US20150222646A1 - Tagging Security-Relevant System Objects - Google Patents

Tagging Security-Relevant System Objects Download PDF

Info

Publication number
US20150222646A1
US20150222646A1 US14/169,401 US201414169401A US2015222646A1 US 20150222646 A1 US20150222646 A1 US 20150222646A1 US 201414169401 A US201414169401 A US 201414169401A US 2015222646 A1 US2015222646 A1 US 2015222646A1
Authority
US
United States
Prior art keywords
tag
tags
data object
system components
method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/169,401
Inventor
David F. Diehl
Maxime Lamothe-Brassard
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Crowdstrike Inc
Original Assignee
Crowdstrike Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Crowdstrike Inc filed Critical Crowdstrike Inc
Priority to US14/169,401 priority Critical patent/US20150222646A1/en
Assigned to CROWDSTRIKE, INC. reassignment CROWDSTRIKE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LAMOTHE-BRASSARD, Maxime, DIEHL, DAVID F.
Publication of US20150222646A1 publication Critical patent/US20150222646A1/en
Assigned to SILICON VALLEY BANK reassignment SILICON VALLEY BANK SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CROWDSTRIKE, INC.
Application status is Abandoned legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of instances of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.

Description

    BACKGROUND
  • With Internet use forming an ever-greater part of day-to-day life, malicious software (often referred to as “malware”) and other security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments, businesses and individuals may devote significant resources to preventing intrusions, damage and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware and rootkits. Such security exploits can be delivered in or through a variety of mechanisms, such as phishing emails, malicious clickable links, infected documents, infected executables, or infected archives.
  • Tools for addressing these threats may apply conditional logic, testing whether some aspect of a system component, such as a process or file, matches one of more criteria. Based on meeting the criteria, the tools may take some action or actions. Modifications to the criteria, which may alter the system components that are identified, may be cumbersome. For instance, such modifications may require changes to the source code of the tools and recompiling of the tools.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.
  • FIG. 1 illustrates an example framework and devices for enabling interaction between a monitored device and a security service cloud.
  • FIG. 2 illustrates an example system component associated with an event, the filtering of the event based on a configurable policy, and the assigning of a tag to a data object representing the system component based on the event and the filtering.
  • FIG. 3 illustrates example system components associated with an event and the propagation of a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
  • FIG. 4 illustrates a tree object representing an execution chain of instances of system components, the assigning of tags to the tree object, and the assigning of a tag for the tree object to data objects representing the system components.
  • FIG. 5 illustrates one entity subscribing to the user-specified tags of another entity and assigning those user-specified tags to ones of the data objects of monitored devices of the entity.
  • FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
  • DETAILED DESCRIPTION
  • This disclosure includes techniques and arrangements for assigning tags to data objects representing system components associated with security-relevant system events (hereinafter simply “events”) and for propagating tags among the data objects based on those events and on a configurable policy. As used herein, the term “tag” refers to data object metadata that acts as a label or classifier of a data object. A tag may be a string, an integer, a hash, a binary flag, or some other efficient representation. Tags enable filtering of data objects for reporting, decision-making, and event generation and allow reclassification of data objects without any need for recoding or recompiling.
  • In various embodiments, one or more monitored devices may each be equipped with a security agent to monitor events on those respective one or more computing devices and a data store to maintain data objects representative of system components associated with those events. Those monitored computing devices may be in communication with devices of a security service cloud. The security service cloud may be also be configured to monitor events on those monitored computing devices and to maintain data objects representative of system components associated with those events in a data object store of the security service cloud. The security agents and security service cloud may monitor the same events, different events, or overlapping sets of events. Also, in some embodiments, the security agents may simply detect events and inform the security service cloud of those detected events. The data object stores of the security agents and security service cloud may include data objects representing the same system components, data objects representing different system components, or an overlapping set of data objects.
  • A security agent or security service cloud may first assign tags to the data objects based on a configurable policy. Such tags may be considered “taxonomic tags” which classify a type, function, role, etc. of a system component. For example, “document program” may be such a “taxonomic tag.” The security agent or security service cloud may also assign tags to data objects based on the observed behaviors or characteristics of the system components they represent. For instance, if a process repeatedly opens document files, the security agent or security service cloud may assign the tag “document program” to the process.
  • The security agent or security service cloud may detect or be informed of events and the system components associated with those events. Such events could include processes spawning other processes or threads, processes creating or opening files, etc. These events may include all events occurring on a monitored computing device or a subset of those events. If a subset, the security agent or security service cloud may be configured to filter events based on a configuration of the security agent or on a configurable policy (as used herein, “configurable policy” may refer to the configuration of the security agent or to a policy utilized by the security agent or security service cloud).
  • Based on the detected event and on the configurable policy, the security agent or security service cloud may propagate a tag assigned to one data object representing a system component associated with the event to another data object representing another of the system components associated with the event. For example, if a process creates a file, the security agent or security service cloud may propagate one or more tags of the data object for that process to the data object for that file. The security agent or security service cloud may propagate all of the tags of the data object for the process or only a subset of those tags based at least in part on the configurable policy. Propagation may occur in both directions, too; tags of the data object representing the file may also be propagated to the data object representing the process. In another example, a process may spawn multiple threads, and the security agent or security service cloud may propagate one or more tags of the data object for that process to all or only a subset of the data objects for those threads based at least in part on the configurable policy.
  • In some embodiments, the security agent or security service cloud may generate a data object that represents detected event and assign a tag to that data object, such as “suspicious event.” Such tags may be updated in response to detecting a subsequent event. For example, if a first event is merely suspicious, it may later be seen as security exploit activity if a second event occurs. In such a case, the tag may be updated to reflect the additional context (e.g., the tag “suspicious event” may be updated to “exploit activity”).
  • In various embodiments, the security agent or security service cloud may also create a tree object to represent an execution chain of instances of the system objects associated with the event. For example, if an event involves one process executing another process, that execution chain could be represented in a tree object. If the other process then creates a file, that file could also be represented in the tree object. The security agent or security service cloud can assign tags to the tree object and can assign a tree object tag to data objects representing the system components with appear in the tree object. Through the tree object tag, tags assigned to the tree object may be considered as tags of the data objects assigned the tree object tag. This enables retrospective classification of system components. For instance, nothing may be suspicious about a particular process when it first executes another. But if that other process then goes on to execute a further process, and the further process performs an action recognized as security exploit activity, the tag “security exploit” may be assigned to the tree object representing that execution chain. And because a tree object tag for that tree object is assigned to the original process, that original process now, through the tree object tag and tree object, has the tag “security exploit.”
  • In further embodiments, the security agent or security service cloud may enable a user to assign tags to data objects representing system components. These user-specified tags may be utilized by security agents of an entity associated with the user. Such tags may be utilized to classify system components that have not yet been classified in the configurable policy. For example, a particular process may be a document program, but a security agent utilizing the configurable policy may not recognize the process as such. The user may assign the tag “document program” to the data object representing that process. These user-specified tags may then later be considered in updating the configurable policy and taxonomic tags. Also, an entity may subscribe to another entity's user-specified tags, causing that other entity's user-specified tags to be assigned to the entity's data objects.
  • In some embodiments, the security agent or security service cloud may then utilize the tags to make decisions, generate reports, or even generate events. For example, if a tag is propagated to a data object that has been assigned a tag that conflicts with the propagated tag, the security agent or security service cloud may generate a tag conflict event.
  • Additionally, the security agent or security service cloud may update the tags assigned to the data objects based on an update to the configurable policy. Such updating may allow for reclassification without burdensome activities like recoding or recompiling the security agent or security service cloud.
  • Example Framework and Devices
  • FIG. 1 illustrates an example framework and systems for enabling interaction between a monitored device and a remote security service. As illustrated, one of more monitored devices 102 may be connected to security service computing devices 104 of a security service cloud via a network 106. In various embodiments, the monitored devices 102 may each be a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices. When implemented on multiple computing devices, a monitored device 102 may distribute its modules and data among the multiple computing devices. In some implementations, a monitored device 102 represents one or more virtual machines implemented on one or more computing devices. Also, each monitored device 102 may be associated with an entity, and the entity or entities may in turn have security service arrangements with a security service provider. The security service provider may in turn operate a security service cloud, which may include the security service computing devices 104.
  • In some embodiments, the security service computing devices 104 may each be or include a server or server farm, multiple, distributed server farms, a mainframe, a work station, a PC, a laptop computer, a tablet computer, a PDA, a cellular phone, a media center, an embedded system, or any other sort of device or devices. In one implementation, the security service computing devices 104 implementing the security service cloud represent a plurality of computing devices working in communication, such as a cloud computing network of nodes. When implemented on multiple computing devices, a security service computing device 104 may distribute its modules and data among the multiple computing devices. In some implementations, one or more of the security service computing devices 104 represent one or more virtual machines implemented on one or more computing devices.
  • The network 106 may include any one or more networks, such as wired networks, wireless networks, and combinations of wired and wireless networks. Further, the network 106 may include any one or combination of multiple different types of public or private networks (e.g., cable networks, the Internet, wireless networks, etc.). For example, the network 106 may include a public network and a client network associated with one of the entities. Such a client network may each be a private network. In some instances, computing devices communicate over the network 106 using a secure protocol (e.g., Hypertext Transfer Protocol Secure (https)) and/or any other protocol or set of protocols, such as the transmission control protocol/Internet protocol (TCP/IP).
  • As is further shown, each monitored device 102 may have a processor 108, and each security service computing device 104 may have a processor 110. Processors 108 and 110 may each be a central processing unit (CPU), a graphics processing unit (GPU), or both CPU and GPU, or other processing unit or component known in the art. Processors 108 and 110 may be different types of processing units or components or may be of the same type.
  • Each monitored device 102 may also have a communication interface 112, and each security service computing device 104 may have a communication interface 114. The communication interfaces 112 and 114 may be any sort of wired or wireless interfaces (or both) that enable their respective devices to communicate over the network 106 with other devices, including with each other. The communication interfaces 112 and 114 may be the same or different types of communication interfaces.
  • The monitored device(s) 102 each have input/output (I/O) devices 116, and the security service computing devices 104 each have I/O devices 118. The I/O devices 116 and 118 may include input devices, such as a keyboard, a mouse, a touch-sensitive display, voice input device, etc., and output devices such as a display, speakers, a printer, etc. The I/O devices 116 and 118 may be the same or different types of I/O devices. The I/O devices 116 of the monitored device(s) 102 may be used to enter user-specified tags, to subscribe to other entities' tags, and to view reports. The I/O devices 118 of the security service computing devices 104 may be used to specify the configurable policy, specify taxonomic tags, and view reports.
  • In various embodiments, each monitored device has one or more computer-readable media 120, and each security service computing device 104 has one or more computer-readable media 122. Computer-readable media 120 and 122 may include any tangible, non-transitory storage media. For instance, computer-readable media 120 and 122 may include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the respective monitored device 102 or security service computing device 104. Further, computer-readable media 120 and 122 may be removable and/or non-removable.
  • As illustrated in FIG. 1, the computer-readable media 120 of each monitored device 102 stores a security agent 124. The security agent 124 may be a kernel-level agent or may reside partly on a monitored device 102 and partly on the security service cloud. The security agent 124 may include event consumers that receive notifications of events associated with execution activities of system components 126, filters, an event bus that routes the events to other module(s) of the security agent 124, correlators that track types of events and/or maintain state associated with events, and actors that gather state information and act upon events. The security agent 124 may be installed by and configurable by a security service cloud, such as by one or more of the security service devices 104, receiving, and applying while live, reconfigurations of module(s) of the security agent 124. The security agent 124 may also receive and apply, while live, configurable policies from the security service cloud. Such configurable policies may be the same as or different from the configuration of the security agent 124. An example security agent is described in greater detail in U.S. patent application Ser. No. 13/492,672, entitled “Kernel-Level Security Agent” and filed on Jun. 8, 2012.
  • The system components 126 may be any sort of module, process, thread, file, driver, service, pipe, handle, named kernel object, memory segment, user, cryptographic signer and signature authority, registry key, Internet Protocol (IP) address and subnet, domain name service (DNS) domain, or fully-qualified domain name (FQDN) of the monitored device 102. A system component 126 that is a module may be identified by a hash of its contents. These system components 126 may include both platform and application components. As mentioned, the security agent 124 receives notifications of execution activities, such as events, associated with these system components 126, filters and dispatched the events in accordance with the configuration of the security agent 124, and acts upon the events. Such actions may simply be recording and further monitoring or may rise to the level of remediation or alerts. In monitoring these events, the security agent 124 attempts to detect indications of exploit code 128 or other malicious activity of an adversary 130.
  • The security agent 124 may further include or be associated with a data object store 132. While FIG. 1 shows the data object store 132 as separate from the security agent 124, it is to be understood that the data object store 132 may either be a part of the security agent 124 or may be separate from and associated with the security agent 124. The data object store 132 may represent current and past states of the monitored device 102. The past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state. The data object store 132 may have at least three roles. In a first role, the data object store 132 may serve as a historian, providing access to past states of the monitored device 102 that are no longer stored elsewhere on the monitored device 102. In a second role, the data object store 132 may service as a validator, maintaining an independent model of the state of the monitored device 102 that can be used to detect malicious modifications of the host operating system state storage of the monitored device 102. In a third role, the data object store 132 provides a cache of configuration, information, and state that are received from a remote security service, that are computationally expensive to generate or fetch, or that are high-latency to fetch. An example of such a data object store is described in greater detail in U.S. patent application Ser. No. 13/728,746, entitled “Real-Time Representation of Security-Relevant System State” and filed on Dec. 27, 2012.
  • The data object store 132 may include a plurality of data objects 134 that represent system components 126 and events. These data objects 134 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events. The security agent 124, through any of its actors or correlators, may create and update the data objects 134. In some embodiments, the data object store 132 may also be associated with functional components that are capable of creating and updating the data objects 134 based on events received from filter and dispatch components of the security agent 124.
  • In various embodiments, the data object store 132 may also maintain one or more tree objects 136. Tree objects 136 may represent execution chains of instances of system components 126. Whether or not the security agent 124 creates a tree object 136 responsive to an event may be determined based on the configurable policy received from the security service cloud.
  • As is further shown in FIG. 1, the data object store 132 may maintain tags 138 for some or all of the data objects 134 and tree objects 136. Each tag 138 acts as a label or classifier of a data object 134 or a tree objects 136. While the tags 138 are shown separately from the data objects 134 and tree objects 136 in FIG. 1, it is to be understood that each tag 138 may be stored as metadata of a specific data object 134 or tree object 136, although such storage may be contiguous or non-contiguous.
  • Tags 138 may have structure. The presence of a tag 138 can require another tag 138 (e.g., “Office2010” requires “Office” requires “document program”) or at least one member of a set of tags 138 (e.g., “updater” requires some other tag 138 indicating something which can be updated). Alternatively, such structure may be avoided with a hierarchy or via tag duplication. Such alternatives may be considered to avoid the computational expense of the tag structure. Tags 138 can also be mutually exclusive with each other (e.g., “document program” and “system program” may be mutually exclusive).
