Dynamic provisioning of protection software in a host intrusion prevention system

US 9,231,917 B2
Filed: 10/07/2014
Issued: 01/05/2016
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. An intrusion-protection method implemented in a server comprising at least one processor and at least one memory device for protecting a plurality of computers, the method comprising:

identification of intrusion patterns;

devising a set of data filters, each data filter corresponding to at least one of said intrusion patterns;

formulating a set of descriptors for characterizing said plurality of computers;

determining a set of rules, each rule associated with a respective subset of data filters of said set of data filters and with a subset of descriptors of said set of descriptors;

executing, for a selected computer, a selected rule of said set of rules using content of a respective subset of descriptors acquired from said selected computer;

ascertaining relevance of a specific data filter associated with said selected rule to said selected computer according to a result of said executing;

tracking changes made to said selected computer as a result of said executing;

determining a monitoring period for said selected computer according to timing of tracked changes; and

installing said specific data filter in said selected computer based on said ascertaining.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Citations

20 Claims

1. An intrusion-protection method implemented in a server comprising at least one processor and at least one memory device for protecting a plurality of computers, the method comprising:
- identification of intrusion patterns;
  
  devising a set of data filters, each data filter corresponding to at least one of said intrusion patterns;
  
  formulating a set of descriptors for characterizing said plurality of computers;
  
  determining a set of rules, each rule associated with a respective subset of data filters of said set of data filters and with a subset of descriptors of said set of descriptors;
  
  executing, for a selected computer, a selected rule of said set of rules using content of a respective subset of descriptors acquired from said selected computer;
  
  ascertaining relevance of a specific data filter associated with said selected rule to said selected computer according to a result of said executing;
  
  tracking changes made to said selected computer as a result of said executing;
  
  determining a monitoring period for said selected computer according to timing of tracked changes; and
  
  installing said specific data filter in said selected computer based on said ascertaining.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising a step of removing said specific data filter from said selected computer based on said ascertaining.
  - 3. The method of claim 1 further comprising a step of associating said each rule with a respective subset of computers of said plurality of computers.

4. A method implemented in a server comprising at least one processor for protecting a plurality of computers from intrusion, the method comprising:
- maintaining in a memory device a plurality of data filters, each data filter for combating at least one intrusion pattern from a set of known intrusion patterns;
  
  acquiring a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
  
  maintaining a set of rules, each rule associated with a set of data filters of said plurality of data filters and with a set of descriptors of said plurality of descriptors;
  
  communicating with a selected computer to acquire values of descriptors relevant to a specific rule;
  
  applying said specific rule to determine compatibility of each data filter of a respective set of data filters with characteristics of said selected computer;
  
  tracking changes made to said selected computer as a result of said applying;
  
  determining a monitoring period for said selected computer according to timing of tracked changes; and
  
  installing data filters in said selected computer based on said compatibility.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The method of claim 4 wherein said communicating comprises selecting a specific descriptor as a current descriptor and executing a recursive process comprising:
    - sending said current descriptor to said selected computer; and
      
      receiving a value of said current descriptor from said selected computer, said value indicating one of;
      
      a determination that all said values of descriptors relevant to said specific rule have been received; and
      
      a requisite subsequent descriptor.
  - 6. The method of claim 4 further comprising:
    - retaining records of time intervals between successive time instants at which said applying results in installing a filter in said selected computer; and
      
      determining a subsequent time for repeating said communicating and said applying for said selected computer according to said records.
  - 7. The method of claim 5 further comprising dividing said plurality of descriptors into computer-specific sets of descriptors and selecting said specific descriptor and said requisite subsequent descriptor from a set of descriptors specific to said selected computer.
  - 8. The method of claim 5 further comprising dividing said plurality of descriptors into sets of descriptors pertinent to respective computer types and selecting said specific descriptor and said requisite subsequent descriptor from a set of descriptors specific to a type of said selected computer.
  - 9. The method of claim 4 further comprising storing current profiles of said plurality of computers in a database maintained at said server.
  - 10. The method of claim 4 further comprising:
    - classifying said plurality of computers according to predefined computer types; and
      
      associating computer-specific descriptors with each computer type.

11. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor and at least one memory device, and is configured to:
- maintain a plurality of filters, each filter for combating at least one intrusion pattern from a set of known intrusion patterns;
  
  maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
  
  execute a set of rules, each rule associated with a set of data filters of said plurality of data filters and with a set of descriptors of said plurality of descriptors;
  
  select a particular computer and a specific rule;
  
  communicate with said particular computer to acquire values of descriptors relevant to said specific rule;
  
  determine compatibility of each data filter of a set of data filters pertinent to said specific rule with characteristics of said particular computer;
  
  track changes made to said selected computer as a result of executing said set of rules;
  
  determine a monitoring period for said selected computer according to timing of tracked changes; and
  
  install data filters in said particular computer based on said compatibility.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The server of claim 11 further configured to execute a recursive process to acquire said values of descriptors relevant to said specific rule where a current value of a descriptor received from said particular computer determines whether a value of a subsequent descriptor is needed to execute said specific rule.
  - 13. The server of claim 11 further configured to examine each computer of said plurality of computers according to a time table.
  - 14. The server of claim 11 further configured to divide said plurality of descriptors into computer-specific sets of descriptors and to select said set of descriptors associated with said each rule from a set of descriptors specific to said particular computer.
  - 15. The server of claim 11 further configured to divide said plurality of descriptors into sets of descriptors pertinent to respective computer types and to select said set of descriptors associated with said each rule from a set of descriptors specific to said particular computer from a set of descriptors specific to a type of said particular computer.
  - 16. The server of claim 11 further configured to maintain a database storing current profiles of said plurality of computers.
  - 17. The server of claim 11 further comprising a scheduler for determining a time table for examining each computer of said plurality of computers.
  - 18. The server of claim 11 wherein said descriptors include at least one of:
    - processor type, storage capacity, current application software, processes being run, and errors logged.

19. A server for protecting a plurality of computers from intrusion, the server comprising at least one processor coupled to a memory device and configured to:
- maintain a plurality of data filters, each data filter for combating at least one intrusion pattern from a set of known intrusion patterns;
  
  maintain a plurality of descriptors, each descriptor relevant to a respective computer characteristic;
  
  divide said plurality of descriptors into computer-specific sets of descriptors;
  
  send to a selected computer of said plurality of computers a respective set of descriptors;
  
  receive data elements corresponding to said respective set of descriptors from said selected computer;
  
  execute selected encoded rules stored in said memory device, using said data elements, to determine requisite data filters of said plurality of data filters for said selected computer;
  
  track changes made to said selected computer as a result of executing said selected encoded rules;
  
  determine a monitoring period for said selected computer according to timing of tracked changes; and
  
  install the requisite data filters in said selected computer.
- View Dependent Claims (20)
- - 20. The server of claim 19 wherein said at least one processor is configured to:
    - classify said plurality of computers according to predefined computer types;
      
      associate computer-specific descriptors with each computer type; and
      
      associate each computer with a respective computer type according to a stored profile of said each computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
McGee, William G., Durie, Antony Robert
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/508,992
Publication Number

US 20150026765A1
Time in Patent Office

455 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links