Self-isolating and self-healing networked devices

US 8,154,987 B2
Filed: 06/09/2004
Issued: 04/10/2012
Est. Priority Date: 06/09/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

monitoring a host electronic system with a monitoring component of the host electronic system to determine whether a network connection for the host electronic system is operating within a predefined operating profile that includes at least network packet transmission parameters, wherein the monitoring component comprises an embedded agent;

generating an indication of out-of-profile operation when the network connection for the host electronic system is not operating within the predefined operating profile;

taking action on one or more components within the host electronic system in response to the indication of out-of-profile operation by isolating the one or more components from a network to which the host electronic system is coupled while maintaining an out-of-band communication channel for the host electronic system, wherein the out-of-band communication channel is maintained by the embedded agent that operates independently of a host operating system executing on the host electronic system and is used for management purposes to allow one or more components not isolated from the network to restore or repair a condition causing the out-of-profile operation, wherein the embedded agent is coupled to an embedded firmware agent via a bi-directional agent bus, and the embedded agent and embedded firmware agent operate together to provide manageability and/or security functionality;

examining, as part of a network authentication process when the host system is first authenticated to the network, a connection history of the host electronic system to determine a boot history and network connection history of the host system since a previous secure connection, wherein the connection history comprises at least an amount of traffic, a kind of traffic by category and a destination network; and

isolating the host electronic system if untrusted networks were contacted or untrusted peripherals were installed until an approved configuration can be validated or restored via the out-of-band network connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.

68 Citations

View as Search Results

58 Claims

1. A method comprising:
- monitoring a host electronic system with a monitoring component of the host electronic system to determine whether a network connection for the host electronic system is operating within a predefined operating profile that includes at least network packet transmission parameters, wherein the monitoring component comprises an embedded agent;
  
  generating an indication of out-of-profile operation when the network connection for the host electronic system is not operating within the predefined operating profile;
  
  taking action on one or more components within the host electronic system in response to the indication of out-of-profile operation by isolating the one or more components from a network to which the host electronic system is coupled while maintaining an out-of-band communication channel for the host electronic system, wherein the out-of-band communication channel is maintained by the embedded agent that operates independently of a host operating system executing on the host electronic system and is used for management purposes to allow one or more components not isolated from the network to restore or repair a condition causing the out-of-profile operation, wherein the embedded agent is coupled to an embedded firmware agent via a bi-directional agent bus, and the embedded agent and embedded firmware agent operate together to provide manageability and/or security functionality;
  
  examining, as part of a network authentication process when the host system is first authenticated to the network, a connection history of the host electronic system to determine a boot history and network connection history of the host system since a previous secure connection, wherein the connection history comprises at least an amount of traffic, a kind of traffic by category and a destination network; and
  
  isolating the host electronic system if untrusted networks were contacted or untrusted peripherals were installed until an approved configuration can be validated or restored via the out-of-band network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises monitoring network traffic from the host electronic system to determine whether a quantity of network traffic is within a network traffic quantity profile as defined by the operating profile.
  - 3. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises monitoring network traffic from the host electronic system to determine whether a quantity of network traffic in a plurality of network traffic categories is within a network traffic quantity and traffic category profile as defined by the operating profile.
  - 4. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises monitoring network traffic from the host electronic system to determine whether one or more destinations of network traffic are within a network traffic destination profile as defined by the operating profile.
  - 5. The method of claim 1 wherein taking action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprises disabling a network interface in response to the indication of out-of-profile operation.
  - 6. The method of claim 5 wherein disabling the network interface comprises logically disabling the network interface by writing a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation.
  - 7. The method of claim 6 wherein writing a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation comprises writing the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the network interface.
  - 8. The method of claim 1 wherein taking action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprises disabling a device coupled with a host system bus in response to the indication of out-of-profile operation.
  - 9. The method of claim 8 wherein disabling the device coupled with the host system bus comprises logically disabling the device by writing a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation.
  - 10. The method of claim 9 wherein writing a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation comprises writing the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the device.
  - 11. The method of claim 1 wherein taking action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprises throttling network traffic.
  - 12. The method of claim 1 wherein taking action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprises redirecting network traffic.
  - 13. The method of claim 1 wherein taking action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprises sending an alert corresponding to the indication to a network administration device.
  - 14. The method of claim 1 wherein the host electronic system comprises a computer system.
  - 15. The method of claim 1 wherein the host electronic system comprises a network router.
  - 16. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises searching files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters.
  - 17. The method of claim 1 further comprising:
    - receiving an updated operating profile from a remote device;
      
      monitoring the host electronic system to determine whether the host electronic system is operating within the updated operating profile; and
      
      generating the indication of out-of-profile operation when the host electronic system is not operating within the updated operating profile.
  - 18. The method of claim 17 wherein receiving the updated operating profile from the remote device comprises receiving programming instructions from the remote device.
  - 19. The method of claim 17 wherein receiving the updated operating profile from the remote device comprises receiving configuration data from the remote device.
  - 20. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises scanning a dynamic memory of the host electronic system to determine the presence and integrity of pre-selected security software components.
  - 21. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises determining whether the host electronic system is coupled with a network that complies with the predefined operating profile.
  - 22. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises determining whether the host electronic system has been booted from unauthorized media.
  - 23. The method of claim 1 wherein monitoring the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprises determining whether a Basic Input/Output System (BIOS) of the host electronic system complies with the predefined operating profile.

