公开(公告)号：US10574674B2

公开(公告)日：2020-02-25

申请号：US15644018

申请日：2017-07-07

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Kangkook Jee ,  Zhichun Li ,  Guofei Jiang ,  Lauri Korts-Parn ,  Zhenyu Wu ,  Yixin Sun ,  Junghwan Rhee

IPC: H04L29/06 ,  H04L29/12

Abstract: A system and computer-implemented method are provided for host level detection of malicious Domain Name System (DNS) activities in a network environment having multiple end-hosts. The system includes a set of DNS resolver agents configured to (i) gather DNS activities from each of the multiple end-hosts by recording DNS queries and DNS responses corresponding to the DNS queries, and (ii) associate the DNS activities with Program Identifiers (PIDs) that identify programs that issued the DNS queries. The system further includes a backend server configured to detect one or more of the malicious DNS activities based on the gathered DNS activities and the PIDs.

公开(公告)号：US20190342330A1

公开(公告)日：2019-11-07

申请号：US16379024

申请日：2019-04-09

Applicant: NEC Laboratories America, Inc.

Inventor： Zhenyu Wu ,  Yue Li ,  Junghwan Rhee ,  Kangkook Jee ,  Zichun Li ,  Jumpei Kamimura ,  LuAn Tang ,  Zhengzhang Chen

IPC: H04L29/06 ,  G06F11/34 ,  G06F16/901

Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.

公开(公告)号：US20180336349A1

公开(公告)日：2018-11-22

申请号：US15972911

申请日：2018-05-07

Applicant: NEC Laboratories America, Inc.

Inventor： Mu Zhang ,  Kangkook Jee ,  Zhichun Li ,  Ding Li ,  Zhenyu Wu ,  Junghwan Rhee

IPC: G06F21/55

Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing, by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing, by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating, by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating, by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

公开(公告)号：US09904780B2

公开(公告)日：2018-02-27

申请号：US14812634

申请日：2015-07-29

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Yangchun Fu ,  Zhenyu Wu ,  Hui Zhang ,  Zhichun Li ,  Guofei Jiang

IPC: G06F21/52 ,  G06F21/60 ,  G06F21/55

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

公开(公告)号：US09736064B2

公开(公告)日：2017-08-15

申请号：US14571778

申请日：2014-12-16

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Behnaz Arzani ,  Franjo Ivancic ,  Junghwan Rhee ,  Nipun Arora ,  Guofei Jiang

IPC: H04L12/717 ,  H04L12/701 ,  H04L12/841

CPC classification number: H04L45/42 ,  H04L41/12 ,  H04L41/145 ,  H04L43/0864 ,  H04L43/106 ,  H04L45/00 ,  H04L45/64 ,  H04L47/283

Abstract: Methods and systems for finding a packet's routing path in a network includes intercepting control messages sent by a controller to one or more switches in a software defined network (SDN). A state of the SDN at a requested time is emulated and one or more possible routing paths through the emulated SDN is identified by replaying the intercepted control messages to one or more emulated switches in the emulated SDN. The one or more possible routing paths correspond to a requested packet injected into the SDN at the requested time.

公开(公告)号：US09602338B2

公开(公告)日：2017-03-21

申请号：US14575013

申请日：2014-12-18

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Junghwan Rhee ,  Nipun Arora ,  Cristian Lumezanu ,  Guofei Jiang

IPC: H04L12/26 ,  H04L12/24

CPC classification number: H04L41/0631 ,  H04L41/069 ,  H04L41/14 ,  H04L43/0858

Abstract: A computer implemented method for network monitoring includes providing network packet event characterization and analysis for network monitoring that includes supporting summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including a trace slicing to organize individual packet events into path-based trace slices, a trace characterization to extract at least 2 types of feature matrix describing those trace slices, and a trace analysis to cluster, rank and query packet traces based on metrics of the feature matrix.

公开(公告)号：US09367428B2

公开(公告)日：2016-06-14

申请号：US14512653

申请日：2014-10-13

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Hui Zhang ,  Nipun Arora ,  Guofei Jiang ,  Chung Hwan Kim

IPC: G06F11/36 ,  G06F9/44

CPC classification number: G06F11/3636 ,  G06F11/3419

Abstract: Methods and systems for performance inference include inferring an internal application status based on a unified call stack trace that includes both user and kernel information by inferring user function instances. A calling context encoding is generated that includes information regarding function calling paths. Application performance is analyzed based on the encoded calling contexts. The analysis includes performing a top-down latency breakdown and ranking calling contexts according to how costly each function calling path is.

