Patents by Inventor Cory-Khoi Quang Nguyen
Cory-Khoi Quang Nguyen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11899786
Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.
Type: Grant
Filed: July 10, 2019
Date of Patent: February 13, 2024
Assignee: CrowdStrike, Inc.
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, William Leon Charles Pauley
-
Patent number: 11392689
Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
Type: Grant
Filed: March 28, 2019
Date of Patent: July 19, 2022
Assignee: CrowdStrike, Inc.
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
-
Patent number: 11258805
Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
Type: Grant
Filed: March 28, 2019
Date of Patent: February 22, 2022
Assignee: CrowdStrike, Inc.
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
-
Patent number: 11062024
Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.
Type: Grant
Filed: November 15, 2018
Date of Patent: July 13, 2021
Assignee: CrowdStrike, Inc.
Inventors: Cory-Khoi Quang Nguyen, John Lee
-
Publication number: 20200327225
Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.
Type: Application
Filed: July 10, 2019
Publication date: October 15, 2020
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, William Leon Charles Pauley
-
Publication number: 20200314117
Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
Type: Application
Filed: March 28, 2019
Publication date: October 1, 2020
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
-
Publication number: 20200311262
Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
Type: Application
Filed: March 28, 2019
Publication date: October 1, 2020
Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
-
Publication number: 20200159916
Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.
Type: Application
Filed: November 15, 2018
Publication date: May 21, 2020
Inventors: Cory-Khoi Quang Nguyen, John Lee
-
Publication number: 20190266323
Abstract: A security service system and method for using a process-based ancestry relationship as a pattern for identifying a suspicious activity, such as a possible malicious attack or malware, are described herein. The security service system identifies a trigger command in a process running on a monitored computing device, identifies an ancestry command associated with the trigger command, determines an ancestry level of the ancestry command, and, upon determining that the ancestry level of the ancestry command is different from an expected ancestry level of the ancestry command for the trigger command, identifies a pattern based on the trigger command, the ancestry command, and the ancestry level of the ancestry command.
Type: Application
Filed: October 23, 2018
Publication date: August 29, 2019
Inventors: Cory-Khoi Quang Nguyen, Brody Nisbet, John Lee