Title Malicious Software Identification Integrating Behavioral Analytics and Hardware Events
Abstract A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.
Publication number US2015281267(A1) Publication date 2015.10.01
Application number US201514670721 Filing date 2015.03.27
Applicant CYLENT Systems, Inc. Inventors Danahy John J.;Berg Ryan J.;Swidowski Kirk R.;Carlucci Stephen C.
Classification H04L29/06;G06F21/56 Main classification H04L29/06
Agency  Agent
Main claim 1. A security system for securing and responding to security threats in a computer having a Central Processing Unit (CPU), a Kernel/Operating System, and a plurality of software applications, the system including:
    a low-level data collector module, implemented with a processor, configured to intermediate a predetermined selection of first tier calls between the CPU and the Kernel/Operating System, and to store identifying information pertaining to the intermediated first tier calls (first tier call IDs) in a data store;
    a kernel module, implemented with a processor, configured to intermediate a predetermined selection of second tier calls between the Kernel/Operating System and the applications, and to store identifying information pertaining to the intermediated second tier calls (second tier call IDs) in the data store;
    an Analytic Engine, implemented with a processor, configured to aggregate and map the stored first tier call IDs and second tier call IDs to a rulebase, to generate a threat analysis, the rulebase including patterns of first tier call IDs and second tier call IDs associated with identifiable security threats;
    the Analytic Engine being configured to selectively enlarge or contract the predetermined selection of first tier calls and the predetermined selection of second tier calls to respectively increase or decrease specificity of said threat analysis;
    the Analytic Engine being further configured to implement one or more of a plurality of responsive actions in response to said threat analysis; and
    a Management Module, implemented with a processor, communicably coupled to the rulebase, the low-level data collector module, the Kernel module and the Analytic Engine, the Management Module configured to generate a plurality of user interfaces accessible by a user computer communicably couplable to the system, the user interfaces configured to enable a user to update the rulebase and configure the low-level collector module, the Kernel module, and the Analytic Engine.
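The abstract and claim above describe an architecture rather than an implementation. The following Python model is an added illustration of that architecture, not code from CYLENT Systems or from the patent: two collectors store only the call IDs in the engine's current selection, the Analytic Engine maps the stored first tier (CPU/kernel boundary) and second tier (application/kernel boundary) IDs onto rulebase patterns, widens the selection when a pattern partially matches, contracts it back to the baseline when nothing matches, and picks a responsive action by match score. Every rule name, call ID, process ID and event in the sample stream is constructed for the example.

```python
"""Hypothetical model of two-tier call collection with an adaptive selection.
All rule names, call IDs and sample events below are constructed."""
import copy
from collections import defaultdict

# Constructed rulebase: each pattern names the tier1 (hardware event) and
# tier2 (system call) IDs whose joint presence indicates a threat.
RULEBASE = {
    "suspected_code_injection": {
        "tier1": {"hw_exec_page_fault", "hw_branch_misprediction_burst"},
        "tier2": {"sys_mprotect_exec", "sys_ptrace_attach"},
    },
    "suspected_memory_scraping": {
        "tier1": {"hw_exec_page_fault"},
        "tier2": {"sys_process_vm_readv", "sys_open_credential_store"},
    },
}

# Low-cost default: only a few IDs per tier are intercepted until a partial
# match justifies widening the net (assumed, not from the patent).
BASELINE_SELECTION = {
    "tier1": {"hw_exec_page_fault"},
    "tier2": {"sys_mprotect_exec", "sys_process_vm_readv"},
}


class DataStore:
    """Per-process record of the call IDs the collectors have stored."""

    def __init__(self):
        self.calls = defaultdict(lambda: {"tier1": set(), "tier2": set()})

    def record(self, pid, tier, call_id):
        self.calls[pid][tier].add(call_id)


class Collector:
    """Stands in for the low-level collector (tier1) or kernel module (tier2).
    Only IDs in the engine's current selection are stored, so the selection
    controls both collection cost and the specificity of later analysis."""

    def __init__(self, tier, engine, store):
        self.tier, self.engine, self.store = tier, engine, store

    def intercept(self, pid, call_id):
        if call_id in self.engine.selection[self.tier]:
            self.store.record(pid, self.tier, call_id)


class AnalyticEngine:
    def __init__(self, rulebase, baseline):
        self.rulebase = rulebase
        self.baseline = copy.deepcopy(baseline)
        self.selection = copy.deepcopy(baseline)

    def analyze(self, store, pid):
        """Map the stored IDs of one process onto every rule; the score is the
        fraction of the rule's pattern that is present (1.0 = full match)."""
        seen, analysis = store.calls[pid], {}
        for name, pat in self.rulebase.items():
            required = pat["tier1"] | pat["tier2"]
            matched = (seen["tier1"] & pat["tier1"]) | (seen["tier2"] & pat["tier2"])
            analysis[name] = len(matched) / len(required)
        return analysis

    def adjust_selection(self, store):
        """Enlarge the selection to cover every rule that partially matched for
        any process; contract back to the baseline when nothing matched."""
        active = {name for pid in list(store.calls)
                  for name, score in self.analyze(store, pid).items() if score > 0}
        if not active:
            self.selection = copy.deepcopy(self.baseline)
            return
        for name in active:
            for tier in ("tier1", "tier2"):
                self.selection[tier] |= self.rulebase[name][tier]

    def respond(self, analysis, threshold=1.0):
        """A full pattern match escalates beyond alerting (assumed policy)."""
        actions = []
        for name, score in analysis.items():
            if score >= threshold:
                actions.append(("isolate_process", name))
            elif score > 0:
                actions.append(("alert", name))
        return actions


# Constructed event stream: (pid, tier, call_id). pid 7's event is outside
# the baseline selection, so it is never stored; pid 4242 first trips a
# baseline ID, which widens the selection so the rest of its pattern is seen.
SAMPLE_EVENTS = [
    (7, "tier2", "sys_open_credential_store"),
    (4242, "tier2", "sys_mprotect_exec"),
    (4242, "tier2", "sys_ptrace_attach"),
    (4242, "tier1", "hw_exec_page_fault"),
    (4242, "tier1", "hw_branch_misprediction_burst"),
]


def run_scenario(events):
    """Feed events through both collectors, re-tuning the selection after each
    one. Returns ({pid: (analysis, actions)}, engine)."""
    store, engine = DataStore(), AnalyticEngine(RULEBASE, BASELINE_SELECTION)
    collectors = {t: Collector(t, engine, store) for t in ("tier1", "tier2")}
    for pid, tier, call_id in events:
        collectors[tier].intercept(pid, call_id)
        engine.adjust_selection(store)
    results = {}
    for pid in {e[0] for e in events}:
        analysis = engine.analyze(store, pid)
        results[pid] = (analysis, engine.respond(analysis))
    return results, engine


if __name__ == "__main__":
    results, engine = run_scenario(SAMPLE_EVENTS)
    for pid, (analysis, actions) in sorted(results.items()):
        print(pid, analysis, actions)
    print("final selection:", engine.selection)
```

The order of events matters in this model: the first recorded ID for pid 4242 is in the baseline, so the selection is widened before the remaining IDs arrive. Had the hardware events preceded the system calls, the branch-misprediction burst would have been dropped by the baseline collector and the rule would never reach a full match, which is the trade-off the patent's enlarge/contract mechanism is meant to manage.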
Address Boston MA US