Patents by Inventor Ion-Alexandru Ionescu
Ion-Alexandru Ionescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20170213031Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: ApplicationFiled: April 10, 2017Publication date: July 27, 2017Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20170109530Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: ApplicationFiled: December 29, 2016Publication date: April 20, 2017Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Patent number: 9621515Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: GrantFiled: May 12, 2015Date of Patent: April 11, 2017Assignee: CrowdStrike, Inc.Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20170061127Abstract: Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.Type: ApplicationFiled: July 28, 2015Publication date: March 2, 2017Inventor: Ion-Alexandru Ionescu
-
Patent number: 9571453Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: GrantFiled: December 24, 2013Date of Patent: February 14, 2017Assignee: CrowdStrike, Inc.Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20170039367Abstract: Techniques are described herein for loading a user-mode component of a security agent based on an asynchronous procedure call (APC) built by a kernel-mode component of the security agent. The APC is executed while a process loads, causing the process to load the user-mode component. The user-mode component then identifies slack space of the process, stores instructions in the slack space, and hooks function(s) of the process, including modifying instruction(s) of the function(s) to call the instructions stored in the slack space. When those modified instruction(s) call the stored instructions, the stored instructions invoke the user-mode component, which receives data from the hooked function(s). Also, the security agent may bypass a control-flow protection mechanism of the operating system by setting a pointer of the control-flow protection mechanism to point to an alternate verification function.Type: ApplicationFiled: March 22, 2016Publication date: February 9, 2017Inventors: Ion-Alexandru Ionescu, Loren C. Robinson
-
Publication number: 20170039366Abstract: Techniques are described herein for loading a user-mode component associated with a kernel-mode component based on an asynchronous procedure call (APC) built by the kernel-mode component. The APC is provided to the main thread of a user-mode process while that user-mode process loads, causing the user-mode process to load the user-mode component. The APC also causes allocation of memory at a location adjacent to that of the user-mode process and stores instructions at the allocated memory. The user-mode component then atomically hooks function(s) of the user-mode process, including modifying a single instruction or set of instructions of the function(s) to jump to the allocated memory. When that modified instruction is executed and jumps to the allocated memory, the instructions at the allocated memory request loading of the user-mode component, which receives data from the hooked function. The user-mode component then provides that data to the kernel-mode component.Type: ApplicationFiled: August 5, 2015Publication date: February 9, 2017Inventors: Ion-Alexandru Ionescu, Loren C. Robinson
-
Publication number: 20160170740Abstract: Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.Type: ApplicationFiled: February 23, 2016Publication date: June 16, 2016Inventor: Ion-Alexandru Ionescu
-
Patent number: 9158914Abstract: Techniques for causing a component loader associated with a hotpatch mechanism to execute a user-mode component which, when executed, creates a user-mode process, thread, or held reference are described herein. The component may further indicate to the component loader that it lacks hotpatch data, causing the component loader to unload the component. In some implementations, a kernel-mode module may initially provide the component to the hotpatch mechanism with an entrypoint of the component set to zero and with hotpatch data for the component loader. The hotpatch mechanism may apply the hotpatch data, modifying the component loader such that the component loader requests execute rights for a section object for the component. The kernel-mode module may then set the entrypoint such that the component becomes executable, and provides the section object and component to the hotpatch mechanism to cause the component loader to execute the component.Type: GrantFiled: April 19, 2013Date of Patent: October 13, 2015Assignee: CrowdStrike, Inc.Inventor: Ion-Alexandru Ionescu
-
Publication number: 20150268947Abstract: Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.Type: ApplicationFiled: March 20, 2014Publication date: September 24, 2015Applicant: CrowdStrike, Inc.Inventor: Ion-Alexandru Ionescu
-
Publication number: 20150244679Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: ApplicationFiled: May 12, 2015Publication date: August 27, 2015Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20150163109Abstract: A service proxy is described herein. The service proxy is configured to act as an intermediary between a client and a service. The service proxy may observe communications, modify communications, log communications, or the like, particularly so as to enhance the security and reliability of the host device. In some implementations, the service proxy may cooperate with an operating system to take over a named port object. In some implementations, the service proxy may receive messages as an intermediary between the client and the server. In some implementations, the service proxy may attach to a shared memory to intercept communications. In some implementations, the service proxy may be injected into a client process to appear to be the client itself.Type: ApplicationFiled: December 5, 2013Publication date: June 11, 2015Applicant: CrowdStrike, Inc.Inventor: Ion-Alexandru Ionescu
-
Patent number: 9043903Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: GrantFiled: June 8, 2012Date of Patent: May 26, 2015Assignee: CrowdStrike, Inc.Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20140317731Abstract: Techniques for causing a component loader associated with a hotpatch mechanism to execute a user-mode component which, when executed, creates a user-mode process, thread, or held reference are described herein. The component may further indicate to the component loader that it lacks hotpatch data, causing the component loader to unload the component. In some implementations, a kernel-mode module may initially provide the component to the hotpatch mechanism with an entrypoint of the component set to zero and with hotpatch data for the component loader. The hotpatch mechanism may apply the hotpatch data, modifying the component loader such that the component loader requests execute rights for a section object for the component. The kernel-mode module may then set the entrypoint such that the component becomes executable, and provides the section object and component to the hotpatch mechanism to cause the component loader to execute the component.Type: ApplicationFiled: April 19, 2013Publication date: October 23, 2014Applicant: CrowdStrike, Inc.Inventor: Ion-Alexandru Ionescu
-
Publication number: 20140109226Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: ApplicationFiled: December 24, 2013Publication date: April 17, 2014Applicant: CrowdStrike, Inc.Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
-
Publication number: 20130333040Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.Type: ApplicationFiled: June 8, 2012Publication date: December 12, 2013Applicant: CROWDSTRIKE, INC.Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz