US20150222646A1 - Tagging Security-Relevant System Objects - Google Patents
- Publication number: US20150222646A1 (application US 14/169,401)
- Authority: US (United States)
- Prior art keywords: tag, tags, data object, system components, system component
- Legal status: Abandoned (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/00 (network security), under H04L—Transmission of digital information:
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- H04L63/20—Managing network security; network security policies in general
- G06F21/00 (security arrangements for protecting computers, components thereof, programs or data against unauthorised activity), under G06F—Electric digital data processing:
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- malware: malicious software
- Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware and rootkits.
- Such security exploits can be delivered in or through a variety of mechanisms, such as phishing emails, malicious clickable links, infected documents, infected executables, or infected archives.
- Tools for addressing these threats may apply conditional logic, testing whether some aspect of a system component, such as a process or file, matches one or more criteria. Based on meeting the criteria, the tools may take some action or actions. Modifications to the criteria, which may alter the system components that are identified, may be cumbersome. For instance, such modifications may require changes to the source code of the tools and recompiling of the tools.
- FIG. 1 illustrates an example framework and devices for enabling interaction between a monitored device and a security service cloud.
- FIG. 2 illustrates an example system component associated with an event, the filtering of the event based on a configurable policy, and the assigning of a tag to a data object representing the system component based on the event and the filtering.
- FIG. 3 illustrates example system components associated with an event and the propagation of a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
- FIG. 4 illustrates a tree object representing an execution chain of instances of system components, the assigning of tags to the tree object, and the assigning of a tag for the tree object to data objects representing the system components.
- FIG. 5 illustrates one entity subscribing to the user-specified tags of another entity and assigning those user-specified tags to ones of the data objects of monitored devices of the entity.
- FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
- tags refers to data object metadata that acts as a label or classifier of a data object.
- a tag may be a string, an integer, a hash, a binary flag, or some other efficient representation. Tags enable filtering of data objects for reporting, decision-making, and event generation and allow reclassification of data objects without any need for recoding or recompiling.
- one or more monitored devices may each be equipped with a security agent to monitor events on those respective one or more computing devices and a data store to maintain data objects representative of system components associated with those events.
- Those monitored computing devices may be in communication with devices of a security service cloud.
- the security service cloud may also be configured to monitor events on those monitored computing devices and to maintain data objects representative of system components associated with those events in a data object store of the security service cloud.
- the security agents and security service cloud may monitor the same events, different events, or overlapping sets of events. Also, in some embodiments, the security agents may simply detect events and inform the security service cloud of those detected events.
- the data object stores of the security agents and security service cloud may include data objects representing the same system components, data objects representing different system components, or an overlapping set of data objects.
- a security agent or security service cloud may first assign tags to the data objects based on a configurable policy. Such tags may be considered “taxonomic tags” which classify a type, function, role, etc. of a system component. For example, “document program” may be such a “taxonomic tag.”
- the security agent or security service cloud may also assign tags to data objects based on the observed behaviors or characteristics of the system components they represent. For instance, if a process repeatedly opens document files, the security agent or security service cloud may assign the tag “document program” to the process.
- the security agent or security service cloud may detect or be informed of events and the system components associated with those events. Such events could include processes spawning other processes or threads, processes creating or opening files, etc. These events may include all events occurring on a monitored computing device or a subset of those events. If a subset, the security agent or security service cloud may be configured to filter events based on a configuration of the security agent or on a configurable policy (as used herein, “configurable policy” may refer to the configuration of the security agent or to a policy utilized by the security agent or security service cloud).
- the security agent or security service cloud may propagate a tag assigned to one data object representing a system component associated with the event to another data object representing another of the system components associated with the event. For example, if a process creates a file, the security agent or security service cloud may propagate one or more tags of the data object for that process to the data object for that file. The security agent or security service cloud may propagate all of the tags of the data object for the process or only a subset of those tags based at least in part on the configurable policy. Propagation may occur in both directions, too; tags of the data object representing the file may also be propagated to the data object representing the process.
- a process may spawn multiple threads, and the security agent or security service cloud may propagate one or more tags of the data object for that process to all or only a subset of the data objects for those threads based at least in part on the configurable policy.
- the security agent or security service cloud may generate a data object that represents the detected event and assign a tag to that data object, such as “suspicious event.”
- tags may be updated in response to detecting a subsequent event. For example, if a first event is merely suspicious, it may later be seen as security exploit activity if a second event occurs. In such a case, the tag may be updated to reflect the additional context (e.g., the tag “suspicious event” may be updated to “exploit activity”).
- the security agent or security service cloud may also create a tree object to represent an execution chain of instances of the system objects associated with the event. For example, if an event involves one process executing another process, that execution chain could be represented in a tree object. If the other process then creates a file, that file could also be represented in the tree object.
- the security agent or security service cloud can assign tags to the tree object and can assign a tree object tag to data objects representing the system components that appear in the tree object. Through the tree object tag, tags assigned to the tree object may be considered as tags of the data objects assigned the tree object tag. This enables retrospective classification of system components. For instance, nothing may be suspicious about a particular process when it first executes another.
- the tag “security exploit” may be assigned to the tree object representing that execution chain. And because a tree object tag for that tree object is assigned to the original process, that original process now, through the tree object tag and tree object, has the tag “security exploit.”
- the security agent or security service cloud may enable a user to assign tags to data objects representing system components.
- These user-specified tags may be utilized by security agents of an entity associated with the user. Such tags may be utilized to classify system components that have not yet been classified in the configurable policy. For example, a particular process may be a document program, but a security agent utilizing the configurable policy may not recognize the process as such. The user may assign the tag “document program” to the data object representing that process. These user-specified tags may then later be considered in updating the configurable policy and taxonomic tags. Also, an entity may subscribe to another entity's user-specified tags, causing that other entity's user-specified tags to be assigned to the entity's data objects.
- the security agent or security service cloud may then utilize the tags to make decisions, generate reports, or even generate events. For example, if a tag is propagated to a data object that has been assigned a tag that conflicts with the propagated tag, the security agent or security service cloud may generate a tag conflict event.
- the security agent or security service cloud may update the tags assigned to the data objects based on an update to the configurable policy. Such updating may allow for reclassification without burdensome activities like recoding or recompiling the security agent or security service cloud.
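The policy-driven tagging and reclassification described in the preceding paragraphs, as an added Python example (not code from the patent application): a tagger assigns “document program” and a second taxonomic tag from observed file-open behaviour under a configurable policy held as data, and reclassifies by replaying retained events when the policy changes, without any change to the tagger's own code. The policy format, the “script host” tag, the thresholds and the sample events are assumptions.

```python
"""Policy-driven taxonomic tagging with reclassification on policy update.

Added example; this is not code from the patent application. The policy
representation (a dict of rules keyed by tag name, each with an event
type, target-name suffixes and a minimum count) and the sample events are
assumptions chosen to illustrate the mechanism.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DataObject:
    """Node in the data object store: one system component."""
    kind: str                      # "process", "file", ...
    name: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class Event:
    """One observed execution activity: `subject` acted on `target`."""
    etype: str                     # e.g. "file_open"
    subject: str                   # acting process
    target: str                    # file or process acted upon


# Hypothetical configurable policy. A tag is assigned once a process has
# produced `min_count` events of type `event` whose target ends in a suffix.
POLICY_V1 = {
    "document program": {"event": "file_open", "suffixes": (".docx", ".xlsx", ".pdf"), "min_count": 3},
    "script host":      {"event": "file_open", "suffixes": (".ps1", ".vbs", ".js"), "min_count": 1},
}


class Tagger:
    def __init__(self, policy):
        self.policy = policy
        self.objects = {}              # name -> DataObject
        self.counts = Counter()        # (process name, tag) -> matching events seen
        self.history = []              # retained events, replayed on policy change

    def obj(self, kind, name):
        return self.objects.setdefault(name, DataObject(kind, name))

    def observe(self, ev):
        self.history.append(ev)
        self._apply(self.obj("process", ev.subject), ev)

    def _apply(self, proc, ev):
        for tag, rule in self.policy.items():
            if ev.etype == rule["event"] and ev.target.lower().endswith(rule["suffixes"]):
                self.counts[(proc.name, tag)] += 1
                if self.counts[(proc.name, tag)] >= rule["min_count"]:
                    proc.tags.add(tag)

    def update_policy(self, policy):
        """Reclassify without recompiling: clear tags, replay history under the new rules."""
        self.policy = policy
        self.counts.clear()
        for o in self.objects.values():
            o.tags.clear()
        for ev in self.history:
            self._apply(self.obj("process", ev.subject), ev)

    def snapshot(self):
        return {name: frozenset(o.tags) for name, o in self.objects.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("file_open", "winword.exe", r"C:\Users\a\report.docx"),
    Event("file_open", "winword.exe", r"C:\Users\a\budget.xlsx"),
    Event("file_open", "winword.exe", r"C:\Users\a\notes.pdf"),
    Event("file_open", "wscript.exe", r"C:\Temp\invoice.vbs"),
    Event("file_open", "notepad.exe", r"C:\Users\a\todo.txt"),
]


def reclassify_demo():
    """Tag under POLICY_V1, then widen the 'document program' rule and retag."""
    t = Tagger(POLICY_V1)
    for ev in SAMPLE_EVENTS:
        t.observe(ev)
    before = t.snapshot()
    policy_v2 = dict(POLICY_V1)
    policy_v2["document program"] = {"event": "file_open",
                                     "suffixes": (".docx", ".xlsx", ".pdf", ".txt"),
                                     "min_count": 1}
    t.update_policy(policy_v2)
    return before, t.snapshot()


if __name__ == "__main__":
    before, after = reclassify_demo()
    print("v1:", {k: sorted(v) for k, v in before.items()})
    print("v2:", {k: sorted(v) for k, v in after.items()})
```

Retaining the event history is what makes the reclassification honest: the new policy is applied to what was actually observed, rather than only to events arriving after the update.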
- FIG. 1 illustrates an example framework and systems for enabling interaction between a monitored device and a remote security service.
- one or more monitored devices 102 may be connected to security service computing devices 104 of a security service cloud via a network 106.
- the monitored devices 102 may each be a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices.
- a monitored device 102 may distribute its modules and data among the multiple computing devices.
- a monitored device 102 represents one or more virtual machines implemented on one or more computing devices. Also, each monitored device 102 may be associated with an entity, and the entity or entities may in turn have security service arrangements with a security service provider. The security service provider may in turn operate a security service cloud, which may include the security service computing devices 104 .
- the security service computing devices 104 may each be or include a server or server farm, multiple, distributed server farms, a mainframe, a work station, a PC, a laptop computer, a tablet computer, a PDA, a cellular phone, a media center, an embedded system, or any other sort of device or devices.
- the security service computing devices 104 implementing the security service cloud represent a plurality of computing devices working in communication, such as a cloud computing network of nodes. When implemented on multiple computing devices, a security service computing device 104 may distribute its modules and data among the multiple computing devices.
- one or more of the security service computing devices 104 represent one or more virtual machines implemented on one or more computing devices.
- the network 106 may include any one or more networks, such as wired networks, wireless networks, and combinations of wired and wireless networks. Further, the network 106 may include any one or combination of multiple different types of public or private networks (e.g., cable networks, the Internet, wireless networks, etc.). For example, the network 106 may include a public network and a client network associated with one of the entities. Each such client network may be a private network. In some instances, computing devices communicate over the network 106 using a secure protocol (e.g., Hypertext Transfer Protocol Secure (HTTPS)) and/or any other protocol or set of protocols, such as the transmission control protocol/Internet protocol (TCP/IP).
- HTTPS: Hypertext Transfer Protocol Secure
- TCP/IP: Transmission Control Protocol/Internet Protocol
- each monitored device 102 may have a processor 108.
- each security service computing device 104 may have a processor 110.
- Processors 108 and 110 may each be a central processing unit (CPU), a graphics processing unit (GPU), or both CPU and GPU, or other processing unit or component known in the art.
- Processors 108 and 110 may be different types of processing units or components or may be of the same type.
- Each monitored device 102 may also have a communication interface 112.
- each security service computing device 104 may have a communication interface 114.
- the communication interfaces 112 and 114 may be any sort of wired or wireless interfaces (or both) that enable their respective devices to communicate over the network 106 with other devices, including with each other.
- the communication interfaces 112 and 114 may be the same or different types of communication interfaces.
- the monitored device(s) 102 each have input/output (I/O) devices 116.
- the security service computing devices 104 each have I/O devices 118.
- the I/O devices 116 and 118 may include input devices, such as a keyboard, a mouse, a touch-sensitive display, voice input device, etc., and output devices such as a display, speakers, a printer, etc.
- the I/O devices 116 and 118 may be the same or different types of I/O devices.
- the I/O devices 116 of the monitored device(s) 102 may be used to enter user-specified tags, to subscribe to other entities' tags, and to view reports.
- the I/O devices 118 of the security service computing devices 104 may be used to specify the configurable policy, specify taxonomic tags, and view reports.
- each monitored device 102 has one or more computer-readable media 120.
- each security service computing device 104 has one or more computer-readable media 122.
- Computer-readable media 120 and 122 may include any tangible, non-transitory storage media.
- computer-readable media 120 and 122 may include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the respective monitored device 102 or security service computing device 104.
- computer-readable media 120 and 122 may be removable and/or non-removable.
- the computer-readable media 120 of each monitored device 102 stores a security agent 124.
- the security agent 124 may be a kernel-level agent or may reside partly on a monitored device 102 and partly on the security service cloud.
- the security agent 124 may include event consumers that receive notifications of events associated with execution activities of system components 126, filters, an event bus that routes the events to other module(s) of the security agent 124, correlators that track types of events and/or maintain state associated with events, and actors that gather state information and act upon events.
- the security agent 124 may be installed and configured by the security service cloud, such as by one or more of the security service computing devices 104, and may receive and apply, while live, reconfigurations of its module(s).
- the security agent 124 may also receive and apply, while live, configurable policies from the security service cloud. Such configurable policies may be the same as or different from the configuration of the security agent 124.
- An example security agent is described in greater detail in U.S. patent application Ser. No. 13/492,672, entitled “Kernel-Level Security Agent” and filed on Jun. 8, 2012.
- the system components 126 may be any sort of module, process, thread, file, driver, service, pipe, handle, named kernel object, memory segment, user, cryptographic signer and signature authority, registry key, Internet Protocol (IP) address and subnet, domain name service (DNS) domain, or fully-qualified domain name (FQDN) of the monitored device 102 .
- a system component 126 that is a module may be identified by a hash of its contents.
- These system components 126 may include both platform and application components.
- the security agent 124 receives notifications of execution activities, such as events, associated with these system components 126, filters and dispatches the events in accordance with the configuration of the security agent 124, and acts upon the events. Such actions may simply be recording and further monitoring or may rise to the level of remediation or alerts. In monitoring these events, the security agent 124 attempts to detect indications of exploit code 128 or other malicious activity of an adversary 130.
- the security agent 124 may further include or be associated with a data object store 132. While FIG. 1 shows the data object store 132 as separate from the security agent 124, it is to be understood that the data object store 132 may either be a part of the security agent 124 or may be separate from and associated with the security agent 124.
- the data object store 132 may represent current and past states of the monitored device 102.
- the past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state.
- the data object store 132 may have at least three roles. In a first role, the data object store 132 may serve as a historian, providing access to past states of the monitored device 102 that are no longer stored elsewhere on the monitored device 102.
- In a second role, the data object store 132 may serve as a validator, maintaining an independent model of the state of the monitored device 102 that can be used to detect malicious modifications of the host operating system state storage of the monitored device 102.
- In a third role, the data object store 132 provides a cache of configuration, information, and state that are received from a remote security service, that are computationally expensive to generate or fetch, or that are high-latency to fetch.
- An example of such a data object store is described in greater detail in U.S. patent application Ser. No. 13/728,746, entitled “Real-Time Representation of Security-Relevant System State” and filed on Dec. 27, 2012.
- the data object store 132 may include a plurality of data objects 134 that represent system components 126 and events. These data objects 134 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events.
- the security agent 124, through any of its actors or correlators, may create and update the data objects 134.
- the data object store 132 may also be associated with functional components that are capable of creating and updating the data objects 134 based on events received from filter and dispatch components of the security agent 124.
- the data object store 132 may also maintain one or more tree objects 136.
- Tree objects 136 may represent execution chains of instances of system components 126. Whether or not the security agent 124 creates a tree object 136 responsive to an event may be determined based on the configurable policy received from the security service cloud.
- the data object store 132 may maintain tags 138 for some or all of the data objects 134 and tree objects 136.
- Each tag 138 acts as a label or classifier of a data object 134 or a tree object 136. While the tags 138 are shown separately from the data objects 134 and tree objects 136 in FIG. 1, it is to be understood that each tag 138 may be stored as metadata of a specific data object 134 or tree object 136, although such storage may be contiguous or non-contiguous.
- Tags 138 may have structure. The presence of a tag 138 can require another tag 138 (e.g., “Office2010” requires “Office” requires “document program”) or at least one member of a set of tags 138 (e.g., “updater” requires some other tag 138 indicating something which can be updated). Alternatively, such structure may be avoided with a hierarchy or via tag duplication. Such alternatives may be considered to avoid the computational expense of the tag structure. Tags 138 can also be mutually exclusive with each other (e.g., “document program” and “system program” may be mutually exclusive).
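The requirement and mutual-exclusion structure just described, together with the tag conflict event mentioned earlier in the summary, as an added Python example (not the patent's code): “Office2010” pulls in “Office” and “document program” through single-member requirements, “updater” needs at least one member of a set, and an attempt to assign “system program” to an object already tagged “document program” is refused and recorded as a tag conflict event. The rule tables, the “browser” tag and the shape of the conflict record are assumptions.

```python
"""Structured tags: single and set-valued "requires", mutual exclusion,
and the tag conflict event raised when an assignment would violate them.

Added example; not code from the patent application. The tag names come
from the text; the rule tables and the shape of the conflict record are
assumptions.
"""
from dataclasses import dataclass, field

# Each entry lists requirement groups: a one-member group must be present,
# a multi-member group needs at least one of its members present.
REQUIRES = {
    "Office2010": [{"Office"}],
    "Office":     [{"document program"}],
    "updater":    [{"document program", "system program", "browser"}],  # something updatable
}
# Groups of tags that may not co-exist on one data object.
EXCLUSIVE = [{"document program", "system program"}]


def implied(tag):
    """Closure of `tag` under one-member requires (Office2010 -> Office -> document program)."""
    out, stack = {tag}, [tag]
    while stack:
        for group in REQUIRES.get(stack.pop(), []):
            if len(group) == 1:
                (req,) = group
                if req not in out:
                    out.add(req)
                    stack.append(req)
    return out


@dataclass
class TaggedObject:
    name: str
    tags: set = field(default_factory=set)
    events: list = field(default_factory=list)   # generated "tag conflict" events

    def assign(self, tag, source="direct"):
        """Add `tag` plus what it implies; on violation record a conflict event and change nothing."""
        merged = self.tags | implied(tag)
        for group in EXCLUSIVE:
            clash = group & merged
            if len(clash) > 1:
                self.events.append({"event": "tag conflict", "object": self.name, "tag": tag,
                                    "source": source, "clash": sorted(clash)})
                return False
        for t in merged:
            for group in REQUIRES.get(t, []):
                if not (group & merged):
                    self.events.append({"event": "tag conflict", "object": self.name, "tag": tag,
                                        "source": source, "missing_one_of": sorted(group)})
                    return False
        self.tags = merged
        return True


def demo():
    """Office2010 pulls in its parents; a propagated 'system program' conflicts; 'updater' is satisfied."""
    proc = TaggedObject("winword.exe")
    results = (
        proc.assign("Office2010"),
        proc.assign("system program", source="propagated from parent process"),
        proc.assign("updater"),
    )
    lone = TaggedObject("svc.exe")
    lone.assign("updater")        # nothing updatable present -> rejected with a conflict event
    return proc, results, lone


if __name__ == "__main__":
    proc, results, lone = demo()
    print(sorted(proc.tags), results)
    for ev in proc.events + lone.events:
        print(ev)
```

The check runs before the tag set is modified, so a rejected propagation leaves the object exactly as it was and the conflict event carries enough context (the source of the tag, the clashing or missing tags) for a correlator to act on it.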
- tags 138 may be of any of a number of varieties, such as taxonomic tags 140, tree tags 142, and social tags 144. Tags 138 may also be of any number of different types, depending on implementation.
- Taxonomic tags 140 may be centrally declared and standardized (e.g., by the security agent 124 or by the security service cloud), and may be used to pass defined indications that may enable decision-making and direct actions. In some embodiments, taxonomic tags 140 may only be assigned by security service cloud code or authorized employees of the security service provider through controlled interfaces. Examples of taxonomic tags 140 may be classifications, such as a “CS_ShowInUI” tag for use in detections. Taxonomic tags 140 may be flagged to never display to a customer.
- Tree tags 142 are dynamically created on a monitored device 102 along with tree objects 136 and serve to identify those tree objects 136.
- Each tree tag 142 may be assigned to data objects 134 which represent system components 126 that are included in the tree object 136 identified by that tree tag 142.
- Tree tags 142 serve to associate data objects 134 with the taxonomic tags 140, social tags 144, or other tags 138 that are assigned to their respective tree objects 136.
- Social tags 144 may be created and assigned by users of the monitored devices 102.
- Social tags 144 may be controlled by an entity associated with a monitored device 102 rather than centrally controlled by the security service cloud.
- the social tags 144 may, however, be provided to the security service cloud and have indirect effects on the security service cloud based on data analytics or manual propagation rules using the social tags 144 to assign taxonomic tags 140 .
- Social tags 144 may include the identifier of the entities whose users created those social tags 144. Also, many taxonomic tags 140 may appear as social tags 144. For example, a user associated with an entity may assign a “document program” social tag 144 to an executable that the security service cloud has not classified with a taxonomic tag 140.
- the tags 138 may include a tag 138 for a “system” data object 134 that can be tagged to adjust overall posture of the monitored device 102 , as a lightweight alternative to full multi-modal configurations. This may cause the event filtering of the security agent 124 to start with a posture check.
- the security agent 124 may, in accordance with the configurable policy received from the security service cloud, assign tags 138 to data objects 134.
- the security agent 124 may assign taxonomic tags 140 to at least some of the data objects 134 based on the types, observed behaviors, or characteristics of the system components 126 or events that those data objects 134 represent.
- the security agent 124 may also assign tags 138 to tree objects 136 based at least in part on the configurable policy.
- the security agent 124 may assign or remove tags 138 from data objects 134 or tree objects 136 directly with standard events, allowing dynamic control of tags 138, both programmatically and manually. Also, or instead, tag assignment may be triggered by any detected event. In such circumstances, tags 138 may be assigned to the data objects 134 representing the system components 126 associated with the event, to a data object 134 that represents the detected event, or to both.
- the security agent 124 may assign tags 138 to data objects 134 based on events and on the configurable policy.
- In the example of FIG. 2, the security agent 124 may detect the occurrence of an event associated with a system component 126, such as a file 204.
- the security agent 124 may then, at 206, filter the event based on the configurable policy.
- the security agent 124 then, at 208, assigns a tag 138, such as tag X 210, to the data object 134 representing the system component 126 (e.g., file data object 212 representing file 204).
- tags 138 may be propagated between data objects 134 by the security agent 124 based at least in part on the configurable policy and on detecting an event.
- When the security agent 124 detects an event, it consults the configurable policy and determines which tags 138 should be propagated among the data objects 134 representing the system components 126 associated with the event. For example, if a parent process creates a child process, some or all of the tags 138 of the data object 134 representing the parent process may be propagated by the security agent 124 to the data object 134 representing the child process. Which tags 138 are propagated may be determined based on propagation rules associated with the tags 138 and included in the configurable policy.
- the configurable policy may include a propagation mask for each tag 138 that indicates the events that will cause the propagation of that tag 138 .
- Such propagation masks may be compiler-generated bitmasks for each propagating event, allowing for a small, fixed number of operations for even a very large number of tags 138 .
- a process may acquire some tags 138 by propagation from a file it loads, and different propagation behavior may be defined based on whether or not the file was loaded as a primary module.
- FIG. 3 illustrates one example of such a tag propagation.
- a security agent 124 may detect 302 an event that is associated with a process 304 and a file 306.
- the process 304 might create, read, write to, or delete the file 306.
- the security agent 124 may propagate 308 a tag 310 (shown as “tag X 310”) from data object 312 representing the process 304 to a data object 314 representing the file 306.
- the process data object 312 may also have additional tags, such as tag Y 316, which are not propagated to the file data object 314, in accordance with the configurable policy.
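The propagation masks of FIG. 3 and the preceding paragraphs, as an added Python example (not the patent's code): each tag's mask is a bit set of event kinds, inverted once into an event-to-tags table so that a propagation is a single set intersection regardless of how many tags exist; tag X crosses a file-create event while tag Y does not, and a file's “document program” classification reaches a process only when the file is loaded as its primary module. The event kinds, the dropper/payload scenario and the mask table itself are assumptions.

```python
"""Tag propagation driven by per-tag propagation masks.

Added example; not code from the patent application. The event kinds,
the scenario and the mask table are assumptions; the patent only states
that the policy holds a bitmask per tag naming the events that propagate it.
"""
from dataclasses import dataclass, field
from enum import IntFlag, auto


class Ev(IntFlag):
    """One bit per propagating event kind (hypothetical set)."""
    PROCESS_CREATE = auto()   # parent process -> child process
    FILE_CREATE    = auto()   # process -> file it writes
    FILE_READ      = auto()   # file -> process that reads it
    MODULE_LOAD    = auto()   # file -> process that loads it as a library
    PRIMARY_MODULE = auto()   # file -> process that executes it as its main image
    THREAD_CREATE  = auto()   # process -> thread


# Configurable policy: for each tag, the events across which it travels
# from the source data object to the target data object.
PROPAGATION_MASK = {
    # origin taint follows creation and execution, but not a mere library load
    "tag X": Ev.PROCESS_CREATE | Ev.FILE_CREATE | Ev.FILE_READ | Ev.PRIMARY_MODULE | Ev.THREAD_CREATE,
    # stays on the object it was assigned to (FIG. 3: tag Y is not propagated)
    "tag Y": Ev(0),
    # a file's classification reaches the process only when it is the primary module
    "document program": Ev.PRIMARY_MODULE,
}

# Inverted once at policy load: event kind -> tags it carries. A propagation
# is then one set intersection, whatever the number of tags in the policy.
TAGS_BY_EVENT = {ev: frozenset(t for t, m in PROPAGATION_MASK.items() if m & ev) for ev in Ev}


@dataclass
class DataObject:
    kind: str
    name: str
    tags: set = field(default_factory=set)


def propagate(src, dst, event):
    """Copy the tags of `src` whose mask includes `event` onto `dst`; return what moved."""
    moved = src.tags & TAGS_BY_EVENT[event]
    dst.tags |= moved
    return set(moved)


def scenario():
    """A tainted dropper writes a payload that is later executed; Word's image is loaded two ways."""
    dropper = DataObject("process", "dropper.exe", {"tag X", "tag Y"})
    payload = DataObject("file", r"C:\Temp\payload.exe")
    propagate(dropper, payload, Ev.FILE_CREATE)          # tag X crosses, tag Y stays behind

    runner = DataObject("process", "payload.exe:4242")
    propagate(payload, runner, Ev.PRIMARY_MODULE)        # taint follows execution of the file

    word_img = DataObject("file", r"C:\Program Files\winword.exe", {"document program"})
    word_proc = DataObject("process", "winword.exe:5100")
    propagate(word_img, word_proc, Ev.PRIMARY_MODULE)    # classification reaches the running process

    helper = DataObject("process", "explorer.exe:900")
    propagate(word_img, helper, Ev.MODULE_LOAD)          # library load: nothing propagates

    return {o.name: set(o.tags) for o in (payload, runner, word_proc, helper)}


if __name__ == "__main__":
    for name, tags in scenario().items():
        print(f"{name:35} {sorted(tags)}")
```

Because the inversion happens when the policy is loaded, adding a tag to the policy changes only the table, not the propagation code path, which is the property the text attributes to compiler-generated per-event bitmasks.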
- the security agent 124 may create tree objects 136 and tree tags 142 in accordance with the configurable policy.
- FIG. 4 illustrates an example of such tree object creation and tree tag assignment.
- a security agent 124 detects 402 an event associated with a process 404 and a file 406 , such as the execution of the file 406 by the process 404 .
- the security agent 124 constructs 408 a tree object 410 for the execution chain 412 of the process 404 executing the file 406 .
- the security agent 124 may expand the representation of the execution chain 412 to represent additional events and instances of system components.
- the security agent 124 may update the representation of the execution chain 412 in the tree object 410 to reflect the extension of the execution chain 412 .
- the security agent 124 may also assign tags 138 to the tree object 410 , such as tag A 414 and tag B 416 . These tags 414 and 416 may be taxonomic tags 140 or social tags 144 .
- the security agent 124 may assign the tags 414 and 416 in accordance with the configurable policy. For example, if a system component 126 or event included in the execution chain 412 is determined to be suspicious, the tag “suspicious” could be assigned to the tree object 410 .
- the security agent 124 When creating the tree object 410 , the security agent 124 also creates a tree tag 142 for the tree object 410 and assigns 418 the tree tag 142 (shown as “Tag T 420 ”) to data objects 422 and 424 representing the process 404 and file 406 , respectively. While data objects 422 and 424 are each shown as being assigned only a single tree tag 142 , it is to be understood that any data object 134 , such as data objects 422 and 424 , may have multiple tree tags 142 assigned to it if the system component 126 or event represented by that data object 134 appears in multiple tree objects 136 . The data objects 422 and 424 may also have other tags 138 assigned to them.
- the process data object 422 may have a tag C 426 assigned to it.
- When the security agent 124 subsequently filters the data objects 422 and 424 based on tags 138 , the security agent 124 will consider, for instance, the process data object 422 to have tag C 426 , tag T 420 , and by virtue of tag T 420 , both tag A 414 and tag B 416 as well.
- Process data object 422 will be considered to have tag A 414 and tag B 416 transitively—there is no need for these tags 414 and 416 to be explicitly assigned as their association with tree tag T 420 is sufficient to ensure their application to the process data object 422 .
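The tree-tag mechanism of FIG. 4, as an added worked example that is not the patent's own code: a tree object stands for an execution chain, every data object in the chain carries the tree's tag, and a filter on a tag consults the tree transitively, so a tag assigned to the tree after the fact (the retrospective classification the Description gives later for an execution chain that turns out to contain exploit activity) lands on the original process without any explicit assignment. The class names `DataObject`, `TreeObject` and `TagStore`, the `T<n>` tree-tag format and the sample processes and tag names are assumptions chosen for illustration.

```python
"""Tree objects, tree tags and transitive tag resolution.

Added example, not the patent's own code. The class names, the tree-tag
format "T<n>" and the sample processes and tags are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)
class DataObject:
    """Represents one system component (process, file, ...)."""
    kind: str
    name: str
    tags: set = field(default_factory=set)       # tags assigned directly, e.g. "C"
    tree_tags: set = field(default_factory=set)  # one tree tag per tree object the component appears in


@dataclass(eq=False)
class TreeObject:
    """Represents an execution chain; tags on the tree apply to every member transitively."""
    tree_id: str
    members: list = field(default_factory=list)
    tags: set = field(default_factory=set)


class TagStore:
    def __init__(self) -> None:
        self.trees: dict = {}
        self._counter = 0

    def create_tree(self, *members: DataObject) -> TreeObject:
        """Construct a tree object for an execution chain and assign its tree tag
        to the data objects of the components in the chain."""
        tree = TreeObject(f"T{self._counter}")
        self._counter += 1
        self.trees[tree.tree_id] = tree
        for obj in members:
            self.extend_tree(tree, obj)
        return tree

    def extend_tree(self, tree: TreeObject, obj: DataObject) -> None:
        """Extend the execution chain with a further instance (a spawned process,
        a created file) and give its data object the tree tag."""
        if obj not in tree.members:
            tree.members.append(obj)
        obj.tree_tags.add(tree.tree_id)

    def effective_tags(self, obj: DataObject) -> set:
        """Own tags, plus the tree tags, plus (transitively) every tag of every
        tree object whose tree tag the data object carries."""
        tags = set(obj.tags) | set(obj.tree_tags)
        for tree_id in obj.tree_tags:
            tags |= self.trees[tree_id].tags
        return tags

    def filter(self, objects, tag: str) -> list:
        """Filter data objects on a tag without requiring it to be assigned explicitly."""
        return [o for o in objects if tag in self.effective_tags(o)]


def retrospective_classification():
    """Constructed scenario: the first process looks benign when it executes
    the second; only later does the chain perform exploit activity."""
    store = TagStore()
    shell = DataObject("process", "explorer.exe", {"C"})
    word = DataObject("process", "winword.exe", {"document program"})
    tree = store.create_tree(shell, word)            # event: explorer.exe executes winword.exe
    before = "security exploit" in store.effective_tags(shell)
    dropper = DataObject("process", "update.exe")
    store.extend_tree(tree, dropper)                 # winword.exe executes update.exe
    tree.tags.add("security exploit")                # update.exe's behaviour is recognised as exploit activity
    after = "security exploit" in store.effective_tags(shell)
    flagged = [o.name for o in store.filter([shell, word, dropper], "security exploit")]
    return before, after, flagged
```

Because the tree tag is the only thing stored on the member data objects, re-tagging a chain costs one write to the tree object rather than one write per member, and a data object that appears in several chains simply carries several tree tags.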
- the security agent 124 or a user interface received from the security service provider may also enable a user of the monitored device 102 to subscribe to social tags 146 of another entity 148 on behalf of the entity associated with the monitored device 102 .
- the monitored device 102 may then receive the social tags 146 , either directly from monitored devices of the other entity 148 or through a security service computing device 104 of the security service cloud.
- the monitored device 102 may also continue to receive the subscribed-to social tags 146 on an ongoing basis, as the social tags 146 are created.
- the security agent 124 may assign the social tags 146 to data objects 134 .
- the social tags 146 are assigned to data objects 134 that are equivalents of the data objects of the other entity. “Equivalent” data objects may be those representing a same or similar type of system component 126 or event. Upon receiving and assigning the social tags 146 , those social tags 146 may be considered part of social tags 144 .
- Social tags 144 can be used to provide a number of capabilities; for instance, social tags 144 may be used arbitrarily for annotation, allowing coordination between multiple analysts and across entities. Social tags 144 on patterns and files can allow for expression of entity preferences about policy and priority of different patterns, and to allow entities to rapidly whitelist local programs and files overall or with respect to specific patterns.
- FIG. 5 illustrates an example of subscription to another entity's social tags.
- a first entity 502 may subscribe 504 to social tags 506 of a second entity 508 .
- the social tags 506 may be assigned to data objects, such as data object 510 , which represent system components 126 or events of monitored devices 102 of the second entity 508 .
- the first entity 502 may receive 512 the social tags 506 .
- Security agents 124 of the monitored devices 102 of the first entity 502 may then assign the social tags 506 to data objects 514 .
- Data objects 514 may then have both any tags of their own, such as tag D 516 , and the subscribed-to social tags 506 .
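The subscription flow of FIG. 5, as an added worked example that is not the patent's own code: a subscription accepts social tags only from the entities subscribed to, keeps the creating entity with each tag (the provenance that the tags 154 of the cloud store also carry), and assigns the tags to local data objects that are equivalent to the other entity's objects, repeatedly, as further tags arrive. The equivalence rule (same kind of component plus the same content hash for files and modules, or the same case-insensitive name otherwise), the `entity:tag` label format, the entity names and the sample data objects are assumptions chosen for illustration.

```python
"""Subscribing to another entity's social tags and assigning them to
equivalent local data objects, on an ongoing basis.

Added example, not the patent's own code. The equivalence rule, the
"entity:tag" label format, the entity names and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class DataObject:
    kind: str                    # "file", "module", "process", ...
    name: str
    sha256: Optional[str] = None
    tags: set = field(default_factory=set)


def equivalence_key(obj: DataObject) -> tuple:
    """Two data objects are 'equivalent' when they represent the same kind of
    component with the same identity (assumed: content hash for files and
    modules, case-insensitive name for everything else)."""
    if obj.kind in ("file", "module") and obj.sha256:
        return (obj.kind, obj.sha256.lower())
    return (obj.kind, obj.name.lower())


@dataclass(frozen=True)
class SocialTag:
    entity: str      # creating entity; kept so the tag's provenance survives sharing
    key: tuple       # equivalence key of the data object it was assigned to
    tag: str


class SocialTagSubscription:
    """Holds the social tags received from subscribed-to entities and applies
    them to equivalent local data objects."""

    def __init__(self, subscribed_entities) -> None:
        self.subscribed = set(subscribed_entities)
        self.received: dict = {}   # equivalence key -> set of SocialTag

    def deliver(self, social_tags) -> int:
        """Accept a batch of tags (direct from the other entity or via the
        security service cloud); tags of entities not subscribed to are dropped."""
        accepted = 0
        for st in social_tags:
            if st.entity in self.subscribed:
                self.received.setdefault(st.key, set()).add(st)
                accepted += 1
        return accepted

    def apply(self, objects) -> list:
        """Assign received social tags to equivalent local objects. Safe to call
        repeatedly as new tags arrive; returns the (object name, label) pairs
        added on this call."""
        added = []
        for obj in objects:
            matches = self.received.get(equivalence_key(obj), ())
            for st in sorted(matches, key=lambda s: (s.entity, s.tag)):
                label = f"{st.entity}:{st.tag}"
                if label not in obj.tags:
                    obj.tags.add(label)
                    added.append((obj.name, label))
        return added


def scenario():
    """Constructed sample: the first entity subscribes to the social tags of
    the second entity 'acme' but not to those of 'globex'."""
    acme_updater = DataObject("file", "updater.exe", sha256="AB12CD34")
    published = [
        SocialTag("acme", equivalence_key(acme_updater), "whitelisted"),
        SocialTag("acme", ("process", "backup.exe"), "document program"),
        SocialTag("globex", ("process", "backup.exe"), "suspicious"),   # not subscribed to
    ]
    sub = SocialTagSubscription({"acme"})
    accepted = sub.deliver(published)
    local = [
        DataObject("file", "C:\\Tools\\updater.exe", sha256="ab12cd34", tags={"D"}),
        DataObject("process", "BACKUP.EXE"),
        DataObject("file", "other.exe", sha256="ff00"),
    ]
    first = sub.apply(local)
    # a later delivery: the subscription keeps receiving tags as acme creates them
    sub.deliver([SocialTag("acme", ("process", "backup.exe"), "whitelisted")])
    second = sub.apply(local)
    return accepted, first, second, local
```

Keeping the creating entity inside the label is what lets a later policy treat `acme:whitelisted` differently from the local entity's own `whitelisted`, and lets an unsubscribe remove exactly the tags that came from that entity.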
- the security agent 124 may utilize the tags 138 for reporting, decision-making, or event-generating.
- the security agent 124 may utilize the configurable policy and tags 138 to filter the data objects 134 .
- the result of that filtering may then be utilized to generate a report, which may be provided to a user of the monitored device 102 through the security agent 124 or through a user interface provided by the security service cloud (e.g., a web page).
- the security agent 124 may also or instead make a decision based on the filtered data objects 134 . For example, if the filtered data objects 134 include any data objects 134 with the tag 138 “suspicious”, the security agent 124 may decide to perform additional monitoring or take remedial action.
- the security agent 124 may generate events. For example, if the security agent 124 propagates a tag 138 to a data object 134 , and that data object 134 has another tag 138 that conflicts with the propagated tag 138 , the security agent 124 may generate an event indicative of a tag conflict.
- Tags 138 can also be used by the security agent 124 to trigger runtime policy. For example, a tag 138 could indicate that a process should not be allowed to make outbound network connections. Such tags 138 take their effect from the configurable policy that is used by the security agent 124 to filter on the presence of the tag 138 .
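The propagation, conflict and runtime-policy behaviour described above, as an added worked example that is not the patent's own code: a configurable policy holds a propagation mask per event type (so only a subset of the source object's tags flows to the target, and a tag like Y 316 in FIG. 3 stays behind), tags can imply other tags, a pair of tags can be mutually exclusive, propagating a tag onto an object that already carries its exclusive partner raises a tag-conflict event, and a filter on the presence of a tag denies outbound connections. The `Policy` layout, the event and tag names, the sample objects, and the choice to still assign the conflicting tag while raising the event are assumptions chosen for illustration.

```python
"""Tag propagation under a configurable policy: propagation masks,
implied tags, mutually exclusive tags with conflict events, and a tag
that drives runtime policy.

Added example, not the patent's own code. The Policy layout, the event
names, the tag names and the decision to still assign a propagated tag
when it conflicts (while raising the event) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)
class DataObject:
    kind: str
    name: str
    tags: set = field(default_factory=set)


@dataclass
class Policy:
    masks: dict          # propagation mask: event type -> tags allowed to flow source -> target
    implies: dict        # tag structure: tag -> tags it implies
    exclusive: set       # tag structure: unordered pairs (frozenset) of mutually exclusive tags
    deny_outbound: set   # tags whose presence denies outbound network connections at runtime

    def conflicts_with(self, tag: str, existing: set) -> set:
        return {t for t in existing if frozenset((tag, t)) in self.exclusive}


def closure(policy: Policy, tags) -> set:
    """Expand a tag set through implication until it stops growing."""
    result, todo = set(tags), list(tags)
    while todo:
        for implied in policy.implies.get(todo.pop(), ()):
            if implied not in result:
                result.add(implied)
                todo.append(implied)
    return result


def propagate(policy: Policy, event: str, src: DataObject, dst: DataObject, events: list) -> set:
    """Propagate, from src to dst, only those tags the mask for this event
    permits; record a tag-conflict event when a propagated tag is mutually
    exclusive with a tag dst already has. Returns the tags that were propagated."""
    allowed = closure(policy, src.tags) & policy.masks.get(event, set())
    for tag in sorted(allowed):
        clash = policy.conflicts_with(tag, dst.tags)
        if clash:
            events.append({"event": "tag_conflict", "object": dst.name,
                           "tag": tag, "conflicts_with": sorted(clash)})
        dst.tags.add(tag)   # assumption: the tag is still assigned; the event drives review
    return allowed


def allow_outbound(policy: Policy, obj: DataObject) -> bool:
    """Runtime policy: a process carrying a deny-outbound tag may not connect out."""
    return not (closure(policy, obj.tags) & policy.deny_outbound)


def scenario():
    """Constructed sample events: a document program is seen performing
    exploit activity, then creates a file and spawns a thread."""
    policy = Policy(
        masks={"create_file": {"suspicious", "document program"},
               "spawn_thread": {"suspicious"}},
        implies={"exploit activity": {"suspicious"}},
        exclusive={frozenset({"suspicious", "whitelisted"})},
        deny_outbound={"suspicious"},
    )
    events = []
    proc = DataObject("process", "winword.exe", {"document program", "exploit activity", "Y"})
    out = DataObject("file", "invoice.docx", {"whitelisted"})
    thread = DataObject("thread", "winword.exe!worker")
    propagate(policy, "create_file", proc, out, events)
    propagate(policy, "spawn_thread", proc, thread, events)
    return policy, proc, out, thread, events
```

Changing what propagates, what implies what, or which tag blocks networking is a policy edit, not a code change, which is the point the text makes about reclassification without recompiling; the conflict event is what surfaces the case where a whitelisted file is touched by a process the chain has since marked suspicious.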
- the security service computing devices 104 of the security service cloud may each maintain in its computer-readable media 122 , a data object store 150 , which may include data objects 152 and tags 154 .
- the data object store 150 may represent current and past states of one or more of the monitored devices 102 .
- the past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state(s).
- the data object store 150 may include a plurality of data objects 152 that represent system components 126 and events of the one or more monitored computing devices. These data objects 152 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events.
- the data object store 150 may maintain separate graphs for each of the monitored devices 102 , a graph for multiple ones of the monitored devices, or both.
- a graph representing multiple ones of the monitored devices 102 may include representation of events associated with system components 126 from multiple monitored devices 102 , such as a process on one monitored device 102 accessing a file on another monitored device 102 .
- the data object store 150 may include copies of the tree objects 136 created on the monitored devices 102 .
- the tags 154 may represent a superset of the tags 138 of the one or more monitored devices 102 . Because the taxonomic tags 140 may be centrally created by the security service computing devices 104 , the taxonomic tags 140 included in the tags 154 may be the same as, or at least include all of, the taxonomic tags 140 included in the tags 138 . The taxonomic tags 140 included in the tags 154 may also include additional taxonomic tags 140 that have not yet been assigned to any data objects 134 or tree objects 136 of the monitored devices. The tree tags 142 of the tags 154 , in addition to identifying tree objects 136 of monitored devices 102 , also include identifiers of the monitored devices 102 to which the tree objects 136 belong. The social tags 144 of the tags 154 include identifications of the entities that created those social tags 144 . As mentioned above, the security service cloud may utilize these social tags 144 in defining additional taxonomic tags 140 .
- the communications model for tags 138 and 154 implemented by the security agents 124 and the security service cloud may define under what circumstances tags 138 flow between monitored devices 102 and security service computing devices 104 . This flow may be implemented as another propagation operation, or possibly as two operations: one to passively forward tag 138 and another to push changes to the tag assignment proactively.
- the security modules 156 of the security service computing devices may be configured to provide information security services to individual users and client entities through their monitored devices 102 , such as maintenance and configuration of the security agent 124 and data object store 132 , threat modeling, and/or remediation.
- the security modules 156 may include a configuration module 158 to configure the security agents 124 and to provide the configurable policy to the security agents 124 , a monitoring module 160 to detect events on the monitored devices 102 or to receive indications of the occurrences of those events, and a social module 162 to enable social aspects of the security services, such as the sharing of social tags 144 .
- the security modules 156 may build and maintain the data object store 150 .
- the monitoring module 160 of the security modules 156 may detect events or receive indications of the occurrence of events and use that information to build the data object store 150 . Such information may be received in substantially real time as the events are observed.
- the configuration module 158 may configure the monitored devices 102 , specifying the events that the monitored devices 102 are to notify the monitoring module 160 of and the tags 138 which the monitored devices 102 are to share. Further, the configuration module 158 may update the configurable policy and disseminate the updated configurable policy to the monitored devices 102 . Such an updated configurable policy may result in the updating of assignments of tags 138 , removing some tags 138 and adding others.
- the updated configurable policy may also update propagation masks for tags 138 , resulting in different propagation behaviors.
- the social module 162 may also provide social aspects to the security services, forming groups of users and/or client entities and automatically sharing security information among the users and/or client entities constituting a group.
- the social module 162 may enable the users or entities to subscribe to the social tags 144 of other users or other entities and enable the exchange of the subscribed-to tags 144 , either retrieving and providing them or enabling users/entities to provide the social tags 144 to each other directly.
- the security modules 156 may also include one or more modules to filter the tags 154 and act upon the filtering. Such actions may include decision-making, report-generating, or event-generating, in the manner described above with respect to the security agent 124 . The actions may further include causing the configuration module 158 to update the configurable policy.
- FIG. 6 illustrates an example process. This process is illustrated as a logical flow graph, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof.
- the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations.
- computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types.
- the order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the processes.
- FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
- the process includes, at 602 , a security agent or security service cloud assigning tags to data objects representing system components of a computing device. Such assignment may be based on a configurable policy.
- the tags may each be one of a string, an integer, a hash, or a binary flag
- the system components may include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs).
- the tags may have structure; a tag can imply another tag or be mutually exclusive with another tag.
- a tag may be associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag (either in addition to the previous tag or replacing the previous tag) that is associated with the classification of the system component.
- the assigning may include enabling a user to associate the tag with a system component represented by a data object and assigning that user-associated tag to the data object.
- the assigning may include assigning a tag based at least in part on observed behavior or characteristics of a system component represented by a data object. Additionally or instead, the assigning may include assigning a tag to a data object representing a system component based at least in part on detecting an event associated with that system component and on filtering of that event using the configurable policy.
- a security agent of a first entity may subscribe to user-specified tags of a second entity.
- the security agent may then assign the second entity's user-specified tags to data objects representing system components of computing devices of the first entity.
- the security agent or security service cloud may detect an event occurring on a computing device that is associated with multiple system components of the computing device.
- the security agent or security service cloud may assign another tag to a data object representing the detection of the event.
- the security agent or security service cloud may detect a subsequent event and, based at least in part on detecting the subsequent event, update the other tag.
- the security agent or security service cloud may construct a tree object representing an execution chain of instances of at least a subset of the system components.
- the security agent or security service cloud may construct the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components.
- the subset of system components may include both processes and non-process system components.
- the security agent or security service cloud may assign a tag for the tree object to the data objects representing the subset of the system components.
- the security agent or security service cloud propagates a tag that is assigned to a data object representing one system component of the plurality of system components to another data object representing another of the plurality of system components.
- the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object.
- the propagating may comprise propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components.
- the system components may be system components of a computing device and the propagating may be performed by one or more other computing devices.
- the data object and other data object may be stored on the one or more other computing devices.
- the system component represented by the data object may be a system component of a first computing device
- the other system component represented by the other data object may be a system component of a second computing device
- the propagating may be performed by any of the first computing device, the second computing device, or one or more third computing devices.
- the security agent or security service cloud may generate an event based on the tag propagation.
- the propagated tag may be mutually exclusive with another tag associated with the other data object, and the security agent or security service cloud may generate an event indicative of a tag conflict.
- the security agent or security service cloud may perform at least one of making a decision or generating a report.
Abstract
Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of instances of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.
Description
- With Internet use forming an ever-greater part of day-to-day life, malicious software (often referred to as “malware”) and other security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments, businesses and individuals may devote significant resources to preventing intrusions, damage and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware and rootkits. Such security exploits can be delivered in or through a variety of mechanisms, such as phishing emails, malicious clickable links, infected documents, infected executables, or infected archives.
- Tools for addressing these threats may apply conditional logic, testing whether some aspect of a system component, such as a process or file, matches one or more criteria. Based on meeting the criteria, the tools may take some action or actions. Modifications to the criteria, which may alter the system components that are identified, may be cumbersome. For instance, such modifications may require changes to the source code of the tools and recompiling of the tools.
- The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.
- FIG. 1 illustrates an example framework and devices for enabling interaction between a monitored device and a security service cloud.
- FIG. 2 illustrates an example system component associated with an event, the filtering of the event based on a configurable policy, and the assigning of a tag to a data object representing the system component based on the event and the filtering.
- FIG. 3 illustrates example system components associated with an event and the propagation of a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
- FIG. 4 illustrates a tree object representing an execution chain of instances of system components, the assigning of tags to the tree object, and the assigning of a tag for the tree object to data objects representing the system components.
- FIG. 5 illustrates one entity subscribing to the user-specified tags of another entity and assigning those user-specified tags to ones of the data objects of monitored devices of the entity.
- FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components.
- This disclosure includes techniques and arrangements for assigning tags to data objects representing system components associated with security-relevant system events (hereinafter simply “events”) and for propagating tags among the data objects based on those events and on a configurable policy. As used herein, the term “tag” refers to data object metadata that acts as a label or classifier of a data object. A tag may be a string, an integer, a hash, a binary flag, or some other efficient representation. Tags enable filtering of data objects for reporting, decision-making, and event generation and allow reclassification of data objects without any need for recoding or recompiling.
- In various embodiments, one or more monitored devices may each be equipped with a security agent to monitor events on those respective one or more computing devices and a data store to maintain data objects representative of system components associated with those events. Those monitored computing devices may be in communication with devices of a security service cloud. The security service cloud may also be configured to monitor events on those monitored computing devices and to maintain data objects representative of system components associated with those events in a data object store of the security service cloud. The security agents and security service cloud may monitor the same events, different events, or overlapping sets of events. Also, in some embodiments, the security agents may simply detect events and inform the security service cloud of those detected events. The data object stores of the security agents and security service cloud may include data objects representing the same system components, data objects representing different system components, or an overlapping set of data objects.
- A security agent or security service cloud may first assign tags to the data objects based on a configurable policy. Such tags may be considered “taxonomic tags” which classify a type, function, role, etc. of a system component. For example, “document program” may be such a “taxonomic tag.” The security agent or security service cloud may also assign tags to data objects based on the observed behaviors or characteristics of the system components they represent. For instance, if a process repeatedly opens document files, the security agent or security service cloud may assign the tag “document program” to the process.
- The security agent or security service cloud may detect or be informed of events and the system components associated with those events. Such events could include processes spawning other processes or threads, processes creating or opening files, etc. These events may include all events occurring on a monitored computing device or a subset of those events. If a subset, the security agent or security service cloud may be configured to filter events based on a configuration of the security agent or on a configurable policy (as used herein, “configurable policy” may refer to the configuration of the security agent or to a policy utilized by the security agent or security service cloud).
- Based on the detected event and on the configurable policy, the security agent or security service cloud may propagate a tag assigned to one data object representing a system component associated with the event to another data object representing another of the system components associated with the event. For example, if a process creates a file, the security agent or security service cloud may propagate one or more tags of the data object for that process to the data object for that file. The security agent or security service cloud may propagate all of the tags of the data object for the process or only a subset of those tags based at least in part on the configurable policy. Propagation may occur in both directions, too; tags of the data object representing the file may also be propagated to the data object representing the process. In another example, a process may spawn multiple threads, and the security agent or security service cloud may propagate one or more tags of the data object for that process to all or only a subset of the data objects for those threads based at least in part on the configurable policy.
- In some embodiments, the security agent or security service cloud may generate a data object that represents the detected event and assign a tag to that data object, such as “suspicious event.” Such tags may be updated in response to detecting a subsequent event. For example, if a first event is merely suspicious, it may later be seen as security exploit activity if a second event occurs. In such a case, the tag may be updated to reflect the additional context (e.g., the tag “suspicious event” may be updated to “exploit activity”).
- In various embodiments, the security agent or security service cloud may also create a tree object to represent an execution chain of instances of the system components associated with the event. For example, if an event involves one process executing another process, that execution chain could be represented in a tree object. If the other process then creates a file, that file could also be represented in the tree object. The security agent or security service cloud can assign tags to the tree object and can assign a tree object tag to data objects representing the system components which appear in the tree object. Through the tree object tag, tags assigned to the tree object may be considered as tags of the data objects assigned the tree object tag. This enables retrospective classification of system components. For instance, nothing may be suspicious about a particular process when it first executes another. But if that other process then goes on to execute a further process, and the further process performs an action recognized as security exploit activity, the tag “security exploit” may be assigned to the tree object representing that execution chain. And because a tree object tag for that tree object is assigned to the original process, that original process now, through the tree object tag and tree object, has the tag “security exploit.”
- In further embodiments, the security agent or security service cloud may enable a user to assign tags to data objects representing system components. These user-specified tags may be utilized by security agents of an entity associated with the user. Such tags may be utilized to classify system components that have not yet been classified in the configurable policy. For example, a particular process may be a document program, but a security agent utilizing the configurable policy may not recognize the process as such. The user may assign the tag “document program” to the data object representing that process. These user-specified tags may then later be considered in updating the configurable policy and taxonomic tags. Also, an entity may subscribe to another entity's user-specified tags, causing that other entity's user-specified tags to be assigned to the entity's data objects.
- In some embodiments, the security agent or security service cloud may then utilize the tags to make decisions, generate reports, or even generate events. For example, if a tag is propagated to a data object that has been assigned a tag that conflicts with the propagated tag, the security agent or security service cloud may generate a tag conflict event.
- Additionally, the security agent or security service cloud may update the tags assigned to the data objects based on an update to the configurable policy. Such updating may allow for reclassification without burdensome activities like recoding or recompiling the security agent or security service cloud.
-
FIG. 1 illustrates an example framework and systems for enabling interaction between a monitored device and a remote security service. As illustrated, one of moremonitored devices 102 may be connected to securityservice computing devices 104 of a security service cloud via anetwork 106. In various embodiments, the monitoreddevices 102 may each be a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices. When implemented on multiple computing devices, a monitoreddevice 102 may distribute its modules and data among the multiple computing devices. In some implementations, a monitoreddevice 102 represents one or more virtual machines implemented on one or more computing devices. Also, each monitoreddevice 102 may be associated with an entity, and the entity or entities may in turn have security service arrangements with a security service provider. The security service provider may in turn operate a security service cloud, which may include the securityservice computing devices 104. - In some embodiments, the security
service computing devices 104 may each be or include a server or server farm, multiple, distributed server farms, a mainframe, a work station, a PC, a laptop computer, a tablet computer, a PDA, a cellular phone, a media center, an embedded system, or any other sort of device or devices. In one implementation, the securityservice computing devices 104 implementing the security service cloud represent a plurality of computing devices working in communication, such as a cloud computing network of nodes. When implemented on multiple computing devices, a securityservice computing device 104 may distribute its modules and data among the multiple computing devices. In some implementations, one or more of the securityservice computing devices 104 represent one or more virtual machines implemented on one or more computing devices. - The
network 106 may include any one or more networks, such as wired networks, wireless networks, and combinations of wired and wireless networks. Further, thenetwork 106 may include any one or combination of multiple different types of public or private networks (e.g., cable networks, the Internet, wireless networks, etc.). For example, thenetwork 106 may include a public network and a client network associated with one of the entities. Such a client network may each be a private network. In some instances, computing devices communicate over thenetwork 106 using a secure protocol (e.g., Hypertext Transfer Protocol Secure (https)) and/or any other protocol or set of protocols, such as the transmission control protocol/Internet protocol (TCP/IP). - As is further shown, each monitored
device 102 may have aprocessor 108, and each securityservice computing device 104 may have aprocessor 110.Processors Processors - Each monitored
device 102 may also have acommunication interface 112, and each securityservice computing device 104 may have acommunication interface 114. The communication interfaces 112 and 114 may be any sort of wired or wireless interfaces (or both) that enable their respective devices to communicate over thenetwork 106 with other devices, including with each other. The communication interfaces 112 and 114 may be the same or different types of communication interfaces. - The monitored device(s) 102 each have input/output (I/O)
devices 116, and the securityservice computing devices 104 each have I/O devices 118. The I/O devices O devices O devices 116 of the monitored device(s) 102 may be used to enter user-specified tags, to subscribe to other entities' tags, and to view reports. The I/O devices 118 of the securityservice computing devices 104 may be used to specify the configurable policy, specify taxonomic tags, and view reports. - In various embodiments, each monitored device has one or more computer-
readable media 120, and each securityservice computing device 104 has one or more computer-readable media 122. Computer-readable media readable media device 102 or securityservice computing device 104. Further, computer-readable media - As illustrated in
FIG. 1 , the computer-readable media 120 of each monitored device 102 stores a security agent 124. The security agent 124 may be a kernel-level agent or may reside partly on a monitored device 102 and partly on the security service cloud. The security agent 124 may include event consumers that receive notifications of events associated with execution activities of system components 126, filters, an event bus that routes the events to other module(s) of the security agent 124, correlators that track types of events and/or maintain state associated with events, and actors that gather state information and act upon events. The security agent 124 may be installed by and configurable by a security service cloud, such as by one or more of the security service devices 104, receiving, and applying while live, reconfigurations of module(s) of the security agent 124. The security agent 124 may also receive and apply, while live, configurable policies from the security service cloud. Such configurable policies may be the same as or different from the configuration of the security agent 124. An example security agent is described in greater detail in U.S. patent application Ser. No. 13/492,672, entitled “Kernel-Level Security Agent” and filed on Jun. 8, 2012. - The
system components 126 may be any sort of module, process, thread, file, driver, service, pipe, handle, named kernel object, memory segment, user, cryptographic signer and signature authority, registry key, Internet Protocol (IP) address and subnet, domain name service (DNS) domain, or fully-qualified domain name (FQDN) of the monitored device 102. A system component 126 that is a module may be identified by a hash of its contents. These system components 126 may include both platform and application components. As mentioned, the security agent 124 receives notifications of execution activities, such as events, associated with these system components 126, filters and dispatches the events in accordance with the configuration of the security agent 124, and acts upon the events. Such actions may simply be recording and further monitoring or may rise to the level of remediation or alerts. In monitoring these events, the security agent 124 attempts to detect indications of exploit code 128 or other malicious activity of an adversary 130. - The
security agent 124 may further include or be associated with a data object store 132. While FIG. 1 shows the data object store 132 as separate from the security agent 124, it is to be understood that the data object store 132 may either be a part of the security agent 124 or may be separate from and associated with the security agent 124. The data object store 132 may represent current and past states of the monitored device 102. The past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state. The data object store 132 may have at least three roles. In a first role, the data object store 132 may serve as a historian, providing access to past states of the monitored device 102 that are no longer stored elsewhere on the monitored device 102. In a second role, the data object store 132 may serve as a validator, maintaining an independent model of the state of the monitored device 102 that can be used to detect malicious modifications of the host operating system's state storage on the monitored device 102. In a third role, the data object store 132 provides a cache of configuration, information, and state that are received from a remote security service, that are computationally expensive to generate or fetch, or that are high-latency to fetch. An example of such a data object store is described in greater detail in U.S. patent application Ser. No. 13/728,746, entitled “Real-Time Representation of Security-Relevant System State” and filed on Dec. 27, 2012. - The data object
store 132 may include a plurality of data objects 134 that represent system components 126 and events. These data objects 134 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events. The security agent 124, through any of its actors or correlators, may create and update the data objects 134. In some embodiments, the data object store 132 may also be associated with functional components that are capable of creating and updating the data objects 134 based on events received from filter and dispatch components of the security agent 124. - In various embodiments, the data object
store 132 may also maintain one or more tree objects 136. Tree objects 136 may represent execution chains of instances of system components 126. Whether or not the security agent 124 creates a tree object 136 responsive to an event may be determined based on the configurable policy received from the security service cloud. - As is further shown in
FIG. 1 , the data object store 132 may maintain tags 138 for some or all of the data objects 134 and tree objects 136. Each tag 138 acts as a label or classifier of a data object 134 or a tree object 136. While the tags 138 are shown separately from the data objects 134 and tree objects 136 in FIG. 1 , it is to be understood that each tag 138 may be stored as metadata of a specific data object 134 or tree object 136, although such storage may be contiguous or non-contiguous. -
Tags 138 may have structure. The presence of a tag 138 can require another tag 138 (e.g., “Office2010” requires “Office”, which in turn requires “document program”) or at least one member of a set of tags 138 (e.g., “updater” requires some other tag 138 indicating something which can be updated). Alternatively, such structure may be avoided with a hierarchy or via tag duplication. Such alternatives may be considered to avoid the computational expense of the tag structure. Tags 138 can also be mutually exclusive with each other (e.g., “document program” and “system program” may be mutually exclusive). - Further, tags 138 may be of any of a number of varieties, such as
taxonomic tags 140, tree tags 142, and social tags 144. Tags 138 may also be of any of a number of different types, depending on implementation. Taxonomic tags 140 may be centrally declared and standardized (e.g., by the security agent 124 or by the security service cloud), and may be used to pass defined indications that may enable decision-making and direct actions. In some embodiments, taxonomic tags 140 may only be assigned by security service cloud code or by authorized employees of the security service provider through controlled interfaces. Examples of taxonomic tags 140 may be classifications, such as a “CS_ShowInUI” tag for use in detections. Taxonomic tags 140 may be flagged to never display to a customer. - Tree tags 142 are dynamically created on a monitored
device 102 along with tree objects 136 and serve to identify those tree objects 136. Each tree tag 142 may be assigned to the data objects 134 which represent system components 126 that are included in the tree object 136 identified by that tree tag 142. Tree tags 142 serve to associate data objects 134 with the taxonomic tags 140, social tags 144, or other tags 138 that are assigned to their respective tree objects 136. -
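As an added illustration (not code from the patent or from any product it describes), the following Python models the three kinds of tag structure named above: a tag that requires another tag, a tag that requires at least one member of a set, and mutually exclusive tags. The tag names are taken from the text; the TagRule and Taxonomy classes, their method names and the rule table are assumptions made for the example. Assigning a tag expands what it implies and refuses a result that would carry two mutually exclusive tags, which is the situation the text later describes as a tag conflict.

```python
# Added example (not code from the patent or from any product it describes):
# a small taxonomy that enforces the three kinds of tag structure named in
# the text: "requires", "requires one of a set", and mutual exclusion.
# Tag names come from the text; TagRule/Taxonomy and the rule table are
# illustrative assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class TagRule:
    requires: frozenset = frozenset()      # every listed tag must also be present
    requires_any: frozenset = frozenset()  # at least one listed tag must be present
    excludes: frozenset = frozenset()      # none of the listed tags may be present


class Taxonomy:
    """Centrally declared tag rules, as the security service cloud would publish them."""

    def __init__(self, rules):
        self.rules = rules

    def rule(self, tag):
        return self.rules.get(tag, TagRule())

    def closure(self, tags):
        """Follow 'requires' chains: Office2010 -> Office -> document program."""
        result = set(tags)
        pending = list(tags)
        while pending:
            for implied in self.rule(pending.pop()).requires:
                if implied not in result:
                    result.add(implied)
                    pending.append(implied)
        return result

    def violations(self, tags):
        """Human-readable list of structure violations for a tag set (empty if valid)."""
        problems = []
        conflicts = set()
        for tag in sorted(tags):
            r = self.rule(tag)
            missing = r.requires - tags
            if missing:
                problems.append(f"{tag} requires {sorted(missing)}")
            if r.requires_any and not (r.requires_any & tags):
                problems.append(f"{tag} requires one of {sorted(r.requires_any)}")
            for other in r.excludes & tags:
                conflicts.add(frozenset({tag, other}))   # report each pair once
        for a, b in sorted(sorted(pair) for pair in conflicts):
            problems.append(f"{a} excludes {b}")
        return problems

    def assign(self, tags, new_tag):
        """Assign new_tag, expand what it implies, and refuse a conflicting result."""
        candidate = self.closure(set(tags) | {new_tag})
        problems = self.violations(candidate)
        if problems:
            raise ValueError("; ".join(problems))
        return candidate


# Constructed rule table using the examples given in the text.
TAXONOMY = Taxonomy({
    "Office2010": TagRule(requires=frozenset({"Office"})),
    "Office": TagRule(requires=frozenset({"document program"})),
    "updater": TagRule(requires_any=frozenset({"Office", "browser", "system program"})),
    "document program": TagRule(excludes=frozenset({"system program"})),
    "system program": TagRule(excludes=frozenset({"document program"})),
})
```

Calling `TAXONOMY.assign({"Office2010"}, "updater")` succeeds because the closure supplies “Office”, which satisfies the updater's set requirement; `TAXONOMY.assign({"Office2010"}, "system program")` raises, because the closure also supplies “document program”, which excludes “system program”.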
Social tags 144 may be created and assigned by users of the monitored devices 102. Social tags 144 may be controlled by an entity associated with a monitored device 102 rather than centrally controlled by the security service cloud. The social tags 144 may, however, be provided to the security service cloud and have indirect effects on the security service cloud based on data analytics or manual propagation rules that use the social tags 144 to assign taxonomic tags 140. Social tags 144 may include the identifier of the entities whose users created those social tags 144. Also, many taxonomic tags 140 may appear as social tags 144. For example, a user associated with an entity may assign a “document program” tag 144 to an executable that the security service cloud has not classified with a taxonomic tag 140. - Also, in some embodiments, the
tags 138 may include a tag 138 for a “system” data object 134 that can be tagged to adjust the overall posture of the monitored device 102, as a lightweight alternative to full multi-modal configurations. This may cause the event filtering of the security agent 124 to start with a posture check. - In various embodiments, the
security agent 124 may, in accordance with the configurable policy received from the security service cloud, assign tags 138 to data objects 134. For example, the security agent 124 may assign taxonomic tags 140 to at least some of the data objects 134 based on the types, observed behaviors, or characteristics of the system components 126 or events that those data objects 134 represent. The security agent 124 may also assign tags 138 to tree objects 136 based at least in part on the configurable policy. The security agent 124 may assign or remove tags 138 from data objects 134 or tree objects 136 directly with standard events, allowing dynamic control of tags 138, both programmatically and manually. Also, or instead, tag assignment may be triggered by any detected event. In such circumstances, tags 138 may be assigned to the data objects 134 representing the system components 126 associated with the event, to a data object 134 that represents the detected event, or to both. - Further, as illustrated in
FIG. 2 , the security agent 124 may assign tags 138 to data objects 134 based on events and on the configurable policy. At 202, the security agent 124 may detect the occurrence of an event associated with a system component 126, such as a file 204. The security agent 124 may then, at 206, filter the event based on the configurable policy. Based on the detection of the event and the filtering, the security agent 124 then, at 208, assigns a tag 138, such as tag X 210, to the data object 134 representing the system component 126 (e.g., file data object 212 representing file 204). - In some embodiments,
tags 138 may be propagated between data objects 134 by the security agent 124 based at least in part on the configurable policy and on detecting an event. When the security agent 124 detects an event, the security agent 124 consults the configurable policy and determines which tags 138 should be propagated among the data objects 134 representing the system components 126 associated with the event. For example, if a parent process creates a child process, some or all of the tags 138 of the data object 134 representing the parent process may be propagated by the security agent 124 to the data object 134 representing the child process. Which tags 138 are propagated may be determined based on propagation rules associated with the tags 138 and included in the configurable policy. The configurable policy may include a propagation mask for each tag 138 that indicates the events that will cause the propagation of that tag 138. Such propagation masks may be compiler-generated bitmasks for each propagating event, allowing for a small, fixed number of operations for even a very large number of tags 138. - For example, in accordance with the configurable policy, a process may acquire some
tags 138 by propagation from a file it loads, and the policy might define different propagation behavior based on whether or not the file was loaded as a primary module. -
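The propagation-mask scheme described above, as an added example that is not part of the patent: each tag is one bit, the configurable policy lists for each tag the events that propagate it, and those lists are compiled once into one bitmask per event, so that propagating on an event is a single AND and OR regardless of how many tags exist. Tag names X and Y follow FIG. 3 (X flows from a process to a file it writes, Y does not); the other tag names, the event names, the POLICY table and the primary-module distinction are illustrative assumptions.

```python
# Added example (not the patent's code): tag propagation with per-event
# bitmasks. Each tag is one bit, each event kind gets one mask, and
# propagating is a constant number of bit operations however many tags exist.
# Tag names X and Y follow FIG. 3; the other tag names, the event names, the
# POLICY table and the primary-module distinction are illustrative assumptions.

TAG_NAMES = ["X", "Y", "suspicious", "document program", "updater", "signed"]
TAG_BITS = {name: 1 << i for i, name in enumerate(TAG_NAMES)}


def tagset(*names):
    """Encode tag names as a bitset (an int)."""
    bits = 0
    for name in names:
        bits |= TAG_BITS[name]
    return bits


def names(bits):
    """Decode a bitset back to sorted tag names."""
    return sorted(name for name, bit in TAG_BITS.items() if bits & bit)


# Configurable policy as the text describes it: for each tag, the events
# that cause that tag to propagate (constructed table).
POLICY = {
    "X":                ["process_create", "file_write", "module_load", "module_load_primary"],
    "suspicious":       ["process_create", "file_write"],
    "document program": ["process_create", "module_load_primary"],
    "updater":          ["process_create"],
    "signed":           ["module_load_primary"],
    # "Y" has no entry: it never propagates.
}


def compile_masks(policy):
    """Turn the per-tag policy into one bitmask per event. Done once when the
    policy is loaded, not per event (the text's compiler-generated masks)."""
    masks = {}
    for tag, events in policy.items():
        for event in events:
            masks[event] = masks.get(event, 0) | TAG_BITS[tag]
    return masks


MASKS = compile_masks(POLICY)


def propagate(source_tags, target_tags, event, masks=MASKS):
    """Return the target object's new tag set after `event` between source and
    target. Tags outside the event's mask (e.g. Y) stay on the source only."""
    return target_tags | (source_tags & masks.get(event, 0))


def fig3_example():
    """FIG. 3: a process with tags X and Y writes a file; only X reaches the file."""
    process = tagset("X", "Y")
    file_obj = propagate(process, 0, "file_write")
    return names(file_obj)


def module_load_example(primary):
    """A process loads a signed 'document program' file. Loading it as the
    primary module carries both tags to the process; a plain load carries
    only X, which this module does not have, so nothing propagates."""
    module = tagset("document program", "signed")
    event = "module_load_primary" if primary else "module_load"
    return names(propagate(module, 0, event))
```

Because the masks are fixed-width integers, adding a tag to POLICY changes nothing in `propagate`; only `compile_masks` sees the larger table.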
FIG. 3 illustrates one example of such a tag propagation. As illustrated in FIG. 3 , a security agent 124 may detect 302 an event that is associated with a process 304 and a file 306. For example, the process 304 might create, read, write to, or delete the file 306. In response, and in accordance with the configurable policy, the security agent 124 may propagate 308 a tag 310 (shown as “tag X 310”) from the data object 312 representing the process 304 to a data object 314 representing the file 306. The process data object 312 may also have additional tags, such as tag Y 316, which are not propagated to the file data object 314, in accordance with the configurable policy. - As described above, the
security agent 124 may create tree objects 136 and tree tags 142 in accordance with the configurable policy. FIG. 4 illustrates an example of such tree object creation and tree tag assignment. As shown in FIG. 4 , a security agent 124 detects 402 an event associated with a process 404 and a file 406, such as the execution of the file 406 by the process 404. In response, and in accordance with the configurable policy, the security agent 124 constructs 408 a tree object 410 for the execution chain 412 of the process 404 executing the file 406. Subsequent to creating the tree object 410, the security agent 124 may expand the representation of the execution chain 412 to represent additional events and instances of system components. For example, if the file 406 is an executable that then reads another file, the security agent 124 may update the representation of the execution chain 412 in the tree object 410 to reflect the extension of the execution chain 412. The security agent 124 may also assign tags 138 to the tree object 410, such as tag A 414 and tag B 416. These tags may be taxonomic tags 140 or social tags 144. The security agent 124 may assign the tags in accordance with the configurable policy; for example, if a system component 126 or event included in the execution chain 412 is determined to be suspicious, the tag “suspicious” could be assigned to the tree object 410. When creating the tree object 410, the security agent 124 also creates a tree tag 142 for the tree object 410 and assigns 418 the tree tag 142 (shown as “Tag T 420”) to data objects 422 and 424 representing the process 404 and file 406, respectively. While data objects 422 and 424 are each shown as being assigned only a single tree tag 142, it is to be understood that any data object 134, such as data objects 422 and 424, may have multiple tree tags 142 assigned to it if the system component 126 or event represented by that data object 134 appears in multiple tree objects 136. The data objects 422 and 424 may also have other tags 138 assigned to them.
For example, the process data object 422 may have a tag C 426 assigned to it. When the security agent 124 subsequently filters the data objects 422 and 424 based on tags 138, the security agent 124 will consider, for instance, the process data object 422 to have tag C 426, tag T 420, and, by virtue of tag T 420, both tag A 414 and tag B 416 as well. Process data object 422 will be considered to have tag A 414 and tag B 416 transitively: there is no need for these tags to be assigned to it directly, as tree tag T 420 is sufficient to ensure their application to the process data object 422. - Returning to
FIG. 1 , the security agent 124 or a user interface received from the security service provider (e.g., a web page) may also enable a user of the monitored device 102 to subscribe to social tags 146 of another entity 148 on behalf of the entity associated with the monitored device 102. The monitored device 102 may then receive the social tags 146, either directly from monitored devices of the other entity 148 or through a security service computing device 104 of the security service cloud. The monitored device 102 may also continue to receive the subscribed-to social tags 146 on an ongoing basis, as the social tags 146 are created. Upon receiving the social tags 146, the security agent 124 may assign the social tags 146 to data objects 134. The social tags 146 are assigned to data objects 134 that are equivalents of the data objects of the other entity. “Equivalent” data objects may be those representing a same or similar type of system component 126 or event. Upon receiving and assigning the social tags 146, those social tags 146 may be considered part of social tags 144. -
Social tags 144 can be used to provide a number of capabilities; for instance, social tags 144 may be used arbitrarily for annotation, allowing coordination between multiple analysts and across entities. Social tags 144 on patterns and files can allow for expression of entity preferences about the policy and priority of different patterns, and allow entities to rapidly whitelist local programs and files overall or with respect to specific patterns. -
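An added example, not the patent's code, that replays the FIG. 4 tree object scenario described above: executing file 406 from process 404 creates a tree object whose tree tag T is stamped on both data objects, the chain is extended when the executed file reads a second file, and filtering resolves tag A and tag B on the process data object transitively through tag T rather than by assigning them directly. Numerals and tag letters follow the figure; the Store class, its event methods and the T1, T2 naming of tree tags are assumptions.

```python
# Added example (not the patent's code): tree objects, tree tags and the
# transitive tag resolution of FIG. 4. Numerals 404/406 and tags A, B, C, T
# follow the figure; the Store class, the event methods and the "T<n>"
# naming of tree tags are illustrative assumptions.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class DataObject:
    key: str                                # e.g. "process:404", "file:406"
    tags: set = field(default_factory=set)


@dataclass
class TreeObject:
    tree_tag: str                           # assigned to every member data object
    chain: list                             # execution chain as data-object keys
    tags: set = field(default_factory=set)  # taxonomic/social tags on the tree itself


class Store:
    """Data object store holding data objects and the tree objects they appear in."""

    def __init__(self):
        self.objects = {}
        self.trees = {}
        self._ids = count(1)

    def obj(self, key):
        return self.objects.setdefault(key, DataObject(key))

    def on_execute(self, process_key, file_key):
        """Process executes file: build a tree object for the execution chain
        and stamp both data objects with its tree tag."""
        tree = TreeObject(f"T{next(self._ids)}", [process_key, file_key])
        self.trees[tree.tree_tag] = tree
        for key in tree.chain:
            self.obj(key).tags.add(tree.tree_tag)
        return tree

    def on_extend(self, tree_tag, from_key, to_key):
        """A member of the chain touches another component (e.g. the executed
        file reads a second file): extend the chain and tag the newcomer."""
        tree = self.trees[tree_tag]
        if from_key in tree.chain and to_key not in tree.chain:
            tree.chain.append(to_key)
            self.obj(to_key).tags.add(tree_tag)

    def effective_tags(self, key):
        """Own tags plus, transitively, the tags of every tree the object belongs to."""
        own = self.obj(key).tags
        result = set(own)
        for tree_tag in own & set(self.trees):
            result |= self.trees[tree_tag].tags
        return result

    def filter(self, tag):
        """Data objects that carry `tag` directly or through a tree."""
        return sorted(k for k in self.objects if tag in self.effective_tags(k))


def fig4_example():
    """Replays FIG. 4, then places the process in a second tree as well."""
    store = Store()
    tree = store.on_execute("process:404", "file:406")       # tree tag T1
    tree.tags |= {"A", "B"}                                   # tags on the tree object
    store.obj("process:404").tags.add("C")                    # tag on the process itself
    store.on_extend(tree.tree_tag, "file:406", "file:second")  # chain grows
    store.on_execute("process:404", "file:other")             # second tree, tag T2
    return {
        "process": store.effective_tags("process:404"),
        "second_file": store.effective_tags("file:second"),
        "with_A": store.filter("A"),
        "with_C": store.filter("C"),
        "trees_of_process": sorted(store.obj("process:404").tags & set(store.trees)),
    }
```

Assigning “suspicious” to a tree object later (`store.trees["T1"].tags.add("suspicious")`) immediately changes what `filter("suspicious")` returns for every member of the chain, without touching any data object.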
FIG. 5 illustrates an example of subscription to another entity's social tags. As illustrated in FIG. 5 , a first entity 502 may subscribe 504 to social tags 506 of a second entity 508. The social tags 506 may be assigned to data objects, such as data object 510, which represent system components 126 or events of monitored devices 102 of the second entity 508. Responsive to the subscription, the first entity 502 may receive 512 the social tags 506. Security agents 124 of the monitored devices 102 of the first entity 502 may then assign the social tags 506 to data objects 514. Data objects 514 may then have both any tags of their own, such as tag D 516, and the subscribed-to social tags 506. - In various embodiments, referring again to
FIG. 1 , the security agent 124 may utilize the tags 138 for reporting, decision-making, or event-generating. The security agent 124 may utilize the configurable policy and tags 138 to filter the data objects 134. The result of that filtering may then be utilized to generate a report, which may be provided to a user of the monitored device 102 through the security agent 124 or through a user interface provided by the security service cloud (e.g., a web page). The security agent 124 may also or instead make a decision based on the filtered data objects 134. For example, if the filtered data objects 134 include any data objects 134 with the tag 138 “suspicious”, the security agent 124 may decide to perform additional monitoring or take remedial action. Further, the security agent 124 may generate events. For example, if the security agent 124 propagates a tag 138 to a data object 134, and that data object 134 has another tag 138 that conflicts with the propagated tag 138, the security agent 124 may generate an event indicative of a tag conflict. -
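The subscription of FIG. 5, as an added example that is not part of the patent: a second entity publishes social tags to the security service cloud, a first entity subscribes, and the subscriber's device assigns the received tags only to data objects that have an equivalent locally, here matched by module content hash since the text says a module may be identified by a hash of its contents. The block also shows one manual propagation rule of the kind mentioned above, promoting a social tag to a taxonomic tag once enough distinct entities agree on it. Entity names, hashes, the tag@entity suffix and the threshold of three entities are constructed assumptions.

```python
# Added example (not the patent's code): one entity subscribing to another's
# social tags (FIG. 5), matching "equivalent" data objects by module content
# hash, and a manual propagation rule that turns widely agreed social tags
# into a taxonomic tag. Entity names, hashes, the tag@entity suffix and the
# threshold of three entities are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SocialTag:
    tag: str
    entity: str        # entity whose user created the tag (carried with the tag)
    module_hash: str   # identifies the tagged module across entities


class MonitoredDevice:
    """A subscriber's device: data objects keyed by module hash."""

    def __init__(self, module_hashes):
        self.tags = {h: set() for h in module_hashes}

    def apply_subscribed(self, incoming):
        """Assign subscribed tags only where an equivalent data object exists here."""
        applied = []
        for st in incoming:
            if st.module_hash in self.tags:
                self.tags[st.module_hash].add(f"{st.tag}@{st.entity}")
                applied.append(st)
        return applied


class SecurityServiceCloud:
    def __init__(self):
        self.social = defaultdict(list)        # publisher entity -> its social tags
        self.subscriptions = defaultdict(set)  # subscriber -> publishers

    def publish(self, entity, tag, module_hash):
        self.social[entity].append(SocialTag(tag, entity, module_hash))

    def subscribe(self, subscriber, publisher):
        self.subscriptions[subscriber].add(publisher)

    def feed(self, subscriber):
        """Everything the subscriber's publishers have tagged so far."""
        return [st for pub in sorted(self.subscriptions[subscriber])
                for st in self.social[pub]]

    def derive_taxonomic(self, min_entities=3):
        """Promote (hash, tag) pairs that at least min_entities distinct entities
        agree on; the cloud would then declare them as taxonomic tags."""
        voters = defaultdict(set)
        for tags in self.social.values():
            for st in tags:
                voters[(st.module_hash, st.tag)].add(st.entity)
        return sorted(pair for pair, ents in voters.items() if len(ents) >= min_entities)


def fig5_example():
    cloud = SecurityServiceCloud()
    # Constructed data: three entities call the same module a document program;
    # one of them also tags a module the subscriber does not have.
    cloud.publish("entity-B", "document program", "sha256:aaaa")
    cloud.publish("entity-C", "document program", "sha256:aaaa")
    cloud.publish("entity-D", "document program", "sha256:aaaa")
    cloud.publish("entity-B", "updater", "sha256:cccc")
    cloud.subscribe("entity-A", "entity-B")
    device = MonitoredDevice(["sha256:aaaa", "sha256:bbbb"])
    applied = device.apply_subscribed(cloud.feed("entity-A"))
    return {
        "feed_size": len(cloud.feed("entity-A")),
        "applied": [st.module_hash for st in applied],
        "tags_aaaa": device.tags["sha256:aaaa"],
        "tags_bbbb": device.tags["sha256:bbbb"],
        "taxonomic": cloud.derive_taxonomic(),
    }
```

Keeping the originating entity in the tag value preserves the provenance the text requires for social tags, and the hash match ensures a tag about one entity's copy of a module never lands on an unrelated local object.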
Tags 138 can also be used by the security agent 124 to trigger runtime policy. For example, a tag 138 could indicate that a process should not be allowed to make outbound network connections. Such tags 138 take their effect from the configurable policy that is used by the security agent 124 to filter on the presence of the tag 138. - In various embodiments, the security
service computing devices 104 of the security service cloud may each maintain, in its computer-readable media 122, a data object store 150, which may include data objects 152 and tags 154. The data object store 150 may represent current and past states of one or more of the monitored devices 102. The past states maintained include at least a subset of past states, such as states that enhance forensic and policy understanding of the current state(s). The data object store 150 may include a plurality of data objects 152 that represent system components 126 and events of the one or more monitored computing devices. These data objects 152 may form one or more graphs composed of nodes and edges, with node data objects representing system components 126 and edge data objects representing events. The data object store 150 may maintain separate graphs for each of the monitored devices 102, a graph for multiple ones of the monitored devices, or both. A graph representing multiple ones of the monitored devices 102 may include representation of events associated with system components 126 from multiple monitored devices 102, such as a process on one monitored device 102 accessing a file on another monitored device 102. While not shown, the data object store 150 may include copies of the tree objects 136 created on the monitored devices 102. - In some embodiments, the
tags 154 may represent a superset of the tags 138 of the one or more monitored devices 102. Because the taxonomic tags 140 may be centrally created by the security service computing devices 104, the taxonomic tags 140 included in the tags 154 may be the same as, or at least include all of, the taxonomic tags 140 included in the tags 138. The taxonomic tags 140 included in the tags 154 may also include additional taxonomic tags 140 that have not yet been assigned to any data objects 134 or tree objects 136 of the monitored devices. The tree tags 142 of the tags 154, in addition to identifying tree objects 136 of monitored devices 102, also include identifiers of the monitored devices 102 to which the tree objects 136 belong. The social tags 144 of the tags 154 include identifications of the entities that created those social tags 144. As mentioned above, the security service cloud may utilize these social tags 144 in defining additional taxonomic tags 140. - The communications model for
tags between security agents 124 and the security service cloud may define under what circumstances tags 138 flow between monitored devices 102 and security service computing devices 104. This flow may be implemented as another propagation operation, or possibly as two operations: one to passively forward tags 138 and another to push changes to the tag assignment proactively. - In further embodiments, the
security modules 156 of the security service computing devices may be configured to provide information security services to individual users and client entities through their monitored devices 102, such as maintenance and configuration of the security agent 124 and data object store 132, threat modeling, and/or remediation. The security modules 156 may include a configuration module 158 to configure the security agents 124 and to provide the configurable policy to the security agents 124, a monitoring module 160 to detect events on the monitored devices 102 or to receive indications of the occurrences of those events, and a social module 162 to enable social aspects of the security services, such as the sharing of social tags 144. - In further embodiments, the
security modules 156 may build and maintain the data object store 150. The monitoring module 160 of the security modules 156 may detect events or receive indications of the occurrence of events and use that information to build the data object store 150. Such information may be received in substantially real time as the events are observed. The configuration module 158 may configure the monitored devices 102, specifying the events that the monitored devices 102 are to notify the monitoring module 160 of and the tags 138 which the monitored devices 102 are to share. Further, the configuration module 158 may update the configurable policy and disseminate the updated configurable policy to the monitored devices 102. Such an updated configurable policy may result in the updating of assignments of tags 138, removing some tags 138 and adding others. The updated configurable policy may also update propagation masks for tags 138, resulting in different propagation behaviors. - In some embodiments, the
social module 162 may also provide social aspects to the security services, forming groups of users and/or client entities and automatically sharing security information among the users and/or client entities constituting a group. Alternatively or additionally, the social module 162 may enable the users or entities to subscribe to the social tags 144 of other users or other entities and enable the exchange of the subscribed-to tags 144, either retrieving and providing them or enabling users/entities to provide the social tags 144 to each other directly. - While not shown, the
security modules 156 may also include one or more modules to filter the tags 154 and act upon the filtering. Such actions may include decision-making, report-generating, or event-generating, in the manner described above with respect to the security agent 124. The actions may further include causing the configuration module 158 to update the configurable policy. -
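An added example, not the patent's code, of the tag-driven filtering described above for the security agent and, here, for the cloud-side modules: event filtering starts with a posture check on the “system” data object, then the first rule whose event kind, required posture and subject tag all match decides the action, and the same tag store feeds a report. The rule format, the tag names (no_outbound_net, locked_down, suspicious) and the action vocabulary are assumptions; the text only says such tags take effect through the configurable policy filtering on their presence.

```python
# Added example (not the patent's code): event filtering that starts with a
# posture check on the "system" data object and then applies tag-keyed rules,
# returning a decision and recording generated events. The rule format, the
# tag names (no_outbound_net, locked_down, suspicious) and the action
# vocabulary are assumptions; the IP is from the documentation range.
from dataclasses import dataclass, field

ANY = "*"   # rule applies whatever tags the subject carries


@dataclass(frozen=True)
class Event:
    kind: str            # e.g. "network_connect", "process_create"
    subject: str         # data-object key of the acting component
    target: str = ""     # e.g. "ip:203.0.113.7" (constructed)


@dataclass(frozen=True)
class Rule:
    event: str           # event kind this rule applies to
    subject_tag: str     # tag required on the subject, or ANY
    action: str          # "deny", "monitor", "alert"
    posture: str = ""    # tag required on the "system" data object, if any


@dataclass
class Agent:
    tags: dict                                # data-object key -> set of tags
    rules: list
    generated: list = field(default_factory=list)

    def posture(self):
        return self.tags.get("system", set())

    def filter(self, ev):
        """Posture check first, then the first matching rule decides; events
        matching no rule are allowed. Alerts are recorded as generated events."""
        posture = self.posture()
        subject_tags = self.tags.get(ev.subject, set())
        for r in self.rules:
            if r.event != ev.kind:
                continue
            if r.posture and r.posture not in posture:      # posture gate
                continue
            if r.subject_tag != ANY and r.subject_tag not in subject_tags:
                continue
            if r.action == "alert":
                self.generated.append(("alert", ev.subject, r.subject_tag))
            return r.action
        return "allow"

    def report(self, tag):
        """Data objects currently carrying `tag`, for a report to the user."""
        return sorted(k for k, t in self.tags.items() if tag in t)


# Constructed policy: a per-process tag denies outbound connections; a posture
# tag on the system object denies them for every process; a suspicious
# parent creating a child raises an alert.
RULES = [
    Rule("network_connect", ANY, "deny", posture="locked_down"),
    Rule("network_connect", "no_outbound_net", "deny"),
    Rule("process_create", "suspicious", "alert"),
]


def make_agent(posture_tags):
    """Constructed device state: three processes and the system posture object."""
    return Agent(
        tags={
            "system": set(posture_tags),
            "process:1": {"no_outbound_net", "document program"},
            "process:2": {"document program"},
            "process:3": {"suspicious"},
        },
        rules=RULES,
    )
```

Changing the device's posture is a single tag change on the “system” object, which is the lightweight alternative to a full configuration switch the text describes; no per-process tags need to be rewritten.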
FIG. 6 illustrates an example process. This process is illustrated as a logical flow graph, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the process. -
FIG. 6 is a flow diagram illustrating an example process for detecting an event associated with system components and propagating a tag assigned to a data object representing one of these system components to another data object representing another of the system components. The process includes, at 602, a security agent or security service cloud assigning tags to data objects representing system components of a computing device. Such assignment may be based on a configurable policy. The tags may each be one of a string, an integer, a hash, or a binary flag, and the system components may include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs). Also, the tags may have structure; a tag can imply another tag or be mutually exclusive with another tag. Further, a tag may be associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag (either in addition to the previous tag or replacing the previous tag) that is associated with the classification of the system component. At 604, the assigning may include enabling a user to associate the tag with a system component represented by a data object and assigning that user-associated tag to the data object. At 606, the assigning may include assigning a tag based at least in part on observed behavior or characteristics of a system component represented by a data object. Additionally or instead, the assigning may include assigning a tag to a data object representing a system component based at least in part on detecting an event associated with that system component and on filtering of that event using the configurable policy. 
- At 608, a security agent of a first entity may subscribe to user-specified tags of a second entity. The security agent may then assign the second entity's user-specified tags to data objects representing system components of computing devices of the first entity.
- At 610, the security agent or security service cloud may detect an event occurring on a computing device that is associated with multiple system components of the computing device.
- At 612, based on the configurable policy, the security agent or security service cloud may assign another tag to a data object representing the detection of the event. At 614, the security agent or security service cloud may detect a subsequent event and, based at least in part on detecting the subsequent event, update the other tag.
- At 616, the security agent or security service cloud may construct a tree object representing an execution chain of instances of at least a subset of the system components. The security agent or security service cloud may construct the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components. The subset of system components may include both processes and non-process system components. At 618, the security agent or security service cloud may assign a tag for the tree object to the data objects representing the subset of the system components.
- At 620, based at least in part on detecting the event and on the configurable policy, the security agent or security service cloud propagates a tag that is assigned to a data object representing one system component of the plurality of system components to another data object representing another of the plurality of system components. In some embodiments, the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object. Also or instead, the propagating may comprise propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components. Further, the system components may be system components of a computing device and the propagating may be performed by one or more other computing devices. In such embodiments, the data object and other data object may be stored on the one or more other computing devices. In addition, in some embodiments, the system component represented by the data object may be a system component of a first computing device, the other system component represented by the other data object may be a system component of a second computing device, and the propagating may be performed by any of the first computing device, the second computing device, or a third one or more computing devices.
- At 622, the security agent or security service cloud may generate an event based on the tag propagation. For example, the propagated tag may be mutually exclusive with another tag associated with the other data object, and the security agent or security service cloud may generate an event indicative of a tag conflict. Also or instead, at 624, based at least in part on tags associated with data objects representing the plurality of system components, the security agent or security service cloud may perform at least one of making a decision or generating a report.
- Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as example forms of implementing the claims.
Claims (26)
1. A computer-implemented method comprising:
detecting an event associated with a system component;
filtering the event based on a configurable policy; and
based at least in part on the detecting and the filtering, assigning a tag to a data object representing the system component.
2. The method of claim 1 , wherein the detecting, the filtering, and the assigning are performed by a kernel-level security agent.
3. The method of claim 1 , wherein the tag is one of a string, an integer, a hash, or a binary flag.
4. The method of claim 1 , further comprising assigning, based at least in part on the configurable policy, another tag to a data object representing the detection of the event.
5. The method of claim 1 , wherein the tag can imply another tag or be mutually exclusive with another tag.
6. The method of claim 1 , wherein the assigning is based at least in part on observed behavior or characteristics of the system component represented by the data object.
7. The method of claim 1 , wherein the tag is associated with logic which, when executed, classifies the system component represented by the data object and assigns a new tag that is associated with the classification of the system component.
8. The method of claim 1, further comprising, based at least in part on the tag associated with the data object representing the system component, performing at least one of making a decision or generating a report.
9. The method of claim 1, further comprising:
enabling a user to associate the tag with the system component represented by the data object, and
performing the assigning of the tag to the data object based at least in part on the user associating the tag with the system component.
10. The method of claim 9, wherein the tag is shareable with one or more other users of one entity that subscribes to tags associated by the user or another user of another entity with the system component.
11. A computer-implemented method comprising:
detecting an event associated with a plurality of system components; and
based at least in part on a configurable policy and on detecting the event, propagating a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components.
12. The method of claim 11, wherein the tag is one of a string, an integer, a hash, or a binary flag.
13. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, less than all of a plurality of tags assigned to the data object.
14. The method of claim 11, wherein the propagating comprises propagating, based at least in part on the configurable policy, the tag to data objects representing a subset of the plurality of system components.
15. The method of claim 11, wherein the tag is mutually exclusive with another tag associated with the other data object, and the method further comprises generating an event indicative of a tag conflict.
16. The method of claim 11, wherein the system components include at least one of modules, processes, threads, files, drivers, services, pipes, handles, named kernel objects, memory segments, users, cryptographic signers and signature authorities, registry keys, Internet Protocol (IP) addresses and subnets, domain name service (DNS) domains, or fully-qualified domain names (FQDNs).
17. The method of claim 11, wherein the tag is associated with a tree object that represents instances of at least a subset of the plurality of system components.
18. The method of claim 11, wherein the system components are system components of a computing device and the propagating is performed by one or more other computing devices, the data object and other data object being stored on the one or more other computing devices.
19. The method of claim 11, wherein the system component represented by the data object is a system component of a first computing device, the other system component represented by the other data object is a system component of a second computing device, and the propagating is performed by any of the first computing device, the second computing device, or a third one or more computing devices.
20. A system comprising:
a processor;
a memory coupled to the processor, the memory storing:
data objects representing a plurality of system components,
a tree object representing an execution chain of instances of at least a subset of the system components, and
executable instructions, which, when operated by the processor, perform operations including:
assigning a tag for the tree object to the data objects representing the subset of the system components,
assigning one or more tags to the tree object, those tags applying to the data objects having the tag for the tree object, and
making a decision based at least in part on tags assigned to the data objects representing the subset of the system components and the tags assigned to the tree object.
21. The system of claim 20, wherein the operations further include constructing the tree object in response to detecting execution of one system component of the subset of the system components by another system component of the subset of system components.
22. The system of claim 20, wherein the subset of system components includes both processes and non-process system components.
23. The system of claim 20, wherein the memory stores multiple tree objects, and tags for the multiple tree objects are assigned to a data object representing a system component which appears in execution chains represented by the multiple tree objects.
24. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
subscribing, by an entity, to user-specified tags of another entity, the user-specified tags being associated with data objects representing system components of computing devices of the other entity;
assigning the other entity's user-specified tags to data objects representing system components of computing devices of the entity; and
making a decision based at least in part on the other entity's user-specified tags.
25. The one or more non-transitory computer-readable media of claim 24, wherein one of the user-specified tags is a taxonomic tag applied to an unclassified system component.
26. The one or more non-transitory computer-readable media of claim 24, wherein user-specified tags are shared with a service cloud and utilized by the service cloud in determining global changes in tag assignments.
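The mechanics claimed in claims 11-15 (policy-driven propagation of a subset of tags to a subset of components, with a conflict event for mutually exclusive tags) and claims 20-23 (a tree object standing for an execution chain, whose tags apply to every member) can be made concrete in a short model. The following Python is an added illustration written for this page; it is not code from the patent or from the assignee. The data-object and tree-object classes, the policy dictionary layout, the `tree:<id>` marker tag, the "block"/"allow" decision rule and the sample processes, file and IP address are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DataObject:
    """A data object representing one system component (process, file, IP ...)."""
    kind: str
    name: str
    tags: set = field(default_factory=set)


@dataclass
class TreeObject:
    """Represents an execution chain of component instances (claim 20)."""
    tree_id: str
    members: list = field(default_factory=list)
    tags: set = field(default_factory=set)

    @property
    def marker(self):
        # tag written onto member data objects so they can be tied back to the tree
        return "tree:" + self.tree_id


# Assumed policy layout (not from the patent): per event type, which tags may
# propagate and which kinds of target component may receive them, plus the
# pairs of tags that may not coexist on one data object (claim 15).
POLICY = {
    "rules": {
        "process_create": {"tags": {"untrusted", "from_removable_media"}, "targets": {"process"}},
        "file_write": {"tags": {"untrusted"}, "targets": {"file"}},
    },
    "exclusive": {frozenset({"untrusted", "trusted_signer"})},
}


def propagate(policy, event_type, source, targets, event_log):
    """Copy the policy-selected subset of source tags to the policy-selected targets."""
    rule = policy["rules"].get(event_type)
    if rule is None:
        return []
    tags_to_copy = source.tags & rule["tags"]  # less than all of the tags (claim 13)
    updated = []
    for target in targets:
        if target.kind not in rule["targets"]:  # only a subset of components (claim 14)
            continue
        for tag in tags_to_copy:
            for existing in target.tags:
                if frozenset({tag, existing}) in policy["exclusive"]:
                    # record the conflict as an event; resolution is left to policy
                    event_log.append({"event": "tag_conflict", "object": target.name,
                                      "tags": (tag, existing)})
        target.tags |= tags_to_copy
        updated.append(target)
    return updated


def record_execution(trees, parent, child):
    """Extend the tree whose chain ends at parent, or start a new one (claim 21)."""
    for tree in trees:
        if tree.members[-1] is parent:
            tree.members.append(child)
            child.tags.add(tree.marker)
            return tree
    tree = TreeObject(tree_id="t%d" % (len(trees) + 1), members=[parent, child])
    for member in tree.members:
        member.tags.add(tree.marker)
    trees.append(tree)
    return tree


def attach_to_tree(tree, obj):
    """Add a non-process component (e.g. a written file) to the chain (claim 22)."""
    tree.members.append(obj)
    obj.tags.add(tree.marker)


def effective_tags(obj, trees):
    """Direct tags plus the tags of every tree the object belongs to (claims 20, 23)."""
    tags = set(obj.tags)
    for tree in trees:
        if tree.marker in obj.tags:
            tags |= tree.tags
    return tags


def decide(obj, trees):
    """Toy decision rule: block anything tagged 'malicious', directly or via a tree."""
    return "block" if "malicious" in effective_tags(obj, trees) else "allow"


def demo():
    """Constructed scenario: a downloader spawns a child process that writes a file."""
    event_log, trees = [], []
    downloader = DataObject("process", "downloader.exe",
                            {"untrusted", "from_removable_media", "pid:100"})
    child = DataObject("process", "child.exe", {"trusted_signer"})
    dropped = DataObject("file", "dropped.dll")
    peer_ip = DataObject("ip", "192.0.2.10")  # documentation address, constructed

    tree = record_execution(trees, downloader, child)
    propagate(POLICY, "process_create", downloader, [child, peer_ip], event_log)
    propagate(POLICY, "file_write", child, [dropped], event_log)
    attach_to_tree(tree, dropped)
    tree.tags.add("malicious")  # tag the chain once; every member inherits it
    return {
        "child_tags": child.tags,
        "dropped_tags": dropped.tags,
        "ip_tags": peer_ip.tags,
        "conflicts": event_log,
        "decision_child": decide(child, trees),
        "decision_downloader": decide(downloader, trees),
        "decision_dropped": decide(dropped, trees),
    }
```

Running `demo()` shows the three behaviours the claims separate: the process-create rule copies only `untrusted` and `from_removable_media` to the child (the `pid:100` and tree marker tags stay behind), the IP address receives nothing because the rule names only process targets, and the arrival of `untrusted` on a `trusted_signer` object is logged as a `tag_conflict` event rather than silently overwriting either tag. Tagging the tree once as `malicious` is then enough for the decision function to block the downloader, the child and the dropped file without touching their own tag sets.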
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/169,401 US20150222646A1 (en) | 2014-01-31 | 2014-01-31 | Tagging Security-Relevant System Objects |
EP15743323.6A EP3100202B1 (en) | 2014-01-31 | 2015-01-29 | Tagging security-relevant system objects |
JP2016549102A JP2017512329A (en) | 2014-01-31 | 2015-01-29 | Tag system objects related to security |
CA2935764A CA2935764A1 (en) | 2014-01-31 | 2015-01-29 | Tagging security-relevant system objects |
PCT/US2015/013522 WO2015116819A1 (en) | 2014-01-31 | 2015-01-29 | Tagging security-relevant system objects |
AU2015210929A AU2015210929A1 (en) | 2014-01-31 | 2015-01-29 | Tagging security-relevant system objects |
IL246866A IL246866A0 (en) | 2014-01-31 | 2016-07-20 | Tagging security-relevant system objects |
US15/433,535 US10015199B2 (en) | 2014-01-31 | 2017-02-15 | Processing security-relevant events using tagged trees |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/169,401 US20150222646A1 (en) | 2014-01-31 | 2014-01-31 | Tagging Security-Relevant System Objects |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/433,535 Division US10015199B2 (en) | 2014-01-31 | 2017-02-15 | Processing security-relevant events using tagged trees |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150222646A1 true US20150222646A1 (en) | 2015-08-06 |
Family
ID=53755819
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/169,401 Abandoned US20150222646A1 (en) | 2014-01-31 | 2014-01-31 | Tagging Security-Relevant System Objects |
US15/433,535 Active US10015199B2 (en) | 2014-01-31 | 2017-02-15 | Processing security-relevant events using tagged trees |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/433,535 Active US10015199B2 (en) | 2014-01-31 | 2017-02-15 | Processing security-relevant events using tagged trees |
Country Status (7)
Country | Link |
---|---|
US (2) | US20150222646A1 (en) |
EP (1) | EP3100202B1 (en) |
JP (1) | JP2017512329A (en) |
AU (1) | AU2015210929A1 (en) |
CA (1) | CA2935764A1 (en) |
IL (1) | IL246866A0 (en) |
WO (1) | WO2015116819A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160142424A1 (en) * | 2014-11-19 | 2016-05-19 | Sec.Do Technologies Ltd. | System and method thereof for identifying and responding to security incidents based on preemptive forensics |
US10015199B2 (en) | 2014-01-31 | 2018-07-03 | Crowdstrike, Inc. | Processing security-relevant events using tagged trees |
US10320820B2 (en) | 2016-03-24 | 2019-06-11 | Carbon Black, Inc. | Systems and techniques for guiding a response to a cybersecurity incident |
US10325109B2 (en) * | 2017-09-14 | 2019-06-18 | International Business Machines Corporation | Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network |
CN110383319A (en) * | 2017-01-31 | 2019-10-25 | 益百利信息解决方案公司 | Large scale scale heterogeneous data intake and user's parsing |
US20200034558A1 (en) * | 2016-05-10 | 2020-01-30 | Cyberark Software Ltd. | Application control |
US10594730B1 (en) * | 2015-12-08 | 2020-03-17 | Amazon Technologies, Inc. | Policy tag management |
US10681059B2 (en) | 2016-05-25 | 2020-06-09 | CyberOwl Limited | Relating to the monitoring of network security |
US10943022B2 (en) * | 2018-03-05 | 2021-03-09 | Microsoft Technology Licensing, Llc | System for automatic classification and protection unified to both cloud and on-premise environments |
US11171994B2 (en) * | 2017-09-28 | 2021-11-09 | At&T Intellectual Property I, L.P. | Tag-based security policy creation in a distributed computing environment |
US11386041B1 (en) | 2015-12-08 | 2022-07-12 | Amazon Technologies, Inc. | Policy tag management for data migration |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8880736B2 (en) * | 2009-07-09 | 2014-11-04 | Simon Cooper | Methods and systems for archiving and restoring securely installed applications on a computing device |
CN106330851B (en) * | 2015-07-10 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Mobile terminal security information acquisition and distribution method and device based on cloud service |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5721913A (en) * | 1994-05-05 | 1998-02-24 | Lucent Technologies Inc. | Integrated activity management system |
US20030101357A1 (en) * | 2001-11-29 | 2003-05-29 | Ectel Ltd. | Fraud detection in a distributed telecommunications networks |
US20040049693A1 (en) * | 2002-09-11 | 2004-03-11 | Enterasys Networks, Inc. | Modular system for detecting, filtering and providing notice about attack events associated with network security |
US20060101263A1 (en) * | 2004-11-08 | 2006-05-11 | Microsoft Corporation | System and method of allowing user mode applications with access to file data |
US20060143688A1 (en) * | 2004-10-29 | 2006-06-29 | Core Sdi, Incorporated | Establishing and enforcing security and privacy policies in web-based applications |
US20070113289A1 (en) * | 2004-11-17 | 2007-05-17 | Steven Blumenau | Systems and Methods for Cross-System Digital Asset Tag Propagation |
US7583187B1 (en) * | 2006-07-11 | 2009-09-01 | Mcafee, Inc. | System, method and computer program product for automatically summarizing security events |
US20110107419A1 (en) * | 2009-11-02 | 2011-05-05 | Seth Kelby Vidal | Systems and methods for improved identification and analysis of threats to a computing system |
US8127360B1 (en) * | 2006-06-29 | 2012-02-28 | Symantec Corporation | Method and apparatus for detecting leakage of sensitive information |
US20120063649A1 (en) * | 2010-09-15 | 2012-03-15 | Microsoft Corporation | User-specific attribute customization |
US20120124594A1 (en) * | 2009-07-23 | 2012-05-17 | Nec Corporation | Event processing system, distribution controller, event processing method, distribution control method, and program storage medium |
US20120137375A1 (en) * | 2010-09-20 | 2012-05-31 | Georgia Tech Research Corporation | Security systems and methods to reduce data leaks in enterprise networks |
US8291494B1 (en) * | 2008-07-08 | 2012-10-16 | Mcafee, Inc. | System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object |
US20120304247A1 (en) * | 2011-05-25 | 2012-11-29 | John Badger | System and process for hierarchical tagging with permissions |
US20130051624A1 (en) * | 2011-03-22 | 2013-02-28 | Panasonic Corporation | Moving object detection apparatus and moving object detection method |
US20130332981A1 (en) * | 2012-06-08 | 2013-12-12 | Eric Paris | Method and system for extending selinux policy with enforcement of file name translations |
US20140115010A1 (en) * | 2012-10-18 | 2014-04-24 | Google Inc. | Propagating information through networks |
US20140223555A1 (en) * | 2011-02-10 | 2014-08-07 | Telefonica, S.A. | Method and system for improving security threats detection in communication networks |
Family Cites Families (57)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0944432A (en) * | 1995-05-24 | 1997-02-14 | Fuji Xerox Co Ltd | Information processing method and information processor |
US20020156814A1 (en) * | 1997-01-13 | 2002-10-24 | Ho Bruce K. | Method and apparatus for visual business computing |
DE19747583B4 (en) * | 1997-10-28 | 2006-04-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication system and method |
US6088804A (en) | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
US7418504B2 (en) | 1998-10-30 | 2008-08-26 | Virnetx, Inc. | Agile network protocol for secure communications using secure domain names |
US6925631B2 (en) * | 2000-12-08 | 2005-08-02 | Hewlett-Packard Development Company, L.P. | Method, computer system and computer program product for processing extensible markup language streams |
JP3842573B2 (en) * | 2001-03-30 | 2006-11-08 | 株式会社東芝 | Structured document search method, structured document management apparatus and program |
WO2005058018A2 (en) | 2003-12-16 | 2005-06-30 | Aerulean Plant Identification Systems, Inc. | System and method for plant identification |
JP4327698B2 (en) * | 2004-10-19 | 2009-09-09 | 富士通株式会社 | Network type virus activity detection program, processing method and system |
US7765400B2 (en) | 2004-11-08 | 2010-07-27 | Microsoft Corporation | Aggregation of the knowledge base of antivirus software |
US7765410B2 (en) | 2004-11-08 | 2010-07-27 | Microsoft Corporation | System and method of aggregating the knowledge base of antivirus software applications |
US7698744B2 (en) | 2004-12-03 | 2010-04-13 | Whitecell Software Inc. | Secure system for allowing the execution of authorized computer program code |
US8365293B2 (en) | 2005-01-25 | 2013-01-29 | Redphone Security, Inc. | Securing computer network interactions between entities with authorization assurances |
JP4660264B2 (en) * | 2005-04-22 | 2011-03-30 | 株式会社東芝 | Information processing apparatus and program |
US7874001B2 (en) | 2005-07-15 | 2011-01-18 | Microsoft Corporation | Detecting user-mode rootkits |
US20070094496A1 (en) | 2005-10-25 | 2007-04-26 | Michael Burtscher | System and method for kernel-level pestware management |
US8201243B2 (en) | 2006-04-20 | 2012-06-12 | Webroot Inc. | Backwards researching activity indicative of pestware |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US9111088B2 (en) * | 2006-08-14 | 2015-08-18 | Quantum Security, Inc. | Policy-based physical security system for restricting access to computer resources and data flow through network equipment |
US8321677B2 (en) | 2006-09-21 | 2012-11-27 | Google Inc. | Pre-binding and tight binding of an on-line identity to a digital signature |
GB0620855D0 (en) * | 2006-10-19 | 2006-11-29 | Dovetail Software Corp Ltd | Data processing apparatus and method |
US8181264B2 (en) * | 2007-02-07 | 2012-05-15 | Apple Inc. | Method and apparatus for deferred security analysis |
US8565799B2 (en) | 2007-04-04 | 2013-10-22 | Qualcomm Incorporated | Methods and apparatus for flow data acquisition in a multi-frequency network |
US8918717B2 (en) * | 2007-05-07 | 2014-12-23 | International Business Machines Corporation | Method and sytem for providing collaborative tag sets to assist in the use and navigation of a folksonomy |
US8065728B2 (en) | 2007-09-10 | 2011-11-22 | Wisconsin Alumni Research Foundation | Malware prevention system monitoring kernel events |
US7769767B2 (en) * | 2007-09-27 | 2010-08-03 | Domingo Enterprises, Llc | System and method for filtering content on a mobile device based on contextual tagging |
RU2490814C2 (en) | 2008-02-11 | 2013-08-20 | Долби Лэборетериз Лайсенсинг Корпорейшн | Dynamic dns system for private networks |
US20090216806A1 (en) | 2008-02-24 | 2009-08-27 | Allofme Ltd. | Digital assets internet timeline aggregation and sharing platform |
JP2009266034A (en) | 2008-04-25 | 2009-11-12 | Hitachi Ltd | Information flow control system |
GB0815587D0 (en) | 2008-08-27 | 2008-10-01 | Applied Neural Technologies Ltd | Computer/network security application |
US8401195B2 (en) | 2008-09-22 | 2013-03-19 | Motorola Solutions, Inc. | Method of automatically populating a list of managed secure communications group members |
US8234693B2 (en) | 2008-12-05 | 2012-07-31 | Raytheon Company | Secure document management |
KR20100078081A (en) | 2008-12-30 | 2010-07-08 | (주) 세인트 시큐리티 | System and method for detecting unknown malicious codes by analyzing kernel based system events |
KR101021708B1 (en) | 2009-01-20 | 2011-03-15 | 성균관대학교산학협력단 | Group Key Distribution Method and Server and Client for Implementing the Same |
EP2406749B1 (en) | 2009-03-13 | 2018-06-13 | Assa Abloy Ab | Transfer device for sensitive material such as a cryptographic key |
US9098310B2 (en) * | 2009-10-29 | 2015-08-04 | International Business Machines Corporation | Constructing and deploying patterns of flows |
KR101038048B1 (en) | 2009-12-21 | 2011-06-01 | 한국인터넷진흥원 | Botnet malicious behavior real-time analyzing system |
US8739284B1 (en) * | 2010-01-06 | 2014-05-27 | Symantec Corporation | Systems and methods for blocking and removing internet-traversing malware |
US8621628B2 (en) | 2010-02-25 | 2013-12-31 | Microsoft Corporation | Protecting user mode processes from improper tampering or termination |
US9384112B2 (en) | 2010-07-01 | 2016-07-05 | Logrhythm, Inc. | Log collection, structuring and processing |
KR101329847B1 (en) | 2010-07-26 | 2013-11-14 | 주식회사 팬택 | Portable terminal and method for social network service that use human body communication |
KR20120072266A (en) | 2010-12-23 | 2012-07-03 | 한국전자통신연구원 | Apparatus for controlling security condition of a global network |
US8762298B1 (en) | 2011-01-05 | 2014-06-24 | Narus, Inc. | Machine learning based botnet detection using real-time connectivity graph based traffic features |
US20120246297A1 (en) | 2011-03-25 | 2012-09-27 | Vijaya Shanker | Agent based monitoring for saas it service management |
US8813227B2 (en) | 2011-03-29 | 2014-08-19 | Mcafee, Inc. | System and method for below-operating system regulation and control of self-modifying code |
AU2012236739A1 (en) | 2011-03-28 | 2013-10-03 | Mcafee, Inc. | System and method for virtual machine monitor based anti-malware security |
US8612405B1 (en) * | 2011-09-30 | 2013-12-17 | Emc Corporation | System and method of dynamic data object upgrades |
US9043864B2 (en) * | 2011-09-30 | 2015-05-26 | Oracle International Corporation | Constraint definition for conditional policy attachments |
US8832162B2 (en) * | 2012-03-25 | 2014-09-09 | Think Computer Corporation | Method and system for storing, categorizing and distributing information concerning relationships between data |
US9081960B2 (en) | 2012-04-27 | 2015-07-14 | Ut-Battelle, Llc | Architecture for removable media USB-ARM |
IL219597A0 (en) * | 2012-05-03 | 2012-10-31 | Syndrome X Ltd | Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention |
US9043903B2 (en) * | 2012-06-08 | 2015-05-26 | Crowdstrike, Inc. | Kernel-level security agent |
US9292881B2 (en) | 2012-06-29 | 2016-03-22 | Crowdstrike, Inc. | Social sharing of security information in a group |
US9047463B2 (en) * | 2012-06-29 | 2015-06-02 | Sri International | Method and system for protecting data flow at a mobile device |
US9124637B2 (en) * | 2013-01-18 | 2015-09-01 | Apple Inc. | Data protection for keychain syncing |
US9270659B2 (en) | 2013-11-12 | 2016-02-23 | At&T Intellectual Property I, L.P. | Open connection manager virtualization at system-on-chip |
US20150222646A1 (en) | 2014-01-31 | 2015-08-06 | Crowdstrike, Inc. | Tagging Security-Relevant System Objects |
- 2014
  - 2014-01-31 US US14/169,401 patent/US20150222646A1/en not_active Abandoned
- 2015
  - 2015-01-29 JP JP2016549102A patent/JP2017512329A/en active Pending
  - 2015-01-29 WO PCT/US2015/013522 patent/WO2015116819A1/en active Application Filing
  - 2015-01-29 EP EP15743323.6A patent/EP3100202B1/en active Active
  - 2015-01-29 CA CA2935764A patent/CA2935764A1/en not_active Abandoned
  - 2015-01-29 AU AU2015210929A patent/AU2015210929A1/en not_active Abandoned
- 2016
  - 2016-07-20 IL IL246866A patent/IL246866A0/en unknown
- 2017
  - 2017-02-15 US US15/433,535 patent/US10015199B2/en active Active
Patent Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5721913A (en) * | 1994-05-05 | 1998-02-24 | Lucent Technologies Inc. | Integrated activity management system |
US20030101357A1 (en) * | 2001-11-29 | 2003-05-29 | Ectel Ltd. | Fraud detection in a distributed telecommunications networks |
US20040049693A1 (en) * | 2002-09-11 | 2004-03-11 | Enterasys Networks, Inc. | Modular system for detecting, filtering and providing notice about attack events associated with network security |
US20060143688A1 (en) * | 2004-10-29 | 2006-06-29 | Core Sdi, Incorporated | Establishing and enforcing security and privacy policies in web-based applications |
US20060101263A1 (en) * | 2004-11-08 | 2006-05-11 | Microsoft Corporation | System and method of allowing user mode applications with access to file data |
US20070113289A1 (en) * | 2004-11-17 | 2007-05-17 | Steven Blumenau | Systems and Methods for Cross-System Digital Asset Tag Propagation |
US8127360B1 (en) * | 2006-06-29 | 2012-02-28 | Symantec Corporation | Method and apparatus for detecting leakage of sensitive information |
US7583187B1 (en) * | 2006-07-11 | 2009-09-01 | Mcafee, Inc. | System, method and computer program product for automatically summarizing security events |
US8291494B1 (en) * | 2008-07-08 | 2012-10-16 | Mcafee, Inc. | System, method, and computer program product for detecting unwanted activity associated with an object, based on an attribute associated with the object |
US20120124594A1 (en) * | 2009-07-23 | 2012-05-17 | Nec Corporation | Event processing system, distribution controller, event processing method, distribution control method, and program storage medium |
US20110107419A1 (en) * | 2009-11-02 | 2011-05-05 | Seth Kelby Vidal | Systems and methods for improved identification and analysis of threats to a computing system |
US20120063649A1 (en) * | 2010-09-15 | 2012-03-15 | Microsoft Corporation | User-specific attribute customization |
US20120137375A1 (en) * | 2010-09-20 | 2012-05-31 | Georgia Tech Research Corporation | Security systems and methods to reduce data leaks in enterprise networks |
US20140223555A1 (en) * | 2011-02-10 | 2014-08-07 | Telefonica, S.A. | Method and system for improving security threats detection in communication networks |
US20130051624A1 (en) * | 2011-03-22 | 2013-02-28 | Panasonic Corporation | Moving object detection apparatus and moving object detection method |
US20120304247A1 (en) * | 2011-05-25 | 2012-11-29 | John Badger | System and process for hierarchical tagging with permissions |
US20130332981A1 (en) * | 2012-06-08 | 2013-12-12 | Eric Paris | Method and system for extending selinux policy with enforcement of file name translations |
US20140115010A1 (en) * | 2012-10-18 | 2014-04-24 | Google Inc. | Propagating information through networks |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10015199B2 (en) | 2014-01-31 | 2018-07-03 | Crowdstrike, Inc. | Processing security-relevant events using tagged trees |
US9888031B2 (en) * | 2014-11-19 | 2018-02-06 | Cyber Secdo Ltd. | System and method thereof for identifying and responding to security incidents based on preemptive forensics |
US10270805B2 (en) * | 2014-11-19 | 2019-04-23 | Cyber Secdo Ltd. | System and method thereof for identifying and responding to security incidents based on preemptive forensics |
US20190253437A1 (en) * | 2014-11-19 | 2019-08-15 | Palo Alto Networks | Identifying and responding to security incidents based on preemptive forensics |
US20160142424A1 (en) * | 2014-11-19 | 2016-05-19 | Sec.Do Technologies Ltd. | System and method thereof for identifying and responding to security incidents based on preemptive forensics |
US10652274B2 (en) * | 2014-11-19 | 2020-05-12 | Palo Alto Networks, Inc. | Identifying and responding to security incidents based on preemptive forensics |
US11386041B1 (en) | 2015-12-08 | 2022-07-12 | Amazon Technologies, Inc. | Policy tag management for data migration |
US10594730B1 (en) * | 2015-12-08 | 2020-03-17 | Amazon Technologies, Inc. | Policy tag management |
US10938842B2 (en) | 2016-03-24 | 2021-03-02 | Carbon Black, Inc. | Systems and techniques for guiding a response to a cybersecurity incident |
US10320820B2 (en) | 2016-03-24 | 2019-06-11 | Carbon Black, Inc. | Systems and techniques for guiding a response to a cybersecurity incident |
US11750626B2 (en) | 2016-03-24 | 2023-09-05 | Carbon Black, Inc. | Systems and techniques for guiding a response to a cybersecurity incident |
US20200034558A1 (en) * | 2016-05-10 | 2020-01-30 | Cyberark Software Ltd. | Application control |
US10929568B2 (en) * | 2016-05-10 | 2021-02-23 | Cyberark Software Ltd. | Application control |
US10681059B2 (en) | 2016-05-25 | 2020-06-09 | CyberOwl Limited | Relating to the monitoring of network security |
CN110383319A (en) * | 2017-01-31 | 2019-10-25 | 益百利信息解决方案公司 | Large scale scale heterogeneous data intake and user's parsing |
US10325109B2 (en) * | 2017-09-14 | 2019-06-18 | International Business Machines Corporation | Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network |
US11171994B2 (en) * | 2017-09-28 | 2021-11-09 | At&T Intellectual Property I, L.P. | Tag-based security policy creation in a distributed computing environment |
US10943022B2 (en) * | 2018-03-05 | 2021-03-09 | Microsoft Technology Licensing, Llc | System for automatic classification and protection unified to both cloud and on-premise environments |
Also Published As
Publication number | Publication date |
---|---|
WO2015116819A1 (en) | 2015-08-06 |
EP3100202B1 (en) | 2020-05-06 |
EP3100202A4 (en) | 2017-10-04 |
US10015199B2 (en) | 2018-07-03 |
JP2017512329A (en) | 2017-05-18 |
AU2015210929A1 (en) | 2016-07-14 |
EP3100202A1 (en) | 2016-12-07 |
IL246866A0 (en) | 2016-08-31 |
CA2935764A1 (en) | 2015-08-06 |
US20170163686A1 (en) | 2017-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10015199B2 (en) | Processing security-relevant events using tagged trees | |
US11928631B2 (en) | Threat detection with business impact scoring | |
US11636206B2 (en) | Deferred malware scanning | |
US9832216B2 (en) | System and method for network data characterization | |
US9798882B2 (en) | Real-time model of states of monitored devices | |
US10216934B2 (en) | Inferential exploit attempt detection | |
US20230328076A1 (en) | Distributed digital security system | |
US11645397B2 (en) | Distributed digital security system | |
US11711379B2 (en) | Distributed digital security system | |
US20230164151A1 (en) | Distributed digital security system | |
US11861019B2 (en) | Distributed digital security system | |
US10630715B1 (en) | Methods and system for characterizing infrastructure security-related events | |
WO2021016517A1 (en) | Methods and system for identifying infrastructure attack progressions | |
US11397808B1 (en) | Attack detection based on graph edge context | |
US20230229717A1 (en) | Optimized real-time streaming graph queries in a distributed digital security system | |
Vähäkainu et al. | Use of artificial intelligence in a cybersecurity environment | |
Carvallo et al. | A Study of Threat Detection Systems and Techniques in the Cloud |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: CROWDSTRIKE, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DIEHL, DAVID F.;LAMOTHE-BRASSARD, MAXIME;SIGNING DATES FROM 20140127 TO 20140130;REEL/FRAME:032104/0348 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| AS | Assignment | Owner name: SILICON VALLEY BANK, CALIFORNIA. Free format text: SECURITY INTEREST;ASSIGNOR:CROWDSTRIKE, INC.;REEL/FRAME:043300/0283 Effective date: 20170301 |