-
Publication number: US20240202097A1
Publication date: 2024-06-20
Application number: US18081144
Filing date: 2022-12-14
Applicant: CrowdStrike, Inc.
Inventors: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok
CPC classification: G06F11/3495, G06F9/445, G06F9/545
Abstract: A unique process identifier (UPID) associated with a process identifier (PID) of a process executing in an operating system is generated in a kernel space of the operating system executing on a computing device. The UPID is inserted into a first mapping store that maps the PID to the UPID. A message including the PID is transmitted to a message buffer structure. A second mapping store that maps the UPID to the PID is updated in a user space of the operating system based on the message.
-
Publication number: US11907370B2
Publication date: 2024-02-20
Application number: US17019166
Filing date: 2020-09-11
Applicant: CrowdStrike, Inc.
CPC classification: G06F21/566, G06F21/552, H04L63/14, H04L63/1416, G06N20/00
Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the patterns of behavior allows the security agent's behavior to be updated by a remote security service without updating the configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent the ability to respond in real time to new behaviors exhibited by the monitored computing device.
-
Publication number: US20240056480A1
Publication date: 2024-02-15
Application number: US18496568
Filing date: 2023-10-27
Applicant: CrowdStrike, Inc.
Inventors: Iosif Onut, Qian Cui, Guy-Vincent Jourdan
CPC classification: H04L63/1483, G06N20/00, H04L63/1416
Abstract: Mechanisms are provided to detect content generated from phishing attacks. The mechanisms process an electronic communication, received from a data network, to produce a structure token. The structure token represents the content structure of the electronic communication. The structure token is processed by a machine learning model that is trained to identify content generated in response to one or more phishing attacks. The machine learning model produces a classification output indicating whether the electronic communication includes content that was generated in response to the one or more phishing attacks.
-
Publication number: US20230394145A1
Publication date: 2023-12-07
Application number: US17862623
Filing date: 2022-07-12
Applicant: CrowdStrike, Inc.
Inventor: Felix Schwyzer
CPC classification: G06F21/564, G06F21/53, G06N20/00
Abstract: A plurality of memory image data is obtained. Respective ones of the memory image data may include memory contents captured from an executing process. Training data including feature vectors and classification values is provided to a machine learning (ML) training model executing on a processing device. The feature vectors may include indications of patterns within the memory image data. The ML training model is trained on the training data to generate an ML production model. The training may include computing a plurality of model parameters that relate the feature vectors of the training data to the classification values of the training data.
-
Publication number: US11822515B2
Publication date: 2023-11-21
Application number: US17091700
Filing date: 2020-11-06
Applicant: CrowdStrike, Inc.
Inventors: Cameron Gutman, Aaron LeMasters
IPC classification: G06F16/17, G06F9/44, G06F9/4401, G06F21/10, H04L41/0806, H04L9/40, H04W12/08, G06F13/00
CPC classification: G06F16/1734, G06F9/44, G06F9/4403, G06F21/10, H04L41/0809, H04L63/10, H04W12/08, G06F2213/0042
Abstract: Drivers in different functional paths can use different types of identifiers for the same hardware device, so the drivers may be unable to natively coordinate their actions related to the hardware device because of the incompatible identifier types. However, a driver at the file system layer of one functional path can obtain a volume Physical Device Object (PDO) identifier at the volume layer and find the disk PDO identifier at the disk layer that is associated with the same device number. The driver can also find a parent device instance identifier from the disk PDO identifier, and use that parent device instance identifier as a plug-and-play (PnP) identifier for the hardware device when communicating with a second driver in the PnP functional path.
-
Publication number: US11811821B2
Publication date: 2023-11-07
Application number: US17087194
Filing date: 2020-11-02
Applicant: CrowdStrike, Inc.
Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw
CPC classification: H04L63/145, G06F21/56, G06N20/00, H04L63/1416
Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. Based at least in part on the signatures and a predetermined difference criterion, the processing unit can partition the training data streams into a training set and a validation set. The processing unit can determine a computational model based at least in part on the training set, and can then operate the computational model on a trial data stream to provide a trial model output. Some examples determine the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
-
Publication number: US11687649B2
Publication date: 2023-06-27
Application number: US17008038
Filing date: 2020-08-31
Applicant: CrowdStrike, Inc.
CPC classification: G06F21/554, G06F9/545, G06F9/547, G06F21/33, G06F21/566
Abstract: A security agent executing in kernel mode may receive a request from an anti-malware component executing with low privileges in user mode and, in response, perform a security action with respect to a malicious file detected on the computing device. The security agent may then assist the anti-malware component in providing a user notification about the security action by obtaining, on behalf of the anti-malware component, a user token associated with the user session in which the malicious file was detected. The anti-malware component can use the obtained user token to request a pointer to a Component Object Model (COM) interface for outputting the notification in the context of the appropriate user session, which allows the user notification to be provided securely and efficiently.
-
Publication number: US20230164152A1
Publication date: 2023-05-25
Application number: US18094580
Filing date: 2023-01-09
Applicant: CrowdStrike, Inc.
IPC classification: H04L9/40
CPC classification: H04L63/1416, H04L63/1425, H04L63/1441
Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include presenting graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst, who verifies the malicious incidents. Based on the patterns and information conveyed in the visualizations, the computing device or the host device may take action to protect the operation of the host device from the effects of the event.
-
Publication number: US20230164151A1
Publication date: 2023-05-25
Application number: US18094303
Filing date: 2023-01-06
Applicant: CrowdStrike, Inc.
Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
IPC classification: H04L9/40, G06F21/54, H04L41/042, H04L41/28
CPC classification: H04L63/1416, G06F21/54, H04L41/042, H04L41/28, H04L63/1441
Abstract: A distributed security system can include instances of a compute engine that execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally defined ontological definitions and/or configurations. Bounding managers in the local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also, at least temporarily, adjust other elements of the distributed security system during experiments or tests.
-
Publication number: US11599641B2
Publication date: 2023-03-07
Application number: US16855585
Filing date: 2020-04-22
Applicant: CrowdStrike, Inc.
Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve an image of the firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide them to a user-mode component of the security agent for security analysis. The security agent components may then provide the results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.
-