Kernel-level security agent
First Claim
1. A computer-implemented method comprising:
- detecting a first action associated with malicious code;
responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action;
upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action, wherein the preventative action comprises at least one of;
falsifying data acquired by the malicious code;
orfalsifying data transmitted to an adversary associated with the malicious code.
4 Assignments
0 Petitions
Accused Products
Abstract
A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
82 Citations
20 Claims
-
1. A computer-implemented method comprising:
-
detecting a first action associated with malicious code; responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action; upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action, wherein the preventative action comprises at least one of; falsifying data acquired by the malicious code;
orfalsifying data transmitted to an adversary associated with the malicious code. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. One or more tangible computer-readable storage devices storing computer-executable instructions configured to implement a kernel-level security agent on a computing device, the kernel-level security agent performing operations comprising:
-
observing an event associated with a process executing on the computing device; determining, based at least in part on the observed event, that the process is associated with malicious code; and responsive to the determining, deceiving an adversary associated with the malicious code, wherein the deceiving comprises at least one of; falsifying data acquired by the malicious code;
orfalsifying data transmitted to the adversary. - View Dependent Claims (9, 10, 11, 12, 13, 20)
-
-
14. A method implemented by a kernel-level security agent of a computing device, the method comprising:
-
observing execution activities of one or more processes of the computing device; storing data associated with the one or more execution activities in a model of the kernel-level security agent, the model representing one or more chains of execution activities involving at least a first process of the one or more processes; and taking action based at least in part on the one or more chains of execution activities, wherein the taking action comprises at least one of; falsifying data acquired by the first process;
orfalsifying data transmitted to an adversary associated with the first process. - View Dependent Claims (15, 16, 17, 18, 19)
-
Specification