Dynamic provisioning of protection software in a host intrusion prevention system

US 9,621,589 B2
Filed: 01/06/2015
Issued: 04/11/2017
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method of intrusion protection of a plurality of computers, the method comprising:

at a central server comprising a memory device having processor executable instructions stored thereon for execution by at least one hardware processor, forming a software library comprising;

a set of data filters each corresponding to at least one intrusion pattern; and

a set of rules, each rule for identifying a number of requisite data filters according to a respective subset of descriptors of a set of descriptors characterizing said plurality of computers;

at a local server of a set of local servers coupled to said central server, employing a hardware processor for;

determining descriptors of each computer coupled to said local server;

acquiring from said central server;

a respective subset of said set of data filters; and

a respective subset of rules of said set of rules;

executing said respective subset of rules to identify for said each computer corresponding data filters; and

where a number of said corresponding data filters is not zero, installing each said corresponding data filter in said each computer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

37 Citations

View as Search Results

20 Claims

1. A method of intrusion protection of a plurality of computers, the method comprising:
- at a central server comprising a memory device having processor executable instructions stored thereon for execution by at least one hardware processor, forming a software library comprising;
  
  a set of data filters each corresponding to at least one intrusion pattern; and
  
  a set of rules, each rule for identifying a number of requisite data filters according to a respective subset of descriptors of a set of descriptors characterizing said plurality of computers;
  
  at a local server of a set of local servers coupled to said central server, employing a hardware processor for;
  
  determining descriptors of each computer coupled to said local server;
  
  acquiring from said central server;
  
  a respective subset of said set of data filters; and
  
  a respective subset of rules of said set of rules;
  
  executing said respective subset of rules to identify for said each computer corresponding data filters; and
  
  where a number of said corresponding data filters is not zero, installing each said corresponding data filter in said each computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said corresponding data filters exclude data filters already installed in said each computer.
  - 3. The method of claim 1 wherein said determining comprises:
    - sending a sequence of queries from said local server to said each computer; and
      
      examining responses received at said local server to determine said descriptors of each computer.
  - 4. The method of claim 1 further comprising:
    - classifying said plurality of computers according to predefined computer types; and
      
      associating computer-specific descriptors with each computer type.
  - 5. The method of claim 4 wherein said respective subset of rules is defined according to a union of descriptors of all computers coupled to said local server.
  - 6. The method of claim 1 further comprising determining, at said local server, a time table for examining said each computer.
  - 7. The method of claim 1 further comprising storing a current profile of said each computer in a database maintained at said local server.
  - 8. The method of claim 2 further comprising:
    - tracking installation of said corresponding data filters; and
      
      determining a monitoring period for said each computer according to timing of said installations.
  - 9. The method of claim 1 further comprising providing a software agent to said each computer devised to cause a processor of said each computer to receive queries from, and send relevant information to, said local server.
  - 10. The method of claim 1 further comprising:
    - forming a table for identifying rules dependent on each descriptor of said descriptors of each computer;
      
      applying a value of said each descriptor to all rules dependent on said each descriptor.

11. A system for intrusion protection of a plurality of computers, the system comprising:
- a central server, comprising a memory device having processor executable instructions stored thereon for execution by at least one hardware processor, maintaining a software library comprising;
  
  a set of data filters each corresponding to at least one intrusion pattern; and
  
  a set of rules, each rule for identifying a requisite data filter according to a respective subset of descriptors of a set of descriptors characterizing said plurality of computers;
  
  a set of local servers coupled to said central server, at least one local server comprising a hardware processor and a computer readable storage medium having computer readable instructions stored thereon causing said hardware processor to;
  
  determine descriptors of each computer coupled to said at least one local server;
  
  acquire from said central server;
  
  a respective subset of said set of data filters; and
  
  a respective subset of rules of said set of rules;
  
  execute said respective subset of rules to identify for said each computer a respective subset of data filters; and
  
  install said respective subset of data filters in said each computer.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein said respective subset of data filters excludes data filters already installed in said each computer.
  - 13. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to:
    - send a sequence of queries from said at least one local server to said each computer; and
      
      examine responses received at said at least one local server to determine said descriptors of each computer.
  - 14. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to:
    - classify said plurality of computers according to predefined computer types; and
      
      associate computer-specific descriptors with each computer type.
  - 15. The system of claim 14 wherein said computer readable instructions further cause said hardware processor to define said respective subset of rules according to a union of descriptors of all computers coupled to said at least one local server.
  - 16. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to determine a time table for examining said each computer.
  - 17. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to form a database containing a current profile of said each computer.
  - 18. The system of claim 12 wherein said computer readable instructions further cause said hardware processor to:
    - track installation of said respective subset of data filters; and
      
      determine a monitoring period for said each computer according to timing of said installations.
  - 19. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to provide a software agent to said each computer devised to cause a processor of said each computer to receive queries from, and send relevant information to, said at least one local server.
  - 20. The system of claim 11 wherein said computer readable instructions further cause said hardware processor to:
    - form a table for identifying rules dependent on each descriptor of said descriptors of each computer;
      
      apply a value of said each descriptor to all rules dependent on said each descriptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/590,916
Publication Number

US 20160241593A1
Time in Patent Office

826 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links