-
Publication (Announcement) No.: US20190266323A1
Publication (Announcement) Date: 2019-08-29
Application No.: US16168588
Filing Date: 2018-10-23
Applicant: CrowdStrike, Inc.
Inventors: Cory-Khoi Quang Nguyen , Brody Nisbet , John Lee
Abstract: A security service system and method that use process ancestry relationships as a pattern for identifying suspicious activity, such as a possible malicious attack or malware, are described herein. The security service system identifies a trigger command in a process running on a monitored computing device, identifies an ancestry command associated with the trigger command, determines an ancestry level of the ancestry command, and, upon determining that the ancestry level of the ancestry command differs from the expected ancestry level of that ancestry command for the trigger command, identifies a pattern based on the trigger command, the ancestry command, and the ancestry level of the ancestry command.
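The ancestry-level check described in the abstract, as an added illustration (not CrowdStrike's code): the process records, the PIDs, the trigger/ancestry pair and the expected level of 2 are all constructed for this example, and the case where the ancestry command is absent from the chain is treated as no pattern (an assumption, since the abstract only covers the level-mismatch case).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]  # None for a root of the tree
    image: str           # executable name, lower-cased


# Constructed sample process records (hypothetical PIDs), three chains:
#   explorer.exe(1) -> cmd.exe(2) -> powershell.exe(3)                    user opened a shell
#   explorer.exe(1) -> winword.exe(4) -> cmd.exe(5) -> powershell.exe(6)  a document spawned a shell
#   services.exe(7) -> powershell.exe(8)                                  no explorer.exe ancestor
SAMPLE_PROCESSES: List[Process] = [
    Process(1, None, "explorer.exe"),
    Process(2, 1, "cmd.exe"),
    Process(3, 2, "powershell.exe"),
    Process(4, 1, "winword.exe"),
    Process(5, 4, "cmd.exe"),
    Process(6, 5, "powershell.exe"),
    Process(7, None, "services.exe"),
    Process(8, 7, "powershell.exe"),
]

# Expected ancestry level per (trigger command, ancestry command). The value is
# constructed for the example: explorer.exe normally sits two levels above
# powershell.exe (explorer.exe -> cmd.exe -> powershell.exe).
EXPECTED_LEVELS: Dict[Tuple[str, str], int] = {
    ("powershell.exe", "explorer.exe"): 2,
}


def ancestry_level(by_pid: Dict[int, Process], pid: int, ancestry_image: str) -> Optional[int]:
    """Number of parent hops from `pid` to the nearest ancestor whose image is
    `ancestry_image` (1 = direct parent); None if no such ancestor is reachable."""
    seen = {pid}
    level = 0
    current = by_pid.get(pid)
    while current is not None and current.ppid is not None:
        parent = by_pid.get(current.ppid)
        if parent is None or parent.pid in seen:  # orphaned record or a cycle in the data
            return None
        level += 1
        if parent.image == ancestry_image:
            return level
        seen.add(parent.pid)
        current = parent
    return None


def find_patterns(processes: List[Process], expected: Dict[Tuple[str, str], int]) -> List[dict]:
    """Report every trigger process whose ancestry command appears at a level other
    than the expected one; each hit is the (trigger, ancestry command, level) pattern."""
    by_pid = {p.pid: p for p in processes}
    patterns: List[dict] = []
    for proc in processes:
        for (trigger, ancestor), expected_level in expected.items():
            if proc.image != trigger:
                continue
            level = ancestry_level(by_pid, proc.pid, ancestor)
            if level is None or level == expected_level:  # absent ancestor, or the normal shape
                continue
            patterns.append({"pid": proc.pid, "trigger": trigger, "ancestry": ancestor,
                             "level": level, "expected": expected_level})
    return patterns


if __name__ == "__main__":
    for hit in find_patterns(SAMPLE_PROCESSES, EXPECTED_LEVELS):
        print(hit)
```

On the sample tree only PID 6 is reported (explorer.exe found at level 3 instead of 2); PID 3 matches the expected shape and PID 8 has no explorer.exe ancestor at all. The `seen` set guards against cyclic or corrupted parent links in real telemetry.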
-
Publication (Announcement) No.: US11258805B2
Publication (Announcement) Date: 2022-02-22
Application No.: US16367561
Filing Date: 2019-03-28
Applicant: CrowdStrike, Inc.
IPC Classification: H04L29/06 , G06F16/906 , G06F17/18 , G06K9/62
Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector, having fewer elements, can be determined. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
-
Publication (Announcement) No.: US11050764B2
Publication (Announcement) Date: 2021-06-29
Application No.: US16110927
Filing Date: 2018-08-23
Applicant: CrowdStrike, Inc.
Inventors: Brody Nisbet , Andrew Roden , John Lee
IPC Classification: H04L29/06 , G06F16/245 , G06F16/248 , G06F11/30 , G06F11/32 , G06F11/34 , G06F21/55 , H04W12/12
Abstract: Cardinality-based activity pattern detection is described herein. Events on a computing system are monitored to detect patterns matching defined activity patterns. A cardinality-based activity pattern query is executed over data representing detected activity patterns to identify multiple, distinct defined activity patterns that have occurred during a particular time period.
-
Publication (Announcement) No.: US20200314117A1
Publication (Announcement) Date: 2020-10-01
Application No.: US16367561
Filing Date: 2019-03-28
Applicant: CrowdStrike, Inc.
IPC Classification: H04L29/06 , G06F16/906 , G06F17/18 , G06K9/62
Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector, having fewer elements, can be determined. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
-
Publication (Announcement) No.: US20200311262A1
Publication (Announcement) Date: 2020-10-01
Application No.: US16367616
Filing Date: 2019-03-28
Applicant: CrowdStrike, Inc.
Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
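The command-line pipeline shared by US11258805B2 / US20200314117A1 (event vector, reduced vector, clustering, violation propagation by cluster identifier) and US20200311262A1 (tagging every event of a selected cluster), as one added illustration that is not CrowdStrike's code. Two stand-ins are assumptions made for the example: a vocabulary index built from the sample events replaces the trained representation mapping, and dropping elements that occur in fewer than two events replaces whatever reduction the patents use; the display/coordinate step of US20200311262A1 is omitted. Hosts, command lines and the token after `-enc` are constructed, not real telemetry.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str
    device: str
    cmdline: str
    violation: bool = False  # True when the event is already tied to a confirmed security violation


# Constructed sample events (hypothetical hosts and command lines). The token
# after -enc is a made-up placeholder, not a real encoded script.
SAMPLE_EVENTS: List[Event] = [
    Event("ev1", "host-a", "powershell.exe -nop -w hidden -enc AAAABBBB", violation=True),
    Event("ev2", "host-b", "powershell.exe -nop -w hidden -enc CCCCDDDD"),
    Event("ev3", "host-c", "powershell.exe -nop -w hidden -enc EEEEFFFF"),
    Event("ev4", "host-a", "svchost.exe -k netsvcs -p"),
    Event("ev5", "host-b", "svchost.exe -k netsvcs -p"),
    Event("ev6", "host-c", r"notepad.exe C:\Users\alice\notes.txt"),
]


def tokenize(cmdline: str) -> List[str]:
    return cmdline.lower().split()


def build_mapping(events: List[Event]) -> Dict[str, int]:
    """Token -> element index. A plain vocabulary index stands in for the trained
    representation mapping of the patents (assumption made for this example)."""
    vocab = sorted({tok for e in events for tok in tokenize(e.cmdline)})
    return {tok: i for i, tok in enumerate(vocab)}


def event_vector(event: Event, mapping: Dict[str, int]) -> List[float]:
    vec = [0.0] * len(mapping)
    for tok, count in Counter(tokenize(event.cmdline)).items():
        vec[mapping[tok]] += count
    return vec


def reduce_vectors(vectors: List[List[float]], min_df: int = 2) -> List[List[float]]:
    """Reduced event vectors: drop every element that is non-zero in fewer than
    `min_df` events (here that removes the one-off encoded payloads and file paths)."""
    dims = len(vectors[0])
    keep = [i for i in range(dims) if sum(1 for v in vectors if v[i] > 0) >= min_df]
    return [[v[i] for i in keep] for v in vectors]


def cosine(a: List[float], b: List[float]) -> float:
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:  # an all-zero reduced vector is similar to nothing
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)


def cluster(vectors: List[List[float]], threshold: float = 0.8) -> List[int]:
    """Greedy leader clustering: join the first cluster whose leader vector is within
    `threshold` cosine similarity, otherwise start a new cluster. Returns cluster ids."""
    leaders: List[Tuple[int, List[float]]] = []
    ids: List[int] = []
    for vec in vectors:
        for cid, leader in leaders:
            if cosine(vec, leader) >= threshold:
                ids.append(cid)
                break
        else:
            leaders.append((len(leaders), vec))
            ids.append(len(leaders) - 1)
    return ids


def assign_clusters(events: List[Event]) -> Dict[str, int]:
    mapping = build_mapping(events)
    reduced = reduce_vectors([event_vector(e, mapping) for e in events])
    return {e.event_id: cid for e, cid in zip(events, cluster(reduced))}


def suspects(events: List[Event]) -> List[str]:
    """Events not yet tied to a violation whose cluster id matches that of a violation event."""
    ids = assign_clusters(events)
    bad = {ids[e.event_id] for e in events if e.violation}
    return [e.event_id for e in events if not e.violation and ids[e.event_id] in bad]


def tag_cluster(events: List[Event], selected_event_id: str, tag: str) -> Dict[str, str]:
    """Analyst selects one event; the tag is associated with every event of its cluster."""
    ids = assign_clusters(events)
    chosen = ids[selected_event_id]
    return {e.event_id: tag for e in events if ids[e.event_id] == chosen}
```

On the sample, the three encoded-PowerShell events share one cluster although their payload tokens differ, because the reduction discards elements seen in only one event; ev1 is a known violation, so ev2 and ev3 are surfaced as suspects, and selecting ev4 tags both svchost.exe events. A zero reduced vector (ev6) lands in its own cluster rather than being forced into another one.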
-
Publication (Announcement) No.: US20190268355A1
Publication (Announcement) Date: 2019-08-29
Application No.: US16110927
Filing Date: 2018-08-23
Applicant: CrowdStrike, Inc.
Inventors: Brody Nisbet , Andrew Roden , John Lee
IPC Classification: H04L29/06 , G06F11/30 , G06F11/32 , G06F11/34 , G06F16/245 , G06F16/248
Abstract: Cardinality-based activity pattern detection is described herein. Events on a computing system are monitored to detect patterns matching defined activity patterns. A cardinality-based activity pattern query is executed over data representing detected activity patterns to identify multiple, distinct defined activity patterns that have occurred during a particular time period.
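The cardinality-based query described in this abstract and in US11050764B2 above, as an added illustration that is not CrowdStrike's code: it runs over already-detected activity patterns and asks, per device, whether at least N distinct defined patterns occurred inside one time window, counting repeats of the same pattern once. The devices, pattern names, timestamps and the sliding-window formulation are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Detection:
    device: str
    pattern: str   # name of the defined activity pattern that matched
    ts: datetime


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 1, 10, hour, minute)  # constructed date for the sample


# Constructed detections (hypothetical devices, pattern names and times).
SAMPLE_DETECTIONS: List[Detection] = [
    Detection("host-a", "office_spawns_shell", _t(9, 0)),
    Detection("host-a", "encoded_powershell", _t(9, 2)),
    Detection("host-a", "encoded_powershell", _t(9, 3)),   # same pattern again: counts once
    Detection("host-a", "new_service_created", _t(9, 20)),
    Detection("host-b", "encoded_powershell", _t(8, 0)),   # one pattern firing repeatedly
    Detection("host-b", "encoded_powershell", _t(8, 30)),
    Detection("host-b", "encoded_powershell", _t(9, 0)),
    Detection("host-c", "office_spawns_shell", _t(7, 0)),  # two patterns, five hours apart
    Detection("host-c", "new_service_created", _t(12, 0)),
]


def cardinality_query(detections: List[Detection], min_distinct: int,
                      window_minutes: int) -> Dict[str, Set[str]]:
    """For each device, find the first window of `window_minutes` (opened at a
    detection, closing boundary inclusive) in which at least `min_distinct`
    distinct defined activity patterns occurred. Returns the distinct pattern
    names for every device that satisfies the query."""
    window = timedelta(minutes=window_minutes)
    by_device: Dict[str, List[Detection]] = defaultdict(list)
    for det in detections:
        by_device[det.device].append(det)
    hits: Dict[str, Set[str]] = {}
    for device, dets in by_device.items():
        ordered = sorted(dets, key=lambda d: d.ts)
        for i, start in enumerate(ordered):
            distinct: Set[str] = set()
            for det in ordered[i:]:
                if det.ts - start.ts > window:
                    break
                distinct.add(det.pattern)
            if len(distinct) >= min_distinct:
                hits[device] = distinct
                break
    return hits


if __name__ == "__main__":
    for device, patterns in cardinality_query(SAMPLE_DETECTIONS, 2, 60).items():
        print(device, sorted(patterns))
```

With a 60-minute window and a threshold of two distinct patterns only host-a qualifies: host-b shows a single pattern many times, which a cardinality query deliberately ignores, and host-c's two patterns are too far apart. Widening the window to five hours pulls host-c in as well, which is why the window size is part of the query rather than a fixed constant.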