Parametric content control in a network security system

US 20070028291A1
Filed: 07/29/2005
Published: 02/01/2007
Est. Priority Date: 07/29/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for use with a computer system having a plurality of host computers (hosts) and a server associated with the hosts comprising:

the server propagating to the hosts a master set of policies relating to file operations, and policy options indicating at least whether and with what conditions such operations are allowed or banned, and the server propagating a value to the hosts;

the value stored on the host indicating which subset of policies and policy options to implement on the host from the master set of policies and policy options;

the host implementing the file operation policies indicated by the value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system can provide and update a security value that causes host computers to change security levels for a number of different policies. The policies are grouped into a master set of policies and options which are propagated to the hosts from a centralized server. The security value is stored on the hosts and the server, and changes of the value on the server are propagated to the hosts.

Citations

45 Claims

1. A method for use with a computer system having a plurality of host computers (hosts) and a server associated with the hosts comprising:
- the server propagating to the hosts a master set of policies relating to file operations, and policy options indicating at least whether and with what conditions such operations are allowed or banned, and the server propagating a value to the hosts;
  
  the value stored on the host indicating which subset of policies and policy options to implement on the host from the master set of policies and policy options;
  
  the host implementing the file operation policies indicated by the value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 2. The method of claim 1, wherein each policy has a single configuration parameter that indicates one of the policy options, the value that is propagated selecting the policy option for each of a number of policies.
  - 3. The method of claim 1, the master set includes lists of policies and options, the value that is propagated selecting one of the lists.
  - 4. The method of claim 1, wherein the policies have at least three options that constitute an ordered set of restrictions that incrementally increase or reduce host'"'"'s ability to perform file operations.
  - 5. The method of claim 1, wherein the server changes the value in response to a manual change by an administrator.
  - 6. The method of claim 1, wherein the server changes the value automatically without input from a human administrator.
  - 7. The method of claim 6, wherein the automatic server value change is in response to a detected security event or SNMP message or syslog message or report or network message or email message.
  - 8. The method of claim 1, wherein the host changes the value automatically without input from a human or without a command from the server.
  - 9. The method of claim 1, wherein the host changes the value automatically in response to a policy report on the same host or in response to an event detected on the host or in response to a command executed on the host.
  - 10. The method of claim 1, wherein the policy options include automatically permitting execution and/or reading operations of files with an associated meta-information state indicating that such operations are approved.
  - 11. The method of claim 1, wherein the policy options include blocking execution and/or reading of files with an associated meta-information state indicating that such operations are banned and/or sending reports to the server.
  - 12. The method of claim 1, wherein the policy options include blocking execution and/or reading of files with an associated pending meta-information state indicating that such actions have not yet been determined to be allowed or banned.
  - 13. The method of claim 1, wherein the policy options include permitting execution and/or reading of files with an associated pending meta-information state indicating that such actions have not yet been fully determined to be allowed or banned.
  - 14. The method of claim 1, wherein the policy options include sending reports to the server in the event of a request for an operation on a file with an associated pending meta-information state indicating that such actions have not yet been fully determined to be allowed or banned.
  - 15. The method of claim 1, wherein the policy options include detecting and tracking the creation or modification or first execution of new files with associated pending and/or banned meta-information states.
  - 16. The method of claim 1, wherein the policy options include blocking the creation or modification of files with associated pending meta-information state.
  - 17. The method of claim 1, wherein the policy options include automatic deletion or moving of files with associated banned meta-information state.
  - 18. The method of claim 1, wherein the policy options include automatically setting the host meta-information state of newly created or modified files to approve.
  - 19. The method of claim 1, wherein the policy options include automatically setting the server meta-information state of files which are newly created or modified on the host to approve.
  - 20. The method of claim 1, wherein the host maintains meta-information for each of the files on the host, the meta-information including a state having at least three possible values:
    - Approved, Banned, and Pending.
  - 21. The method of claim 20, wherein an indication to allow allows an operation without further monitoring.
  - 22. The method of claim 20, wherein the policy options include delaying a file operation while the host and/or server are analyzing the file.
  - 23. The method of claim 22, wherein server associates the pending state with a file when the server determines that it does not have meta-information associated with that file.
  - 24. The method of claim 22, wherein host associates the pending state with a file when the host determines that it does not have meta-information associated with that file.
  - 25. The method of claim 1, wherein the server maintains meta-information indicating when a file is first seen by any host
  - 26. The method of claim 1, wherein at least some of the policies and policy options indicate an action based on the name of a file.
  - 27. The method of claim 1, wherein at least some of the policies and policy options indicate an action based on the content of a file.
  - 28. The method of claim 1, wherein at least some of the policies and policy options indicate an action based on combinations of the name and content of a file.
  - 29. The method of claim 1, wherein the server maintains meta-information about files including a hash of the contents of the file.
  - 30. The method of claim 29, wherein the hash of the contents of the file is a hash of the contents of interest within the file.
  - 31. The method of claim 1, wherein the policies include execution of a new file, write accesses to files, and reads to files, and wherein the options include allowing the action to take place, banning the action, or approving the action with further monitoring.
  - 32. The method of claim 31, wherein the further monitoring includes one or more of logging and providing a report.
  - 33. The method of claim 1, wherein one of the values bans all new executables.
  - 34. The method of claim 1, wherein one of the values allows all file operations.
  - 35. The method of claim 1, wherein the server changes the value by posting a new value in a manner accessible to the hosts, the hosts accessing the new value, comparing the new value to the value the host has, and changing its value to the new value.
  - 36. The method of claim 35, wherein there is an ordered set of values and associated policies and policy options, the hosts changing to the new value incrementally though other intermediate values.
  - 37. The method of claim 1, wherein each of the hosts is arranged into one of a plurality of host groups, the server changing the value for at least one but not all host groups, such that the host groups have different values.
  - 38. The method of claim 1, wherein the server changes the value by sending the new value to the hosts.
  - 39. The method of claim 9, wherein changes to server file meta-information state are made available to hosts and/or propagate to hosts.

40. A computer system comprising:
- a plurality of host computers (hosts); and
  
  a server for propagating to the hosts a master set of policies relating to file operations, and policy options indicating at least whether and with what conditions such operations are allowed or banned, and the server further for propagating a value to the hosts for storage on the hosts;
  
  the value stored on the host indicating which subset of policies and policy options to implement on the host from the master set of policies and policy options;
  
  the host for implementing the file operation policies indicated by the value.
- View Dependent Claims (41, 42, 43, 44, 45)
- - 41. The system of claim 40, wherein the information propagated by the server includes a value that indicates a set of policy options for each of a number of different policies.
  - 42. The system of claim 41, wherein the hosts are organized into multiple host groups, the server propagating changes in the value to one or more but not all of the host groups.
  - 43. The system of claim 40, wherein the file operations include write access to files and execution of files, the options including plurality of options in an ordered set of restrictions that incrementally increase or reduce a host'"'"'s ability to perform file operations.
  - 44. The system of claim 40, wherein the master set includes lists of policies and policy options, and the server provides information including a value indicating one of the lists.
  - 45. The system of claim 40, wherein the server posts the information in a location accessible to the hosts, and the hosts access the information and update their values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bit 7, Inc. (Bb7 LLC)
Original Assignee
Bit 7, Inc. (Bb7 LLC)
Inventors
Brennan, Todd, Hillery, Allen

Application Number

US11/194,075
Publication Number

US 20070028291A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Parametric content control in a network security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Parametric content control in a network security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links