System for regulating host security configuration
First Claim
1. A recommendation engine coupled to a server computer in communication with a plurality of hosts, the recommendation engine comprising:
- computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to:
determine a host type, from among a predefined set of host types, of a target host;
determine a set of host-specific descriptors applicable to said host type;
send queries to said target host according to said set of host-specific descriptors;
determine a current host-protection configuration for said target host according to responses to said queries;
detect discrepancy between said current host-protection configuration and a prior host-protection configuration;
install said current host-protection configuration in said target host upon detecting said discrepancy;
record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration;
determine a monitoring period for said target host according to a value of at least one of said successive host-reconfiguration periods;
and a scheduler for activating said intrusion-protection instructions according to said monitoring period.
Abstract
A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.
20 Claims
and execute said set of rules.
6. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to determine said monitoring period as a function of a current host-reconfiguration period of said successive host-reconfiguration periods and a preceding monitoring period of said target host.
7. The recommendation engine of claim 6 wherein said intrusion-protection instructions further cause said processor to determine said monitoring period for each host of the plurality of hosts.
8. The recommendation engine of claim 6 wherein the function is an arithmetic mean value.
9. The recommendation engine of claim 6 wherein the function is a geometric mean value.
10. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to determine said monitoring period as a function of a predetermined number of host-reconfiguration periods of said successive host-reconfiguration periods.
11. The recommendation engine of claim 10 wherein said intrusion-protection instructions further cause said processor to determine said monitoring period for each host of the plurality of hosts.
12. The recommendation engine of claim 10 wherein the function is an arithmetic mean value.
13. The recommendation engine of claim 12 wherein said intrusion-protection instructions further cause said processor to determine said monitoring period as said arithmetic mean value minus a standard deviation of said predetermined number of host-reconfiguration periods subject to a condition that the monitoring period exceeds a predetermined lower bound.
14. The recommendation engine of claim 10 wherein the function is a geometric mean value.
15. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to:
determine host-specific rules applicable to said target host;
determine a set of queries from a superset of queries according to a current state of said target host;
identify for each query within said set of queries specific rules among said host-specific rules which rely on said each query;
send said each query only once to said target host; and
apply a result of said query to each of said specific rules.
16. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to:
determine a set of host-specific rules applicable to said target host;
identify specific rules, from among said set of host-specific rules, corresponding to each descriptor within said set of host-specific descriptors;
send a query to said target host to acquire a value of said each descriptor; and
apply a result of said query to each of said specific rules.
17. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to:
define a superset of descriptors characterizing said target host;
classify hosts supported by said server into host classes;
divide said superset of descriptors into host-specific descriptor sets each host-specific descriptor applicable to each host within a respective host class;
divide each host-specific descriptor set into rule domains each rule domain being applicable to a respective rule and being independent of the state of said each host;
determine a subset of descriptors, of said each rule domain, which are dependent on a current state of said target host;
acquire data elements characterizing said target host corresponding to said subset of descriptors; and
execute said respective rule using said data elements.
18. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to impose an upper bound of said monitoring period, the upper bound being specific to said target host.
19. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to impose a lower bound of said monitoring period, the lower bound being specific to said target host.
20. The recommendation engine of claim 1 wherein said intrusion-protection instructions further cause said processor to determine a global monitoring period during which each host in said plurality of hosts is selected at least once as said target host.
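The monitoring-period calculations recited in claims 6, 8 to 10, 12 to 14, 18 and 19 can be sketched as follows. This is an added example, not code from the patent: the function names, the sample change times (in hours), the bounds of 10 and 18 hours, and the use of the population standard deviation are all assumptions.

```python
import math
import statistics

def reconfiguration_periods(change_times):
    """Gaps between successive instants at which a configuration discrepancy was detected."""
    return [later - earlier for earlier, later in zip(change_times, change_times[1:])]

def smoothed_period(current_reconfig, previous_monitoring, mean="arithmetic"):
    """Claims 6, 8, 9: combine the current reconfiguration period with the preceding monitoring period."""
    if current_reconfig <= 0 or previous_monitoring <= 0:
        raise ValueError("periods must be positive")
    if mean == "geometric":
        return math.sqrt(current_reconfig * previous_monitoring)
    return (current_reconfig + previous_monitoring) / 2

def windowed_period(periods, window, mean="arithmetic", minus_stddev=False):
    """Claims 10, 12, 13, 14: statistic over the last `window` reconfiguration periods."""
    if window < 1:
        raise ValueError("window must be at least 1")
    recent = periods[-window:]
    if not recent or min(recent) <= 0:
        raise ValueError("need at least one positive reconfiguration period")
    if mean == "geometric":
        return statistics.geometric_mean(recent)
    value = statistics.fmean(recent)
    if minus_stddev:
        # Assumption: population standard deviation; the claim does not say which.
        value -= statistics.pstdev(recent)
    return value

def clamp(period, lower, upper):
    """Claims 18, 19: host-specific lower and upper bounds on the monitoring period."""
    return max(lower, min(upper, period))

# Constructed sample: hours at which one host's configuration was found changed.
CHANGE_TIMES = [0, 8, 16, 48, 80]
PERIODS = reconfiguration_periods(CHANGE_TIMES)  # [8, 8, 32, 32]

if __name__ == "__main__":
    candidates = [
        ("arithmetic mean", windowed_period(PERIODS, 4)),
        ("geometric mean", windowed_period(PERIODS, 4, mean="geometric")),
        ("mean minus stddev", windowed_period(PERIODS, 4, minus_stddev=True)),
        ("smoothed (claim 6)", smoothed_period(PERIODS[-1], 8)),
    ]
    for label, raw in candidates:
        print(f"{label:20s} raw={raw:6.2f}h scheduled={clamp(raw, 10, 18):6.2f}h")
```

On this sample the mean-minus-deviation variant falls to 8 hours and is held at the lower bound, while the plain arithmetic mean of 20 hours is capped by the upper bound, so the bounds decide the schedule whenever a host's change history is bursty.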
Specification