-
Publication number: US20180183681A1
Publication date: 2018-06-28
Application number: US15902432
Filing date: 2018-02-22
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
CPC classification number: H04L41/145, G06F21/554, H04L41/046, H04L41/142, H04L43/08, H04L63/1416, H04L63/1441
Abstract: Methods and systems for detecting host community include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are found by determining a distance in a latent space that embeds the historical events between events of the target host and events of the one or more original peer hosts. A security management action is performed based on behavior of the target host and the determined one or more original peer hosts.
-
Publication number: US20170288979A1
Publication date: 2017-10-05
Application number: US15477625
Filing date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira, Zhichun Li, Zhengzhang Chen, Haifeng Chen, Guofei Jiang, LuAn Tang
CPC classification number: H04L41/145, H04L41/12, H04L41/142, H04L43/045, H04L63/1425
Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication number: US20170288974A1
Publication date: 2017-10-05
Application number: US15477603
Filing date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira, Zhichun Li, Zhengzhang Chen, Haifeng Chen, Guofei Jiang, LuAn Tang
CPC classification number: H04L41/12, G06F21/552, H04L41/142, H04L41/145, H04L63/1425
Abstract: Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication number: US20170149814A1
Publication date: 2017-05-25
Application number: US15425335
Filing date: 2017-02-06
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, LuAn Tang, Guofei Jiang, Kenji Yoshihira, Haifeng Chen
CPC classification number: H04L63/1425, H04L41/12, H04L41/142, H04L41/145, H04L63/1408, H04L2463/121
Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network event does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.
-
Publication number: US20160330226A1
Publication date: 2016-11-10
Application number: US15213896
Filing date: 2016-07-19
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, LuAn Tang, Boxiang Dong, Guofei Jiang, Haifeng Chen
CPC classification number: H04L63/14, G06F21/55, H04L29/06877, H04L29/06891, H04L29/06911, H04L41/12, H04L41/142, H04L63/1416, H04L2463/121
Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.