Kernel-level security agent
First Claim
1. A computing system comprising:
- at least one memory configured to store a situational model and computer-executable instructions of a kernel-level security agent; and
one or more processors that, upon executing the computer-executable instructions, perform operations comprising;
observing a first event associated with one or more processes executing on the computing system;
accessing, from a kernel mode of the computing system, the situational model;
determining that the first event passes a first filter;
updating the situational model based at least in part on the first event to provide an updated situational model;
observing a second event associated with one or more processes executing on the computing system;
determining that the second event passes a second filter based at least in part on the updated situational model;
determining a preventative action to take based on at least one of the second event and the updated situational model; and
performing the preventative action.
3 Assignments
0 Petitions
Accused Products
Abstract
A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
-
Citations
20 Claims
-
1. A computing system comprising:
-
at least one memory configured to store a situational model and computer-executable instructions of a kernel-level security agent; and one or more processors that, upon executing the computer-executable instructions, perform operations comprising; observing a first event associated with one or more processes executing on the computing system; accessing, from a kernel mode of the computing system, the situational model; determining that the first event passes a first filter; updating the situational model based at least in part on the first event to provide an updated situational model; observing a second event associated with one or more processes executing on the computing system; determining that the second event passes a second filter based at least in part on the updated situational model; determining a preventative action to take based on at least one of the second event and the updated situational model; and performing the preventative action. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
Specification