-
Publication No.: US20210329013A1
Publication date: 2021-10-21
Application No.: US16849450
Filing date: 2020-04-15
Applicant: CrowdStrike, Inc.
IPC classes: H04L29/06, G06F16/2455
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication No.: US11113425B2
Publication date: 2021-09-07
Application No.: US15873670
Filing date: 2018-01-17
Applicant: Crowdstrike, Inc.
IPC classes: G06F21/00, G06F21/82, G06F13/40, G06F21/71, G06F13/38, G06F21/56, G06F21/57, G06F21/55, G06F9/4401, G06F21/85, G06F13/20
Abstract: A plug-and-play (PnP) driver associated with a security agent is described herein. The PnP driver attaches to device stacks of enumerated bus devices of a computing device as upper-device or lower-device filters based on the device classes of the enumerated bus devices. For example, the PnP driver may attach to the device stack of a hub or controller device as an upper-device filter and to device stacks of other devices as lower-device filters. Either while attaching or after attachment, the PnP driver may take action to alter, limit, or otherwise block functionality of an enumerated bus device. The PnP driver may also perform a system inventory of enumerated bus devices connected to the computing device and create fingerprints for one or more of the computing devices. Additionally, the PnP driver may create and remove control device objects (CDOs) to enable communication with user-mode processes or threads.
-
Publication No.: US20210263790A1
Publication date: 2021-08-26
Application No.: US17234602
Filing date: 2021-04-19
Applicant: CrowdStrike, Inc.
Inventors: Vincenzo Iozzo, Giovanni Gola
Abstract: A computer-processor executable container application operates within an operating system, such as an Android operating system. The application is itself configured to execute applications contained within the container application. The container application may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the computing device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the personal computing device.
-
Publication No.: US10983849B2
Publication date: 2021-04-20
Application No.: US16289344
Filing date: 2019-02-28
Applicant: CrowdStrike, Inc.
Inventors: Vincenzo Iozzo, Giovanni Gola
Abstract: A computer-processor executable container application operates within an operating system, such as an Android operating system. The application is itself configured to execute applications contained within the container application. The container application may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the computing device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the personal computing device.
-
Publication No.: US20210056078A1
Publication date: 2021-02-25
Application No.: US17091700
Filing date: 2020-11-06
Applicant: CrowdStrike, Inc.
Inventors: Cameron Gutman, Aaron LeMasters
Abstract: Drivers in different functional paths can use different types of identifiers for the same hardware device, such that the drivers may not be able to natively coordinate their actions related to the hardware device due to incompatible identifier types. However, a driver at a file system layer of one functional path can obtain a volume Physical Device Object (PDO) identifier at a volume layer and find a disk PDO identifier at a disk layer that is associated with the same device number. The driver can also find a parent device instance identifier from the disk PDO identifier, and use the parent device instance identifier as a plug-and-play (PnP) identifier for the hardware device during communications with a second driver in a PnP functional path.
-
Publication No.: US10832168B2
Publication date: 2020-11-10
Application No.: US15402524
Filing date: 2017-01-10
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Patrick Crenshaw, Brett Meyer
IPC classes: G06N99/00, H04N21/44, G06N3/08, G06F9/00, G06T5/20, G06N20/00, H04L12/24, H04L29/06, G06F21/56, G06N3/04, G06N20/10
Abstract: Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determine training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.
-
Publication No.: US10831712B2
Publication date: 2020-11-10
Application No.: US15993515
Filing date: 2018-05-30
Applicant: CrowdStrike, Inc.
Inventors: Cameron Gutman, Aaron LeMasters
Abstract: Drivers in different functional paths can use different types of identifiers for the same hardware device, such that the drivers may not be able to natively coordinate their actions related to the hardware device due to incompatible identifier types. However, a driver at a file system layer of one functional path can obtain a volume Physical Device Object (PDO) identifier at a volume layer and find a disk PDO identifier at a disk layer that is associated with the same device number. The driver can also find a parent device instance identifier from the disk PDO identifier, and use the parent device instance identifier as a plug-and-play (PnP) identifier for the hardware device during communications with a second driver in a PnP functional path.
-
Publication No.: US10243972B2
Publication date: 2019-03-26
Application No.: US15096027
Filing date: 2016-04-11
Applicant: CrowdStrike, Inc.
Inventor: Daniel W. Brown
Abstract: A security agent implemented on a monitored computing device is described herein. The security agent is configured to receive an event notification indicative of execution of an object and store, in a data structure on the monitored computing device, information associated with the event notification and the object. The security agent is further configured to receive an event notification indicative of an occurrence on the monitored computing device of an activity. Based at least in part on the stored information, the security agent correlates the occurrence of the activity with the execution of the object and generates an exploit detection event based on the correlating.
-
Publication No.: US20190014086A1
Publication date: 2019-01-10
Application No.: US15643291
Filing date: 2017-07-06
Applicant: CrowdStrike, Inc.
Inventors: Paul Meyer, Cameron Gutman, John R. Kooker
IPC classes: H04L29/06
Abstract: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to "contain" the computing device. Accordingly, when the computing device is being used and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.
-
Publication No.: US10002250B2
Publication date: 2018-06-19
Application No.: US15393797
Filing date: 2016-12-29
Applicant: CrowdStrike, Inc.
CPC classes: G06F21/566, G06F9/46, G06F21/554, G06F21/56, G06F21/567, G06F21/568, G06F2221/034, G06N5/04, H04L41/0803, H04L63/0245, H04L63/1441
Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.