-
公开(公告)号:US20190050562A1
公开(公告)日:2019-02-14
申请号:US16039993
申请日:2018-07-19
Applicant: NEC Laboratories America, Inc. , NEC Corporation
Inventor: Junghwan Rhee , Zhenyu Wu , Lauri Korts-Parn , Kangkook Jee , Zhichun Li , Omid Setayeshfar
Abstract: Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.
-
公开(公告)号:US20180052998A1
公开(公告)日:2018-02-22
申请号:US15623589
申请日:2017-06-15
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee , Yuseok Jeon , Zhichun Li , Kangkook Jee , Zhenyu Wu , Guofei Jiang
CPC classification number: G06F21/566 , G06F21/54 , G06F21/563 , G06F21/577 , G06F21/6218 , G06F2221/034 , G06F2221/2141
Abstract: A computer-implemented method for analyzing operations of privilege changes is presented. The computer-implemented method includes inputting a program and performing source code analysis on the program by generating a privilege control flow graph (PCFG), generating a privilege data flow graph (PDFG), and generating a privilege call context graph (PCCG). The computer-implemented method further includes, based on the source code analysis results, instrumenting the program to perform inspections on execution states at privilege change operations, and performing runtime inspection and anomaly prevention.
-
公开(公告)号:US20180013775A1
公开(公告)日:2018-01-11
申请号:US15644018
申请日:2017-07-07
Applicant: NEC Laboratories America, Inc. , NEC Corporation
Inventor: Kangkook Jee , Zhichun Li , Guofei Jiang , Lauri Korts-Parn , Zhenyu Wu , Yixin Sun , Junghwan Rhee
CPC classification number: H04L63/1416 , H04L61/1511 , H04L61/2007 , H04L63/1425
Abstract: A system and computer-implemented method are provided for host level detection of malicious Domain Name System (DNS) activities in a network environment having multiple end-hosts. The system includes a set of DNS resolver agents configured to (i) gather DNS activities from each of the multiple end-hosts by recording DNS queries and DNS responses corresponding to the DNS queries, and (ii) associate the DNS activities with Program Identifiers (PIDs) that identify programs that issued the DNS queries. The system further includes a backend server configured to detect one or more of the malicious DNS activities based on the gathered DNS activities and the PIDs.
-
公开(公告)号:US20170293761A1
公开(公告)日:2017-10-12
申请号:US15479928
申请日:2017-04-05
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee , Zhichun Li , Zhenyu Wu , Kangkook Jee , Guofei Jiang
CPC classification number: G06F21/563 , G06F11/3688 , G06F11/3692 , G06F21/564 , G06F2221/033
Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.
-
公开(公告)号:US09602528B2
公开(公告)日:2017-03-21
申请号:US14712421
申请日:2015-05-14
Applicant: NEC Laboratories America, Inc.
Inventor: Zhiyun Qian , Jun Wang , Zhichun Li , Zhenyu Wu , Junghwan Rhee , Xia Ning , Guofei Jiang
CPC classification number: H04L63/1425 , G06F11/30 , G06F21/50 , G06F21/552 , G06F21/554 , G06N99/005 , H04L63/1441
Abstract: Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process.
-
Patent Agency Ranking
16.发明授权Dynamic border line tracing for tracking message flows across distributed systems 有权用于跟踪跨分布式系统的消息流的动态边界线跟踪公开(公告)号:US09535814B2
公开(公告)日:2017-01-03
申请号:US14665519
申请日:2015-03-23
Applicant: NEC Laboratories America, Inc.
Inventor: Nipun Arora , Junghwan Rhee , Hui Zhang , Guofei Jiang
CPC classification number: G06F11/3466
Abstract: The present invention enables capturing API level calls using a combination of dynamic instrumentation and library overriding. The invention allows event level tracing of API function calls and returns, and is able to generate an execution trace. The instrumentation is lightweight and relies on dynamic library/shared library linking mechanisms in most operating systems. Hence we need no source code modification or binary injection. The tool can be used to capture parameter values, and return values, which can be used to correlate traces across API function calls to generate transaction flow logic.
