Security agent
First Claim
1. A computer-implemented method comprising:
- detecting a first action associated with malicious code;
responsive to detecting the first action, while refraining from taking a preventative action, gathering data associated with the first action;
subsequently, detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action; and
in response to detecting the first action and the one or more subsequent actions, performing the preventative action.
4 Assignments
0 Petitions
Accused Products
Abstract
A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Citations
23 Claims
-
1. A computer-implemented method comprising:
-
detecting a first action associated with malicious code; responsive to detecting the first action, while refraining from taking a preventative action, gathering data associated with the first action; subsequently, detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action; and in response to detecting the first action and the one or more subsequent actions, performing the preventative action. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. One or more tangible computer-readable storage devices storing computer-executable instructions configured to implement a security agent on a computer device, the security agent performing operations comprising:
-
observing an event associated with a process executing on the computing device; determining, based at least in part on the observed event and on a model that tracks processes of the computing device, that the process is associated with malicious code wherein the determining comprises; observing execution activities of one or more processes of the computing device, the one or more processes including the process and the execution activities including the event; and storing data associated with the one or more execution activities in the model, the model representing one or more chains of execution activities; and responsive to the determining, deceiving an adversary associated with the malicious code based at least in part on the one or more chains of execution activities. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. A method implemented by a security agent of a computing device, the method comprising:
-
observing execution activities of at least two processes of the computing device; storing first data associated with a first execution activity of the execution activities in a model of the security agent; storing second data associated with a second execution activity of the execution activities in the model of the security agent, wherein; the model represents one or more chains of execution activities; the one or more chains of execution activities comprise a first chain of execution activities; and the first chain of execution activities comprises the first data and the second data; and taking action based at least in part on the first chain of execution activities. - View Dependent Claims (18, 19, 20, 21, 22, 23)
-
Specification