Kernel-Level Security Agent

US 20140109226A1
Filed: 12/24/2013
Published: 04/17/2014
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

detecting a first action associated with malicious code;

responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action;

upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.

26 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- detecting a first action associated with malicious code;
  
  responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action;
  
  upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the preventative action is preventing the one or more subsequent actions and further actions by the malicious process or deceiving an adversary associated with the malicious code.
  - 3. The method of claim 1, further comprising storing the gathered data in a model that tracks actions taken by processes of a system which executed the first action.
  - 4. The method of claim 1, further comprising providing the gathered data to a remote security system.
  - 5. The method of claim 4, further comprising receiving, in response, instructions associated with the preventative action or a configuration update for configuring a security agent that performs the detecting, gathering, and performing.
  - 6. The method of claim 1, wherein the detecting, gathering, and performing are performed by a kernel-level security agent that utilizes configurable filters.
  - 7. The method of claim 1, wherein detecting the first action or the one or more subsequent actions comprises observing events associated with multiple processes or threads in parallel.

8. One or more tangible computer-readable media storing computer-executable instructions configured to implement a kernel-level security agent on a computer device, the kernel-level security agent performing operations comprising:
- observing an event associated with a process executing on the computing device;
  
  determining, based at least in part on the observed event, that the process is associated with malicious code; and
  
  responsive to the determining, deceiving an adversary associated with the malicious code.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The one or more tangible computer-readable media of claim 8, wherein the deceiving comprises falsifying data acquired by the malicious code.
  - 10. The one or more tangible computer-readable media of claim 8, wherein the deceiving comprises falsifying the data transmitted to the adversary.
  - 11. The one or more tangible computer-readable media of claim 8, wherein the determining comprises determining that the process is associated with malicious code based at least on part on a model that tracks processes of the computing device.
  - 12. The one or more tangible computer-readable media of claim 8, wherein the kernel-level security agent utilizes configurable filters.
  - 13. The one or more tangible computer-readable media of claim 8, wherein the operations further comprise providing gathered data associated with the observed event to a remote security system.
  - 14. The one or more tangible computer-readable media of claim 8, wherein the operations further comprise preventing an action by the process.

15. A method implemented by a kernel-level security agent of a computing device, the method comprising:
- observing execution activities of one or more processes of the computing device;
  
  storing data associated with the one or more execution activities in a model of the kernel-level security agent, the model representing one or more chains of execution activities; and
  
  taking action based at least in part on the one or more chains of execution activities.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein at least one of the chains of execution activities represents a genealogy of one of the processes.
  - 17. The method of claim 15, wherein the taking action comprises halting or deceiving a process associated with malicious activity.
  - 18. The method of claim 15, further comprising providing the stored data to a remote security system.
  - 19. The method of claim 18, further comprising receiving, in response, instructions associated with the action or a configuration update for configuring the kernel-level security agent.
  - 20. The method of claim 15, wherein the kernel-level security agent utilizes configurable filters

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Diehl, David F., Alperovitch, Dmitri, Ionescu, Ion-Alexandru, Kurtz, George Robert

Granted Patent

US 9,571,453 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

G06F 9/46   Multiprogramming arrangements

G06N 5/04   Inference or reasoning models

H04L 41/0803   Configuration setting

H04L 63/0245   Filtering by information in...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Kernel-Level Security Agent

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel-Level Security Agent

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links