Abstract: Information associated with a process is received. At least a portion of the received information is used to modify a Process Tree. Modifying the Process Tree includes at least one of: (1) adding a Tag to the Process Tree and (2) modifying a Tag in the Process Tree. An Alert is generated based at least in part in response to determining that a Strategy has been matched.

Abstract: Detection strategies for a node are selected and deployed based on the amount of data collection that is associated with various modes of telemetry available to the node.

Abstract: Monitoring is performed for the activation of a set of one or more previously attached Kprobes. A determination is made that a strategy pattern match has occurred. The strategy pattern comprises a set of one or more behaviors including the activation of the at least one Kprobe included in the set of Kprobes. A remedial action is taken in response to the determination. Examples of such remedial actions include generating an alert and terminating a network connection.

Abstract: Information associated with a process is received. At least a portion of the received information is used to modify a Process Tree. Modifying the Process Tree includes at least one of: (1) adding a Tag to the Process Tree and (2) modifying a Tag in the Process Tree. An Alert is generated based at least in part in response to determining that a Strategy has been matched.

Abstract: Telemetry associated with an Exec( ) Event denoting that a program has been invoked via a process is received. A determination is made that the process is a shell. Subsequent to determining that the invoked program is a shell, additional information comprising information that the program has attempted to obtain terminal information is received. Based at least in part on the received additional information, a determination is made that the program is an interactive shell. An action is taken in response to the determination that the program is an interactive shell.

Abstract: A kernel is monitored for occurrence of a set of Kprobes. A determination is made that a Strategy that makes use of at least one Kprobe included in the set of Kprobes has been matched. A remedial action is taken in response to the determination. Examples of such remedial actions include generating an alert and terminating a network connection.

Abstract: Telemetry associated with a system call denoting that a program has been invoked via a process is received. A determination is made that the invoked process is a shell. Subsequent to determining that the invoked program is a shell, additional information comprising at least one of a determination that the program has attempted to obtain terminal information, and keystroke timing information is received. Based at least in part on the received additional information, a determination is made that the program is an interactive shell. In response to determining that the program is an interactive shell, an action is taken.

Abstract: Information associated with a process is received. At least a portion of the received information is used to modify a Process Tree. Modifying the Process Tree includes at least one of: (1) adding a Tag to the Process Tree and (2) modifying a Tag in the Process Tree. An Alert is generated based at least in part in response to determining that a Strategy has been matched.