-
Publication number: US12175312B2
Publication date: 2024-12-24
Application number: US17953801
Filing date: 2022-09-27
Applicant: CrowdStrike, Inc.
Inventor: Marco Vedovati , Martin Kelly
IPC: G06F9/54
Abstract: A first message structure is selected from a first subset of a plurality of message structures based on a size of a message payload and a message type of the message payload. Each of the first subset of the plurality of message structures has a different size. A size of the first message structure is greater than or equal to the size of the message payload. A first request is transmitted to an application programming interface (API) utilizing the size of the first message structure. In response to transmitting the first request to the API, a reference is received to a buffer structure. The message payload is copied into the buffer structure using the reference to the buffer structure.
-
Publication number: US20240370407A1
Publication date: 2024-11-07
Application number: US18142333
Filing date: 2023-05-02
Applicant: CrowdStrike, Inc.
Inventor: Jeffrey Capone , Joshua Jones , Artsiom Tsai , Naeem Fanaeian
Abstract: A computer-implemented method of detecting similarity between a first file and a plurality of second files includes generating a first vector corresponding to the first file and a plurality of second vectors each corresponding to one of the plurality of second files; determining that the first file is similar to at least one of the plurality of second files based on a comparison of the first vector to the plurality of second vectors; and, responsive to determining that the first file is similar to the at least one of the plurality of second files, performing a remediation operation on the first file.
-
Publication number: US20240311473A1
Publication date: 2024-09-19
Application number: US18185136
Filing date: 2023-03-16
Applicant: CrowdStrike, Inc.
Inventor: Gabriel Cirlig , Matthew Zavislak , Robert Aron
CPC classification number: G06F21/554 , G06F9/451 , G06F2221/034
Abstract: Systems and methods are disclosed that receive, from an accessibility service executing on a computing device, screen content that is displayed on a screen of the computing device to a user. The accessibility service is configured to interact with a graphical user interface executing on the computing device to determine the screen content. The systems and methods determine that the screen content includes malicious content and perform an operation, by the computing device, that impedes the user from selecting the malicious content.
-
Publication number: US20240281352A1
Publication date: 2024-08-22
Application number: US18110456
Filing date: 2023-02-16
Applicant: CrowdStrike, Inc.
Inventor: Andrew Southgate
CPC classification number: G06F11/3065 , G06F11/327
Abstract: An artificial intelligence (AI) monitoring service detects, in real time or in near real time, misbehaving AI. The AI monitoring service monitors any of inputs to the AI, incoming/outgoing communications, API calls, inter-service/inter-container activities associated with the AI, and/or an output generated by the AI. Any activity conducted by, or associated with, the AI may be compared to an AI behavior profile defining permissible/impermissible activities. If any activity fails to conform to the AI behavior profile, alerts are sent and threat procedures are implemented. Very early stages of abnormal AI behavior are detected, thus quickly exposing abnormal AI behavior before the artificial intelligence can implement undesirable, or even harmful, actions.
-
Publication number: US20240248983A1
Publication date: 2024-07-25
Application number: US18159266
Filing date: 2023-01-25
Applicant: CrowdStrike, Inc.
Inventor: Marian Radu , Daniel Radu
IPC: G06F21/55
CPC classification number: G06F21/552 , G06F2221/034
Abstract: A security agent of a computing device that is configured to utilize a decision validation model for a prediction model of the security agent is described herein. The decision validation model includes non-executable data and is utilized by a function of the security agent, which takes the input vector and the decision value of the prediction model as inputs to the decision validation model. The decision validation model then outputs a decision value different from the decision value of the prediction model. The security agent receives the decision validation model from a security service that trains the decision validation model when the prediction model is generating false predictions.
-
Publication number: US20240054209A1
Publication date: 2024-02-15
Application number: US17884295
Filing date: 2022-08-09
Applicant: CrowdStrike, Inc.
