-
Publication number: US09858626B2
Publication date: 2018-01-02
Application number: US14792177
Filing date: 2015-07-06
Applicant: CrowdStrike, Inc.
Inventor: Dmitri Alperovitch, George Robert Kurtz, David Frederick Diehl, Sven Krasser, Adam S. Meyers
CPC classification number: G06Q50/01, G06Q10/00, H04L63/104, H04L63/107, H04L63/14, H04L63/1441, H04L63/20
Abstract: Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
-
Publication number: US09621515B2
Publication date: 2017-04-11
Application number: US14709779
Filing date: 2015-05-12
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication number: US20150326614A1
Publication date: 2015-11-12
Application number: US14792177
Filing date: 2015-07-06
Applicant: CrowdStrike, Inc.
Inventor: Dmitri Alperovitch, George Robert Kurtz, David Frederick Diehl, Sven Krasser, Adam S. Meyers
IPC: H04L29/06
CPC classification number: G06Q50/01, G06Q10/00, H04L63/104, H04L63/107, H04L63/14, H04L63/1441, H04L63/20
Abstract: Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
-
Publication number: US10002250B2
Publication date: 2018-06-19
Application number: US15393797
Filing date: 2016-12-29
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication number: US20240028717A1
Publication date: 2024-01-25
Application number: US18480345
Filing date: 2023-10-03
Applicant: CrowdStrike, Inc.
Inventor: Adam S. Meyers, David F. Diehl, Dmitri Alperovitch, George Robert Kurtz, Sven Krasser
IPC: G06F21/56, G06F21/55, H04L9/40, G06F21/62, H04L61/4511
CPC classification number: G06F21/56, G06F21/554, H04L63/1491, G06F21/6209, H04L61/4511, G06F2221/2111, G06F2221/2129
Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
-
Publication number: US20200285740A1
Publication date: 2020-09-10
Application number: US16885174
Filing date: 2020-05-27
Applicant: CrowdStrike, Inc.
Inventor: Adam S. Meyers, Dmitri Alperovitch, George Robert Kurtz, David F. Diehl, Sven Krasser
Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
-
Publication number: US20190138723A1
Publication date: 2019-05-09
Application number: US16007507
Filing date: 2018-06-13
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication number: US09904784B2
Publication date: 2018-02-27
Application number: US15483153
Filing date: 2017-04-10
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication number: US20170213031A1
Publication date: 2017-07-27
Application number: US15483153
Filing date: 2017-04-10
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
IPC: G06F21/56
CPC classification number: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Publication number: US12013941B2
Publication date: 2024-06-18
Application number: US17255958
Filing date: 2019-06-28
Applicant: CrowdStrike, Inc.
Inventor: George Robert Kurtz, Dmitri Alperovitch, Amol Kulkarni, Jan Miller, Daniel Radu
CPC classification number: G06F21/566, G06F21/567, G06F21/577, G06F2221/034
Abstract: A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records.
-