Host intrusion prevention server
First Claim
1. A method of intrusion protection of a plurality of hosts, implemented by a deep-security device having at least one processor and at least one memory device, the method comprising:
- storing a set of intrusion patterns;
- storing a set of data filters, each data filter for combating at least one of said intrusion patterns;
- encoding a set of descriptors for characterizing said plurality of hosts;
- devising a set of encoded rules for selectively assigning said data filters to said plurality of hosts according to said descriptors;
- arranging descriptors of each said encoded rule into a tree structure having a root descriptor, inner descriptors, and leaf descriptors;
- sending a root descriptor to a selected host; and
- performing a recursive process of:
  - receiving state information from said selected host;
  - determining a subsequent descriptor according to said state information;
  - where said subsequent descriptor is an inner descriptor, sending said subsequent descriptor to said selected host; and
  - subject to an indication that said subsequent descriptor is a leaf descriptor, determining a current security configuration for said selected host.
Abstract
An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.
23 Claims
13. A system for intrusion protection of a plurality of hosts comprising:
- a processor;
- a memory device storing:
  - a set of intrusion patterns;
  - a set of data filters, each data filter for combating at least one of said intrusion patterns;
  - a set of descriptors for characterizing said plurality of hosts;
  - a set of encoded rules for selectively assigning said data filters to said plurality of hosts according to said descriptors;
  - an encoded tree structure of descriptors for each said encoded rule, said tree structure having a root descriptor, inner descriptors, and leaf descriptors;
- a memory device storing processor-executable instructions which cause said processor to:
  - send a root descriptor of an encoded rule to a selected host;
  - receive state information from said selected host;
  - determine a subsequent descriptor according to said state information;
  - where said subsequent descriptor is an inner descriptor, send said subsequent descriptor to said selected host; and
  - subject to an indication that said subsequent descriptor is a leaf descriptor, determine a current security configuration for said selected host.

Dependent claims 14 to 23 are not reproduced here.
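The descriptor-tree walk that claims 1 and 13 describe, written out as an added Python example. This is not the patent's own code: the descriptor names (`os.family`, `service.web`, `service.smb`), the host state values, the filter names and the intrusion-pattern labels are all constructed for illustration, and the host is simulated by a callback that answers one descriptor at a time. The server sends only the descriptors on the path from the root to a leaf, which is the reduction in server-host traffic the abstract refers to, and an unrecognised state value falls back to a baseline filter set rather than leaving the host without a configuration (an assumption of this example, not something the claims specify).

```python
"""Toy intrusion-prevention rule engine: server walks an encoded rule tree of
descriptors, asking the host one descriptor at a time, until a leaf yields the
host's current security configuration (a set of data filters).
Added example; all names and values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple, Union


# Constructed catalogue: each data filter combats one or more intrusion patterns.
INTRUSION_PATTERNS: Dict[str, List[str]] = {
    "http-request-smuggling-filter": ["CL.TE desync", "TE.CL desync"],
    "smb-anon-session-filter": ["null-session enumeration"],
    "ssh-bruteforce-filter": ["password guessing"],
    "baseline-filter": ["malformed IP fragments"],
}

BASELINE_CONFIG = ["baseline-filter"]  # assumed fail-safe configuration


@dataclass
class Leaf:
    """Leaf descriptor: the walk ends here with a security configuration."""
    filters: List[str]


@dataclass
class Descriptor:
    """Root or inner descriptor: a question the server sends to the host.
    `children` is keyed by the state value the host may report back."""
    name: str
    children: Dict[str, Node] = field(default_factory=dict)
    fallback: Optional[Node] = None  # branch taken when the value is unknown


Node = Union[Descriptor, Leaf]


def build_rule() -> Descriptor:
    """One encoded rule: os.family -> exposed service -> configuration."""
    baseline = Leaf(list(BASELINE_CONFIG))
    linux = Descriptor("service.web", children={
        "yes": Leaf(["baseline-filter", "ssh-bruteforce-filter",
                     "http-request-smuggling-filter"]),
        "no": Leaf(["baseline-filter", "ssh-bruteforce-filter"]),
    })
    windows = Descriptor("service.smb", children={
        "yes": Leaf(["baseline-filter", "smb-anon-session-filter"]),
        "no": baseline,
    })
    return Descriptor("os.family",
                      children={"linux": linux, "windows": windows},
                      fallback=baseline)


def make_host(state: Dict[str, str]) -> Callable[[str], str]:
    """Simulated host: answers a descriptor from its current state."""
    return lambda descriptor: state.get(descriptor, "unknown")


def walk_rule(root: Descriptor,
              host_state: Callable[[str], str]) -> Tuple[List[str], List[str]]:
    """The recursive process of claim 1, iteratively.
    Returns (filters assigned to the host, descriptors actually sent)."""
    sent: List[str] = []
    node: Optional[Node] = root
    while isinstance(node, Descriptor):
        sent.append(node.name)               # server sends the descriptor
        value = host_state(node.name)        # host replies with state information
        node = node.children.get(value, node.fallback)
        if node is None:
            # Unknown state and no fallback branch: apply the baseline rather
            # than leave the host unfiltered (assumption of this example).
            return list(BASELINE_CONFIG), sent
    return sorted(node.filters), sent


def count_descriptors(node: Node, seen: Optional[Set[int]] = None) -> int:
    """Total root + inner descriptors in a rule tree (shared nodes counted once)."""
    seen = set() if seen is None else seen
    if not isinstance(node, Descriptor) or id(node) in seen:
        return 0
    seen.add(id(node))
    total = 1
    for child in list(node.children.values()) + ([node.fallback] if node.fallback else []):
        total += count_descriptors(child, seen)
    return total


def covered_patterns(filters: List[str]) -> Set[str]:
    """Intrusion patterns combated by a configuration."""
    return {p for f in filters for p in INTRUSION_PATTERNS.get(f, [])}


if __name__ == "__main__":
    rule = build_rule()
    for state in ({"os.family": "linux", "service.web": "yes"},
                  {"os.family": "windows", "service.smb": "no"},
                  {"os.family": "bsd"}):
        filters, sent = walk_rule(rule, make_host(state))
        print(f"{state}: sent {len(sent)} of {count_descriptors(rule)} descriptors "
              f"-> {filters}; covers {sorted(covered_patterns(filters))}")
```

`walk_rule` returns the descriptors it sent so that the exchange can be logged or audited per host; comparing that list against `count_descriptors` makes the streamlining visible (a three-descriptor rule costs a host at most two round trips here). Because the host's answers drive the branch selection, state information should be validated server-side against the expected value set for each descriptor before it is trusted; the `fallback` branch and the baseline return are where this example handles a value it does not expect.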