公开(公告)号：US08875298B2

公开(公告)日：2014-10-28

申请号：US13768439

申请日：2013-02-15

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Long Lu ,  Zhenyu Wu ,  Guofei Jiang

IPC: G06F21/57 ,  G06F11/36 ,  G06F21/56

CPC classification number: G06F21/577 ,  G06F11/3604 ,  G06F21/562 ,  G06F2221/033

Abstract: A method for scalable analysis of Android applications for security includes applying Android application analytics to an Android application, which in turn includes applying an application taint tracking to the Android application and applying application repacking detection to the Android application, and determining security vulnerabilities in the Android application responsive to the analytics.

Abstract translation: Android应用程序的可扩展分析方法包括将Android应用程序分析应用于Android应用程序，Android应用程序分析应用程序将应用程序污染跟踪应用于Android应用程序，并将应用程序重新包装检测应用于Android应用程序，并确定Android中的安全漏洞 响应分析的应用程序。

公开(公告)号：US11030157B2

公开(公告)日：2021-06-08

申请号：US15979514

申请日：2018-05-15

Applicant: NEC Laboratories America, Inc.

Inventor： Ding Li ,  Kangkook Jee ,  Zhichun Li ,  Mu Zhang ,  Zhenyu Wu

IPC: G06F16/00 ,  G06F16/174 ,  G06F3/06 ,  G06K9/62 ,  G06F16/25 ,  G06F16/22 ,  G06F16/2455 ,  G06F21/62 ,  G06F16/901 ,  G06F21/55

Abstract: Systems and methods for mining and compressing commercial data including a network of point of sale devices to log commercial activity data including independent commercial events and corresponding dependent features. A middleware system is in communication with the network of point of sale devices to continuously collect and compress a stream of the commercial activity data and concurrently store the compressed commercial activity data. Compressing the stream includes a file access table corresponding to the commercial activity data, producing compressible file access templates (CFATs) according to frequent patterns of commercial activity data using the file access table, and replacing dependent feature sequences with a matching compressible file access template. A database is in communication with the middleware system to store the compressed commercial data. A commercial pattern analysis system is in communication with the database to determine patterns in commercial activities across the network of point of sale devices.

公开(公告)号：US10574674B2

公开(公告)日：2020-02-25

申请号：US15644018

申请日：2017-07-07

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Kangkook Jee ,  Zhichun Li ,  Guofei Jiang ,  Lauri Korts-Parn ,  Zhenyu Wu ,  Yixin Sun ,  Junghwan Rhee

IPC: H04L29/06 ,  H04L29/12

Abstract: A system and computer-implemented method are provided for host level detection of malicious Domain Name System (DNS) activities in a network environment having multiple end-hosts. The system includes a set of DNS resolver agents configured to (i) gather DNS activities from each of the multiple end-hosts by recording DNS queries and DNS responses corresponding to the DNS queries, and (ii) associate the DNS activities with Program Identifiers (PIDs) that identify programs that issued the DNS queries. The system further includes a backend server configured to detect one or more of the malicious DNS activities based on the gathered DNS activities and the PIDs.

公开(公告)号：US20190342330A1

公开(公告)日：2019-11-07

申请号：US16379024

申请日：2019-04-09

Applicant: NEC Laboratories America, Inc.

Inventor： Zhenyu Wu ,  Yue Li ,  Junghwan Rhee ,  Kangkook Jee ,  Zichun Li ,  Jumpei Kamimura ,  LuAn Tang ,  Zhengzhang Chen

IPC: H04L29/06 ,  G06F11/34 ,  G06F16/901

Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.

公开(公告)号：US20180336349A1

公开(公告)日：2018-11-22

申请号：US15972911

申请日：2018-05-07

Applicant: NEC Laboratories America, Inc.

