Kernel-level security agent
First Claim
1. A system comprising:
- one or more processors; and
a kernel-level security agent configured to be executed by the one or more processors to observe events, filter the observed events using configurable filters, route the filtered events to one or more kernel-mode event consumers, and utilize the one or more kernel-mode event consumers to take action based at least on one of the filtered events,wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems.
5 Assignments
0 Petitions
Accused Products
Abstract
A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Citations
32 Claims
-
1. A system comprising:
-
one or more processors; and a kernel-level security agent configured to be executed by the one or more processors to observe events, filter the observed events using configurable filters, route the filtered events to one or more kernel-mode event consumers, and utilize the one or more kernel-mode event consumers to take action based at least on one of the filtered events, wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A computer-implemented method comprising:
-
observing, by a kernel-level security agent, events on a computing device; filtering, by the kernel-level security agent, the observed events using configurable filters; routing, by the kernel-level security agent, the filtered events to one or more kernel-mode event consumers of the kernel-level security agent; and taking action, by the kernel-level security agent, based at least on one of the filtered events, wherein taking the action includes communicating, by a communications module of the kernel-level security agent, with one or more remote systems, the communications module being implemented at the kernel-level. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
-
-
30. One or more non-transitory computer-readable media having computer-executable instructions for a kernel-level security agent stored thereon and configured to program a computing device to perform, at the kernel level, operations comprising:
-
observing events on a computing device; filtering the observed events using configurable filters; and taking a security response action based at least on one of the filtered events, wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems. - View Dependent Claims (31, 32)
-
Specification