US007594267B2

(12) United States Patent
Gladstone et al.

(10) Patent No.: US 7,594,267 B2
(45) Date of Patent: Sep. 22, 2009

(54) STATEFUL DISTRIBUTED EVENT PROCESSING AND ADAPTIVE SECURITY

(75) Inventors: Philip J. S. Gladstone, Framingham, MA (US); Jeffrey A. Kramer, Wellesley, MA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 768 days.

(21) Appl. No.: 10/172,305

(22) Filed: Jun. 14, 2002

(65) Prior Publication Data
US 2002/0194495 A1, Dec. 19, 2002

Related U.S. Application Data
(60) Provisional application No. 60/298,592, filed on Jun. 14, 2001.

(51) Int. Cl.
G06F 7/04 (2006.01)
G06F 9/00 (2006.01)
G06F 11/00 (2006.01)
H04N 7/6 (2006.01)

(52) U.S. Cl. 726/23; 726/11; [further classes illegible in source]

(58) Field of Classification Search [illegible in source]. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
4,647,944 A * 3/1987 Gravesteijn et al. 347/264
5,039,980 A * 8/1991 Aggers et al. 340/506
5,107,249 A 4/1992 Johnson 340/541
5,761,502 A * 6/1998 Jacobs 707/103 R
6,282,175 B1 * 8/2001 Steele et al. 370/254
6,321,338 B1 * 11/2001 Porras et al. 726/25
6,405,250 B1 6/2002 Lin et al. 709/224
6,412,003 B1 6/2002 Melen 709/225
6,496,575 B1 * 12/2002 Vasell et al. 379/102.05
6,691,244 B1 * 2/2004 Kampe et al. 714/4
6,708,212 B2 * 3/2004 Porras et al. 709/224
6,839,850 B1 * 1/2005 Campbell et al. 726/23
6,973,488 B1 * 12/2005 Yavatkar et al. 709/223
6,986,133 B2 * 1/2006 O'Brien et al. 717/173
6,988,208 B2 * 1/2006 Hrabik et al. 726/23
2002/0082886 A1 * 6/2002 Manganaris et al. 705/7

FOREIGN PATENT DOCUMENTS
WO WO 99/60462 11/1999
WO WO 01/31420 A2 5/2001

OTHER PUBLICATIONS
[entry partly illegible in source] ... Intrusion ... Survey; University of Virginia.
R. Gopal; Layered model for supporting fault isolation and recovery; 2000.
R. Bueschkes, M. Borning, D. Kesdogan; Transaction-based Anomaly Detection; Workshop on Intrusion Detection and Network Monitoring, 1999.*
Anderson, Debra et al., "Next-generation Intrusion Detection Expert System (NIDES): A Summary," Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, May 1995, 47 pgs.
Neumann, Peter G. et al., "Experience with EMERALD to Date", 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, Apr. 11-12, 1999, pp. 73-80.
Snapp, Steven R. et al., "DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, and An Early Prototype", Proceedings of 14th National Computer Security Conference, Washington, D.C., Oct. 1991, pp. 167-176.
Spafford, Eugene H. et al., "Intrusion detection using autonomous agents", Computer Networks 34 (2000), pp. 547-570.
Wallach, Dan S. et al., "Understanding Java Stack Inspection", IEEE Proceedings of Security & Privacy, May 1998, pp. 1-12.
Vigna, G. et al., "NetSTAT: A Network-Based Intrusion Detection Approach," Computer Security Applications Conference, 1998, Proceedings, 14th Annual, Phoenix, AZ, USA, Dec. 7-11, 1998, Los Alamitos, CA, USA, IEEE Comput. Soc., US, Dec. 7, 1998, pp. 25-34, XP010318630.
Neumann, Peter G. and Porras, Phillip A., "Experience with EMERALD to Date", Computer Science Laboratory, SRI International, Menlo Park, CA 94025-3493, 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, Apr. 11-12, 1999, pp. 73-80, BSNDOCID, XP-002230356.
Garcia, et al., "Boundary Expansion of Expert Systems: Incorporating Evolutionary Computation With Intrusion Detection Solutions," Proceedings IEEE Southeastcon 2001, Engineering the Future, Clemson, SC, Mar. 30-Apr. 1, 2001, IEEE Southeastcon, New York, NY: IEEE, US, Mar. 30, 2001, pp. 96-99, XP010542589.
Snapp, Steven R., et al., "A System for Distributed Intrusion Detection," COMPCON Spring '91, Digest of Papers, San Francisco, CA, USA, Feb. 25-Mar. 2, 1991, Los Alamitos, CA, USA, IEEE Comput. Soc., US, Feb. 25, 1991, pp. 170-176, XP010022505.
* cited by examiner

Primary Examiner: Nasser G Moazzami
Assistant Examiner: Mohammad W Reza

(57) ABSTRACT

The invention provides method and apparatus for maintaining a networked computer system including first and second nodes and an event processing server, the method comprising the first and second nodes detecting changes in state, the event processing server receiving notification of the changes in state from the first and second nodes, the event processing server correlating changes in state detected in the first and second nodes, and the event processing server executing a maintenance decision which affects the first and second nodes. The detecting, transmitting, correlating, and executing occurs without human intervention.

41 Claims, 6 Drawing Sheets

[Front-page figure: functional block diagram; only the label "Event Processing Server" is legible in the source.]

Juniper Ex. 1006-p. 1
Juniper v Finjan

U.S. Patent
Sep. 22, 2009
Sheet 1 of 6
US 7,594,267 B2

[FIGURE 1: functional block diagram. Labels legible in the drawing: Node A with Network 5 (path 10), Application 15 (e.g., e-mail), Reference Monitor 25, Interceptors 26, System Resources 35 (e.g., disk) and Event Agent 45, joined by paths 20, 30, 40 and 50; Event Processing Server 100 with Transceiver 115, Loader 125, Instruction Engine 135, Correlation Engine 145 and Electronic File Storage 155, joined by paths 110, 120, 130, 140, 150, 160, 170 and 180; Server C.]

[Sheet 2 of 6, FIGURE 2: Node 10A (Application 15A, Reference Monitor 25A, Event Agent 45A), Node 10B (Application 15B, Reference Monitor 25B, Event Agent 45B), Event Processing Server 100, Electronic File Storage 155, Server C.]

[Sheet 3 of 6, FIGURE 3: Nodes A, B, D and E, each with an Application, a Reference Monitor, an Event Agent and System Resources (legible numerals: 15A, 15B, 20A, 20B, 20D, 20E, 25E, 35A, 35E, 45A, 45B); Event Processing Server 100 with paths 130, 150 and 190D; Electronic File Storage 155.]

[Sheet 4 of 6, FIGURE 4: computer system 400 with Processor (403), Input device (402), Interconnection mechanism (405) and Output device (401).]

[Sheet 5 of 6, FIGURE 5: storage system 406 with storage system memory (502) and a connection "To Processor".]

[Sheet 6 of 6, FIGURE 6: functional block diagram; no labels legible in the source.]

US 7,594,267 B2

STATEFUL DISTRIBUTED EVENT PROCESSING AND ADAPTIVE SECURITY

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to provisional U.S. application Ser. No. 60/298,592 filed Jun. 14, 2001 and entitled Stateful Distributed Event Processing and Adaptive Security, the disclosures of which are incorporated herein by reference.

This application is also related to co-pending U.S. application Ser. No. 10/071,328 filed Feb. 8, 2002 and entitled Stateful Reference Monitor, the disclosures of which are incorporated herein by reference.
BACKGROUND

This invention relates to computer network security, and more particularly to methods and apparatus for securing one or more nodes on a computer network.

Conventional network security systems can be said to provide either "active" or "passive" protection. Active security systems provide real-time barriers to intrusions, via software or hardware-based pre-programmed intrusion detection measures. "Passive" systems provide the ability to detect and recover from previously observed security breaches, by examining data gathered about previous system access activity, so as to improve static access controls and policies over time. Active systems, then, function primarily to prevent intrusions, and passive systems function primarily to report on and examine data about previous intrusions to prevent future intrusions.

Examples of conventional active security systems include access control tools, content filtering tools, and system auditing tools. Access control tools, such as network firewalls, can be deployed on dedicated machines, usually at a network perimeter, to control inbound and outbound access using pre-configured permission levels. Content filtering tools, like computer virus scanners, typically execute on either an e-mail server or a workstation, and function by screening incoming content, like e-mail and attached files, for potentially threatening matter, based on known signatures of previously observed attacks. System auditing tools, like reference monitors, may provide either stateless or state-based monitoring (such as the state-based monitoring provided by the stateful reference monitor described in U.S. patent application Ser. No. 10/071,328 and incorporated by reference herein) of individual workstations or servers, by identifying variations from either pre-determined settings or a dynamic machine state.

Examples of conventional passive security systems include activity logging tools and auditing tools, which may be employed in conjunction with one another. Activity logging tools track the activity of one or more computers and transcribe observed system activity to a series of log files as individual entries. Auditing tools typically examine those log entries to discern breaches, attacks, or other potentially threatening activity, occurring either across machines or within individual machines.

Both types of security systems provide useful intrusion detection and prevention functions. However, both generally rely on pre-programmed network administration policy, business rules, or other parameters, and so neither (particularly passive systems) provides the adaptation capability sometimes necessary to counter novel types of attacks as they occur. Also, conventional active systems are unable to observe and correlate seemingly innocuous activity as it occurs across nodes to determine that an intrusion is in progress. Given the growing ubiquity of computer networks and the value of electronic assets, commensurate growth of network security threats is to be expected. Therefore, a security system which provides adaptive countermeasures in real time to localized (i.e., limited to one node) or non-localized intrusions would provide tremendous value to operators of computer networks.
`
SUMMARY OF THE INVENTION

A first embodiment of the invention provides a method of maintaining a networked computer system including first and second nodes and an event processing server, comprising the first and second nodes detecting changes in state, the event processing server receiving notification of the changes in state from the first and second nodes, the event processing server correlating changes in state detected in the first and second nodes, and the event processing server executing a maintenance decision which affects the first and second nodes, wherein the detecting, transmitting, correlating, and executing occurs without human intervention.

This embodiment may be practiced wherein the changes in state are a result of at least one of an event and the absence of an event, wherein the changes in state are recognized by a reference monitor, and/or wherein the event processing server receiving the report is the result of one of the first and second nodes reporting to the event processing server and the event processing server polling the first and second nodes. The embodiment may further include the event processing server updating an operating policy on the network, and updating the operating policy may include at least one of requesting security policy changes on at least one node, requesting changes to privileges to access system resources on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters. At least one node may further enact the updated operating policy. Also, the embodiment may further include notifying an external entity of actions taken, and the external entity may be a network administrator or a software application executing on the network.

A second embodiment of the invention provides a method for maintaining a networked computer system including at least one node detecting a change in state, an event processing server on the network receiving notification of the at least one change in state from the at least one node, and the event processing server responding to the notification by executing a maintenance decision, wherein the detecting, receiving, and responding occurs without human intervention.

This embodiment may be practiced wherein the change in state is a result of at least one of an event and the absence of an event, wherein the change in state is recognized by a reference monitor, wherein the event processing server receiving the report is the result of one of the node reporting to the event processing server and the event processing server polling the node, and may be practiced wherein the maintenance decision affects the at least one node detecting the change in state, and/or wherein the maintenance decision affects at least one node other than the node detecting the change in state. The embodiment may further include the event processing server updating an operating policy on the network, wherein updating the operating policy may include at least one of requesting security policy changes on at least one node, requesting changes to privileges to access system resources on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters. The embodiment may still further include at least one node enacting the updated operating policy, and/or notifying an external entity of actions taken, wherein the external entity is a network administrator or a software application executing on the network.

A third embodiment of the invention provides a method for maintaining a node on a networked computer system including at least one node detecting a change in state, and the at least one node reacting to the change in state, wherein the at least one node detecting and reacting occurs without human intervention.

The embodiment may be practiced wherein the change in state is a result of at least one of an event and the absence of an event, and/or wherein the change in state is recognized by a stateful reference monitor. The embodiment may further include at least one node notifying an event processing server on the network, the event processing server responding to the notification by updating an operating policy on the network, wherein updating the operating policy includes at least one of requesting updates to security policy on at least one node, requesting changes to privileges to access system resources on at least one node, tuning system parameters on at least one node, and modifying network firewall parameters. The embodiment may further include the at least one node enacting the updated operating policy, and/or notifying an external entity of actions taken, wherein the external entity is a network administrator and/or a software application executing on the network.

A fourth embodiment of the invention provides a computer-readable medium having instructions recorded thereon, which instructions, when executed, enable at least one processor in a networked computer system to detect a change in state of a node, and process instructions defining reacting to the detected change in state.

The embodiment may further include instructions defining communicating the change in state to an event processing server, instructions defining processing maintenance instructions received from the event processing server, and/or instructions defining transmitting notification to a network administrator of actions taken.

A fifth embodiment of the invention provides a computer-readable medium having instructions recorded thereon, which instructions, when executed, enable at least one processor in a networked computer system to maintain an operating policy for the network, receive notification of a change in state from at least one node, and update the operating policy based on the change in state.

The embodiment may further include instructions defining storing received notifications of changes in state in memory, instructions defining correlating notifications received from a plurality of nodes, instructions defining storing received notifications in electronic file storage, and/or instructions defining notifying an external entity of actions taken, wherein the external entity is a network administrator or a software application executing on the network.

A sixth embodiment of the invention provides a method for maintaining a networked computer system including at least one node detecting a change in state, an event processing server on the network receiving notification of the at least one change in state from the at least one node, and the event processing server responding to the notification by dispensing a maintenance decision.

The embodiment may further comprise executing, by a human operator, the maintenance decision on at least one node on the networked computer system, or executing, without human intervention, the maintenance decision on at least one node on the networked computer system. A human operator may be prompted and allotted a predetermined period to execute the maintenance decision before it is executed without human intervention.
`
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram depicting the interaction of system components which define aspects of at least one embodiment of the invention;

FIG. 2 is a functional block diagram depicting the interaction of system components which define aspects of at least one other embodiment of the invention;

FIG. 3 is a functional block diagram depicting the interaction of system components which define aspects of at least a third embodiment of the invention;

FIG. 4 is a block diagram of an exemplary computer system on which aspects of embodiments of the invention may be implemented;

FIG. 5 is a block diagram depicting exemplary computer system components with which aspects of embodiments of the invention may be implemented; and

FIG. 6 is a functional block diagram depicting the interaction of system components which define aspects of at least another embodiment of the invention.
`
DETAILED DESCRIPTION

Aspects of embodiments of the present invention provide methods and apparatus for securing a networked computer system through the coordinated execution of reference monitor and event agent software on individual nodes, and event processing server software on a network server, for achieving active security measures, administrative control, and the ability to correlate potentially threatening activity across multiple nodes in real time.

Computer system 400, shown in FIG. 4, with which aspects of these embodiments, either individually or in combination, may be implemented, may include at least one main unit connected to both one or more output devices 401 which store information, transmit information or display information to one or more users or machines, and one or more input devices 402 which receive input from one or more users or machines. The main unit may include one or more processors 403 connected to a memory system 404 via one or more interconnection mechanisms 405, such as a bus or switch. Any input device 402 and/or output device 401 are also connected to the processor 403 and memory system 404 via the interconnection mechanism 405. The computer system 400 may further include a storage system 406 in which information is held on or in a non-volatile medium. The medium may be fixed in the system or may be removable.

Alternatively, computer system 400 may be distributed, and therefore may not include a main unit. In particular, input devices 402, processors 403, memory systems 404, interconnection mechanisms 405, and storage systems 406 may each comprise individual or multiple computer systems, and may be geographically disparate. For example, storage systems 406 may comprise a server farm residing in New York which communicates with a processor 403 residing in Pennsylvania, via the Internet, which serves as interconnection mechanism 405.

Computer system 400 may be a general purpose computer system which is programmable using a computer programming language. Computer programming languages suitable for implementing such a system include procedural programming languages, object-oriented programming languages, combinations of the two, or other languages. The computer system may also be specially programmed, special purpose hardware, or an application specific integrated circuit (ASIC).

In a general purpose computer system, the processor is typically a commercially available processor which executes a program called an operating system, which controls the execution of other computer programs and provides scheduling, debugging, input/output control, accounting, compilation, storage assignment, data management, memory management, communication control and related services. The processor and operating system define the platform for which application programs in other computer programming languages are written. The invention is not limited to any particular processor, operating system or programming language.

Storage system 406, shown in greater detail in FIG. 5, typically includes a computer-readable and computer-writeable non-volatile recording medium 501, in which data is stored that define a program to be executed by the processor, or information stored to be processed by the program. The medium may, for example, be a disk or flash memory. Typically, in operation, the processor causes data to be read from the nonvolatile recording medium 501 into another memory 502 that allows for faster access to the information by the processor than does the medium 501. This memory 502 is typically a volatile, random access memory such as a dynamic random access memory (DRAM) or static memory (SRAM). It may be located in storage system 406, as shown, or in memory system 404, not shown. The processor 403 generally manipulates the data within the integrated circuit memory 404, 502 and then copies the data to the medium 501 after processing is completed. A variety of mechanisms are known for managing data movement between the medium 501 and the integrated circuit memory element 404, 502, and the invention is not limited thereto. The invention is not limited to a particular memory system 404 or storage system 406.

Aspects of embodiments of the invention may be implemented in software, hardware or firmware, or any combination thereof. The various elements of an embodiment, either individually or in combination, may be implemented as a computer program product including a computer-readable medium, e.g. storage 406, on which instructions are stored for access and execution by a processor, e.g. processor 403. When executed by the processor 403, the instructions instruct the processor 403 to perform the various steps of the process.

FIG. 1 is a functional block diagram depicting the relationship between system components, such as those described above, adapted to enable aspects of embodiments of the invention.

Reference Monitor 25 executes on Node A, which may be a workstation, server, or other computer on the network. Reference Monitor 25 may be a software application, which may execute on Node A synchronously, asynchronously, or both, providing continuous monitoring capability. Reference Monitor 25 may be adapted to execute on nodes running any commercially prevalent operating system such as UNIX, LINUX, Windows NT, and others. Reference Monitor 25 acts to detect and intercept local node operations and/or network originated requests through which the operating system and/or user applications attempt to access system resources on the node. In some embodiments, in order to monitor system events, Reference Monitor 25 comprises Interceptors 26, which are inserted in the control or communication paths traversed by those events. For example, if a particular monitored event is a network access request, an Interceptor 26 may be inserted in the operating system at a point where the network access request is communicated from one portion of the operating system to another. Interceptor 26 may generate an event message for each event intercepted. Event messages may then be communicated to Reference Monitor 25, which may return a policy message to Interceptor 26. The policy message may be an action for Interceptor 26 to take, such as allowing an access request event to continue along the control or communication path so that it has its intended effect, or not allowing the event to pass along the path. Reference Monitor 25 may instead, or also, construe the absence of an anticipated request for system resources as a harmful activity. In these embodiments, Reference Monitor 25 may interpret an overall absence of event messages, of certain types of event messages, or of event messages received within a certain time frame, for example, as cause to return a policy message to Interceptor 26, such as an instruction not to allow an event to continue along its intended path.
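As an added illustration of the interceptor and policy-message exchange just described, including the case where the absence of an anticipated event within a time frame is itself construed as harmful, the following Python sketch is example code written for this page; it is not code from the patent or from Cisco, and every actor name, event kind, policy rule and timestamp in it is constructed.

```python
# Toy stateful reference monitor (constructed example, not the patent's code).
# An Interceptor sits in the request path, turns each request into an event
# message, asks the ReferenceMonitor for a policy message, and lets the request
# continue only on "allow". The monitor applies a static policy plus one
# stateful rule: an operation is refused when the event it is expected to
# follow is absent, or happened longer ago than `window` seconds.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str     # e.g. "auth_success", "file_write", "net_access"
    actor: str    # process or user issuing the request
    target: str   # resource the request refers to
    t: float      # timestamp in seconds (constructed, monotonic)


@dataclass
class ReferenceMonitor:
    # Static policy: the event kinds each actor may perform at all.
    allowed: Dict[str, Set[str]]
    # Stateful policy: kind -> kind that must have been allowed shortly before.
    prerequisites: Dict[str, str]
    window: float = 30.0
    # (actor, kind) -> time of the last *allowed* event of that kind.
    last_allowed: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def policy_for(self, ev: Event) -> str:
        """Return the policy message ("allow" / "deny") for one event message."""
        if ev.kind not in self.allowed.get(ev.actor, set()):
            return "deny"                       # static policy violation
        pre = self.prerequisites.get(ev.kind)
        if pre is not None:
            when = self.last_allowed.get((ev.actor, pre))
            if when is None or ev.t - when > self.window:
                return "deny"                   # anticipated event absent or stale
        self.last_allowed[(ev.actor, ev.kind)] = ev.t
        return "allow"


class Interceptor:
    """Hook in the control path: each request becomes an event message, and the
    request proceeds to its target only when the policy message is "allow"."""

    def __init__(self, monitor: ReferenceMonitor):
        self.monitor = monitor
        self.passed: List[Event] = []   # requests that reached their target

    def intercept(self, ev: Event) -> str:
        decision = self.monitor.policy_for(ev)
        if decision == "allow":
            self.passed.append(ev)      # let the request continue along its path
        return decision


def run_demo() -> List[str]:
    """Replay a constructed request sequence and return the decisions in order."""
    monitor = ReferenceMonitor(
        allowed={"mailserver": {"auth_success", "file_write", "net_access"},
                 "browser": {"net_access"}},
        prerequisites={"file_write": "auth_success"},   # a write needs a recent login
        window=30.0,
    )
    hook = Interceptor(monitor)
    requests = [
        Event("auth_success", "mailserver", "user:alice", 0.0),
        Event("file_write", "mailserver", "/var/mail/alice", 5.0),   # login 5 s ago
        Event("file_write", "browser", "/etc/passwd", 6.0),          # never permitted
        Event("file_write", "mailserver", "/var/mail/bob", 100.0),   # login 100 s ago
        Event("net_access", "browser", "203.0.113.5:443", 101.0),
    ]
    return [hook.intercept(ev) for ev in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The fourth request is the "absence of an anticipated event" case: the write is statically permitted, but the login it was expected to follow is outside the window, so the policy message is "deny" and the request never reaches the interceptor's `passed` list. Only allowed events update `last_allowed`, so a denied event cannot satisfy a later prerequisite.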
Event Agent 45 also executes on Node A, and in this embodiment is a software application which executes continuously in the background on Node A. Event Agent 45 executes in conjunction with, and may be integrated with, Reference Monitor 25 and coordinates communication between Reference Monitor 25 and Event Processing Server 100. Event Agent 45 may be adapted to execute on nodes running any commercially prevalent operating system such as UNIX, LINUX, Windows NT, and others. Event Agent 45 may execute on the same physical machine as Reference Monitor 25, or on a different physical machine (not shown) if the machines are networked. If Event Agent 45 and Reference Monitor 25 execute on different physical machines, they will preferably communicate via any secure network protocol that supports message integrity and authentication, such as HTTPS and others. Secure network protocols are desirable so that Event Agent 45 and Reference Monitor 25 can validate the origin and content of communication received.

Event Processing Server 100, in this embodiment, is a software application in communication with one or more Event Agents 45, and may execute on a workstation or server residing within the same sub-network as Event Agents 45, or on a different sub-network connected via a router, gateway or other component. Data transport between Event Agent 45 and Event Processing Server 100 may be accomplished via such secure communication protocols as HTTPS and/or others. In the embodiment depicted, Event Processing Server 100 consists of integrated software components Transceiver 115, Loader 125, Instruction Engine 135, Correlation Engine 145, and Electronic File Storage 155. Transceiver 115 receives event notifications from Event Agent 45 and prepares them for processing. Data is passed to Loader 125, which prepares it for loading to Electronic File Storage 155. In a preferred embodiment, Electronic File Storage 155 is a database organized to provide a constantly updated representation of the status of Event Agents 45 in quickly accessible form. Instruction Engine 135 and Correlation Engine 145 process data in Electronic File Storage 155. Instruction Engine 135 determines whether individual notifications received from nodes warrant policy updates—for instance, determining whether a notification indicates an active attack (such as a buffer overrun attack) or a passive attack (such as a virus)—and determines steps to be taken, such as placing nodes in quarantine, defining system operations which may not be performed on any machine on which a Reference Monitor 25 executes, or tuning operating system, network, or firewall parameters. Instruction Engine 135 passes instructions to be issued to Transceiver 115, which then transmits them to Event Agent 45. Correlation Engine 145 determines whether event notifications, when considered in combination, warrant policy updates. By continuously tracking and analyzing the activity reported by various event agents across one or more networks, Event Processing Server 100 is able to correlate events that may seem unrelated across the distributed system to recognize potential attacks. Attacks may be defined by combinations of events, such as attempting to access a particular resource together with writing a particular file. Other relationships between time and machine resources accessed may also signify an attack.
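The server-side pipeline described above (notifications received and stored, judged one at a time by an instruction engine, and judged in combination by a correlation engine that looks for a particular resource access together with a particular file write) is the same flow the first embodiment of the Summary states in method terms: nodes report changes in state, the server correlates them and executes a maintenance decision affecting the nodes without human intervention. The following Python sketch exercises that flow. It is an added example, not code from the patent or from Cisco; the node names, event kinds, the two instruction-engine rules, the correlation rule, the time window and the notification sequence are all constructed.

```python
# Toy Event Processing Server (constructed example, not the patent's code).
# receive() stands in for the transceiver and loader (the notification is stored
# and the per-node status updated), instruction_engine() judges one notification
# on its own, and correlation_engine() judges recent notifications together.
# Instructions returned by receive() are what the transceiver would send back
# to the event agents; "*" addresses every node running an agent.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Notification:
    node: str     # event agent that reported it
    kind: str     # "resource_access", "file_write", "buffer_overrun", ...
    detail: str   # resource, file or process concerned
    t: float      # time of the event in seconds (constructed)


@dataclass(frozen=True)
class Instruction:
    node: str     # "*" = every node running an event agent
    action: str   # "quarantine" or "deny_operation"
    detail: str


@dataclass(frozen=True)
class CorrelationRule:
    """Two (kind, detail) pairs seen on any nodes within the server's window are
    treated as one attack and answered with a single network-wide instruction."""
    first: Tuple[str, str]
    second: Tuple[str, str]
    response: Instruction


class EventProcessingServer:
    def __init__(self, rules: List[CorrelationRule], window: float = 60.0):
        self.storage: List[Notification] = []   # stands in for electronic file storage
        self.status: Dict[str, str] = {}         # node -> latest reported event kind
        self.rules = rules
        self.window = window
        self.issued: Set[Instruction] = set()    # network-wide responses already sent
        self.audit: List[str] = []               # notifications to an external entity

    def receive(self, n: Notification) -> List[Instruction]:
        """Load one notification and return the instructions to transmit."""
        self.storage.append(n)
        self.status[n.node] = n.kind
        out = self.instruction_engine(n) + self.correlation_engine(n)
        for i in out:   # tell the administrator (or another program) what was done
            self.audit.append(f"t={n.t:.0f}s: {i.action} ({i.detail}) on {i.node}")
        return out

    def instruction_engine(self, n: Notification) -> List[Instruction]:
        """Decide whether a single notification warrants a policy update."""
        if n.kind == "buffer_overrun":            # active attack: isolate the node
            return [Instruction(n.node, "quarantine", n.detail)]
        if n.kind == "virus_signature":           # passive attack: block the payload
            return [Instruction(n.node, "deny_operation", f"exec {n.detail}")]
        return []

    def correlation_engine(self, n: Notification) -> List[Instruction]:
        """Decide whether recent notifications, taken together, warrant one."""
        recent = [m for m in self.storage if n.t - m.t <= self.window]
        seen = {(m.kind, m.detail) for m in recent}
        out = []
        for r in self.rules:
            if r.first in seen and r.second in seen and r.response not in self.issued:
                self.issued.add(r.response)       # issue each network-wide rule once
                out.append(r.response)
        return out


def run_demo() -> List[Tuple[str, str]]:
    """Feed a constructed notification stream and return (node, action) pairs."""
    rule = CorrelationRule(
        first=("resource_access", "/etc/shadow"),
        second=("file_write", "~/.rhosts"),
        response=Instruction("*", "deny_operation", "write ~/.rhosts"),
    )
    eps = EventProcessingServer([rule], window=60.0)
    stream = [
        Notification("nodeA", "resource_access", "/etc/shadow", 10.0),
        Notification("nodeB", "buffer_overrun", "httpd", 20.0),
        Notification("nodeC", "file_write", "~/.rhosts", 40.0),    # 30 s after nodeA
        Notification("nodeD", "file_write", "~/.rhosts", 200.0),   # nothing recent to pair
    ]
    decisions: List[Tuple[str, str]] = []
    for n in stream:
        decisions += [(i.node, i.action) for i in eps.receive(n)]
    return decisions


if __name__ == "__main__":
    for node, action in run_demo():
        print(node, action)
```

The second notification is handled by the instruction engine alone (one node is quarantined); the third fires only because the correlation engine sees the access on nodeA and the write on nodeC inside one window, which neither node could have recognised by itself. The fourth shows the window doing its job: the same write 160 s later pairs with nothing and produces no instruction.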
Reference Monitor 25, Event Agent 45, and Event Processing Server 100 may interact in various ways to provide local protection of individual nodes, remote adaptive protection of one or more nodes, and correlative protection for one or more nodes, as described in detail below.

Local protection of individual nodes is provided by Reference Monitor 25. In the embodiment depicted in FIG. 1, an instruction arrives in 10 from Network 5 to Application 15, which may be an e-mail, browser, terminal server, or other software application running on Node A. This network-based instruction received in 10 causes Application 15 to issue a corresponding request in 20 for System Resources 35 (i.e., access to disk or CPU), which is detected and routed through Reference Monitor 25. If the request does not violate pre-programmed administrative policies, which in the embodiment shown are stored as coded instructions within the Reference Monitor or in a database on hard disk 35, the Reference Monitor allows Application 15 access to System Resources 35 in 30. If the request violates these policies, Reference Monitor 25 may prevent Application 15 from accessing System Resources 35 in 30.

Reference Monitor 25 may work in conjunction with Event Agent 45 and Event Processing Server 100 to provide remote adaptive protection in addition to, or instead of, local protection. Also depicted in FIG. 1, Reference Monitor 25 may perform basic analysis on the instruction arriving in 10 and communicate with Event Agent 45 in 40 as to its nature, as defined by current administrative policy. Event Agent 45 then sends a notification via Network 5 in 50 and 110 (which constitute transfer of the same notification) to Event Processing Server 100 as to the nature of the activity. Event Processing Server 100 receives the notification in 110 from Network 5. Transceiver 115 receives the notification in 110 from Event Agent 45 and prepares it for processing. This data is then passed in 120 to Loader 125, which prepares it for loading, and in 130 initiates the load of the data to Electronic File Storage 155. Once loaded, Instruction Engine 135 and Correlation Engine 145 process the data in Electronic