Inventor: Marina Simakov , Eyal Karni , Yaron Zinar
IPC: G06F21/46
CPC classification number: G06F21/46
Abstract: Techniques and systems are described for enabling an identity provider to identify a computing device during authentication of a user that uses the computing device, and to do so in a manner that is independent of a browser and/or a client application and/or an operating system on the computing device. For example, upon receiving, from a first identity provider, redirection data to redirect an authentication request to a second identity provider, a security agent executing on the computing device may intercept the authentication request, retrieve data about the computing device, and send the authentication request with the device data to the second identity provider. Upon receiving, from the second identity provider, a signed response to the authentication request, the computing device may send the signed response to the first identity provider to receive a result of the authentication request from the first identity provider.
-
Publication number: US11899786B2
Publication date: 2024-02-13
Application number: US16507194
Filing date: 2019-07-10
Applicant: CrowdStrike, Inc.
IPC: G06N3/08 , G06N3/044 , G06F21/55 , G06V30/196
CPC classification number: G06F21/554 , G06N3/044 , G06N3/08 , G06V30/1985 , G06F2221/034
Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so that the trained representation predicts, based on a character of training command-line text, the immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.
-
Publication number: US20240007491A1
Publication date: 2024-01-04
Application number: US17855360
Filing date: 2022-06-30
Applicant: CrowdStrike, Inc.
Inventor: Joel Robert Spurlock , Elia Zaitsev , Daniel W. Brown , Thomas R. Hobson
IPC: H04L9/40
CPC classification number: H04L63/1425 , H04L63/1441
Abstract: Methods and systems for detecting malicious attacks in a network and preventing lateral movement in the network by identity control are disclosed. According to an implementation, a security appliance may receive telemetry data from an endpoint device collected during a period of time. The security appliance may determine a threat behavior based on the telemetry data. The threat behavior may be associated with a user identity or user account. The security appliance further determines one or more additional user identities based on the user identity connected to the threat behavior. The security appliance may enforce one or more security actions on the user identity and the one or more additional user identities to prevent attacks on a plurality of computing domains from the endpoint device using the one or more additional user identities. The security appliance may be implemented on any network participant, including servers, cloud devices, cloud-based services/platforms, etc.
-
Publication number: US20230421587A1
Publication date: 2023-12-28
Application number: US17849537
Filing date: 2022-06-24
Applicant: CrowdStrike, Inc.
Inventor: Brett Meyer , Joel Robert Spurlock , Andrew Forth , Kirby Koster , Joseph L. Faulhaber
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: A distributed security system includes instances of a compute engine that can receive an event stream comprising event data associated with an occurrence of one or more events on one or more client computing devices and generate new event data based on the event data in the event stream. A predictions engine coupled in communication with the compute engine(s) receives the new event data and applies at least a portion of the received new event data to one or more machine learning models of the distributed security system based on the received new event data. The one or more machine learning models generate a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, based on the applying of at least the portion of the received new event data to the one or more machine learning models according to the received new event data.
-
Publication number: US20230351016A1
Publication date: 2023-11-02
Application number: US17733721
Filing date: 2022-04-29
Applicant: CrowdStrike, Inc.
Inventor: Marian Radu , Daniel Radu
CPC classification number: G06F21/565 , G06F21/563 , G06F21/552 , G06F21/577
Abstract: Methods and systems are provided for a histogram model configuring a computing system to derive an indicator of compromise signature based on a sliding window index of identified malware samples, and a matching rule constructor configuring a computing system to generate matching signatures by selecting statistically relevant n-grams of an unidentified file sample. A matching rule constructor configures the computing system to construct a matching rule including, as a signature, 32 n-grams found in the unidentified file sample which occur most frequently, and another 32 n-grams found in the unidentified file sample which occur least frequently amongst records of the threat database across 32 discrete file size ranges. These functions can configure backend operations to a sample identification operation performed by a user operating a client computing device, in a fashion that does not require a user to manually discern strings from the unidentified file sample to derive a signature for the matching engine to search against the threat database.
-