Dynamic provisioning of protection software in a host intrusion prevention system

US 8,505,092 B2
Filed: 10/18/2007
Issued: 08/06/2013
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. An intrusion-protection system comprising:

a plurality of agents, each agent installed in a respective computer of a plurality of computers, said each agent comprising respective deep-packet-inspection modules, stored in a memory of said respective computer, for monitoring computer activities and identifying intrusions;

a plurality of local servers, each local server comprising;

at least one processor;

at least one memory device storing detection software; and

an interface communicatively coupled to each computer in a respective subset of said plurality of computers; and

a central server maintaining a software library comprising deep-packet-inspection modules stored in a non-transitory computer-readable medium, said central server communicating said library to said each local server;

said detection software causes said at least one processor to;

recursively acquire a set of data elements from an agent installed in said each computer, said set of data elements characterizing a current configuration and running processes of said each computer, where a data element acquired from processing a query sent from said each local server to said each computer-indicates one of;

a requirement for a requisite subsequent data element for characterization of said each computer; and

completion of acquisition of all data elements;

identify requisite deep-packet-inspection modules of said library compatible with said set of data elements;

determine presence of each said requisite deep-packet-inspection module in said each computer; and

responsive to an indication that at least one deep-packet-inspection module of said requisite deep-packet-inspection modules is not present in said each computer, install said at least one deep-packet-inspection module in said each computer.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Citations

15 Claims

1. An intrusion-protection system comprising:
- a plurality of agents, each agent installed in a respective computer of a plurality of computers, said each agent comprising respective deep-packet-inspection modules, stored in a memory of said respective computer, for monitoring computer activities and identifying intrusions;
  
  a plurality of local servers, each local server comprising;
  
  at least one processor;
  
  at least one memory device storing detection software; and
  
  an interface communicatively coupled to each computer in a respective subset of said plurality of computers; and
  
  a central server maintaining a software library comprising deep-packet-inspection modules stored in a non-transitory computer-readable medium, said central server communicating said library to said each local server;
  
  said detection software causes said at least one processor to;
  
  recursively acquire a set of data elements from an agent installed in said each computer, said set of data elements characterizing a current configuration and running processes of said each computer, where a data element acquired from processing a query sent from said each local server to said each computer-indicates one of;
  
  a requirement for a requisite subsequent data element for characterization of said each computer; and
  
  completion of acquisition of all data elements;
  
  identify requisite deep-packet-inspection modules of said library compatible with said set of data elements;
  
  determine presence of each said requisite deep-packet-inspection module in said each computer; and
  
  responsive to an indication that at least one deep-packet-inspection module of said requisite deep-packet-inspection modules is not present in said each computer, install said at least one deep-packet-inspection module in said each computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein each data element of said set of data elements corresponds to a descriptor from a predefined superset of computer descriptors.
  - 3. The system of claim 2 wherein said software library further comprises a set of a queries, each query corresponding to a specific data element of a plurality of data elements.
  - 4. The system of claim 3 wherein said software library further comprises a set of expressions for determining requisite security configurations for each of said plurality of computers.
  - 5. The system of claim 4 wherein said expressions are encoded in a script language.
  - 6. The system of claim 1 wherein said detection software further causes said at least one processor to:
    - determine presence of redundant deep-packet-inspection modules in said each computer, said redundant deep-packet-inspection modules being exclusive of said requisite deep-packet-inspection modules; and
      
      remove any redundant deep-packet-inspection module found in said each computer.
  - 7. The system of claim 3 wherein said each local server maintains a database storing for each computer and for every query processed:
    - a record of said every query;
      
      a record of a response acquired;
      
      an indication of a last execution time; and
      
      an indication of a recommended succeeding execution time.
  - 8. The system of claim 7 wherein said each local server maintains historical data related to changes in queries responses.
  - 9. The system of claim 1 wherein said DPI modules of said library comprise encoded intrusion-protection filters individually matching corresponding intrusion patterns.
  - 10. The system of claim 9 wherein said each computer receives data packets from external sources through a network and wherein at least one of said encoded intrusion-protection filters causes said each computer to examine content of said data packets to detect intrusion patterns.

11. At a server having at least one processor, a method of intrusion prevention comprising:
- specifying data elements for characterizing a plurality of computers communicatively coupled to said server, each data element corresponding to a descriptor from a predefined superset of descriptors;
  
  acquiring, from a central server, a software library comprising DPI modules for protecting said plurality of computers, said DPI modules comprising deep-packet-inspection instructions;
  
  storing, in a memory device of said server, detection software which causes a processor of said server to perform processes of;
  
  recursive acquisition of a succession of data elements from an agent installed in a target computer of said plurality of computers where a data element acquired from processing a query sent from said each local server to said target computer indicates one of;
  
  a requirement for a requisite subsequent data element for characterization of said target computer; and
  
  completion of acquisition of all data elements;
  
  identifying requisite DPI modules of said library compatible with said succession of data elements;
  
  determining presence of each said DPI module in said target computer; and
  
  responsive to an indication that at least one DPI module of said requisite DPI modules is not present in said target computer, installing said at least one DPI module in said target computer.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising:
    - storing, in said memory device, said data elements as current data elements and said requisite DPI modules as current DPI modules;
      
      repeating said prompting;
      
      receiving updated data elements from said target computer; and
      
      responsive to a determination of discrepancy between said updated data elements and said current data elements;
      
      determining new requisite DPI modules of said library compatible with said updated data elements;
      
      installing DPI modules of said new requisite DPI modules exclusive of said current DPI modules in said target computer;
      
      determining presence of redundant DPI modules in said current DPI modules exclusive of said new requisite DPI modules; and
      
      responsive to an indication of presence of at least one redundant DPI module, removing said at least one redundant DPI module from said target computer.
  - 13. The method of claim 11 further comprising maintaining for the target computer:
    - a record of time of receiving each data element of said data elements;
      
      content of said each data element; and
      
      identifiers of said requisite software modules.
  - 14. The method of claim 13 wherein said prompting comprises sending queries to said target computer to acquire said data elements.
  - 15. The method of claim 11 further comprising:
    - receiving at said server an obligatory DPI module from the central server; and
      
      placing said obligatory DPI module in a list of obligatory DPI modules to be executed for each computer in said plurality of computers regardless of content of data elements provided by said each computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US11/874,590
Publication Number

US 20080168560A1
Time in Patent Office

2,119 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links