FIRMWARE RETRIEVAL AND ANALYSIS
    Patent application

    Publication number: US20200342110A1

    Publication date: 2020-10-29

    Application number: US16855585

    Filing date: 2020-04-22

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F21/57 G06F21/44 G06F13/42

    Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of the firmware stored on that memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide them to a user-mode component of the security agent for security analysis. The security agent components may then provide the results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.

    Deception-Based Responses to Security Attacks

    Publication number: US20200285740A1

    Publication date: 2020-09-10

    Application number: US16885174

    Filing date: 2020-05-27

    Applicant: CrowdStrike, Inc.

    Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as the computing device impacted by the attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of the entity opening it, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with the network address of a monitored computing device, causing the requesting process to communicate with the monitored computing device in place of the adversary's server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
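    The DNS part of the abstract (answering a lookup of a known-malicious domain with the address of a monitored decoy) is easiest to see in wire format. The block below is an added example written for this page, not CrowdStrike's code: it parses a single-question DNS query, decides whether the name is on a malicious-domain list, and builds the A-record response pointing at either the sinkhole host or the address a normal resolver would have returned. The blocklist, the sinkhole address and the "upstream" address are all constructed assumptions (TEST-NET ranges); the `build_query` helper exists only so the example runs offline.

```python
"""DNS sinkholing of known-malicious domains (added example, not CrowdStrike's code)."""
import struct

MALICIOUS_DOMAINS = {"c2.example.net", "update-check.example.org"}  # constructed blocklist
SINKHOLE_IP = "192.0.2.10"      # assumed address of the monitored decoy host
UPSTREAM_IP = "198.51.100.77"   # constructed stand-in for the real resolver's answer


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, question_bytes) for a single-question DNS query."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1 or flags & 0x8000:      # reject responses and multi-question packets
        raise ValueError("unsupported query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # compression pointers are not valid in a query name
            raise ValueError("compressed qname")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, packet[12:pos + 4]


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, name, qtype=1):
    """Constructed helper: a standard recursive-desired A query, so the example runs offline."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def answer_ip_for(qname):
    """Policy decision: malicious names go to the monitored host, everything else is answered normally."""
    return SINKHOLE_IP if qname in MALICIOUS_DOMAINS else UPSTREAM_IP


def build_response(packet):
    """Build the response packet; only A/IN questions are handled, others get NOTIMP."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8184, 1, 0, 0, 0) + question  # QR|RD|RA, rcode 4
    ip = answer_ip_for(qname)
    rdata = bytes(int(octet) for octet in ip.split("."))
    ttl = 30 if ip == SINKHOLE_IP else 300   # short TTL so a sinkhole decision can be revisited quickly
    # 0xC00C is a name pointer to offset 12, i.e. the question name already in the packet.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def answered_ip(response):
    """Read the A record back out of a response built above."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("c2.example.net", "www.example.com"):
        print(name, "->", answered_ip(build_response(build_query(0x1234, name))))
```

    Two points worth keeping from this: the sinkhole answer must echo the client's transaction ID and question exactly or the stub resolver discards it, and the deliberately short TTL limits how long a host keeps talking to the decoy after the blocklist changes.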

    CONTAINER APPLICATION FOR ANDROID-BASED DEVICES

    Publication number: US20200278895A1

    Publication date: 2020-09-03

    Application number: US16289344

    Filing date: 2019-02-28

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F9/54 G06F8/65

    Abstract: A container application executable by a computer processor operates within an operating system, such as the Android operating system. The container application is itself configured to execute applications contained within it. It may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the device.

    Binary suppression and modification for software upgrades

    Publication number: US10664262B2

    Publication date: 2020-05-26

    Application number: US15690182

    Filing date: 2017-08-29

    Applicant: CrowdStrike, Inc.

    Abstract: A remote security system may generate multiple different binary programs for the corresponding operating system (OS) kernel versions that are to receive a software upgrade. A suppression process may then compare the code in the code sections between pairs of binary programs, and may also compare the data in the data sections between the pairs, to identify subsets of "identical" binaries. The remote security system may send a representative binary (while suppressing the remaining binaries in a subset of identical binaries) to host computing devices that run different OS kernel versions. On the receiving end, a host computing device that runs a particular OS kernel version may receive a binary program and, prior to loading it, modify the binary program to render it loadable by (or compatible with) the particular OS kernel version running on that host.
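    The abstract describes two halves: the server groups per-kernel builds whose code and data sections are byte-identical and ships one representative, and the host patches that representative so its own kernel accepts it. The block below is an added example for this page, not CrowdStrike's code. It uses a deliberately simplified model in which each build is a dict of named sections, with the kernel-version tag kept in its own section (the way a Linux module's vermagic string lives in .modinfo); the four sample builds, their bytes and the tag format are all constructed assumptions.

```python
"""Binary suppression by section equivalence (added example, not CrowdStrike's code)."""
import hashlib
from collections import defaultdict

# Constructed per-kernel builds. Three share identical code and data and differ
# only in the version tag; the 5.10 build has a different data section.
_TEXT = b"\x55\x48\x89\xe5\x90\xc3"
BUILDS = {
    "5.4.0-100": {"text": _TEXT, "data": b"\x01\x00\x00\x00", "vermagic": b"5.4.0-100 SMP mod_unload"},
    "5.4.0-101": {"text": _TEXT, "data": b"\x01\x00\x00\x00", "vermagic": b"5.4.0-101 SMP mod_unload"},
    "5.4.0-102": {"text": _TEXT, "data": b"\x01\x00\x00\x00", "vermagic": b"5.4.0-102 SMP mod_unload"},
    "5.10.0-7":  {"text": _TEXT, "data": b"\x02\x00\x00\x00", "vermagic": b"5.10.0-7 SMP mod_unload"},
}

# Sections that must match for two builds to be interchangeable. The version
# tag is excluded on purpose: it is what the host rewrites.
COMPARED_SECTIONS = ("text", "data")


def section_fingerprint(build):
    """Hash the compared sections (name, length, bytes) so collisions across layouts are not possible."""
    h = hashlib.sha256()
    for name in COMPARED_SECTIONS:
        h.update(name.encode())
        h.update(len(build[name]).to_bytes(4, "big"))
        h.update(build[name])
    return h.hexdigest()


def suppress(builds):
    """Server side: group identical builds; return {representative_kernel: [suppressed kernels]}."""
    groups = defaultdict(list)
    for kernel in sorted(builds):            # sorted so the representative choice is deterministic
        groups[section_fingerprint(builds[kernel])].append(kernel)
    return {members[0]: members[1:] for members in groups.values()}


def loadable(binary, host_kernel):
    """The check a kernel performs: the tag's version string must match the running kernel."""
    return binary["vermagic"].split(b" ", 1)[0] == host_kernel.encode()


def adapt_for_host(binary, host_kernel):
    """Host side: rewrite only the version tag so the representative loads on this kernel.

    The compared sections are untouched, which is exactly why suppression was safe.
    """
    adapted = dict(binary)
    flags = binary["vermagic"].split(b" ", 1)[1]    # keep the build flags after the version
    adapted["vermagic"] = host_kernel.encode() + b" " + flags
    return adapted


if __name__ == "__main__":
    plan = suppress(BUILDS)
    print("ship:", plan)
    for rep, suppressed in plan.items():
        for host in suppressed:
            print(host, "loads representative:", loadable(adapt_for_host(BUILDS[rep], host), host))
```

    The practitioner's caveat is in `COMPARED_SECTIONS`: anything left out of the comparison is, by construction, something the host is allowed to rewrite, so that list should be as short as the loader's compatibility check permits, and nothing signature-covered should be patched on the host without re-verification.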

    BYTE N-GRAM EMBEDDING MODEL
    Patent application

    Publication number: US20200005082A1

    Publication date: 2020-01-02

    Application number: US16237468

    Filing date: 2018-12-31

    Applicant: CrowdStrike, Inc.

    IPC classification: G06K9/62 G06N3/08 G06F21/55

    Abstract: Training and use of a byte n-gram embedding model are described herein. A neural network is trained to determine a probability of occurrence associated with a byte n-gram. The neural network includes one or more embedding model layers, at least one of which is configured to output an embedding array of values. The byte n-gram embedding model may be used to generate a hash of received data, to classify the received data with no knowledge of the data structure associated with it, to compare the received data to files having a known classification, and/or to generate a signature for the received data.

    COMPUTER-SECURITY EVENT ANALYSIS
    Patent application

    Publication number: US20190268361A1

    Publication date: 2019-08-29

    Application number: US16281277

    Filing date: 2019-02-21

    Applicant: CrowdStrike, Inc.

    Abstract: Example techniques herein filter and classify security-relevant events from monitored computing devices. A control unit can receive event records of various types, each event record associated with a monitored device. For each event record matching a corresponding pattern of the pattern set associated with its event type, the control unit can provide a respective match record. Each match record can include an identifier of the matched pattern and data from the event record. For each match record satisfying a corresponding condition of a condition set, the control unit can provide a respective candidate record including the tag associated with that condition. For each candidate record satisfying a tag criterion, the control unit can provide a result record. Some examples can receive a modification record and use it to provide an updated condition set used for determining candidate records.
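    The abstract is a three-stage pipeline (pattern match, condition with tag, tag criterion) plus a way to update the condition set. The block below is an added example for this page, not CrowdStrike's code, implementing those stages over a handful of constructed event records. The event fields, pattern identifiers, conditions and tags are assumptions chosen to make the stages visible; the patterns are per-event-type regexes, and a modification record is modelled as a tuple.

```python
"""Pattern -> condition/tag -> criterion event pipeline (added example, not CrowdStrike's code)."""
import re

# Constructed event records from two monitored devices.
EVENTS = [
    {"type": "process", "device": "host-a", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "device": "host-a",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"type": "network", "device": "host-a", "dst_port": 4444, "dst_ip": "203.0.113.9"},
    {"type": "network", "device": "host-b", "dst_port": 443, "dst_ip": "198.51.100.2"},
    {"type": "file", "device": "host-b", "path": r"C:\Users\bob\Downloads\invoice.pdf.exe"},
]

# Pattern set keyed by event type: (pattern_id, field, regex). Assumed, not the product's.
PATTERNS = {
    "process": [("P-PS", "image", r"powershell\.exe$"), ("P-CMD", "image", r"cmd\.exe$")],
    "network": [("P-RARE-PORT", "dst_port", r"^(4444|1337)$")],
    "file":    [("P-DBL-EXT", "path", r"\.(pdf|docx?)\.exe$")],
}

# Condition set: (tag, predicate over a match record). Order is preserved in the output.
CONDITIONS = [
    ("enc-powershell", lambda m: m["pattern"] == "P-PS" and "-enc" in m["event"]["cmdline"].lower()),
    ("c2-port",        lambda m: m["pattern"] == "P-RARE-PORT"),
    ("masquerade",     lambda m: m["pattern"] == "P-DBL-EXT"),
    ("lolbin",         lambda m: m["pattern"] in ("P-PS", "P-CMD")),
]


def match_records(events, patterns):
    """Stage 1: one match record per (event, matching pattern of that event's type)."""
    out = []
    for ev in events:
        for pattern_id, field, rx in patterns.get(ev["type"], []):
            if re.search(rx, str(ev.get(field, "")), re.IGNORECASE):
                out.append({"pattern": pattern_id, "event": ev})
    return out


def candidate_records(matches, conditions):
    """Stage 2: a candidate record carrying a tag for every condition a match record satisfies."""
    return [{"tag": tag, **m} for m in matches for tag, predicate in conditions if predicate(m)]


def result_records(candidates, tag_criterion):
    """Stage 3: keep only candidates whose tag meets the criterion."""
    return [c for c in candidates if tag_criterion(c["tag"])]


def update_conditions(conditions, modification):
    """Apply a modification record: ("add", tag, predicate) or ("remove", tag). Returns a new set."""
    op = modification[0]
    if op == "remove":
        return [c for c in conditions if c[0] != modification[1]]
    if op == "add":
        return conditions + [(modification[1], modification[2])]
    raise ValueError(f"unknown modification {op!r}")


def run(events, patterns, conditions, tag_criterion):
    """Whole pipeline, returned as the list of (tag, device, pattern_id) results."""
    results = result_records(candidate_records(match_records(events, patterns), conditions), tag_criterion)
    return [(r["tag"], r["event"]["device"], r["pattern"]) for r in results]


if __name__ == "__main__":
    # Tag criterion: everything except the noisy "lolbin" tag is worth a result record.
    for row in run(EVENTS, PATTERNS, CONDITIONS, lambda t: t != "lolbin"):
        print(row)
```

    The separation matters operationally: patterns are cheap per-type matchers that can run at the edge, while the condition set carries the context-dependent judgement and is the only stage a modification record touches, so tuning out a noisy tag never changes what was matched in the first place.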

    Device Driver Non-Volatile Backing-Store Installation

    Publication number: US20190220260A1

    Publication date: 2019-07-18

    Application number: US16248551

    Filing date: 2019-01-15

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F8/61 G06F11/14 G06F9/445

    Abstract: In some examples, a processing unit can install a second driver to an installed-driver backing store on non-volatile (nonV) memory, and replace a first driver in the driver store of the nonV memory with the second driver without replacing the first driver in volatile memory. The processing unit can subsequently determine that the second driver has been loaded into volatile memory and, by the second driver so loaded, write a driver-configuration entry in a configuration datastore. An example computing system can include the first driver in volatile memory and the nonV memory. The nonV memory can include a driver-configuration file, a driver store holding a first copy of the second driver, and an installed-driver backing store holding a second copy of the second driver. Some examples can roll back failed installation operations.

    MALWARE DETECTION IN EVENT LOOPS
    Patent application

    Publication number: US20190205530A1

    Publication date: 2019-07-04

    Application number: US15857896

    Filing date: 2017-12-29

    Applicant: CrowdStrike, Inc.

    Inventor: Daniel W. Brown

    IPC classification: G06F21/55 G06F21/53

    CPC classification: G06F21/552 G06F21/566

    Abstract: Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on the relative frequencies of the event types. The control unit can determine the distribution of event types within the loop and determine that the software running the sequence is associated with malware based at least in part on that distribution. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop, and can determine a malware module comprising that point of commonality.
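    The abstract's steps (find the loop, profile the event types inside it, compare against a known distribution, then find the stack frame every in-loop event shares) are concrete enough to run. The block below is an added example for this page, not CrowdStrike's code. It locates a loop as the longest periodic run in the type sequence, which is one way to use the relative frequencies the abstract mentions; the event stream, the keylogger-style malware profile and the symbolised stack frames are constructed assumptions.

```python
"""Loop detection and profiling over an event stream (added example, not CrowdStrike's code)."""
from collections import Counter


def _ev(event_type, *frames):
    """Event with a stack trace, innermost frame first."""
    return {"type": event_type, "stack": frames}


# Constructed stream: benign start-up, a polling loop repeated 25 times, teardown.
EVENTS = (
    [_ev("CreateFile", "kernel32!CreateFileW", "app!init", "app!main"),
     _ev("RegQuery", "advapi32!RegQueryValueExW", "app!init", "app!main")]
    + [_ev("GetKeyState", "user32!GetAsyncKeyState", "evil!poll", "evil!loop", "app!main"),
       _ev("GetKeyState", "user32!GetAsyncKeyState", "evil!poll", "evil!loop", "app!main"),
       _ev("WriteFile", "kernel32!WriteFile", "evil!flush", "evil!loop", "app!main"),
       _ev("Sleep", "kernel32!Sleep", "evil!loop", "app!main")] * 25
    + [_ev("CloseHandle", "kernel32!CloseHandle", "app!exit", "app!main")]
)

# Constructed profile: relative frequency of event types in one iteration of the suspect loop.
MALWARE_PROFILE = {"GetKeyState": 0.5, "WriteFile": 0.25, "Sleep": 0.25}


def find_loop(events, min_repeats=3, max_period=16):
    """Return (start, period, repeats) of the longest run whose type sequence repeats, else None.

    A loop is a window whose event-type sequence recurs with a fixed period; the
    counts inside one period are the relative frequencies used in the next step.
    """
    types = [e["type"] for e in events]
    best = None
    for start in range(len(types)):
        for period in range(1, max_period + 1):
            unit = types[start:start + period]
            reps = 1
            while (start + (reps + 1) * period <= len(types)
                   and types[start + reps * period:start + (reps + 1) * period] == unit):
                reps += 1
            if reps >= min_repeats and (best is None or reps * period > best[1] * best[2]):
                best = (start, period, reps)
    return best


def type_distribution(events, start, period):
    """Relative frequency of each event type within one iteration of the loop."""
    counts = Counter(e["type"] for e in events[start:start + period])
    return {t: c / period for t, c in counts.items()}


def matches_profile(dist, profile, tol=0.05):
    """Same set of types, each within tolerance of the profile's share."""
    return set(dist) == set(profile) and all(abs(dist[t] - profile[t]) <= tol for t in profile)


def point_of_commonality(events, start, period, repeats):
    """Innermost stack frame present in every event of the loop, or None."""
    stacks = [e["stack"] for e in events[start:start + period * repeats]]
    common = set(stacks[0])
    for s in stacks[1:]:
        common &= set(s)
    return next((frame for frame in stacks[0] if frame in common), None)


def analyze(events, profile=MALWARE_PROFILE):
    """Full pipeline; returns a finding dict or None when no matching loop exists."""
    loop = find_loop(events)
    if loop is None:
        return None
    start, period, reps = loop
    dist = type_distribution(events, start, period)
    if not matches_profile(dist, profile):
        return None
    frame = point_of_commonality(events, start, period, reps)
    if frame is None:
        return None
    return {"loop": loop, "distribution": dist, "frame": frame, "module": frame.split("!", 1)[0]}


if __name__ == "__main__":
    print(analyze(EVENTS))
```

    Note that the commonality step deliberately picks the innermost shared frame: the outermost one (`app!main` here) is shared by the benign events too and would point at the host process rather than the injected module.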

    Integrity assurance through early loading in the boot phase

    Publication number: US10339316B2

    Publication date: 2019-07-02

    Application number: US14810840

    Filing date: 2015-07-28

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F12/14 G06F21/57

    Abstract: Techniques utilizing library and pre-boot components to ensure that the driver associated with a kernel-mode component is initialized before other drivers during the boot phase are described herein. The library component is processed during the boot phase; the pre-boot component, which may be an alternative to the library component, is processed during the pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that the kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.

    Security Agent
    Patent application (under examination, published)

    Publication number: US20190138723A1

    Publication date: 2019-05-09

    Application number: US16007507

    Filing date: 2018-06-13

    Applicant: CrowdStrike, Inc.

    Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize those event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and, in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with the malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains.
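    The observe/filter/route/consume structure and the chains-of-execution model from this abstract fit together in one small stateful agent. The block below is an added example for this page, not CrowdStrike's code: process-start events are the "first action" data the agent gathers (a parent/child lineage), a configurable filter routes later events to a consumer holding a chain model, and the consumer takes the preventative action only when a modeled lineage is present and its trigger event arrives. The process names, the chain model and the action name are assumptions.

```python
"""Execution-chain matching in an event-routing security agent (added example, not CrowdStrike's code)."""

# Constructed observed events, in arrival order.
OBSERVED = [
    {"kind": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"kind": "process_start", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"kind": "process_start", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"kind": "process_start", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"kind": "network",       "pid": 400, "dst": "203.0.113.5:443"},
    {"kind": "process_start", "pid": 500, "ppid": 100, "image": "cmd.exe"},
    {"kind": "network",       "pid": 500, "dst": "198.51.100.3:445"},
]

# Assumed chain model: a lineage (oldest ancestor first), the event kind that
# completes the chain, and the preventative action to take.
CHAINS = {
    "office-macro-download": {
        "lineage": ["winword.exe", "cmd.exe", "powershell.exe"],
        "trigger": "network",
        "action": "block_network",
    },
}


def kinds_filter(*kinds):
    """Configurable filter: pass only events of the given kinds."""
    return lambda ev: ev["kind"] in kinds


class SecurityAgent:
    def __init__(self, chains):
        self.chains = chains
        self.procs = {}        # pid -> (ppid, image): data gathered from the first actions
        self.consumers = []    # (filter, handler): routing table
        self.actions = []      # (chain name, pid, action) taken, kept for inspection

    def subscribe(self, event_filter, handler):
        self.consumers.append((event_filter, handler))

    def observe(self, ev):
        """Record lineage data, then route the event to every consumer whose filter accepts it."""
        if ev["kind"] == "process_start":
            self.procs[ev["pid"]] = (ev["ppid"], ev["image"])
        for event_filter, handler in self.consumers:
            if event_filter(ev):
                handler(ev)

    def lineage(self, pid):
        """Ancestor images, oldest first; guards against a malformed cyclic ppid chain."""
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            ppid, image = self.procs[pid]
            chain.append(image)
            pid = ppid
        return chain[::-1]

    def chain_consumer(self, ev):
        """Act when a modeled lineage ends at this process and the chain's trigger event arrives."""
        lineage = self.lineage(ev["pid"])
        for name, model in self.chains.items():
            n = len(model["lineage"])
            if ev["kind"] == model["trigger"] and lineage[-n:] == model["lineage"]:
                self.actions.append((name, ev["pid"], model["action"]))


def run(events, chains):
    """Wire a consumer behind a filter, replay the events, and return the agent for inspection."""
    agent = SecurityAgent(chains)
    agent.subscribe(kinds_filter("network", "file_write"), agent.chain_consumer)
    for ev in events:
        agent.observe(ev)
    return agent


if __name__ == "__main__":
    agent = run(OBSERVED, CHAINS)
    for action in agent.actions:
        print(action)
```

    The second `cmd.exe` (pid 500) also makes a network connection but is a child of `explorer.exe`, not of `winword.exe`, so it never matches: the action keys on the whole chain, not on any single event, which is what keeps this kind of rule from firing on ordinary administrative use of the same binaries.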