Host intrusion prevention server
First Claim
1. An intrusion-prevention server coupled to a plurality of hosts, said server comprising a processor and at least one memory device having computer readable instructions stored thereon for execution by the processor, forming:
- a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;
- a plurality of encoded descriptors for characterizing said plurality of hosts;
- a plurality of encoded rules;
- a plurality of functional expressions each associated with at least one encoded rule from among said plurality of encoded rules;
- a recommendation engine for identifying a subset of said encoded rules applicable to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors; and
- a scheduler coupled to said recommendation engine for determining a time table for applying said subset of said encoded rules to said selected host.
Abstract
An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.
17 Claims
1. Independent claim, as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. An intrusion-prevention server supporting a plurality of hosts, said server comprising:
- a first memory holding a set of encoded filters for protecting said plurality of hosts from intrusion;
- a second memory holding a global set of descriptors;
- an interface with said plurality of hosts, comprising computer readable instructions stored in a computer readable storage medium for execution by a processor, for acquiring metadata for characterizing a selected host from among said plurality of hosts, the metadata comprising data elements having a one-to-one correspondence to descriptors in a domain of descriptors of said global set of descriptors;
- a third memory for holding chronological metadata of said selected host; and
- an engine having a processor for executing processor-readable instructions encoding a set of rules for determining a binary indicator of applicability of each rule of said set of rules to said selected host, where a value of said binary indicator equal to 1 assigns a respective encoded filter specified by said each rule to said selected host and a value of said binary indicator equal to 0 excludes said respective encoded filter from said selected host.
Dependent claims: 9, 10, 11.
12. A method, implemented at a server having a processor and a processor-readable storage medium, for expediting provisioning of intrusion-protection software to a plurality of hosts, the method comprising:
- devising a superset of rules for selectively assigning intrusion-protection software to said plurality of hosts;
- defining a superset of descriptors for characterizing said plurality of hosts;
- acquiring from a target host, from among said plurality of hosts, a first set of descriptors relevant to a first rule;
- executing said first rule according to said first set of descriptors;
- identifying a second set of descriptors relevant to a second rule where said second set of descriptors intersects said first set of descriptors in at least one descriptor;
- acquiring from said target host a subset of said second set of descriptors, said subset excluding said at least one descriptor; and
- executing said second rule according to said subset and said at least one descriptor.
Dependent claims: 13, 14, 15, 16, 17.
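The rule engine of claim 8 (a functional expression per rule yielding a binary applicability indicator that assigns or excludes a filter) and the incremental descriptor acquisition of claim 12 (a second rule requests only the descriptors the first rule did not already fetch), as an added Python illustration. This is not code from the patent or from any product implementing it; the descriptor names, host inventory, rule expressions and `FILTER-*` identifiers are constructed placeholders, and the `HostInterface` class stands in for whatever agent protocol a real server would use to query its hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed "superset of descriptors" (claim 12) / "global set of descriptors" (claim 8).
GLOBAL_DESCRIPTORS: FrozenSet[str] = frozenset(
    {"os", "os_version", "web_server", "db_engine", "open_ports"}
)


@dataclass(frozen=True)
class Rule:
    """An encoded rule: the descriptors it reads, the functional expression that
    yields the binary applicability indicator, and the filters assigned when it is 1."""
    name: str
    descriptors: FrozenSet[str]
    expression: Callable[[Dict[str, object]], bool]
    filters: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = self.descriptors - GLOBAL_DESCRIPTORS
        if unknown:  # a rule may only reference descriptors from the global set
            raise ValueError(f"rule {self.name} uses undefined descriptors {sorted(unknown)}")


# Constructed host inventory; a real server would obtain these values from the hosts.
HOST_INVENTORY: Dict[str, Dict[str, object]] = {
    "host-a": {"os": "linux", "os_version": "5.10", "web_server": "apache",
               "db_engine": None, "open_ports": (22, 80)},
    "host-b": {"os": "windows", "os_version": "10", "web_server": None,
               "db_engine": "mssql", "open_ports": (1433, 3389)},
}


class HostInterface:
    """Simulated interface to the hosts. Every acquire() call is one round trip;
    the log lets us measure how much descriptor traffic the reuse saves."""

    def __init__(self, inventory: Dict[str, Dict[str, object]]) -> None:
        self.inventory = inventory
        self.round_trips: List[FrozenSet[str]] = []

    def acquire(self, host: str, descriptors: Iterable[str]) -> Dict[str, object]:
        wanted = frozenset(descriptors)
        self.round_trips.append(wanted)
        return {d: self.inventory[host][d] for d in wanted}

    def descriptors_transferred(self) -> int:
        return sum(len(trip) for trip in self.round_trips)


class RecommendationEngine:
    def __init__(self, rules: List[Rule], interface: HostInterface) -> None:
        self.rules = rules
        self.interface = interface
        # Chronological metadata per host (claim 8's "third memory"): once a
        # descriptor has been acquired, every later rule reuses it.
        self.metadata: Dict[str, Dict[str, object]] = defaultdict(dict)

    def applicability(self, host: str, rule: Rule) -> int:
        """Binary indicator: 1 assigns the rule's filters, 0 excludes them."""
        known = self.metadata[host]
        missing = rule.descriptors - set(known)
        if missing:  # claim 12: fetch only the descriptors not already held
            known.update(self.interface.acquire(host, missing))
        view = {d: known[d] for d in rule.descriptors}
        return 1 if rule.expression(view) else 0

    def assign_filters(self, host: str) -> Set[str]:
        assigned: Set[str] = set()
        for rule in self.rules:
            if self.applicability(host, rule) == 1:
                assigned |= rule.filters
        return assigned


# Constructed rules; the filter names are placeholders, not real signature identifiers.
RULES: List[Rule] = [
    Rule("apache-on-linux", frozenset({"os", "web_server"}),
         lambda m: m["os"] == "linux" and m["web_server"] == "apache",
         frozenset({"FILTER-APACHE-REQUEST"})),
    Rule("ssh-exposed", frozenset({"os", "open_ports"}),
         lambda m: 22 in m["open_ports"], frozenset({"FILTER-SSH-AUTH"})),
    Rule("database-present", frozenset({"db_engine"}),
         lambda m: m["db_engine"] is not None, frozenset({"FILTER-SQL-QUERY"})),
]


def provision(host: str) -> Tuple[List[str], int, int]:
    """Return (assigned filters, descriptors actually transferred,
    descriptors that would be transferred if each rule fetched its own set)."""
    interface = HostInterface(HOST_INVENTORY)
    engine = RecommendationEngine(RULES, interface)
    filters = engine.assign_filters(host)
    naive = sum(len(rule.descriptors) for rule in RULES)
    return sorted(filters), interface.descriptors_transferred(), naive


if __name__ == "__main__":
    for name in HOST_INVENTORY:
        print(name, provision(name))
```

For both constructed hosts the second rule shares the `os` descriptor with the first, so the engine asks the host only for `open_ports` on the second round trip: four descriptors cross the wire instead of five. The saving grows with the overlap between rules, which is the point of claim 12; with no overlap the engine degrades to one fetch per rule and nothing is lost.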