MALWARE DETECTION USING LOCAL COMPUTATIONAL MODELS

    Publication number: US20190026466A1

    Publication date: 2019-01-24

    Application number: US15657379

    Filing date: 2017-07-24

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/56 G06F21/55

    Abstract: Example techniques herein determine that a trial data stream is associated with malware (“dirty”) using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss: a dirty sample that a broad CM classified as clean) and determine the local CM based on that first feature vector. The control unit can receive a trial feature vector representing the trial data stream and determine that the trial data stream is dirty if either the broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM defines a dirty region in the feature space. The control unit can determine the local CM based on the first feature vector together with other clean or dirty feature vectors, e.g., the clean feature vector nearest to the first feature vector.
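    The following is an added example, not CrowdStrike's code, of how a broad model and per-sample local models can be combined as the abstract describes. It assumes a concrete shape for the local CM that the abstract leaves open: a ball in feature space centred on the false-miss vector, with a radius set to a fraction (`shrink`) of the distance to the nearest known-clean vector, so the dirty region can never re-label a known-clean sample. The two-feature broad model and the sample vectors are constructed for the example.

```python
"""Added example (not CrowdStrike code): a broad model backed by per-sample
local models that each define a "dirty" region in feature space.

Assumptions: features are float tuples; the local model is a ball centred
on the false-miss vector whose radius is `shrink` times the distance to the
nearest known-clean vector. The broad model and samples are constructed.
"""
import math
from typing import Callable, List, Sequence, Tuple

Vector = Tuple[float, ...]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LocalModel:
    """Dirty region: every vector within `radius` of `centre`."""

    def __init__(self, centre: Vector, radius: float) -> None:
        self.centre = centre
        self.radius = radius

    def is_dirty(self, v: Sequence[float]) -> bool:
        return euclid(self.centre, v) <= self.radius


def build_local_model(false_miss: Sequence[float],
                      clean: Sequence[Sequence[float]],
                      shrink: float = 0.5) -> LocalModel:
    """Size the dirty region from the nearest clean vector (constructed rule)."""
    if not clean:
        raise ValueError("need at least one clean vector to bound the region")
    nearest = min(clean, key=lambda c: euclid(false_miss, c))
    model = LocalModel(tuple(false_miss), shrink * euclid(false_miss, nearest))
    # Guard: the new region must not swallow any known-clean sample.
    if any(model.is_dirty(c) for c in clean):
        raise ValueError("local region overlaps a known-clean sample")
    return model


class Detector:
    def __init__(self, broad_cm: Callable[[Sequence[float]], bool]) -> None:
        self.broad_cm = broad_cm
        self.local_models: List[LocalModel] = []

    def report_false_miss(self, dirty_vec, clean) -> None:
        """Called once a sample the broad model missed is confirmed dirty."""
        self.local_models.append(build_local_model(dirty_vec, clean))

    def is_dirty(self, trial) -> bool:
        # Dirty if EITHER the broad model or ANY local model says so.
        return self.broad_cm(trial) or any(m.is_dirty(trial) for m in self.local_models)


# Constructed toy broad model over two normalised features, e.g.
# (section entropy, fraction of suspicious imports): a linear threshold.
def broad_cm(v: Sequence[float]) -> bool:
    return 0.6 * v[0] + 0.4 * v[1] > 0.7


CLEAN = [(0.1, 0.1), (0.3, 0.2), (0.9, 0.0)]   # constructed known-clean samples
FALSE_MISS = (0.5, 0.4)                        # constructed; broad score 0.46 < 0.7


def demo() -> dict:
    det = Detector(broad_cm)
    before = det.is_dirty(FALSE_MISS)               # False: broad model misses it
    det.report_false_miss(FALSE_MISS, CLEAN)        # radius = 0.5 * dist to (0.3, 0.2)
    return {
        "before": before,
        "false_miss_now": det.is_dirty(FALSE_MISS),  # True via the local model
        "variant": det.is_dirty((0.55, 0.45)),       # True: inside the region
        "known_clean": det.is_dirty((0.3, 0.2)),     # False: the nearest clean sample
        "broad_hit": det.is_dirty((0.9, 0.9)),       # True via the broad model
    }


if __name__ == "__main__":
    print(demo())
```

    The `shrink` factor is the tunable a practitioner would watch: a value of 1.0 puts the nearest clean sample exactly on the boundary, so anything below it leaves a margin; the guard in `build_local_model` turns a bad choice into an error instead of a silent false positive.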

    PARAMETRIC BEHAVIORAL PATTERN DEFINITION
    Type: invention application

    Publication number: US20180322286A1

    Publication date: 2018-11-08

    Application number: US15585156

    Filing date: 2017-05-02

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/56 H04L29/06

    Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior against known computing behavior that is benign or malignant. This separation of the definitions from the canonical patterns of behavior allows the security agent's behavior to be updated by a remote security service without updating the configuration of the security agent itself. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent a real-time ability to respond to new behaviors exhibited by the monitored computing device.
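    An added example, not CrowdStrike's code, of the split the abstract describes: the canonical patterns are predicates compiled into the agent with named parameter slots, and the parametric definitions that bind those slots arrive as JSON from the remote service. Swapping the definition set changes what the agent detects without touching agent code or configuration. The event field names, JSON layout, glob-based matching and the sample events are all constructed for the example.

```python
"""Added example (not CrowdStrike code): canonical patterns compiled into the
agent as predicates with named parameter slots, and parametric definitions
that bind those slots, shipped as JSON by a remote service.

Assumptions: events are flat dicts, matching is case-insensitive glob, and
the field names, JSON layout and sample events are constructed.
"""
import fnmatch
import json
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Params = Dict[str, object]


def _glob(value: str, pattern: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


# Canonical patterns: fixed agent code, each parameterised by named slots.
def spawn_chain(ev: Event, p: Params) -> bool:
    """A parent image spawns a child image, optionally with command-line tokens."""
    return (ev["type"] == "process_create"
            and _glob(ev["parent_image"], p["parent"])
            and _glob(ev["image"], p["child"])
            and all(tok.lower() in ev["cmdline"].lower()
                    for tok in p.get("cmdline_contains", [])))


def file_write(ev: Event, p: Params) -> bool:
    """A writer image writes to a path."""
    return (ev["type"] == "file_write"
            and _glob(ev["image"], p["writer"])
            and _glob(ev["path"], p["path"]))


CANONICAL: Dict[str, Callable[[Event, Params], bool]] = {
    "spawn_chain": spawn_chain,
    "file_write": file_write,
}


class Agent:
    """Only the definitions change at run time; agent code and its
    configuration stay as shipped."""

    def __init__(self) -> None:
        self.definitions: List[dict] = []

    def load_definitions(self, text: str) -> int:
        defs = json.loads(text)["definitions"]
        unknown = [d["pattern"] for d in defs if d["pattern"] not in CANONICAL]
        if unknown:   # reject a definition set this agent cannot interpret
            raise ValueError(f"unknown canonical patterns: {unknown}")
        self.definitions = defs
        return len(defs)

    def classify(self, ev: Event) -> Optional[Tuple[str, str]]:
        """First matching definition wins: (definition name, verdict)."""
        for d in self.definitions:
            if CANONICAL[d["pattern"]](ev, d["params"]):
                return d["name"], d["verdict"]
        return None


# Constructed definition sets, as a remote service might disseminate them.
DEFS_V1 = json.dumps({"definitions": [
    {"name": "office-spawns-shell", "pattern": "spawn_chain", "verdict": "malignant",
     "params": {"parent": "*\\winword.exe", "child": "*\\powershell.exe",
                "cmdline_contains": ["-enc"]}},
    {"name": "explorer-spawns-editor", "pattern": "spawn_chain", "verdict": "benign",
     "params": {"parent": "*\\explorer.exe", "child": "*\\notepad.exe"}},
]})
DEFS_V2 = json.dumps({"definitions": json.loads(DEFS_V1)["definitions"] + [
    {"name": "startup-folder-drop", "pattern": "file_write", "verdict": "malignant",
     "params": {"writer": "*\\powershell.exe",
                "path": "*\\Start Menu\\Programs\\Startup\\*"}},
]})

# Constructed observed events.
EV_SHELL = {"type": "process_create", "parent_image": r"C:\Office\WINWORD.EXE",
            "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "cmdline": "powershell.exe -NoP -w hidden -enc SQBFAFgAIAAo"}
EV_EDITOR = {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
             "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"}
EV_DROP = {"type": "file_write",
           "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"}


def demo():
    agent = Agent()
    agent.load_definitions(DEFS_V1)
    v1 = tuple(agent.classify(e) for e in (EV_SHELL, EV_EDITOR, EV_DROP))
    agent.load_definitions(DEFS_V2)   # new behaviour, no agent update
    v2 = tuple(agent.classify(e) for e in (EV_SHELL, EV_EDITOR, EV_DROP))
    return v1, v2


if __name__ == "__main__":
    print(demo())
```

    The check in `load_definitions` is the one worth keeping in a real agent: a definition that names a canonical pattern the agent does not have is a versioning error, and failing loudly at load time is safer than silently never matching.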

    User-mode component injection and atomic hooking

    Publication number: US10025922B2

    Publication date: 2018-07-17

    Application number: US14818527

    Filing date: 2015-08-05

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/52 G06F9/54 G06F21/55

    Abstract: Techniques are described herein for loading a user-mode component associated with a kernel-mode component based on an asynchronous procedure call (APC) built by the kernel-mode component. The APC is delivered to the main thread of a user-mode process while that process is loading, causing the process to load the user-mode component. The APC also causes allocation of memory at a location adjacent to that of the user-mode process and stores instructions at the allocated memory. The user-mode component then atomically hooks function(s) of the user-mode process by modifying a single instruction, or a single set of instructions, of the function(s) to jump to the allocated memory. When the modified instruction is executed and jumps to the allocated memory, the instructions there request loading of the user-mode component, which receives data from the hooked function. The user-mode component then provides that data to the kernel-mode component.

    Processing security-relevant events using tagged trees

    Publication number: US10015199B2

    Publication date: 2018-07-03

    Application number: US15433535

    Filing date: 2017-02-15

    Applicant: CrowdStrike, Inc.

    IPC classes: H04L29/06 G06F21/55 G06F21/56

    Abstract: Devices described herein are configured to propagate tags among data objects that represent system components. Such a device may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the device may propagate a tag assigned to the data object representing one of those system components to the data object representing another of them. One example of such a tag is associated with a tree object that represents an execution chain including at least the system component represented by the first data object and the system component represented by the other data object. Another example is a user-specified tag of another entity to which the entity associated with the device subscribes.
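    An added example, not CrowdStrike's code, of the tag propagation the abstract describes: processes and files are data objects, a tree object tracks one execution chain, and a configurable policy says which tag prefixes flow from which object to which when an event links them. The "tree:" prefix carries the execution chain; the "watch:" prefix stands in for a user-specified tag from a subscribed entity. The policy schema, tag prefixes and event stream are constructed for the example.

```python
"""Added example (not CrowdStrike code): data objects for processes and
files, a tree object for the execution chain, and a configurable policy that
propagates tags between objects when an event links them.

Assumptions: the event/policy schema, the tag prefixes ("tree:", "watch:")
and the sample event stream are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DataObject:
    oid: str
    kind: str            # "process" or "file"
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class TreeObject:
    """Represents an execution chain rooted at one process."""
    tree_id: str
    root: str
    members: List[str] = field(default_factory=list)


# Policy: for each event type, which tag prefixes flow from the object in the
# "src" role to the object in the "dst" role. A process loaded from a dropped
# file inherits the chain but (by this policy) not the subscriber tag.
POLICY = {
    "process_create": {"src": "parent", "dst": "child", "prefixes": ("tree:", "watch:")},
    "file_write":     {"src": "process", "dst": "file", "prefixes": ("tree:", "watch:")},
    "process_load":   {"src": "file", "dst": "process", "prefixes": ("tree:",)},
}


class TagEngine:
    def __init__(self, policy=POLICY) -> None:
        self.policy = policy
        self.objects: Dict[str, DataObject] = {}
        self.trees: Dict[str, TreeObject] = {}

    def add(self, obj: DataObject) -> DataObject:
        self.objects[obj.oid] = obj
        return obj

    def start_tree(self, root_oid: str) -> TreeObject:
        tree = TreeObject(f"T{len(self.trees) + 1}", root_oid, [root_oid])
        self.trees[tree.tree_id] = tree
        self.objects[root_oid].tags.add(f"tree:{tree.tree_id}")
        return tree

    def on_event(self, event: dict) -> Set[str]:
        """Apply the policy for this event type; return the tags that moved."""
        rule = self.policy.get(event["type"])
        if rule is None:              # event type not covered by policy
            return set()
        src = self.objects[event[rule["src"]]]
        dst = self.objects[event[rule["dst"]]]
        moved = {t for t in src.tags if t.startswith(rule["prefixes"])}
        dst.tags |= moved
        # Keep each tree object's member list in step with its tag.
        for t in moved:
            if t.startswith("tree:"):
                tree = self.trees[t.split(":", 1)[1]]
                if dst.oid not in tree.members:
                    tree.members.append(dst.oid)
        return moved

    def chain(self, tree_id: str) -> List[str]:
        return [f"{self.objects[o].kind}:{self.objects[o].name}"
                for o in self.trees[tree_id].members]


def demo() -> dict:
    eng = TagEngine()
    word = eng.add(DataObject("p1", "process", "winword.exe"))
    eng.add(DataObject("p2", "process", "cmd.exe"))
    ps = eng.add(DataObject("p3", "process", "powershell.exe"))
    eng.add(DataObject("f1", "file", "update.exe"))
    upd = eng.add(DataObject("p4", "process", "update.exe"))
    tree = eng.start_tree("p1")
    word.tags.add("watch:partner-soc")   # constructed tag from a subscribed entity
    events = [                           # constructed event stream
        {"type": "process_create", "parent": "p1", "child": "p2"},
        {"type": "process_create", "parent": "p2", "child": "p3"},
        {"type": "file_write", "process": "p3", "file": "f1"},
        {"type": "process_load", "file": "f1", "process": "p4"},
        {"type": "dns_query", "process": "p4"},   # no policy entry: ignored
    ]
    for ev in events:
        eng.on_event(ev)
    return {"chain": eng.chain(tree.tree_id),
            "ps_tags": sorted(ps.tags), "upd_tags": sorted(upd.tags)}


if __name__ == "__main__":
    print(demo())
```

    Because propagation is driven by the event plus the policy table rather than hard-coded per event type, changing what a subscriber's tag "sticks to" is a policy edit, not a code change.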

    Kernel-Level Security Agent
    Type: invention application

    Publication number: US20170213031A1

    Publication date: 2017-07-27

    Application number: US15483153

    Filing date: 2017-04-10

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/56

    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and use those event consumers to take action based on at least one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and, in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with the malicious code. Further, the kernel-level security agent may use a model representing chains of execution activities and may take action based on those chains.
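    An added example, not CrowdStrike's code, of the observe, filter, route, consume pipeline the abstract describes, including a consumer that only gathers context on a first suspicious action and prevents on a later one by the same actor. The event fields, the cross-process event types, the agent's own PID and the event stream are constructed for the example.

```python
"""Added example (not CrowdStrike code): the observe -> filter -> route ->
consume pipeline described in the abstract, with one consumer that gathers
data on a first suspicious action and prevents on a subsequent one.

Assumptions: events are dicts with type/pid/target_pid/image fields, filters
and routes are plain predicates, and the event stream is constructed.
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


class AuditConsumer:
    """Keeps every routed event; never acts."""

    def __init__(self) -> None:
        self.seen: List[Event] = []

    def handle(self, ev: Event) -> List[str]:
        self.seen.append(ev)
        return []


class StagedInjectionConsumer:
    """Stage 1 (remote_write into another process): note it, gather data.
    Stage 2 (remote_thread or queue_apc by the same actor into the same
    target): prevent. A write alone is never acted on."""
    FIRST = "remote_write"
    SECOND = {"remote_thread", "queue_apc"}

    def __init__(self) -> None:
        self.staged: Dict[Tuple[object, object], dict] = {}

    def handle(self, ev: Event) -> List[str]:
        key = (ev["pid"], ev["target_pid"])
        if ev["type"] == self.FIRST:
            self.staged[key] = {"first": ev, "actor_image": ev["image"]}
            return [f"gather:{ev['pid']}->{ev['target_pid']}"]
        if ev["type"] in self.SECOND and key in self.staged:
            return [f"block:{ev['pid']}->{ev['target_pid']}"]
        return []


class KernelAgent:
    def __init__(self) -> None:
        self.filters: List[Predicate] = []              # configurable keep-rules
        self.routes: List[Tuple[Predicate, object]] = []  # (predicate, consumer)

    def add_filter(self, keep: Predicate) -> None:
        self.filters.append(keep)

    def add_route(self, pred: Predicate, consumer) -> None:
        self.routes.append((pred, consumer))

    def observe(self, ev: Event) -> List[str]:
        # Filter first: a rejected event never reaches any consumer.
        if not all(keep(ev) for keep in self.filters):
            return []
        actions: List[str] = []
        for pred, consumer in self.routes:
            if pred(ev):
                actions.extend(consumer.handle(ev))
        return actions


AGENT_PID = 4242   # constructed: the agent's own user-mode helper process
CROSS_PROCESS = {"remote_write", "remote_thread", "queue_apc"}

EVENTS: List[Event] = [   # constructed event stream
    {"type": "remote_write", "pid": AGENT_PID, "target_pid": 1000, "image": "agent_helper.exe"},
    {"type": "process_create", "pid": 900, "target_pid": 901, "image": "explorer.exe"},
    {"type": "remote_write", "pid": 777, "target_pid": 1000, "image": "loader.exe"},
    {"type": "remote_thread", "pid": 778, "target_pid": 1000, "image": "other.exe"},
    {"type": "queue_apc", "pid": 777, "target_pid": 1000, "image": "loader.exe"},
]


def demo() -> dict:
    agent = KernelAgent()
    audit, staged = AuditConsumer(), StagedInjectionConsumer()
    agent.add_filter(lambda ev: ev["pid"] != AGENT_PID)   # drop the agent's own activity
    agent.add_route(lambda ev: True, audit)
    agent.add_route(lambda ev: ev["type"] in CROSS_PROCESS, staged)
    actions = [agent.observe(ev) for ev in EVENTS]
    return {"actions": actions, "audited": len(audit.seen)}


if __name__ == "__main__":
    print(demo())
```

    Note that the remote thread from PID 778 is not blocked: the second stage only fires for the actor that performed the first, which is what keeps a legitimate cross-process operation from being caught by someone else's staged context.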

    User-Mode Component Injection and Atomic Hooking
    Type: invention application

    Legal status: in force

    Publication number: US20170039366A1

    Publication date: 2017-02-09

    Application number: US14818527

    Filing date: 2015-08-05

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/52 G06F9/54

    CPC classes: G06F9/545 G06F21/53 G06F21/55

    Abstract: Techniques are described herein for loading a user-mode component associated with a kernel-mode component based on an asynchronous procedure call (APC) built by the kernel-mode component. The APC is delivered to the main thread of a user-mode process while that process is loading, causing the process to load the user-mode component. The APC also causes allocation of memory at a location adjacent to that of the user-mode process and stores instructions at the allocated memory. The user-mode component then atomically hooks function(s) of the user-mode process by modifying a single instruction, or a single set of instructions, of the function(s) to jump to the allocated memory. When the modified instruction is executed and jumps to the allocated memory, the instructions there request loading of the user-mode component, which receives data from the hooked function. The user-mode component then provides that data to the kernel-mode component.
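    An added example, not CrowdStrike's code, for the atomic hooking step described in this abstract and in the granted patent US10025922B2 above: it builds the single-instruction patch that replaces a function's entry and shows why the trampoline memory has to be allocated near the hooked process. It assumes x86-64, a 5-byte `jmp rel32` (opcode E9) at the function entry, and a hooking engine that commits the patch as one aligned 8-byte store so the function is never observed half-written. The addresses and prologue bytes are constructed.

```python
"""Added example (not CrowdStrike code): computing the single-instruction
patch an atomic hook writes, and the reach limit that forces the trampoline
to be allocated near the hooked image.

Assumptions: x86-64; a 5-byte `jmp rel32` (E9) over the function entry; the
engine writes the first 8 bytes as one aligned store. Addresses and the
prologue bytes are constructed.
"""
import struct

JMP_LEN = 5


def jmp_rel32(site: int, target: int) -> bytes:
    """Encode `jmp target` at `site`; rel32 is relative to the next instruction."""
    rel = target - (site + JMP_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError(f"target {target:#x} out of rel32 reach from {site:#x}")
    return b"\xe9" + struct.pack("<i", rel)


def patch_word(site: int, target: int, prologue: bytes) -> bytes:
    """The 8-byte word written in one store over the function's first 8 bytes.
    Bytes 5..7 are copied from the original, so the only change is the jmp."""
    if site % 8:
        raise ValueError("site must be 8-byte aligned for a single aligned store")
    if len(prologue) < 8:
        raise ValueError("need the original first 8 bytes of the function")
    return jmp_rel32(site, target) + prologue[JMP_LEN:8]


def decode_jmp_target(word: bytes, site: int) -> int:
    """Inverse of jmp_rel32, used to verify the patch before writing it."""
    if word[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return site + JMP_LEN + struct.unpack("<i", word[1:5])[0]


# Constructed addresses: a function entry inside a loaded image, a trampoline
# allocated "adjacent" to it (about 256 MiB away) and one allocated 4 GiB away.
SITE = 0x7FF6_1234_5000
NEAR = 0x7FF6_2234_0000
FAR = 0x7FF7_1234_5000
# Constructed prologue: two 5-byte instructions (mov [rsp+8],rbx; mov [rsp+16],rbp),
# so the 5-byte jmp overwrites exactly one whole instruction.
PROLOGUE = bytes.fromhex("4889 5c24 0848 896c 2410")


def demo() -> dict:
    word = patch_word(SITE, NEAR, PROLOGUE)
    try:
        patch_word(SITE, FAR, PROLOGUE)
        far_reachable = True
    except ValueError:
        far_reachable = False
    return {"word": word,
            "decoded": decode_jmp_target(word, SITE),
            "tail_preserved": word[JMP_LEN:8] == PROLOGUE[JMP_LEN:8],
            "far_reachable": far_reachable}


if __name__ == "__main__":
    print(demo())
```

    Two caveats the abstract does not spell out but a hooking engine must honour: the bytes the jmp overwrites must be whole instructions (here exactly one), since the trampoline has to re-execute them before returning into the function; and a single aligned 8-byte store is what makes the swap atomic with respect to other threads already running that code, which is the point of "atomic hooking".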


    Integrity Assurance and Rebootless Updating During Runtime

    Publication number: US20160170740A1

    Publication date: 2016-06-16

    Application number: US15051461

    Filing date: 2016-02-23

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F9/445

    Abstract: Techniques are described herein for unloading at least a component of a kernel-mode component of a computing device and loading an updated version of that component, without rebooting the computing device. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine the integrity of the kernel-mode component by causing it to perform an action with a known reaction, determining whether the known reaction occurred, and, in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any lists maintained by the computing device include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove those representations from the lists, or remove them from responses to requests for the contents of those lists.

    Real-Time Model of States of Monitored Devices
    Type: invention application

    Legal status: in force

    Publication number: US20150356301A1

    Publication date: 2015-12-10

    Application number: US14297974

    Filing date: 2014-06-06

    Applicant: CrowdStrike, Inc.

    IPC classes: G06F21/57

    Abstract: A model representing the system components and events of a plurality of monitored devices as data objects is described herein. The model resides on a security service cloud and is updated in substantially real time as security-relevant information about the system components and events is received by the security service cloud. Each data object in the model has a scope, and security service cloud modules take different actions depending on the scope of a data object. Further, the security service cloud maintains a model specific to each monitored device, built in substantially real time as the security-relevant information from that device is received. The security service cloud uses these device-specific models to detect security concerns and to respond to them in substantially real time.

    Executable Component Injection Utilizing Hotpatch Mechanisms
    Type: invention application

    Legal status: in force

    Publication number: US20140317731A1

    Publication date: 2014-10-23

    Application number: US13866968

    Filing date: 2013-04-19

    Applicant: CROWDSTRIKE, INC.

    IPC classes: G06F21/54

    Abstract: Techniques are described herein for causing a component loader associated with a hotpatch mechanism to execute a user-mode component which, when executed, creates a user-mode process, thread, or held reference. The component may further indicate to the component loader that it lacks hotpatch data, causing the component loader to unload the component. In some implementations, a kernel-mode module initially provides the component to the hotpatch mechanism with the component's entry point set to zero and with hotpatch data for the component loader. The hotpatch mechanism applies the hotpatch data, modifying the component loader so that it requests execute rights for a section object for the component. The kernel-mode module then sets the entry point so that the component becomes executable, and provides the section object and the component to the hotpatch mechanism to cause the component loader to execute the component.