Kernel- and User-Level Cooperative Security Processing

US 20190205533A1
Filed: 12/28/2017
Published: 07/04/2019
Est. Priority Date: 12/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malicious activity on a computing device, the method comprising:

detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;

determining, in the kernel mode, that validation of the event is required;

in response, providing a validation request on a kernel-level bus;

transmitting, via a bridge component, the validation request to a user-level bus;

determining, in a user mode of the computing device, in response to the validation request on the user-level bus, that the event is associated with malicious activity;

providing a validation response on the user-level bus in response to the determination that the event is associated with malicious activity; and

transmitting, via the bridge component, the validation response to the kernel-level bus.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.

Citations

20 Claims

1. A method of detecting malicious activity on a computing device, the method comprising:
- detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;
  
  determining, in the kernel mode, that validation of the event is required;
  
  in response, providing a validation request on a kernel-level bus;
  
  transmitting, via a bridge component, the validation request to a user-level bus;
  
  determining, in a user mode of the computing device, in response to the validation request on the user-level bus, that the event is associated with malicious activity;
  
  providing a validation response on the user-level bus in response to the determination that the event is associated with malicious activity; and
  
  transmitting, via the bridge component, the validation response to the kernel-level bus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, the operation of determining that the event is associated with malicious activity comprising processing, in the user mode, at least some data associated with the event in a restricted-privilege execution environment.
  - 3. The method according to claim 1, further comprising, in the kernel mode, terminating or quarantining the process in response to the validation response on the kernel-level bus.
  - 4. The method according to claim 3, wherein:
    - the event is associated with a request for service; and
      
      the method further comprises, in the kernel mode, permitting the request to succeed before receiving the validation response on the kernel-level bus.
  - 5. The method according to claim 1, wherein:
    - the event is associated with a request for service; and
      
      the method further comprises, in the kernel mode;
      
      blocking the request to await validation; and
      
      causing the request to fail in response to the validation response on the kernel-level bus.
  - 6. The method according to claim 1, wherein:
    - the event is associated with a request to create a second process; and
      
      the method further comprises, in the kernel mode;
      
      permitting the request to succeed before receiving the validation response on the kernel-level bus; and
      
      terminating or quarantining the second process in response to the validation response on the kernel-level bus.
  - 7. The method according to claim 1, further comprising:
    - providing, in the kernel mode, the validation request identifying a file to which access is requested;
      
      determining, in the user mode, that the file is associated with malicious activity; and
      
      in response, determining that the event is associated with malicious activity.
  - 8. The method according to claim 7, further comprising at least:
    - determining that the file corresponds with a catalog of malicious files;
      
      orapplying at least some data of the file to a machine-learning model and receiving from the machine-learning model an indication that the at least some data is associated with malicious activity.

9. One or more non-transitory computer-readable media having thereon computer-executable instructions that, upon execution by one or more processors, cause the one or more processors to perform a method of detecting malicious activity on a computing device, the method comprising:
- detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;
  
  providing a validation request associated with the event on a kernel-level bus;
  
  transmitting, via a bridge component, the validation request to a user-level bus;
  
  receiving security-relevant information from a system service of the computing device in a user level of the computing device; and
  
  determining that the event is associated with malicious activity;
  
  in response to the validation request on the user-level bus; and
  
  based at least in part on the security-relevant information.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more non-transitory computer-readable media according to claim 9, the method further comprising:
    - determining, in the user mode of the computing device, that the event is associated with malicious activity;
      
      providing a validation response on the user-level bus in response to the determination that the event is associated with malicious activity; and
      
      transmitting, via the bridge component, the validation response to the kernel-level bus.
  - 11. The one or more non-transitory computer-readable media according to claim 9, the method further comprising:
    - providing, in the user mode, an information response on the user-level bus in response to the validation request, the information response determined based at least in part on the security-relevant information;
      
      transmitting, via the bridge component, the information response to the kernel-level bus; and
      
      determining that the event is associated with malicious activity;
      
      in the kernel mode; and
      
      based at least in part on the security-relevant information in the information response on the kernel-level bus.
  - 12. The one or more non-transitory computer-readable media according to claim 9, the method further comprising, in the kernel mode, terminating or quarantining the process in response to the determination that the event is associated with malicious activity.
  - 13. The one or more non-transitory computer-readable media according to claim 9, the method further comprising, in the user mode:
    - determining a query based at least in part on the validation request on the user-level bus;
      
      providing the query to the system service; and
      
      receiving the security-relevant information in response to the query.
  - 14. The one or more non-transitory computer-readable media according to claim 13, the method further comprising, in the user mode:
    - extracting a digital certificate from the validation request;
      
      determining the query comprising the digital certificate; and
      
      receiving the security-relevant information indicating whether the digital certificate is valid.
  - 15. The one or more non-transitory computer-readable media according to claim 9, the method further comprising, in the user mode, before receiving the security-relevant information, registering with the system service to receive the security-relevant information.
  - 16. The one or more non-transitory computer-readable media according to claim 15, the method further comprising, in the user mode, registering with the system service to receive at least login notifications or new-session notifications.

17. A method comprising:
- registering, in a user mode of a computing device, with an operating system (OS) of the computing device to receive security queries;
  
  subsequently, receiving a security query indicating a data stream;
  
  in response, providing a request on a user-level bus, the request indicating the data stream;
  
  transmitting, via a bridge component, the request to a kernel-level bus;
  
  determining, in a kernel mode of the computing device, in response to the request on the kernel-level bus, that the data stream is associated with malware;
  
  providing a response on the kernel-level bus in response to the determination that the data stream is associated with malware;
  
  transmitting, via the bridge component, the response to the user-level bus; and
  
  in response to the response on the user-level bus, at the user level, responding to the security query with an indication that the data stream is associated with malware.
- View Dependent Claims (18, 19, 20)
- - 18. The method according to claim 17, wherein the data stream comprises a script that is ready for execution.
  - 19. The method according to claim 17, further comprising:
    - determining a summary representation of the data stream; and
      
      determining, in the kernel mode, that the summary representation is associated with malware.
  - 20. The method according to claim 17, further comprising registering with the WINDOWS Antimalware Scan Interface (AMSI) to receive the security queries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Petrbok, Milos, McCambridge, Colin Christopher, Putnam, Aaron

Granted Patent

US 10,740,459 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/606   by securing the transmissio...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2149   Restricted operating enviro...

H04L 9/3268   using certificate validatio...

Kernel- and User-Level Cooperative Security Processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel- and User-Level Cooperative Security Processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links