Techniques for self-isolation of networked devices

US 7,441,272 B2
Filed: 06/09/2004
Issued: 10/21/2008
Est. Priority Date: 06/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing a security analysis of a host electronic system coupled with a network;

selectively disabling one or more devices coupled with a host bus in response to results of the security analysis; and

maintaining an out-of-band network connection that is not accessible by a host operating system during the self-isolation to support remedial actions in response to the results of the security analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.

311 Citations

27 Claims

1. A method comprising:
- performing a security analysis of a host electronic system coupled with a network;
  
  selectively disabling one or more devices coupled with a host bus in response to results of the security analysis; and
  
  maintaining an out-of-band network connection that is not accessible by a host operating system during the self-isolation to support remedial actions in response to the results of the security analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein performing the security analysis of the host electronic system comprises:
    - searching files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters; and
      
      generating an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 3. The method of claim 2 wherein searching the files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters comprises:
    - searching volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters; and
      
      searching non-volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters.
  - 4. The method of claim 2 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of current security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 5. The method of claim 2 wherein the predefined risk parameters are administratively configured.
  - 6. The method of claim 2 wherein the predefined risk parameters are received from a remote device.
  - 7. The method of claim 1 wherein performing a risk assessment self-analysis of a host electronic system coupled with a network comprises:
    - monitoring network traffic with the host electronic system; and
      
      generating an indication of a risk condition, if the network traffic is not within predetermined operating parameters.
  - 8. The method of claim 7 wherein the predetermined operating parameters comprise:
    - an acceptable network traffic volume, acceptable destinations, acceptable sources, acceptable operational time, acceptable traffic types identified by port, acceptable traffic types identified by protocol, acceptable traffic types identified by address and acceptable traffic types identified by header information.
  - 9. The method of claim 1 wherein selectively self-isolating the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis comprises:
    - analyzing the risk assessment result to determine whether one or more risk conditions exists; and
      
      logically disabling one or more network interface in response to a positive determination that one or more risk conditions exists.
  - 10. The method of claim 9 wherein logically disabling one or more network interfaces in response to a positive determination that one or more risk conditions exists comprises writing a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.
  - 11. The method of claim 10 wherein writing a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation comprises writing the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to each of the one or more network interfaces.
  - 12. The method of claim 1 further comprising resolving a risk condition by communicating with a remote device via the out-of-band connection during self-isolation.

13. An article comprising a machine-readable medium having stored thereon instructions that, when executed, cause one or more processors to:
- perform a risk assessment self-analysis of a host electronic system coupled with a network;
  
  selectively self-isolate the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis; and
  
  maintain an out-of-band network connection that is not accessible by a host operating system during the self-isolation to support remedial actions in response to the results of the security analysis.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The article of claim 13 wherein the instructions that cause the one or more processors to perform a risk assessment self-analysis of a host electronic system comprise instructions that, when executed, cause the one or more processors to:
    - search files of the host electronic system for predetermined indications corresponding to one or more risk conditions; and
      
      generate an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 15. The article of claim 14 wherein the instructions that cause the one or more processors to search the files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters comprise instructions that, when executed, cause the one or more processors to:
    - search volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters; and
      
      search non-volatile memory of the host electronic system for the predetermined indications corresponding to the one or more predefined risk parameters.
  - 16. The article of claim 14 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 17. The article of claim 13 wherein the instructions that cause the one or more processors to selectively self-isolate the host electronic system by disabling one or more network communications channels for the host electronic system in response to results of the risk assessment analysis comprise instructions that, when executed, cause the one or more processors to:
    - analyze the risk assessment result to determine whether one or more risk conditions exists; and
      
      logically disable one or more network interface in response to a positive determination that one or more risk conditions exists.
  - 18. The article of claim 13 wherein the instructions that cause the one or more processors to perform the risk assessment self-analysis of a host electronic system coupled with a network comprise instructions that, when executed, cause the one or more processors to:
    - monitor network traffic with the host electronic system; and
      
      generate an indication of a risk condition, if the network traffic is not within predetermined operating parameters.
  - 19. The article of claim 18 wherein the predetermined operating parameters comprise:
    - an acceptable network traffic volume, acceptable destinations, acceptable sources, acceptable operational time, acceptable traffic types identified by port, acceptable traffic types identified by protocol, acceptable traffic types identified by address and acceptable traffic types identified by header information.
  - 20. The article of claim 17 wherein the instructions that cause the one or more processors to logically disable one or more network interfaces in response to a positive determination that one or more risk conditions exists comprise instructions that, when executed, cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.
  - 21. The article of claim 20 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to each of the one or more network interfaces.
  - 22. The article of claim 13 further comprising instructions that, when executed, cause the one or more processors to resolve a risk condition by communicating with a remote device via the out-of-band connection during self-isolation.

23. A system comprising:
- one or more network interfaces;
  
  a machine-readable medium having stored thereon instructions that, when executed, cause one or more processors to perform a security analysis of the system, selectively logically disable one or more of the network interfaces in response to results of the risk assessment analysis, and maintain an out-of-band network connection that is not accessible by a host operating system during the self-isolation to support remedial actions in response to the results of the security analysis.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system of claim 23 wherein the instructions that cause the one or more processors to perform the security analysis comprise instructions that, when executed, cause the one or more processors to search files of the host electronic system for predetermined indications corresponding to one or more conditions, and generate an indication of a risk condition, if one or more of the predetermined conditions is found on the host electronic system.
  - 25. The system of claim 23 wherein the predetermined indications comprise one or more of:
    - lack of communication from a component of the host electronic system within a predetermined period of time, lack of current security patches, operating during pre-selected hours and positive results from a virus or memory scan.
  - 26. The system of claim 23 wherein the instructions that cause the one or more processors to selectively self-isolate the system by disabling one or more network interfaces comprise instructions that, when executed, cause the one or more processors to analyze the analysis result to determine whether one or more conditions exists, and logically disable one or more of the network interfaces in response to a positive determination that one or more conditions exists.
  - 27. The system of claim 26 wherein the instructions that cause the one or more processors to logically disable one or more network interfaces in response to a positive determination that one or more conditions exists comprise instructions that, when executed, cause the one or more processors to write a pre-selected value to a control register corresponding to the one or more network interfaces to be logically disabled using a configuration operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Rajagopal, Priya, Durham, David M., Kardach, James, Sahita, Ravi, Hahn, Scott, Yavatkar, Raj
Primary Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US10/865,355
Publication Number

US 20060005245A1
Time in Patent Office

1,595 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/85   interconnection devices, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Techniques for self-isolation of networked devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

311 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for self-isolation of networked devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links