  • Further, tags 138 may be of any of a number of varieties, such as taxonomic tags 140, tree tags 142, and social tags 144. Tags 138 may also be of any of any number of different types, depending on implementation. Taxonomic tags 140 may be centrally declared and standardized (e.g., by the security agent 124 or by the security service cloud), and may be used to pass defined indications that may enable decision-making and direct actions. In some embodiments, taxonomic tags 140 may only be assigned by security service cloud code or authorized employees of the security service provider through controlled interfaces. Examples of taxonomic tags 140 may be classifications, such as a “CS_ShowInUI” tag for use in detections. Taxonomic tags 140 may be flagged to never display to a customer.
  • Tree tags 142 are dynamically created on a monitored device 102 along with tree objects 136 and serve to identify those tree objects 136. Each tree tag 142 may be assigned to data objects 134 which represent system components 126 that are included the tree object 142 identified by that tree tag 142. Tree tags 142 serve to associate data objects 134 with the taxonomic tags 140, social tags 144, or other tags 138 that are assigned to their respective tree objects 136.
  • Social tags 144 may be created and assigned by users of the monitored devices 102. Social tags 144 may be controlled by an entity associated with a monitored device 102 rather than centrally controlled by the security service cloud. The social tags 144 may, however, be provided to the security service cloud and have indirect effects on the security service cloud based on data analytics or manual propagation rules using the social tags 144 to assign taxonomic tags 140. Social tags 144 may include the identifier of the entities whose users created those social tags 144. Also, many taxonomic tags 140 may appear as social tags 144. For example, with a user associated with an entity may assign a “document program” tag 144 to an executable that the security service cloud has not classified with a taxonomic tag 140.
  • Also, in some embodiments, the tags 138 may include a tag 138 for a “system” data object 134 that can be tagged to adjust overall posture of the monitored device 102, as a lightweight alternative to full multi-modal configurations. This may cause the event filtering of the security agent 124 to start with a posture check.
  • In various embodiments, the security agent 124 may, in accordance with the configurable policy received from the security service cloud, assign tags 138 to data objects 134. For example, the security agent 124 may assign taxonomic tags 140 to at least some of the data objects 134 based on the types, observed behaviors, or characteristics of the system components 126 or events that those data objects 134 represent. The security agent 124 may also assign tags 138 to tree objects 136 based at least in part on the configurable policy. The security agent 124 may assign or remove tags 138 from data objects 134 or tree objects 136 directly with standard events, allowing dynamic control of tags 138, both programmatically and manually. Also, or instead, tag assignment may be triggered by any detected event. In such circumstances, tags 138 may be assigned to the data objects 134 representing the system components 126 associated with the event, to a data object 134 that represents the detected event, or to both.
  • Further, as illustrated in FIG. 2, the security agent 124 may assign tags 138 to data objects 134 based on events and on the configurable policy. At 202, the security agent 124 may detect the occurrence of an event associated with a system component 126, such as a file 204. The security agent 124 may then, at 206, filter the event based on the configurable policy. Based on the detection of the event and the filtering, the security agent 124 then, at 208, assigns a tag 138, such as tag X 210, to the data object 134 representing the system component 126 (e.g., file data object 212 representing file 204).
  • In some embodiments, tags 138 may be propagated between data objects 134 by the security agent 124 based at least in part on the configurable policy and on detecting an event. When the security agent 124 detects an event, the security agent 124 consults the configurable policy and determines which tags 138 should be propagated among the data objects 134 representing the system components 126 associated with the event. For example, if a parent process creates a child process, some or all of the tags 138 of the data object 134 representing the parent process may be propagated by the security agent 124 to the data object 134 representing the child process. Which tags 138 are propagated may be determined based on propagation rules associated with the tags 138 and included in the configurable policy. The configurable policy may include a propagation mask for each tag 138 that indicates the events that will cause the propagation of that tag 138. Such propagation masks may be compiler-generated bitmasks for each propagating event, allowing for a small, fixed number of operations for even a very large number of tags 138.
  • For example, in accordance with the configurable policy, a process may acquire some tags 138 by propagation from a file it loads, and we might define different propagation behavior based on whether or not the file was loaded as a primary module.
  • FIG. 3 illustrates one example of such a tag propagation. As illustrated in FIG. 3, a security agent 124 may detect 302 an event that is associated with a process 304 and a file 306. For example, the process 304 might create, read, write to, or delete the file 306. In response, and in accordance with the configurable policy, the security agent 124 may propagate 308 a tag 310 (shown as “tag X 310”) from data object 312 representing the process 304 to a data object 314 representing the file 306. The process data object 312 may also have additional tags, such as tag Y 316, which are not propagated to the file data object 314, in accordance with the configurable policy.
  • As described above, the security agent 124 may create tree objects 136 and tree tags 142 in accordance with the configurable policy. FIG. 4 illustrates an example of such tree object creation and tree tag assignment. As shown in FIG. 4, a security agent 124 detects 402 an event associated with a process 404 and a file 406, such as the execution of the file 406 by the process 404. In response, and in accordance with the configurable policy, the security agent 124 constructs 408 a tree object 410 for the execution chain 412 of the process 404 executing the file 406. Subsequent to creating the tree object 410, the security agent 124 may expand the representation of the execution chain 412 to represent additional events and instances of system components. For example, if the file 406 is an executable that then reads another file, the security agent 124 may update the representation of the execution chain 412 in the tree object 410 to reflect the extension of the execution chain 412. The security agent 124 may also assign tags 138 to the tree object 410, such as tag A 414 and tag B 416. These tags 414 and 416 may be taxonomic tags 140 or social tags 144. The security agent 124 may assign the tags 414 and 416 in accordance with the configurable policy. For example, if a system component 126 or event included in the execution chain 412 is determined to be suspicious, the tag “suspicious” could be assigned to the tree object 410. When creating the tree object 410, the security agent 124 also creates a tree tag 142 for the tree object 410 and assigns 418 the tree tag 142 (shown as “Tag T 420”) to data objects 422 and 424 representing the process 404 and file 406, respectively. While data objects 422 and 424 are each shown as being assigned only a single tree tag 142, it is to be understood that any data object 134, such as data objects 422 and 424, may have multiple tree tags 142 assigned to it if the system component 126 or event represented by that data object 134 appears in multiple tree objects 136. The data objects 422 and 424 may also have other tags 138 assigned to them. For example, the process data object 422 may have a tag C 426 assigned to it. When the security agent 124 subsequently filters the data objects 422 and 424 based on tags 138, the security agent 124 will consider, for instance, the process data object 422 to have tag C 426, tag T 420, and by virtue of tag T 420, both tag A 414 and tag B 416 as well. Process data object 422 will be considered to have tag A 414 and tag B 416 transitively—there is no need for these tags 414 and 416 to be explicitly assigned as their association with tree tag T 420 is sufficient to ensure their application to the process data object 422.
  • Returning to FIG. 1, the security agent 124 or a user interface received from the security service provider (e.g., a web page) may also enable a user of the monitored device 102 to subscribe to social tags 146 of another entity 148 on behalf of the entity associated with the monitored device 102. The monitored device 102 may then received the social tags 146, either directly from monitored devices of the other entity 148 or through a security service computing device 104 of the security service cloud. The monitored device 102 may also continue to receive the subscribed-to social tags 146 on an ongoing basis, as the social tags 146 are created. Upon receiving the social tags 146, the security agent 124 may assign the social tags 146 to data objects 134. The social tags 146 are assign to data objects 134 that are equivalents of the data objects of the other entity. “Equivalent” data objects may be those representing a same or similar type of system component 126 or event. Upon receiving and assigning the social tags 146, those social tags 146 may be considered part of social tags 144.
  • Social tags 144 can be used to provide a number of capabilities; for instance, social tags 144 may be used arbitrarily for annotation, allowing coordination between multiple analysts and across entities. Social tags 144 on patterns and files can allow for expression of entity preferences about policy and priority of different patterns, and to allow entities to rapidly whitelist local programs and files overall or with respect to specific patterns.
  • FIG. 5 illustrates an example of subscription to another entity's social tags. As illustrated in FIG. 5, a first entity 502 may subscribe 504 to social tags 506 of a second entity 508. The social tags 506 may be assigned to data objects, such as data object 510, which represent system components 126 or events of monitored devices 102 of the second entity 508. Responsive to the subscription, the first entity 502 may receive 512 the social tags 506. Security agents 124 of the monitored devices 102 of the first entity 502 may then assign the social tags 506 to data objects 514. Data objects 514 may then have both any tags of their own, such as tag D 516, and the subscribed-to social tags 506.
