Method and system for regulating host security configuration
First Claim
1. A method of determining current protection-software configurations for a plurality of hosts comprising:
- defining descriptors relevant to each host type of a plurality of host types;
- devising a set of rules applicable to each host type, each rule depending on at least one descriptor of said each host type;
- performing, at a server having at least one processor, processes of:
  - selecting a target host;
  - formulating a first subset of said set of rules comprising rules that have been added and rules that have been modified since a previous protection-software configuration of said target host;
  - sending queries to said target host and receiving from said target host values of current descriptors of said target host;
  - identifying updated descriptors of said current descriptors that have changed since said previous protection-software configuration;
  - formulating a second subset of said set of rules comprising each rule which depends on at least one of said updated descriptors;
  - executing each rule of said set of rules which belongs to at least one of said first subset of rules and said second subset of rules; and
  - installing in said target host at least one filter of a plurality of filters devised to combat known intrusion patterns.
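The rule-selection procedure of claim 1, as an added worked example in Python (not code from the patent or any product): a rule is re-run only if it was added or modified since the host's previous configuration, or if it depends on a descriptor whose value the host now reports differently. Host type, descriptor names, rule names, filter names and the `monitoring_period` policy are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    depends_on: FrozenSet[str]                         # descriptors the rule reads
    changed_at: int                                    # rule-set revision at which the rule was added or last modified
    evaluate: Callable[[Dict[str, object]], Set[str]]  # descriptor values -> filters to install

@dataclass
class HostState:
    host_type: str
    last_revision: int                                 # rule-set revision used at the previous configuration
    last_descriptors: Dict[str, object]                # descriptor values seen at the previous configuration

# Constructed rule set for one host type; rule and filter names are placeholders.
RULES: Dict[str, List[Rule]] = {
    "web-server": [
        Rule("ssh_bruteforce", frozenset({"ssh_enabled"}), 1,
             lambda d: {"ssh-bruteforce-filter"} if d["ssh_enabled"] else set()),
        Rule("http_exploit", frozenset({"open_ports"}), 3,
             lambda d: {"http-exploit-filter"} if 80 in d["open_ports"] else set()),
        Rule("legacy_os", frozenset({"os_version"}), 1,
             lambda d: {"legacy-os-filter"} if d["os_version"] < 5 else set()),
    ]
}

def select_rules(rules: List[Rule], state: HostState, current: Dict[str, object]) -> Set[Rule]:
    """Union of the two claimed subsets: rules changed since the previous
    configuration, and rules depending on a descriptor whose value changed."""
    first = {r for r in rules if r.changed_at > state.last_revision}
    updated = {k for k in set(current) | set(state.last_descriptors)
               if current.get(k) != state.last_descriptors.get(k)}
    second = {r for r in rules if r.depends_on & updated}
    return first | second

def reconfigure(state: HostState, current: Dict[str, object], revision: int) -> Tuple[Set[str], Set[str]]:
    """Run the selected rules against the host's current descriptors and record
    the new baseline. Returns (names of rules executed, filters to install)."""
    selected = select_rules(RULES[state.host_type], state, current)
    filters: Set[str] = set()
    for rule in selected:
        filters |= rule.evaluate(current)
    state.last_revision = revision
    state.last_descriptors = dict(current)
    return {r.name for r in selected}, filters

def monitoring_period(reconfig_periods: List[int], floor: int = 60) -> int:
    """Assumed policy (the abstract leaves the function unspecified): poll at the
    shortest recent interval between observed reconfigurations, never below floor."""
    return max(floor, min(reconfig_periods)) if reconfig_periods else floor
```

A second call with unchanged descriptors and the same rule-set revision selects no rules, which is the saving the two-subset scheme is designed to give.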
4 Assignments
Abstract
A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.
36 Citations
15 Claims
1. A method of determining current protection-software configurations for a plurality of hosts (text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for determining current protection-software configurations for a set of hosts comprising:
- a central server distributing encoded intrusion-protection filters and intrusion-detection rules to a plurality of servers through a network, each server having at least one processor and communicatively coupled to a respective subset of hosts;
- a memory device storing descriptors and a set of rules applicable to each host type of a plurality of host types, each rule depending on at least one descriptor of said each host type;
- said each server configured to:
  - select a target host of said respective subset of hosts;
  - formulate a first subset of said set of rules comprising rules that have been added and rules that have been modified since a previous protection-software configuration of said target host;
  - send queries to said target host and receive from said target host values of current descriptors of said target host;
  - identify updated descriptors of said current descriptors that have changed since said previous protection-software configuration;
  - formulate a second subset of said set of rules comprising each rule which depends on at least one of said updated descriptors;
  - execute each rule of said set of rules which belongs to at least one of said first subset of rules and said second subset of rules; and
  - install in said target host at least one filter of a plurality of filters devised to combat known intrusion patterns.
Dependent claims: 11, 12, 13, 14, 15.