-
Publication number: US20180288100A1
Publication date: 2018-10-04
Application number: US15994655
Application date: 2018-05-31
Applicant: SECUREWORKS CORP.
Inventor: Ross R. Kinder , Jon R. Ramsey , Timothy M. Vidas , Robert Danford
Abstract: A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulations to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.
-
Publication number: US20170244762A1
Publication date: 2017-08-24
Application number: US15436215
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas , Oliver J. Palmer , Jon Ramsey , Matt J. McCormack
CPC classification number: H04L63/1441 , H04L63/0428 , H04L63/08 , H04L63/1416 , H04L63/1425 , H04L63/1433 , H04L63/145 , H04L63/1466 , H04L63/20 , H04L63/308
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US11418524B2
Publication date: 2022-08-16
Application number: US16405788
Application date: 2019-05-07
Applicant: Secureworks Corp.
Inventor: William M. Urbanski , Timothy M. Vidas , Kyle Soeder , Jon Ramsey , Robert William Danford , Aaron Hackworth
Abstract: The present disclosure provides systems and methods for detection of one or more security threats or malicious actions. According to the present disclosure, data can be received from one or more data producers and provided to a behavior processor. The behavior processor extracts, identifies, or detects one or more behaviors from the data based on one or more datum, features, or characteristics included therein, and provides the one or more identified behaviors to a tactic processor. The tactic processor extracts, identifies, or detects one or more tactics based on the one or more identified behaviors, and submits the one or more identified tactics to a tactic classifier to determine whether the one or more identified tactics are indicative of the one or more security threats or malicious actions. Other aspects are also described.
-
Publication number: US10484423B2
Publication date: 2019-11-19
Application number: US15436301
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas
IPC: G06F21/00 , H04L29/06 , G06F21/55 , G06F21/56 , H04L12/24 , H04L12/707 , G06F9/4401 , G06F9/54 , H04L29/12
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US10333992B2
Publication date: 2019-06-25
Application number: US15436215
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas , Oliver J. Palmer , Jon Ramsey , Matt J. McCormack
IPC: H04L29/06
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US09961107B2
Publication date: 2018-05-01
Application number: US15436304
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas
CPC classification number: H04L63/1466 , G06F9/4406 , G06F9/542 , G06F21/552 , G06F21/554 , G06F21/565 , G06F21/566 , G06F2221/033 , G06F2221/034 , G06F2221/2115 , H04L41/069 , H04L45/22 , H04L61/1511 , H04L63/1416 , H04L63/1425 , H04L63/1441 , H04L63/20 , H04L63/308
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US20170243005A1
Publication date: 2017-08-24
Application number: US15436304
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas
CPC classification number: H04L63/1466 , G06F9/4406 , G06F9/542 , G06F21/552 , G06F21/554 , G06F21/565 , G06F21/566 , G06F2221/033 , G06F2221/034 , G06F2221/2115 , H04L41/069 , H04L45/22 , H04L61/1511 , H04L63/1416 , H04L63/1425 , H04L63/1441 , H04L63/20 , H04L63/308
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US10713360B2
Publication date: 2020-07-14
Application number: US15436286
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas
IPC: G06F21/56 , H04L29/06 , G06F9/54 , G06F21/55 , H04L12/24 , H04L12/707 , G06F9/4401 , H04L29/12
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
-
Publication number: US10678919B2
Publication date: 2020-06-09
Application number: US15436295
Application date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder , Aaron Hackworth , Matthew K. Geiger , Kevin R. Moore , Timothy M. Vidas
IPC: G06F21/56 , H04L29/06 , G06F9/54 , G06F21/55 , H04L12/24 , H04L12/707 , G06F9/4401 , H04L29/12
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
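The endpoint-agent records on this page (US20170244762A1 and the related grants, this one included) name the event categories an agent ships to the server: process creation, thread injection, network connection and so on. US11418524B2, listed above, describes the server side as a chain of a behavior processor, a tactic processor and a tactic classifier. The following Python is an added example, not Secureworks code and not taken from any of the patents: it feeds constructed endpoint events through a three-stage pipeline of that shape. The event field names, the behavior rules, the behavior-to-tactic mapping (which borrows MITRE ATT&CK tactic names) and the classification threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry, not real data. Event categories follow the abstracts
# (process creation, thread injection, network connection); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "ts": 100, "pid": 4100, "ppid": 1800,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "process_create", "host": "ws01", "ts": 101, "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "thread_inject", "host": "ws01", "ts": 105, "pid": 4120, "target_pid": 2200,
     "target_image": r"C:\Windows\explorer.exe"},
    {"type": "net_connect", "host": "ws01", "ts": 110, "pid": 2200,
     "dst": "203.0.113.7", "dport": 4444, "proto": "tcp"},
    # Benign activity on a second host: an admin opens a shell from the desktop.
    {"type": "process_create", "host": "ws02", "ts": 200, "pid": 900, "ppid": 850,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "net_connect", "host": "ws02", "ts": 201, "pid": 900,
     "dst": "10.0.0.5", "dport": 443, "proto": "tcp"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass(frozen=True)
class Behavior:
    host: str
    name: str
    pid: int
    ts: int


def behavior_processor(events):
    """Stage 1: turn raw events into named behaviors. The rules are per-event except
    the last, which correlates a network connection with an earlier thread injection
    into the same target process on the same host."""
    behaviors = []
    injected = defaultdict(set)  # host -> pids that received an injected thread
    for e in sorted(events, key=lambda e: e["ts"]):
        h, t = e["host"], e["ts"]
        if e["type"] == "process_create":
            if _basename(e["parent_image"]) in OFFICE_APPS and _basename(e["image"]) in SHELLS:
                behaviors.append(Behavior(h, "office_spawns_shell", e["pid"], t))
            if "-enc" in e["cmdline"].lower().split():
                behaviors.append(Behavior(h, "encoded_powershell", e["pid"], t))
        elif e["type"] == "thread_inject" and e["pid"] != e["target_pid"]:
            behaviors.append(Behavior(h, "remote_thread_injection", e["pid"], t))
            injected[h].add(e["target_pid"])
        elif e["type"] == "net_connect" and e["pid"] in injected[h]:
            behaviors.append(Behavior(h, "beacon_from_injected_process", e["pid"], t))
    return behaviors


# Assumed mapping from behaviors to tactics (ATT&CK vocabulary, illustrative mapping).
BEHAVIOR_TO_TACTIC = {
    "office_spawns_shell": "execution",
    "encoded_powershell": "defense_evasion",
    "remote_thread_injection": "defense_evasion",
    "beacon_from_injected_process": "command_and_control",
}


def tactic_processor(behaviors):
    """Stage 2: group each host's behaviors under the tactics they evidence."""
    tactics = defaultdict(dict)  # host -> tactic -> set of behavior names
    for b in behaviors:
        tactic = BEHAVIOR_TO_TACTIC.get(b.name)
        if tactic:
            tactics[b.host].setdefault(tactic, set()).add(b.name)
    return {h: {k: sorted(v) for k, v in t.items()} for h, t in tactics.items()}


def tactic_classifier(tactics_by_host, min_tactics=2):
    """Stage 3: per host, decide whether the tactic set indicates a threat. The rule is
    an assumption for this example: command-and-control alone, or at least two distinct
    tactics on one host, is classified malicious; anything else is merely suspicious."""
    return {
        host: "malicious" if "command_and_control" in tactics or len(tactics) >= min_tactics
        else "suspicious"
        for host, tactics in tactics_by_host.items()
    }


def run_pipeline(events):
    behaviors = behavior_processor(events)
    tactics = tactic_processor(behaviors)
    return behaviors, tactics, tactic_classifier(tactics)


if __name__ == "__main__":
    _, tactics, verdicts = run_pipeline(SAMPLE_EVENTS)
    for host, verdict in verdicts.items():
        print(host, verdict, tactics[host])
```

Hosts that produce no behaviors (ws02 here) never reach the classifier, which keeps the noisy per-event layer separate from the decision layer; in practice the correlation window in stage 1 would be time-bounded rather than unbounded as in this example.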
-
Publication number: US10659498B2
Publication date: 2020-05-19
Application number: US15994655
Application date: 2018-05-31
Applicant: SECUREWORKS CORP.
Inventor: Ross R. Kinder , Jon R. Ramsey , Timothy M. Vidas , Robert Danford
Abstract: A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulations to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.
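The method in this abstract (and in its earlier publication US20180288100A1 at the top of the page) is a differential simulation: replay the same traffic events through the current and the changed rule set, show the reviewer only the dispositions that flip, and apply the change only on an explicit instruction. The Python below is an added example of that procedure, not Secureworks code and not derived from the patent text. It assumes first-match rule evaluation with an implicit default deny, a five-tuple-style event record, and constructed rule sets and traffic events; all names and values are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One filtering rule. dports is an inclusive (low, high) range or None for any port."""
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    dports: Optional[tuple] = None

    def matches(self, ev):
        if self.proto != "any" and self.proto != ev["proto"]:
            return False
        if ipaddress.ip_address(ev["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(ev["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and not self.dports[0] <= ev["dport"] <= self.dports[1]:
            return False
        return True


def evaluate(rules, ev, default="deny"):
    """First-match semantics with an implicit default deny (an assumption here).
    Returns (action, index of the matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(ev):
            return rule.action, i
    return default, None


def simulate(rules, events):
    """One simulation run: the disposition of every traffic event under one rule set."""
    return [evaluate(rules, ev)[0] for ev in events]


def diff_rulesets(current, changed, events):
    """Run both simulations over the same events and keep only the deltas,
    which is what the reviewer needs to see before the changed set goes live."""
    before, after = simulate(current, events), simulate(changed, events)
    report = {"newly_denied": [], "newly_allowed": [], "unchanged": 0}
    for ev, b, a in zip(events, before, after):
        if b == a:
            report["unchanged"] += 1
        elif a == "deny":
            report["newly_denied"].append(ev)
        else:
            report["newly_allowed"].append(ev)
    return report


def review_and_apply(current, changed, events, approve):
    """Display the diff, hand it to the reviewer's decision function, and return
    the rule set that should filter traffic from now on."""
    report = diff_rulesets(current, changed, events)
    for key in ("newly_denied", "newly_allowed"):
        for ev in report[key]:
            print(f"{key}: {ev['proto']} {ev['src']} -> {ev['dst']}:{ev['dport']}")
    print(f"unchanged: {report['unchanged']} events")
    return changed if approve(report) else current


# Constructed rule sets. The change narrows RDP to an admin subnet and opens 8443 on the web server.
CURRENT_RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.20.0.10/32", (443, 443)),
    Rule("allow", "tcp", "10.0.0.0/8", "10.20.0.20/32", (3389, 3389)),
    Rule("allow", "udp", "10.0.0.0/8", "10.20.0.53/32", (53, 53)),
]
CHANGED_RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.20.0.10/32", (443, 443)),
    Rule("allow", "tcp", "10.0.0.0/8", "10.20.0.10/32", (8443, 8443)),
    Rule("allow", "tcp", "10.0.9.0/24", "10.20.0.20/32", (3389, 3389)),
    Rule("allow", "udp", "10.0.0.0/8", "10.20.0.53/32", (53, 53)),
]

# Constructed traffic events standing in for flows replayed from logs.
EVENTS = [
    {"proto": "tcp", "src": "10.0.1.15", "dst": "10.20.0.10", "dport": 443},
    {"proto": "tcp", "src": "10.0.1.15", "dst": "10.20.0.10", "dport": 8443},
    {"proto": "tcp", "src": "10.0.1.15", "dst": "10.20.0.20", "dport": 3389},
    {"proto": "tcp", "src": "10.0.9.4", "dst": "10.20.0.20", "dport": 3389},
    {"proto": "udp", "src": "10.0.2.7", "dst": "10.20.0.53", "dport": 53},
    {"proto": "tcp", "src": "192.0.2.9", "dst": "10.20.0.10", "dport": 22},
]

if __name__ == "__main__":
    # Policy for this run: approve automatically only if nothing that was allowed becomes denied.
    live = review_and_apply(CURRENT_RULES, CHANGED_RULES, EVENTS,
                            approve=lambda r: not r["newly_denied"])
    print("changed set applied" if live is CHANGED_RULES else "kept current set")
```

With these inputs the diff shows exactly one flow that the change would newly block (RDP from a non-admin workstation) and one it would newly permit (8443 to the web server), so the conservative approval policy above keeps the current set; the point of the simulation is that the reviewer sees that trade-off before, not after, the rules are pushed.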