Dynamic Provisioning of Protection Software in a Host Intrusion Prevention System
First Claim
1. An intrusion-protection system for protecting a plurality of hosts, the system comprising:
- a plurality of agents each associated with one of said hosts;
- a plurality of local servers, each local server communicatively coupled to each host in a respective subset of said plurality of hosts; and
- a central server maintaining a software library comprising a plurality of filters and a plurality of rules, said central server sharing said library with said each local server;
where said each local server:
- communicates with an agent, from among said plurality of agents, associated with said each host to acquire metadata of said each host; and
- prescribes a subset of filters for said each host according to said metadata.
Abstract
Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.
20 Claims
1. An intrusion-protection system for protecting a plurality of hosts (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. At a server supporting a plurality of hosts, a method of intrusion prevention comprising:
- maintaining a set of filters, each filter being a set of instructions;
- selecting a target host from among said plurality of hosts;
- determining a subset of rules, from among a predefined set of rules, applicable to said target host;
- prompting said target host to provide metadata characterizing said target host, said metadata including a plurality of data elements;
- receiving said metadata from said target host;
- executing said subset of rules to determine applicable filters from among said set of filters; and
- transmitting said applicable filters to said target host.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. An intrusion-protection method for protecting a plurality of hosts, the method comprising:
- identification of intrusion patterns;
- devising a set of data filters, each data filter corresponding to at least one of said intrusion patterns;
- formulating a set of descriptors for characterizing said plurality of hosts;
- determining a set of rules, each rule associated with a respective data filter in said set of data filters and with a subset of descriptors from among said set of descriptors;
- executing, for a selected host, a selected rule from among said set of rules using content of a respective subset of descriptors; and
- ascertaining relevance of a specific data filter associated with said selected rule to said selected host according to a result of said executing.
Dependent claims: 18, 19, 20.
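The procedure in claim 10 and the adaptive rules of the abstract (each rule declares which host data elements it needs, the local server prompts the agent for only those, runs the rules, and pushes the resulting filter set; a later re-provisioning reflects changes in the host's environment) can be sketched as a small rule engine. The code below is an added example, not the patent's or any product's code; the class names `Rule`, `HostAgent` and `LocalServer`, the sample filter names, the platform scoping and the host inventories are all constructed for illustration.

```python
"""Rule-driven filter prescription for a local intrusion-prevention server.

Added illustration of the claimed method; all names and sample data are
constructed and do not come from the patent.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Metadata = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """Ties one filter to the host descriptors it needs and a predicate.

    `descriptors` are the data elements the rule must obtain from the host
    before it can run; `platforms` scopes which hosts the rule is considered
    for at all (the "subset of rules applicable to said target host").
    """
    filter_name: str
    descriptors: FrozenSet[str]
    platforms: FrozenSet[str]
    applies: Callable[[Metadata], bool]


class HostAgent:
    """Agent resident on a host; answers the local server's metadata prompts."""

    def __init__(self, host_id: str, platform: str, inventory: Metadata):
        self.host_id = host_id
        self.platform = platform
        self.inventory = inventory            # constructed sample data
        self.installed: FrozenSet[str] = frozenset()
        self.prompts: List[FrozenSet[str]] = []   # audit trail of what was asked

    def provide(self, wanted: FrozenSet[str]) -> Metadata:
        """Return only the requested elements; elements the host lacks are omitted."""
        self.prompts.append(wanted)
        return {k: self.inventory[k] for k in wanted if k in self.inventory}

    def install(self, filters: FrozenSet[str]) -> None:
        self.installed = filters


class LocalServer:
    """Deep-security manager for one subset of hosts, holding the shared library."""

    def __init__(self, library: Set[str], rules: List[Rule]):
        # A rule may only prescribe a filter that the central library actually ships.
        missing = {r.filter_name for r in rules} - library
        if missing:
            raise ValueError(f"rules reference unknown filters: {sorted(missing)}")
        self.library = library
        self.rules = rules
        self.agents: Dict[str, HostAgent] = {}

    def register(self, agent: HostAgent) -> None:
        self.agents[agent.host_id] = agent

    def applicable_rules(self, agent: HostAgent) -> List[Rule]:
        """Narrow the predefined rule set to those scoped to the host's platform."""
        return [r for r in self.rules if agent.platform in r.platforms]

    def prescribe(self, host_id: str) -> FrozenSet[str]:
        """Prompt the host for exactly the descriptors the applicable rules need,
        execute the rules on the returned metadata, and return the filter set."""
        agent = self.agents[host_id]
        rules = self.applicable_rules(agent)
        wanted = frozenset().union(*(r.descriptors for r in rules))
        meta = agent.provide(wanted)
        chosen: Set[str] = set()
        for r in rules:
            # A rule whose data elements the host could not supply is skipped
            # rather than evaluated on partial data.
            if not r.descriptors.issubset(meta):
                continue
            if r.applies(meta):
                chosen.add(r.filter_name)
        return frozenset(chosen)

    def provision(self, host_id: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Transmit the prescribed filters to the host; returns (added, removed)."""
        agent = self.agents[host_id]
        new = self.prescribe(host_id)
        added, removed = new - agent.installed, agent.installed - new
        agent.install(new)
        return added, removed


# Constructed sample library and rules (filter names are placeholders).
LIBRARY = {"web_filter", "smb_filter", "ssh_filter", "legacy_kernel_filter"}

RULES = [
    Rule("web_filter", frozenset({"listening_ports"}), frozenset({"linux", "windows"}),
         lambda m: bool({80, 443} & set(m["listening_ports"]))),
    Rule("smb_filter", frozenset({"listening_ports"}), frozenset({"windows"}),
         lambda m: 445 in m["listening_ports"]),
    Rule("ssh_filter", frozenset({"listening_ports"}), frozenset({"linux"}),
         lambda m: 22 in m["listening_ports"]),
    Rule("legacy_kernel_filter", frozenset({"kernel_version"}), frozenset({"linux"}),
         lambda m: tuple(m["kernel_version"]) < (5, 10)),
]


def demo() -> Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]:
    """Initial provisioning, then re-provisioning after the host's environment changes."""
    server = LocalServer(LIBRARY, RULES)
    web = HostAgent("web01", "linux",
                    {"listening_ports": [22, 80], "kernel_version": (4, 19)})
    server.register(web)
    first, _ = server.provision("web01")
    # The web service is retired and the kernel upgraded; the next pass removes
    # filters that no longer apply instead of leaving the host over-configured.
    web.inventory = {"listening_ports": [22], "kernel_version": (5, 15)}
    added, removed = server.provision("web01")
    return first, added, removed


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here: the server asks each agent only for the union of descriptors its applicable rules declare, so a Windows host is never prompted for a kernel version that only Linux rules consume, and a rule whose inputs the host cannot supply is skipped rather than run on partial metadata, which keeps a missing inventory field from silently dropping or adding a filter.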
Specification