Kernel-level security agent
First Claim
1. A system comprising:
- one or more processors; and
- a kernel-level security agent including a kernel-mode collector component, configurable filter(s), a routing component, and one or more kernel-mode event consumers, each of the kernel-mode collector component, configurable filter(s), routing component, and one or more kernel-mode event consumers being implemented at the kernel-level, wherein:
  - the kernel-mode collector component is configured to be executed by the one or more processors to observe kernel-level events,
  - the configurable filter(s) are configured to be executed by the one or more processors to filter the observed events, including at least the kernel-level events,
  - the routing component is configured to be executed by the one or more processors to route one(s) of the filtered events to one(s) of the one or more kernel-mode event consumers, and
  - the one or more kernel-mode event consumers are configured to be executed by the one or more processors to take action based at least on one of the filtered events.
Abstract
A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
30 Claims
1. A system comprising: (text given under First Claim above; dependent claims 2-19)
20. A computer-implemented method comprising:
- observing, by a kernel-level security agent, events on a computing device;
- filtering, by the kernel-level security agent, the observed events using configurable filters;
- routing, by the kernel-level security agent, the filtered events to one or more kernel-mode event consumers of the kernel-level security agent;
- taking action, by the kernel-level security agent, based at least on one of the filtered events; and
- receiving, from a remote security system, by the kernel-level security agent, instructions for performing a configuration update of at least one component of the kernel-level security agent.
Dependent claims: 21-28.
29. One or more non-transitory computer-readable media having computer-executable instructions for a kernel-level security agent stored thereon and configured to program a computing device to perform, at the kernel level, operations comprising:
- observing events on a computing device;
- filtering the observed events using configurable filters; and
- taking one or more security response actions based at least on one of the filtered events, wherein taking the one or more security response actions comprises informing a remote security system of the filtered events.
Dependent claim: 30.
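As an added illustration, not the patent's own code, the following Python models the claimed pipeline in user space: a collector records events and process lineage, configurable filters drop events, a routing table sends each event type to named consumers, one consumer reports to the remote security system (claim 29) and another acts on a chain of execution activities (abstract), and a configuration update from the remote system (claim 20) changes the routing. The event schema, process image names and the Office-to-shell chain the consumer looks for are constructed assumptions.

```python
# Constructed sample of observed kernel-level events (hypothetical schema, not the patent's).
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "file_write", "pid": 100, "path": "C:\\Users\\a\\notes.txt"},
    {"type": "file_write", "pid": 300, "path": "C:\\Users\\a\\payload.ps1"},
]

class Agent:
    def __init__(self, filters, routes, consumers):
        self.filters = filters      # configurable filters: predicates an event must pass
        self.routes = routes        # routing table: event type -> consumer names
        self.consumers = consumers  # consumer name -> callable(event, agent)
        self.lineage = {}           # pid -> (ppid, image): model of execution chains
        self.actions = []           # actions taken, recorded for inspection

    def configure(self, update):    # configuration update, as pushed by a remote system
        self.filters = update.get("filters", self.filters)
        self.routes = update.get("routes", self.routes)

    def chain(self, pid):           # image names from pid up to the root of its chain
        out = []
        while pid in self.lineage:
            pid, image = self.lineage[pid]
            out.append(image)
        return out

    def observe(self, event):       # collector: record lineage, then filter and route
        if event["type"] == "process_create":
            self.lineage[event["pid"]] = (event["ppid"], event["image"])
        if not all(f(event) for f in self.filters):
            return                  # filtered out: no consumer sees it
        for name in self.routes.get(event["type"], []):
            self.consumers[name](event, self)

def report(event, agent):           # consumer: inform the remote security system
    agent.actions.append(("report", event["type"], event["pid"]))
def block_office_spawned_shell(event, agent):  # consumer: act on an execution chain
    if agent.chain(event["pid"])[:2] == ["powershell.exe", "winword.exe"]:
        agent.actions.append(("block", event["pid"]))

def run(events):
    agent = Agent(filters=[lambda e: e["type"] in ("process_create", "file_write")],
                  routes={"process_create": ["report"], "file_write": ["report"]},
                  consumers={"report": report, "block": block_office_spawned_shell})
    # Remote system later updates routing so file writes also reach the chain consumer.
    agent.configure({"routes": {"process_create": ["report"],
                                "file_write": ["report", "block"]}})
    for e in events:
        agent.observe(e)
    return agent.actions
```

Running `run(EVENTS)` reports every retained event and records one preventative action, for the file write by the shell whose chain is winword.exe under explorer.exe; the write by explorer.exe itself is reported but not blocked.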