HOST INTRUSION PREVENTION SERVER
Abstract
An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.
20 Claims
1. An intrusion-prevention server comprising:
- an interface communicatively coupled to a plurality of hosts;
- a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;
- a plurality of encoded descriptors for characterizing said plurality of hosts;
- a plurality of encoded rules; and
- a recommendation engine for applying a subset of said encoded rules to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. An intrusion-prevention server supporting a plurality of hosts $H_k$, $0 \le k < \nu$, said server comprising:
- a first data store holding a set of $\mu$ encoded filters $\{F_m,\ 0 \le m < \mu\}$;
- a second data store holding a global set $D$ of $Q$ descriptors $\{d_j,\ 0 \le j < Q\}$;
- an interface with said plurality of hosts for acquiring metadata for characterizing a selected host $H_k$, the metadata comprising data elements having a one-to-one correspondence to descriptors in a domain of descriptors of said global set $D$; and
- an engine for executing a set of rules $\{\Gamma_m,\ 0 \le m < \mu\}$ to determine a binary indicator $\Phi_{m,k}$ where a value of $\Phi_{m,k}$ equal to 1 assigns filter $F_m$ to host $H_k$ and a value of $\Phi_{m,k}$ equal to 0 excludes filter $F_m$ from host $H_k$.

Dependent claims: 11, 12, 13, 14

15. At a server, a method of providing intrusion-protection software to a plurality of hosts comprising:
- devising a superset of rules for selectively assigning intrusion-protection software to said plurality of hosts;
- defining a superset of descriptors for characterizing said plurality of hosts;
- acquiring from a target host, from among said plurality of hosts, a first set of descriptors relevant to a first rule;
- executing said first rule according to said first set of descriptors;
- identifying a second set of descriptors relevant to a second rule where said second set of descriptors intersects said first set of descriptors in at least one descriptor;
- acquiring from said target host, a subset of said second set of descriptors, said subset excluding said at least one descriptor; and
- executing said second rule according to said subset and said at least one descriptor.

Dependent claims: 16, 17, 18, 19, 20
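
A sketch of the rule evaluation in claim 10 combined with the incremental descriptor acquisition of claim 15, given here as an added illustration and not taken from the patent or any product. The class names, descriptor names (`os`, `iis_installed`, `sshd_version`) and rule contents are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class Rule:
    """Rule Γ_m: decides whether filter F_m applies, using a declared descriptor set."""
    filter_id: str
    needs: Set[str]
    predicate: Callable[[Dict[str, str]], bool]

@dataclass
class HostAgent:
    """Stand-in for a host H_k that answers metadata queries (constructed data)."""
    name: str
    state: Dict[str, str]
    requested: List[Set[str]] = field(default_factory=list)

    def query(self, descriptors: Set[str]) -> Dict[str, str]:
        self.requested.append(set(descriptors))  # record every round trip
        return {d: self.state.get(d, "") for d in descriptors}

def recommend(host: HostAgent, rules: List[Rule]) -> Dict[str, int]:
    """Return Φ_{m,k} per filter, asking the host for each descriptor at most once."""
    known: Dict[str, str] = {}
    phi: Dict[str, int] = {}
    for rule in rules:
        missing = rule.needs - set(known)  # skip descriptors shared with earlier rules
        if missing:
            known.update(host.query(missing))
        view = {d: known[d] for d in rule.needs}  # a rule sees only its own descriptors
        phi[rule.filter_id] = 1 if rule.predicate(view) else 0
    return phi

# Constructed rules: each names the descriptors it depends on.
RULES = [
    Rule("F0", {"os", "iis_installed"},
         lambda m: m["os"] == "windows" and m["iis_installed"] == "yes"),
    Rule("F1", {"os", "sshd_version"},
         lambda m: m["os"] == "linux" and m["sshd_version"] != ""),
    Rule("F2", {"os"}, lambda m: m["os"] == "windows"),
]

def demo():
    host = HostAgent("H0", {"os": "windows", "iis_installed": "yes"})
    return recommend(host, RULES), host.requested

if __name__ == "__main__":
    print(demo())
```

The second rule shares `os` with the first, so only `sshd_version` is requested for it, and the third rule triggers no host query at all.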