Malicious incident visualization
    11.
    发明授权

    公开(公告)号:US11588832B2

    公开(公告)日:2023-02-21

    申请号:US16943949

    申请日:2020-07-30

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L29/06 H04L9/40

    摘要: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.

    REAL-TIME STREAMING GRAPH QUERIES
    12.
    发明申请

    公开(公告)号:US20220374434A1

    公开(公告)日:2022-11-24

    申请号:US17325097

    申请日:2021-05-19

    申请人: CrowdStrike, Inc.

    IPC分类号: G06F16/2455 G06F16/901

    摘要: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.

    Network containment of compromised machines

    公开(公告)号:US11368432B2

    公开(公告)日:2022-06-21

    申请号:US16877265

    申请日:2020-05-18

    申请人: Crowdstrike, Inc.

    IPC分类号: H04L29/06 G06F21/55 G06F21/56

    摘要: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.

    METHOD AND APPARATUS FOR COMBINING A FIREWALL AND A FORENSICS AGENT TO DETECT AND PREVENT MALICIOUS SOFTWARE ACTIVITY

    公开(公告)号:US20220159024A1

    公开(公告)日:2022-05-19

    申请号:US17587487

    申请日:2022-01-28

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L9/40 H04L41/16

    摘要: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detect a suspect network communication associated with a suspect network activity and, in response, determine an originating machine based on the suspect network activity. The method may further suspend network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.

    Using indirection to facilitate software upgrades

    公开(公告)号:US11017086B2

    公开(公告)日:2021-05-25

    申请号:US15721508

    申请日:2017-09-29

    申请人: CrowdStrike, Inc.

    摘要: A security agent for a host computing device may be implemented with multiple levels of indirection from an operating system (OS) kernel of the computing device in order to facilitate software upgrades for the security agent. An unserviceable kernel-mode component of the security agent may directly interface with the OS kernel and hook into a function (e.g., a security callback function) of the OS kernel in a first level of indirection, while a serviceable kernel-mode component of the security agent, which is upgradable, may indirectly interface with the OS kernel via the unserviceable kernel-mode component in a second level of indirection. The serviceable kernel-mode component may be configured to process events, and/or data related thereto, received from the OS kernel via the unserviceable kernel-mode component in order to monitor activity on the computing device for malware attacks.

    VISUALIZATION AND CONTROL OF REMOTELY MONITORED HOSTS

    公开(公告)号:US20210037035A1

    公开(公告)日:2021-02-04

    申请号:US16943755

    申请日:2020-07-30

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L29/06 H04L12/24

    摘要: Methods and systems for visualization of data associated with events detected on a monitored server host, and control of the host, are provided. A system may detect an incident on a remote server host. The system may present scores and activity graphs on a user interface for a human operator to review. The user interface may include animated activity graphs to show the progress of a past malicious event. The user interface may emphasize, de-emphasize, and/or hide subgraphs. The user interface may include quick-action buttons and wizards to permit users to immediately kill processes or isolate a computer from the network. The user interface may include controls to bulk-tag detected events associated with a subgraph. The user interface may present notifications/dashboards of significant malicious events in progress and update same when a new event rises in incident score into the top 10.

    MAPPING UNBOUNDED INCIDENT SCORES TO A FIXED RANGE

    公开(公告)号:US20210037028A1

    公开(公告)日:2021-02-04

    申请号:US16944033

    申请日:2020-07-30

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L29/06 H04L12/26 H04L12/24

    摘要: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.

    Validation-based determination of computational models

    公开(公告)号:US10826934B2

    公开(公告)日:2020-11-03

    申请号:US15402503

    申请日:2017-01-10

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L29/06 G06N20/00 G06F21/56

    摘要: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.

    Kernel- and user-level cooperative security processing

    公开(公告)号:US10740459B2

    公开(公告)日:2020-08-11

    申请号:US15857007

    申请日:2017-12-28

    申请人: CrowdStrike, Inc.

    摘要: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.

    Network containment of compromised machines

    公开(公告)号:US10659432B2

    公开(公告)日:2020-05-19

    申请号:US15643291

    申请日:2017-07-06

    申请人: CrowdStrike, Inc.

    IPC分类号: H04L29/06 G06F21/55 G06F21/56

    摘要: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.