HOST INTRUSION PREVENTION SERVER

US 20080168561A1
Filed: 10/21/2007
Published: 07/10/2008
Est. Priority Date: 01/08/2007
Status: Active Grant

First Claim

Patent Images

1. An intrusion-prevention server comprising:

an interface communicatively coupled to a plurality of hosts;

a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;

a plurality of encoded descriptors for characterizing said plurality of hosts;

a plurality of encoded rules; and

a recommendation engine for applying a subset of said encoded rules to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.

Citations

20 Claims

1. An intrusion-prevention server comprising:
- an interface communicatively coupled to a plurality of hosts;
  
  a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;
  
  a plurality of encoded descriptors for characterizing said plurality of hosts;
  
  a plurality of encoded rules; and
  
  a recommendation engine for applying a subset of said encoded rules to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The intrusion-prevention server of claim 1 further comprising an interface communicatively coupled to a central server for receiving said data filters, said encoded descriptors, and said encoded rules.
  - 3. The intrusion-prevention server of claim 1 further comprising a plurality of functional expressions each associated with at least one encoded rule from among said plurality of encoded rules.
  - 4. The intrusion-prevention server of claim 1 wherein at least one encoded rule is encoded as a tree of descriptors and executing said each encoded rule uses descriptors starting from a root descriptor to a leaf descriptor.
  - 5. The intrusion-prevention server of claim 1 further comprising a database maintaining a profile of each host in said plurality of hosts.
  - 6. The intrusion-prevention server of claim 5 further comprising a first software program for:
    - defining a plurality of host types according to said profile of each host;
      
      determining a host-specific subset of descriptors from among said encoded descriptors for each of said host types; and
      
      associating each host in said plurality of hosts with a host type from among said plurality of host types.
  - 7. The intrusion-prevention server of claim 6 further comprising a second software program for determining a rule-specific subset of descriptors, from among said encoded descriptors, for each of said rules.
  - 8. The intrusion-prevention server of claim 7 further comprising a third software program for determining an intersection of each host-specific subset of descriptors with each rule-specific subset of descriptors to determine a rule domain specific to each host.
  - 9. The intrusion-prevention server of claim 8 further comprising a scheduler associated with said recommendation engine for applying a respective subset of said encoded rules to each host from among said plurality of hosts.

10. An intrusion-prevention server supporting a plurality of hosts H_k, 0≦
- k<
  
  ν
  
  , said server comprising;
  
  a first data store holding a set of μ
  
  encoded filters {F_m, 0≦
  
  m<
  
  μ
  
  };
  
  a second data store holding a global set D of Q descriptors {d_j, 0≦
  
  j<
  
  Q};
  
  an interface with said plurality of hosts for acquiring metadata for characterizing a selected host H_k, the metadata comprising data elements having a one-to-one correspondence to descriptors in a domain of descriptors of said global set D; and
  
  an engine for executing a set of rules {Γ
  
  _m, 0≦
  
  m<
  
  μ
  
  } to determine a binary indicator Φ
  
  _m,kwhere a value of Φ
  
  _m,kequal to 1 assigns filter F_mto host H_kand a value of Φ
  
  _m,kequal to 0 excludes filter F_mfrom host H_k.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The intrusion-prevention server of claim 10 further comprising a third data store for holding chronological metadata of said selected host H_k.
  - 12. The intrusion-prevention server of claim 11 further comprising a program store holding instructions for determining said domain of descriptors using said chronological metadata.
  - 13. The intrusion-prevention server of claim 10 wherein said engine selects a subset of descriptors from within said domain of descriptors according to a current state of said selected host and determines said binary indicator based solely on said subset of descriptors.
  - 14. The intrusion-prevention server of claim 13 wherein each rule Γ
    - _mis associated with a tree of descriptors and said subset of descriptors are descriptors along a tree path between a root descriptor and a leaf descriptor of said tree of descriptors.

15. At a server, a method of providing intrusion-protection software to a plurality of hosts comprising:
- devising a superset of rules for selectively assigning intrusion-protection software to said plurality of hosts;
  
  defining a superset of descriptors for characterizing said plurality of hosts;
  
  acquiring from a target host, from among said plurality of hosts, a first set of descriptors relevant to a first rule;
  
  executing said first rule according to said first set of descriptors;
  
  identifying a second set of descriptors relevant to a second rule where said second set of descriptors intersects said first set of descriptors in at least one descriptor;
  
  acquiring from said target host, a subset of said second set of descriptors, said subset excluding said at least one descriptor; and
  
  executing said second rule according to said subset and said at least one descriptor.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 further comprising a step of defining a host-specific set of rules, from among said superset of rules, comprising rules applicable to each host in said plurality of hosts so that said first rule and said second rule belong to a set of rules specific to said target host.
  - 17. The method of claim 15 further comprising:
    - executing a number of rules exceeding two; and
      
      sharing descriptors acquired from said target host among said number of rules so that the descriptors acquired from said target host for said number of rules collectively correspond to a union of descriptors defining said number of rules.
  - 18. The method of claim 15 further comprising a step of selecting said first set of descriptors and said second set of descriptors according to a current state of said target host.
  - 19. The method of claim 18 further comprising defining a domain of descriptors for each rule, said domain comprising descriptors from said superset of descriptors relevant to said each rule so that said first set of descriptors belongs to a domain of said first rule and said second set of descriptors belongs to a domain of said second rule.
  - 20. The method of claim 19 further comprising:
    - arranging said domain of descriptors of said each rule in a tree structure having a root descriptor, inner descriptors, and leaf descriptors;
      
      setting a current descriptor to equal said root descriptor;
      
      starting a rule path of said each rule for said target host from said root descriptor;
      
      determining a subsequent descriptor along said rule path according to a data element of said target host corresponding to said current descriptor;
      
      where said subsequent descriptor is a leaf descriptor, executing said each rule; and
      
      where said subsequent descriptor is an inner descriptor, updating said current descriptor to equal said subsequent descriptor and repeating the step of determining.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Kabushiki Kaisha
Inventors
MCGEE, William G., DURIE, Anthony Robert

Granted Patent

US 7,930,747 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

HOST INTRUSION PREVENTION SERVER

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HOST INTRUSION PREVENTION SERVER

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links