Processing security-relevant events using tagged trees

US 10,015,199 B2
Filed: 02/15/2017
Issued: 07/03/2018
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a processor; and

a memory coupled to the processor, the memory storing;

a tree object representing an execution chain of at least a first system components and a second system component of a plurality of system components, wherein the tree object comprises;

an indication of the first system component; and

an indication of the second system component;

a first data object representing the first system component;

a second data object representing the second system component; and

executable instructions;

wherein the executable instructions, when operated by the processor, cause the processor to perform operations including;

assigning, to both the first data object and the second data object, a first tag representing the tree object;

detecting a first event associated with the first system component;

in response to the first event, assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag;

detecting a second event subsequent to the first event and associated with the second system component; and

in response to the second event, performing a remedial action with respect to the first system component based at least in part on the second tag assigned to the tree object and the first tag assigned to the first data object.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.

72 Citations

20 Claims

1. A computing device comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing;
  
  a tree object representing an execution chain of at least a first system components and a second system component of a plurality of system components, wherein the tree object comprises;
  
  an indication of the first system component; and
  
  an indication of the second system component;
  
  a first data object representing the first system component;
  
  a second data object representing the second system component; and
  
  executable instructions;
  
  wherein the executable instructions, when operated by the processor, cause the processor to perform operations including;
  
  assigning, to both the first data object and the second data object, a first tag representing the tree object;
  
  detecting a first event associated with the first system component;
  
  in response to the first event, assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag;
  
  detecting a second event subsequent to the first event and associated with the second system component; and
  
  in response to the second event, performing a remedial action with respect to the first system component based at least in part on the second tag assigned to the tree object and the first tag assigned to the first data object.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing device of claim 1, wherein:
    - the operations include performing the remedial action further based on at least one of the second tag or a third tag assigned to at least one of the first data object and the second data object; and
      
      the at least one of the second tag or the third tag indicates suspicious behavior or exploit activity.
  - 3. The computing device of claim 1, wherein the operations further include:
    - detecting execution by the first system component of the second system component; and
      
      in response;
      
      constructing the tree object in the memory; and
      
      assigning the first tag to the first data object and to the second data object.
  - 4. The computing device of claim 1, wherein the first system component includes a process, and the second system component comprises a non-process system component.
  - 5. The computing device of claim 4, wherein the non-process system component includes a file written by the process.
  - 6. The computing device of claim 1, wherein:
    - the memory further stores a second tree object representing a second execution chain of a subset of the plurality of system components;
      
      the second tree object is associated with a fourth tag; and
      
      the operations further include;
      
      determining that a first system component of the at least some system components appears in the second execution chain; and
      
      assigning the fourth tag to the respective data object representing the first system component.

7. A computer-implemented method comprising:
- performing the following operations;
  
  creating, in a computer-readable memory, a first data object representing a first system component of a monitored computing device;
  
  creating, in the computer-readable memory, a second data object representing a second system component of a monitored computing device;
  
  creating, in the computer-readable memory, a tree object representing an execution chain, the tree object comprising;
  
  an indication of the first system component; and
  
  an indication of the second system component;
  
  assigning, to both the first data object and the second data object, a first tag representing the tree object; and
  
  subsequently, performing the following operations;
  
  detecting a first event associated with the first system component;
  
  in response to the first event, assigning, to the tree object, a second tag, wherein the second tag applies transitively to the first data object and the second data object via the first tag;
  
  detecting a second event subsequent to the first event and associated with the second system component; and
  
  in response to the second event, performing a remedial action with respect to the first system component based at least in part on the second tag.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, wherein:
    - the method further includes;
      
      filtering the second tag based on the stored configuration to provide a result; and
      
      performing the remedial action further based on the result.
  - 9. The method of claim 7, further including:
    - detecting an event associated with both the first system component and the second system component; and
      
      in response, creating the tree object.
  - 10. The method of claim 9, further including, before creating the tree object, determining that the event corresponds with a configurable policy.
  - 11. The method of claim 7, further including:
    - detecting an event associated with at least one of the first system component and the second system component;
      
      filtering the event based on a configurable policy to provide a result; and
      
      based at least in part on the result and on the first tag, updating the tree object by at least one of;
      
      assigning a tag to the tree object;
      
      orremoving a tag from the tree object.
  - 12. The method of claim 7, further including:
    - detecting execution by the first system component of the second system component of the monitored computing device; and
      
      creating the second data object in response to the detection of the execution.
  - 13. The method of claim 7, further including:
    - detecting an event associated with at least the first system component and the second system component; and
      
      in response, based at least in part on a configurable policy, propagating, from the first data object to the second data object, at least one tag assigned to the first data object.
  - 14. The method of claim 13, wherein the propagating includes propagating the at least one tag and fewer than all of a plurality of tags assigned to the first data object.
  - 15. The method of claim 13, further including:
    - determining that the at least one tag is mutually exclusive with a third tag associated with the second data object; and
      
      in response, generating an event indicative of a tag conflict.

16. A computer-implemented method, comprising:
- performing the following operations;
  
  receiving, via a network, information of a first system component and a second system component of a monitored computing device;
  
  creating, in a computer-readable memory, a first data object representing the first system component and a second data object representing the second system component;
  
  receiving, via the network, an indication of a first event associated with both the first system component and the second system component;
  
  creating, in the computer-readable memory, a tree object representing the first event, the tree object comprising;
  
  an indication of the first system component; and
  
  an indication of the second system component and subsequently, performing the following operations;
  
  assigning, to both the first data object and the second data object, a first tag representing the tree object;
  
  receiving, via the network, an indication of a second event associated with the first system component;
  
  in response to the second event, assigning, to the tree object, a second tag;
  
  receiving, via the network, an indication of a third event subsequent to the second event and associated with the second system component; and
  
  in response to the third event, performing a remedial action with respect to the first system component based at least in part on the second tag.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further including at least one of:
    - assigning, to at least one of the first data object or the second data object, a third tag representing the monitored computing device;
      
      orassigning, to the tree object, the third tag.
  - 18. The method of claim 16, further including:
    - receiving, via the network, information of a third system component, the third system component being a system component of a second monitored computing device;
      
      creating, in the computer-readable memory, a third data object representing the third system component; and
      
      in response to the indication of the event, updating at least one tag of the second third data object.
  - 19. The method of claim 16, further including:
    - in response to the indication of the event, updating a configurable policy to provide an updated policy; and
      
      transmitting, via the network, the updated policy to a second monitored computing device.
  - 20. The method of claim 16, further including:
    - assigning, to at least one of the first data object or the second data object, a third tag; and
      
      performing the action further based at least in part on the third tag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Lamothe-Brassard, Maxime
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/433,535
Publication Number

US 20170163686A1
Time in Patent Office

503 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Processing security-relevant events using tagged trees

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Processing security-relevant events using tagged trees

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links