Real-time model of states of monitored devices

US 9,798,882 B2
Filed: 06/06/2014
Issued: 10/24/2017
Est. Priority Date: 06/06/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

memory storing;

a model which represents system components and events of a plurality of monitored devices as data objects, wherein each data object has a scope, wherein a system component present on multiple ones of the plurality of monitored devices is represented in the model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope; and

computer-executable instructions which, when executed by the one or more processors, cause the system to;

select one of a plurality of different actions based at least in part on;

a propagation of a property from the first data object to the second data object; and

(i) the device-specific scope of the first data object or (ii) the group-specific scope or the global scope of the second data object; and

perform the selected one of the plurality of different actions.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A model representing system components and events of a plurality of monitored devices as data objects is described herein. The model resides on a security service cloud and is updated in substantially real-time, as security-relevant information about the system components and events is received by the security service cloud. Each data object in the model has a scope and different actions are taken by security service cloud modules depending on different data object scopes. Further, the security service cloud maintains a model specific to each monitored device built in substantially real-time as the security-relevant information from that device is received. The security service cloud utilizes these device-specific models to detect security concerns and respond to those concerns in substantially real-time.

Citations

24 Claims

1. A system comprising:
- one or more processors; and
  
  memory storing;
  
  a model which represents system components and events of a plurality of monitored devices as data objects, wherein each data object has a scope, wherein a system component present on multiple ones of the plurality of monitored devices is represented in the model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope; and
  
  computer-executable instructions which, when executed by the one or more processors, cause the system to;
  
  select one of a plurality of different actions based at least in part on;
  
  a propagation of a property from the first data object to the second data object; and
  
  (i) the device-specific scope of the first data object or (ii) the group-specific scope or the global scope of the second data object; and
  
  perform the selected one of the plurality of different actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein each data object is represented as a vertex in a graph, and edges connecting the vertices represent relations between the system components or events represented by the data objects.
  - 3. The system of claim 1, wherein the system component present on the multiple ones of the plurality of monitored devices is represented in the model by three data objects including the first data object with the device-specific scope, the second data object with the group-specific scope, and a third data object with the global scope.
  - 4. The system of claim 3, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to propagate the property of the first data object to the second data object and the third data object based on their shared association with the system component.
  - 5. The system of claim 4, wherein selecting the one of the plurality of different actions is further based at least in part on the propagation of the property from the first data object to the second data object and the third data object.
  - 6. The system of claim 1, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to take different actions of the plurality of different actions based on whether a system component or behavior is observed for a first time globally, on any monitored device, or whether the system component or behavior is observed for the first time on a specific monitored device but has previously been observed on another monitored device.
  - 7. The system of claim 1, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to:
    - determine, based on a configuration, that a set of events is mapped to a creation, updating, or linking of a data object in the model; and
      
      output an event to cause the creation, updating, or linking of the data object.
  - 8. The system of claim 7, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to update the model responsive to receiving the output event.
  - 9. The system of claim 8, wherein updating the model comprises updating the model in real-time as the output event is received.
  - 10. The system of claim 1, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to query the model on behalf of a requestor, add metadata to a result from the query, and provide the result with the added metadata to the requestor.
  - 11. The system of claim 10, wherein the computer-executable instructions, when executed by the one or more processors, further cause the system to determine prevalence of a security concern within a group or across groups based on scopes of the data objects referenced in the result from the query.
  - 12. The system of claim 1, wherein the scopes are explicit properties of some data objects of the model and are implicit properties of other data objects of the model.

13. A method implemented by one or more devices of a security service cloud, comprising:
- receiving security-relevant information from a monitored device;
  
  representing the security-relevant information in a model specific to the monitored device in real-time as the security-relevant information is received, wherein a system component or an event associated with the security-relevant information received from the monitored device is represented in the model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope;
  
  propagating a property from the first data object to the second data object;
  
  detecting, in real-time as the security-relevant information is represented, a security concern associated with the security-relevant information represented in the model; and
  
  in response to detecting the security concern;
  
  selecting an action among a plurality of different actions based at least in part on the propagating of the property from the first data object to the second data object; and
  
  taking the action, in real-time as the security concern is detected.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, further comprising gathering further information from another model representing additional security-relevant information received from a plurality of monitored devices or from one or more other sources responsive to detecting the security concern.
  - 15. The method of claim 14, wherein the one or more other sources include other device-specific models.
  - 16. The method of claim 13, wherein the model specific to the monitored device is associated with an actor module that is responsible for maintaining the model specific to the monitored device.
  - 17. The method of claim 13, wherein taking the action comprises at least one of updating a configuration of an agent of the monitored device, triggering an action on the monitored device, or updating runtime data in the monitored device.
  - 18. The method of claim 13, wherein the detecting comprises detecting different security concerns by different modules of the security service cloud, the different modules each configured to detect one or more different security concerns.

19. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions which, when executed by one or more computing devices, cause the one or more computing devices to perform actions comprising:
- receiving security-relevant information associated with system components and events of a plurality of monitored devices;
  
  in real-time as the security-relevant information is received, updating a graph model representing the system components and events of the plurality of monitored devices as data objects, wherein a system component or an event associated with the security-relevant information received from the plurality of monitored devices is represented in the graph model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope;
  
  propagating a property from the first data object to the second data object; and
  
  in real-time as the system components and events are represented,detecting a security concern associated with the represented system components and events, andin response to detecting the security concern;
  
  selecting an action among a plurality of different actions based at least in part on the propagating of the property from the first data object to the second data object; and
  
  taking the action, in real-time as the security concern is detected.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The one or more non-transitory computer-readable media of claim 19, wherein the actions further comprise creating a search index for finding security relevant information without having to traverse the graph model.
  - 21. The one or more non-transitory computer-readable media of claim 19, wherein the actions further comprise receiving a notification of the update to the graph model through a message queue.
  - 22. The one or more non-transitory computer-readable media of claim 19, wherein the actions further comprise performing additional analysis in response to detecting the security concern.
  - 23. The one or more non-transitory computer-readable media of claim 19, wherein the actions further comprise storing additional data relevant to the data objects but which is not represented in the graph model.
  - 24. The one or more non-transitory computer-readable media of claim 20, wherein the data objects represent processes, modules of processes, execution chains of processes, event detections, or pattern hits.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David Frederick, Jackson, Leif Air Fire Grosch, Plush, James Robert
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US14/297,974
Publication Number

US 20150356301A1
Time in Patent Office

1,236 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 41/34   Signalling channels for net...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Real-time model of states of monitored devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time model of states of monitored devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links