-
Publication No.: US10740459B2
Publication Date: 2020-08-11
Application No.: US15857007
Application Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication No.: US20180239657A1
Publication Date: 2018-08-23
Application No.: US15438553
Application Date: 2017-02-21
Applicant: CrowdStrike, Inc.
Inventor: Milos Petrbok, Colin Christopher McCambridge
IPC: G06F9/54
Abstract: A symmetric, cross-platform, bridge component is described herein. The bridge component creates an interface (through a set of application programming interfaces (APIs)) to enable the sending of data between a pair of components, called “endpoints,” a first endpoint component of the pair being executed in a kernel mode of a computing device, and a second endpoint component of the pair being executed in a user mode of the computing device. A process for sending data between a kernel-level endpoint component and a user-level endpoint component executing on a computing device involves opening a communications port, setting the communications port to a connected state, and sending a message containing the data via the communications port. Data may be transmitted in this manner between the user mode and the kernel mode of the computing device in either direction.
-
Publication No.: US20240202097A1
Publication Date: 2024-06-20
Application No.: US18081144
Application Date: 2022-12-14
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok
CPC classification number: G06F11/3495, G06F9/445, G06F9/545
Abstract: A unique process identifier (UPID) associated with a process identifier (PID) of a process executing in an operating system is generated in a kernel space of the operating system executing on a computing device. The UPID is inserted into a first mapping store that maps the PID to the UPID. A message is transmitted including the PID to a message buffer structure. A second mapping store that maps the UPID to the PID is updated in a user space of the operating system based on the message.
-
Publication No.: US20190205533A1
Publication Date: 2019-07-04
Application No.: US15857007
Application Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication No.: US10387228B2
Publication Date: 2019-08-20
Application No.: US15438553
Application Date: 2017-02-21
Applicant: CrowdStrike, Inc.
Inventor: Milos Petrbok, Colin Christopher McCambridge
Abstract: A symmetric, cross-platform, bridge component is described herein. The bridge component creates an interface (through a set of application programming interfaces (APIs)) to enable the sending of data between a pair of components, called “endpoints,” a first endpoint component of the pair being executed in a kernel mode of a computing device, and a second endpoint component of the pair being executed in a user mode of the computing device. A process for sending data between a kernel-level endpoint component and a user-level endpoint component executing on a computing device involves opening a communications port, setting the communications port to a connected state, and sending a message containing the data via the communications port. Data may be transmitted in this manner between the user mode and the kernel mode of the computing device in either direction.
-
Publication No.: US20240211305A1
Publication Date: 2024-06-27
Application No.: US18069557
Application Date: 2022-12-21
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Milos Petrbok
IPC: G06F9/48
CPC classification number: G06F9/4881
Abstract: Trackable activity performed by a process executing in an operating system of a computing device is detected, the process associated with an initial sequence number and an initial message queue of a plurality of message queues, and each of the plurality of message queues comprising a first counter. Based on a comparison of the first counter to the initial sequence number, an assigned message queue of the process is set to the initial message queue or a second message queue of the plurality of message queues. A message is transmitted on the assigned message queue, the message comprising a process identifier of the process.
-
Publication No.: US20240202134A1
Publication Date: 2024-06-20
Application No.: US18081149
Application Date: 2022-12-14
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok, Christopher White
IPC: G06F12/1009, G06F1/14, G06F9/54
CPC classification number: G06F12/1009, G06F1/14, G06F9/544
Abstract: A method includes retrieving, in a kernel space of an operating system executing on a computing device, a first value from a first clock source, retrieving, in a user space of the operating system executing on the computing device, a second value from a second clock source, generating a unique process identifier (UPID) associated with a process identifier (PID) of a process executing in the operating system, wherein the UPID is based on the first value of the first clock source and the second value of the second clock source, and tracking process activity of the process executing in the operating system by utilizing the UPID.
-
Publication No.: US20230025760A1
Publication Date: 2023-01-26
Application No.: US17385902
Application Date: 2021-07-26
Applicant: CrowdStrike, Inc.
Inventor: Alexander Nip, Milos Petrbok
Abstract: Methods and systems for implementing division of process resources of running processes into individually locked partitions, and indirect mapping of keys to process resources to locks of each partition, are provided. In computing systems implementing concurrent processing, applications may generate and destroy concurrently running processes with high frequency. Real-time security monitoring may cause the computing system to run monitoring processes collecting large volumes of data regarding system events occurring in context of various other processes, causing threads of processes of the security monitoring application to make frequent write access and read access to resources of those processes in memory. Indirect mapping of lock acquisition across locks provides scalable alleviation of lock contention and thread blocking that result from computational concurrency, while handling read and write requests which arise at unpredictable times from kernel-space monitoring processes, and which request unpredictable resources of monitored user-space processes.