-
Publication (Announcement) No.: US10305917B2
Publication (Announcement) Date: 2019-05-28
Application No.: US15213896
Filing Date: 2016-07-19
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen , LuAn Tang , Boxiang Dong , Guofei Jiang , Haifeng Chen
Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
-
Publication (Announcement) No.: US10291483B2
Publication (Announcement) Date: 2019-05-14
Application No.: US15427654
Filing Date: 2017-02-08
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Zhengzhang Chen , Kai Zhang , Haifeng Chen , Zhichun Li
IPC: G06F15/173 , G06F15/16 , H04L12/24
Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and to model respective pairs of the entities for compatibility according to the embedding of the entities, forming a pairwise interaction for each respective pair of entities. The processor is additionally configured to weigh the pairwise interactions of different ones of the respective pairs of entities based on one or more compatibility criteria to generate a probability of an occurrence of an anomaly, and to alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.
-
Publication (Announcement) No.: US20180183680A1
Publication (Announcement) Date: 2018-06-28
Application No.: US15902369
Filing Date: 2018-02-22
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen , LuAn Tang , Zhichun Li , Cheng Cao
CPC classification number: H04L41/145 , G06F17/18 , H04L41/046 , H04L43/08 , H04L63/1425 , H04L63/20 , H04W12/00505
Abstract: Methods and systems for modeling host behavior in a network include determining a first probability function for observing each of a set of process-level events at a first host based on embedding vectors for the first event and the first host. A second probability function is determined for the first host issuing each of a set of network-level events connecting to a second host based on embedding vectors for the first host and the second host. The first and second probability functions are maximized to determine a set of likely process-level and network-level events for the first host. A security action is performed based on the modeled host behavior.
-
Publication (Announcement) No.: US20180048667A1
Publication (Announcement) Date: 2018-02-15
Application No.: US15725994
Filing Date: 2017-10-05
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Hengtong Zhang , Zhengzhang Chen , Bo Zong , Zhichun Li , Guofei Jiang , Kenji Yoshihira
CPC classification number: H04L63/1425 , G06F21/552 , G06F21/554 , G06F21/57 , H04L12/4625 , H04L41/12 , H04L41/142 , H04L41/145 , H04L63/1416 , H04L63/1441 , H04L63/145 , H04L63/20
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
-
Publication (Announcement) No.: US20180032724A1
Publication (Announcement) Date: 2018-02-01
Application No.: US15725974
Filing Date: 2017-10-05
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Hengtong Zhang , Zhengzhang Chen , Bo Zong , Zhichun Li , Guofei Jiang , Kenji Yoshihira
CPC classification number: G06F21/554 , G06F21/552 , G06F21/577 , H04L41/12 , H04L41/142 , H04L41/145 , H04L63/1416 , H04L63/1425 , H04L63/1433 , H04L63/145
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains that connect malicious events over a span of time are generated from the event correlation graph and characterize events in an attack path over time; they are built by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
-
Publication (Announcement) No.: US20170272344A1
Publication (Announcement) Date: 2017-09-21
Application No.: US15413812
Filing Date: 2017-01-24
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Zhengzhang Chen , Haifeng Chen , Kenji Yoshihira , Guofei Jiang
IPC: H04L12/26
CPC classification number: H04L43/10 , G06F11/3438 , H04L41/12 , H04L41/16 , H04L41/22 , H04L41/28 , H04L43/06 , H04L43/0811 , H04L67/22
Abstract: A computer-implemented method for real-time detection of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, the normal states of network connections among hosts in the network, and recording, via a port graph, the relationships established between hosts and destination ports across all network connections.