24. An article comprising a non-transitory computer-readable medium having stored thereon instructions that, when executed, cause one or more processors to:
- monitor a host electronic system with a monitoring component of the host electronic system to determine whether a network connection for the host electronic system is operating within a predefined operating profile that includes at least network packet transmission parameters, wherein the monitoring component comprises an embedded agent;
  
  generate an indication of out-of-profile operation when the network connection for the host electronic system is not operating within the predefined operating profile;
  
  take action on one or more components within the host electronic system in response to the indication of out-of-profile operation by isolating the one or more components from a network to which the host electronic system is coupled while maintaining an out-of-band communication channel for the host electronic system, wherein the out-of-band communication channel is maintained by the embedded agent that operates independently of a host operating system executing on the host electronic system and is used for management purposes to allow one or more components not isolated from the network to restore or repair a condition causing the out-of-profile operation, wherein the embedded agent is coupled an to embedded firmware agent via a bi-directional agent bus, and the embedded agent and embedded firmware agent operate together to provide manageability and/or security functionality;
  
  examine, as part of a network authentication process when the host system is first authenticated to the network, a connection history of the host electronic system to determine a boot history and network connection history of the host system since a previous secure connection, wherein the connection history comprises at least an amount of traffic, a kind of traffic by category and a destination network; and
  
  isolate the host electronic system if untrusted networks were contacted or untrusted peripherals were installed until an approved configuration can be validated or restored via the out-of-band network connection.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 25. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether a quantity of network traffic is within a network traffic quantity profile as defined by the operating profile.
  - 26. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether a quantity of network traffic in a plurality of network traffic categories is within a network traffic quantity and traffic category profile as defined by the operating profile.
  - 27. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether one or more destinations of network traffic are within a network traffic destination profile as defined by the operating profile.
  - 28. The article of claim 24 wherein the instructions that cause the one or more processors to disable one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed, cause the one or more processors to disable a network interface in response to the indication of out-of-profile operation.
  - 29. The article of claim 28 wherein the instructions that cause the one or more processors to disable the network interface comprise instructions that, when executed, cause the one or more processors to logically disable the network interface by writing a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation.
  - 30. The article of claim 29 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the network interface.
  - 31. The article of claim 24 wherein the instructions that cause the one or more processors to disable one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed, cause the one or more processors to disable a device coupled with a host system bus in response to the indication of out-of-profile operation.
  - 32. The article of claim 31 wherein the instructions that cause the one or more processors to disable the device coupled with the host system bus comprise instructions that, when executed, cause the one or more processors to logically disable the device by writing a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation.
  - 33. The article of claim 32 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the device.
  - 34. The article of claim 24 wherein the instructions that cause the one or more processors to take action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed cause the one or more processors to throttle network traffic.
  - 35. The article of claim 24 wherein the instructions that cause the one or more processors to take action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that cause the one or more processors to redirect network traffic.
  - 36. The article of claim 24 wherein the instructions that cause the one or more processors to take action on the one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed, cause the one or more processors to send an alert corresponding to the indication to a network administration device.
  - 37. The article of claim 24 wherein the host electronic system comprises a computer system.
  - 38. The article of claim 24 wherein the host electronic system comprises a network router.
  - 39. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to search files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters.
  - 40. The article of claim 24 further comprising instructions that, when executed, cause the one or more processors to:
    - receive an updated operating profile from a remote device;
      
      monitor the host electronic system to determine whether the host electronic system is operating within the updated operating profile; and
      
      generate the indication of out-of-profile operation when the host electronic system is not operating within the updated operating profile.
  - 41. The article of claim 40 wherein the instructions that cause the one or more processors to receive the updated operating profile from the remote device comprise instructions that, when executed, cause the one or more processors to receive further instructions from the remote device.
  - 42. The article of claim 40 wherein the instructions that cause the one or more processors to receive the updated operating profile from the remote device comprise instructions that, when executed, cause the one or more processors to receive configuration data from the remote device.
  - 43. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that cause the one or more processors to scan a dynamic memory of the host electronic system to determine the presence and integrity of pre-selected security software components.
  - 44. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to determine whether the host electronic system is coupled with a network that complies with the predefined operating profile.
  - 45. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to determine whether the host electronic system has been booted from unauthorized media.
  - 46. The article of claim 24 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to determine whether a Basic Input/Output System (BIOS) of the host electronic system complies with the predefined operating profile.

