Host intrusion prevention server

US 8,230,508 B2
Filed: 04/06/2011
Issued: 07/24/2012
Est. Priority Date: 01/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method of intrusion protection of a plurality of hosts, implemented by a deep-security device having at least one processor and at least one memory device, the method comprising:

storing a set of intrusion patterns;

storing a set of data filters, each data filter for combating at least one of said intrusion patterns;

encoding a set of descriptors for characterizing said plurality of hosts;

devising a set of encoded rules for selectively assigning said data filters to said plurality of hosts according to said descriptors;

arranging descriptors of each said encoded rule into a tree structure having a root descriptor, inner descriptors, and leaf descriptors;

sending a root descriptor to a selected host; and

performing a recursive process of;

receiving state information from said selected host;

determining a subsequent descriptor according to said state information;

where said subsequent descriptor is an inner descriptor, sending said subsequent descriptor to said selected host;

andsubject to an indication that said subsequent descriptor is a leaf descriptor, determining a current security configuration for said selected host.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.

31 Citations

View as Search Results

23 Claims

1. A method of intrusion protection of a plurality of hosts, implemented by a deep-security device having at least one processor and at least one memory device, the method comprising:
- storing a set of intrusion patterns;
  
  storing a set of data filters, each data filter for combating at least one of said intrusion patterns;
  
  encoding a set of descriptors for characterizing said plurality of hosts;
  
  devising a set of encoded rules for selectively assigning said data filters to said plurality of hosts according to said descriptors;
  
  arranging descriptors of each said encoded rule into a tree structure having a root descriptor, inner descriptors, and leaf descriptors;
  
  sending a root descriptor to a selected host; and
  
  performing a recursive process of;
  
  receiving state information from said selected host;
  
  determining a subsequent descriptor according to said state information;
  
  where said subsequent descriptor is an inner descriptor, sending said subsequent descriptor to said selected host;
  
  andsubject to an indication that said subsequent descriptor is a leaf descriptor, determining a current security configuration for said selected host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - classifying said hosts into a number of classes each class including a respective subset of hosts from among said plurality of hosts;
      
      determining class-specific subsets of descriptors from among said set of descriptors; and
      
      assigning a class-specific subset of descriptors relevant of a specific class to each host of said specific class.
  - 3. The method of claim 1 further comprising selecting descriptors of each encoded rule according to:
    - state-dependent sequence of queries sent from said deep-security device to a target host; and
      
      responses to said queries received at said deep-security device.
  - 4. The method of claim 1 further comprising:
    - identifying a subset of said encoded rules applicable to said selected host according to characterizing information received from said selected host; and
      
      determining a time table for applying said subset of said encoded rules to said selected host.
  - 5. The method of claim 1 wherein said determining said current security configuration of said selected host comprises determining at least one of:
    - maintaining an existing security configuration;
      
      removal of at least one existing filter; and
      
      assigning new filters from among said set of data filters.
  - 6. The method of claim 1 further comprising interactive communications between said deep-security device and said selected host.
  - 7. The method of claim 1 further comprising employing a table identifying encoded rules pertinent to each descriptor of said set of descriptors.
  - 8. The method of claim 1 further comprising targeting each host of said plurality of hosts, for determining a respective current security configuration, at least once during a predetermined cyclic global monitoring period.
  - 9. The method of claim 1 further comprising communicating with a central server for receiving said set of data filters.
  - 10. The method of claim 1 wherein the step of determining a subsequent descriptor comprises:
    - setting a recursion-index j to zero;
      
      assigning a descriptor-index K_jto a descriptor at recursion-index j;
      
      acquiring, from said selected host, a state S_jof the descriptor corresponding to recursion-index j; and
      
      determining a subsequent descriptor k_j+1index as a function of the current descriptor index K_jand its corresponding state S_j.
  - 11. The method of claim 10 further comprising evaluating said function according to an encoded algorithm.
  - 12. The method of claim 10 further comprising evaluating said function by examining a respective lookup table.

13. A system for intrusion protection of a plurality of hosts comprising:
- a processor;
  
  a memory device, storing;
  
  a set of intrusion patterns;
  
  a set of data filters, each data filter for combating at least one of said intrusion patterns;
  
  a set of descriptors for characterizing said plurality of hosts;
  
  a set of encoded rules for selectively assigning said data filters to said plurality of hosts according to said descriptors;
  
  an encoded tree structure of descriptors for each said encoded rule, said tree structure having a root descriptor, inner descriptors, and leaf descriptors;
  
  a memory device storing processor-executable instructions which cause said processor to;
  
  send a root descriptor of an encoded rule to a selected host;
  
  receive state information from said selected host;
  
  determine a subsequent descriptor according to said state information;
  
  where said subsequent descriptor is an inner descriptor, send said subsequent descriptor to said selected host; and
  
  subject to an indication that said subsequent descriptor is a leaf descriptor, determine a current security configuration for said selected host.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system of claim 13 wherein said plurality of hosts is classified into a number of classes each class including a respective subset of hosts of said plurality of hosts, and said processor-executable instructions cause said processor to assign a class-specific subset of descriptors to each host.
  - 15. The system of claim 13 wherein said processor-executable instructions further cause said processor to select descriptors of each encoded rule according to:
    - state-dependent sequence of queries sent from said processor to said selected host; and
      
      responses to said queries received at said processor.
  - 16. The system of claim 13 wherein said processor-executable instructions further cause said processor to:
    - identify a subset of said encoded rules applicable to said selected host according to characterizing information received from said selected host; and
      
      determine a time table for applying said subset of said encoded rules to said selected host.
  - 17. The system of claim 13 wherein said current security configuration of said selected host is based on at least one of:
    - an existing security configuration to be maintained;
      
      at least one existing filter to be removed from said selected host; and
      
      new filters from among said set of data filters to be installed in said selected host.
  - 18. The system of claim 13 further comprising an interface for enabling interactive communications between said processor and said selected host.
  - 19. The system of claim 13 further comprising a table stored in a memory device for identifying encoded rules pertinent to each descriptor of said set of descriptors.
  - 20. The system of claim 13 wherein said processor-executable instructions further cause said processor to determine for each host of said plurality of hosts a respective current security configuration at least once during a predetermined cyclic global monitoring period.
  - 21. The system of claim 13 further comprising a central server providing said set of data filters.
  - 22. The system of claim 13 wherein said processor-executable instructions cause said processor to determine said subsequent descriptor by executing an encoded algorithm.
  - 23. The system of claim 13 wherein said processor-executable instructions cause said processor to determine said subsequent descriptor by examining a respective lookup table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/080,559
Publication Number

US 20110179489A1
Time in Patent Office

475 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

Host intrusion prevention server

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Host intrusion prevention server

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links