Dynamic provisioning of protection software in a host intrusion prevention system
First Claim
1. An intrusion-protection method implemented in a server comprising at least one processor and at least one memory device for protecting a plurality of computers, the method comprising:
identification of intrusion patterns;
devising a set of data filters, each data filter corresponding to at least one of said intrusion patterns;
formulating a set of descriptors for characterizing said plurality of computers;
determining a set of rules, each rule associated with a respective subset of data filters of said set of data filters and with a subset of descriptors of said set of descriptors;
executing, for a selected computer, a selected rule of said set of rules using content of a respective subset of descriptors acquired from said selected computer;
ascertaining relevance of a specific data filter associated with said selected rule to said selected computer according to a result of said executing;
tracking changes made to said selected computer as a result of said executing;
determining a monitoring period for said selected computer according to timing of tracked changes; and
installing said specific data filter in said selected computer based on said ascertaining.
Abstract
Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.
20 Claims
1. (Independent claim 1 is reproduced in full under "First Claim" above. Dependent claims: 2, 3.)
4. A method implemented in a server comprising at least one processor for protecting a plurality of computers from intrusion, the method comprising:
maintaining in a memory device a plurality of data filters, each data filter for combating at least one intrusion pattern from a set of known intrusion patterns;
acquiring a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
maintaining a set of rules, each rule associated with a set of data filters of said plurality of data filters and with a set of descriptors of said plurality of descriptors;
communicating with a selected computer to acquire values of descriptors relevant to a specific rule;
applying said specific rule to determine compatibility of each data filter of a respective set of data filters with characteristics of said selected computer;
tracking changes made to said selected computer as a result of said applying;
determining a monitoring period for said selected computer according to timing of tracked changes; and
installing data filters in said selected computer based on said compatibility.
Dependent claims: 5, 6, 7, 8, 9, 10.
11. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor and at least one memory device, and configured to:
maintain a plurality of filters, each filter for combating at least one intrusion pattern from a set of known intrusion patterns;
maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
execute a set of rules, each rule associated with a set of data filters of said plurality of data filters and with a set of descriptors of said plurality of descriptors;
select a particular computer and a specific rule;
communicate with said particular computer to acquire values of descriptors relevant to said specific rule;
determine compatibility of each data filter of a set of data filters pertinent to said specific rule with characteristics of said particular computer;
track changes made to said selected computer as a result of executing said set of rules;
determine a monitoring period for said selected computer according to timing of tracked changes; and
install data filters in said particular computer based on said compatibility.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
19. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor coupled to a memory device and configured to:
maintain a plurality of data filters, each data filter for combating at least one intrusion pattern from a set of known intrusion patterns;
maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
divide said plurality of descriptors into computer-specific sets of descriptors;
send to a selected computer of said plurality of computers a respective set of descriptors;
receive data elements corresponding to said respective set of descriptors from said selected computer;
execute selected encoded rules stored in said memory device, using said data elements, to determine requisite data filters of said plurality of data filters for said selected computer;
track changes made to said selected computer as a result of executing said selected encoded rules;
determine a monitoring period for said selected computer according to timing of tracked changes; and
install the requisite data filters in said selected computer.
Dependent claims: 20.
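The abstract and the independent claims above describe one procedure: a local server holds a filter catalogue and a rule set, interrogates a host for only the descriptors a given rule needs, decides which filters are relevant, tracks the changes it makes to the host, and sets a monitoring period from the timing of those changes. The following is an added example written for this page; it is not code from the patent or from any product it describes. The filter names, rules, descriptor values, the host dictionaries and the "half the mean gap between changes, clamped to one hour to one day" policy for the monitoring period are all constructed assumptions chosen to make the flow concrete.

```python
# Added example, not code from the patent or from any product it describes.
# A toy "local server" in the sense of the abstract: it holds a filter
# catalogue and descriptor-driven rules, interrogates a host for only the
# descriptors a rule needs, decides which filters are relevant, tracks the
# changes it makes and derives a monitoring period from their timing.
# Filter names, rules, descriptor values and thresholds are all constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class DataFilter:
    name: str
    intrusion_pattern: str  # the intrusion pattern this filter combats


@dataclass(frozen=True)
class Rule:
    name: str
    descriptors: tuple                 # descriptor subset this rule needs from the host
    filters: tuple                     # filter subset this rule governs
    predicate: Callable[[dict], bool]  # True when those filters apply to the host


# Constructed filter catalogue (hypothetical names).
F_SMB = DataFilter("smb_exploit_filter", "SMB remote code execution")
F_HTTPD = DataFilter("apache_httpd_filter", "HTTP request smuggling")
F_SSH = DataFilter("ssh_bruteforce_filter", "SSH credential brute force")

RULES = (
    Rule("smb-on-windows", ("os_family", "open_ports"), (F_SMB,),
         lambda d: d["os_family"] == "windows" and 445 in d["open_ports"]),
    Rule("apache-installed", ("installed_packages",), (F_HTTPD,),
         lambda d: any(p.startswith(("apache2", "httpd"))
                       for p in d["installed_packages"])),
    Rule("ssh-exposed", ("open_ports",), (F_SSH,),
         lambda d: 22 in d["open_ports"]),
)

# Constructed descriptor values, as a host agent might report them.
HOST = {"hostname": "web-01", "os_family": "linux",
        "open_ports": [22, 80], "installed_packages": ["apache2", "openssl"]}
WINDOWS_HOST = {"hostname": "fs-01", "os_family": "windows",
                "open_ports": [445, 3389], "installed_packages": []}


def interrogate(host: dict, descriptors: tuple) -> dict:
    """Acquire only the descriptor subset a rule asks for (stand-in for the agent query)."""
    return {k: host[k] for k in descriptors}


def select_filters(host: dict, rules=RULES) -> set:
    """Execute every rule against the host and collect the filters found relevant."""
    wanted = set()
    for rule in rules:
        if rule.predicate(interrogate(host, rule.descriptors)):
            wanted.update(f.name for f in rule.filters)
    return wanted


def monitoring_period(change_times: list,
                      floor=timedelta(hours=1), ceiling=timedelta(days=1)) -> timedelta:
    """Re-evaluate sooner when the host's configuration has been changing often:
    half the mean gap between tracked changes, clamped to [floor, ceiling]."""
    if len(change_times) < 2:
        return ceiling
    times = sorted(change_times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps, timedelta()) / len(gaps)
    return max(floor, min(ceiling, mean_gap / 2))


class LocalServer:
    """Tracks each host's installed filters and the times its configuration changed."""

    def __init__(self):
        self.installed = {}   # hostname -> set of filter names
        self.change_log = {}  # hostname -> list of datetimes when filters changed

    def apply(self, host: dict, now: datetime):
        """Return (filters to install, filters to remove, next monitoring period)."""
        name = host["hostname"]
        wanted = select_filters(host)
        current = self.installed.get(name, set())
        to_install, to_remove = wanted - current, current - wanted
        if to_install or to_remove:
            self.change_log.setdefault(name, []).append(now)
        self.installed[name] = wanted
        return to_install, to_remove, monitoring_period(self.change_log.get(name, []))


def run_demo() -> dict:
    """Walk one host through three rule executions; returns plain values."""
    srv = LocalServer()
    t0 = datetime(2024, 1, 1)
    first = srv.apply(HOST, t0)                           # initial provisioning
    changed = dict(HOST, open_ports=[80])                 # SSH later closed on the host
    second = srv.apply(changed, t0 + timedelta(hours=4))  # SSH filter no longer relevant
    third = srv.apply(changed, t0 + timedelta(hours=6))   # nothing to change
    return {
        "first_install": sorted(first[0]),
        "second_remove": sorted(second[1]),
        "period_hours": [r[2].total_seconds() / 3600 for r in (first, second, third)],
        "windows_filters": sorted(select_filters(WINDOWS_HOST)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Each rule names the descriptors it needs, so the server asks the host only for those, which is the "computer-specific sets of descriptors" of claim 19. The monitoring period falls from the one-day ceiling to two hours once the host has changed twice four hours apart, and stays there while no further changes are recorded; a real manager would also bound how many tracked changes it keeps and treat a host that stops answering interrogation as a change in its own right.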