Host intrusion prevention server

US 7,930,747 B2
Filed: 10/21/2007
Issued: 04/19/2011
Est. Priority Date: 01/08/2007
Status: Expired due to Fees

First Claim

Patent Images

1. An intrusion-prevention server coupled to a plurality of hosts, said server comprising a processor and at least one memory device having computer readable instructions stored thereon for execution by the processor, forming:

a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;

a plurality of encoded descriptors for characterizing said plurality of hosts;

a plurality of encoded rules;

a plurality of functional expressions each associated with at least one encoded rule from among said plurality of encoded rules;

a recommendation engine for identifying a subset of said encoded rules applicable to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors; and

a scheduler coupled to said recommendation engine for determining a time table for applying said subset of said encoded rules to said selected host.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.

30 Citations

View as Search Results

17 Claims

1. An intrusion-prevention server coupled to a plurality of hosts, said server comprising a processor and at least one memory device having computer readable instructions stored thereon for execution by the processor, forming:
- a plurality of data filters, each data filter corresponding to at least one intrusion pattern from among a set of intrusion patterns;
  
  a plurality of encoded descriptors for characterizing said plurality of hosts;
  
  a plurality of encoded rules;
  
  a plurality of functional expressions each associated with at least one encoded rule from among said plurality of encoded rules;
  
  a recommendation engine for identifying a subset of said encoded rules applicable to a selected host from among said plurality of hosts to assign a subset of said data filters to said selected host according to metadata received from said selected host, said metadata corresponding to selected descriptors from among said encoded descriptors; and
  
  a scheduler coupled to said recommendation engine for determining a time table for applying said subset of said encoded rules to said selected host.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The intrusion-prevention server of claim 1 further comprising an interface communicatively coupled to a central server for receiving said data filters, said encoded descriptors, and said encoded rules.
  - 3. The intrusion-prevention server of claim 1 wherein at least one encoded rule is encoded as a tree of descriptors and executing said each encoded rule uses descriptors starting from a root descriptor to a leaf descriptor.
  - 4. The intrusion-prevention server of claim 1 further comprising a database. having computer readable instructions stored in a computer readable storage medium for execution by a processor, maintaining a profile of each host in said plurality of hosts.
  - 5. The intrusion-prevention server of claim 4 further comprising a first software program. comprising computer readable instructions stored in a computer readable storage medium for execution by a processor, for:
    - defining a plurality of host types according to said profile of each host;
      
      determining a host-specific subset of descriptors from among said encoded descriptors for each of said host types; and
      
      associating each host in said plurality of hosts with a host type from among said plurality of host types.
  - 6. The intrusion-prevention server of claim 5 further comprising a second software program, comprising computer readable instructions stored in a computer readable storage medium for execution by a processor, for determining a rule-specific subset of descriptors, from among said encoded descriptors, for each of said rules.
  - 7. The intrusion-prevention server of claim 6 further comprising a third software program, comprising computer readable instructions stored in a computer readable storage medium for execution by a processor, for determining an intersection of each host-specific subset of descriptors with each rule-specific subset of descriptors to determine a rule domain specific to each host.

8. An intrusion-prevention server supporting a plurality of hosts, said server comprising:
- a first memory holding a set of encoded filters for protecting said plurality of hosts from intrusion;
  
  a second memory holding a global set of descriptors;
  
  an interface with said plurality of hosts, comprising computer readable instructions stored in a computer readable storage medium for execution by a processor, for acquiring metadata for characterizing a selected host from among said plurality of hosts, the metadata comprising data elements having a one-to-one correspondence to descriptors in a domain of descriptors of said global set of descriptors;
  
  a third memory for holding chronological metadata of said selected host;
  
  andan engine having a processor for executing processor-readable instructions encoding a set of rules for determining a binary indicator of applicability of each rule of said set of rules to said selected host where a value of said binary indicator equal to 1 assigns a respective encoded filter specified by said each rule to said selected host and a value of said binary indicator equal to 0 excludes said respective encoded filter from said selected host.
- View Dependent Claims (9, 10, 11)
- - 9. The intrusion-prevention server of claim 8 further comprising a memory holding instructions for determining said domain of descriptors using said chronological metadata.
  - 10. The intrusion-prevention server of claim 8 wherein said engine is configured to select a subset of descriptors from within said domain of descriptors according to a current state of said selected host and determines said binary indicator based solely on said subset of descriptors.
  - 11. The intrusion-prevention server of claim 10 wherein said each rule is associated with a tree of descriptors and said subset of descriptors are descriptors along a tree path between a root descriptor and a leaf descriptor of said tree of descriptors.

12. A method, implemented at a server having a processor and a processor-readable storage medium, for expediting provisioning of intrusion-protection software to a plurality of hosts, the method comprising:
- devising a superset of rules for selectively assigning intrusion-protection software to said plurality of hosts;
  
  defining a superset of descriptors for characterizing said plurality of hosts;
  
  acquiring from a target host, from among said plurality of hosts, a first set of descriptors relevant to a first rule;
  
  executing said first rule according to said first set of descriptors;
  
  identifying a second set of descriptors relevant to a second rule where said second set of descriptors intersects said first set of descriptors in at least one descriptor;
  
  acquiring from said target host, a subset of said second set of descriptors, said subset excluding said at least one descriptor; and
  
  executing said second rule according to said subset and said at least one descriptor.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12 further comprising a step of defining a host-specific set of rules, from among said superset of rules, comprising rules applicable to each host in said plurality of hosts so that said first rule and said second rule belong to a set of rules specific to said target host.
  - 14. The method of claim 12 further comprising:
    - executing a number of rules exceeding two; and
      
      sharing descriptors acquired from said target host among said number of rules so that the descriptors acquired from said target host for said number of rules collectively correspond to a union of descriptors defining said number of rules.
  - 15. The method of claim 12 further comprising a step of selecting said first set of descriptors and said second set of descriptors according to a current state of said target host.
  - 16. The method of claim 15 further comprising defining a domain of descriptors for each rule, said domain comprising descriptors from said superset of descriptors relevant to said each rule so that said first set of descriptors belongs to a domain of said first rule and said second set of descriptors belongs to a domain of said second rule.
  - 17. The method of claim 16 further comprising:
    - arranging said domain of descripVictoria-tors of said each rule in a tree structure having a root descriptor, inner descriptors, and leaf descriptors;
      
      setting a current descriptor to equal said root descriptor;
      
      starting a rule path of said each rule for said target host from said root descriptor;
      
      determining a subsequent descriptor along said rule path according to a data element of said target host corresponding to said current descriptor;
      
      where said subsequent descriptor is a leaf descriptor, executing said each rule; and
      
      where said subsequent descriptor is an inner descriptor, updating said current descriptor to equal said subsequent descriptor and repeating the step of determining.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US11/875,950
Publication Number

US 20080168561A1
Time in Patent Office

1,276 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

Host intrusion prevention server

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Host intrusion prevention server

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links