Method and system for regulating host security configuration

US 8,453,204 B2
Filed: 07/10/2012
Issued: 05/28/2013
Est. Priority Date: 10/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method, performed at a server having at least one processor, for determining current protection-software configurations for a plurality of hosts comprising:

determining a current time indicator;

determining for a target host a respective host type of a predefined set of host types;

identifying a set of host descriptors corresponding to said respective host type from a predefined superset of host descriptors;

sending a set of queries corresponding to said set of host descriptors to said target host to acquire current characterizing data elements from said target host;

comparing said current characterizing data elements with prior characterizing data elements of said target host;

where at least one current characterizing data element differs from a corresponding prior characterizing data element, updating a current protection-software configuration for said target host;

where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;

retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and

retaining said current protection-software configuration for subsequent use as prior protection-software configuration.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.

34 Citations

20 Claims

1. A method, performed at a server having at least one processor, for determining current protection-software configurations for a plurality of hosts comprising:
- determining a current time indicator;
  
  determining for a target host a respective host type of a predefined set of host types;
  
  identifying a set of host descriptors corresponding to said respective host type from a predefined superset of host descriptors;
  
  sending a set of queries corresponding to said set of host descriptors to said target host to acquire current characterizing data elements from said target host;
  
  comparing said current characterizing data elements with prior characterizing data elements of said target host;
  
  where at least one current characterizing data element differs from a corresponding prior characterizing data element, updating a current protection-software configuration for said target host;
  
  where said current protection-software configuration differs from a prior protection-software configuration, setting a host-reconfiguration time indicator to equal said current time indicator and transmitting said current protection-software configuration to said target host;
  
  retaining said current characterizing data elements for subsequent use as prior characterizing data elements; and
  
  retaining said current protection-software configuration for subsequent use as prior protection-software configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 comprising, before the step of updating said current protection-software configuration:
    - defining a superset of rules, each rule for assigning an element of said protection-software; and
      
      executing selected rules from among said superset of rules using said current characterizing data elements.
  - 3. The method of claim 2 further comprising arranging a set of descriptors, of said predefined superset of host descriptors, applicable to a rule of said selected rules in a tree structure.
  - 4. The method of claim 1 further comprising:
    - associating a monitoring interval with each query in said set of queries;
      
      identifying individual queries in said set of queries for each of which a sum of a respective monitoring interval and a prior time indicator associated with said target host exceeds said current time indicator;
      
      removing said individual queries from said set of queries; and
      
      retaining said current time indicator for subsequent use as a prior time indicator associated with said target host.
  - 5. The method of claim 1 further comprising:
    - determining a current host-reconfiguration period as said current time indicator minus a prior host-reconfiguration time indicator;
      
      determining a current monitoring interval of said target host as a function of said current host-reconfiguration period and a prior monitoring interval of said target host; and
      
      retaining said current monitoring interval for subsequent use as said prior monitoring interval of said target host.
  - 6. The method of claim 5 wherein said function is an arithmetic mean of said current host-reconfiguration period and said prior monitoring interval.
  - 7. The method of claim 1 further comprising selecting each host of said plurality of hosts as said target host at least once during a predefined cyclic global monitoring period.
  - 8. The method of claim 1 further comprising determining a time table for examining said target host.
  - 9. The method of claim 1 further comprising storing chronological data relevant to said target host.
  - 10. The method of claim 1 wherein said current protection-software configuration comprises deep-packet-inspection modules.

11. A system for determining current protection-software configurations for a set of hosts comprising a central server distributing encoded protection software to a plurality of servers through a network, each server having at least one processor and communicatively coupled to a respective subset of hosts, said each server configured to:
- determine a current time indicator;
  
  determine for a target host of said respective subset of hosts a respective host type of a predefined set of host types;
  
  identify a set of host descriptors corresponding to said respective host type from a predefined superset of host descriptors;
  
  send a set of queries corresponding to said set of host descriptors to said target host to acquire current characterizing data elements from said target host;
  
  compare said current characterizing data elements with prior characterizing data elements of said target host;
  
  update a current protection-software configuration for said target host, subject to an indication that at least one current characterizing data element differs from a corresponding prior characterizing data element;
  
  transmit said current protection-software configuration to said target host and set a host-reconfiguration time indicator to equal said current time indicator subject to an indication that said current protection-software configuration differs from a prior protection-software configuration;
  
  retain said current characterizing data elements for subsequent use as prior characterizing data elements; and
  
  retain said current protection-software configuration for subsequent use as prior protection-software configuration.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein said central server is configured to select said encoded protection software to be specific to said each server.
  - 13. The system of claim 11 further comprising a memory device storing software instructions for classifying each host of said respective subset of hosts according to predefined host types.
  - 14. The system of claim 11 further comprising a memory device storing software instructions for determining a time table for examining each host of said respective subset of hosts.
  - 15. The system of claim 11 further comprising a memory device storing:
    - a set of descriptors and corresponding queries relevant to each host type; and
      
      chronological data relevant to each host of said respective subset of hosts.
  - 16. The system of claim 11 wherein said each server is further configured to:
    - define a superset of rules, each rule for assigning an element of said protection-software; and
      
      execute selected rules of said superset of rules using said current characterizing data elements for said target host.
  - 17. The system of claim 16 wherein said each server is further configured to arrange a set of descriptors, of said predefined superset of host descriptors, applicable to a rule of said selected rules in a tree structure.
  - 18. The system of claim 11 wherein said current protection-software configuration comprises deep-packet-inspection modules.
  - 19. The system of claim 11 wherein said each server is further configured to:
    - determine a current host-reconfiguration period as said current time indicator minus a prior host-reconfiguration time indicator;
      
      determine a current monitoring interval of said target host as a function of said current host-reconfiguration period and a prior monitoring interval of said target host; and
      
      retain said current monitoring interval for subsequent use as said prior monitoring interval of said target host.
  - 20. The system of claim 19 wherein said function is an arithmetic mean of said current host-reconfiguration period and said prior monitoring interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US13/545,932
Publication Number

US 20120284795A1
Time in Patent Office

322 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Method and system for regulating host security configuration

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for regulating host security configuration

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links