(11)EP 3 726 409 A3

(12)EUROPEAN PATENT APPLICATION

(88)Date of publication A3:
30.12.2020 Bulletin 2020/53

(43)Date of publication A2:
21.10.2020 Bulletin 2020/43

(21)Application number: 20168851.2

(22)Date of filing: 08.04.2020

(51)International Patent Classification (IPC):
G06F 21/55(2013.01)
G06K 9/68(2006.01)
G06F 40/274(2020.01)
G06K 9/62(2006.01)
G06F 3/023(2006.01)

(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30)Priority: 15.04.2019 US 201962834056 P
10.07.2019 US 201916507194

(71)Applicant: CrowdStrike, Inc.
Irvine CA 92618 (US)

(72)Inventors:
  • Nguyen, Cory-Khoi Quang
    Irvine, CA California 92618 (US)
  • Bradley, Jaron Michael
    Irvine, CA California 92618 (US)
  • PAULEY, William Leon Charles
    Irvine, CA California 92618 (US)

(74)Representative: Hanna Moore + Curley 
Garryard House 25-26 Earlsfort Terrace
Dublin 2, D02 PX51 (IE)

  


(54)DETECTING SECURITY-VIOLATION-ASSOCIATED EVENT DATA


(57) An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.







Search report