Stateful distributed event processing and adaptive security

US 7,594,267 B2
Filed: 06/14/2002
Issued: 09/22/2009
Est. Priority Date: 06/14/2001
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a networked computer System including first and second nodes and an event processing server, comprising:

the first and second nodes detecting changes in state;

the event processing server receiving notification of the changes in state from the first and second nodes;

the event processing server correlating the changes in state detected by the first and second nodes;

the event processing server executing a maintenance decision that affects the first and second nodes, where the maintenance decision is based on the correlating of the changes in state detected by the first and second nodes, where the changes in state are a result of an absence of an event;

wherein the absence of an event comprises;

an absence of a request for system resources; and

an absence of an event message received within a predetermined time frame; and

where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;

generating an event message for the access request;

transmitting the event message to the event processing server;

in response, receiving a policy message from the event processing server comprising at least one of;

allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;

placing the at least one of the first and second nodes under quarantine; and

defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the detecting, receiving, correlating, and executing occurs without human intervention.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides method and apparatus for maintaining a networked computer system including first and second nodes and an event processing server, the method comprising the first and second nodes detecting changes in state, the event processing server receiving notification of the changes in state from the first and second nodes, the event processing server correlating changes in state detected in the first and second nodes, and the event processing server executing a maintenance decision which affects the first and second nodes. The detecting, transmitting, correlating, and executing occurs without human intervention.

Citations

41 Claims

1. A method of maintaining a networked computer System including first and second nodes and an event processing server, comprising:
- the first and second nodes detecting changes in state;
  
  the event processing server receiving notification of the changes in state from the first and second nodes;
  
  the event processing server correlating the changes in state detected by the first and second nodes;
  
  the event processing server executing a maintenance decision that affects the first and second nodes, where the maintenance decision is based on the correlating of the changes in state detected by the first and second nodes, where the changes in state are a result of an absence of an event;
  
  wherein the absence of an event comprises;
  
  an absence of a request for system resources; and
  
  an absence of an event message received within a predetermined time frame; and
  
  where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;
  
  generating an event message for the access request;
  
  transmitting the event message to the event processing server;
  
  in response, receiving a policy message from the event processing server comprising at least one of;
  
  allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;
  
  placing the at least one of the first and second nodes under quarantine; and
  
  defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the detecting, receiving, correlating, and executing occurs without human intervention.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, where the changes in state are recognized by a reference monitor.
  - 3. The method of claim 2, where the monitor is a stateful reference monitor.
  - 4. The method of claim 1, where the event processing server receiving the notification is the result of one of the first and second nodes reporting to the event processing server, and the event processing server polling the first and second nodes.
  - 5. The method of claim 1, comprising the event processing server updating an operating policy on the network.
  - 6. The method of claim 5, where updating the operating policy includes at least one of requesting security policy changes on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters.
  - 7. The method of claim 5, comprising at least one node enacting the updated operating policy.
  - 8. The method of claim 1, comprising notifying an external entity of actions taken.
  - 9. The method of claim 8, where the external entity is a network administrator.
  - 10. The method of claim 8, where the external entity is a software application executing on an element of the networked computing system.
  - 11. The method of claim 1 where, in response to an intrusion detection, a human operator is prompted and allotted a predetermined period to execute the maintenance decision in accordance with the intrusion detection before the maintenance decision is executed without human intervention.
  - 12. The method of claim 1, where an event agent application periodically polls the event processing server for at least one operating policy update.

13. A method for maintaining a networked computer system including:
- at least one node detecting at least one change in state;
  
  an event processing server associated with the networked computing system receiving notification of the at least one change in state from the at least one node; and
  
  the event processing server responding to the notification by executing a maintenance decision, where the maintenance decision is based on the at least one change in state from the at least one node, the at least one change in state being a result of an absence of an event;
  
  where the absence of an event comprises;
  
  an absence of a request for system resources; and
  
  an absence of an event message received within a predetermined time frame; and
  
  where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;
  
  generating an event message for the access request;
  
  transmitting the event message to the event processing server;
  
  in response, receiving a policy message from the event processing server comprising at least one of;
  
  allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;
  
  placing the at least one of the first and second nodes under quarantine;
  
  and defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the detecting, receiving, and responding occurs without human intervention.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13, where the change in state is recognized by a reference monitor.
  - 15. The method of claim 14, where the reference monitor is a stateful reference monitor.
  - 16. The method of claim 13, where the event processing server receiving the report is the result of the at least one node reporting to the event processing server, and the event processing server polling the at least one node.
  - 17. The method of claim 13, where the maintenance decision affects the at least one node detecting the change in state.
  - 18. The method of claim 13, where the maintenance decision affects at least one node other than the node detecting the change in state.
  - 19. The method of claim 13, comprising the event processing server updating an operating policy on the network.
  - 20. The method of claim 19, where updating the operating policy includes at least one of requesting security policy changes on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters.
  - 21. The method of claim 19, comprising at least one node enacting the updated operating policy.
  - 22. The method of claim 13, comprising notifying an external entity of actions taken.
  - 23. The method of claim 22, where the external entity is a software application executing on the network.

