-
Publication No.: US20220374434A1
Publication Date: 2022-11-24
Application No.: US17325097
Filing Date: 2021-05-19
Applicant: CrowdStrike, Inc.
Inventor: Brent Ryan Nash, James Robert Plush, Timothy Jason Berger, Hyacinth D. Diehl
IPC: G06F16/2455, G06F16/901
Abstract: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.
-
Publication No.: US12189791B2
Publication Date: 2025-01-07
Application No.: US18133884
Filing Date: 2023-04-12
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, James Robert Plush, Timothy Jason Berger
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication No.: US12210510B2
Publication Date: 2025-01-28
Application No.: US18610943
Filing Date: 2024-03-20
Applicant: CrowdStrike, Inc.
Inventor: James Robert Plush, Timothy Jason Berger, Ramnath Venugopalan
Abstract: A digital security system can store data associated with entities in resolver trees. If the digital security system determines that two resolver trees likely represent the same entity, the digital security system can use a merge operation to merge the resolver trees into a single resolver tree that represents the entity. The single resolver tree can include a merge node indicating a merge identifier of the merge operation. Nodes containing information merged into the resolver tree from another resolver tree during the merge operation can be tagged with the corresponding merge identifier. Accordingly, if the merge operation is to be undone, for instance if subsequent information indicates that the entries are likely separate entities, the resolver tree can be unmerged and the nodes tagged with the merge identifier can be restored to a separate resolver tree.
-
Publication No.: US11960470B2
Publication Date: 2024-04-16
Application No.: US17576782
Filing Date: 2022-01-14
Applicant: CrowdStrike, Inc.
Inventor: James Robert Plush, Timothy Jason Berger, Ramnath Venugopalan
CPC classification number: G06F16/2365, G06F7/14, G06F16/2246, G06F16/2358, G06F16/288
Abstract: A digital security system can store data associated with entities in resolver trees. If the digital security system determines that two resolver trees likely represent the same entity, the digital security system can use a merge operation to merge the resolver trees into a single resolver tree that represents the entity. The single resolver tree can include a merge node indicating a merge identifier of the merge operation. Nodes containing information merged into the resolver tree from another resolver tree during the merge operation can be tagged with the corresponding merge identifier. Accordingly, if the merge operation is to be undone, for instance if subsequent information indicates that the entries are likely separate entities, the resolver tree can be unmerged and the nodes tagged with the merge identifier can be restored to a separate resolver tree.
-
Publication No.: US11836137B2
Publication Date: 2023-12-05
Application No.: US17325097
Filing Date: 2021-05-19
Applicant: CrowdStrike, Inc.
Inventor: Brent Ryan Nash, James Robert Plush, Timothy Jason Berger, Hyacinth D. Diehl
IPC: G06F16/2455, G06F16/901
CPC classification number: G06F16/24568, G06F16/9024
Abstract: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.
-
Publication No.: US11645397B2
Publication Date: 2023-05-09
Application No.: US16849543
Filing Date: 2020-04-15
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, James Robert Plush, Timothy Jason Berger
CPC classification number: G06F21/60, G06F9/542, H04L63/0892, H04L63/105, H04L63/1408
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication No.: US09798882B2
Publication Date: 2017-10-24
Application No.: US14297974
Filing Date: 2014-06-06
Applicant: CrowdStrike, Inc.
CPC classification number: G06F21/577, G06F21/552, G06F2221/034, G06N5/04, H04L41/0893, H04L41/12, H04L63/1433, H04L63/1441
Abstract: A model representing system components and events of a plurality of monitored devices as data objects is described herein. The model resides on a security service cloud and is updated in substantially real-time, as security-relevant information about the system components and events is received by the security service cloud. Each data object in the model has a scope and different actions are taken by security service cloud modules depending on different data object scopes. Further, the security service cloud maintains a model specific to each monitored device built in substantially real-time as the security-relevant information from that device is received. The security service cloud utilizes these device-specific models to detect security concerns and respond to those concerns in substantially real-time.
-
Publication No.: US20240232170A1
Publication Date: 2024-07-11
Application No.: US18610943
Filing Date: 2024-03-20
Applicant: CrowdStrike, Inc.
Inventor: James Robert Plush, Timothy Jason Berger, Ramnath Venugopalan
CPC classification number: G06F16/2365, G06F7/14, G06F16/2246, G06F16/2358, G06F16/288
Abstract: A digital security system can store data associated with entities in resolver trees. If the digital security system determines that two resolver trees likely represent the same entity, the digital security system can use a merge operation to merge the resolver trees into a single resolver tree that represents the entity. The single resolver tree can include a merge node indicating a merge identifier of the merge operation. Nodes containing information merged into the resolver tree from another resolver tree during the merge operation can be tagged with the corresponding merge identifier. Accordingly, if the merge operation is to be undone, for instance if subsequent information indicates that the entries are likely separate entities, the resolver tree can be unmerged and the nodes tagged with the merge identifier can be restored to a separate resolver tree.
-
Publication No.: US20240061844A1
Publication Date: 2024-02-22
Application No.: US18496684
Filing Date: 2023-10-27
Applicant: CrowdStrike, Inc.
Inventor: Brent Ryan Nash, Timothy Jason Berger, Hyacinth D. Diehl, James Robert Plush
IPC: G06F16/2455, G06F16/901
CPC classification number: G06F16/24568, G06F16/9024
Abstract: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.
-
Publication No.: US20230297690A1
Publication Date: 2023-09-21
Application No.: US18133884
Filing Date: 2023-04-12
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, James Robert Plush, Timothy Jason Berger
CPC classification number: G06F21/60, G06F9/542, H04L63/0892, H04L63/105, H04L63/1408
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.