  • In various embodiments, referring again to FIG. 1, the security agent 124 may utilize the tags 138 for reporting, decision-making, or event-generating. The security agent 124 may utilize the configurable policy and tags 138 to filter the data objects 134. The result of that filtering may then be utilized to generate a report, which may be provided to a user of the monitored device 102 through the security agent 124 or through a user interface provided by the security service cloud (e.g., a web page). The security agent 124 may also or instead make a decision based on the filtered data objects 134. For example, if the filtered data objects 134 include any data objects 134 with the tag 138 “suspicious”, the security agent 134 may decide to perform additional monitoring or take remedial action. Further, the security agent 124 may generate events. For example, if the security agent 124 propagates a tag 138 to a data object 134, and that data object 134 has another tag 138 that conflicts with the propagated tag 138, the security agent 124 may generate an event indicative of a tag conflict.
  • Tags 138 can also be used by the security agent 124 to trigger runtime policy. For example, a tag 138 could indicate that a process should not be allowed to make outbound network connections. Such tags 138 take their effect from the configurable policy that is used by the security agent 124 to filter on the presence of the tag 138.
  • In various embodiments, the security service computing devices 104 of the security service cloud may each maintain in its computer-readable media 122, a data object store 150, which may include data objects 152 and tags 154. The data object store 150 may represent current and past states of one or more of the monitored devices 102. The past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state(s). The data object store 150 may include a plurality of data objects 152 that represent system components 126 and events of the one or more monitored computing devices. These data objects 152 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events. The data object store 150 may maintain separate graphs for each of the monitored devices 102, a graph for multiple ones of the monitored devices, or both. A graph representing multiple ones of the monitored devices 102 may include representation of events associated with system components 126 from multiple monitored devices 102, such as a process on one monitored device 102 accessing a file on another monitored device 102. While not shown, the data object store 150 may include copies of the tree objects 136 created on the monitored devices 102.
  • In some embodiments, the tags 154 may be represent a superset of the tags 138 of the one or more monitored devices 102. Because the taxonomic tags 140 may be centrally created by the security service computing devices 104, the taxonomic tags 140 included in the tags 154 may be the same as, or at least include all of, the taxonomic tags 140 included in the tags 138. The taxonomic tags 140 included in the tags 154 may also include additional taxonomic tags 140 that have not yet been assigned to any data objects 134 or tree objects 136 of the monitored devices. The tree tags 142 of the tags 154, in addition to identifying tree objects 136 of monitored devices 102, also include identifiers of the monitored devices 102 to which the tree objects 136 belong. The social tags 144 of the tags 154 include identifications of the entities that created those social tags 144. As mentioned above, the security service cloud may utilize these social tags 144 in defining additional taxonomic tags 140.
  • The communications model for tags 138 and 154 implemented by the security agents 124 and the security service cloud may define under what circumstances tags 138 flow between monitored devices 102 and security service computing devices 104. This flow may be implemented as another propagation operation, or possibly as two operations: one to passively forward tag 138 and another to push changes to the tag assignment proactively.
  • In further embodiments, the security modules 156 of the security service computing devices may be configured to provide information security services to individual users and client entities through their monitored devices 102, such as maintenance and configuration of the security agent 124 and data object store 134, threat modeling, and/or remediation. The security modules 156 may include a configuration module 158 to configure the security agents 124 and to provide the configurable policy to the security agents 124, a monitoring module 160 to detect events on the monitored devices 102 or to receive indications of the occurrences of those events, and a social module 162 to enable social aspects of the security services, such as the sharing of social tags 144.
  • In further embodiments, the security modules 156 may build and maintain the data object store 150. The monitoring module 160 of the security modules 156 may detect events or receive indications of the occurrence of events and use that information to build the data object store 150. Such information may be received in substantially real time as the events are observed. The configuration module 158 may configure the monitored devices 102, specifying the events that the monitored devices 102 are to notify the monitoring module 160 of and the tags 138 which the monitored devices 102 are to share. Further, the configuration module 158 may update the configurable policy and disseminate the updated configurable policy to the monitored devices 102. Such an updated configurable policy may result in the updating of assignments of tags 138, removing some tags 138 and adding others. The updated configurable policy may also update propagation masks for tags 138, resulting in different propagation behaviors.
  • In some embodiments, the social module 162 may also provide social aspects to the security services, forming groups of users and/or client entities and automatically sharing security information among the users and/or client entities constituting a group. Alternatively or additionally, the social module 162 may enable the users or entities to subscribe to the social tags 144 of other users or other entities and enable the exchange of the subscribed-to tags 144, either retrieving and providing them or enabling users/entities to provide the social tags 144 to each other directly.
  • While not shown, the security modules 156 may also include one or more modules to act filter the tags 154 and act upon the filtering. Such actions may include decision-making, report-generating, or event-generating, in the manner described above with respect to the security agent 124. The actions may further include causing the configuration module 158 to update the configurable policy.
  • Example Processes
  • FIG. 6 illustrates an example processes. This process is illustrated as a logical flow graph, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the processes.
  • FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components. The process includes, at 602, a security agent or security service cloud assigning tags to data objects representing system components of a computing device. Such assignment may be based on a configurable policy. The tags may each be one of a string, an integer, a hash, or a binary flag, and the system components may include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs). Also, the tags may have structure; a tag can imply another tag or be mutually exclusive with another tag. Further, a tag may be associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag (either in addition to the previous tag or replacing the previous tag) that is associated with the classification of the system component. At 604, the assigning may include enabling a user to associate the tag with a system component represented by a data object and assigning that user-associated tag to the data object. At 606, the assigning may include assigning a tag based at least in part on observed behavior or characteristics of a system component represented by a data object. Additionally or instead, the assigning may include assigning a tag to a data object representing a system component based at least in part on detecting an event associated with that system component and on filtering of that event using the configurable policy.
  • At 608, a security agent of a first entity may subscribe to user-specified tags of a second entity. The security agent may then assign the second entity's user-specified tags to data objects representing system components of computing devices of the first entity.
  • At 610, the security agent or security service cloud may detect an event occurring on a computing device that is associated with multiple system components of the computing device.
  • At 612, based on the configurable policy, the security agent or security service cloud may assign another tag to a data object representing the detection of the event. At 614, the security agent or security service cloud may detect a subsequent event and, based at least in part on detecting the subsequent event, update the other tag.
  • At 616, the security agent or security service cloud may construct a tree object representing an execution chain of instances of at least a subset of the system components. The security agent or security service cloud may construct the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components. The subset of system components may include both processes and non-process system components. At 618, the security agent or security service cloud may assign a tag for the tree object to the data objects representing the subset of the system components.
  • At 30620, based at least in part on detecting the event and on the configurable policy, the security agent or security service cloud propagates a tag that is assigned to a data object representing one system component of the plurality of system components to another data object representing another of the plurality of system components. In some embodiments, the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object. Also or instead, the propagating may comprise propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components. Further, the system components may be system components of a computing device and the propagating may be performed by one or more other computing devices. In such embodiments, the data object and other data object may be stored on the one or more other computing devices. In addition, in some embodiments, the system component represented by the data object may be a system component of a first computing device, the other system component represented by the other data object may be a system component of a second computing device, and the propagating may be performed by any of the first computing device, the second computing device, or third one or more computing devices.
  • At 622, the security agent or security service cloud may generate an event based on the tag propagation. For example, the propagated tag may be mutually exclusive with another tag associated with the other data object, and the security agent or security service cloud may generate an event indicative of a tag conflict. Also or instead, at 624624, based at least in part on tags associated with data objects representing the plurality of system components, the security agent or security service cloud may perform at least one of making a decision or generating a report.
  • CONCLUSION
  • Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as example forms of implementing the claims.

Claims (26)

What is claimed is:
1. A computer-implemented method comprising:
detecting an event associated with a system component;
filtering the event based on a configurable policy; and
based at least in part on the detecting and the filtering, assigning a tag to a data object representing the system component.
2. The method of claim 1, wherein the detecting, the filtering, and the assigning are performed by a kernel-level security agent.
3. The method of claim 1, wherein the tag is one of a string, an integer, a hash, or a binary flag.
4. The method of claim 1, further comprising assigning, based at least in part on the configurable policy, another tag to a data object representing the detection of the event.
5. The method of claim 1, wherein the tag can imply another tag or be mutually exclusive with another tag.
6. The method of claim 1, wherein the assigning is based at least in part on observed behavior or characteristics of the system component represented by the data object.
7. The method of claim 1, wherein the tag is associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag that is associated with the classification of the system component.
8. The method of claim 1, further comprising, based at least in part on the tag associated with the data object representing the system component, performing at least one of making a decision or generating a report.
9. The method of claim 1, further comprising:
enabling a user to associate the tag with the system component represented by the data object, and
performing the assigning of the tag to the data object based at least in part on the user associating the tag with the system component.
10. The method of claim 9, wherein the tag is shareable with one or more other users of one entity that subscribes to tags associated by the user or another user of another entity with the system component.
11. A computer-implemented method comprising:
detecting an event associated with a plurality of system components; and
based at least in part on a configurable policy and on detecting the event, propagating a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components.
12. The method of claim 11, wherein the tag is one of a string, an integer, a hash, or a binary flag.
13. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object.
14. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components.
15. The method of claim 11, wherein the tag is mutually exclusive with another tag associated with the other data object, and the method further comprises generating an event indicative of a tag conflict.
16. The method of claim 11, wherein the system components include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs).
17. The method of claim 11, wherein the tag is associated with a tree object that represents instances of at least a subset of the plurality of system components.
18. The method of claim 11, wherein the system components are system components of a computing device and the propagating is performed by one or more other computing devices, the data object and other data object being stored on the one or more other computing devices.
19. The method of claim 11, wherein the system component represented by the data object is a system component of a first computing device, the other system component represented by the other data object is a system component of a second computing device, and the propagating is performed by any of the first computing device, the second computing device, or a third one or more computing devices.
20. A system comprising:
a processor;
a memory coupled to the processor, the memory storing:
data objects representing a plurality of system components,
a tree object representing an execution chain of instances of at least a subset of the system components, and
executable instructions, which, when operated by the processor, perform operations including:
assigning a tag for the tree object to the data objects representing the subset of the system components,
assigning one or more tags to the tree object, those tags applying to the data objects having the tag for the tree object, and
making a decision based at least in part on tags assigned to the data objects representing the subset of the system components and the tags assigned to tree object.
21. The system of claim 20, wherein the operations further include constructing the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components.
22. The system of claim 20, wherein the subset of system component includes both processes and non-process system components.
23. The system of claim 20, wherein the memory stores multiple tree objects, and tags for the multiple tree objects are assigned to a data object representing a system component which appears in execution chains represented by the multiple tree objects.
24. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
subscribing, by an entity, to user-specified tags of another entity, the user-specified tags being associated with data objects representing system components of computing devices of the other entity,
assigning the other entity's user-specified tags to data objects representing system components of computing devices of the entity; and
making a decision based at least in part on the other entity's user-specified tags.
25. The one or more non-transitory computer-readable media of claim 24, wherein one of the user-specified tags is a taxonomic tag applied to an unclassified system component.
26. The one or more non-transitory computer-readable media of claim 24, wherein user-specified tags are shared with a service cloud and utilized by the service cloud in determining global changes in tag assignments.
US14/169,401 2014-01-31 2014-01-31 Tagging Security-Relevant System Objects Abandoned US20150222646A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/169,401 US20150222646A1 (en) 2014-01-31 2014-01-31 Tagging Security-Relevant System Objects

