-
Publication (Announcement) No.: US10740459B2
Publication (Announcement) Date: 2020-08-11
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication (Announcement) No.: US09621515B2
Publication (Announcement) Date: 2017-04-11
Application No.: US14709779
Filing Date: 2015-05-12
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication (Announcement) No.: US20150101044A1
Publication (Announcement) Date: 2015-04-09
Application No.: US14048920
Filing Date: 2013-10-08
Applicant: CrowdStrike, Inc.
Inventor: Daniel T. Martin, David F. Diehl
IPC: G06F21/50
CPC classification number: G06F21/552, G06F11/3006, G06F11/3089, G06F21/554, G06F2201/86, G06F2201/875, H04L63/1425
Abstract: A computing device described herein is configured to receive a notification of an event associated with a plurality of system components. In response, the computing device determines a state for the system components based on a state for one of those system components specified in an event model. That specified state in the event model reflects a previous occurrence of another event.
-
Publication (Announcement) No.: US11907370B2
Publication (Announcement) Date: 2024-02-20
Application No.: US17019166
Filing Date: 2020-09-11
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Daniel W. Brown, Aaron Javan Marks, Kirby J. Koster, Daniel T. Martin
CPC classification number: G06F21/566, G06F21/552, H04L63/14, H04L63/1416, G06N20/00
Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.
-
Publication (Announcement) No.: US20230164151A1
Publication (Announcement) Date: 2023-05-25
Application No.: US18094303
Filing Date: 2023-01-06
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
IPC: H04L9/40, G06F21/54, H04L41/042, H04L41/28
CPC classification number: H04L63/1416, G06F21/54, H04L41/042, H04L41/28, H04L63/1441
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication (Announcement) No.: US11563756B2
Publication (Announcement) Date: 2023-01-24
Application No.: US16849411
Filing Date: 2020-04-15
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
IPC: G06F11/00, H04L9/40, G06F21/54, H04L41/042, H04L41/28
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication (Announcement) No.: US20210329013A1
Publication (Announcement) Date: 2021-10-21
Application No.: US16849450
Filing Date: 2020-04-15
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
IPC: H04L29/06, G06F16/2455
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication (Announcement) No.: US20190205533A1
Publication (Announcement) Date: 2019-07-04
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication (Announcement) No.: US20180365289A1
Publication (Announcement) Date: 2018-12-20
Application No.: US15624193
Filing Date: 2017-06-15
Applicant: CrowdStrike, Inc.
Inventor: Daniel W. Brown, David F. Diehl
Abstract: Example techniques herein search a graph data structure and retrieve data associated with a result node or edge. The graph can include nodes representing, e.g., processes or files, and edges between the nodes. A control unit can produce a discrete finite automaton (DFA) based on a query. The control unit can traverse the DFA in conjunction with the graph, beginning at an initial state of the DFA and an entry-point node of the graph, to reach a result node of the graph associated with a triggering state of the DFA. Traversal can include unwinding upon reaching a terminal state of the DFA, in some examples. The control unit can retrieve data associated with the result node or an edge connected thereto, and can provide the data via a communications interface. A data-retrieval system can communicate with a data-storage system via the communications interface, in some examples.
-
Publication (Announcement) No.: US10002250B2
Publication (Announcement) Date: 2018-06-19
Application No.: US15393797
Filing Date: 2016-12-29
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.