System for Regulating Host Security Configuration
First Claim
1. A method of providing protection software to a plurality of hosts comprising:
determining a current time indicator;
sending, from a server, a set of queries to a target host from among said plurality of hosts to acquire current characterizing data elements from said target host;
comparing said current characterizing data elements with prior characterizing data elements of said target host;
where at least one current characterizing data element differs from a corresponding prior characterizing data element, determining a current protection-software configuration for said target host;
where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;
retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and
retaining said current protection-software configuration for subsequent use as prior protection-software configuration.
Abstract
Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host's current profile. The processing effort is reduced by judicious adjustment of successive monitoring periods and by selectively tailoring the host-characterizing data to the conditions of each host.
78 Citations
21 Claims
1. A method of providing protection software to a plurality of hosts comprising:
determining a current time indicator;
sending, from a server, a set of queries to a target host from among said plurality of hosts to acquire current characterizing data elements from said target host;
comparing said current characterizing data elements with prior characterizing data elements of said target host;
where at least one current characterizing data element differs from a corresponding prior characterizing data element, determining a current protection-software configuration for said target host;
where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;
retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and
retaining said current protection-software configuration for subsequent use as prior protection-software configuration.
Dependent claims: 2, 3, 4, 5

6. A recommendation engine associated with a server for providing intrusion protection to a plurality of hosts communicatively connected to the server, said recommendation engine comprising:
means for executing intrusion-protection software to determine a current host-protection configuration for a target host;
means for installing said current host-protection configuration in said target host upon determining a discrepancy between said current host-protection configuration and a prior host-protection configuration of said target host;
means for recording successive host-reconfiguration periods, where a host-reconfiguration period is the difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration;
means for determining a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and
a scheduler for activating said intrusion-protection software according to said monitoring period.
Dependent claims: 7, 8, 9, 10, 11

12. At a server providing intrusion-protection software to a plurality of hosts, a method of regulating communications between said server and said hosts, said method comprising:
associating a monitoring period τ* with a target host from among said plurality of hosts;
executing a process for determining a current host-protection configuration for said target host;
where said current host-protection configuration differs from a prior host-protection configuration:
installing said current host-protection configuration in said target host;
recording a current reconfiguration-time indicator;
determining a current reconfiguration period τ as the difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator;
updating said monitoring period τ* as τ* ← (τ* + τ)/2; and
scheduling a subsequent execution of said process according to said monitoring period.
Dependent claims: 13, 14, 15, 16

17. At a server providing intrusion-protection software to a plurality of hosts, a method of regulating communications between said server and said hosts, said method comprising:
associating a monitoring period τ* with a target host;
initializing to zero each of a first sum Σ₁, a second sum Σ₂, entry m of a vector V_m, and entry m of a vector W_m, 0 ≤ m < κ, where κ > 1 is a predefined parameter;
initializing a cyclic event counter j to −1;
executing a process for determining a current host-protection configuration for said target host;
where said current host-protection configuration differs from a prior host-protection configuration:
installing said current host-protection configuration in said target host;
recording a current reconfiguration-time indicator;
for j ≥ 0, determining a current reconfiguration period τ as the difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator, performing the operations j ← (j + 1) modulo κ, Σ₁ ← Σ₁ + (τ − V_j), Σ₂ ← Σ₂ + (τ² − W_j), V_j ← τ and W_j ← τ², and determining a monitoring period according to Σ₁ and Σ₂;
for j < 0, setting said event counter j to zero; and
scheduling a subsequent execution of said process according to said monitoring period.
Dependent claims: 18, 19, 20, 21
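The monitoring-period updates recited in claims 12 and 17, worked through as an added Python example; this is not the patent's or any product's code. The claims do not fix how the monitoring period follows from Σ₁ and Σ₂, so mean plus one standard deviation of the κ most recent reconfiguration periods is an assumption here, and the reconfiguration instants used to exercise it are constructed.

```python
import math


class MonitoringPeriodRegulator:
    """Per-host state for the κ-window statistics of claim 17."""

    def __init__(self, kappa, initial_period):
        if kappa <= 1:
            raise ValueError("kappa > 1 is a predefined parameter")  # κ > 1
        self.kappa = kappa
        self.tau_star = float(initial_period)  # monitoring period τ*
        self.sum1 = 0.0                        # Σ1, sum of the last κ periods
        self.sum2 = 0.0                        # Σ2, sum of their squares
        self.v = [0.0] * kappa                 # V_m, the last κ periods
        self.w = [0.0] * kappa                 # W_m, their squares
        self.j = -1                            # cyclic event counter
        self.filled = 0                        # window slots holding real data
        self.prev_time = None                  # prior reconfiguration-time indicator

    def claim12_update(self, tau):
        """Claim 12: τ* ← (τ* + τ) / 2, a simple running average."""
        self.tau_star = (self.tau_star + tau) / 2
        return self.tau_star

    def on_reconfiguration(self, now):
        """Claim 17: invoked when the current configuration differs from the prior."""
        if self.j >= 0:
            tau = now - self.prev_time               # current reconfiguration period τ
            self.j = (self.j + 1) % self.kappa       # j ← (j + 1) modulo κ
            self.sum1 += tau - self.v[self.j]        # Σ1 ← Σ1 + (τ − V_j)
            self.sum2 += tau * tau - self.w[self.j]  # Σ2 ← Σ2 + (τ² − W_j)
            self.v[self.j] = tau                     # V_j ← τ
            self.w[self.j] = tau * tau               # W_j ← τ²
            self.filled = min(self.filled + 1, self.kappa)
            self.tau_star = self.monitoring_period()
        else:
            self.j = 0                               # for j < 0, set j to zero
        self.prev_time = now                         # record reconfiguration time
        return self.tau_star

    def monitoring_period(self):
        """Assumed rule (not in the claims): mean + one std. dev. of the window."""
        n = self.filled
        mean = self.sum1 / n
        variance = max(self.sum2 / n - mean * mean, 0.0)  # clamp rounding noise
        return mean + math.sqrt(variance)
```

Once κ events have been seen, each new period displaces the oldest slot, so Σ₁ and Σ₂ always equal the sums over exactly the last κ periods without rescanning the vectors.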
Specification