Dynamic Provisioning of Protection Software in a Host Intrusion Prevention System

US 20080168560A1
Filed: 10/18/2007
Published: 07/10/2008
Est. Priority Date: 01/05/2007
Status: Active Grant

First Claim

Patent Images

1. An intrusion-protection system for protecting a plurality of hosts, the system comprising:

a plurality of agents each associated with one of said hosts;

a plurality of local servers each local server communicatively coupled to each host in a respective subset of said plurality of hosts; and

a central server maintaining a software library comprising a plurality of filters and a plurality of rules, said central server sharing said library with said each local server;

where said each local server;

communicates with an agent, from among said plurality of agents, associated with said each host to acquire metadata of said each host; and

prescribes a subset of filters for said each host according to said metadata.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

65 Citations

View as Search Results

20 Claims

1. An intrusion-protection system for protecting a plurality of hosts, the system comprising:
- a plurality of agents each associated with one of said hosts;
  
  a plurality of local servers each local server communicatively coupled to each host in a respective subset of said plurality of hosts; and
  
  a central server maintaining a software library comprising a plurality of filters and a plurality of rules, said central server sharing said library with said each local server;
  
  where said each local server;
  
  communicates with an agent, from among said plurality of agents, associated with said each host to acquire metadata of said each host; and
  
  prescribes a subset of filters for said each host according to said metadata.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein said metadata comprises a plurality of data elements characterizing configuration of, and processes executed within, said each host.
  - 3. The system of claim 2 wherein said software library further comprises a set of queries, each query corresponding to a specific data element from among said plurality of data elements, and execution of each rule in said plurality of rules comprises processing at least one query.
  - 4. The system of claim 3 wherein said software library further comprises a set of expressions used by said rules to determine security configurations for said plurality of host.
  - 5. The system of claim 4 wherein said expressions are modular and encoded in a script language.
  - 6. The system of claim 2 wherein a data element acquired from processing a query from among said at least one query determines one of:
    - a requirement for a subsequent data element to execute said each rule; and
      
      completion of acquisition of all data elements needed to execute said each rule.
  - 7. The system of claim 1 wherein execution of each rule in said plurality of rules determines one of:
    - a selection of a filter from among said plurality of filters for installation in an examined host from among said plurality of hosts;
      
      a selection of a filter already installed in said examined host for removal from said examined host; and
      
      ascertaining that a filter already installed in said examined host provides adequate intrusion protection to said examined host.
  - 8. The system of claim 1 wherein said each local server maintains a database storing, for each host and for every query processed, a record of said every query, a record of a response acquired, an indication of a last execution time, and an indication of a recommended succeeding execution time.
  - 9. The system of claim 1 wherein said each local server maintains historical data related to changes in queries responses.

10. At a server supporting a plurality of hosts, a method of intrusion prevention comprising:
- maintaining a set of filters, each filter being a set of instructions;
  
  selecting a target host from among said plurality of hosts;
  
  determining a subset of rules, from among a predefined set of rules, applicable to said target host;
  
  prompting said target host to provide metadata characterizing said target host, said metadata including a plurality of data elements;
  
  receiving said metadata from said target host;
  
  executing said subset of rules to determine applicable filters from among said set filters; and
  
  transmitting said applicable filters to said target host.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 further comprising:
    - repeating said prompting;
      
      receiving updated metadata from said target host; and
      
      comparing new metadata to previous metadata;
      
      wherein metadata discrepancy determined from said comparing invokes a further step of executing said subset of rules to determine one of;
      
      recommendation of installing new filters in said target host;
      
      recommendation of removal of already installed filters from said target host; and
      
      ascertaining adequacy of already installed filters in said target host.
  - 12. The method of claim 10 further comprising a step of maintaining for the target host:
    - a record of time of receiving each data element of said metadata;
      
      content of said each data element;
      
      identifiers of said subset of rules; and
      
      identifiers of said applicable filters.
  - 13. The method of claim 10 further comprising:
    - associating each rule in said predefined set of rules with a respective data element from among said plurality of data elements;
      
      selecting said respective data element as a current data element; and
      
      executing said each rule using said current data element to produce one of;
      
      a result of said executing of said each rule; and
      
      designating a subsequent data element as a current data element and continuing said executing said each rule.
  - 14. The method of claim 13 wherein said result comprises one of recommendation of installing a new filter in said target host;
    - recommendation of removal of an already installed filter from said target host; and
      
      retaining a current security configuration of said target host.
  - 15. The method of claim 10 wherein said prompting comprises a step of sending a query to said target host to acquire a data element from among said plurality of data elements.
  - 16. The method of claim 10 further comprising:
    - receiving a new rule from a central server; and
      
      placing said new rule in a list of obligatory rules to be executed for each host in said plurality of hosts regardless of a state of said each host.

17. An intrusion-protection method for protecting a plurality of hosts, the method comprising:
- identification of intrusion patterns;
  
  devising a set of data filters, each data filter corresponding to at least one of said intrusion patterns;
  
  formulating a set of descriptors for characterizing said plurality of hosts;
  
  determining a set of rules, each rule associated with a respective data filter in said set of data filters and with a subset of descriptors from among said set of descriptors;
  
  executing, for a selected host, a selected rule from among said set of rules using content of a respective subset of descriptors; and
  
  ascertaining relevance of a specific data filter associated with said selected rule to said selected host according to a result of said executing.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 further comprising a step of installing said specific data filter in said selected host based on said ascertaining.
  - 19. The method of claim 17 further comprising a step of removing said specific data filter from said selected host based on said ascertaining.
  - 20. The method of claim 17 further comprising a step of associating said each rule with a respective subset of hosts from among said plurality of hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Kabushiki Kaisha
Original Assignee
Trend Micro Kabushiki Kaisha
Inventors
McGee, William G., DURIE, Anthony Robert

Granted Patent

US 8,505,092 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Dynamic Provisioning of Protection Software in a Host Intrusion Prevention System

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic Provisioning of Protection Software in a Host Intrusion Prevention System

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links