-
Publication No.: US10831750B2
Publication Date: 2020-11-10
Application No.: US15684325
Filing Date: 2017-08-23
Applicant: NEC Laboratories America, Inc.
Inventor: Xusheng Xiao, Zhichun Li, Mu Zhang, Guofei Jiang, Jiaping Gui, Ding Li
IPC: G06F7/00, G06F16/2453, G06F21/62, G06F16/245, G06F21/57, G06F16/22
Abstract: Automated security systems and methods include a set monitored systems, each having one or more corresponding monitors configured to record system state information. A progressive software behavioral query language (PROBEQL) database is configured to store the system state information from the monitored systems. A query optimizing module is configured to optimize a database query for parallel execution using spatial and temporal information relating to elements in the PROBEQL database. The optimized database query is split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. A parallel execution module is configured to execute the sub-queries on the PROBEQL database in parallel. A results module is configured to output progressive results of the database query. A security control system is configured to perform a security control action in accordance with the progressive results.
-
Publication No.: US10733149B2
Publication Date: 2020-08-04
Application No.: US15979512
Filing Date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
IPC: G06F17/00, G06F7/00, G06F16/174, G06F3/06, G06K9/62, G06F16/25, G06F16/22, G06F16/2455, G06F21/62, G06F16/901, G06F21/55
Abstract: Systems and methods for data reduction including organizing data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified. A compressible file access template (CFAT) is generated corresponding to each of the path combinations. The data of the event stream is compressed with the CFATs to reduce the dependent features to special events representing the dependent features.
-
Publication No.: US20180336218A1
Publication Date: 2018-11-22
Application No.: US15979514
Filing Date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
Abstract: Systems and methods for mining and compressing commercial data including a network of point of sale devices to log commercial activity data including independent commercial events and corresponding dependent features. A middleware system is in communication with the network of point of sale devices to continuously collect and compress a stream of the commercial activity data and concurrently store the compressed commercial activity data. Compressing the stream includes a file access table corresponding to the commercial activity data, producing compressible file access templates (CFATs) according to frequent patterns of commercial activity data using the file access table, and replacing dependent feature sequences with a matching compressible file access template. A database is in communication with the middleware system to store the compressed commercial data. A commercial pattern analysis system is in communication with the database to determine patterns in commercial activities across the network of point of sale devices.
-
Publication No.: US11321066B2
Publication Date: 2022-05-03
Application No.: US16985647
Filing Date: 2020-08-05
Applicant: NEC Laboratories America, Inc.
Inventor: Xiao Yu, Xueyuan Han, Ding Li, Junghwan Rhee, Haifeng Chen
IPC: G06F8/61, G06F16/901, G06N3/04
Abstract: A computer-implemented method for securing software installation through deep graph learning includes extracting a new software installation graph (SIG) corresponding to a new software installation based on installation data associated with the new software installation, using at least two node embedding models to generate a first vector representation by embedding the nodes of the new SIG and inferring any embeddings for out-of-vocabulary (OOV) words corresponding to unseen pathnames, utilizing a deep graph autoencoder to reconstruct nodes of the new SIG from latent vector representations encoded by the graph LSTM, wherein reconstruction losses resulting from a difference of a second vector representation generated by the deep graph autoencoder and the first vector representation represent anomaly scores for each node, and performing anomaly detection by comparing an overall anomaly score of the anomaly scores to a threshold of normal software installation.
-
Publication No.: US20210064751A1
Publication Date: 2021-03-04
Application No.: US16991288
Filing Date: 2020-08-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Xiao Yu, Junghwan Rhee, Haifeng Chen, Qi Wang
Abstract: Systems and methods for a provenance based threat detection tool that builds a provenance graph including a plurality of paths using a processor device from provenance data obtained from one or more computer systems and/or networks; samples the provenance graph to form a plurality of linear sample paths, and calculates a regularity score for each of the plurality of linear sample paths using a processor device; selects a subset of linear sample paths from the plurality of linear sample paths based on the regularity score, and embeds each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device; detects anomalies in the embedded paths to identify malicious process activities, and terminates a process related to the embedded path having the identified malicious process activities.
-
Publication No.: US11030308B2
Publication Date: 2021-06-08
Application No.: US16006164
Filing Date: 2018-06-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, LuAn Tang, Zhichun Li
IPC: G06F21/55, G06F9/48, G06F16/2455, G06F16/248
Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
-
Publication No.: US11030157B2
Publication Date: 2021-06-08
Application No.: US15979514
Filing Date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
IPC: G06F16/00, G06F16/174, G06F3/06, G06K9/62, G06F16/25, G06F16/22, G06F16/2455, G06F21/62, G06F16/901, G06F21/55
Abstract: Systems and methods for mining and compressing commercial data including a network of point of sale devices to log commercial activity data including independent commercial events and corresponding dependent features. A middleware system is in communication with the network of point of sale devices to continuously collect and compress a stream of the commercial activity data and concurrently store the compressed commercial activity data. Compressing the stream includes a file access table corresponding to the commercial activity data, producing compressible file access templates (CFATs) according to frequent patterns of commercial activity data using the file access table, and replacing dependent feature sequences with a matching compressible file access template. A database is in communication with the middleware system to store the compressed commercial data. A commercial pattern analysis system is in communication with the database to determine patterns in commercial activities across the network of point of sale devices.
-
Publication No.: US20210048994A1
Publication Date: 2021-02-18
Application No.: US16985647
Filing Date: 2020-08-05
Applicant: NEC Laboratories America, Inc.
Inventor: Xiao Yu, Xueyuan Han, Ding Li, Junghwan Rhee, Haifeng Chen
IPC: G06F8/61, G06N3/04, G06F16/901
Abstract: A computer-implemented method for securing software installation through deep graph learning includes extracting a new software installation graph (SIG) corresponding to a new software installation based on installation data associated with the new software installation, using at least two node embedding models to generate a first vector representation by embedding the nodes of the new SIG and inferring any embeddings for out-of-vocabulary (OOV) words corresponding to unseen pathnames, utilizing a deep graph autoencoder to reconstruct nodes of the new SIG from latent vector representations encoded by the graph LSTM, wherein reconstruction losses resulting from a difference of a second vector representation generated by the deep graph autoencoder and the first vector representation represent anomaly scores for each node, and performing anomaly detection by comparing an overall anomaly score of the anomaly scores to a threshold of normal software installation.
-
Publication No.: US20190050561A1
Publication Date: 2019-02-14
Application No.: US16006164
Filing Date: 2018-06-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, LuAn Tang, Zhichun Li
Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
-
Publication No.: US20180336349A1
Publication Date: 2018-11-22
Application No.: US15972911
Filing Date: 2018-05-07
Applicant: NEC Laboratories America, Inc.
Inventor: Mu Zhang, Kangkook Jee, Zhichun Li, Ding Li, Zhenyu Wu, Junghwan Rhee
IPC: G06F21/55
Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing, by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing, by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating, by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating, by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.
-