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US14/169,401 US20150222646A1 (en) 2014-01-31 2014-01-31 Tagging Security-Relevant System Objects
CA2935764A CA2935764A1 (en) 2014-01-31 2015-01-29 Tagging security-relevant system objects
JP2016549102A JP2017512329A (en) 2014-01-31 2015-01-29 Tagging system objects that are relevant to security
PCT/US2015/013522 WO2015116819A1 (en) 2014-01-31 2015-01-29 Tagging security-relevant system objects
EP15743323.6A EP3100202A4 (en) 2014-01-31 2015-01-29 Tagging security-relevant system objects
AU2015210929A AU2015210929A1 (en) 2014-01-31 2015-01-29 Tagging security-relevant system objects
US15/433,535 US10015199B2 (en) 2014-01-31 2017-02-15 Processing security-relevant events using tagged trees

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/433,535 Division US10015199B2 (en) 2014-01-31 2017-02-15 Processing security-relevant events using tagged trees

Publications (1)

Publication Number Publication Date
US20150222646A1 true US20150222646A1 (en) 2015-08-06

Family

ID=53755819

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/169,401 Abandoned US20150222646A1 (en) 2014-01-31 2014-01-31 Tagging Security-Relevant System Objects
US15/433,535 Active US10015199B2 (en) 2014-01-31 2017-02-15 Processing security-relevant events using tagged trees

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/433,535 Active US10015199B2 (en) 2014-01-31 2017-02-15 Processing security-relevant events using tagged trees

Country Status (6)

Country Link
US (2) US20150222646A1 (en)
EP (1) EP3100202A4 (en)
JP (1) JP2017512329A (en)
AU (1) AU2015210929A1 (en)
CA (1) CA2935764A1 (en)
WO (1) WO2015116819A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160142424A1 (en) * 2014-11-19 2016-05-19 Sec.Do Technologies Ltd. System and method thereof for identifying and responding to security incidents based on preemptive forensics
US10015199B2 (en) 2014-01-31 2018-07-03 Crowdstrike, Inc. Processing security-relevant events using tagged trees
US10270805B2 (en) * 2017-12-12 2019-04-23 Cyber Secdo Ltd. System and method thereof for identifying and responding to security incidents based on preemptive forensics

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5721913A (en) * 1994-05-05 1998-02-24 Lucent Technologies Inc. Integrated activity management system
US20030101357A1 (en) * 2001-11-29 2003-05-29 Ectel Ltd. Fraud detection in a distributed telecommunications networks
US20040049693A1 (en) * 2002-09-11 2004-03-11 Enterasys Networks, Inc. Modular system for detecting, filtering and providing notice about attack events associated with network security
US20060101263A1 (en) * 2004-11-08 2006-05-11 Microsoft Corporation System and method of allowing user mode applications with access to file data
US20060143688A1 (en) * 2004-10-29 2006-06-29 Core Sdi, Incorporated Establishing and enforcing security and privacy policies in web-based applications
US20070113289A1 (en) * 2004-11-17 2007-05-17 Steven Blumenau Systems and Methods for Cross-System Digital Asset Tag Propagation
US7583187B1 (en) * 2006-07-11 2009-09-01 Mcafee, Inc. System, method and computer program product for automatically summarizing security events
US20110107419A1 (en) * 2009-11-02 2011-05-05 Seth Kelby Vidal Systems and methods for improved identification and analysis of threats to a computing system
US8127360B1 (en) * 2006-06-29 2012-02-28 Symantec Corporation Method and apparatus for detecting leakage of sensitive information
US20120063649A1 (en) * 2010-09-15 2012-03-15 Microsoft Corporation User-specific attribute customization
US20120124594A1 (en) * 2009-07-23 2012-05-17 Nec Corporation Event processing system, distribution controller, event processing method, distribution control method, and program storage medium
US20120137375A1 (en) * 2010-09-20 2012-05-31 Georgia Tech Research Corporation Security systems and methods to reduce data leaks in enterprise networks
US8291494B1 (en) * 2008-07-08 2012-10-16 Mcafee, Inc. System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object
US20120304247A1 (en) * 2011-05-25 2012-11-29 John Badger System and process for hierarchical tagging with permissions
US20130051624A1 (en) * 2011-03-22 2013-02-28 Panasonic Corporation Moving object detection apparatus and moving object detection method
US20130332981A1 (en) * 2012-06-08 2013-12-12 Eric Paris Method and system for extending selinux policy with enforcement of file name translations
US20140115010A1 (en) * 2012-10-18 2014-04-24 Google Inc. Propagating information through networks
US20140223555A1 (en) * 2011-02-10 2014-08-07 Telefonica, S.A. Method and system for improving security threats detection in communication networks

