Tagging Security-Relevant System Objects

US 20150222646A1
Filed: 01/31/2014
Published: 08/06/2015
Est. Priority Date: 01/31/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method comprising:

detecting an event associated with a system component;

filtering the event based on a configurable policy; and

based at least in part on the detecting and the filtering, assigning a tag to a data object representing the system component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of instances of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.

35 Citations

View as Search Results

26 Claims

1. A computer-implemented method comprising:
- detecting an event associated with a system component;
  
  filtering the event based on a configurable policy; and
  
  based at least in part on the detecting and the filtering, assigning a tag to a data object representing the system component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the detecting, the filtering, and the assigning are performed by a kernel-level security agent.
  - 3. The method of claim 1, wherein the tag is one of a string, an integer, a hash, or a binary flag.
  - 4. The method of claim 1, further comprising assigning, based at least in part on the configurable policy, another tag to a data object representing the detection of the event.
  - 5. The method of claim 1, wherein the tag can imply another tag or be mutually exclusive with another tag.
  - 6. The method of claim 1, wherein the assigning is based at least in part on observed behavior or characteristics of the system component represented by the data object.
  - 7. The method of claim 1, wherein the tag is associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag that is associated with the classification of the system component.
  - 8. The method of claim 1, further comprising, based at least in part on the tag associated with the data object representing the system component, performing at least one of making a decision or generating a report.
  - 9. The method of claim 1, further comprising:
    - enabling a user to associate the tag with the system component represented by the data object, andperforming the assigning of the tag to the data object based at least in part on the user associating the tag with the system component.
  - 10. The method of claim 9, wherein the tag is shareable with one or more other users of one entity that subscribes to tags associated by the user or another user of another entity with the system component.

11. A computer-implemented method comprising:
- detecting an event associated with a plurality of system components; and
  
  based at least in part on a configurable policy and on detecting the event, propagating a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the tag is one of a string, an integer, a hash, or a binary flag.
  - 13. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object.
  - 14. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components.
  - 15. The method of claim 11, wherein the tag is mutually exclusive with another tag associated with the other data object, and the method further comprises generating an event indicative of a tag conflict.
  - 16. The method of claim 11, wherein the system components include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs).
  - 17. The method of claim 11, wherein the tag is associated with a tree object that represents instances of at least a subset of the plurality of system components.
  - 18. The method of claim 11, wherein the system components are system components of a computing device and the propagating is performed by one or more other computing devices, the data object and other data object being stored on the one or more other computing devices.
  - 19. The method of claim 11, wherein the system component represented by the data object is a system component of a first computing device, the other system component represented by the other data object is a system component of a second computing device, and the propagating is performed by any of the first computing device, the second computing device, or a third one or more computing devices.

20. A system comprising:
- a processor;
  
  a memory coupled to the processor, the memory storing;
  
  data objects representing a plurality of system components,a tree object representing an execution chain of instances of at least a subset of the system components, andexecutable instructions, which, when operated by the processor, perform operations including;
  
  assigning a tag for the tree object to the data objects representing the subset of the system components,assigning one or more tags to the tree object, those tags applying to the data objects having the tag for the tree object, andmaking a decision based at least in part on tags assigned to the data objects representing the subset of the system components and the tags assigned to tree object.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, wherein the operations further include constructing the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components.
  - 22. The system of claim 20, wherein the subset of system component includes both processes and non-process system components.
  - 23. The system of claim 20, wherein the memory stores multiple tree objects, and tags for the multiple tree objects are assigned to a data object representing a system component which appears in execution chains represented by the multiple tree objects.

24. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
- subscribing, by an entity, to user-specified tags of another entity, the user-specified tags being associated with data objects representing system components of computing devices of the other entity,assigning the other entity'"'"'s user-specified tags to data objects representing system components of computing devices of the entity; and
  
  making a decision based at least in part on the other entity'"'"'s user-specified tags.
- View Dependent Claims (25, 26)
- - 25. The one or more non-transitory computer-readable media of claim 24, wherein one of the user-specified tags is a taxonomic tag applied to an unclassified system component.
  - 26. The one or more non-transitory computer-readable media of claim 24, wherein user-specified tags are shared with a service cloud and utilized by the service cloud in determining global changes in tag assignments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Lamothe-Brassard, Maxime

Application Number

US14/169,401
Publication Number

US 20150222646A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Tagging Security-Relevant System Objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Tagging Security-Relevant System Objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others