CPC G06F 16/1734 (2019.01) [G06F 9/545 (2013.01); G06F 16/13 (2019.01); G06F 16/172 (2019.01); G06F 21/6218 (2013.01)]
15 Claims
1. A method, comprising:
intercepting an event at a filter driver in a kernel space, wherein the event is associated with a resource of a computing system, wherein the event is associated with a session and wherein the session includes an entry for each event associated with the resource that occurred in the session;
directing the event to a proxy engine operating in a user space;
determining the session associated with the event is a session of interest by the proxy engine;
generating a reconstructed session from entries in the session, which is stored in a session cache, wherein the reconstructed session includes the event;
applying a policy to the reconstructed session to determine an action to be performed on the event using metadata and/or data stored in the session, wherein the metadata is related to the event;
forwarding the reconstructed session to an external system, wherein the action is performed by the external system and wherein the action includes injecting an external processing into an IO (input/output) associated with the event based on the reconstructed session before the event is committed in the computing system, wherein the action is obscuring data, by the external system, associated with the event, wherein the data is unobscured when authorized at a later time; and
returning the event to the filter driver to resume processing in the kernel space.
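
The steps of claim 1, modelled in user space as an added example; this is not code from the patent or its assignee. The class names, the `/secure/` prefix, the `sensitive` metadata tag, and token-vault obscuring are all assumptions chosen for illustration, since the claim does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import secrets

@dataclass
class Event:                      # constructed model of an intercepted IO event
    session_id: str
    resource: str
    op: str                       # e.g. "open", "write"
    data: bytes = b""
    meta: dict = field(default_factory=dict)

class ExternalSystem:
    """Stand-in external system: obscures by tokenizing into a vault (assumption)."""
    def __init__(self):
        self._vault = {}
    def process(self, session, event):
        token = b"TOK-" + secrets.token_hex(8).encode()
        self._vault[token] = event.data
        event.data = token        # IO is altered before the event is committed
    def unobscure(self, token, authorized):
        if not authorized:
            raise PermissionError("caller is not authorized to unobscure")
        return self._vault[token]

class ProxyEngine:
    def __init__(self, external, watched_prefix="/secure/"):
        self.cache = defaultdict(list)          # session cache: id -> entries
        self.external = external
        self.watched_prefix = watched_prefix
    def of_interest(self, session):
        return any(e.resource.startswith(self.watched_prefix) for e in session)
    def policy(self, session):
        # The decision uses metadata from earlier entries, not only the current event.
        tagged = any(e.meta.get("sensitive") for e in session)
        return "obscure" if tagged and session[-1].op == "write" else "allow"
    def handle(self, event):
        self.cache[event.session_id].append(event)
        session = list(self.cache[event.session_id])    # reconstructed session
        if self.of_interest(session) and self.policy(session) == "obscure":
            self.external.process(session, event)
        return event              # handed back so kernel-side processing resumes

def filter_driver_intercept(proxy, event):
    """Models the kernel-side hook: divert to the proxy, then resume with the result."""
    return proxy.handle(event)
```

The write in a tagged session is obscured even though the write event itself carries no tag, which is the reason the policy is applied to the reconstructed session rather than to the single event.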