Kernel-level security agent

US 9,904,784 B2
Filed: 04/10/2017
Issued: 02/27/2018
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

at least one memory configured to store a situational model and computer-executable instructions of a kernel-level security agent; and

one or more processors that, upon executing the computer-executable instructions, perform operations comprising;

observing a first event associated with one or more processes executing on the computing system;

accessing, from a kernel mode of the computing system, the situational model;

determining that the first event passes a first filter;

updating the situational model based at least in part on the first event to provide an updated situational model;

observing a second event associated with one or more processes executing on the computing system;

determining that the second event passes a second filter based at least in part on the updated situational model;

determining a preventative action to take based on at least one of the second event and the updated situational model; and

performing the preventative action.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.

Citations

20 Claims

1. A computing system comprising:
- at least one memory configured to store a situational model and computer-executable instructions of a kernel-level security agent; and
  
  one or more processors that, upon executing the computer-executable instructions, perform operations comprising;
  
  observing a first event associated with one or more processes executing on the computing system;
  
  accessing, from a kernel mode of the computing system, the situational model;
  
  determining that the first event passes a first filter;
  
  updating the situational model based at least in part on the first event to provide an updated situational model;
  
  observing a second event associated with one or more processes executing on the computing system;
  
  determining that the second event passes a second filter based at least in part on the updated situational model;
  
  determining a preventative action to take based on at least one of the second event and the updated situational model; and
  
  performing the preventative action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The computing system of claim 1, the operations further comprising tracking attributes or behaviors of one or more objects or processes of the computing system in the situational model.
  - 3. The computing system of claim 2, wherein the operations for determining that the first event passes the first filter comprise querying the situational model from the kernel mode.
  - 4. The computing system of claim 1, further comprising a network interface, the operations for performing the preventative action comprising informing a remote security system of at least one of the first event or the second event via the network interface.
  - 5. The computing system of claim 4, the operations further comprising receiving, in response, at least:
    - instructions for performing a further action;
      
      ora configuration update.
  - 6. The computing system of claim 1, the operations further comprising receiving one or more events, configuration updates, or instructions for performing actions from a remote security system independently of communications from the kernel-level security agent to the remote security system.
  - 7. The computing system of claim 1, the operations further comprising:
    - noting, using at least one correlator module, the fact of the occurrence of the first event;
      
      determining an association between the occurrence of the first event and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine; and
      
      providing a third event further based at least in part on the association,wherein the preventative action is performed based at least in part on the third event.
  - 8. The computing system of claim 1, the operations further comprising producing a third event in response to at least:
    - the determination that the first event passes the first filter;
      
      orthe determination that the second event passes the second filter.
  - 9. The computing system of claim 1, the operations for performing the preventative action comprising at least:
    - gathering forensic data associated with at least the first event or the second event,storing the forensic data in a model,informing a remote security system of the filtered events,halting a first process associated with at least the first event or the second event, ordeceiving the first process.
  - 10. The computing system of claim 1, the operations further comprising updating, replacing, or removing one or more components of the kernel-level security agent while the kernel-level security agent continues to operate.
  - 11. The computing system of claim 10, wherein an existing component of the kernel-level security agent designated to be replaced or removed continues to operate during an update of the kernel-level security agent.
  - 12. The computing system of claim 1, the operations further comprising, in response to determining that the first event passes the first filter, routing the first event to at least a correlator module, the situational model, an actor component, or a communications module.
  - 13. The computing system of claim 1, the operations further comprising scheduling asynchronous events for processing by one or more kernel-mode event consumers of the kernel-level security agent.
  - 14. The computing system of claim 1, the operations further comprising at least:
    - observing events associated with multiple processes or threads in parallel,filtering the multiple observed events in parallel,routing the multiple filtered events in parallel, orprocessing events using multiple event consumers in parallel.
  - 15. The computing system of claim 1, the operations further comprising, using one or more kernel-mode event consumers of the kernel-level security agent:
    - determining that the second event is associated with a malicious code of the system, the second event occurring after observation of the first event by the kernel-level security agent; and
      
      in response, performing the preventative action.
  - 16. The computing system of claim 1, wherein the computer-executable instructions of the kernel-level security agent comprise computer-executable instructions of at least:
    - a configuration manager configured to receive the configuration updates from a remote security system;
      
      a component manager configured to load or unload a new component based on the configuration update;
      
      a state manager configured to persist state information between old and new components;
      
      a storage manager configured to interface with storage of the system on behalf of the kernel-level security agent, oran integrity manager configured to observe, filter, and route events during an update of core components and managers of the kernel-level security agent.
  - 17. The computing system of claim 1, wherein the computer-executable instructions of the kernel-level security agent comprise computer-executable instructions of at least:
    - a hypervisor,a pre-boot component configured to leverage hardware-provided security features, ora pre-boot component configured not to leverage hardware-provided security features.
  - 18. The computing system of claim 1, the operations further comprising:
    - using at least one collector module, observing events in a user mode of the computing system; and
      
      using at least one configurable filter, filtering the events in the user mode of the computing system.
  - 19. The computing system of claim 1, wherein the kernel-level security agent is a secure operating system that launches prior to a system operating system.
  - 20. The computing system of claim 1, wherein the operations further comprise determining that the first event passes the first filter based at least in part on the situational model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Alperovitch, Dmitri, Ionescu, Ion-Alexandru, Kurtz, George Robert
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US15/483,153
Publication Number

US 20170213031A1
Time in Patent Office

323 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

G06F 9/46   Multiprogramming arrangements

G06N 5/04   Inference or reasoning models

H04L 41/0803   Configuration setting

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Kernel-level security agent

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel-level security agent

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links