Abstract translation: 用于性能推理的方法和系统包括通过推断用户功能实例来推断基于包括用户和内核信息的统一调用堆栈跟踪的内部应用程序状态。 生成包含有关函数调用路径的信息的调用上下文编码。 基于编码的呼叫上下文来分析应用性能。 分析包括根据每个功能调用路径的代价昂贵地执行自上而下的延迟故障和排序呼叫上下文。

公开(公告)号：US20150281076A1

公开(公告)日：2015-10-01

申请号：US14665069

申请日：2015-03-23

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Cristian Lumezanu ,  Junghwan Rhee ,  Nipun Arora ,  Qiang Xu ,  Guofei Jiang

IPC: H04L12/741 ,  H04L12/721 ,  H04L12/801 ,  H04L12/947

CPC classification number: H04L45/02 ,  H04L43/12 ,  H04L45/64 ,  H04L45/70

Abstract: A computer implemented method for network monitoring includes providing network packet event characterization and analysis for network monitoring that includes supporting summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including a trace slicing to organize individual packet events into path-based trace slices, a trace characterization to extract at least 2 types of feature matrix describing those trace slices, and a trace analysis to cluster, rank and query packet traces based on metrics of the feature matrix.

Abstract translation: 一种用于网络监测的计算机实现方法包括为网络监测提供网络分组事件表征和分析，其包括支持在虚拟网络中跨越不同类型的多个处理元件收集的网络分组跟踪的概括和表征，包括用于组织各个分组事件的跟踪分片 基于路径的跟踪切片，提取描述这些跟踪切片的至少2种类型的特征矩阵的跟踪表征，以及基于特征矩阵的度量的集群，排序和查询分组跟踪的跟踪分析。

公开(公告)号：US20150278069A1

公开(公告)日：2015-10-01

申请号：US14665519

申请日：2015-03-23

Applicant: NEC Laboratories America, Inc.

Inventor： Nipun Arora ,  Junghwan Rhee ,  Hui Zhang ,  Guofei Jiang

IPC: G06F11/34

CPC classification number: G06F11/3466

Abstract: The present invention enables capturing API level calls using a combination of dynamic instrumentation and library overriding. The invention allows event level tracing of API function calls and returns, and is able to generate an execution trace. The instrumentation is lightweight and relies on dynamic library/shared library linking mechanisms in most operating systems. Hence we need no source code modification or binary injection. The tool can be used to capture parameter values, and return values, which can be used to correlate traces across API function calls to generate transaction flow logic.

Abstract translation: 本发明可以使用动态检测和库重写的组合捕获API级别调用。 本发明允许API函数调用和返回的事件级别跟踪，并且能够生成执行跟踪。 该仪器是轻量级的，并且依赖于大多数操作系统中的动态库/共享库链接机制。 因此，我们不需要源代码修改或二进制注入。 该工具可用于捕获参数值和返回值，可用于将API函数调用之间的跟踪相关联，以生成事务流逻辑。

公开(公告)号：US20150172185A1

公开(公告)日：2015-06-18

申请号：US14571778

申请日：2014-12-16

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Behnaz Arzani ,  Franjo Ivancic ,  Junghwan Rhee ,  Nipun Arora ,  Guofei Jiang

IPC: H04L12/721

CPC classification number: H04L45/42 ,  H04L41/12 ,  H04L41/145 ,  H04L43/0864 ,  H04L43/106 ,  H04L45/00 ,  H04L45/64 ,  H04L47/283

Abstract: Methods and systems for finding a packet's routing path in a network includes intercepting control messages sent by a controller to one or more switches in a software defined network (SDN). A state of the SDN at a requested time is emulated and one or more possible routing paths through the emulated SDN is identified by replaying the intercepted control messages to one or more emulated switches in the emulated SDN. The one or more possible routing paths correspond to a requested packet injected into the SDN at the requested time.

Abstract translation: 用于在网络中找到分组的路由路径的方法和系统包括将由控制器发送的控制消息拦截在软件定义网络（SDN）中的一个或多个交换机上。 仿真在请求时间的SDN的状态，并且通过在被仿真的SDN中重放被拦截的控制消息给一个或多个仿真的交换机来识别通过仿真的SDN的一个或多个可能的路由路径。 一个或多个可能的路由路径对应于在请求的时间内注入到SDN中的请求的分组。