-
公开(公告)号:US11588832B2
公开(公告)日:2023-02-21
申请号:US16943949
申请日:2020-07-30
申请人: CrowdStrike, Inc.
摘要: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.
-
公开(公告)号:US20220374434A1
公开(公告)日:2022-11-24
申请号:US17325097
申请日:2021-05-19
申请人: CrowdStrike, Inc.
IPC分类号: G06F16/2455 , G06F16/901
摘要: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.
-
公开(公告)号:US11368432B2
公开(公告)日:2022-06-21
申请号:US16877265
申请日:2020-05-18
申请人: Crowdstrike, Inc.
发明人: Paul Meyer , Cameron Gutman , John R. Kooker
摘要: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.
-
公开(公告)号:US20220159024A1
公开(公告)日:2022-05-19
申请号:US17587487
申请日:2022-01-28
申请人: CrowdStrike, Inc.
发明人: Eyal Karni , Sagi Sheinfeld , Yaron Zinar
摘要: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detect a suspect network communication associated with a suspect network activity and, in response, determine an originating machine based on the suspect network activity. The method may further suspend network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.
-
公开(公告)号:US11017086B2
公开(公告)日:2021-05-25
申请号:US15721508
申请日:2017-09-29
申请人: CrowdStrike, Inc.
发明人: Cat S. Zimmermann , Steven King
摘要: A security agent for a host computing device may be implemented with multiple levels of indirection from an operating system (OS) kernel of the computing device in order to facilitate software upgrades for the security agent. An unserviceable kernel-mode component of the security agent may directly interface with the OS kernel and hook into a function (e.g., a security callback function) of the OS kernel in a first level of indirection, while a serviceable kernel-mode component of the security agent, which is upgradable, may indirectly interface with the OS kernel via the unserviceable kernel-mode component in a second level of indirection. The serviceable kernel-mode component may be configured to process events, and/or data related thereto, received from the OS kernel via the unserviceable kernel-mode component in order to monitor activity on the computing device for malware attacks.
-
公开(公告)号:US20210037035A1
公开(公告)日:2021-02-04
申请号:US16943755
申请日:2020-07-30
申请人: CrowdStrike, Inc.
发明人: Alexander J. Graul
摘要: Methods and systems for visualization of data associated with events detected on a monitored server host, and control of the host, are provided. A system may detect an incident on a remote server host. The system may present scores and activity graphs on a user interface for a human operator to review. The user interface may include animated activity graphs to show the progress of a past malicious event. The user interface may emphasize, de-emphasize, and/or hide subgraphs. The user interface may include quick-action buttons and wizards to permit users to immediately kill processes or isolate a computer from the network. The user interface may include controls to bulk-tag detected events associated with a subgraph. The user interface may present notifications/dashboards of significant malicious events in progress and update same when a new event rises in incident score into the top 10.
-
公开(公告)号:US20210037028A1
公开(公告)日:2021-02-04
申请号:US16944033
申请日:2020-07-30
申请人: CrowdStrike, Inc.
发明人: Daniel W. Brown , Sseziwa A. Mukasa
摘要: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.
-
公开(公告)号:US10826934B2
公开(公告)日:2020-11-03
申请号:US15402503
申请日:2017-01-10
申请人: CrowdStrike, Inc.
发明人: Sven Krasser , David Elkind , Brett Meyer , Patrick Crenshaw
摘要: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-
公开(公告)号:US10740459B2
公开(公告)日:2020-08-11
申请号:US15857007
申请日:2017-12-28
申请人: CrowdStrike, Inc.
摘要: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
公开(公告)号:US10659432B2
公开(公告)日:2020-05-19
申请号:US15643291
申请日:2017-07-06
申请人: CrowdStrike, Inc.
发明人: Paul Meyer , Cameron Gutman , John R. Kooker
摘要: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.
-
-
-
-
-
-
-
-
-