-
Publication (Announcement) No.: US11423142B2
Publication (Announcement) Date: 2022-08-23
Application No.: US16693710
Application Date: 2019-11-25
Applicant: NEC Laboratories America, Inc.
Inventor: Chung Hwan Kim, Junghwan Rhee, Kangkook Jee, Zhichun Li
Abstract: A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.
-
Publication (Announcement) No.: US11030308B2
Publication (Announcement) Date: 2021-06-08
Application No.: US16006164
Application Date: 2018-06-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, LuAn Tang, Zhichun Li
IPC: G06F21/55, G06F9/48, G06F16/2455, G06F16/248
Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
-
Publication (Announcement) No.: US11030157B2
Publication (Announcement) Date: 2021-06-08
Application No.: US15979514
Application Date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
IPC: G06F16/00, G06F16/174, G06F3/06, G06K9/62, G06F16/25, G06F16/22, G06F16/2455, G06F21/62, G06F16/901, G06F21/55
Abstract: Systems and methods for mining and compressing commercial data including a network of point of sale devices to log commercial activity data including independent commercial events and corresponding dependent features. A middleware system is in communication with the network of point of sale devices to continuously collect and compress a stream of the commercial activity data and concurrently store the compressed commercial activity data. Compressing the stream includes a file access table corresponding to the commercial activity data, producing compressible file access templates (CFATs) according to frequent patterns of commercial activity data using the file access table, and replacing dependent feature sequences with a matching compressible file access template. A database is in communication with the middleware system to store the compressed commercial data. A commercial pattern analysis system is in communication with the database to determine patterns in commercial activities across the network of point of sale devices.
-
Publication (Announcement) No.: US10574674B2
Publication (Announcement) Date: 2020-02-25
Application No.: US15644018
Application Date: 2017-07-07
Applicant: NEC Laboratories America, Inc., NEC Corporation
Inventor: Kangkook Jee, Zhichun Li, Guofei Jiang, Lauri Korts-Parn, Zhenyu Wu, Yixin Sun, Junghwan Rhee
Abstract: A system and computer-implemented method are provided for host level detection of malicious Domain Name System (DNS) activities in a network environment having multiple end-hosts. The system includes a set of DNS resolver agents configured to (i) gather DNS activities from each of the multiple end-hosts by recording DNS queries and DNS responses corresponding to the DNS queries, and (ii) associate the DNS activities with Program Identifiers (PIDs) that identify programs that issued the DNS queries. The system further includes a backend server configured to detect one or more of the malicious DNS activities based on the gathered DNS activities and the PIDs.
-
Publication (Announcement) No.: US20190342330A1
Publication (Announcement) Date: 2019-11-07
Application No.: US16379024
Application Date: 2019-04-09
Applicant: NEC Laboratories America, Inc.
Inventor: Zhenyu Wu, Yue Li, Junghwan Rhee, Kangkook Jee, Zichun Li, Jumpei Kamimura, LuAn Tang, Zhengzhang Chen
IPC: H04L29/06, G06F11/34, G06F16/901
Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
-
Publication (Announcement) No.: US20190050561A1
Publication (Announcement) Date: 2019-02-14
Application No.: US16006164
Application Date: 2018-06-12
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, LuAn Tang, Zhichun Li
Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
-
Publication (Announcement) No.: US20180336349A1
Publication (Announcement) Date: 2018-11-22
Application No.: US15972911
Application Date: 2018-05-07
Applicant: NEC Laboratories America, Inc.
Inventor: Mu Zhang, Kangkook Jee, Zhichun Li, Ding Li, Zhenyu Wu, Junghwan Rhee
IPC: G06F21/55
Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing, by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing, by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating, by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating, by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.
-
Publication (Announcement) No.: US10931635B2
Publication (Announcement) Date: 2021-02-23
Application No.: US16146166
Application Date: 2018-09-28
Applicant: NEC Laboratories America, Inc., NEC Corporation
Inventor: Junghwan Rhee, Hongyu Li, Shuai Hao, Chung Hwan Kim, Zhenyu Wu, Zhichun Li, Kangkook Jee, Lauri Korts-Parn
Abstract: Systems and methods for an automotive security gateway include an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained to recognize secure local host behaviors. An out-of-gateway security system monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection to inspect packets of the network. A threat mitigation system issues threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors. Automotive security gateway services and vehicle electronic control units operate the vehicle devices according to the threat mitigation instructions.
-
Publication (Announcement) No.: US20200250308A1
Publication (Announcement) Date: 2020-08-06
Application No.: US16781366
Application Date: 2020-02-04
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Zhengzhang Chen, Xiao Yu
IPC: G06F21/55
Abstract: Methods and systems for security monitoring and response include assigning an anomaly score to each of a plurality of event paths that are stored in a first memory. Events that are cold, events that are older than a threshold, and events that are not part of a top-k anomalous path are identified. The identified events are evicted from the first memory to a second memory. A threat associated with events in the first memory is identified. A security action is performed responsive to the identified threat.
-
Publication (Announcement) No.: US20200042700A1
Publication (Announcement) Date: 2020-02-06
Application No.: US16507353
Application Date: 2019-07-10
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, Zhichun Li, Wajih Ul Hassan
IPC: G06F21/55
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.