Dynamic provisioning of protection software in a host intrusion prevention system

US 9,813,377 B2
Filed: 04/10/2017
Issued: 11/07/2017
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. A server for intrusion protection of a plurality of computers, the server comprising:

a processor and a memory device storing processor executable instructions causing the processor to;

acquire a superset of descriptors characterizing said plurality of computers;

acquire a superset of filters;

acquire a set of rules, each rule for determining a respective rule-specific set of filters corresponding to a respective rule-specific set of descriptors;

classify said plurality of computers according to predefined computer types;

associate each computer type with a respective type-specific set of descriptors;

associate a target computer of said plurality of computer with a respective computer type;

determine a rule domain as an intersection of a type-specific set of descriptors corresponding to said respective computer type and a rule-specific set of descriptors corresponding to a selected rule;

communicate with said target computer to acquire a value of each of at least one descriptor of said rule domain; and

execute said selected rule to determine a set of requisite filters.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

37 Citations

View as Search Results

19 Claims

1. A server for intrusion protection of a plurality of computers, the server comprising:
- a processor and a memory device storing processor executable instructions causing the processor to;
  
  acquire a superset of descriptors characterizing said plurality of computers;
  
  acquire a superset of filters;
  
  acquire a set of rules, each rule for determining a respective rule-specific set of filters corresponding to a respective rule-specific set of descriptors;
  
  classify said plurality of computers according to predefined computer types;
  
  associate each computer type with a respective type-specific set of descriptors;
  
  associate a target computer of said plurality of computer with a respective computer type;
  
  determine a rule domain as an intersection of a type-specific set of descriptors corresponding to said respective computer type and a rule-specific set of descriptors corresponding to a selected rule;
  
  communicate with said target computer to acquire a value of each of at least one descriptor of said rule domain; and
  
  execute said selected rule to determine a set of requisite filters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The server of claim 1 wherein said processor executable instructions further cause the processor to install said set of requisite filters in said target computer subject to a determination that said requisite set of filters is not an empty set.
  - 3. The server of claim 2 wherein said set of requisite filters excludes filters already installed in said target computer.
  - 4. The server of claim 1 wherein said processor executable instructions further cause the processor to:
    - assemble rule-specific descriptors for each rule of said set of rules in a data structure relating descriptors to rules; and
      
      retain said value of each of at least one descriptor relevant to said selected rule for reuse in executing other rules applicable to said target computer based on content of said data structure.
  - 5. The server of claim 1 wherein said processor executable instructions further cause the processor to:
    - assemble in a data structure, for each descriptor of said superset of descriptors identifiers of specific rules of said set of rules which depend on said each descriptor; and
      
      retain said value of each of at least one descriptor relevant to said selected rule for reuse in executing other rules applicable to said target computer based on content of said data structure.
  - 6. The server of claim 1 wherein said processor executable instructions further cause the processor to maintain a profile of each computer of said plurality of computers and wherein said respective computer type is based on a profile of said target computer.
  - 7. The server of claim 1 wherein said processor executable instructions further cause the processor to communicate with a central server to acquire said superset of descriptors.
  - 8. The server of claim 1 wherein said processor executable instructions further cause the processor to acquire said value of each of at least one descriptor of said rule domain from said target computer through an agent residing in said target computer.
  - 9. The server of claim 1 wherein said processor executable instructions further cause the processor to acquire a set of expressions and wherein at least one rule of said set of rules executes at least one expression of said set of expressions.
  - 10. The server of claim 2 wherein said processor executable instructions further cause the processor to:
    - track installation of said set of requisite filters; and
      
      determine a monitoring period for said target computer according to timing of said installations.
  - 11. The server of claim 1 wherein said superset of descriptors include at least one of:
    - processor type, storage capacity, current application software, processes being run, and errors logged.
  - 12. The server of claim 1 wherein said set of requisite filters comprises at least one of:
    - a new filter; and
      
      an updated filter.
  - 13. The server of claim 1 wherein said value of each of at least one descriptor of said rule domain is based on a state-dependent sequence of queries.
  - 14. The server of claim 1 wherein said rule domain comprises descriptors arranged in a tree structure having a root descriptor, inner descriptors, and leaf descriptors.

15. A method of intrusion protection of a plurality of computers, the method comprising:
- configuring a processor to perform processes of;
  
  acquiring a superset of descriptors characterizing said plurality of computers;
  
  acquiring a superset of filters;
  
  acquiring a set of rules, each rule for determining a respective rule-specific set of filters corresponding to a respective rule-specific set of descriptors;
  
  classifying said plurality of computers according to predefined computer types;
  
  associating each computer type with a respective type-specific set of descriptors;
  
  associating a target computer of said plurality of computer with a respective computer type;
  
  identifying common descriptors of a type-specific set of descriptors corresponding to said respective computer type and a rule-specific set of descriptors corresponding to a selected rule; and
  
  communicating with said target computer to acquire a value of each of at least one common descriptor;
  
  determining a set of requisite filters for said target computer according to said selected rule.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15 further comprising installing in said target computer each filter of said set of requisite filters which is not currently installed in said target computer.
  - 17. The method of claim 15 further comprising storing in a memory device:
    - identifiers of rule-specific descriptors for each rule of said set of rules; and
      
      values of descriptors relevant to said selected rule for reuse in executing other rules applicable to said target computer according to said identifiers.
  - 18. The method of claim 15 further comprising storing in a memory device:
    - for each descriptor of said superset of descriptors identifiers of specific rules of said set of rules which depend on said each descriptor; and
      
      values of descriptors relevant to said selected rule for reuse in executing other rules applicable to said target computer based on content of said identifiers.
  - 19. The method of claim 15 further comprising arranging said common descriptors into a tree structure having a root descriptor, inner descriptors, and leaf descriptors, wherein said at least one common descriptor comprise descriptors along a path from said root descriptor to a leaf descriptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Inc.
Inventors
Durie, Anthony Robert, McGee, William G.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/483,407
Publication Number

US 20170214656A1
Time in Patent Office

211 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic provisioning of protection software in a host intrusion prevention system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links