Kernel-level security agent

US 9,621,515 B2
Filed: 05/12/2015
Issued: 04/11/2017
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a kernel-level security agent including a kernel-mode collector component, configurable filter(s), a routing component, and one or more kernel-mode event consumers, each of the kernel-mode collector component, configurable filter(s), routing component, and one or more kernel-mode event consumers being implemented at the kernel-level wherein;

the kernel-mode collector component is configured to be executed by the one or more processors to observe kernel-level events,the configurable filter(s) are configured to be executed by the one or more processors to filter the observed events, including at least the kernel-level events,the routing component is configured to be executed by the one or more processors to route one(s) of the filtered events to one(s) of the one or more kernel-mode event consumers, andthe one or more kernel-mode event consumers are configured to be executed by the one or more processors to take action based at least on one of the filtered events.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.

85 Citations

View as Search Results

30 Claims

1. A system comprising:
- one or more processors; and
  
  a kernel-level security agent including a kernel-mode collector component, configurable filter(s), a routing component, and one or more kernel-mode event consumers, each of the kernel-mode collector component, configurable filter(s), routing component, and one or more kernel-mode event consumers being implemented at the kernel-level wherein;
  
  the kernel-mode collector component is configured to be executed by the one or more processors to observe kernel-level events,the configurable filter(s) are configured to be executed by the one or more processors to filter the observed events, including at least the kernel-level events,the routing component is configured to be executed by the one or more processors to route one(s) of the filtered events to one(s) of the one or more kernel-mode event consumers, andthe one or more kernel-mode event consumers are configured to be executed by the one or more processors to take action based at least on one of the filtered events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein the kernel-level security agent comprises a model to track attributes or behaviors of one or more objects or processes of the system, and the kernel-level security agent is further configured to update the model based at least in part on the filtered events.
  - 3. The system of claim 2, wherein one or both of the configurable filter(s) or kernel-mode event consumers is configured to query the model.
  - 4. The system of claim 1, wherein the kernel-level security agent comprises a communications module implemented at the kernel-level and configured to communicate with one or more remote systems.
  - 5. The system of claim 1, wherein the action is informing a remote security system of the filtered events.
  - 6. The system of claim 5, wherein the kernel-level security agent receives, in response, at least one of instructions for performing a further action or a configuration update.
  - 7. The system of claim 1, wherein the kernel-level security agent receives one or more events, configuration updates, or instructions for performing actions from a remote security system independently of communications from the kernel-level security agent to the remote security system.
  - 8. The system of claim 1, wherein the one or more kernel-mode event consumers include at least one correlator that notes the fact of the occurrence of the filtered events and, based at least in part on an association between the occurrence of the filtered events and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, takes the action.
  - 9. The system of claim 1, wherein the one or more kernel-mode event consumers are to produce a new filterable event in response to receiving one or more of the filtered events.
  - 10. The system of claim 1, wherein the one or more kernel-mode event consumers include at least one actor configured to perform at least one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing a remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.
  - 11. The system of claim 1, wherein the kernel-level security agent updates, replaces or removes one or more components of the kernel-level security agent while the kernel-level security agent continues to operate.
  - 12. The system of claim 11, wherein an existing component of the kernel-level security agent designated to be replaced or removed continues to operate during an update of the kernel-level security agent.
  - 13. The system of claim 1, wherein the kernel-level security agent comprises a scheduler to schedule asynchronous events for processing by the one or more kernel-mode event consumers.
  - 14. The system of claim 1, wherein the kernel-level security agent performs at least one of:
    - observing events associated with multiple processes or threads in parallel,filtering the multiple observed events in parallel,routing the multiple filtered events in parallel, orutilizing multiple kernel-mode event consumers in parallel.
  - 15. The system of claim 1, wherein the kernel-level security agent utilizes the one or more kernel-mode event consumers to take action in response to a second event associated with a malicious code of the system, the second event occurring after observation of a first event by the kernel-level security agent.
  - 16. The system of claim 1, wherein the kernel-level security agent includes at least one of:
    - a configuration manager to receive the configuration updates from a remote security system;
      
