IL302585A - System and method for detecting and responding to events in a computing device - Google Patents


Info

Publication number
IL302585A
Authority
IL
Israel
Prior art keywords
edr
server
computerized
systematical
events
Application number
IL302585A
Other languages
Hebrew (he)
Inventor
Newman Andrew
Dudu Yaniv
Original Assignee
Reason Cybersecurity Ltd
Newman Andrew
Dudu Yaniv
Application filed by Reason Cybersecurity Ltd, Newman Andrew, Dudu Yaniv filed Critical Reason Cybersecurity Ltd
Priority to IL302585A priority Critical patent/IL302585A/en
Priority to PCT/IL2024/050367 priority patent/WO2024228181A1/en
Publication of IL302585A publication Critical patent/IL302585A/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries


Description

SYSTEM AND METHOD FOR DETECTING AND RESPONDING TO EVENTS ON A COMPUTERIZED DEVICE

TECHNICAL FIELD
[001] The present invention generally relates to the detection of, and the response to, an event on a computerized device.
BACKGROUND OF THE DISCLOSURE
[002] Enterprises use several protection layers to keep their organization safe.
[003] The first layer of defense is the endpoint antimalware and/or antivirus programs, which provide protection against known viruses, known malware, and/or certain predefined behaviors.
[004] Enterprises may use an additional protection layer to detect threats that are not covered by the first layer. This second protective layer is very expensive to operate and is therefore problematic to use on the endpoint of a single user or on the endpoints of small enterprises.
[005] For example, an EDR solution for a large-scale enterprise is required to support up to tens of thousands of devices. Developing a solution for home users might entail an operation of much greater magnitude, involving hundreds of millions of devices.
SUMMARY
[006] Various objects, features, and aspects of the present disclosure will become more apparent from the following detailed description of the embodiments of the below-described disclosure, along with the accompanying drawings, in which like numerals represent like components.
[007] One embodiment may include a system to detect and respond to at least one or more systematical exceptional events on one or more computerized devices of a network of computerized devices, wherein each computerized device of the network comprises a local database and the system comprises an endpoint detection and response (EDR) server, wherein the system is configured to detect at least one or more systematical exceptional events by: storing, at the local database of the computerized device, at least one or more predetermined events by a client event application, wherein the local database is configured to respond to a query from the EDR server; periodically sending, by the EDR server, one or more queries to one or more computerized devices and receiving, by the EDR server, one or more responses from the local database of the computerized device of the one or more computerized devices, wherein a cap number of the one or more responses from the one or more computerized devices is set by the EDR server; and analyzing the one or more responses by the EDR server to detect one or more systematical exceptional events.
[008] For example, the EDR server is configured to send a detection action to the one or more computerized devices, wherein the detection action is based on a characteristic of an event of one or more events, and the client event application is configured to perform an operation when the characteristic of the event occurs.
[009] For example, the detection action comprises at least one of: a script configured to detect a threat; a script configured to collect information; a script configured to perform an operation; a script configured to send the local database to be investigated by the EDR server; a script configured to send a file to be investigated by the EDR server; an operation based on systematical exceptional event characteristics; a rule based on systematical exceptional event characteristics; a script based on systematical exceptional event characteristics; a script configured to send the exceptional systematical event to be investigated by the EDR server; and a script configured to send an alert to the client event application.
[010] For example, the computerized device of the one or more computerized devices comprises a prevention entity, and the prevention entity is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
[011] For example, the action comprises at least one of: a script for threat prevention; a script configured to collect information; a script configured to perform an operation; a rule for threat prevention; an operation for blocking a threat by sending a command to a prevention entity; a rule for allowing the exceptional systematical event and listing the allowed threat in a whitelist; a script configured to send the exceptional systematical event to be investigated; and a script configured to send an alert to the client event application.
[012] For example, the at least one or more predetermined actions comprise at least one of: a threat to the operating system (OS) of the computerized device, a virus, a malware attack, a ransom attack, and unexpected behavior of the OS.
[013] For example, the computerized device of the one or more computerized devices comprises an antivirus application, and the antivirus application is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
[014] For example, the computerized device of the one or more computerized devices comprises a DNS server, and the DNS server is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
[015] For example, the EDR server is configured to send an action to the one or more computerized devices within a predefined time slot.
[016] For example, the EDR server is configured to generate one or more triggers and one or more actions for the prevention entity when the one or more systematical exceptional events become a threat.
[017] For example, the threat comprises at least one of: a malware attack, a ransomware attack, installing spyware, and performing hacking.
[018] For example, the EDR server is configured to generate a new action rule and send the new action rule as a definition update to the prevention entity, the client event application, and the local database, wherein the new action rule is generated when the action removes the threat from an operating system (OS) of the computerized device.
[019] For example, an event of the OS of the computerized device is filtered to decide whether it is to be processed, ignored, or handled immediately by taking an action based on the trigger.
[020] For example, a response of the one or more responses comprises details on a security-related vector based on the query.
[021] For example, the query comprises: a query identification (ID), a query capacity, and a timeout for returning a response.
[022] For example, the system comprises a definition update server, wherein the client event application is configured to update a definition handler, and the definition handler is configured to replace a current set of filters, triggers, and actions with a new set of filters, triggers, and actions by storing the new set in the local database of the computerized device.
[023] For example, the query is processed, and a result of a new test query is sent to a response server.
[024] For example, the client event application is configured to detect a threat on one or more files of the computerized device.
[025] For example, the EDR server comprises an artificial intelligence (AI) engine, where the AI engine is configured to: monitor for irregularities in an operating system (OS) of the computerized device; generate one or more queries based on a historical queries database and the irregularities of the OS; send the one or more queries to one or more of the computerized devices; and generate an action based on one or more query results.
[026] In another embodiment of this disclosure, a method of an endpoint detection and response (EDR) system for detecting and responding to at least one or more systematical exceptional events on one or more computerized devices of a network of computerized devices, wherein each computerized device of the network comprises a local database, the method comprising: storing, at the local database of the computerized device, at least one or more predetermined events by a client event application, wherein the local database is configured to respond to a query from the EDR server; periodically sending, by the EDR server, one or more queries to one or more computerized devices and receiving, by the EDR server, one or more responses from the local database of the computerized device of the one or more computerized devices, wherein a cap number of the one or more responses from the one or more computerized devices is set by the EDR server; and analyzing the one or more responses by the EDR server to detect one or more systematical exceptional events.
[027] For example, the method comprises: sending a detection action to the one or more computerized devices, wherein the detection action is based on a characteristic of an event of one or more events, and the client event application is configured to perform an operation when the characteristic of the event occurs.
[028] For example, the computerized device of the one or more computerized devices comprises a prevention entity, and the prevention entity is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
[029] For example, the method comprises: generating one or more triggers or one or more actions to be stored in a database of the prevention entity when the one or more systematical exceptional events become a threat.
[030] In another embodiment of this disclosure, a computerized device protected by an endpoint detection and response (EDR) system comprises a client event application configured to: store, at a local database of the computerized device, at least one or more predetermined events; respond to a query from an EDR server; and periodically receive from the EDR server one or more queries and send to the EDR server one or more responses from the local database to be analyzed by the EDR server to detect one or more systematical exceptional events, wherein the computerized device is one of one or more computerized devices of a computerized devices network monitored by the EDR server, and the number of responses sent to the EDR server is limited to a cap number for the computerized network.
BRIEF DESCRIPTION OF THE DRAWINGS
[031] In order to better understand the subject matter that is disclosed herein and to exemplify how it may be carried out in practice, embodiments will now be described, by way of non-limiting example only, with reference to the accompanying drawings, in which:
[032] Figure 1 illustrates a block diagram of a system for detecting and responding to at least one or more events on one or more computerized devices according to some demonstrative embodiments.
[033] Figure 2 illustrates a block diagram of another embodiment of a system for detecting and responding to at least one or more events on one or more computerized devices according to some demonstrative embodiments.
[034] Figure 3 illustrates a backend diagram of a method of an EDR control application to detect events on one or more endpoints, according to some demonstrative embodiments.
[035] Figure 4 illustrates an example of a method of handling a client event according to some demonstrative embodiments.
[036] Figure 5 illustrates an example of a method of handling a client query according to some demonstrative embodiments.
[037] Figure 6 illustrates an example of a method of updating a definition of a client event handler according to some demonstrative embodiments.
[038] Figure 7 illustrates a product of manufacture according to some demonstrative embodiments.
DETAILED DESCRIPTION OF THE DRAWINGS
[039] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of some embodiments. However, it will be understood by persons of ordinary skill in the art that some embodiments may be practiced without these specific details. In other instances, well-known methods, procedures, components, units, and/or circuits have not been described in detail so as not to obscure the discussion.
[040] Discussions made herein utilizing terms such as, for example, "processing," "computing," "calculating," "determining," "establishing," "analyzing," "checking," or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing devices, that manipulate and/or transform data represented as physical (e.g., electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information storage medium that may store instructions to perform operations and/or processes.
[041] The terms "plurality" and "a plurality," as used herein, include, for example, "multiple" or "two or more." For example, "a plurality of items" includes two or more items.
[042] References to "one embodiment," "an embodiment," "demonstrative embodiment," "various embodiments," etc., indicate that the embodiment(s) so described may include a particular feature, structure, or characteristic, but not every embodiment necessarily includes the particular feature, structure, or characteristic. Further, repeated use of the phrase "in one embodiment" does not necessarily refer to the same embodiment, although it may.
[043] As used herein, unless otherwise specified, the use of the ordinal adjectives "first," "second," "third," etc., to describe a common object merely indicates that different instances of like objects are being referred to and is not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
[044] As used herein, the term "circuitry" may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an integrated circuit, an electronic circuit, a processor (shared, dedicated, or group), and/or memory (shared, dedicated, or group), that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality. In some demonstrative embodiments, the circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules. In some demonstrative embodiments, the circuitry may include logic, at least partially operable in hardware.
[045] The term "logic" may refer, for example, to computing logic embedded in the circuitry of a computing apparatus and/or computing logic stored in a memory of a computing apparatus. For example, the logic may be accessible by a processor of the computing apparatus to execute the computing logic to perform computing functions and/or operations. In one example, logic may be embedded in various types of memory and/or firmware, e.g., silicon blocks of various chips and/or processors. Logic may be included in and/or implemented as part of various circuitry, e.g., radio circuitry, receiver circuitry, control circuitry, transmitter circuitry, transceiver circuitry, processor circuitry, and/or the like. In one example, logic may be embedded in volatile memory and/or non-volatile memory, including random access memory, read-only memory, programmable memory, magnetic memory, flash memory, persistent memory, and the like. Logic may be executed by one or more processors using memory, e.g., registers, stack, buffers, and/or the like, coupled to the one or more processors, e.g., as necessary to execute the logic.
[046] The term "module," as used hereinbelow, is an object file that contains code to extend the running kernel environment.
[047] As used herein, the term "artificial intelligence (AI)" is intelligence demonstrated by machines, unlike the natural intelligence displayed by humans and animals, which involves consciousness and emotionality. The term "artificial intelligence" is used to describe machines (or computers) that mimic "cognitive" functions that humans associate with the human mind, such as, for example, "learning" and "problem-solving."
[048] The term "machine learning (ML)," as used hereinbelow, is the study of computer algorithms configured to improve automatically based on received data. ML is a subset of artificial intelligence. Machine learning algorithms build a mathematical model based on sample data, known as "training data," to make predictions or decisions without being explicitly programmed to do so.
[049] The term "deep learning," as used hereinbelow, is a class of machine learning algorithms that uses multiple layers to progressively extract higher-level features from the raw input. For example, in image processing, lower layers may identify edges, while higher layers may identify the concepts relevant to a human, such as, for example, digits or letters and/or faces.
[050] The terms "artificial neural networks (ANNs)" and "neural networks (NNs)," as used hereinbelow, refer to computing systems vaguely inspired by the biological neural networks that constitute animal brains.
[051] The term "Endpoint Detection and Response (EDR)," as used hereinbelow, is a security layer for endpoints. For example, EDR may provide insights into the endpoint environments. The EDR may record events that happen on the endpoint and report them back to the enterprise's security operations center (SOC).
[052] The term "action," as used hereinbelow, is a piece of code that may tell the EDR what to do in response to a trigger. For example, the action may block a threat and/or event by sending a command to an installed antimalware application, allow the "threat" by adding it to a whitelist, send the threat back for further investigation on the backend, and/or send an event to an EDR control application.
[053] The term "trigger," as used hereinbelow, is a piece of code with conditions that will be added to the triggers section. For example, every new event may run through all of the triggers defined in the client's EDR. Once a trigger has a match, a corresponding "action" may be activated.
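As an added illustration of the trigger and action model defined above (example code, not the patent's or the applicant's own), the following Python models the client side: each new event is stored in the local database and run through every trigger in order, and the first match activates its action (block via the antimalware application, whitelist, send to the backend for investigation, or report to the EDR control application). The event fields, the three sample triggers and the command targets are constructed for this example; a definition update would replace the whole trigger list.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    """One OS event as the client event application would record it
    (the fields are assumptions for this example)."""
    kind: str                # e.g. "process_start", "file_write"
    process: str             # image name of the acting process
    parent: str = ""         # image name of the parent process
    path: str = ""           # file path involved, if any


@dataclass(frozen=True)
class Trigger:
    """A condition plus the action it activates when the condition matches."""
    name: str
    condition: Callable[[Event], bool]
    action: str              # "block" | "whitelist" | "investigate" | "report"


@dataclass
class LocalDB:
    """Endpoint-local store: past events plus the whitelist that the
    'allow' action writes to."""
    events: list = field(default_factory=list)
    whitelist: set = field(default_factory=set)


def handle_event(event: Event, triggers: list, db: LocalDB, outbox: list) -> Optional[str]:
    """Store the event, run it through all triggers, and fire the first
    matching action. `outbox` collects what the client would send out:
    a command to the antimalware app, the event to the backend for
    investigation, or a report to the EDR control application.
    Returns the name of the trigger that fired, or None."""
    db.events.append(event)
    if event.process in db.whitelist:      # allowed by an earlier action
        return None
    for trig in triggers:
        if not trig.condition(event):
            continue
        if trig.action == "block":
            outbox.append(("antimalware", f"terminate {event.process}"))
        elif trig.action == "whitelist":
            db.whitelist.add(event.process)
        elif trig.action == "investigate":
            outbox.append(("backend", {"trigger": trig.name, "event": event}))
        elif trig.action == "report":
            outbox.append(("control_app", {"trigger": trig.name, "event": event}))
        return trig.name
    return None


# Constructed sample trigger set (not rules from the patent).
SAMPLE_TRIGGERS = [
    Trigger(
        "office-app-spawns-shell",
        lambda e: e.kind == "process_start"
        and e.parent in {"winword.exe", "excel.exe"}
        and e.process in {"cmd.exe", "powershell.exe"},
        "block",
    ),
    Trigger(
        "exe-written-to-temp",
        lambda e: e.kind == "file_write" and "\\Temp\\" in e.path and e.path.endswith(".exe"),
        "investigate",
    ),
    Trigger(
        "backup-agent-known-good",
        lambda e: e.kind == "process_start" and e.process == "backupagent.exe",
        "whitelist",
    ),
]


def replay(events: list, triggers: list = SAMPLE_TRIGGERS):
    """Run events through a fresh local DB; return (fired trigger names, outbox, db)."""
    db, outbox = LocalDB(), []
    fired = [handle_event(ev, triggers, db, outbox) for ev in events]
    return fired, outbox, db


if __name__ == "__main__":
    fired, outbox, db = replay([
        Event("process_start", "powershell.exe", parent="winword.exe"),
        Event("file_write", "setup.exe", path="C:\\Users\\u\\AppData\\Local\\Temp\\x.exe"),
        Event("process_start", "backupagent.exe", parent="services.exe"),
        Event("process_start", "backupagent.exe", parent="services.exe"),
    ])
    print(fired, outbox, sorted(db.whitelist))
```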
[054] At enterprises, the company's security engineers may define events every day. They look at the current events and make new triggers telling the EDR what to do when this type of event occurs. The number of events and the event types logged by the EDR directly affect the effectiveness of the EDR solution. More comprehensive event monitoring will provide better protection and cover more attack vectors. Logging and reporting a large number of events may be very costly, both in terms of bandwidth and servers and in terms of data storage (DS) complexity, and the cost is directly affected by the number of endpoints protected by the EDR.
[055] Embodiments of this disclosure are configured to provide enterprise-grade protection to home users. An endpoint protection software is used to pass severe external independent protection tests. The transition from EDR for a company to EDR for home users is not trivial. For example, SOC engineers working on an EDR for a company are constantly looking at past data and searching for indications of security breaches they missed. Doing that on an ongoing basis may ensure their environment is as secure as possible.
[056] In some demonstrative embodiments, the EDR platform and/or application may support multiple operation modes at the same time. For example, one mode would be a research mode, while a second mode would be a Detection & response mode.
[057] In the research mode, SOC engineers may query the data to look for anomalies. For example, the SOC engineers may run queries using an EDR control application, and they get responses with details about the attack vector they are researching. This mode may also be performed by artificial intelligence (AI) that may generate and run queries on the data, receive a response, and generate and run an action to remove the anomalies based on the response and on accumulated data related to the detected anomalies.
[058] For example, every endpoint is an isolated environment. The events that occurred on the endpoint may not be unique, but the events must be analyzed according to the environment they run on as if the events were unique. Thus, every EDR client stores a local database that includes past events. It maintains a connection to an EDR communication server.
[059] In some demonstrative embodiments, the EDR communication server may be responsible for maintaining the communication channel with all the clients and for sending the clients queries to execute on their local database. The SOC engineers and/or the AI may define whether to query all of the endpoints or only a small fraction of them (using caps). Every endpoint that runs the query sends back its result, or an empty response if it does not match the query, to the EDR response server. The EDR communication server may stop collecting data once the cap for relevant matches is reached.
[060] Every iteration result may be sent to the EDR control application to be displayed to the researcher. In addition, the researcher may ask for the entire endpoint DB to be sent back in case of a match, so the researcher will be able to quickly investigate the relevant local DBs in the EDR control application without the need to interact further with the user.
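The capped query round-trip of paragraphs [059] and [060], as an added Python illustration (example code, not the patent's or the applicant's own): the server sends a query carrying an ID, a capacity (the cap) and a timeout, as paragraph [021] lists; each endpoint answers with its local-database matches or an empty response; the server stops sending once the cap of matching responses is reached, and can request the whole local DB on a match. The endpoints, their event records, the latencies and the hunt condition are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Query:
    """What the EDR server sends: ID, capacity (cap on matching responses)
    and a timeout for returning a response. The predicate stands in for the
    query text that each endpoint evaluates against its local database."""
    query_id: str
    capacity: int
    timeout_s: float
    predicate: Callable[[dict], bool]


@dataclass
class Endpoint:
    """A client with its local database of recorded events (constructed)
    and a simulated time to answer."""
    endpoint_id: str
    local_db: list
    latency_s: float = 0.05

    def run_query(self, q: Query) -> list:
        """Evaluate the query locally; an empty list is the 'no match' reply."""
        return [ev for ev in self.local_db if q.predicate(ev)]


@dataclass
class QueryResult:
    matches: dict = field(default_factory=dict)    # endpoint_id -> hits or full DB
    empty: list = field(default_factory=list)      # endpoints that replied with no match
    timed_out: list = field(default_factory=list)  # endpoints that missed the timeout
    queried: int = 0                               # endpoints the query was sent to


def run_capped_query(q: Query, endpoints: list, fetch_db_on_match: bool = False) -> QueryResult:
    """Server side of the research-mode exchange. Stops once `q.capacity`
    matching responses are in; a late endpoint is recorded as timed out
    and does not count toward the cap."""
    res = QueryResult()
    for ep in endpoints:
        if len(res.matches) >= q.capacity:
            break                                  # cap reached: stop collecting
        res.queried += 1
        if ep.latency_s > q.timeout_s:
            res.timed_out.append(ep.endpoint_id)
            continue
        hits = ep.run_query(q)
        if hits:
            # On a match the researcher may ask for the whole local DB ([060]).
            res.matches[ep.endpoint_id] = list(ep.local_db) if fetch_db_on_match else hits
        else:
            res.empty.append(ep.endpoint_id)
    return res


def _exe_started_from_temp(ev: dict) -> bool:
    """Constructed hunt condition: a process image launched from a Temp folder."""
    return ev["kind"] == "process_start" and "\\Temp\\" in ev["path"]


def _ep(eid: str, paths: list, latency: float = 0.05) -> Endpoint:
    return Endpoint(eid, [{"kind": "process_start", "path": p} for p in paths], latency)


TEMP = "C:\\Users\\u\\AppData\\Local\\Temp\\"
SAMPLE_ENDPOINTS = [                                # constructed fleet
    _ep("ep-1", ["C:\\Windows\\notepad.exe"]),
    _ep("ep-2", [TEMP + "update.exe"]),
    _ep("ep-3", [TEMP + "svc.exe"], latency=5.0),   # too slow for the timeout
    _ep("ep-4", ["C:\\Program Files\\app\\app.exe"]),
    _ep("ep-5", [TEMP + "setup.exe"]),
    _ep("ep-6", [TEMP + "x.exe"]),
]


def hunt_temp_executables(capacity: int = 2, fetch_db_on_match: bool = False) -> QueryResult:
    """One research-mode iteration over the sample fleet with the given cap."""
    q = Query("q-0001", capacity, timeout_s=1.0, predicate=_exe_started_from_temp)
    return run_capped_query(q, SAMPLE_ENDPOINTS, fetch_db_on_match)


if __name__ == "__main__":
    r = hunt_temp_executables()
    print(f"queried {r.queried}, matches {sorted(r.matches)}, "
          f"empty {r.empty}, timed out {r.timed_out}")
```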
[061] In the Detection & response mode, once a new attack vector is detected, the engineers may create a new "trigger" and "action" for the detected attack vector. For example, a trigger may be: how the EDR may detect the new attack vector in real-time, and the action may be the operation that the EDR needs to take to mitigate the attack. id="p-62" id="p-62"
[062] In some demonstrative embodiments, setting a new rule may involve defining a new "Trigger" on the "EDR control application. id="p-63" id="p-63"
[063] In some demonstrative embodiments, triggers and actions may be dynamically updated. The EDR may get at least the most updated set of rules periodically. id="p-64" id="p-64"
[064] Reference is first made to Figure 1, which is a block diagram of a system 100 to detect and respond to at least one or more systematical exceptional events 110 on one or more computerized devices of a network of computerized devices 102, according to some demonstrative embodiments.
[065] In some demonstrative embodiments, a computerized device 101, e.g., each computerized device of network 102, may include a local database 103.
[066] In some demonstrative embodiments, system 100 may include an endpoint detection and response (EDR) server 104. For example, system 100 may be configured to detect at least one or more systematical exceptional events 110 by storing at the local database 103 of the computerized device 101 at least one or more predetermined events (line 105) by a client event application 107. For example, the local database 103 may be configured to respond to a query (line 108) from the EDR server 104.
[067] In some demonstrative embodiments, the EDR server 104 may periodically send one or more queries to one or more computerized devices 101 and may receive one or more responses (line 108) from local database 103 of computerized device 101 of computerized devices network 102.
[068] For example, EDR server 104 may set a cap number on the one or more responses from the one or more computerized devices and may analyze the one or more responses to detect one or more systematical exceptional events 110.
[069] In some demonstrative embodiments, the EDR server 104 may be configured to send a detection action (line 106) to the one or more computerized devices 101. For example, the detection action (line 106) may be based on a characteristic of an event of the one or more events 105, and the client event application 107 may be configured to perform an operation when that characteristic of the event occurs.
[070] For example, the detection action (line 106) may include at least one of: a script configured to detect a threat; a script configured to collect information; a script configured to perform an operation; a script configured to send the local database to be investigated by the EDR server; a script configured to send a file to be investigated by the EDR server; an operation based on systematical exceptional event characteristics 109; a rule based on systematical exceptional event characteristics 109; a script based on systematical exceptional event characteristics 109; a script configured to send the exceptional systematical event to be investigated by the EDR server; and a script configured to send an alert to the client event application.
[071] For example, computerized device 101 may include a prevention entity (not shown). The prevention entity may be configured to implement one or more actions received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[072] For example, the action may include at least one of: a script for threat prevention; a script configured to collect information; a script configured to perform an operation; a rule for threat prevention; an operation for blocking a threat by sending a command to a prevention entity; a rule for allowing the exceptional systematical event and listing the allowed threat in a whitelist; a script configured to send the exceptional systematical event 109 to be investigated; and a script configured to send an alert to the client event application.
[073] For example, the at least one or more predetermined events may include at least one of: a threat to the operating system (OS) of the computerized device, a virus, a malware attack, a ransomware attack, and unexpected behavior of the OS.
[074] In some demonstrative embodiments, the computerized device 101 of the computerized devices network 102 may include an antivirus application. For example, the antivirus application may be configured to implement one or more actions received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[075] In some demonstrative embodiments, computerized device 101 may include a DNS server. For example, the DNS server may be configured to implement one or more actions received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[076] In some demonstrative embodiments, EDR server 104 may be configured to send an action to the one or more computerized devices within a predefined time slot.
[077] In some demonstrative embodiments, the EDR server 104 may be configured to generate one or more triggers and one or more actions for the prevention entity when the one or more systematical exceptional events 110 become a threat.
[078] For example, the threat may include at least one of: a malware attack, a ransomware attack, installing spyware, and performing hacking.
[079] In some demonstrative embodiments, EDR server 104 may be configured to generate a new action rule and send the new action rule as a definition update to the prevention entity, the client event application 107, and the local database, wherein the new action rule is generated when the action removes the threat from an operating system (OS) of the computerized device.
[080] In some demonstrative embodiments, an event of the OS of the computerized device 101 may be filtered to decide whether it should be processed, ignored, or handled immediately by taking an action based on the trigger.
[081] In some demonstrative embodiments, a response of the one or more responses (line 108) may include details on a security-related vector based on the query.
[082] In some demonstrative embodiments, the query may include at least one of a query identification (ID), a query capacity, and a timeout for returning a response.
[083] In some demonstrative embodiments, system 100 may include a definition update server (not shown), wherein the client event application 107 may be configured to update a definition handler, and the definition handler may be configured to replace a current set of filters, triggers, and actions with a new set of filters, triggers, and actions by storing the new set in the local database 103 of the computerized device 101.
[084] In some demonstrative embodiments, the query may be processed, and the result of a new test query may be sent to a response server.
[085] In some demonstrative embodiments, the client event application 107 may be configured to detect a threat on one or more files of the computerized device 101.
[086] In some demonstrative embodiments, the EDR server 104 may include an artificial intelligence (AI) engine 112. The AI engine 112 may be configured to monitor for irregularities in an operating system (OS) of the computerized device 101, generate one or more queries based on a historical queries database and the irregularities of the OS, send the one or more queries to one or more of the computerized devices 101, and generate an action based on one or more query results.
[087] In some other demonstrative embodiments, system 100 may include EDR server 104 and one or more computerized devices 101, wherein each of the one or more computerized devices 101 may be operably coupled to a local database (DB) 103. For example, the one or more computerized devices 101 may also be referred to as endpoints and may include, for example, mobile devices, desktop computers, laptop computers, workstations, terminals, and/or any other computerized device.
[088] In some demonstrative embodiments, the computerized device 101 may include the client event application 107.
[089] In some demonstrative embodiments, the client event application 107 may be configured to maintain, in the local database 103 of the computerized device 101 of the computerized devices network 102, at least one or more events 106, and may be configured to answer query 108 from EDR server 104. For example, query 108 may include a query identification (ID), a query capacity, and a timeout for returning a response.
[090] In some demonstrative embodiments, the EDR server 104 may be configured to periodically send the query to one or more computerized devices 101 through a communication server (not shown) and may receive a response (line 108) from one or more computerized devices 101. For example, the content of local database 103 may be sent to a response server (not shown) based on query 108 when requested by the EDR server 104. For example, the response may include details on a security-related vector based on query 108.
[091] In some demonstrative embodiments, the EDR server 104 may detect the event 106 on the computerized device 101 and may send a detection action 106 to one or more computerized devices 101. For example, the detection action 106 may be invoked by a trigger, and the trigger for detection action 106 may be based on a characteristic of the event 106.
[092] In some demonstrative embodiments, the one or more actions 106 may include one or more operations based on the threat characteristics. For example, the action may include at least one of: blocking a threat by sending a command to an antivirus (AV) engine, allowing the threat and listing the allowed threat in a whitelist, sending the threat to be investigated, sending an alert to the EDR control application, and/or other actions.
[093] For example, the trigger may be at least one of a threat to the OS of the computerized device, a virus, a malware attack, a ransomware attack, unexpected behavior of the OS, or the like.
[094] In some demonstrative embodiments, EDR server 104 may be configured to detect a threat and/or event among the one or more events of the computerized device 101. For example, the EDR server 104 may scan the events and/or run queries on the events 106. For example, if a threat is detected, the EDR server 104 may trigger an action to remove the threat.
[095] In some demonstrative embodiments, the EDR server 104 may be configured to detect the event 106 on the computerized device 101 and may send a test query to one or more computerized devices 101. For example, the test query may be based on the characteristics of the threat. For example, a successful test query can result in a rule.
[096] In some demonstrative embodiments, EDR server 104 may be configured to generate one or more triggers and/or one or more actions. For example, the triggers and/or actions may be stored in the local database 103 based on the threat and/or event. The local database 103 may be managed by the client event application 107. For example, the client event application 107 may be installed on the computerized device 101.
[097] In some demonstrative embodiments, the EDR server 104 may be configured to generate a new action rule and send the new action rule as a definition update to at least one of the local databases 103 and/or to a database that may be operably coupled to EDR server 104. For example, a new action may be generated when the action removes the threat and/or the event from an operating system (OS) of the computerized device 101.
[098] In some demonstrative embodiments, an event of the OS of the computerized device may be filtered to decide whether it should be processed, ignored, or handled immediately by taking action 106 based on the trigger.
[099] In some demonstrative embodiments, system 100 may include a definition update server (not shown), and the EDR server 104 may be configured to update a definition handler (not shown). For example, the definition handler may be configured to replace a current set of filters, triggers, and actions with a new set of filters, triggers, and actions by storing the new set in the local database 103 of the computerized device 101.
[0100] In some demonstrative embodiments, the EDR server 104 may be configured to detect a threat on one or more files of the computerized device.
[0101] In some demonstrative embodiments, system 100 may be controlled and/or operated by humans 111, e.g., engineers, cyber specialists, and the like. In some other demonstrative embodiments, the system 100 may be controlled and/or operated by artificial intelligence (AI). In those demonstrative embodiments, the EDR server 104 may include and/or be operably coupled to an AI engine 112. For example, the AI engine 112 may be configured to generate one or more queries based on a historical queries database and the irregularities of the OS, and may generate one or more actions based on one or more query results. The EDR server 104 may send the one or more queries 108 and the one or more operations generated by the AI engine to one or more of the computerized devices 101.
[0102] Reference is now made to Figure 2, which illustrates a block diagram of another embodiment of a system 200 for detecting and responding to at least one or more events 106 on one or more computerized devices 101, according to some demonstrative embodiments.
[0103] In some demonstrative embodiments, system 200 may include an EDR server 104 and a network of computerized devices 102 which includes one or more computerized devices 101. For example, the one or more computerized devices 101 may also be referred to as endpoints. For example, endpoints may include cellphones, mobile devices, desktop computers, laptop computers, workstations, terminals, and/or any other computerized device.
[0104] It should be understood that the below-described operation of system 200 is an example only, and other ways of operation can be performed using system 200, system 100, and any combination of components of system 100 and system 200.
[0105] In some demonstrative embodiments, the computerized device 101 of the one or more computerized devices may include a prevention entity 201. The prevention entity 201 may be configured to implement one or more actions 202 received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[0106] For example, the action may include at least one of: a script for threat prevention; a script configured to collect information; a script configured to perform an operation; a rule for threat prevention; an operation for blocking a threat by sending a command to a prevention entity; a rule for allowing the exceptional systematical event and listing the allowed threat in a whitelist; a script configured to send the exceptional systematical event to be investigated; and a script configured to send an alert to the client event application.
[0107] In some demonstrative embodiments, computerized device 101 of the one or more computerized devices 102 may include, for example, an antivirus application. For example, the antivirus application may be configured to implement one or more actions received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[0108] In some demonstrative embodiments, computerized device 101 of the one or more computerized devices may include a DNS server (not shown). The DNS server may be configured to implement one or more actions 202 received from the EDR server 104 and to prevent at least one of the one or more systematical exceptional events 110.
[0109] For example, the EDR server 104 may be configured to send action 202 to the one or more computerized devices 101 within a predefined time slot.
[0110] In some demonstrative embodiments, EDR server 104 may be configured to generate one or more triggers and one or more actions for the prevention entity 201 when the one or more systematical exceptional events 110 become a threat. For example, the threat may include at least one of: a malware attack, a ransomware attack, installing spyware, and performing hacking.
[0111] Furthermore, for example, EDR server 104 may be configured to generate a new action rule and send the new action rule as a definition update to the prevention entity 201, the client event application 107, and the local database 103. The new action rule may be generated when the action successfully removes the threat from the OS of the computerized device, e.g., computerized device 101.
[0112] In some demonstrative embodiments, prevention entity 201 may include, for example, antivirus (AV) software installed in the computerized device 101, e.g., in each computerized device. For example, the antivirus software may be operably coupled to a database (DB), e.g., an AV DB 203. The AV DB 203 may include a list of known viruses, a plurality of actions to delete the viruses from the computerized device 101, and/or other data if desired.
[0113] In some demonstrative embodiments, the EDR server 104 may be configured to periodically send a query to one or more computerized devices 101 through a communication server (not shown) and may receive a response from one or more computerized devices 101. For example, the content of local database 103 may be sent to a response server (not shown) based on the query when requested by the EDR server 104. For example, the response may include details on a security-related vector based on the query.
[0114] In some demonstrative embodiments, the EDR server 104 may detect an event on the computerized device 101 and may send an action 202 to one or more computerized devices 101 and/or endpoints. For example, action 202 may be invoked by a trigger, and the trigger for the action may be based on a characteristic of the current event and/or previous events.
[0115] In some demonstrative embodiments, one or more actions 202 may include one or more operations based on the threat characteristics. For example, action 202 may include at least one of: blocking a threat by sending a command to the prevention entity 201, e.g., an antivirus (AV) engine, allowing the threat and listing the allowed threat in a whitelist, sending the threat to be further investigated, sending an alert to the client event application 107, and/or other actions.
[0116] For example, event 106 may be at least one of a threat to the OS of the computerized device 101, a virus, a malware attack, a ransomware attack, unexpected behavior of the OS, or the like.
[0117] In some demonstrative embodiments, EDR server 104 may be configured to detect a threat and/or event on one or more resources such as, for example, files, registry, OS objects, etc., of the computerized device 101. For example, the EDR server 104 may scan the files and/or run queries on the files. If a threat is detected, the EDR server 104 may trigger an action, e.g., action 202, to remove the threat.
[0118] Reference is now made to Figure 3, which illustrates a backend diagram of a method 300 to detect events on one or more endpoints, according to some demonstrative embodiments. For example, method 300 may be run by an EDR control application 310 which may be installed on an EDR server.
[0119] In some demonstrative embodiments, an EDR control application 310 may generate a new query with parameters (line 320). For example, the new query 330 may include a query name, a query cap, a timeout to receive a response to the query, a Should_Send_DB parameter, and any other parameters. The new query may be sent (line 340) to a communication server 350.
[0120] In some demonstrative embodiments, the communication server 350 may send the query 330 to a predetermined number ("cap") of endpoints 360, e.g., computerized devices (line 355). For example, endpoints 360 may send responses (line 365) to a response server 370. Communication server 350 may wait for all endpoints to reply (diamond 385) and may check the number of responses for a query ID (line 390). If the responses for the query ID reach the "cap" (diamond 375), the response server 370 may report the results of the query ID (line 395) to the EDR control application 310; if the responses for the query ID have not reached the "cap" (diamond 375), the query ID may be sent to other endpoints (diamond 380) until the "cap" is reached.
[0121] Reference is now made to Figure 4, which illustrates an example of a method 400 of handling a client event, according to some demonstrative embodiments.
[0122] In some demonstrative embodiments, a new event (line 415), e.g., a threat, a malware attack, and the like, may be detected in an operating system (OS) 410 of an endpoint. The event may be filtered by one or more filters 420. For example, filter 420 may be one or more conditions that decide whether the new event (line 415) should be processed or ignored. If the new event (line 415) is processed, one or more triggers 430 may be activated. For example, the one or more triggers 430 may be rules set by the EDR control application 310 (Figure 3). Triggers 430 may be configured to decide whether, for example, the new event (line 415) needs to be handled immediately.
[0123] In some demonstrative embodiments, if the event (line 415) may be a risk to the OS, an action 440 may be stored in a local database 460 of the endpoint, e.g., a computerized device. For example, the action may be a to-do operation for a corresponding trigger. For example, the action may be configured to block the process responsible for triggering the new event (line 415).
[0124] In some demonstrative embodiments, triggers 430 and action 440 may be stored in local database 460 of the endpoint, e.g., computerized device 101 (Figure 1).
[0125] Reference is now made to Figure 5, which illustrates an example of a method 500 for handling a client query, according to some demonstrative embodiments.
[0126] In some demonstrative embodiments, an EDR control application 510 of EDR server 104 (Figure 1) may generate a query 520 with parameters (line 515). For example, query 520 may include a query name, a query cap, a timeout, a DB parameter, e.g., should_Send_DB, and/or any other parameters. Query 520 may be sent (line 525) to a communication server 530.
[0127] In some demonstrative embodiments, communication server 530 may send query 520 to a client, e.g., an endpoint and/or computerized device (line 535). For example, the client may include a client query handler 540. Client query handler 540 stores the received query in a query local database, e.g., local DB 103 (Figure 1) (line 545).
[0128] In some demonstrative embodiments, if query 520 has a result (diamond 555 and diamond 565), the result may be sent to a response server 580. It may also be decided whether the result should be stored in a client database, e.g., local DB 103 (Figure 1) (diamond 570). If yes, the result may be stored in the client database, e.g., local DB 103 (Figure 1) (line 575), and may be sent to response server 580 (line 560). If the decision of diamond 570 is "No," nothing further is done (shape 590).
[0129] In some demonstrative embodiments, if the query has no result (diamond 555), the client query handler 540 may send a null result (line 585) to response server 580.
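The cap-bounded fan-out described in [059] and [060] and in Figures 3 and 5 can be simulated end to end. The following Python is an added example written for this page; it is not code from the patent or from Reason Cybersecurity. Every class, field and function name in it (Query, Endpoint, ResponseServer, CommunicationServer, demo) is an assumption, since the page names the query parameters (query ID and name, cap, timeout, Should_Send_DB) but no concrete API, and the fleet of endpoints and their events are constructed for the example. It also exercises two details the page leaves implicit: an endpoint slower than the query timeout is treated as not having replied, and a matching endpoint only ships its whole local DB when Should_Send_DB is set.

```python
"""Cap-bounded distributed query over per-endpoint local event databases.

Added example for this page, not code from the patent. All names below are
assumptions; the page describes the flow (Figures 3 and 5) but no API.
"""
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


@dataclass
class Query:
    query_id: str
    name: str
    cap: int                          # stop once this many endpoints have matched
    timeout: float                    # seconds an endpoint has to answer
    should_send_db: bool              # ask matching endpoints for their whole local DB
    predicate: Callable[[Event], bool]


@dataclass
class Response:
    query_id: str
    endpoint_id: str
    matches: List[Event]              # empty list is the "null result" of Figure 5
    local_db: Optional[List[Event]] = None


class Endpoint:
    """Client query handler: keeps the local event DB and answers one query."""

    def __init__(self, endpoint_id: str, events: List[Event], latency: float = 0.0):
        self.endpoint_id = endpoint_id
        self.local_db = list(events)
        self.query_log: List[str] = []   # received queries are stored locally (line 545)
        self.latency = latency           # simulated reply time, to exercise the timeout

    def handle(self, q: Query) -> Optional[Response]:
        self.query_log.append(q.query_id)
        if self.latency > q.timeout:
            return None                  # timed out: counts as no reply at all
        matches = [e for e in self.local_db if q.predicate(e)]
        db = list(self.local_db) if (matches and q.should_send_db) else None
        return Response(q.query_id, self.endpoint_id, matches, db)


class ResponseServer:
    """Collects responses per query ID; counts are never mixed across IDs."""

    def __init__(self):
        self.by_query: Dict[str, List[Response]] = {}

    def receive(self, r: Response) -> None:
        self.by_query.setdefault(r.query_id, []).append(r)

    def matches_for(self, query_id: str) -> List[Response]:
        return [r for r in self.by_query.get(query_id, []) if r.matches]


class CommunicationServer:
    """Sends a query to `cap` endpoints at a time until `cap` matches are in."""

    def __init__(self, endpoints: List[Endpoint], response_server: ResponseServer):
        self.endpoints = endpoints
        self.responses = response_server

    def run(self, q: Query) -> dict:
        queried, rounds = 0, 0
        pending = iter(self.endpoints)           # each round consumes the next `cap` endpoints
        while len(self.responses.matches_for(q.query_id)) < q.cap:
            batch = list(itertools.islice(pending, q.cap))
            if not batch:
                break                            # every endpoint has been asked
            rounds += 1
            for ep in batch:
                queried += 1
                r = ep.handle(q)
                if r is not None:                # timed-out endpoints contribute nothing
                    self.responses.receive(r)
        hits = self.responses.matches_for(q.query_id)[: q.cap]
        return {"query_id": q.query_id, "rounds": rounds, "endpoints_queried": queried,
                "matching_endpoints": [r.endpoint_id for r in hits],
                "local_dbs": {r.endpoint_id: r.local_db for r in hits if r.local_db is not None}}


def build_demo_fleet() -> List[Endpoint]:
    """Constructed sample data: six endpoints, three holding a suspicious
    process-creation event (an Office application spawning an executable)."""
    benign = {"type": "process_create", "image": "C:\\Windows\\explorer.exe", "parent": "userinit.exe"}
    suspect = {"type": "process_create", "image": "C:\\Users\\Public\\update.exe", "parent": "winword.exe"}
    return [Endpoint("ep-01", [benign]),
            Endpoint("ep-02", [benign, suspect]),
            Endpoint("ep-03", [benign], latency=5.0),   # slower than the query timeout
            Endpoint("ep-04", [suspect]),
            Endpoint("ep-05", [benign]),
            Endpoint("ep-06", [benign, suspect])]


def demo(cap: int = 2, should_send_db: bool = True) -> dict:
    q = Query(query_id="q-0001", name="office-spawned-exe", cap=cap, timeout=2.0,
              should_send_db=should_send_db,
              predicate=lambda e: e["type"] == "process_create"
              and e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"})
    return CommunicationServer(build_demo_fleet(), ResponseServer()).run(q)
```

With the default cap of 2, the first round asks ep-01 and ep-02 and yields one match, so a second round asks ep-03 and ep-04; ep-03 exceeds the timeout and is ignored, ep-04 matches, the cap is reached and ep-05 and ep-06 are never queried. Because Should_Send_DB moves an endpoint's entire event history off the device, a deployment should treat that flag as a privileged option rather than a default.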
[0130] Reference is now made to Figure 6, which illustrates an example of a method 600 of updating a definition of a client event handler, according to some demonstrative embodiments.
[0131] In some demonstrative embodiments, an EDR control application 610 may push new triggers and actions, e.g., a test trigger (line 615), to a definition update server 620. The definition update server 620 may use update definition handler 625 to replace a current set of filters, triggers, and actions with a new set of filters, triggers, and actions (line 630).
[0132] In some demonstrative embodiments, when a new event 445 is detected on OS 640 of an endpoint, the new set of filters 650, triggers 655, and actions 635 may be used to block the event 445, as described above with reference to Figure 4. If the new action 635 blocks the event, it may be stored at local DB 660 of the computerized device 101 (Figure 1).
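The endpoint-side flow of Figure 4 (filter, then trigger, then action) and the definition update of [083] and Figure 6 can be shown together. The following Python is an added example, not code from the patent; the names (Filter, Trigger, Action, Definitions, LocalDb, ClientEventHandler, DefinitionHandler) and the sample events are assumptions constructed for illustration. Beyond what the page states, it rejects a definition update whose version is not newer than the installed one, and one whose triggers reference an action that does not exist, so that a replayed or inconsistent update can never leave the endpoint with a half-applied rule set.

```python
"""Endpoint event handling: filter -> trigger -> action, plus a definition
update that swaps the whole rule set. Added example for this page, not code
from the patent; all names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


@dataclass
class Filter:
    name: str
    keep: Callable[[Event], bool]     # True: process the event, False: ignore it


@dataclass
class Trigger:
    name: str
    matches: Callable[[Event], bool]
    action_name: str                  # the "to-do" operation for this trigger


@dataclass
class Action:
    name: str
    run: Callable[[Event], str]       # returns an outcome label for the action log


@dataclass
class Definitions:
    version: int
    filters: List[Filter]
    triggers: List[Trigger]
    actions: Dict[str, Action]


class LocalDb:
    """Kept by the client event application: past events, current definitions, actions taken."""

    def __init__(self, defs: Definitions):
        self.events: List[Event] = []
        self.defs = defs
        self.action_log: List[dict] = []


class ClientEventHandler:
    def __init__(self, db: LocalDb):
        self.db = db

    def on_event(self, ev: Event) -> Optional[str]:
        self.db.events.append(ev)                  # every event is recorded, processed or not
        d = self.db.defs
        if not all(f.keep(ev) for f in d.filters):
            return None                            # dropped by a filter
        for t in d.triggers:                       # first matching trigger wins
            if t.matches(ev):
                act = d.actions.get(t.action_name)
                if act is None:
                    return "error:unknown-action"  # a bad rule set must not fail silently
                outcome = act.run(ev)
                self.db.action_log.append({"trigger": t.name, "action": act.name,
                                           "outcome": outcome, "defs_version": d.version})
                return outcome
        return "no-trigger"


class DefinitionHandler:
    """Replaces filters, triggers and actions as one unit after validating the new set."""

    def __init__(self, db: LocalDb):
        self.db = db

    def apply(self, new: Definitions) -> bool:
        if new.version <= self.db.defs.version:
            return False                           # stale or replayed update
        if any(t.action_name not in new.actions for t in new.triggers):
            return False                           # dangling trigger: reject the whole set
        self.db.defs = new                         # single swap, never a partial state
        return True


def block_process(ev: Event) -> str:
    return f"blocked:{ev['pid']}"

def send_for_investigation(ev: Event) -> str:
    return f"sent:{ev['image']}"

def is_process_event(e: Event) -> bool:
    return e["type"] == "process_create"

def office_child(e: Event) -> bool:
    return e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}

def temp_script(e: Event) -> bool:
    img = e["image"].lower()
    return "\\temp\\" in img and img.endswith((".js", ".vbs"))


def v1_definitions() -> Definitions:
    """Initial set: an Office child process is only sent for investigation."""
    return Definitions(1, [Filter("process-only", is_process_event)],
                       [Trigger("office-child", office_child, "investigate")],
                       {"investigate": Action("investigate", send_for_investigation)})


def v2_definitions() -> Definitions:
    """After research: the same trigger now blocks, and scripts run from Temp are covered."""
    return Definitions(2, [Filter("process-only", is_process_event)],
                       [Trigger("office-child", office_child, "block"),
                        Trigger("temp-script", temp_script, "block")],
                       {"block": Action("block", block_process),
                        "investigate": Action("investigate", send_for_investigation)})


SAMPLE_EVENTS: List[Event] = [  # constructed sample data, not from the page
    {"type": "file_write", "image": "notepad.exe", "parent": "explorer.exe", "pid": "100"},
    {"type": "process_create", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\x.js",
     "parent": "wscript.exe", "pid": "200"},
    {"type": "process_create", "image": "C:\\Users\\Public\\update.exe",
     "parent": "WINWORD.EXE", "pid": "300"},
]


def demo() -> dict:
    db = LocalDb(v1_definitions())
    handler = ClientEventHandler(db)
    before = [handler.on_event(e) for e in SAMPLE_EVENTS]
    updater = DefinitionHandler(db)
    accepted = updater.apply(v2_definitions())
    replay_rejected = not updater.apply(v1_definitions())   # older version must be refused
    after = [handler.on_event(e) for e in SAMPLE_EVENTS]
    return {"before": before, "after": after, "accepted": accepted,
            "replay_rejected": replay_rejected, "actions_logged": len(db.action_log)}
```

Under the v1 set the file-write event is filtered out, the Temp script matches no trigger, and the Office child is only sent for investigation; after the v2 update both process events are blocked. The update is applied as a single reference swap after validation, so an event arriving during the update sees either the old set or the new set and never a mix, and recording defs_version with each logged action lets a researcher tell later which rule set produced a given block.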
[0133] Reference is now made to Figure 7, which is a schematic illustration of a product of manufacture 700. Product 700 may include one or more tangible, computer-readable, non-transitory storage media 710, which may include computer-executable instructions 720, implemented by processing device 730, that when executed by at least one computer processor enable an EDR server 104 (Figure 1) to detect and block events, e.g., threats, on one or more OSs, for example, of computerized devices at home and/or in offices, as described above with reference to Figures 1 - 6. Other instructions may be stored at a client event application that handles the events on the computerized device as described with reference to Figures 1 - 2. The phrase "non-transitory machine-readable medium" is directed to include all computer-readable media, with the sole exception being a transitory propagating signal.
[0134] In some demonstrative embodiments, product 700 and/or machine-readable storage medium 710 may include one or more types of computer-readable storage media capable of storing data, including volatile memory, non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and the like. For example, machine-readable storage medium 710 may include any type of memory, such as, for example, RAM, DRAM, ROM, programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), Flash memory, a hard disk drive (HDD), a solid-state disk drive (SSD), a fusion drive, and the like. The computer-readable storage media may include any suitable media involved with downloading or transferring a computer program from a remote computer to a requesting computer carried by data signals embodied in a carrier wave or other propagation medium through a communication link, e.g., a modem, radio, or network connection.
[0135] In some demonstrative embodiments, processing device 730 may include logic. The logic may include instructions, data, and/or code, which, if executed by a machine, may cause the machine to perform a method, process, and/or operations as described herein. The machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware, software, firmware, and the like.
[0136] In some demonstrative embodiments, processing device 730 may include or may be implemented as software, firmware, a software module, an application, a program, a subroutine, instructions, an instruction set, computing code, words, values, symbols, and the like. Instructions 720 may include any suitable types of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. Instructions may be implemented according to a predefined computer language, manner, or syntax for instructing a processor to perform a specific function. The instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled, and/or interpreted programming language, such as C, C++, C#, Java, Python, BASIC, Matlab, assembly language, machine code, markup language, and the like.
[0137] It is to be understood that the system and/or the method for implementing an operation of an EDR system is described hereinabove by way of example only. Other embodiments may be implemented based on the detailed description and the claims that follow.
[0138] It is to be understood that numerals in the drawings represent elements through several figures and that not all components and/or steps described and illustrated with reference to the figures are required for all embodiments or arrangements.
[0139] It should also be understood that the embodiments, implementations, and/or arrangements of the systems and methods disclosed herein can be incorporated as a software algorithm, application, program, module, or code residing in hardware, firmware, and/or on a computer-usable medium (including software modules and browser plug-ins) that can be executed in a processor of a computer system or a computing device to configure the processor and/or other elements to perform the functions and/or operations described herein.
[0140] It should be appreciated that according to at least one embodiment, one or more computer programs, modules, and/or applications that, when executed, perform methods of the present invention need not reside on a single computer or processor but can be distributed in a modular fashion amongst a number of different computers or processors to implement various aspects of the systems and methods disclosed herein.
[0141] Thus, illustrative embodiments and arrangements of the present systems and methods provide a computer-implemented method, computer system, and computer program product for processing code(s). The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments and arrangements. In this regard, each block in the flowchart or block diagrams can represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
[0142] It should also be noted that, in some alternative implementations, the functions noted in the block can occur out of the order noted in the figures. For example, two blocks shown in succession may be executed substantially concurrently, or the blocks can sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
[0143] The terminology used herein is to describe particular embodiments only and is not intended to limit the disclosure. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
[0144] Also, the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. The use of "including," "comprising," "having," "containing," "involving," and variations thereof herein is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.
[0145] The subject matter described above is provided by way of illustration only and should not be construed as limiting. Various modifications and changes can be made to the subject matter described herein without following the example embodiments and applications illustrated and described and without departing from the true spirit and scope of the present invention, which is set forth in the following claims.

Claims (24)

CLAIMS What is claimed is:
1. A system to detect and respond to at least one or more systematical exceptional events on one or more computerized devices of a network of computerized devices, wherein each computerized device of the network comprises a local database and the system comprises an endpoint detection and response (EDR) server, wherein the system is configured to detect the at least one or more systematical exceptional events by: storing at the local database of the computerized device at least one or more predetermined events by a client event application, wherein the local database is configured to respond to a query from the EDR server; periodically sending by the EDR server one or more queries to one or more computerized devices and receiving by the EDR server one or more responses from the local database of the computerized device of the one or more computerized devices, wherein a cap number of the one or more responses from the one or more computerized devices is set by the EDR server; and analyzing the one or more responses by the EDR server to detect one or more systematical exceptional events.
2. The system of claim 1, wherein the EDR server is configured to send a detection action to the one or more computerized devices, wherein the detection action is based on a characteristic of an event of one or more events, the client event application is configured to perform an operation when a characteristic of the event occurs.
3. The system of claim 2, wherein the detection action comprises at least one of: a script configured to detect a threat; a script configured to collect information; a script configured to perform an operation; a script configured to send the local database to be investigated by the EDR server; a script configured to send a file to be investigated by the EDR server; an operation based on systematical exceptional events characteristics; a rule based on systematical exceptional events characteristics; a script based on systematical exceptional events characteristics; a script configured to send the exceptional systematical event to be investigated by the EDR server; and a script configured to send an alert to the client event application.
4. The system of claim 1, wherein the computerized device of the one or more computerized devices comprises a prevention entity, the prevention entity is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
5. The system of claim 4, wherein the action comprises at least one of: a script for threat prevention; a script configured to collect information; a script configured to perform an operation; a rule for threat prevention; an operation for blocking a threat by sending a command to a prevention entity; a rule for allowing the exceptional systematical event and listing the allowed threat in a whitelist; a script configured to send the exceptional systematical event to be investigated; and a script configured to send an alert to the client event application.
6. The system of claim 1, wherein the at least one or more predetermined events comprise at least one of: a threat to the operating system (OS) of the computerized device, a virus, a malware attack, a ransom attack and unexpected behavior of the OS.
7. The system of claim 1, wherein the computerized device of the one or more computerized devices comprises an antivirus application, the antivirus application is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
8. The system of claim 1, wherein the computerized device of the one or more computerized devices comprises a DNS Server, the DNS Server is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
9. The system of claim 1, wherein the EDR server is configured to send an action to the one or more computerized devices within a predefined time slot.
10. The system of claim 4, wherein the EDR server is configured to: generate one or more triggers and one or more actions to the prevention entity when the one or more systematical exceptional events become a threat.
11. The system of claim 10, wherein the threat comprises at least one of: a malware attack, a ransomware attack, installing spyware and performing hacking.
12. The system of claim 10, wherein the EDR server is configured to: generate a new action rule and send the new action rule as a definition update to the prevention entity, the client event application, and to the local database, wherein the new action rule is generated when the action removes the threat from an operating system (OS) of the computerized device.
13. The system of claim 12, wherein an event of the OS of the computerized device is filtered to decide if to be processed or be ignored or to be triggered to handle immediately by taking an action based on the trigger.
14. The system of claim 1, wherein a response of the one or more responses comprises details on a security-related vector based on the query.
15. The system of claim 1, wherein the query comprises: a query identification (ID), a query capacity, and a timeout for returning a response.
16. The system of claim 1 comprises a definition update server, wherein the client event application is configured to: update a definition handler, and the definition handler is configured to replace a current set of filters, triggers, and actions with a new set of filters, triggers, and actions by storing the new set in the local database of the computerized device.
17. The system of claim 1, wherein the query is processed, and a result of a new test query is sent to a response server.
18. The system of claim 1, wherein the client event application is configured to detect a threat on one or more files of the computerized device.
19. The system of claim 1, wherein the EDR server comprises an artificial intelligence (AI) engine, wherein the AI engine is configured to: monitor for irregularities in an operating system (OS) of the computerized device; generate one or more queries based on a historical queries database and the irregularities of the OS; send the one or more queries to one or more of the computerized devices; and generate an action based on one or more query results.
20. A method of an endpoint detection and response (EDR) system for detecting and responding to at least one or more systematical exceptional events on one or more computerized devices of a network of computerized devices, wherein each computerized device of the network comprises a local database, the method comprising: storing at the local database of the computerized device at least one or more predetermined events by a client event application, wherein the local database is configured to respond to a query from the EDR server; periodically sending by the EDR server one or more queries to one or more computerized devices and receiving by the EDR server one or more responses from the local database of the computerized device of the one or more computerized devices, wherein a cap number of the one or more responses from the one or more computerized devices is set by the EDR server; and analyzing the one or more responses by the EDR server to detect one or more systematical exceptional events.
21. The method of claim 20 comprises: sending a detection action to the one or more computerized devices, wherein the detection action is based on a characteristic of an event of one or more events, the client event application is configured to perform an operation when a characteristic of the event occurs.
22. The method of claim 20, wherein the computerized device of the one or more computerized devices comprise a prevention entity, the prevention entity is configured to implement one or more actions received from the EDR server and to prevent at least one of the one or more systematical exceptional events.
23. The method of claim 19 comprises: generating one or more triggers or one or more actions to be stored in a database of the prevention entity when the one or more systematical exceptional events become a threat.
24. A computerized device protected by an endpoint detection and response (EDR) system comprising a client event application configured to: store at a local database of the computerized device at least one or more predetermined events; respond to a query from an EDR server; periodically receive from the EDR server one or more queries and send to the EDR server one or more responses from the local database to be analyzed by the EDR server to detect one or more systematical exceptional events, wherein the computerized device is one of one or more computerized devices of a computerized devices network monitored by the EDR server and the number of responses sent to the EDR server is limited to a cap number for the computerized network.
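The claims above describe a mechanism rather than an implementation: each endpoint keeps predetermined events in a local database (claim 1), decides per OS event whether it is ignored, processed or triggers an immediate action (claim 13), and answers server queries that carry a query ID, a capacity and a timeout (claim 15), while the server caps the number of responses it accepts and looks for the same exceptional event recurring across the fleet. The following is an added example written for this page, not code from the patent or from Reason Cybersecurity, that simulates that loop end to end. The filter set, event kinds, host names, the SQLite schema and the rule "an event kind seen on at least N distinct hosts is systematical" are all assumptions chosen for illustration; latency is modelled as a per-endpoint number rather than real network delay so the example runs offline.

```python
"""Added illustration of the query/response loop the claims describe. Example
code, not the patent's or Reason Cybersecurity's: every endpoint stores
predetermined events in a local SQLite table after passing them through a
filter set (ignore / process / trigger); the EDR server sends a query carrying
an ID, a response capacity and a timeout, accepts at most `capacity` timely
responses, and flags an event kind reported by several distinct endpoints as a
systematical exceptional event."""
import sqlite3
from dataclasses import dataclass

# Hypothetical definition set (the patent does not publish its filters in this
# form): per event kind, what the client event application does with it.
FILTERS = {
    "login": "ignore",                   # too noisy to keep locally
    "driver_load_unsigned": "process",   # keep for later server queries
    "ransom_note_written": "trigger",    # keep and act immediately
}

def classify(kind, filters=FILTERS):
    """Unknown kinds are stored ('process'), never dropped silently."""
    return filters.get(kind, "process")

@dataclass
class Query:
    query_id: str
    sql: str           # run against each endpoint's local event table
    capacity: int      # cap on the number of responses the server accepts
    timeout_s: float   # responses slower than this are discarded

class Endpoint:
    """Client event application together with its local database."""
    def __init__(self, host, latency_s=0.0):
        self.host, self.latency_s, self.triggered = host, latency_s, []
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE events (ts REAL, kind TEXT, detail TEXT)")

    def ingest(self, ts, kind, detail):
        verdict = classify(kind)
        if verdict != "ignore":
            self.db.execute("INSERT INTO events VALUES (?,?,?)", (ts, kind, detail))
        if verdict == "trigger":
            self.triggered.append((ts, kind, detail))   # immediate local action
        return verdict

    def respond(self, query):
        rows = self.db.execute(query.sql).fetchall()
        return {"host": self.host, "query_id": query.query_id,
                "latency_s": self.latency_s, "rows": rows}

def collect(query, endpoints):
    """EDR server side: stop at `capacity` responses; late ones are dropped and
    do not count toward the cap."""
    responses = []
    for ep in endpoints:
        if len(responses) >= query.capacity:
            break
        r = ep.respond(query)
        if r["latency_s"] > query.timeout_s:
            continue
        responses.append(r)
    return responses

def detect_systematical(responses, min_hosts):
    """Event kinds seen on at least `min_hosts` distinct endpoints."""
    hosts = {}
    for r in responses:
        for _ts, kind, _detail in r["rows"]:
            hosts.setdefault(kind, set()).add(r["host"])
    return {k: sorted(h) for k, h in hosts.items() if len(h) >= min_hosts}

def run_example():
    # Constructed fleet and events for the demonstration, not data from the patent.
    fleet = [Endpoint("ws-01"), Endpoint("ws-02"), Endpoint("ws-03", latency_s=9.0),
             Endpoint("ws-04"), Endpoint("ws-05")]
    sample = [("ws-01", 1000.0, "driver_load_unsigned", r"c:\tmp\x.sys"),
              ("ws-01", 1001.0, "login", "alice"),
              ("ws-02", 1003.0, "driver_load_unsigned", r"c:\tmp\x.sys"),
              ("ws-03", 1005.0, "driver_load_unsigned", r"c:\tmp\x.sys"),
              ("ws-04", 1010.0, "ransom_note_written", r"c:\users\bob\README.txt"),
              ("ws-05", 1012.0, "driver_load_unsigned", r"c:\tmp\x.sys")]
    by_host = {ep.host: ep for ep in fleet}
    for host, ts, kind, detail in sample:
        by_host[host].ingest(ts, kind, detail)
    q = Query("q-0001", "SELECT ts, kind, detail FROM events WHERE ts >= 990",
              capacity=4, timeout_s=5.0)
    responses = collect(q, fleet)
    return {"answered": [r["host"] for r in responses],
            "systematical": detect_systematical(responses, min_hosts=3),
            "triggered": {ep.host: ep.triggered for ep in fleet if ep.triggered}}

if __name__ == "__main__":
    print(run_example())
```

Two points the claims leave implicit show up in the run: ws-03 holds the same unsigned driver load as the others but answers after the timeout, so it neither counts toward the cap nor toward the host threshold, and the fleet-wide detection still fires from the three timely hosts; the ransom note on ws-04 never waits for a server query because its filter verdict is "trigger", which is the claim 13 path of acting locally and immediately.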
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
IL302585A (IL) | 2023-05-02 | 2023-05-02 | System and method for detecting and responding to events in a computing device
PCT/IL2024/050367 (published as WO2024228181A1) | 2023-05-02 | 2024-04-15 | System and method detecting and responding to events on computerized device

Publications (1)

Publication Number | Publication Date
IL302585A (en) | 2024-12-01

Family

ID=93332836

Country Status (2)

Country | Link
IL | IL302585A (en)
WO | WO2024228181A1 (en), published 2024-11-07

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
JP7531816B2 * | 2020-11-26 | 2024-08-13 | NPCore Incorporated | Image-based malicious code detection method and device and artificial intelligence-based endpoint threat detection and response system using the same
GB2626472A * | 2021-10-11 | 2024-07-24 | Sophos Ltd | Augmented threat investigation
