-
Publication No.: US20230244723A1
Publication Date: 2023-08-03
Application No.: US17589772
Filing Date: 2022-01-31
Applicant: CrowdStrike, Inc.
Inventors: Theo Chihaia, Horea Razvan Coroiu, Constantin-Cosmin Crecana, Cezar Mihai Socoteanu, Alexandru Postica
IPC Classification: G06F16/93
CPC Classification: G06F16/93
Abstract: A documentation generation engine coupled to a mutation handler is provided, configured to traverse a knowledge base to derive selective views. Organizations may configure a documentation generator application running on generator hosts to summarize records of a knowledge base storing institutional knowledge, and the relationships between those records, as human-readable reference documents. It is undesirable for the documentation generator to query the knowledge base naively in response to updates in order to derive the views required to generate updated documentation. Therefore, example embodiments of the present disclosure provide a query-writing framework which describes a schema organizing these records for human readability and describing the relationships of these records to other records of interest, from which a set of queries may be derived that cause a knowledge base to return all records topically related by the schema of the query-writing framework, while minimizing excess querying that would unnecessarily amplify computational workload and network traffic.
-
Publication No.: US20230229717A1
Publication Date: 2023-07-20
Application No.: US17576734
Filing Date: 2022-01-14
Applicant: Crowdstrike, Inc.
Inventors: Hyacinth David Diehl, Michael Edward Lusignan, Brent Ryan Nash, Liudmila Nikolaeva, Nora Lillian Sandler, Garry James Bodsworth
IPC Classification: G06F16/9532, G06F16/9536, H04L9/40
CPC Classification: G06F16/9532, G06F16/9536, H04L63/1408
Abstract: An event query host can include one or more processors configured to process an event stream indicating events that occurred on one or more computing devices. The event stream comprises event data associated with occurrences of events on the one or more computing devices. The event query host can forward the event data to a first query engine and to a second query engine. The first query engine can determine, based on a set of query definitions, that the forwarded event data is associated with a first query to be executed by the first query engine, and so executes the first query instance associated with the first query. The second query engine can likewise determine, based on the same set of query definitions, that the forwarded event data is associated with a second query to be executed by the second query engine, and so executes the second query instance associated with the second query.
-
Publication No.: US11616790B2
Publication Date: 2023-03-28
Application No.: US16849450
Filing Date: 2020-04-15
Applicant: CrowdStrike, Inc.
IPC Classification: H04L9/40, G06F16/2455, G06Q50/26
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and route it to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication No.: US11582246B2
Publication Date: 2023-02-14
Application No.: US16944052
Filing Date: 2020-07-30
Applicant: CrowdStrike, Inc.
Inventor: Daniel W. Brown
Abstract: Techniques and systems are described that provide a more intuitive user overview of event data by mapping unbounded incident scores to a fixed range and aggregating incident scores under different schemes. The system may detect possible malicious incidents associated with events occurring on a host device. The event data may be gathered from events detected on the host device, and the incident scores for incidents may be determined from that event data. The incident scores may be mapped to bins of a fixed range to highlight the significance of each score. For instance, a first score mapped to a first bin may be insignificant, while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and over different time intervals to provide insights into the data.
-
Publication No.: US20210397750A1
Publication Date: 2021-12-23
Application No.: US17466861
Filing Date: 2021-09-03
Applicant: CrowdStrike, Inc.
IPC Classification: G06F21/82, G06F13/40, G06F21/71, G06F13/38, G06F21/56, G06F21/57, G06F21/55, G06F9/4401, G06F21/85
Abstract: A plug-and-play (PnP) driver associated with a security agent is described herein. The PnP driver attaches to the device stacks of enumerated bus devices of a computing device as upper-device or lower-device filters, depending on the device classes of the enumerated bus devices. For example, the PnP driver may attach to the device stack of a hub or controller device as an upper-device filter and to the device stacks of other devices as lower-device filters. Either while attaching or after attachment, the PnP driver may take action to alter, limit, or otherwise block the functionality of an enumerated bus device. The PnP driver may also perform a system inventory of the enumerated bus devices connected to the computing device and create fingerprints for one or more of the computing devices. Additionally, the PnP driver may create and remove control device objects (CDOs) to enable communication with user-mode processes or threads.
-
Publication No.: US11050764B2
Publication Date: 2021-06-29
Application No.: US16110927
Filing Date: 2018-08-23
Applicant: CrowdStrike, Inc.
Inventors: Brody Nisbet, Andrew Roden, John Lee
IPC Classification: H04L29/06, G06F16/245, G06F16/248, G06F11/30, G06F11/32, G06F11/34, G06F21/55, H04W12/12
Abstract: Cardinality-based activity pattern detection is described herein. Events on a computing system are monitored to detect patterns matching defined activity patterns. A cardinality-based activity pattern query is then executed over the data representing detected activity patterns to identify multiple, distinct defined activity patterns that have occurred during a particular time period.
-
Publication No.: US20210049292A1
Publication Date: 2021-02-18
Application No.: US17060355
Filing Date: 2020-10-01
Applicant: CrowdStrike, Inc.
Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent component may then determine which pages of memory include identified memory locations and set privilege attributes of those pages to prevent specific types of access to those memory locations, such as executing code stored at a memory location. Also, the security agent component may refrain from setting intercepts for pages that include a whitelisted memory location. Further, the security agent component may set intercepts for debug registers, note read operations from the operating system on those registers, and respond with operating-system-permitted values. Additionally, the security agent component may set intercepts for instructions that perform write operations on control registers.
-
Publication No.: US20210037027A1
Publication Date: 2021-02-04
Application No.: US16943949
Filing Date: 2020-07-30
Applicant: CrowdStrike, Inc.
IPC Classification: H04L29/06
Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing the presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst, who verifies the malicious incidents. Based on the patterns and information conveyed in the visualizations, the computing device or host device may take action to protect the operation of the host device affected by the event.
-
Publication No.: US10853491B2
Publication Date: 2020-12-01
Application No.: US16007507
Filing Date: 2018-06-13
Applicant: CrowdStrike, Inc.
Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and use those event consumers to take action based on at least one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and, in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with the malicious code. Further, the security agent may use a model representing chains of execution activities and take action based on those chains.
-
Publication No.: US10803172B2
Publication Date: 2020-10-13
Application No.: US15585156
Filing Date: 2017-05-02
Applicant: CrowdStrike, Inc.
Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior against known computing behavior that is benign or malignant. This arrangement of definitions and patterns of behavior allows the security agent's behavior to be updated by a remote security service without updating the configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent the ability to respond in real time to new behaviors exhibited by the monitored computing device.