Method and system for regulating host security configuration

US 8,990,937 B2
Filed: 04/30/2013
Issued: 03/24/2015
Est. Priority Date: 10/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method of determining current protection-software configurations for a plurality of hosts comprising:

defining descriptors relevant to each host type of a plurality of host types;

devising a set of rules applicable to each host type, each rule depending on at least one descriptor of said each host type;

performing, at a server having at least one processor, processes of;

selecting a target host;

formulating a first subset of said set of rules comprising rules that have been added and rules that have been modified since a previous protection-software configuration of said target host;

sending queries to said target host and receiving from said target host values of current descriptors of said target host;

identifying updated descriptors of said current descriptors that have changed since said previous protection-software configuration;

formulating a second subset of said set of rules comprising each rule which depends on at least one of said updated descriptors;

executing each rule of said set of rules which belongs to at least one of said first subset of rules and said second subset of rules; and

installing in said target host at least one filter of a plurality of filters devised to combat known intrusion patterns.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.

36 Citations

View as Search Results

15 Claims

1. A method of determining current protection-software configurations for a plurality of hosts comprising:
- defining descriptors relevant to each host type of a plurality of host types;
  
  devising a set of rules applicable to each host type, each rule depending on at least one descriptor of said each host type;
  
  performing, at a server having at least one processor, processes of;
  
  selecting a target host;
  
  formulating a first subset of said set of rules comprising rules that have been added and rules that have been modified since a previous protection-software configuration of said target host;
  
  sending queries to said target host and receiving from said target host values of current descriptors of said target host;
  
  identifying updated descriptors of said current descriptors that have changed since said previous protection-software configuration;
  
  formulating a second subset of said set of rules comprising each rule which depends on at least one of said updated descriptors;
  
  executing each rule of said set of rules which belongs to at least one of said first subset of rules and said second subset of rules; and
  
  installing in said target host at least one filter of a plurality of filters devised to combat known intrusion patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising determining a host-specific schedule for subsequent determination of a current protection-software configuration for each host of said plurality of hosts.
  - 3. The method of claim 1 wherein said values of current descriptors received from said target host include at least one of processor type, storage capacity, current application software, processes being run, and errors logged at said target host.
  - 4. The method of claim 1 further comprising maintaining, at said server, a record of said values of current descriptors of said target host and corresponding reception times.
  - 5. The method of claim 1 further comprising communicating with a central server for acquiring said plurality of filters.
  - 6. The method of claim 1 further comprising:
    - determining a global monitoring period; and
      
      performing said process of selecting said target host at least once during said global monitoring period.
  - 7. The method of claim 1 further comprising performing at said server a process of determining a host-specific upper bound of a monitoring period during which each host of said plurality of hosts is selected at least once as said target host.
  - 8. The method of claim 7 further comprising performing at said server a process of determining a host-specific lower bound of said monitoring period.
  - 9. The method of claim 1 further comprising performing at said server a process of determining a time table for selecting each host of said plurality of hosts as said target host.

10. A system for determining current protection-software configurations for a set of hosts comprising:
- a central server distributing encoded intrusion-protection filters and intrusion-detection rules to a plurality of servers through a network, each server having at least one processor and communicatively coupled to a respective subset of hosts;
  
  a memory device storing descriptors and a set of rules applicable to each host type of a plurality of host types, each rule depending on at least one descriptor of said each host type;
  
  said each server configured to;
  
  select a target host of said respective subset of hosts;
  
  formulate a first subset of said set of rules comprising rules that have been added and rules that have been modified since a previous protection-software configuration of said target host;
  
  send queries to said target host and receive from said target host values of current descriptors of said target host;
  
  identify updated descriptors of said current descriptors that have changed since said previous protection-software configuration;
  
  formulate a second subset of said set of rules comprising each rule which depends on at least one of said updated descriptors;
  
  execute each rule of said set of rules which belongs to at least one of said first subset of rules and said second subset of rules; and
  
  install in said target host at least one filter of a plurality of filters devised to combat known intrusion patterns.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 further comprising a memory device storing:
    - queries relevant to each host type;
      
      a profile of each host of said respective subset of hosts; and
      
      chronological data relevant to each host of said respective subset of hosts.
  - 12. The system of claim 10 further comprising a memory device storing software instructions for determining a host-specific schedule for subsequent determination of a current protection-software configuration for each host of said plurality of hosts.
  - 13. The system of claim 10 further comprising a memory device storing:
    - a first table of identifiers of a set of descriptors relevant to all rules applicable to said respective subset of hosts; and
      
      a second table indicating rules which depend on each descriptor of said set of descriptors.
  - 14. The system of claim 10 wherein said each server maintains historical data pertinent to said updated descriptors.
  - 15. The system of claim 14 further comprising a scheduler for determining a time table for selecting each host of said subset of hosts as said target host based on said historical data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/874,277
Publication Number

US 20130247138A1
Time in Patent Office

693 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Method and system for regulating host security configuration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for regulating host security configuration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links