SYSTEMS AND METHODS FOR TRACKING AND RECORDING EVENTS IN A NETWORK OF COMPUTING SYSTEMS

US 20130247185A1
Filed: 03/14/2012
Published: 09/19/2013
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for tracking activity on a computing system, the method comprising:

detecting an event, associated with a process, occurring in the computing system;

generating, by a processor, an event identifier for the event, wherein the event identifier uniquely identifies the event in the computing system; and

generating a record for the event, the record comprising the event identifier and details that describe the event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security client can be configured to operate on the one or more computing systems and record all events occurring on the one or more computing systems. The security client can operate as a “security camera” for the computing systems by identifying and retaining data and information that describes and details different events that occur on the computing systems. The security client can be configured to generate event records for the events that are uniquely associated with the process that requested or performed event. Likewise, the security client can be configured to uniquely associate the event records with the specific computing system associated with the event.

Citations

20 Claims

1. A method for tracking activity on a computing system, the method comprising:
- detecting an event, associated with a process, occurring in the computing system;
  
  generating, by a processor, an event identifier for the event, wherein the event identifier uniquely identifies the event in the computing system; and
  
  generating a record for the event, the record comprising the event identifier and details that describe the event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein generating the event identifier comprises:
    - performing a hash operation on information associated with the event to generate the event identifier.
  - 3. The method of claim 2, wherein the information comprises at least one of details of the event and the process and a time the event occurred.
  - 4. The method of claim 1, the method further comprising:
    - generating a global identifier for the event, wherein the global identifier uniquely identifies the event and the computing system; and
      
      associating the record of the event with the global identifier.
  - 5. The method of claim 4, the method further comprising:
    - providing the record and the global identifier to a central repository for storage with the global identifier.
  - 6. The method of claim 4, wherein generating the global identifier comprises:
    - performing a hash operation on attributes associated with the computing system and the event identifier to generate the global identifier.
  - 7. The method of claim 1, wherein the events comprises at least one of initiation of the process, a request to start a new process, a request to create a file, a request to modify a file, a request to delete a file, request to create a registry key, a request to delete a registry key, a request to modify a registry key, a request to establish a network connection, and a request to load a binary.
  - 8. The method of claim 1, wherein detecting the event comprises:
    - detecting a request, by the process, to an operating system executing on the computer system.

9. A computer readable storage medium comprising instructions that cause a processor to perform a comprising:
- detecting an event, associated with a process, occurring in the computing system;
  
  generating an event identifier for the event, wherein the event identifier uniquely identifies the event in the computing system; and
  
  generating a record for the event, the record comprising the event identifier and details that describe the event.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer readable storage medium of claim 9, wherein generating the event identifier comprises:
    - performing a hash operation on information associated with the event to generate the event identifier.
  - 11. The computer readable storage medium of claim 10, wherein the information comprises at least one of details of the event and the process and a time the event occurred.
  - 12. The computer readable storage medium of claim 9, the method further comprising:
    - generating a global identifier for the event, wherein the global identifier uniquely identifies the event and the computing system; and
      
      associating the record of the event with the global identifier.
  - 13. The computer readable storage medium of claim 12, the method further comprising:
    - providing the record and the global identifier to a central repository for storage with the global identifier.
  - 14. The computer readable storage medium of claim 12, wherein generating the global identifier comprises:
    - performing a hash operation on attributes associated with the computing system and the event identifier to generate the global identifier.
  - 15. The computer readable storage medium of claim 9, wherein the events comprises at least one of initiation of the process, a request to start a new process, a request to create a file, a request to modify a file, a request to delete a file, request to create a registry key, a request to delete a registry key, a request to modify a registry key, a request to establish a network connection, and a request to load a binary.
  - 16. The computer readable storage medium of claim 9, wherein detecting the event comprises:
    - detecting a request, by the process, to an operating system executing on the computer system.

17. A method for computer security, the method comprising:
- receiving at least one event record for an event associated with a process executing on a computing system, wherein the at least one event record comprises an event identifier that uniquely identifies the event in the computing system, details of the event, and a global identifier that uniquely identifies the event and the computing system; and
  
  storing the at least one event record in a computer readable storage medium.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the event identifier was generated by performing a hash operation on information associated with the event.
  - 19. The method of claim 17, wherein the global identifier was generated by performing a hash operation on attributes associated with the computing system and the event identifier.
  - 20. The method of claim 17, the method further comprising:
    - identifying a security breach in the computing system; and
      
      utilizing the at least one event record to identify the cause of the security breach.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Inventors
VISCUSO, Michael, Johnson, Benjamin, Saunders, Allen, Ruef, Andrew, McFarland, Jason

Granted Patent

US 10,185,822 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

SYSTEMS AND METHODS FOR TRACKING AND RECORDING EVENTS IN A NETWORK OF COMPUTING SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR TRACKING AND RECORDING EVENTS IN A NETWORK OF COMPUTING SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links