-
Publication number: US10402564B2
Publication date: 2019-09-03
Application number: US15623589
Application date: 2017-06-15
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee, Yuseok Jeon, Zhichun Li, Kangkook Jee, Zhenyu Wu, Guofei Jiang
Abstract: A computer-implemented method for analyzing operations of privilege changes is presented. The computer-implemented method includes inputting a program and performing source code analysis on the program by generating a privilege control flow graph (PCFG), generating a privilege data flow graph (PDFG), and generating a privilege call context graph (PCCG). The computer-implemented method further includes, based on the source code analysis results, instrumenting the program to perform inspections on execution states at privilege change operations, and performing runtime inspection and anomaly prevention.
-
Publication number: US10289843B2
Publication date: 2019-05-14
Application number: US15479928
Application date: 2017-04-05
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee, Zhichun Li, Zhenyu Wu, Kangkook Jee, Guofei Jiang
Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.
-
Publication number: US20190104108A1
Publication date: 2019-04-04
Application number: US16146166
Application date: 2018-09-28
Applicant: NEC Laboratories America, Inc., NEC Corporation
Inventor: Junghwan Rhee, Hongyu Li, Shuai Hao, Chung Hwan Kim, Zhenyu Wu, Zhichun Li, Kangkook Jee, Lauri Korts-Parn
IPC: H04L29/06
Abstract: Systems and methods for an automotive security gateway include an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained to recognize secure local host behaviors. An out-of-gateway security system monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection to inspect packets of the network. A threat mitigation system issues threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors. Automotive security gateway services and vehicle electronic control units operate the vehicle devices according to the threat mitigation instructions.
-
Publication number: US20180336256A1
Publication date: 2018-11-22
Application number: US15979512
Application date: 2018-05-15
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhichun Li, Mu Zhang, Zhenyu Wu
IPC: G06F17/30
CPC classification number: G06F16/1744, G06F3/0643, G06F16/2246, G06F16/2272, G06F16/24568, G06F16/25, G06F16/258, G06F16/9027, G06F21/552, G06F21/6218, G06F2216/03, G06F2221/2143, G06K9/6219
Abstract: Systems and methods for data reduction including organizing data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified. A compressible file access template (CFAT) is generated corresponding to each of the path combinations. The data of the event stream is compressed with the CFATs to reduce the dependent features to special events representing the dependent features.
-
Publication number: US20170244733A1
Publication date: 2017-08-24
Application number: US15416462
Application date: 2017-01-26
Applicant: NEC Laboratories America, Inc.
Inventor: Zhenyu Wu, Zhichun Li, Jungwhan Rhee, Fengyuan Xu, Guofei Jiang, Kangkook Jee, Xusheng Xiao, Zhang Xu
IPC: H04L29/06
CPC classification number: H04L63/1425, G06F21/55, G06F21/552, H04L63/1416
Abstract: Methods and systems for intrusion detection include determining a causality trace for a flagged event. Determining the causality trace includes identifying a hot process that generates bursts of events with interleaved dependencies, aggregating events related to the hot process according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process, and tracking causality in a reduced event stream that comprises the aggregated events. It is determined whether an intrusion has occurred based on the causality trace. One or more mitigation actions is performed if it is determined that an intrusion has occurred.
-
Publication number: US11295008B2
Publication date: 2022-04-05
Application number: US16787610
Application date: 2020-02-11
Applicant: NEC Laboratories America, Inc.
Inventor: Chung Hwan Kim, Junghwan Rhee, Kangkook Jee, Zhichun Li, Adil Ahmad, Haifeng Chen
Abstract: Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor. Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device. The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application.
-
Publication number: US11223649B2
Publication date: 2022-01-11
Application number: US16379024
Application date: 2019-04-09
Applicant: NEC Laboratories America, Inc.
Inventor: Zhenyu Wu, Yue Li, Junghwan Rhee, Kangkook Jee, Zichun Li, Jumpei Kamimura, LuAn Tang, Zhengzhang Chen
IPC: H04L29/06, G06F16/901, G06F11/34
Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
-
Publication number: US11194906B2
Publication date: 2021-12-07
Application number: US16507353
Application date: 2019-07-10
Applicant: NEC Laboratories America, Inc.
Inventor: Ding Li, Kangkook Jee, Zhengzhang Chen, Zhichun Li, Wajih Ul Hassan
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.
-
Publication number: US20190050571A1
Publication date: 2019-02-14
Application number: US16040086
Application date: 2018-07-19
Applicant: NEC Laboratories America, Inc., NEC Corporation
Inventor: Jungwhan Rhee, Zhenyu Wu, Lauri Korts-Parn, Kangkook Jee, Zhichun Li, Omid Setayeshfar
Abstract: Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.
-
Publication number: US20190050562A1
Publication date: 2019-02-14
Application number: US16039993
Application date: 2018-07-19
Applicant: NEC Laboratories America, Inc., NEC Corporation
Inventor: Junghwan Rhee, Zhenyu Wu, Lauri Korts-Parn, Kangkook Jee, Zhichun Li, Omid Setayeshfar
Abstract: Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.