Real-Time Model of States of Monitored Devices

US 20150356301A1
Filed: 06/06/2014
Published: 12/10/2015
Est. Priority Date: 06/06/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors;

a model which represents system components and events of a plurality of monitored devices as data objects, wherein each data object has a scope; and

one or more modules configured to be operated by the one or more processors to perform one of a plurality of different actions, wherein the one of the plurality of different actions is selected based the scope of the one of the data objects.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A model representing system components and events of a plurality of monitored devices as data objects is described herein. The model resides on a security service cloud and is updated in substantially real-time, as security-relevant information about the system components and events is received by the security service cloud. Each data object in the model has a scope and different actions are taken by security service cloud modules depending on different data object scopes. Further, the security service cloud maintains a model specific to each monitored device built in substantially real-time as the security-relevant information from that device is received. The security service cloud utilizes these device-specific models to detect security concerns and respond to those concerns in substantially real-time.

61 Citations

View as Search Results

25 Claims

1. A system comprising:
- one or more processors;
  
  a model which represents system components and events of a plurality of monitored devices as data objects, wherein each data object has a scope; and
  
  one or more modules configured to be operated by the one or more processors to perform one of a plurality of different actions, wherein the one of the plurality of different actions is selected based the scope of the one of the data objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the scope is one of a device-specific scope, a device-group scope, or a global scope.
  - 3. The system of claim 1, wherein each data object is represented as a vertex in a graph, and edges connecting the vertices represent relations between the system components or events represented by the data objects.
  - 4. The system of claim 1, wherein a system component present on multiple ones of the monitored devices is represented in the model by three data objects including a first data object with a device-specific scope, a second data object with a group-specific scope, and a third data object with a global scope.
  - 5. The system of claim 4, further comprising a module to propagate a new property of the first data object to the second data object and the third data object based on their shared association with the system component.
  - 6. The system of claim 5, wherein the one or more modules are further configured to select the one of the plurality of different actions based at least in part on the propagation of the new property from the first data object to the second data object and the third data object.
  - 7. The system of claim 1, wherein the one or more modules take a different actions based on whether a system component or behavior is observed for a first time globally, on any monitored device, or whether the system component or behavior is observed for the first time on a specific monitored device but has previously been observed on another monitored device.
  - 8. The system of claim 1, further comprising a routing module to:
    - determine, based on a configuration, that a set of events is mapped to a creation, updating, or linking of a data object in the model; and
      
      outputting an event to cause the creation, updating, or linking of the data object.
  - 9. The system of claim 8, further comprising a module to update the model responsive to receiving the output event from the routing module.
  - 10. The system of claim 9, wherein the module updates the model in substantially real-time as output event is received.
  - 11. The system of claim 1, further comprising a query interface to query the model on behalf of a requestor, add metadata to a result from the query, and provide the result with the added metadata to the requestor.
  - 12. The system of claim 11, wherein the query interface is further to determine prevalence of a security concern within a group or across groups based on scopes of the data objects referenced in the result from the query.
  - 13. The system of claim 1, wherein the scopes are explicit properties of some data objects of the model and are implicit properties of other data objects of the model.

14. A method implemented by one or more devices of a security service cloud, comprising:
- receiving security-relevant information from a monitored device;
  
  representing the security-relevant information in a model specific to the monitored device in substantially real-time as the security information is received;
  
  detecting, in substantially real-time as the security relevant information is represented, a security concern associated with the security-relevant information represented in the model; and
  
  in response to detecting the security concern, taking an action, in substantially real-time as the security concern is detected, based at least in part on the security-relevant information represented in the model and on security-relevant information received from a plurality of monitored devices.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, further comprising gathering further information from another model representing the security-relevant information received from a plurality of monitored devices or from one or more other sources responsive to detecting the security concern.
  - 16. The method of claim 15, wherein the one or more other sources include other device-specific models.
  - 17. The method of claim 14, wherein the model specific to the monitored device is associated with an actor module that is responsible for maintaining the model specific to the monitored device.
  - 18. The method of claim 14, wherein taking the action comprises at least one of updating a configuration of an agent of the monitored device, triggering an action on the monitored device, or updating runtime data in the monitored device.
  - 19. The method of claim 14, wherein the detecting comprises detecting different security concerns by different modules of the security service cloud, the different modules each configured to detect one or more different security concerns.

20. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions which, when executed by one or more computing devices, cause the one or more computing devices to perform actions comprising:
- receiving security-relevant information associated with system components or events of a plurality of monitored devices;
  
  in substantially real-time as the security-relevant information is received, updating a graph model representing the system components or events of the plurality of monitored devices as data objects; and
  
  in substantially real-time as the system component or events are represented,detecting a security concern associated with the represented system components or events, andrepresenting the security concern as a detection data object in the graph model.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The one or more non-transitory computer-readable media of claim 20, wherein the actions further comprise creating a search index for finding security relevant information without having to traverse the graph model.
  - 22. The one or more non-transitory computer-readable media of claim 20, wherein the actions further comprise receiving, by one or more worker modules configured to perform the detecting and the representing, notification of the update to the graph model through a message queue.
  - 23. The one or more non-transitory computer-readable media of claim 20, wherein the actions further comprise performing additional analysis in response to detecting the security concern.
  - 24. The one or more non-transitory computer-readable media of claim 20, wherein the actions further comprise storing additional data relevant to the data objects but which is not represented in the graph model.
  - 25. The one or more non-transitory computer-readable media of claim 20, wherein the data objects represent processes, modules of processes, execution chains of processes, event detections, or pattern hits.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David Frederick, Jackson, Leif Air Fire Grosch, Plush, James Robert

Granted Patent

US 9,798,882 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 41/34   Signalling channels for net...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Real-Time Model of States of Monitored Devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Real-Time Model of States of Monitored Devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links