Dynamic provisioning of protection software in a host intrusion prevention system
First Claim
1. An intrusion-protection system comprising:
a plurality of agents, each agent installed in a respective computer of a plurality of computers, said each agent comprising respective deep-packet-inspection modules, stored in a memory of said respective computer, for monitoring computer activities and identifying intrusions;
a plurality of local servers, each local server comprising:
at least one processor;
at least one memory device storing detection software; and
an interface communicatively coupled to each computer in a respective subset of said plurality of computers; and
a central server maintaining a software library comprising deep-packet-inspection modules stored in a non-transitory computer-readable medium, said central server communicating said library to said each local server;
said detection software causes said at least one processor to:
recursively acquire a set of data elements from an agent installed in said each computer, said set of data elements characterizing a current configuration and running processes of said each computer, where a data element acquired from processing a query sent from said each local server to said each computer indicates one of:
a requirement for a requisite subsequent data element for characterization of said each computer; and
completion of acquisition of all data elements;
identify requisite deep-packet-inspection modules of said library compatible with said set of data elements;
determine presence of each said requisite deep-packet-inspection module in said each computer; and
responsive to an indication that at least one deep-packet-inspection module of said requisite deep-packet-inspection modules is not present in said each computer, install said at least one deep-packet-inspection module in said each computer.
8 Assignments
0 Petitions
Abstract
Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.
15 Claims
1. An intrusion-protection system comprising: (independent claim 1, reproduced in full under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. At a server having at least one processor, a method of intrusion prevention comprising:
specifying data elements for characterizing a plurality of computers communicatively coupled to said server, each data element corresponding to a descriptor from a predefined superset of descriptors;
acquiring, from a central server, a software library comprising DPI modules for protecting said plurality of computers, said DPI modules comprising deep-packet-inspection instructions;
storing, in a memory device of said server, detection software which causes a processor of said server to perform processes of:
recursive acquisition of a succession of data elements from an agent installed in a target computer of said plurality of computers, where a data element acquired from processing a query sent from said each local server to said target computer indicates one of:
a requirement for a requisite subsequent data element for characterization of said target computer; and
completion of acquisition of all data elements;
identifying requisite DPI modules of said library compatible with said succession of data elements;
determining presence of each said DPI module in said target computer; and
responsive to an indication that at least one DPI module of said requisite DPI modules is not present in said target computer, installing said at least one DPI module in said target computer.
Dependent claims: 12, 13, 14, 15.
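The abstract and independent claims 1 and 11 all describe the same local-server procedure: query the host agent for one data element at a time, where each answer either makes a further descriptor requisite or completes characterization; match the acquired elements against the library's rules to find the requisite DPI modules; then install only those not already present. The following is an added illustration of that procedure in Python, not code from the patent or its assignee. The descriptor names, the `Agent` stand-in, the follow-up rules and the module names are all constructed assumptions chosen to make the control flow visible.

```python
"""Added example: one local-server provisioning pass modelled on the claims.

Everything here (descriptors, module names, the Agent class) is constructed for
illustration; none of it is the patent's own implementation.
"""
from typing import Callable

# Constructed superset of descriptors the local server may query (assumption).
DESCRIPTOR_SUPERSET = frozenset(
    {"os", "os_version", "listening_services", "web_server", "db_engine"}
)


class Agent:
    """Constructed stand-in for a per-host agent.

    `facts` is what the agent would discover on its host; `installed` is the
    set of DPI modules already present in the host's memory.
    """

    def __init__(self, facts: dict, installed: set):
        self.facts = dict(facts)
        self.installed = set(installed)

    def query(self, descriptor: str):
        # Answer one local-server query with the requested data element.
        if descriptor not in DESCRIPTOR_SUPERSET:
            raise ValueError(f"unknown descriptor {descriptor!r}")
        return self.facts.get(descriptor)

    def install(self, module: str) -> None:
        self.installed.add(module)


def follow_ups(descriptor: str, value) -> list[str]:
    """Adaptive rule: which further descriptors a data element makes requisite.

    An empty list means this branch of characterization is complete.
    """
    if descriptor == "os":
        return ["os_version", "listening_services"]
    if descriptor == "listening_services":
        services = set(value or ())          # tolerate a missing answer
        needed = []
        if "http" in services:
            needed.append("web_server")
        if services & {"postgres", "mysql"}:
            needed.append("db_engine")
        return needed
    return []  # os_version, web_server, db_engine are leaves


def characterize(agent: Agent, descriptor: str, acquired: dict) -> dict:
    """Recursively acquire data elements, starting from `descriptor`."""
    if descriptor in acquired:              # never re-query a descriptor
        return acquired
    value = agent.query(descriptor)
    acquired[descriptor] = value
    for nxt in follow_ups(descriptor, value):
        characterize(agent, nxt, acquired)
    return acquired


# Library as shipped by the central server: (module name, applicability rule).
# Module names are constructed placeholders, not real filter identifiers.
LIBRARY: list[tuple[str, Callable[[dict], bool]]] = [
    ("dpi-base-tcp",       lambda d: True),
    ("dpi-linux-syscalls", lambda d: d.get("os") == "linux"),
    ("dpi-http-generic",   lambda d: "http" in set(d.get("listening_services") or ())),
    ("dpi-apache-2x",      lambda d: str(d.get("web_server") or "").startswith("apache/2.")),
    ("dpi-postgres-wire",  lambda d: d.get("db_engine") == "postgres"),
    ("dpi-mysql-wire",     lambda d: d.get("db_engine") == "mysql"),
]


def requisite_modules(acquired: dict) -> list[str]:
    """Apply every library rule to the acquired data elements."""
    return [name for name, rule in LIBRARY if rule(acquired)]


def provision(agent: Agent) -> dict:
    """Characterize the host, match rules, install only what is missing."""
    acquired = characterize(agent, "os", {})
    required = requisite_modules(acquired)
    missing = [m for m in required if m not in agent.installed]
    for m in missing:
        agent.install(m)
    return {"acquired": acquired, "required": required, "installed_now": missing}


if __name__ == "__main__":
    # Constructed sample host: Linux web and database server with only the base module.
    host = Agent(
        facts={"os": "linux", "os_version": "5.15",
               "listening_services": {"ssh", "http", "postgres"},
               "web_server": "apache/2.4", "db_engine": "postgres"},
        installed={"dpi-base-tcp"},
    )
    print(provision(host))
```

Two properties worth noting: a host that exposes no services stops characterization after `listening_services` and never gets queried for `web_server` or `db_engine`, and a second `provision` pass over an unchanged host installs nothing, which is what lets a local server re-run the pass whenever a host's operational environment changes.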
Specification