Kernel- and User-Level Cooperative Security Processing
First Claim
1. A method of detecting malicious activity on a computing device, the method comprising:
detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;
determining, in the kernel mode, that validation of the event is required;
in response, providing a validation request on a kernel-level bus;
transmitting, via a bridge component, the validation request to a user-level bus;
determining, in a user mode of the computing device, in response to the validation request on the user-level bus, that the event is associated with malicious activity;
providing a validation response on the user-level bus in response to the determination that the event is associated with malicious activity; and
transmitting, via the bridge component, the validation response to the kernel-level bus.
3 Assignments
0 Petitions
Abstract
Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query indicating a data stream, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
20 Claims
1. A method of detecting malicious activity on a computing device, the method comprising:
detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;
determining, in the kernel mode, that validation of the event is required;
in response, providing a validation request on a kernel-level bus;
transmitting, via a bridge component, the validation request to a user-level bus;
determining, in a user mode of the computing device, in response to the validation request on the user-level bus, that the event is associated with malicious activity;
providing a validation response on the user-level bus in response to the determination that the event is associated with malicious activity; and
transmitting, via the bridge component, the validation response to the kernel-level bus.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. One or more non-transitory computer-readable media having thereon computer-executable instructions that, upon execution by one or more processors, cause the one or more processors to perform a method of detecting malicious activity on a computing device, the method comprising:
detecting, in a kernel mode of the computing device, an event associated with a process executing on the computing device;
providing a validation request associated with the event on a kernel-level bus;
transmitting, via a bridge component, the validation request to a user-level bus;
receiving security-relevant information from a system service of the computing device in a user level of the computing device; and
determining that the event is associated with malicious activity:
    in response to the validation request on the user-level bus; and
    based at least in part on the security-relevant information.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A method comprising:
registering, in a user mode of a computing device, with an operating system (OS) of the computing device to receive security queries;
subsequently, receiving a security query indicating a data stream;
in response, providing a request on a user-level bus, the request indicating the data stream;
transmitting, via a bridge component, the request to a kernel-level bus;
determining, in a kernel mode of the computing device, in response to the request on the kernel-level bus, that the data stream is associated with malware;
providing a response on the kernel-level bus in response to the determination that the data stream is associated with malware;
transmitting, via the bridge component, the response to the user-level bus; and
in response to the response on the user-level bus, at the user level, responding to the security query with an indication that the data stream is associated with malware.
Dependent claims: 18, 19, 20
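The bus-and-bridge exchange described in the abstract and in claims 1, 9 and 17, as an added Python simulation. This is not code from the patent or from any product it covers: the message types, the process-table data standing in for the "system service", the parent/child heuristic used in user mode, the byte-signature check used in kernel mode, the whitelist of message types the bridge forwards, and the deny-on-timeout policy are all constructed for illustration and are not specified by the claims.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class ValidationRequest:      # kernel -> user (claims 1 and 9)
    event_id: int; pid: int; event_type: str; detail: str
@dataclass
class ValidationResponse:     # user -> kernel
    event_id: int; malicious: bool; reason: str
@dataclass
class StreamQuery:            # user -> kernel (claim 17)
    query_id: int; data: bytes
@dataclass
class StreamResponse:         # kernel -> user
    query_id: int; malware: bool

class Bus:  # FIFO bus, one handler per message type; models either the kernel- or the user-level bus
    def __init__(self):
        self.queue, self.handlers = deque(), {}
    def subscribe(self, msg_type, handler):
        self.handlers[msg_type] = handler
    def publish(self, msg):
        self.queue.append(msg)
    def dispatch(self):
        while self.queue:                       # a message with no subscriber is dropped
            msg = self.queue.popleft()
            if type(msg) in self.handlers:
                self.handlers[type(msg)](msg)

class Bridge:
    """Bidirectional bridge; only listed types cross, so user mode cannot push arbitrary objects kernel-ward."""
    UP = (ValidationRequest, StreamResponse)    # kernel-level bus -> user-level bus
    DOWN = (ValidationResponse, StreamQuery)    # user-level bus -> kernel-level bus
    def __init__(self, kbus, ubus):
        for t in self.UP:
            kbus.subscribe(t, ubus.publish)
        for t in self.DOWN:
            ubus.subscribe(t, kbus.publish)

class KernelMode:
    """Kernel side: detects events, decides whether validation is required, collects verdicts."""
    NEEDS_VALIDATION = {"process_create", "image_load"}   # kernel-side policy, constructed
    KNOWN_BAD = b"MZ\x90\x00EVIL"                          # constructed signature for the claim 17 check
    def __init__(self, kbus, deny_on_timeout=True):
        self.kbus, self.deny_on_timeout = kbus, deny_on_timeout
        self.verdicts, self.pending, self.next_id = {}, set(), 0
        kbus.subscribe(ValidationResponse, self.on_validation_response)
        kbus.subscribe(StreamQuery, self.on_stream_query)
    def detect_event(self, pid, event_type, detail):
        eid, self.next_id = self.next_id, self.next_id + 1
        if event_type not in self.NEEDS_VALIDATION:
            self.verdicts[eid] = False          # kernel decides alone; nothing crosses the bridge
        else:
            self.pending.add(eid)
            self.kbus.publish(ValidationRequest(eid, pid, event_type, detail))
        return eid
    def on_validation_response(self, resp):
        self.pending.discard(resp.event_id)
        self.verdicts[resp.event_id] = resp.malicious
    def resolve_timeouts(self):  # user mode may crash or be killed; the kernel must not wait forever
        for eid in list(self.pending):
            self.verdicts[eid] = self.deny_on_timeout   # True = fail closed
            self.pending.discard(eid)
    def on_stream_query(self, q):
        self.kbus.publish(StreamResponse(q.query_id, q.data.startswith(self.KNOWN_BAD)))

class UserMode:
    """User side: judges events with data from a 'system service' (here a constructed process table)."""
    def __init__(self, ubus, process_table):
        self.ubus, self.process_table, self.query_results = ubus, process_table, {}
        ubus.subscribe(ValidationRequest, self.on_validation_request)
        ubus.subscribe(StreamResponse, self.on_stream_response)
    def on_validation_request(self, req):
        parent = self.process_table.get(req.pid, {}).get("parent", "").lower()
        bad = parent.endswith("winword.exe") and req.detail.lower().endswith(("powershell.exe", "wscript.exe"))
        self.ubus.publish(ValidationResponse(req.event_id, bad, "office-app-spawned-script-host" if bad else "ok"))
    def security_query(self, query_id, data):  # invoked by the OS once registered (claim 17)
        self.ubus.publish(StreamQuery(query_id, data))
    def on_stream_response(self, resp):
        self.query_results[resp.query_id] = resp.malware

def pump(kbus, ubus):
    while kbus.queue or ubus.queue:
        kbus.dispatch(); ubus.dispatch()

def run_demo():
    kbus, ubus = Bus(), Bus()
    Bridge(kbus, ubus)
    kernel, user = KernelMode(kbus), UserMode(ubus, {1001: {"parent": "WINWORD.EXE"}, 1002: {"parent": "explorer.exe"}})
    kernel.detect_event(1001, "process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")  # id 0
    kernel.detect_event(1002, "process_create", r"C:\Windows\System32\cmd.exe")   # id 1
    kernel.detect_event(1002, "file_read", r"C:\Users\a\notes.txt")               # id 2, kernel-only
    pump(kbus, ubus)
    del ubus.handlers[ValidationRequest]           # user-mode component gone: request 3 is never answered
    kernel.detect_event(1003, "image_load", r"C:\Temp\loader.dll")
    pump(kbus, ubus)
    kernel.resolve_timeouts()
    user.security_query(7, b"MZ\x90\x00EVIL payload")
    user.security_query(8, b"plain text")
    pump(kbus, ubus)
    return {"verdicts": dict(kernel.verdicts), "stream": dict(user.query_results)}
```

Two points the claims leave to the implementer are worth settling before building anything like this. First, the kernel is blocking a process decision on a user-mode component that can be killed, crash, or simply be slow, so the wait needs a bound and an explicit fail-open or fail-closed choice; the demo fails closed (`deny_on_timeout=True`), which is safer but can wedge the machine if the user-mode service dies under load. Second, the bridge is a privilege boundary: anything user mode can place on the kernel-level bus is parsed in kernel mode, so restricting it to a fixed set of message types, as the `Bridge` whitelist does, is the minimum; a real implementation would also authenticate the user-mode peer rather than trust whichever process attaches to the bus.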