Inventor： Mu Zhang ,  Kangkook Jee ,  Zhichun Li ,  Ding Li ,  Zhenyu Wu ,  Junghwan Rhee

IPC: G06F21/55

Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing, by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing, by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating, by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating, by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

公开(公告)号：US09904780B2

公开(公告)日：2018-02-27

申请号：US14812634

申请日：2015-07-29

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Yangchun Fu ,  Zhenyu Wu ,  Hui Zhang ,  Zhichun Li ,  Guofei Jiang

IPC: G06F21/52 ,  G06F21/60 ,  G06F21/55

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

公开(公告)号：US20160125094A1

公开(公告)日：2016-05-05

申请号：US14932799

申请日：2015-11-04

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Xusheng Xiao ,  Zhenyu Wu ,  Bo Zong ,  Guofei Jiang

IPC: G06F17/30

CPC classification number: G06F16/9024 ,  G06F21/552

Abstract: A method and system for constructing behavior queries in temporal graphs using discriminative sub-trace mining. The method includes generating system data logs to provide temporal graphs, wherein the temporal graphs include a first temporal graph corresponding to a target behavior and a second temporal graph corresponding to a set of background behaviors, generating temporal graph patterns for each of the first and second temporal graphs to determine whether a pattern exists between a first temporal graph pattern and a second temporal graph pattern, wherein the pattern between the temporal graph patterns is a non-repetitive graph pattern, pruning the pattern between the first and second temporal graph patterns to provide a discriminative temporal graph, and generating behavior queries based on the discriminative temporal graph.

Abstract translation: 一种使用区分性子跟踪挖掘在时间图中构建行为查询的方法和系统。 该方法包括生成系统数据日志以提供时间图，其中时间图包括对应于目标行为的第一时间图和对应于一组背景行为的第二时间图，为第一和第二 时间图以确定在第一时间图形图案和第二时间图形图案之间是否存在图案，其中时间图形图案之间的图案是非重复图形图案，修剪第一和第二时间图形图案之间的图案以提供 判别时间图，并基于辨别时间图生成行为查询。

公开(公告)号：US20140059690A1

公开(公告)日：2014-02-27

申请号：US13768439

申请日：2013-02-15

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Long Lu ,  Zhenyu Wu ,  Guofei Jiang

IPC: G06F21/57

CPC classification number: G06F21/577 ,  G06F11/3604 ,  G06F21/562 ,  G06F2221/033

Abstract: A method for scalable analysis of Android applications for security includes applying Android application analytics to an Android application, which in turn includes applying an application taint tracking to the Android application and applying application repacking detection to the Android application, and determining security vulnerabilities in the Android application responsive to the analytics.

Abstract translation: Android应用程序的可扩展分析方法包括将Android应用程序分析应用于Android应用程序，Android应用程序分析应用程序将应用程序污染跟踪应用于Android应用程序，并将应用程序重新包装检测应用于Android应用程序，并确定Android中的安全漏洞 响应分析的应用程序。

公开(公告)号：US10931635B2

公开(公告)日：2021-02-23

申请号：US16146166

申请日：2018-09-28

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Junghwan Rhee ,  Hongyu Li ,  Shuai Hao ,  Chung Hwan Kim ,  Zhenyu Wu ,  Zhichun Li ,  Kangkook Jee ,  Lauri Korts-Parn

IPC: H04L29/06 ,  G06N20/00 ,  H04W4/44 ,  H04W4/40 ,  H04W4/48 ,  H04L29/08

Abstract: Systems and methods for an automotive security gateway include an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained to recognize secure local host behaviors. An out-of-gateway security system monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection to inspect packets of the network. A threat mitigation system issues threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors. Automotive security gateway services and vehicle electronic control units operate the vehicle devices according to the threat mitigation instructions.

公开(公告)号：US10402564B2

公开(公告)日：2019-09-03

申请号：US15623589

申请日：2017-06-15

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Yuseok Jeon ,  Zhichun Li ,  Kangkook Jee ,  Zhenyu Wu ,  Guofei Jiang

IPC: G06F21/56 ,  G06F21/62 ,  G06F21/54 ,  G06F21/57

Abstract: A computer-implemented method for analyzing operations of privilege changes is presented. The computer-implemented method includes inputting a program and performing source code analysis on the program by generating a privilege control flow graph (PCFG), generating a privilege data flow graph (PDFG), and generating a privilege call context graph (PCCG). The computer-implemented method further includes, based on the source code analysis results, instrumenting the program to perform inspections on execution states at privilege change operations, and performing runtime inspection and anomaly prevention.