System for Regulating Host Security Configuration

US 20090106842A1
Filed: 10/19/2007
Published: 04/23/2009
Est. Priority Date: 10/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method of providing protection software to a plurality of hosts comprising:

determining a current time indicator;

sending, from a server, a set of queries to a target host from among said plurality of hosts to acquire current characterizing data elements from said target host;

comparing said current characterizing data elements with prior characterizing data elements of said target host;

where at least one current characterizing data element differs from a corresponding prior characterizing data element, determining a current protection-software configuration for said target host;

where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;

retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and

retaining said current protection-software configuration for subsequent use as prior protection-software configuration.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host'"'"'s current profile. The processing effort is reduced by judicial adjustment of successive monitoring periods and selectively tailoring the host-characterizing data to the conditions of each host.

78 Citations

View as Search Results

21 Claims

1. A method of providing protection software to a plurality of hosts comprising:
- determining a current time indicator;
  
  sending, from a server, a set of queries to a target host from among said plurality of hosts to acquire current characterizing data elements from said target host;
  
  comparing said current characterizing data elements with prior characterizing data elements of said target host;
  
  where at least one current characterizing data element differs from a corresponding prior characterizing data element, determining a current protection-software configuration for said target host;
  
  where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;
  
  retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and
  
  retaining said current protection-software configuration for subsequent use as prior protection-software configuration.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 comprising, before the step of sending:
    - associating each host in said plurality of hosts with a host type from among a predefined set of host types;
      
      defining a superset of host descriptors;
      
      associating a set of descriptors, from among said superset of descriptors, with each host type in said predefined set of host types; and
      
      formulating said set of queries to correspond to a specific set of descriptors associated with a type of said target host.
  - 3. The method of claim 1 comprising, before the step of determining said current protection-software configuration:
    - defining a superset of rules each rule for assigning an element of said protection-software; and
      
      executing selected rules from among said superset of rules using said current characterizing data elements.
  - 4. The method of claim 1 further comprising:
    - associating a monitoring interval with each query in said set of queries;
      
      identifying individual queries in said set of queries for each of which a sum of a respective monitoring interval and a prior time indicator associated with said target host exceeds said current time indicator;
      
      removing said individual queries from said set of queries; and
      
      retaining said current time indicator for subsequent use as a prior time indicator associated with said target host.
  - 5. The method of claim 1 further comprising:
    - determining a current host-reconfiguration period as said current time indicator minus a prior host-reconfiguration time indicator;
      
      determining a current monitoring interval for said target host as an arithmetic mean of said current host-reconfiguration period and a prior monitoring interval; and
      
      retaining said current monitoring interval for subsequent use as a prior monitoring interval.

6. A recommendation engine associated with a server for providing intrusion protection to a plurality of hosts communicatively connected to the server, said recommendation engine comprising:
- means for executing intrusion-protection software to determine a current host-protection configuration for a target host;
  
  means for installing said current host-protection configuration in said target host upon determining discrepancy between said current host-protection configuration and a prior host-protection configuration of said target host;
  
  means for recording successive host-reconfiguration periods where a host reconfiguration period is a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration;
  
  means for determining a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and
  
  a scheduler for activating said intrusion-protection software according to said monitoring period.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The recommendation engine of claim 6 wherein said intrusion-protection software comprises:
    - a set of queries for acquiring data elements from said target host; and
      
      a set of rules executing expressions for determining said current host-protection configuration based on said data elements.
  - 8. The recommendation engine of claim 6 wherein said means for updating said monitoring period determines said monitoring period as an arithmetic mean value of a current host-reconfiguration period in said successive host-reconfiguration periods and a preceding monitoring period of said each host.
  - 9. The recommendation engine of claim 6 wherein said means for updating said monitoring period determines said monitoring period as an arithmetic mean value of a predetermined number of host-reconfiguration periods in said successive host-reconfiguration periods.
  - 10. The recommendation engine of claim 9 wherein said means for updating said monitoring period determines said monitoring period as said arithmetic mean value minus a standard deviation of said predetermined number of host-reconfiguration periods subject to a condition that the monitoring period exceeds a predetermined lower bound.
  - 11. The recommendation engine of claim 6 wherein said means for updating said monitoring period determines said monitoring period as a geometric mean value of a current host-reconfiguration period in said successive host-reconfiguration periods and a preceding monitoring period of said each host.