      a component manager to load or unload a new component based on the configuration update;
      
      a state manager to persist state information between old and new components;
      
      a storage manager to interface with storage of the system on behalf of the kernel-level security agent, oran integrity manager to observe, filter, and route events during an update of core components and managers of the kernel-level security agent.
  - 17. The system of claim 1, wherein the kernel-level security agent comprises a hypervisor, one or more pre-boot components that leverages hardware-provided security features, or one or more pre-boot components that does not leverage hardware-provided security features.
  - 18. The system of claim 1, wherein the kernel-level security agent comprises at least one user-mode collector to observe events in a user mode of the system and at least one user-mode configurable filter to filter events in the user mode of the system.
  - 19. The system of claim 1, wherein the kernel-level security agent is a secure operating system that launches prior to a system operating system.

20. A computer-implemented method comprising:
- observing, by a kernel-level security agent, events on a computing device;
  
  filtering, by the kernel-level security agent, the observed events using configurable filters;
  
  routing, by the kernel-level security agent, the filtered events to one or more kernel-mode event consumers of the kernel-level security agent; and
  
  taking action, by the kernel-level security agent, based at least on one of the filtered events; and
  
  receiving, from a remote security system, by the kernel-level security agent, instructions for performing a configuration update of at least one component of the kernel-level security agent.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The computer-implemented method of claim 20, further comprising tracking attributes or behaviors of one or more objects or processes of the system in a model of the kernel-level security agent and updating the model based at least in part on the filtered events.
  - 22. The computer-implemented method of claim 20, wherein the taking the action includes informing the remote security system of the filtered events.
  - 23. The computer-implemented method of claim 22, further comprising receiving, in response to the informing, instructions for performing a further action.
  - 24. The computer-implemented method of claim 20, wherein taking the action comprises taking the action by one or more kernel-mode event consumers of the kernel-level security agent, and the one or more kernel-mode event consumers include at least one correlator that notes the fact of the occurrence of the filtered events and, based at least in part on an association between the occurrence of the filtered events and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, takes the action.
  - 25. The computer-implemented method of claim 20, further comprising producing, by one or more kernel-mode event consumers of the kernel-level security agent, a new filterable event in response to receiving one or more of the filtered events.
  - 26. The computer-implemented method of claim 20, wherein taking the action comprises taking the action by one or more kernel-mode event consumers of the kernel-level security agent, and the one or more kernel-mode event consumers include at least one actor configured to perform at least one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing the remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.
  - 27. The computer-implemented method of claim 20, further comprising updating, replacing or removing one or more components of the kernel-level security agent while the kernel-level security agent continues to operate.
  - 28. The computer-implemented method of claim 20, further comprising:
    - observing events associated with multiple processes or threads in parallel,filtering the multiple observed events in parallel,routing the multiple filtered events in parallel, orutilizing multiple kernel-mode event consumers in parallel.

29. One or more non-transitory computer-readable media having computer-executable instructions for a kernel-level security agent stored thereon and configured to program a computing device to perform, at the kernel level, operations comprising:
- observing events on a computing device;
  
  filtering the observed events using configurable filters; and
  
  taking one or more security response actions based at least on one of the filtered events, wherein taking the one or more security response actions comprises informing a remote security system of the filtered events.
- View Dependent Claims (30)
- - 30. The one or more non-transitory computer-readable media of claim 29, wherein the one or more security response actions further include one of:
    - gathering forensic data associated with an event,storing the forensic data in a model,informing the remote security system of the filtered events, ortaking an action to halt or deceive a process associated with one or more of the filtered events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Alperovitch, Dmitri, Ionescu, Ion-Alexandru, Kurtz, George Robert
Primary Examiner(s)
Revak, Christopher

Application Number

US14/709,779
Publication Number

US 20150244679A1
Time in Patent Office

700 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

G06F 9/46   Multiprogramming arrangements

G06N 5/04   Inference or reasoning models

H04L 41/0803   Configuration setting

H04L 63/0245   Filtering by information in...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Kernel-level security agent

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel-level security agent

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links