-
Publication (Announcement) No.: US10909242B2
Publication (Announcement) Date: 2021-02-02
Application No.: US16169081
Application Date: 2018-10-24
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Xusheng Xiao, Zhichun Li, Guofei Jiang, Peng Gao
IPC: G06F21/55, G06F9/54, G06F16/33, G06F21/57, G06F16/2455
Abstract: A system and method are provided for identifying security risks in a computer system. The system includes an event stream generator configured to collect system event data from the computer system. The system further includes a query device configured to receive query requests that specify parameters of a query. Each query request includes at least one anomaly model. The query request and the anomaly model are included in a first syntax in which a system event is expressed as {subject-operation-object}. The system further includes a detection device configured to receive at least one query request from the query device and continuously compare the system event data to the anomaly models of the query requests to detect a system event that poses a security risk. The system also includes a reporting device configured to generate an alert for system events that pose a security risk detected by the detection device.
-
Publication (Announcement) No.: US20200250308A1
Publication (Announcement) Date: 2020-08-06
Application No.: US16781366
Application Date: 2020-02-04
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Zhengzhang Chen, Xiao Yu
IPC: G06F21/55
Abstract: Methods and systems for security monitoring and response include assigning an anomaly score to each of a plurality of event paths that are stored in a first memory. Events that are cold, events that are older than a threshold, and events that are not part of a top-k anomalous path are identified. The identified events are evicted from the first memory to a second memory. A threat associated with events in the first memory is identified. A security action is performed responsive to the identified threat.
-
Publication (Announcement) No.: US20200042700A1
Publication (Announcement) Date: 2020-02-06
Application No.: US16507353
Application Date: 2019-07-10
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, Zhichun Li, Wajih Ul Hassan
IPC: G06F21/55
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.
-
Publication (Announcement) No.: US20180336256A1
Publication (Announcement) Date: 2018-11-22
Application No.: US15979512
Application Date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
IPC: G06F17/30
CPC classification number: G06F16/1744, G06F3/0643, G06F16/2246, G06F16/2272, G06F16/24568, G06F16/25, G06F16/258, G06F16/9027, G06F21/552, G06F21/6218, G06F2216/03, G06F2221/2143, G06K9/6219
Abstract: Systems and methods for data reduction including organizing data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified. A compressible file access template (CFAT) is generated corresponding to each of the path combinations. The data of the event stream is compressed with the CFATs to reduce the dependent features to special events representing the dependent features.
-
Publication (Announcement) No.: US11194906B2
Publication (Announcement) Date: 2021-12-07
Application No.: US16507353
Application Date: 2019-07-10
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, Zhichun Li, Wajih Ul Hassan
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.
-
Publication (Announcement) No.: US20210089992A1
Publication (Announcement) Date: 2021-03-25
Application No.: US17016709
Application Date: 2020-09-10
Applicant: NEC Laboratories America, Inc.
Inventor: Jianwu Xu, Ding Li, Wei Cheng, Haifeng Chen
Abstract: A method for automatically recommending a reviewer for submitted codes is presented. The method includes employing, in a learning phase, an artificial intelligence agent for learning an underlying and contextual structure of code regions, mapping the code regions into a distributed representation to define code region representations, employing, in a recommendation phase, the artificial intelligence agent to produce a ranked list of recommended reviewers for any given submitted code review request, and outputting the ranked list of recommended reviewers to a visualization device.
-
Publication (Announcement) No.: US20190121973A1
Publication (Announcement) Date: 2019-04-25
Application No.: US16169081
Application Date: 2018-10-24
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Xusheng Xiao, Zhichun Li, Guofei Jiang, Peng Gao
Abstract: A system and method are provided for identifying security risks in a computer system. The system includes an event stream generator configured to collect system event data from the computer system. The system further includes a query device configured to receive query requests that specify parameters of a query. Each query request includes at least one anomaly model. The query request and the anomaly model are included in a first syntax in which a system event is expressed as {subject-operation-object}. The system further includes a detection device configured to receive at least one query request from the query device and continuously compare the system event data to the anomaly models of the query requests to detect a system event that poses a security risk. The system also includes a reporting device configured to generate an alert for system events that pose a security risk detected by the detection device.
-
Publication (Announcement) No.: US11463472B2
Publication (Announcement) Date: 2022-10-04
Application No.: US16653259
Application Date: 2019-10-15
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, Ding Li, Zhichun Li, Shen Wang
IPC: H04L29/06, H04L9/40, G06K9/62, G06F16/901, G06N3/04
Abstract: A method for detecting malicious program behavior includes performing program verification based on system activity data, analyzing unverified program data identified from the program verification to detect abnormal events, including analyzing host-level events to detect abnormal host-level events by learning a program representation as a graph embedding through an attentional architecture based on an invariant graph between different system entities, generating detection results based on the analysis, and performing at least one corrective action based on the detection results.
-
Publication (Announcement) No.: US11423146B2
Publication (Announcement) Date: 2022-08-23
Application No.: US16991288
Application Date: 2020-08-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Xiao Yu, Junghwan Rhee, Haifeng Chen, Qi Wang
Abstract: Systems and methods for a provenance based threat detection tool that builds a provenance graph including a plurality of paths using a processor device from provenance data obtained from one or more computer systems and/or networks; samples the provenance graph to form a plurality of linear sample paths, and calculates a regularity score for each of the plurality of linear sample paths using a processor device; selects a subset of linear sample paths from the plurality of linear sample paths based on the regularity score, and embeds each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device; detects anomalies in the embedded paths to identify malicious process activities, and terminates a process related to the embedded path having the identified malicious process activities.
-
Publication (Announcement) No.: US11275832B2
Publication (Announcement) Date: 2022-03-15
Application No.: US16781366
Application Date: 2020-02-04
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Zhengzhang Chen, Xiao Yu
Abstract: Methods and systems for security monitoring and response include assigning an anomaly score to each of a plurality of event paths that are stored in a first memory. Events that are cold, events that are older than a threshold, and events that are not part of a top-k anomalous path are identified. The identified events are evicted from the first memory to a second memory. A threat associated with events in the first memory is identified. A security action is performed responsive to the identified threat.