System for regulating host security configuration

US 7,996,896 B2
Filed: 10/19/2007
Issued: 08/09/2011
Est. Priority Date: 10/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method of regulating communications between a server and a plurality of hosts, said server having a processor and a memory device storing processor executable instructions, said method comprising:

associating a monitoring period τ

* with a target host from among said plurality of hosts;

executing a process for determining a current host-protection configuration for said target host;

where said current host-protection configuration differs from a prior host-protection configuration;

installing said current host-protection configuration in said target host;

recording a current reconfiguration-time indicator;

determining a current reconfiguration period τ

as a difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator; and

updating said monitoring period τ

* as τ

* ←

(τ

*+τ

)/2; and

scheduling a subsequent execution of said process according to said monitoring period.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host'"'"'s current profile. The processing effort is reduced by judicial adjustment of successive monitoring periods and selectively tailoring the host-characterizing data to the conditions of each host.

46 Citations

View as Search Results

14 Claims

1. A method of regulating communications between a server and a plurality of hosts, said server having a processor and a memory device storing processor executable instructions, said method comprising:
- associating a monitoring period τ
  
  * with a target host from among said plurality of hosts;
  
  executing a process for determining a current host-protection configuration for said target host;
  
  where said current host-protection configuration differs from a prior host-protection configuration;
  
  installing said current host-protection configuration in said target host;
  
  recording a current reconfiguration-time indicator;
  
  determining a current reconfiguration period τ
  
  as a difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator; and
  
  updating said monitoring period τ
  
  * as τ
  
  * ←
  
  (τ
  
  *+τ
  
  )/2; and
  
  scheduling a subsequent execution of said process according to said monitoring period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising a step of imposing an upper bound τ
    - _b* of said monitoring period τ
      
      * so that τ
      
      *≦
      
      τ
      
      _b*, where said upper bound is specific to said target host.
  - 3. The method of claim 1 wherein said process comprises a step of executing a set of rules to determine said current host-protection configuration, where executing each rule in said set of rules comprises steps of:
    - selecting a set of queries from a superset of queries, according to a current state of said target host;
      
      sending said set of queries to said target host; and
      
      receiving from said target host a data element in response to each query in said set of queries.
  - 4. The method of claim 3 wherein said selecting comprises, for each query, starting with a root query, determining a subsequent query according to a data element received from said target host in response to said each query, where a null subsequent query completes formation of said set of queries.
  - 5. The method of claim 1 further comprising selecting each host in said plurality of hosts as said target host at least once during a cyclic global monitoring period.
  - 6. The method of claim 1 further comprising:
    - determining host-specific rules applicable to said target host;
      
      determining a set of queries from a superset of queries according to a current state of said target host;
      
      identifying for each query within said set of queries specific rules among said host-specific rules which rely on said each query; and
      
      sending said each query only once to said target host; and
      
      apply a result of said query to each of said specific rules.
  - 7. The method of claim 1 further comprising:
    - determining a set of host-specific rules applicable to said target host;
      
      determining a set of host-specific descriptors applicable to said target host;
      
      forming a table identifying specific rules, from among said set of host-specific rules, corresponding to each descriptor within said set of host-specific descriptors;
      
      sending a query to said target host to acquire a value of said each descriptor; and
      
      apply a result of said query to each of said specific rules.
  - 8. The method of claim 1 wherein said process for determining said current host-protection configuration comprises:
    - defining a superset of descriptors characterizing said target host;
      
      classifying hosts supported by said server into host classes;
      
      dividing said superset of descriptors into host-specific descriptor sets each host-specific descriptor applicable to each host within a respective host class;
      
      dividing each host-specific descriptor set into rule domains each rule domain being applicable to a respective rule and being independent of the state of said each host;
      
      determining a subset of descriptors, of said each rule domain, which are dependent on a current state of said target host;
      
      acquiring data elements characterizing said target host corresponding to said subset of descriptors; and
      
      executing said respective rule using said data elements.
  - 9. The method of claim 1 wherein said process of determining said current-host-protection configuration comprises:
    - identifying a set of queries relevant to said target host;
      
      identifying a set of rules applicable to said target host where each rule within said set of rules relies on at least one data element characterizing said target host and acquired through at least one query within said set of queries;
      
      sending all queries of said set of queries to said target host to acquire corresponding data elements;
      
      storing said corresponding data element in a memory device of said server;
      
      identifying specific queries of said set of queries which return data elements differing from corresponding previously stored data elements;
      
      identifying specific rules, within said set of rules, each of which relying on at least one of said specific queries; and
      
      executing said specific rules.

10. A method of regulating communications between a server and a plurality of hosts, said server having a processor and a memory device storing processor executable instructions, said method comprising:
- associating a monitoring period τ
  
  * with a target host;
  
  initializing to zero each of a first sum Σ
  
  ₁, a second sum Σ
  
  ₂, entry m of a vector V_m, and entry m a vector W_m, 0≦
  
  m<
  
  κ
  
  , where κ
  
  >
  
  1 is a predefined parameter;
  
  initializing a cyclic event counter j to −
  
  1;
  
  executing a process for determining a current host-protection configuration for said target host;
  
  where said current host-protection configuration differs from a prior host-protection configuration;
  
  installing said current host-protection configuration in said target host;
  
  recording a current reconfiguration-time indicator;
  
  for j≧
  
  0determining a current reconfiguration period τ
  
  as a difference between said current reconfiguration-time indicator and a prior reconfiguration-time indicator;
  
  performing the operations j←
  
  (j+1)_{modulo κ}, Σ
  
  ₁←
  
  Σ
  
  ₁+(τ
  
  −
  
  V_j), Σ
  
  ₂←
  
  Σ
  
  ₂+(τ
  
  ²W_j), V_j←
  
  τ and
  
  W_j←
  
  τ
  
  ², anddetermining a monitoring period according to Σ
  
  ₁and Σ
  
  ₂;
  
  for j<
  
  0, setting said event counter j to zero;
  
  and;
  
  scheduling a subsequent execution of said process according to said monitoring period.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 wherein said updating comprises further steps of:
    - determining a mean reconfiguration period <
      
      τ
      
      >
      
      as Σ
      
      ₁/κ
      
      ;
      
      determining a reconfiguration-period standard deviation as σ
      
      =(Σ
      
      ₂/κ
      
      −
      
      <
      
      τ
      
      >
      
      ²)^1/2; and
      
      setting said monitoring period as τ
      
      *=<
      
      τ
      
      >
      
      −
      
      α
      
      ×
      
      σ
      
      , α
      
      >
      
      0 being a predetermined design parameter.
  - 12. The method of claim 11 further comprising a step of imposing a lower bound τ
    - _a* and an upper bound τ
      
      _b* of said monitoring period τ
      
      *, so that τ
      
      _a*≦
      
      τ
      
      *≦
      
      τ
      
      _b*, said lower bound and said upper bound being specific to said target host.
  - 13. The method of claim 10 wherein said process comprises steps of:
    - sending a set of queries to said target host;
      
      receiving metadata from said target host;
      
      executing a set of rules to determine said current host-protection configuration.
  - 14. The method of claim 10 further comprising a step of determining a global monitoring period during which each host in said plurality of hosts is selected at least once as said target host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
Vaughan; Michael R

Application Number

US11/875,500
Publication Number

US 20090106842A1
Time in Patent Office

1,390 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System for regulating host security configuration

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

System for regulating host security configuration

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others