Dynamic provisioning of protection software in a host instrusion prevention system

US 8,943,593 B2
Filed: 08/01/2013
Issued: 01/27/2015
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor configured to:

maintain a plurality of filters, each filter for combating at least one intrusion pattern from a set of known intrusion patterns;

maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;

select a specific descriptor as a current descriptor;

recursively;

send said current descriptor to a selected computer of said plurality of computers;

receive a current data element from said selected computer indicating a value of said current descriptor;

determine a subsequent descriptor according to said current data element;

replace said current descriptor with said subsequent descriptor; and

determine requisite filters of said plurality of filters for said selected computer upon determining reception of respective requisite data elements;

andtransmit said requisite filters to said selected computer.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

31 Citations

22 Claims

1. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor configured to:
- maintain a plurality of filters, each filter for combating at least one intrusion pattern from a set of known intrusion patterns;
  
  maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
  
  select a specific descriptor as a current descriptor;
  
  recursively;
  
  send said current descriptor to a selected computer of said plurality of computers;
  
  receive a current data element from said selected computer indicating a value of said current descriptor;
  
  determine a subsequent descriptor according to said current data element;
  
  replace said current descriptor with said subsequent descriptor; and
  
  determine requisite filters of said plurality of filters for said selected computer upon determining reception of respective requisite data elements;
  
  andtransmit said requisite filters to said selected computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 17)
- - 2. The server of claim 1 wherein said plurality of descriptors is arranged in a tree structure having a root descriptor and leaf descriptors and said at least one processor is configured to detect said subsequent descriptor becoming a leaf descriptor indicating reception of said respective requisite data elements.
  - 3. The server of claim 1 wherein said at least one processor is configured to execute processor-readable instructions to determine said subsequent descriptor based on said current descriptor and said current data element.
  - 4. The server of claim 1 wherein said at least one processor is coupled to a memory device storing a lookup table for determining said subsequent descriptor based on said current descriptor and said current data element.
  - 5. The server of claim 1 further comprising a scheduler for determining a time table for examining each computer of said plurality of computers.
  - 6. The server of claim 1 wherein said at least one processor is configured to divide said plurality of descriptors into computer-specific sets of descriptors and wherein said current descriptor and said subsequent descriptor belong to a set of descriptors specific to said selected computer.
  - 7. The server of claim 1 wherein said at least one processor is configured to divide said plurality of descriptors into sets of descriptors pertinent to respective computer types and wherein said current descriptor and said subsequent descriptor belong to a set of descriptors specific to a type of said selected computer.
  - 8. The server of claim 1 further comprising a database for storing current profiles of said plurality of computers.
  - 9. The server of claim 8 wherein said at least one processor is configured to:
    - classify said plurality of computers according to predefined computer types; and
      
      associate computer-specific descriptors with each computer type.
  - 10. The server of claim 1 wherein said descriptors include at least one of:
    - processor type, storage capacity, current application software, processes being run, and errors logged.
  - 11. The server of claim 1 wherein said at least one processor is further configured to track changes of said requisite filters and determine a monitoring period for said selected computer accordingly.
  - 17. The method of claim 1 further comprising dividing said plurality of descriptors into computer-specific sets of descriptors and selecting said current descriptor and said subsequent descriptor from a set of descriptors specific to said selected computer.

12. A method implemented in a server comprising at least one processor for protecting a plurality of computers from intrusion, the method comprising:
- maintaining in a memory device a plurality of filters, each filter for combating at least one intrusion pattern from a set of known intrusion patterns;
  
  acquiring a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
  
  selecting a specific descriptor as a current descriptor;
  
  executing a recursive process comprising;
  
  sending said current descriptor to a selected computer of said plurality of computers;
  
  receiving a current data element from said selected computer indicating a value of said current descriptor;
  
  determining a subsequent descriptor according to said current data element;
  
  replacing said current descriptor with said subsequent descriptor; and
  
  determining requisite filters of said plurality of filters for said selected computer upon determining reception of respective requisite data elements;
  
  andtransmitting said requisite filters to said selected computer.
- View Dependent Claims (13, 14, 15, 16, 18, 19, 20, 21, 22)
- - 13. The method of claim 12 further comprising arranging said plurality of descriptors in a tree structure having a root descriptor and leaf descriptors and configuring said at least one processor to terminate said recursive process upon detecting that said subsequent descriptor is a leaf descriptor, said detecting being indicative of acquisition of said respective requisite data elements.
  - 14. The method of claim 12 further comprising executing processor-readable instructions for determining said subsequent descriptor based on said current descriptor and said current data element.
  - 15. The method of claim 12 further comprising examining a lookup table stored in said memory device for determining said subsequent descriptor based on said current descriptor and said current data element.
  - 16. The method of claim 12 further comprising determining a time table for examining each computer of said plurality of computers.
  - 18. The method of claim 12 further comprising dividing said plurality of descriptors into sets of descriptors pertinent to respective computer types and selecting said current descriptor and said subsequent descriptor from a set of descriptors specific to a type of said selected computer.
  - 19. The method of claim 12 further storing current profiles of said plurality of computers in a database maintained at said server.
  - 20. The method of claim 19 further comprising:
    - classifying said plurality of computers according to predefined computer types; and
      
      associating computer-specific descriptors with each computer type.
  - 21. The method of claim 12 further comprising tracking changes of said requisite filters and determining a monitoring period for said selected computer according to timing of tracked changes.
  - 22. The method of claim 12 wherein said transmitting comprises excluding requisite filters already installed in said selected computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/957,297
Publication Number

US 20140223563A1
Time in Patent Office

544 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic provisioning of protection software in a host instrusion prevention system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic provisioning of protection software in a host instrusion prevention system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links