Kernel-level security agent

US 9,043,903 B2
Filed: 06/08/2012
Issued: 05/26/2015
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a kernel-level security agent configured to be executed by the one or more processors to observe events, filter the observed events using configurable filters, route the filtered events to one or more kernel-mode event consumers, and utilize the one or more kernel-mode event consumers to take action based at least on one of the filtered events,wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.

65 Citations

View as Search Results

32 Claims

1. A system comprising:
- one or more processors; and
  
  a kernel-level security agent configured to be executed by the one or more processors to observe events, filter the observed events using configurable filters, route the filtered events to one or more kernel-mode event consumers, and utilize the one or more kernel-mode event consumers to take action based at least on one of the filtered events,wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the kernel-level security agent include a collector component configured to observe kernel-level or user-level events and to provide at least a subset of the observed events to the configurable filters.
  - 3. The system of claim 1, wherein the kernel-level security agent comprises a model to track attributes or behaviors of one or more objects or processes of the system, and the kernel-level security agent is further configured to update the model based at least in part on the filtered events.
  - 4. The system of claim 3, wherein one or both of the configurable filters or kernel-mode event consumers is configured to query the model.
  - 5. The system of claim 1, wherein the action is informing a remote security system of the filtered events.
  - 6. The system of claim 5, wherein the kernel-level security agent receives, in response, at least one of instructions for performing a further action or a configuration update.
  - 7. The system of claim 1, wherein the kernel-level security agent receives one or more events, configuration updates, or instructions for performing actions from a remote security system independently of communications from the kernel-level security agent to the remote security system.
  - 8. The system of claim 1, wherein the one or more kernel-mode event consumers include at least one correlator that notes the fact of the occurrence of the filtered events and, based at least in part on an association between the occurrence of the filtered events and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, takes the action.
  - 9. The system of claim 1, wherein the one or more kernel-mode event consumers are to produce a new filterable event in response to receiving one or more of the filtered events.
  - 10. The system of claim 1, wherein the one or more kernel-mode event consumers include at least one actor configured to perform at least one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing a remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.
  - 11. The system of claim 1, wherein the kernel-level security agent updates, replaces or removes one or more components of the kernel-level security agent while the kernel-level security agent continues to operate.
  - 12. The system of claim 11, wherein an existing component of the kernel-level security agent designated to be replaced or removed continues to operate during an update of the kernel-level security agent.
  - 13. The system of claim 1, wherein the kernel-level security agent includes a configurable routing component to route the filtered events.
  - 14. The system of claim 1, wherein the kernel-level security agent comprises a scheduler to schedule asynchronous events for processing by the one or more kernel-mode event consumers.
  - 15. The system of claim 1, wherein the kernel-level security agent performs at least one of:
    - observing events associated with multiple processes or threads in parallel,filtering the multiple observed events in parallel,routing the multiple filtered events in parallel, orutilizing multiple kernel-mode event consumers in parallel.
  - 16. The system of claim 1, wherein the kernel-level security agent utilizes the one or more kernel-mode event consumers to take action in response to a second event associated with a malicious code of the system, the second event occurring after observation of a first event by the kernel-level security agent.
  - 17. The system of claim 1, wherein the kernel-level security agent includes at least one of:
    - a configuration manager to receive the configuration updates from a remote security system;
      
      a component manager to load or unload a new component based on the configuration update;
      
      a state manager to persist state information between old and new components;
      
      a storage manager to interface with storage of the system on behalf of the kernel-level security agent, oran integrity manager to observe, filter, and route events during an update of core components and managers of the kernel-level security agent.
  - 18. The system of claim 1, wherein the kernel-level security agent comprises a hypervisor, one or more pre-boot components that leverages hardware-provided security features, or one or more pre-boot components that does not leverage hardware-provided security features.
  - 19. The system of claim 1, wherein the kernel-level security agent comprises at least one collector to observe events in a user mode of the system and at least one configurable filter to filter events in the user mode of the system.
  - 20. The system of claim 1, wherein the kernel-level security agent is a secure operating system that launches prior to a system operating system.

21. A computer-implemented method comprising:
- observing, by a kernel-level security agent, events on a computing device;
  
  filtering, by the kernel-level security agent, the observed events using configurable filters;
  
  routing, by the kernel-level security agent, the filtered events to one or more kernel-mode event consumers of the kernel-level security agent; and
  
  taking action, by the kernel-level security agent, based at least on one of the filtered events, wherein taking the action includes communicating, by a communications module of the kernel-level security agent, with one or more remote systems, the communications module being implemented at the kernel-level.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer-implemented method of claim 21, further comprising tracking attributes or behaviors of one or more objects or processes of the system in a model of the kernel-level security agent and updating the model based at least in part on the filtered events.
  - 23. The computer-implemented method of claim 21, wherein the communicating comprises informing a remote security system of the filtered events.
  - 24. The computer-implemented method of claim 23, further comprising receiving, in response to the informing, at least one of instructions for performing a further action or a configuration update.
  - 25. The computer-implemented method of claim 21, wherein taking the action comprises taking the action by one or more kernel-mode event consumers of the kernel-level security agent, and the one or more kernel-mode event consumers include at least one correlator that notes the fact of the occurrence of the filtered events and, based at least in part on an association between the occurrence of the filtered events and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, takes the action.
  - 26. The computer-implemented method of claim 21, further comprising producing, by one or more kernel-mode event consumers of the kernel-level security agent, a new filterable event in response to receiving one or more of the filtered events.
  - 27. The computer-implemented method of claim 21, wherein taking the action comprises taking the action by one or more kernel-mode event consumers of the kernel-level security agent, and the one or more kernel-mode event consumers include at least one actor configured to perform at least one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing a remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.
  - 28. The computer-implemented method of claim 21, further comprising updating, replacing or removing one or more components of the kernel-level security agent while the kernel-level security agent continues to operate.
  - 29. The computer-implemented method of claim 21, further comprising:
    - observing events associated with multiple processes or threads in parallel,filtering the multiple observed events in parallel,routing the multiple filtered events in parallel, orutilizing multiple kernel-mode event consumers in parallel.

30. One or more non-transitory computer-readable media having computer-executable instructions for a kernel-level security agent stored thereon and configured to program a computing device to perform, at the kernel level, operations comprising:
- observing events on a computing device;
  
  filtering the observed events using configurable filters; and
  
  taking a security response action based at least on one of the filtered events,wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems.
- View Dependent Claims (31, 32)
- - 31. The one or more non-transitory computer-readable media of claim 30, wherein taking the security response action comprises informing a remote security system of the filtered events.
  - 32. The one or more non-transitory computer-readable media of claim 30, wherein the security response action is one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing a remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Alperovitch, Dmitri, Ionescu, Ion-Alexandru, Kurtz, George Robert
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/492,672
Publication Number

US 20130333040A1
Time in Patent Office

1,082 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

G06F 9/46   Multiprogramming arrangements

G06N 5/04   Inference or reasoning models

H04L 41/0803   Configuration setting

H04L 63/0245   Filtering by information in...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Kernel-level security agent

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel-level security agent

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links