47. A system comprising:
- dynamic random access memory (DRAM);
  
  one or more processors coupled with the DRAM; and
  
  a computer-readable medium having stored thereon instructions that, when executed, cause the one or more processors to monitor a host electronic system with a monitoring component of the host electronic system to determine whether a network connection for the host electronic system is operating within a predefined operating profile that includes at least network packet transmission parameters, wherein the monitoring component comprises an embedded agent, to generate an indication of out-of-profile operation when the network connection for the host electronic system is not operating within the predefined operating profile, to take action on one or more components within the host electronic system in response to the indication of out-of-profile operation by isolating the one or more components from a network to which the host electronic system is coupled while maintaining an out-of-band communication channel for the host electronic system, wherein the out-of-band communication channel is maintained by the embedded agent that operates independently of a host operating system executing on the host electronic system and is used for management purposes to allow one or more components not isolated from the network to restore or repair a condition causing the out-of-profile operation, wherein the embedded agent is coupled to an embedded firmware agent via a bi-directional agent bus, and the embedded agent and embedded firmware agent operate together to provide manageability and/or security functionality, to examine, as part of a network authentication process when the host system is first authenticated to the network, a connection history of the host electronic system to determine a boot history and network connection history of the host system since a previous secure connection, wherein the connection history comprises at least an amount of traffic, a kind of traffic by category and a destination network; and
  
  , and to isolate the host electronic system if untrusted networks were contacted or untrusted peripherals were installed until an approved configuration can be validated or restored via the out-of-band network connection.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 48. The system of claim 47 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether a quantity of network traffic is within a network traffic quantity profile as defined by the operating profile.
  - 49. The system of claim 47 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether a quantity of network traffic in a plurality of network traffic categories is within a network traffic quantity and traffic category profile as defined by the operating profile.
  - 50. The system of claim 47 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that when executed, cause the one or more processors to monitor network traffic from the host electronic system to determine whether one or more destinations of network traffic are within a network traffic destination profile as defined by the operating profile.
  - 51. The system of claim 47 wherein the instructions that cause the one or more processors to disable one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed, cause the one or more processors to disable a network interface in response to the indication of out-of-profile operation.
  - 52. The system of claim 47 wherein the instructions that cause the one or more processors to disable the network interface comprise instructions that, when executed, cause the one or more processors to logically disable the network interface by writing a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation.
  - 53. The system of claim 52 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the network interface to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the network interface.
  - 54. The system of claim 47 wherein the instructions that cause the one or more processors to disable one or more components within the host electronic system in response to the indication of out-of-profile operation comprise instructions that, when executed, cause the one or more processors to disable a device coupled with a host system bus in response to the indication of out-of-profile operation.
  - 55. The system of claim 54 wherein the instructions that cause the one or more processors to disable the device coupled with the host system bus comprise instructions that, when executed, cause the one or more processors to logically disable the device by writing a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation.
  - 56. The system of claim 55 wherein the instructions that cause the one or more processors to write a pre-selected value to a control register corresponding to the device to be logically disabled using a configuration operation comprise instructions that, when executed, cause the one or more processors to write the pre-selected value to a Peripheral Component Interconnect (PCI) Command register corresponding to the device.
  - 57. The system of claim 47 wherein the instructions that cause the one or more processors to monitor the host electronic system to determine whether the host electronic system is operating within the predefined operating profile comprise instructions that, when executed, cause the one or more processors to search files of the host electronic system for predetermined indications corresponding to one or more predefined risk parameters.
  - 58. The system of claim 47, wherein the computer-readable medium further comprising instructions that, when executed, cause the one or more processors to receive an updated operating profile from a remote device, monitor the host electronic system to determine whether the host electronic system is operating within the updated operating profile, and generate the indication of out-of-profile operation when the host electronic system is not operating within the updated operating profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yavatkar, Raj, Crouch, Alan, Durham, David M.
Primary Examiner(s)
Bates, Kevin
Assistant Examiner(s)
MCADAMS, BRAD

Application Number

US10/865,365
Publication Number

US 20050276228A1
Time in Patent Office

2,862 Days
Field of Search

713/187, 714/36, 709/224, 726 21- 27
US Class Current

370/216
CPC Class Codes

H04J 3/14   Monitoring arrangements for...

H04L 63/0227   Filtering policies mail mes...

H04L 63/145   the attack involving the pr...

H04L 67/303   Terminal profiles

H04L 67/61   taking into account QoS or ...

H04L 69/40   for recovering from a failu...

Self-isolating and self-healing networked devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Self-isolating and self-healing networked devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links