Abstract translation: 本发明可以使用动态检测和库重写的组合捕获API级别调用。 本发明允许API函数调用和返回的事件级别跟踪,并且能够生成执行跟踪。 该仪器是轻量级的,并且依赖于大多数操作系统中的动态库/共享库链接机制。 因此,我们不需要源代码修改或二进制注入。 该工具可用于捕获参数值和返回值,可用于将API函数调用之间的跟踪相关联,以生成事务流逻辑。
-
17.发明申请Blackbox Memory Monitoring with a Calling Context Memory Map and Semantic Extraction 有权Blackbox内存监控与调用上下文存储器映射和语义提取公开(公告)号:US20140068351A1
公开(公告)日:2014-03-06
申请号:US14012000
申请日:2013-08-28
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee , Hui Zhang , Nipun Arora , Guofei Jiang , Kenji Yoshihira
IPC: G06F11/30
CPC classification number: G06F11/3034 , G06F11/073 , G06F11/079 , G06F11/30 , G06F11/3037 , G06F11/3051 , G06F11/3476 , G06F11/3604 , G06F11/3636 , G06F2201/865
Abstract: A computer implemented method provides efficient monitoring and analysis of a program's memory objects in the operation stage. The invention can visualize and analyze a monitored program's data status with improved semantic information without requiring source code at runtime. The invention can provide higher quality of system management, performance debugging, and root-cause error analysis of enterprise software in the production stage.
Abstract translation: 计算机实现的方法在操作阶段提供对程序的存储器对象的有效监视和分析。 本发明可以使用改进的语义信息可视化和分析被监视程序的数据状态,而不需要运行时的源代码。 本发明可以在生产阶段提供更高质量的系统管理,性能调试和企业软件的根本原因误差分析。
-
公开(公告)号:US11606389B2
公开(公告)日:2023-03-14
申请号:US17004752
申请日:2020-08-27
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen , Jiaping Gui , Haifeng Chen , Junghwan Rhee , Shen Wang
Abstract: Methods and systems for detecting and responding to an intrusion in a computer network include generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples. The original and adversarial samples are encoded to generate respective original and adversarial graph representations, based on node neighborhood aggregation. A graph-based neural network is trained to detect anomalous activity in a computer network, using the adversarial training data set. A security action is performed responsive to the detected anomalous activity.
-
公开(公告)号:US11423142B2
公开(公告)日:2022-08-23
申请号:US16693710
申请日:2019-11-25
Applicant: NEC Laboratories America, Inc.
Inventor: Chung Hwan Kim , Junghwan Rhee , Kangkook Jee , Zhichun Li
Abstract: A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
-
公开(公告)号:US20210048994A1
公开(公告)日:2021-02-18
申请号:US16985647
申请日:2020-08-05
Applicant: NEC Laboratories America, Inc.
Inventor: Xiao Yu , Xueyuan Han , Ding Li , Junghwan Rhee , Haifeng Chen
IPC: G06F8/61 , G06N3/04 , G06F16/901
Abstract: A computer-implemented method for securing software installation through deep graph learning includes extracting a new software installation graph (SIG) corresponding to a new software installation based on installation data associated with the new software installation, using at least two node embedding models to generate a first vector representation by embedding the nodes of the new SIG and inferring any embeddings for out-of-vocabulary (OOV) words corresponding to unseen pathnames, utilizing a deep graph autoencoder to reconstruct nodes of the new SIG from latent vector representations encoded by the graph LSTM, wherein reconstruction losses resulting from a difference of a second vector representation generated by the deep graph autoencoder and the first vector representation represent anomaly scores for each node, and performing anomaly detection by comparing an overall anomaly score of the anomaly scores to a threshold of normal software installation.
-
-
-
-
-
-
-
-
-
Search Results
63
records
(took 0.021 seconds)
