Dmitri Alperovitch - Gaithersburg MD, US Sven Krasser - Atlanta GA, US Phyllis Adele Schneck - Reston VA, US Jonathan Torrez - Villa Rica GA, US
Assignee:
McAfee, Inc. - Santa Clara CA
International Classification:
G06F 15/173
US Classification:
709224, 709217, 709229
Abstract:
Methods, systems and apparatus, including computer programs encoded on a computer storage medium, for receiving, at a global server system, from each of a plurality of local network devices, network data specifying network communication activity at the local network device, wherein the plurality of local network devices collectively provide backbone communications facilities for multiple networks; aggregating, at the global server system, the network data from each of the local network devices; analyzing, at the global server system, the aggregated network data to identify network activities; generating, at the global server system, update data based on the analysis of the aggregated network data, the update data including instructions for the local network devices for processing network communications to or from the local network devices; and transmitting from the global server system the update data to the local network devices.
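The aggregation and update loop in the abstract above, as an added example; this is not McAfee's implementation, and the report format, thresholds, device names and addresses are constructed for the illustration. Each local device reports per-source counters, the global server merges them, flags sources that spread across several independent devices, and emits per-device instructions.

```python
"""Aggregate per-device network telemetry at a global server and turn the
analysis into per-device update instructions.

Added illustration of the scheme in the abstract; not McAfee's code. The
report shape, thresholds, device names and addresses are constructed.
"""
from collections import defaultdict

# A local device reports rows of (src_ip, dst_port, packet_count) for one
# reporting window (assumed format).
REPORTS = {  # constructed telemetry from four backbone devices
    "edge-1": [("198.51.100.20", 22, 300), ("192.0.2.1", 443, 10), ("203.0.113.7", 80, 2000)],
    "edge-2": [("198.51.100.20", 22, 250), ("192.0.2.1", 443, 10)],
    "edge-3": [("198.51.100.20", 3389, 100), ("192.0.2.1", 443, 10)],
    "edge-4": [("192.0.2.50", 53, 40)],
}

def aggregate(reports):
    """Merge all device reports into per-source totals and the set of
    devices that observed each source."""
    totals = defaultdict(int)
    seen_on = defaultdict(set)
    for device_id, rows in reports.items():
        for src, _port, count in rows:
            totals[src] += count
            seen_on[src].add(device_id)
    return totals, seen_on

def analyze(totals, seen_on, min_devices=3, min_total=500):
    """Flag sources that hit several independent devices with enough volume.
    A single-device burst, however large, is left to that device's own
    controls; the global view adds value for spread (assumed heuristic)."""
    return sorted(src for src in totals
                  if len(seen_on[src]) >= min_devices and totals[src] >= min_total)

def build_updates(flagged, reports, action="rate_limit"):
    """Per-device instructions: a rule is pushed only to devices that saw the
    source, so quiet devices are not loaded with unused rules."""
    updates = {device_id: [] for device_id in reports}
    for src in flagged:
        for device_id, rows in reports.items():
            if any(row[0] == src for row in rows):
                updates[device_id].append({"match": {"src": src}, "action": action})
    return updates

def run(reports=REPORTS):
    totals, seen_on = aggregate(reports)
    flagged = analyze(totals, seen_on)
    return flagged, build_updates(flagged, reports)

if __name__ == "__main__":
    flagged, updates = run()
    print("flagged:", flagged)
    for device_id, rules in updates.items():
        print(device_id, rules)
```

With the constructed reports, only 198.51.100.20 is flagged: 203.0.113.7 sends more packets but is seen by a single device, and 192.0.2.1 is widespread but low-volume.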
Adjusting Filter Or Classification Control Settings
Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk.
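The scoring pipeline described above, as an added example rather than McAfee's code: a set of tests is applied to a message, the outcomes determine an activity type, each risk of that activity is weighted by the organisation's tolerance for it, and the message is delivered only if the total stays within the acceptable maximum. The tests, activity types, severities, tolerances, threshold and sample messages are all assumptions.

```python
"""Risk-scored delivery decision for a message, following the steps in the
abstract: run tests, infer the sender activity type, sum the activity's
risks weighted by tolerance, compare against the acceptable maximum.

Added illustration, not McAfee's code. Tests, activity types, severities,
tolerances, the threshold and the sample messages are all assumptions.
"""
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    sender_reputation: float = 0.5   # 0 = known bad .. 1 = known good (assumed)

# --- tests: each returns True when the message shows the property ---------
def credential_lure(m):
    return any(p in m.body.lower() for p in ("verify your account", "reset your password"))

def executable_attachment(m):
    return any(a.lower().endswith((".exe", ".scr", ".js")) for a in m.attachments)

def unknown_sender(m):
    return m.sender_reputation < 0.3

def bulk_markers(m):
    return "unsubscribe" in m.body.lower()

TESTS = {f.__name__: f for f in (credential_lure, executable_attachment, unknown_sender, bulk_markers)}

def classify_activity(results):
    """Map the pattern of test outcomes to one activity type (assumed rules;
    order matters, most damaging first)."""
    if results["executable_attachment"] and results["unknown_sender"]:
        return "malware_delivery"
    if results["credential_lure"]:
        return "phishing"
    if results["bulk_markers"]:
        return "bulk_mail"
    return "routine"

# Risks carried by each activity type, severity 0..10 (assumed).
ACTIVITY_RISKS = {
    "malware_delivery": {"malware_infection": 9, "data_loss": 7},
    "phishing":         {"credential_theft": 8, "data_loss": 5},
    "bulk_mail":        {"productivity_loss": 3},
    "routine":          {},
}

# Tolerance per risk, 0 = none, 1 = fully tolerant (assumed policy). A risk
# the organisation tolerates contributes little to the total.
TOLERANCE = {"malware_infection": 0.0, "credential_theft": 0.1,
             "data_loss": 0.2, "productivity_loss": 0.8}

MAX_ACCEPTABLE_RISK = 6.0

def total_risk(activity, tolerance=TOLERANCE):
    return sum(sev * (1.0 - tolerance.get(risk, 0.0))
               for risk, sev in ACTIVITY_RISKS[activity].items())

def evaluate(msg, max_risk=MAX_ACCEPTABLE_RISK, tolerance=TOLERANCE):
    results = {name: test(msg) for name, test in TESTS.items()}
    activity = classify_activity(results)
    risk = total_risk(activity, tolerance)
    return {"activity": activity, "risk": round(risk, 2), "deliver": risk <= max_risk}

SAMPLES = [  # constructed messages
    Message("deals@shop.example", "Weekly deals", "Click here to unsubscribe.", [], 0.7),
    Message("helpdesk@mail.example", "Action required", "Please verify your account today.", [], 0.2),
    Message("acct@free.example", "Invoice", "See attached.", ["invoice.exe"], 0.1),
    Message("alice@corp.example", "Lunch?", "Grab lunch today?", [], 0.9),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, evaluate(m))
```

Tolerance is what makes this different from a flat spam score: the same bulk-mail message is delivered under the default policy (productivity loss is tolerated) but blocked under a policy that tolerates nothing and caps total risk low.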
Dmitri Alperovitch - Gaithersburg MD, US George Robert Kurtz - Ladera Ranch CA, US David F. Diehl - Minneapolis MN, US Sven Krasser - Pasadena CA, US Adam S. Meyers - Washington DC, US
Assignee:
CROWDSTRIKE, INC. - Laguna Niguel CA
International Classification:
G06F 21/00
US Classification:
726 3
Abstract:
Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
- Irvine CA, US Dmitri Alperovitch - Gaithersburg MD, US Amol Kulkarni - Bothell WA, US Jan Miller - Hamburg, DE Daniel Radu - Bucharest, RO
International Classification:
G06F 21/56
Abstract:
A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records.
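The corpus-search half of the abstract above, as an added example that is not CrowdStrike's code: event records from one detonation are normalised to strip per-run noise, records that appear in most corpus samples are discarded as sandbox background, and the remaining behaviour is compared against each corpus sample by set overlap. The record shape, normalisation rules, background threshold and all sandbox output are constructed for the illustration.

```python
"""Locate related malware samples in a corpus from the event records of one
detonation. Added illustration, not CrowdStrike's code. The event-record
shape, normalisation rules, background threshold and all sandbox output
are constructed for the example.
"""
import re

# An event record is (event_type, target) as a sandbox might emit it (assumed).
def normalize(record):
    """Collapse per-run noise (user profile, temp file name, ephemeral port)
    so two detonations of one family produce comparable records."""
    etype, target = record
    t = target.lower()
    t = re.sub(r"c:\\users\\[^\\]+", r"c:\\users\\<user>", t)
    t = re.sub(r"\\temp\\[^\\]+", r"\\temp\\<tmp>", t)
    t = re.sub(r":\d+$", ":<port>", t)
    return (etype, t)

def background_events(corpus, max_fraction=0.5):
    """Records present in more than max_fraction of corpus samples are
    sandbox background, not family behaviour, and are ignored."""
    counts = {}
    for events in corpus.values():
        for rec in {normalize(e) for e in events}:
            counts[rec] = counts.get(rec, 0) + 1
    return {rec for rec, c in counts.items() if c / len(corpus) > max_fraction}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def locate_related(reference_events, corpus, threshold=0.5):
    """Return (sample_id, similarity) for corpus samples whose behaviour
    overlaps the reference detonation, best match first."""
    noise = background_events(corpus)
    ref = {normalize(e) for e in reference_events} - noise
    hits = []
    for sample_id, events in corpus.items():
        cand = {normalize(e) for e in events} - noise
        score = jaccard(ref, cand)
        if score >= threshold:
            hits.append((sample_id, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

CORPUS = {  # constructed sandbox output for three corpus samples
    "sample_A": [("process_create", "C:\\Windows\\System32\\svchost.exe"),
                 ("file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
                 ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
                 ("dns_query", "cdn-update.example"),
                 ("tcp_connect", "203.0.113.10:443")],
    "sample_B": [("process_create", "C:\\Windows\\System32\\svchost.exe"),
                 ("file_write", "C:\\Users\\bob\\AppData\\Local\\Temp\\a.tmp"),
                 ("dns_query", "time.example")],
    "sample_C": [("process_create", "C:\\Windows\\System32\\svchost.exe"),
                 ("file_write", "C:\\Users\\carol\\Documents\\report.docx")],
}

REFERENCE = [  # constructed records from a fresh detonation, different user and port
    ("process_create", "C:\\Windows\\System32\\svchost.exe"),
    ("file_write", "C:\\Users\\dave\\AppData\\Local\\Temp\\svc.exe"),
    ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("dns_query", "cdn-update.example"),
    ("tcp_connect", "203.0.113.10:8443"),
]

if __name__ == "__main__":
    print(locate_related(REFERENCE, CORPUS))
```

Note that both the svchost process creation and the write to a temp file are dropped as background here, so the match with sample_A rests entirely on the persistence key, the DNS name and the C2 address, which is what an analyst would want to pivot on.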
- Irvine CA, US Dmitri Alperovitch - Gaithersburg MD, US George Robert Kurtz - Ladera Ranch CA, US David F. Diehl - Minneapolis MN, US Sven Krasser - Los Angeles CA, US
Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
- Irvine CA, US Dmitri Alperovitch - Gaithersburg MD, US George Robert Kurtz - Ladera Ranch CA, US David F. Diehl - Minneapolis MN, US Sven Krasser - Los Angeles CA, US
Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
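The DNS-layer part of the two deception abstracts above, as an added example that is not CrowdStrike's code: queries for a known-malicious domain (and its subdomains) are answered with the address of a monitored host instead of the adversary's server, and a polling pass watches dormant malicious domains for a change in what they resolve to. The sinkhole address, domain lists and the stand-in upstream resolver are constructed for the illustration.

```python
"""DNS-layer deception: sinkhole queries for malicious domains to a
monitored host, and watch dormant malicious domains for a change.

Added illustration, not CrowdStrike's code. The sinkhole address, domain
lists and the stand-in upstream resolver are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

SINKHOLE_IP = "192.0.2.53"   # monitored deception host (documentation range, assumed)

@dataclass(frozen=True)
class Answer:
    qname: str
    address: Optional[str]   # None stands for NXDOMAIN
    source: str              # "sinkhole" or "upstream"

def _under(qname, domain):
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

class DeceptionResolver:
    def __init__(self, malicious_domains, upstream):
        self.malicious = {d.rstrip(".").lower() for d in malicious_domains}
        self.upstream = upstream   # callable qname -> address or None (assumed)
        self.last_seen = {}        # domain -> last upstream answer
        self.alerts = []

    def resolve(self, qname):
        """Known-bad names (and their subdomains) never reach the adversary:
        the requesting process is steered to the monitored host instead."""
        if any(_under(qname, d) for d in self.malicious):
            return Answer(qname, SINKHOLE_IP, "sinkhole")
        return Answer(qname, self.upstream(qname), "upstream")

    def watch_dormant(self):
        """One polling pass. The first pass records a baseline; later passes
        raise an alert when a domain's upstream answer changes, e.g. from
        NXDOMAIN to a live address, which is when a configuration update
        (new indicators, tighter sinkholing) would be pushed out."""
        new_alerts = []
        for d in sorted(self.malicious):
            now = self.upstream(d)
            if d in self.last_seen and self.last_seen[d] != now:
                new_alerts.append({"domain": d, "was": self.last_seen[d], "now": now})
            self.last_seen[d] = now
        self.alerts.extend(new_alerts)
        return new_alerts

# Stand-in for a real upstream resolver: a table we can mutate to simulate
# a dormant domain coming alive (constructed).
UPSTREAM = {"www.good.example": "198.51.100.7", "bad.example": None, "c2.bad.example": None}

def fake_upstream(qname):
    return UPSTREAM.get(qname.rstrip(".").lower())

def demo():
    UPSTREAM["bad.example"] = None                 # dormant at the start
    r = DeceptionResolver(["bad.example"], fake_upstream)
    sinkholed = r.resolve("c2.bad.example.")       # trailing dot, subdomain
    benign = r.resolve("www.good.example")
    baseline = r.watch_dormant()                   # nothing to compare yet
    UPSTREAM["bad.example"] = "203.0.113.9"        # adversary brings it up
    woke = r.watch_dormant()
    return sinkholed, benign, baseline, woke

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the sinkhole answer is returned before any upstream lookup, the adversary's authoritative server never even sees the query, which is what lets the monitored host observe the infected process's traffic without tipping off the operator.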
- Irvine CA, US Dmitri Alperovitch - Gaithersburg MD, US George Robert Kurtz - Ladera Ranch CA, US
International Classification:
G06F 21/56
Abstract:
A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
- Irvine CA, US Dmitri Alperovitch - Gaithersburg MD, US George Robert Kurtz - Ladera Ranch CA, US
International Classification:
G06F 21/56 G06N 5/04
Abstract:
A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
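The event pipeline shared by the two agent abstracts above (kernel-level and generic), as an added example in user-mode Python; this is not CrowdStrike's agent or a kernel component. Events pass through configurable filters and are routed to consumers; one consumer consults a model of execution chains, gathers data on the first matching action of a process and emits a preventative action on each subsequent one. Event shapes, filter rules, the suspicious chain and the sample trace are constructed for the illustration.

```python
"""Event pipeline of a security agent: observe events, filter them with
configurable filters, route survivors to consumers, and act on a model of
execution chains (first malicious action: gather; later ones: prevent).

Added illustration in user-mode Python, not CrowdStrike's agent or a kernel
driver. Event shapes, filter rules, the suspicious chain and the trace are
constructed for the example.
"""
import os
from dataclasses import dataclass, field

@dataclass
class Event:
    kind: str      # "process_create" | "file_write" | "net_connect"
    pid: int
    ppid: int
    image: str     # full image path of the acting process
    detail: str = ""

def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()

@dataclass
class Filter:
    """Pass events of the listed kinds unless they come from a noisy image."""
    kinds: set
    exclude_images: set = field(default_factory=set)
    def passes(self, ev):
        return ev.kind in self.kinds and basename(ev.image) not in self.exclude_images

class ChainModel:
    """Ancestry of every process, plus the suspicious chains to look for.
    A chain is a tuple of image basenames, ancestor first (assumed model)."""
    def __init__(self, suspicious_chains):
        self.parent, self.image = {}, {}
        self.suspicious = [tuple(c) for c in suspicious_chains]
    def observe(self, ev):
        if ev.kind == "process_create":
            self.parent[ev.pid], self.image[ev.pid] = ev.ppid, ev.image
    def chain(self, pid):
        out = []
        while pid in self.image:
            out.append(basename(self.image[pid]))
            pid = self.parent[pid]
        return tuple(reversed(out))
    def matches(self, pid):
        c = self.chain(pid)
        return [s for s in self.suspicious if len(s) <= len(c) and c[-len(s):] == s]

class ChainConsumer:
    """Gathers data on the first action of a process whose chain matches,
    and emits a preventative action on each subsequent one."""
    def __init__(self):
        self.flagged, self.actions = {}, []
    def consume(self, ev, model):
        if not model.matches(ev.pid):
            return
        if ev.pid not in self.flagged:
            self.flagged[ev.pid] = {"chain": model.chain(ev.pid), "events": [ev]}
            self.actions.append(("gather", ev.pid))
        else:
            self.flagged[ev.pid]["events"].append(ev)
            self.actions.append(("terminate", ev.pid))

class Agent:
    def __init__(self, filters, consumers, model):
        self.filters, self.consumers, self.model = filters, consumers, model
    def observe(self, ev):
        self.model.observe(ev)          # ancestry is tracked for every event
        if any(f.passes(ev) for f in self.filters):
            for c in self.consumers:    # routing: every consumer sees the event
                c.consume(ev, self.model)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TRACE = [  # constructed trace: macro document spawning a shell
    Event("process_create", 100, 1,   "C:\\Windows\\explorer.exe"),
    Event("process_create", 200, 100, "C:\\Program Files\\Office\\WINWORD.EXE", "report.docm"),
    Event("process_create", 300, 200, "C:\\Windows\\System32\\cmd.exe", "/c powershell ..."),
    Event("process_create", 400, 300, PS, "-enc ..."),
    Event("file_write",     400, 300, PS, "C:\\Users\\x\\AppData\\Local\\Temp\\s.ps1"),
    Event("net_connect",    400, 300, PS, "203.0.113.5:443"),
    Event("process_create", 500, 100, "C:\\Windows\\System32\\notepad.exe"),
]

def run_trace(trace=TRACE):
    model = ChainModel([("winword.exe", "cmd.exe", "powershell.exe")])
    consumer = ChainConsumer()
    agent = Agent([Filter({"process_create", "net_connect"}, exclude_images={"msmpeng.exe"})],
                  [consumer], model)
    for ev in trace:
        agent.observe(ev)
    return model, consumer

if __name__ == "__main__":
    model, consumer = run_trace()
    print(model.chain(400), consumer.actions)
```

The model is fed every event before filtering so that ancestry is complete even for event kinds the consumers never see; the file_write in the trace is dropped by the filter, so the preventative action fires on the outbound connection, the second action the consumer observes from the flagged process.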
Dragos, Inc.
Member of the Board of Directors
Scythe (Smfps, Inc.)
Member of the Board of Directors
National Security Institute - George Mason University - Antonin Scalia Law School
Visiting Fellow
The Cipher Brief
Cyber Advisory Board Member
Harvard's Belfer Center
Senior Fellow
Education:
Georgia Institute of Technology
Master of Science, Masters
Skills:
Computer Security, Security, Information Security, Vulnerability Assessment, Network Security, Cloud Computing, Intrusion Detection, Penetration Testing, Information Security Management, Computer Forensics, Enterprise Software, Vulnerability Management, Application Security, Information Assurance, Firewalls, PCI DSS, Technology Management, Identity Management, Encryption, Public Speaking, Malware Analysis, TCP/IP, Security Audits, Internet Security, IDS, IPS, Security Architecture Design, Thought Leadership, National Security, Incident Response, International Relations, DoD, Foreign Policy, Security Studies, VPN, Data Science, Decision Sciences, IDA Pro
Dmitri Alperovitch
Youtube
Dmitri Alperovitch on CISA:
It's the agency you think is responsible for securing at least the gov...
Duration:
4m 13s
Rep. Langevin and Dmitri Alperovitch on cyber...
With the rise in ransomware attacks and data breaches, cybersecurity h...
Duration:
50m 13s
How will the Ukraine war end? Mark Galeotti a...
Mark Galeotti, a Spectator contributor and director of Mayak Intellige...
Duration:
15m 45s
Dmitri Alperovitch: These are the Countries T...
Dmitri Alperovitch, co-founder and CTO, CrowdStrike explains which cou...
Duration:
19m 39s
I think Russia is very likely to target Europ...
Dmitri Alperovitch, Silverado Policy Accelerator executive director, j...
Duration:
3m 33s
Dmitri Alperovitch on Cybersecurity & the Chi...
Foreign Affairs Focus on Cybersecurity & the Chinese Threat with Dmitr...
What he left out was that CrowdStrike is also a company with deep connections to Ukraine. CrowdStrike's chief technology officer and co-founder, Dmitri Alperovitch, is a Russian expat and a senior fellow at the Atlantic Council. The Atlantic Council's list of significant contributors includes Ukrain
Date: Dec 08, 2019
Category: Headlines
Source: Google
DNC Reports Attempted Cyberattack To Feds, Says No Compromise Of Voter Database
"We have not seen any significant activity yet from Russia against the midterm elections, in terms of actually launching disinformation campaigns," said Dmitri Alperovitch, founder of the digital security firm Crowdstrike.
Date: Aug 22, 2018
Category: Headlines
Source: Google
Russian Hackers Kept DNC Backdoor Longer Than Anyone Knew
Immediately afterwards, the Washington Post story appeared, and Crowdstrike CTO Dmitri Alperovitch published a technical account of the breach that left little room for doubt that Russia was behind the hacks. The blog post also ran down a list of the malware used in the intrusions, including the GRU
Date: Jul 14, 2018
Category: Headlines
Source: Google
Social media giants crack down on RT under Senate pressure
nton and the DNC, and was revealed to have paid for the notorious Steele Dossier. Another member of the project's senior advisory group is Dmitri Alperovitch, CEO of Crowdstrike, the private company hired by the DNC which originated the accusation that Russia hacked into the party's emails. Alperovit
Date: Jan 26, 2018
Category: World
Source: Google
The computer chip debacle: Businesses are scrambling
Some patches, including some provided by Microsoft, aren't available automatically because they can cause programs to crash, and businesses will need to make sure security tools like anti-virus software are compatible with the update, explained Dmitri Alperovitch, co-founder and CTO of CrowdStrike.
Date: Jan 05, 2018
Category: Sci/Tech
Source: Google
Russian government hackers do not appear to have targeted Vermont utility, say people close to investigation
"No one should be making any attribution conclusions purely from the indicators in the [government] report," tweeted Dmitri Alperovitch, chief technology officer of CrowdStrike, which investigated the DNC hack and attributed it to the Russian government. "It was all a jumbled mess."
Date: Jan 02, 2017
Category: Sci/Tech
Source: Google
Skeptics Doubt Ukraine Hack, Its Link to DNC Cyberattack
eted by the same hackers, that we call Fancy Bear, that targeted DNC, but this time they were targeting cellphones (belonging to the Ukrainian artillerymen) to try to understand their location so that the Russian artillery forces can actually target them in the open battle, Dmitri Alperovitch, Crow