Family Cites Families (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0944432A (en) * 1995-05-24 1997-02-14 Fuji Xerox Co Ltd Information processing method and information processor
US20020156814A1 (en) * 1997-01-13 2002-10-24 Ho Bruce K. Method and apparatus for visual business computing
DE19747583B4 (en) * 1997-10-28 2006-04-20 Telefonaktiebolaget Lm Ericsson (Publ) Communication system and method
US6088804A (en) 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US7418504B2 (en) 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US6925631B2 (en) * 2000-12-08 2005-08-02 Hewlett-Packard Development Company, L.P. Method, computer system and computer program product for processing extensible markup language streams
JP3842573B2 (en) * 2001-03-30 2006-11-08 株式会社東芝 Structured document search method, a structured document management apparatus and program
EP1709571A4 (en) 2003-12-16 2009-06-17 Aerulean Plant Identification System and method for plant identification
JP4327698B2 (en) * 2004-10-19 2009-09-09 富士通株式会社 Network viruses activity detection program, processing methods and systems
US7765410B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation System and method of aggregating the knowledge base of antivirus software applications
US7765400B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation Aggregation of the knowledge base of antivirus software
US7698744B2 (en) 2004-12-03 2010-04-13 Whitecell Software Inc. Secure system for allowing the execution of authorized computer program code
US8365293B2 (en) 2005-01-25 2013-01-29 Redphone Security, Inc. Securing computer network interactions between entities with authorization assurances
JP4660264B2 (en) * 2005-04-22 2011-03-30 株式会社東芝 Information processing apparatus and program
US7874001B2 (en) 2005-07-15 2011-01-18 Microsoft Corporation Detecting user-mode rootkits
US20070094496A1 (en) 2005-10-25 2007-04-26 Michael Burtscher System and method for kernel-level pestware management
US8201243B2 (en) 2006-04-20 2012-06-12 Webroot Inc. Backwards researching activity indicative of pestware
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US9111088B2 (en) * 2006-08-14 2015-08-18 Quantum Security, Inc. Policy-based physical security system for restricting access to computer resources and data flow through network equipment
US8321677B2 (en) 2006-09-21 2012-11-27 Google Inc. Pre-binding and tight binding of an on-line identity to a digital signature
GB0620855D0 (en) * 2006-10-19 2006-11-29 Dovetail Software Corp Ltd Data processing apparatus and method
US8181264B2 (en) * 2007-02-07 2012-05-15 Apple Inc. Method and apparatus for deferred security analysis
US8565799B2 (en) 2007-04-04 2013-10-22 Qualcomm Incorporated Methods and apparatus for flow data acquisition in a multi-frequency network
US8918717B2 (en) * 2007-05-07 2014-12-23 International Business Machines Corporation Method and sytem for providing collaborative tag sets to assist in the use and navigation of a folksonomy
US8065728B2 (en) 2007-09-10 2011-11-22 Wisconsin Alumni Research Foundation Malware prevention system monitoring kernel events
US7769767B2 (en) * 2007-09-27 2010-08-03 Domingo Enterprises, Llc System and method for filtering content on a mobile device based on contextual tagging
AT539542T (en) 2008-02-11 2012-01-15 Dolby Lab Licensing Corp Dynamic dns-system for private networks
US20090216806A1 (en) 2008-02-24 2009-08-27 Allofme Ltd. Digital assets internet timeline aggregation and sharing platform
JP2009266034A (en) 2008-04-25 2009-11-12 Hitachi Ltd Information flow control system
GB0815587D0 (en) 2008-08-27 2008-10-01 Applied Neural Technologies Ltd Computer/network security application
US8401195B2 (en) 2008-09-22 2013-03-19 Motorola Solutions, Inc. Method of automatically populating a list of managed secure communications group members
US8234693B2 (en) 2008-12-05 2012-07-31 Raytheon Company Secure document management
KR20100078081A (en) 2008-12-30 2010-07-08 (주) 세인트 시큐리티 System and method for detecting unknown malicious codes by analyzing kernel based system events
KR101021708B1 (en) 2009-01-20 2011-03-15 성균관대학교산학협력단 Group Key Distribution Method and Server and Client for Implementing the Same
WO2010105260A1 (en) 2009-03-13 2010-09-16 Assa Abloy Ab Transfer device for sensitive material such as a cryptographic key
US9098310B2 (en) * 2009-10-29 2015-08-04 International Business Machines Corporation Constructing and deploying patterns of flows
KR101038048B1 (en) 2009-12-21 2011-06-01 한국인터넷진흥원 Botnet malicious behavior real-time analyzing system
US8739284B1 (en) * 2010-01-06 2014-05-27 Symantec Corporation Systems and methods for blocking and removing internet-traversing malware
US8621628B2 (en) 2010-02-25 2013-12-31 Microsoft Corporation Protecting user mode processes from improper tampering or termination
US9384112B2 (en) 2010-07-01 2016-07-05 Logrhythm, Inc. Log collection, structuring and processing
KR101329847B1 (en) 2010-07-26 2013-11-14 주식회사 팬택 Portable terminal and method for social network service that use human body communication
KR20120072266A (en) 2010-12-23 2012-07-03 한국전자통신연구원 Apparatus for controlling security condition of a global network
US8762298B1 (en) 2011-01-05 2014-06-24 Narus, Inc. Machine learning based botnet detection using real-time connectivity graph based traffic features
US20120246297A1 (en) 2011-03-25 2012-09-27 Vijaya Shanker Agent based monitoring for saas it service management
WO2012135192A2 (en) 2011-03-28 2012-10-04 Mcafee, Inc. System and method for virtual machine monitor based anti-malware security
US8813227B2 (en) 2011-03-29 2014-08-19 Mcafee, Inc. System and method for below-operating system regulation and control of self-modifying code
US8612405B1 (en) * 2011-09-30 2013-12-17 Emc Corporation System and method of dynamic data object upgrades
US9043864B2 (en) * 2011-09-30 2015-05-26 Oracle International Corporation Constraint definition for conditional policy attachments
US8832162B2 (en) * 2012-03-25 2014-09-09 Think Computer Corporation Method and system for storing, categorizing and distributing information concerning relationships between data
US9081960B2 (en) 2012-04-27 2015-07-14 Ut-Battelle, Llc Architecture for removable media USB-ARM
IL219597D0 (en) * 2012-05-03 2012-10-31 Syndrome X Ltd Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
US9043903B2 (en) 2012-06-08 2015-05-26 Crowdstrike, Inc. Kernel-level security agent
US9292881B2 (en) 2012-06-29 2016-03-22 Crowdstrike, Inc. Social sharing of security information in a group
US9047463B2 (en) * 2012-06-29 2015-06-02 Sri International Method and system for protecting data flow at a mobile device
US9124637B2 (en) * 2013-01-18 2015-09-01 Apple Inc. Data protection for keychain syncing
US9270659B2 (en) 2013-11-12 2016-02-23 At&T Intellectual Property I, L.P. Open connection manager virtualization at system-on-chip
US20150222646A1 (en) 2014-01-31 2015-08-06 Crowdstrike, Inc. Tagging Security-Relevant System Objects

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5721913A (en) * 1994-05-05 1998-02-24 Lucent Technologies Inc. Integrated activity management system
US20030101357A1 (en) * 2001-11-29 2003-05-29 Ectel Ltd. Fraud detection in a distributed telecommunications networks
US20040049693A1 (en) * 2002-09-11 2004-03-11 Enterasys Networks, Inc. Modular system for detecting, filtering and providing notice about attack events associated with network security
US20060143688A1 (en) * 2004-10-29 2006-06-29 Core Sdi, Incorporated Establishing and enforcing security and privacy policies in web-based applications
US20060101263A1 (en) * 2004-11-08 2006-05-11 Microsoft Corporation System and method of allowing user mode applications with access to file data
US20070113289A1 (en) * 2004-11-17 2007-05-17 Steven Blumenau Systems and Methods for Cross-System Digital Asset Tag Propagation
US8127360B1 (en) * 2006-06-29 2012-02-28 Symantec Corporation Method and apparatus for detecting leakage of sensitive information
US7583187B1 (en) * 2006-07-11 2009-09-01 Mcafee, Inc. System, method and computer program product for automatically summarizing security events
US8291494B1 (en) * 2008-07-08 2012-10-16 Mcafee, Inc. System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object
US20120124594A1 (en) * 2009-07-23 2012-05-17 Nec Corporation Event processing system, distribution controller, event processing method, distribution control method, and program storage medium
US20110107419A1 (en) * 2009-11-02 2011-05-05 Seth Kelby Vidal Systems and methods for improved identification and analysis of threats to a computing system
US20120063649A1 (en) * 2010-09-15 2012-03-15 Microsoft Corporation User-specific attribute customization
US20120137375A1 (en) * 2010-09-20 2012-05-31 Georgia Tech Research Corporation Security systems and methods to reduce data leaks in enterprise networks
US20140223555A1 (en) * 2011-02-10 2014-08-07 Telefonica, S.A. Method and system for improving security threats detection in communication networks
US20130051624A1 (en) * 2011-03-22 2013-02-28 Panasonic Corporation Moving object detection apparatus and moving object detection method
US20120304247A1 (en) * 2011-05-25 2012-11-29 John Badger System and process for hierarchical tagging with permissions
US20130332981A1 (en) * 2012-06-08 2013-12-12 Eric Paris Method and system for extending selinux policy with enforcement of file name translations
US20140115010A1 (en) * 2012-10-18 2014-04-24 Google Inc. Propagating information through networks

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015199B2 (en) 2014-01-31 2018-07-03 Crowdstrike, Inc. Processing security-relevant events using tagged trees
US20160142424A1 (en) * 2014-11-19 2016-05-19 Sec.Do Technologies Ltd. System and method thereof for identifying and responding to security incidents based on preemptive forensics
US9888031B2 (en) * 2014-11-19 2018-02-06 Cyber Secdo Ltd. System and method thereof for identifying and responding to security incidents based on preemptive forensics
US10270805B2 (en) * 2017-12-12 2019-04-23 Cyber Secdo Ltd. System and method thereof for identifying and responding to security incidents based on preemptive forensics

Also Published As

Publication number Publication date
JP2017512329A (en) 2017-05-18
US10015199B2 (en) 2018-07-03
EP3100202A4 (en) 2017-10-04
CA2935764A1 (en) 2015-08-06
AU2015210929A1 (en) 2016-07-14
EP3100202A1 (en) 2016-12-07
WO2015116819A1 (en) 2015-08-06
US20170163686A1 (en) 2017-06-08

Similar Documents

Publication Publication Date Title
US8700561B2 (en) System and method for providing data protection workflows in a network environment
US8438644B2 (en) Information system security based on threat vectors
US9628507B2 (en) Advanced persistent threat (APT) detection center
US8478708B1 (en) System and method for determining risk posed by a web user
US20160269430A1 (en) Security action of network packet based on signature and reputation
US20170063889A1 (en) Machine-generated traffic detection (beaconing)
US20170134425A1 (en) Cyber security sharing and identification system
US8468602B2 (en) System and method for host-level malware detection
US9152789B2 (en) Systems and methods for dynamic cloud-based malware behavior analysis
US9672355B2 (en) Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US9094291B1 (en) Partial risk score calculation for a data object
US20110041179A1 (en) Malware detection
Tamersoy et al. Guilt by association: large scale malware detection by mining file-relation graphs
US8549643B1 (en) Using decoys by a data loss prevention system to protect against unscripted activity
CN102741824A (en) Systems and methods for behavioral sandboxing
Mahmood et al. Security analytics: Big data analytics for cybersecurity: A review of trends, techniques and tools
US8875293B2 (en) System, method, and logic for classifying communications
EP3262815A1 (en) System and method for securing an enterprise computing environment
US8407804B2 (en) System and method of whitelisting parent virtual images
US9104864B2 (en) Threat detection through the accumulated detection of threat characteristics
US20170286678A1 (en) Behavior Profiling for Malware Detection
US9832214B2 (en) Method and apparatus for classifying and combining computer attack information
US9886581B2 (en) Automated intelligence graph construction and countermeasure deployment
US9686293B2 (en) Systems and methods for malware detection and mitigation
CA2934311C (en) Cybersecurity system

Legal Events

Date Code Title Description
AS Assignment

Owner name: CROWDSTRIKE, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DIEHL, DAVID F.;LAMOTHE-BRASSARD, MAXIME;SIGNING DATES FROM 20140127 TO 20140130;REEL/FRAME:032104/0348

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNOR:CROWDSTRIKE, INC.;REEL/FRAME:043300/0283

Effective date: 20170301