Processing Security-Relevant Events using Tagged Trees

US 20170163686A1
Filed: 02/15/2017
Published: 06/08/2017
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor; and

a memory coupled to the processor, the memory storing;

a tree object representing an execution chain of at least some system components of a plurality of system components;

respective data objects representing the at least some system components; and

executable instructions;

wherein the executable instructions, when operated by the processor, cause the processor to perform operations including;

assigning, to the data objects, a first tag representing the tree object;

assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag; and

performing an action based at least in part on the second tag.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of instances of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.

33 Citations

View as Search Results

20 Claims

1. A system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing;
  
  a tree object representing an execution chain of at least some system components of a plurality of system components;
  
  respective data objects representing the at least some system components; and
  
  executable instructions;
  
  wherein the executable instructions, when operated by the processor, cause the processor to perform operations including;
  
  assigning, to the data objects, a first tag representing the tree object;
  
  assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag; and
  
  performing an action based at least in part on the second tag.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein:
    - the operations further include performing the action based on at least one of the second tag or a third tag assigned to at least one of the data objects;
      
      the at least one of the second tag or the third tag indicates suspicious behavior or exploit activity; and
      
      the action includes at least one of;
      
      performing additional monitoring;
      
      issuing an alert;
      
      generating an event;
      
      generating a report;
      
      ortaking a remedial action.
  - 3. The system of claim 1, wherein the operations further include:
    - detecting execution, by a first system component of the at least some system components, of a second system component of the at least some system components; and
      
      in response;
      
      constructing the tree object in the memory; and
      
      assigning the first tag to the first system component and to the second system component.
  - 4. The system of claim 1, wherein the at least some system components include a process and a non-process system component.
  - 5. The system of claim 4, wherein the non-process system component includes a file written by the process.
  - 6. The system of claim 1, wherein:
    - the memory further stores a second tree object representing a second execution chain of a subset of the plurality of system components;
      
      the second tree object is associated with a fourth tag; and
      
      the operations further include;
      
      determining that a first system component of the at least some system components appears in the second execution chain; and
      
      assigning the fourth tag to the respective data object representing the first system component.

7. A computer-implemented method comprising:
- creating, in a computer-readable memory, data objects representing respective system components of a monitored computing device;
  
  creating, in the computer-readable memory, a tree object representing an execution chain, wherein the execution chain includes the system components;
  
  assigning, to the data objects, a first tag representing the tree object;
  
  assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag; and
  
  performing an action based at least in part on a stored configuration and the second tag.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, wherein:
    - the method further includes;
      
      filtering the second tag based on the stored configuration to provide a result; and
      
      performing the action based on the result; and
      
      the action includes at least one of;
      
      performing additional monitoring;
      
      issuing an alert;
      
      generating an event;
      
      generating a report;
      
      ortaking a remedial action.
  - 9. The method of claim 7, further including:
    - detecting an event associated with at least two of the system components; and
      
      in response, creating the tree object.
  - 10. The method of claim 9, further including, before creating the tree object, determining that the event corresponds with a configurable policy.
  - 11. The method of claim 7, further including:
    - detecting an event associated with at least one of the system components;
      
      filtering the event based on a configurable policy to provide a result; and
      
      based at least in part on the result and on the first tag, updating the tree object by at least one of;
      
      assigning a tag to the tree object;
      
      orremoving a tag from the tree object.
  - 12. The method of claim 7, further including:
    - detecting execution by a first system component of the system components of a second system component of the monitored computing device; and
      
      in response;
      
      creating a second data object representing the second system component;
      
      assigning, to the second data object, the first tag; and
      
      assigning, to the second tree object, a third tag associated with at least one of the data objects.
  - 13. The method of claim 7, further including:
    - detecting an event associated with at least a first system component and a second system component of the system components, wherein a first data object of the data objects represents the first system component and a second data object of the data objects represents the second system component; and
      
      in response, based at least in part on a configurable policy, propagating, from the first data object to the second data object, at least one tag assigned to the first data object.
  - 14. The method of claim 13, wherein the propagating includes propagating the at least one tag and fewer than all of a plurality of tags assigned to the first data object.
  - 15. The method of claim 13, further including:
    - determining that the at least one tag is mutually exclusive with a third tag associated with the second data object; and
      
      in response, generating an event indicative of a tag conflict.

16. A computer-implemented method, comprising:
- receiving, via a network, information of system components of a monitored computing device;
  
  creating, in a computer-readable memory, data objects representing respective ones of the system components;
  
  receiving, via the network, an indication of an event associated with the system components;
  
  creating, in the computer-readable memory, a tree object representing the event;
  
  assigning, to the data objects, a first tag representing the tree object;
  
  assigning, to the tree object, a second tag; and
  
  performing an action based at least in part on the second tag.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further including at least one of:
    - assigning, to the data objects, a third tag representing the monitored computing device;
      
      orassigning, to the tree object, the third tag.
  - 18. The method of claim 16, further including:
    - receiving, via the network, information of a second system component of a second monitored computing device;
      
      creating, in the computer-readable memory, a second data object representing the second system component; and
      
      in response to the indication of the event, updating at least one tag of the second data object.
  - 19. The method of claim 16, further including:
    - in response to the indication of the event, updating a configurable policy to provide an updated policy; and
      
      transmitting, via the network, the updated policy to a second monitored computing device.
  - 20. The method of claim 16, further including:
    - assigning, to at least one of the data objects, a third tag; and
      
      performing the action further based at least in part on the third tag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Lamothe-Brassard, Maxime, Diehl, David F.

Granted Patent

US 10,015,199 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Processing Security-Relevant Events using Tagged Trees

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Processing Security-Relevant Events using Tagged Trees

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others