Patents by Inventor David F. Diehl
David F. Diehl has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11907370
  Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.
  Type: Grant
  Filed: September 11, 2020
  Date of Patent: February 20, 2024
  Assignee: CROWDSTRIKE, INC.
  Inventors: David F. Diehl, Daniel W. Brown, Aaron Javan Marks, Kirby J. Koster, Daniel T. Martin
- Publication number: 20240028717
  Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
  Type: Application
  Filed: October 3, 2023
  Publication date: January 25, 2024
  Inventors: Adam S. Meyers, David F. Diehl, Dmitri Alperovitch, George Robert Kurtz, Sven Krasser
- Patent number: 11861019
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: January 2, 2024
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, Nikita Kalashnikov
- Patent number: 11809555
  Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
  Type: Grant
  Filed: May 27, 2020
  Date of Patent: November 7, 2023
  Assignee: CrowdStrike, Inc.
  Inventors: Adam S. Meyers, Dmitri Alperovitch, George Robert Kurtz, David F. Diehl, Sven Krasser
- Publication number: 20230328076
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: March 2, 2023
  Publication date: October 12, 2023
  Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
- Publication number: 20230328082
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: June 13, 2023
  Publication date: October 12, 2023
  Inventors: David F. Diehl, Thomas Johann Essebier
- Publication number: 20230297690
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 12, 2023
  Publication date: September 21, 2023
  Inventors: David F. Diehl, James Robert Plush, Timothy Jason Berger
- Patent number: 11711379
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: July 25, 2023
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, Thomas Johann Essebier
- Patent number: 11645397
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: May 9, 2023
  Assignee: Crowd Strike, Inc.
  Inventors: David F. Diehl, James Robert Plush, Timothy Jason Berger
- Patent number: 11616790
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: March 28, 2023
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
- Patent number: 11563756
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 15, 2020
  Date of Patent: January 24, 2023
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
- Publication number: 20210329013
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 21, 2021
  Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
- Publication number: 20210329014
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 21, 2021
  Inventors: David F. Diehl, Thomas Johann Essebier
- Publication number: 20210326453
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 21, 2021
  Inventors: David F. Diehl, Nikita Kalashnikov
- Publication number: 20210329012
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 21, 2021
  Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
- Publication number: 20210326452
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Application
  Filed: April 15, 2020
  Publication date: October 21, 2021
  Inventors: David F. Diehl, James Robert Plush, Timothy Jason Berger
- Patent number: 11063966
  Abstract: Example techniques herein search a graph data structure and retrieve data associated with a result node or edge. The graph can include nodes and edges between them. A control unit can produce a discrete finite automaton (DFA) based on a query. The control unit can traverse the DFA in conjunction with the graph, from an initial DFA state and an entry-point graph node, to reach a result graph node associated with a DFA triggering state. Traversal can include, e.g., unwinding upon reaching a terminal state of the DFA. Some examples can determine a schema of output data. Some examples can store information associated with nodes while traversing, and discard the information when unwinding traversal. Some examples can process queries including edge types not members of a set of edge types associated with a graph. Some examples can apply traversal-limiting instructions specified in a query.
  Type: Grant
  Filed: May 15, 2018
  Date of Patent: July 13, 2021
  Assignee: CrowdStrike, Inc.
  Inventors: Daniel W. Brown, David F. Diehl
- Patent number: 10983995
  Abstract: Example techniques herein search a graph data structure and retrieve data associated with a result node or edge. The graph can include nodes representing, e.g., processes or files, and edges between the nodes. A control unit can produce a discrete finite automaton (DFA) based on a query. The control unit can traverse the DFA in conjunction with the graph, beginning at an initial state of the DFA and an entry-point node of the graph, to reach a result node of the graph associated with a triggering state of the DFA. Traversal can include unwinding upon reaching a terminal state of the DFA, in some examples. The control unit can retrieve data associated with the result node or an edge connected thereto, and can provide the data via a communications interface. A data-retrieval system can communicate with a data-storage system via the communications interface, in some examples.
  Type: Grant
  Filed: June 15, 2017
  Date of Patent: April 20, 2021
  Assignee: Crowdstrike, Inc.
  Inventors: Daniel W. Brown, David F. Diehl
- Publication number: 20200410099
  Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.
  Type: Application
  Filed: September 11, 2020
  Publication date: December 31, 2020
  Inventors: David F. Diehl, Daniel W. Brown, Aaron Javan Marks, Kirby J. Koster, Daniel T. Martin
- Patent number: 10853491
  Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
  Type: Grant
  Filed: June 13, 2018
  Date of Patent: December 1, 2020
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz