US 11,943,238 B1
Process tree and tags
Brandon M. Edwards, Brooklyn, NY (US)
Assigned to Capsule8, Inc., New York, NY (US)
Filed by Capsule8, Inc., New York, NY (US)
Filed on Jun. 1, 2021, as Appl. No. 17/336,128.
Application 17/336,128 is a continuation of application No. 16/698,918, filed on Nov. 27, 2019, granted, now 11,070,573.
Claims priority of provisional application 62/825,737, filed on Mar. 28, 2019.
Claims priority of provisional application 62/773,892, filed on Nov. 30, 2018.
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/57 (2013.01); G06F 21/55 (2013.01); H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 21/554 (2013.01); G06F 21/577 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01)]
20 Claims
1. A system, comprising:
a memory storing instructions; and
a processor coupled to the memory and configured by the instructions to:
receive information associated with a process event including a transition;
use at least a portion of the received information to modify a Process Tree by propagating tag information according to tag propagation logic, wherein modifying the Process Tree includes at least one of:
(1) adding a Tag to the Process Tree for a process created by the process event, and
(2) modifying an original authorized shell Tag in the Process Tree for an existing process exited by the process event;
determine that at least a portion of the Process Tree matches a malware pattern; and
generate an Alert, based at least in part in response to determining that the malware pattern has been matched.
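
The flow recited in claim 1 (process event, tag propagation into a process tree, pattern match, alert) can be illustrated with the following added sketch, which is not code from the patent or from Capsule8. The tag names, event fields, the inheritance rule, the exit rule and the "shell under a network service" pattern are all assumptions chosen for illustration; the claim itself does not define them.

```python
# Added sketch: tag names, event fields and rules are assumptions, not the patent's.
SHELLS = {"/bin/sh", "/bin/bash"}

def new_tree(seeds):
    """seeds: {pid: (exe, tags)} for processes already running."""
    return {pid: {"ppid": None, "exe": exe, "tags": set(tags)}
            for pid, (exe, tags) in seeds.items()}

def on_fork(tree, ev):
    parent = tree.get(ev["ppid"])
    # Propagation rule (assumed): a new process inherits its parent's tags.
    tags = set(parent["tags"]) if parent else set()
    if ev["exe"] in SHELLS:
        tags.add("shell")
        if "login_session" in tags:
            tags.add("authorized_shell")
    tree[ev["pid"]] = {"ppid": ev["ppid"], "exe": ev["exe"], "tags": tags}

def on_exit(tree, ev):
    node = tree.get(ev["pid"])
    # Exit rule (assumed): rewrite the tag, keep the node as history.
    if node and "authorized_shell" in node["tags"]:
        node["tags"].discard("authorized_shell")
        node["tags"].add("authorized_shell_exited")

def matches(node):
    # Pattern (assumed): shell under a network service, no authorized login.
    t = node["tags"]
    return {"shell", "network_service"} <= t and "authorized_shell" not in t

def process(tree, events):
    alerts = []
    for ev in events:
        if ev["type"] == "fork":
            on_fork(tree, ev)
            if matches(tree[ev["pid"]]):
                alerts.append({"pid": ev["pid"], "rule": "shell_from_network_service"})
        elif ev["type"] == "exit":
            on_exit(tree, ev)
    return alerts

# Constructed sample: an sshd login shell, then a shell spawned under nginx.
SEEDS = {100: ("/usr/sbin/sshd", {"login_session"}),
         200: ("/usr/sbin/nginx", {"network_service"})}
EVENTS = [
    {"type": "fork", "pid": 101, "ppid": 100, "exe": "/bin/bash"},
    {"type": "fork", "pid": 201, "ppid": 200, "exe": "/bin/sh"},
    {"type": "exit", "pid": 101},
]
```

Calling `process(new_tree(SEEDS), EVENTS)` on the constructed events returns one alert, for pid 201, while the login shell (pid 101) raises none and has its tag rewritten when it exits.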