24. A method for maintaining a node on a networked computer system including:
- at least one node detecting a change in state;
  
  an event processing server associated with the networked computing system receiving notification of the at least one change in state from the at least one node; and
  
  the event processing server responding to the notification by executing a maintenance decision, where the maintenance decision is based on the at least one change in state from the at least one node,at least one node reacting to the change in state, where the change in state is a result of an absence of an event;
  
  where, the absence of an event comprises;
  
  an absence of a request for system resources; and
  
  an absence of an event message received within a predetermined time frame;
  
  where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;
  
  generating an event message for the access request;
  
  transmitting the event message to the event processing server;
  
  in response, receiving a policy message from the event processing server comprising at least one of;
  
  allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;
  
  placing the at least one of the first and second nodes under quarantine;
  
  and defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the at least one node detecting and reacting to the change in state occurs without human intervention.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 35)
- - 25. The method of claim 24, where the change in state is recognized by a reference monitor.
  - 26. The method of claim 25, where the reference monitor is a stateful reference monitor.
  - 27. The method of claim 24, comprising the event processing server responding to the notification by updating an operating policy on the network.
  - 28. The method of claim 27, where updating the operating policy includes at least one of requesting updates to security policy on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters.
  - 29. The method of claim 27, comprising the at least one node enacting the updated operating policy.
  - 30. The method of claim 24, comprising notifying an external entity of actions taken.
  - 31. The method of claim 30, where the external entity is a network administrator.
  - 32. The method of claim 30, where the external entity is a software application executing on the network.
  - 35. The method of claim 24, where, in response to an intrusion detection, a human operator is prompted and allotted a predetermined time period to execute the maintenance decision in accordance with the intrusion detection before the maintenance decision is executed without human intervention.

33. A computer-readable medium storing computer executable instructions that when executed by a computer cause the computer to perform a method, the method comprising:
- detecting a change in state of a node,an event processing server associated with the networked computing system receiving notification of the at least one change in state from the at least one node; and
  
  the event processing server responding to the notification by executing a maintenance decision, where the maintenance decision is based on the at least one change in state from the at least one node,where the change in state is a result of an absence of an event;
  
  wherein the absence of an event comprises;
  
  an absence of a request for system resources; and
  
  an absence of an event message received within a predetermined time frame; and
  
  reacting to the detected change in state,where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;
  
  generating an event message for the access request;
  
  transmitting the event message to the event processing server;
  
  in response, receiving a policy message from the event processing server comprising at least one of;
  
  allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;
  
  placing the at least one of the first and second nodes under quarantine;
  
  and defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the at least one node detecting and reacting to the change in state occurs without human intervention.
- View Dependent Claims (34, 36, 37)
- - 34. The computer-readable medium of claim 33, the method comprising communicating the change in state to an event processing server.
  - 36. The computer-readable medium of claim 34, the method comprising processing maintenance instructions received from the event processing server.
  - 37. The computer-readable medium of claim 33, the method comprising transmitting notification to a network administrator of actions taken.

38. A method for maintaining a networked computer system including:
- at least one node detecting at least one change in state;
  
  an event processing server associated with the networked computing system receiving notification of the at least one change in state from the at least one node;
  
  the event processing server responding to the notification by dispensing a maintenance decision, where the maintenance decision is based on the at least one change in state from the at least one node, the at least one change in state being a result of an absence of an event; and
  
  where the absence of an event comprises;
  
  an absence of a request for system resources; and
  
  an absence of an event message received within a predetermined time frame where the event processing server is in communication with an interceptor that is inserted in a communication path of the networked computer system,at the interceptor, detecting an access request in the communications path;
  
  generating an event message for the access request;
  
  transmitting the event message to the event processing server;
  
  in response;
  
  receiving a policy message from the event processing server comprising at least one of;
  
  allowing the access request to continue along the communications path, anddisallowing the access request to continue along the communications,where the event processing server executing a maintenance decision that affects the first and second nodes includes determining that at least one of the first and second nodes are subject to a network-borne attack and, in response, performing at least one of;
  
  placing the at least one of the first and second nodes under quarantine;
  
  and defining system operations that may not be performed on the at least one of the first and second nodes while under attack,where the at least one node detecting and reacting to the change in state occurs without human intervention.
- View Dependent Claims (39, 40, 41)
- - 39. The method of claim 38, comprising executing, by a human operator, the maintenance decision on at least one node on the networked computer system.
  - 40. The method of claim 38, comprising:
    - executing, without human intervention, the maintenance decision on at least one node on the networked computer system.
  - 41. The method of claim 40, where a human operator is prompted and allotted a predetermined period to execute the maintenance decision before it is executed without human intervention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kramer, Jeffrey A., Gladstone, Philip J. S.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
Reza; Mohammad W

Application Number

US10/172,305
Publication Number

US 20020194495A1
Time in Patent Office

2,657 Days
Field of Search

713190-210, 713/189, 726/23, 726/22, 726/11, 726/27, 709/223, 725/25
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/0254   Stateful filtering

H04L 63/1416   Event detection, e.g. attac...

Stateful distributed event processing and adaptive security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Stateful distributed event processing and adaptive security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links