one or more network interface in response to a positive determination that one or more risk conditions exists.
  - 10. The method of claim 9 wherein logically disabling one or more network interfaces in response to a positive determination that one or more risk conditions exists comprises writing a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.
  - 11. The method of claim 10 wherein writing a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation comprises writing the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to each of the one or more network interfaces.
  - 12. The method of claim 1 further comprising maintaining an out-of-band network connection during the self-isolation to support remedial actions in response to the results of the security analysis.
  - 13. The method of claim 12 wherein the out-of-band network connection is not accessible by a host operating system.
  - 14. The method of claim 12 further comprising resolving a risk condition by communicating with a remote device via the out-of-band connection during self-isolation.

15. An article comprising a machine-readable medium having stored thereon instructions that, when executed, cause one or more processors to:
- perform a risk assessment self-analysis of a host electronic system coupled with a network; and
  
  selectively self-isolate the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The article of claim 15 wherein the instructions that cause the one or more processors to perform a risk assessment self-analysis of a host electronic system comprise instructions that, when executed, cause the one or more processors to:
    - search files of the host electronic system for predetermined indications corresponding to one or more risk conditions; and
      
      generate an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 17. The article of claim 16 wherein the instructions that cause the one or more processors to search the files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters comprise instructions that, when executed, cause the one or more processors to:
    - search volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters; and
      
      search non-volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters.
  - 18. The article of claim 16 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 19. The article of claim 15 wherein the instructions that cause the one or more processors to selectively self-isolate the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis comprise instructions that, when executed, cause the one or more processors to:
    - analyze the risk assessment result to determine whether one or more risk conditions exists; and
      
      logically disable one or more network interface in response to a positive determination that one or more risk conditions exists.
  - 20. The article of claim 15 wherein the instructions that cause the one or more processors to perform the risk assessment self-analysis of a host electronic system coupled with a network comprise instructions that, when executed, cause the one or more processors to:
    - monitor network traffic with the host electronic system; and
      
      generate an indication of a risk condition, if the network traffic is not within predetermined operating parameters.
  - 21. The article of claim 20 wherein the predetermined operating parameters comprise:
    - an acceptable network traffic volume, acceptable destinations, acceptable sources, acceptable operational time, acceptable traffic types identified by port, acceptable traffic types identified by protocol, acceptable traffic types identified by address and acceptable traffic types identified by header information.
  - 22. The article of claim 19 wherein the instructions that cause the one or more processors to logically disable one or more network interfaces in response to a positive determination that one or more risk conditions exists comprise instructions that, when executed, cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.
  - 23. The article of claim 22 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to each of the one or more network interfaces.
  - 24. The article of claim 15 further comprising instructions that, when executed, cause the one or more processors to maintain an out-of-band network connection during the self-isolation.
  - 25. The article of claim 24 wherein the out-of-band network connection is not accessible by a host operating system.
  - 26. The article of claim 24 further comprising instructions that, when executed, cause the one or more processors to resolve a risk condition by communicating with a remote device via the out-of-band connection during self-isolation.

27. A system comprising:
- one or more network interfaces;
  
  a machine-readable medium having stored thereon instructions that, when executed, cause one or more processors to perform a security analysis of the system, and selectively logically disable one or more of the network interfaces in response to results of the risk assessment analysis.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The system of claim 27 wherein the instructions that cause the one or more processors to perform the security analysis comprise instructions that, when executed, cause the one or more processors to search files of the host electronic system for predetermined indications corresponding to one or more conditions, and generate an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 29. The system of claim 27 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of current security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 30. The system of claim 27 wherein the instructions that cause the one or more processors to selectively self-isolate the system by disabling one or more network interfaces comprise instructions that, when executed, cause the one or more processors to analyze the analysis result to determine whether one or more conditions exists, and logically disable one or more of the network interfaces in response to a positive determination that one or more conditions exists.
  - 31. The system of claim 30 wherein the instructions that cause the one or more processors to logically disable one or more network interfaces in response to a positive determination that one or more conditions exists comprise instructions that, when executed, cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.

32. A method comprising:
- monitoring a host electronic system for conditions defined by a security policy; and
  
  selectively logically disabling a component of the host electronic system coupled with a bus of the electronic system in response to results of the monitoring.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 33. The method of claim 32 wherein the bus device comprises a network interface.
  - 34. The method of claim 32 wherein the bus device comprises a storage device.
  - 35. The method of claim 34 wherein the storage device comprises a non-volatile memory device.
  - 36. The method of claim 34 wherein the storage device comprises a volatile memory device.
  - 37. The method of claim 32 wherein the bus device comprises an extended system bus controller.
  - 38. The method of claim 37 wherein the extended system bus controller conforms to a Universal Serial Bus (USB) standard.
  - 39. The method of claim 37 wherein the extended system bus controller conforms to IEEE Standard 1394.
  - 40. The method of claim 32 wherein the bus device conforms to a Peripheral Component Interconnect (PCI) standard.
  - 41. The method of claim 40 wherein the bus device is disabled by writing a predetermined value to a PCI Command register using a configuration operation.
  - 42. The method of claim 32 further comprising receiving security policy definitions from a remote device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Rajagopal, Priya, Durham, David M., Kardach, James, Sahita, Ravi, Hahn, Scott, Yavatkar, Raj

Granted Patent

US 7,441,272 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/85   interconnection devices, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Techniques for self-isolation of networked devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for self-isolation of networked devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links