-
Publication No.: US11811821B2
Publication date: 2023-11-07
Application No.: US17087194
Filing date: 2020-11-02
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw
CPC classification: H04L63/145, G06F21/56, G06N20/00, H04L63/1416
Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-
Publication No.: US10832168B2
Publication date: 2020-11-10
Application No.: US15402524
Filing date: 2017-01-10
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Patrick Crenshaw, Brett Meyer
IPC classification: G06N99/00, H04N21/44, G06N3/08, G06F9/00, G06T5/20, G06N20/00, H04L12/24, H04L29/06, G06F21/56, G06N3/04, G06N20/10
Abstract: Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determine training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.
-
Publication No.: US20230421587A1
Publication date: 2023-12-28
Application No.: US17849537
Filing date: 2022-06-24
Applicant: Crowdstrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425
Abstract: A distributed security system includes instances of a compute engine that can receive an event stream comprising event data associated with an occurrence of one or more events on one or more client computing devices and generate new event data based on the event data in the event stream. A predictions engine coupled in communication with the compute engine(s) receives the new event data and applies at least a portion of the received new event data to one or more machine learning models of the distributed security system. Based on that applying, the one or more machine learning models generate a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors.
-
Publication No.: US10826934B2
Publication date: 2020-11-03
Application No.: US15402503
Filing date: 2017-01-10
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw
Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-
Publication No.: US20230344843A1
Publication date: 2023-10-26
Application No.: US17725352
Filing date: 2022-04-20
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425, H04L63/145
Abstract: Techniques and systems are described for a security service system configured with a sensor component that includes a machine learning (ML) malware classifier to perform behavioral detection on host devices. The security service system may deploy a sensor component to monitor behavioral events on a host device. The sensor component may generate event data corresponding to monitored operations targeted by malware. The system may map individual events from the event data onto a behavioral activity pattern and generate process trees. The system may extract behavioral artifacts to build a feature vector used for malware classification and generate a machine learning (ML) malware classifier. The sensor component may use the ML malware classifier to perform asynchronous behavioral detection on a host device and process system events for malware detection.
-
Publication No.: US20180197089A1
Publication date: 2018-07-12
Application No.: US15402524
Filing date: 2017-01-10
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Patrick Crenshaw, Brett Meyer
CPC classification: G06N20/00, G06F21/56, G06N3/0445, G06N3/0454, G06N3/084, G06N20/10, H04L41/145, H04L41/147, H04L63/1416
Abstract: Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determine training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.
-
Publication No.: US20240146747A1
Publication date: 2024-05-02
Application No.: US17977898
Filing date: 2022-10-31
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425, H04L63/1416
Abstract: Methods and systems for multi-cloud breach detection using ensemble classification and deep anomaly detection are disclosed. According to an implementation, a security appliance may receive logged event data. The security appliance may determine, using a supervised machine learning (ML) model, a first anomaly score representing a first context. The security appliance may further determine, using a semi-supervised machine learning (ML) model, a second anomaly score representing a second context, and, using an unsupervised ML model, one or more third anomaly scores representing one or more third contexts. The security appliance may aggregate the first anomaly score, the second anomaly score and the one or more third anomaly scores using a classification module to produce a final anomaly score and a final context. The security appliance may determine that an anomaly exists, and a type of attack, based on the final anomaly score and the final context.
-
Publication No.: US20210075798A1
Publication date: 2021-03-11
Application No.: US17087194
Filing date: 2020-11-02
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw
Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-
Publication No.: US20180198800A1
Publication date: 2018-07-12
Application No.: US15402503
Filing date: 2017-01-10
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw
CPC classification: H04L63/145, G06F21/56, G06N20/00, H04L63/1416
Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-