12. At a sever providing intrusion-protection software to a plurality of hosts, a method of regulating communications between said server and said hosts, said method comprising:
- associating a monitoring period τ
  
  * with a target host from among said plurality of hosts;
  
  executing a process for determining a current host-protection configuration for said target host;
  
  where said current host-protection configuration differs from a prior host-protection configuration;
  
  installing said current host-protection configuration in said target host;
  
  recording a current reconfiguration-time indicator;
  
  determining a current reconfiguration period - as a difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator;
  
  updating said monitoring period τ
  
  * as τ
  
  *←
  
  (τ
  
  *+τ
  
  )/2and;
  
  scheduling a subsequent execution of said process according to said monitoring period.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12 further comprising a step of imposing an upper bound τ
    - _b* of said monitoring period τ
      
      * so that τ
      
      *≦
      
      τ
      
      _b*, where said upper bound is specific to said target host.
  - 14. The method of claim 12 wherein said process comprises a step of executing a set of rules to determine said current host-protection configuration, where executing each rule in said set of rules comprises steps of:
    - selecting a set of queries from a superset of queries, according to a current state of said target host;
      
      sending said set of queries to said target host;
      
      andreceiving from said target host a data element in response to each query in said set of queries.
  - 15. The method of claim 14 wherein said selecting comprises, for each query, starting with a root query, determining a subsequent query according to a data element received from said target host in response to said each query, where a null subsequent query completes formation of said set of queries.
  - 16. The method of claim 12 further comprising selecting each host in said plurality of hosts as said target host at least once during a cyclic global monitoring period.

17. At a sever providing intrusion-protection software to a plurality of hosts, a method of regulating communications between said server and said hosts, said method comprising:
- associating a monitoring period τ
  
  * with a target host;
  
  initializing to zero each of a first sum Σ
  
  ₁, a second sum Σ
  
  ₂, entry m of a vector V_m, and entry m a vector W_m, 0≦
  
  m<
  
  κ
  
  , where κ
  
  >
  
  1 is a predefined parameter;
  
  initializing a cyclic event counter j to −
  
  1;
  
  executing a process for determining a current host-protection configuration for said target host;
  
  where said current host-protection configuration differs from a prior host-protection configuration;
  
  installing said current host-protection configuration in said target host;
  
  recording a current reconfiguration-time indicator;
  
  for j≧
  
  0determining a current reconfiguration period τ
  
  as a difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator;
  
  performing the operations j←
  
  (j+1)_{modulo κ},
  Σ
  
  ₁←
  
  Σ
  
  ₁+(τ
  
  −
  
  V_j), Σ
  
  ₂←
  
  Σ
  
  ₂+(τ
  
  ²−
  
  W_j), V_j←
  
  τ and
  
  W_j←
  
  τ
  
  ²,anddetermining a monitoring period according to Σ
  
  ₁and Σ
  
  ₂;
  
  for j<
  
  0, setting said event counter j to zero;
  
  and;
  
  scheduling a subsequent execution of said process according to said monitoring period.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 wherein said updating comprises further steps of:
    - determining a mean reconfiguration period <
      
      τ
      
      >
      
      as Σ
      
      ₁/κ
      
      ;
      
      determining a reconfiguration-period standard deviation as σ
      
      =(Σ
      
      ₂/κ
      
      −
      
      −
      
      <
      
      τ
      
      >
      
      ²)^1/2;
      
      andsetting said monitoring period as τ
      
      *=<
      
      τ
      
      >
      
      −
      
      α
      
      ×
      
      σ
      
      , α
      
      >
      
      0 being a predetermined design parameter.
  - 19. The method of claim 18 further comprising a step of imposing a lower bound τ
    - _a* and an upper bound τ
      
      _b* of said monitoring period τ
      
      *, so that τ
      
      _a*≦
      
      τ
      
      *≦
      
      τ
      
      _b*, said lower bound and said upper bound being specific to said target host.
  - 20. The method of claim 17 wherein said process comprises steps of:
    - sending a set of queries to said target host;
      
      receiving metadata from said target host;
      
      executing a set of rules to determine said current host-protection configuration.
  - 21. The method of claim 17 further comprising a step of determining a global monitoring period during which each host in said plurality of hosts is selected at least once as said target host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Kabushiki Kaisha
Inventors
DURIE, Anthony Robert

Granted Patent

US 7,996,896 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System for Regulating Host Security Configuration

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System for Regulating Host Security Configuration

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links