Publication number: US20240007491A1
Publication date: 2024-01-04
Application number: US17855360
Filing date: 2022-06-30
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425, H04L63/1441
Abstract: Methods and systems for detecting malicious attacks in a network and preventing lateral movement in the network by identity control are disclosed. According to an implementation, a security appliance may receive telemetry data from an endpoint device collected during a period of time. The security appliance may determine a threat behavior based on the telemetry data. The threat behavior may be associated with a user identity or user account. The security appliance further determines one or more additional user identities based on the user identity connected to the threat behavior. The security appliance may enforce one or more security actions on the user identity and the one or more additional user identities to prevent attacks on a plurality of computing domains from the endpoint device using the one or more additional user identities. The security appliance may be implemented on any network participant, including servers, cloud devices, cloud-based services/platforms, etc.
-
Publication number: US20230421587A1
Publication date: 2023-12-28
Application number: US17849537
Filing date: 2022-06-24
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425
Abstract: A distributed security system includes instances of a compute engine that can receive an event stream comprising event data associated with an occurrence of one or more events on one or more client computing devices and generate new event data based on the event data in the event stream. A predictions engine coupled in communication with the compute engine(s) receives the new event data and applies at least a portion of the received new event data to one or more machine learning models of the distributed security system based on the received new event data. The one or more machine learning models generate a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, based on the applying of at least the portion of the received new event data to the one or more machine learning models according to the received new event data.
-
Publication number: US20240146747A1
Publication date: 2024-05-02
Application number: US17977898
Filing date: 2022-10-31
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425, H04L63/1416
Abstract: Methods and systems for multi-cloud breach detection using ensemble classification and deep anomaly detection are disclosed. According to an implementation, a security appliance may receive logged event data. The security appliance may determine, using a supervised machine learning (ML) model, a first anomaly score representing a first context. The security appliance may further determine, using a semi-supervised machine learning (ML) model, a second anomaly score representing a second context, and, using an unsupervised ML model, one or more third anomaly scores representing one or more third contexts. The security appliance may aggregate the first anomaly score, the second anomaly score and the one or more third anomaly scores using a classification module to produce a final anomaly score and a final context. The security appliance may determine that an anomaly exists and a type of attack based on the final anomaly score and the final context.
-
Publication number: US20230344843A1
Publication date: 2023-10-26
Application number: US17725352
Filing date: 2022-04-20
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1425, H04L63/145
Abstract: Techniques and systems for a security service system configured with a sensor component including a machine learning (ML) malware classifier to perform behavioral detection on host devices. The security service system may deploy a sensor component to monitor behavioral events on a host device. The sensor component may generate event data corresponding to monitored operations targeted by malware. The system may map individual events from the event data onto a behavioral activity pattern and generate process trees. The system may extract behavioral artifacts to build a feature vector used for malware classification and generate a machine learning (ML) malware classifier. The sensor component may use the ML malware classifier to perform asynchronous behavioral detection on a host device and process system events for malware detection.