Kernel-level security agent
    Granted invention patent
    Kernel-level security agent (in force)

    Publication (announcement) number: US09043903B2

    Publication (announcement) date: 2015-05-26

    Application number: US13492672

    Filing date: 2012-06-08

    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
