公开(公告)号：US10289843B2

公开(公告)日：2019-05-14

申请号：US15479928

申请日：2017-04-05

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Zhichun Li ,  Zhenyu Wu ,  Kangkook Jee ,  Guofei Jiang

IPC: G06F21/56 ,  G06F11/36

Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.

公开(公告)号：US20190104108A1

公开(公告)日：2019-04-04

申请号：US16146166

申请日：2018-09-28

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Junghwan Rhee ,  Hongyu Li ,  Shuai Hao ,  Chung Hwan Kim ,  Zhenyu Wu ,  Zhichun Li ,  Kangkook Jee ,  Lauri Korts-Parn

IPC: H04L29/06

Abstract: Systems and methods for an automotive security gateway include an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained to recognize secure local host behaviors. An out-of-gateway security system monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection to inspect packets of the network. A threat mitigation system issues threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors. Automotive security gateway services and vehicle electronic control units operate the vehicle devices according to the threat mitigation instructions.

公开(公告)号：US20180336256A1

公开(公告)日：2018-11-22

申请号：US15979512

申请日：2018-05-15

Applicant: NEC Laboratories America, Inc.

Inventor： Ding Li ,  Kangkook Jee ,  Zhichun Li ,  Mu Zhang ,  Zhenyu Wu

IPC: G06F17/30

CPC classification number: G06F16/1744 ,  G06F3/0643 ,  G06F16/2246 ,  G06F16/2272 ,  G06F16/24568 ,  G06F16/25 ,  G06F16/258 ,  G06F16/9027 ,  G06F21/552 ,  G06F21/6218 ,  G06F2216/03 ,  G06F2221/2143 ,  G06K9/6219

Abstract: Systems and methods for data reduction including organizing data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified. A compressible file access template (CFAT) is generated corresponding to each of the path combinations. The data of the event stream is compressed with the CFATs to reduce the dependent features to special events representing the dependent features.

公开(公告)号：US09870485B2

公开(公告)日：2018-01-16

申请号：US14939366

申请日：2015-11-12

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Xusheng Xiao ,  Zhenyu Wu ,  Jianjun Huang ,  Guofei Jiang

IPC: G06F21/57 ,  G06F21/62

CPC classification number: G06F21/6245 ,  G06F21/577

Abstract: A system and method for detecting sensitive user input leakages in software applications, such as applications created for smartphone platforms. The system and method are configured to parse user interface layout files of the software application to identify input fields and obtain information concerning the input fields. Input fields that contain sensitive information are identified and a list of sensitive input fields, such as contextual IDs, is generated. The sensitive information fields are identified by reviewing the attributes, hints and/or text labels of the user interface layout file. A taint analysis is performed using the list of sensitive input fields and a sink dataset in order to detect information leaks in the sensitive input fields.

公开(公告)号：US20170244733A1

公开(公告)日：2017-08-24

申请号：US15416462

申请日：2017-01-26

Applicant: NEC Laboratories America, Inc.

Inventor： Zhenyu Wu ,  Zhichun Li ,  Jungwhan Rhee ,  Fengyuan Xu ,  Guofei Jiang ,  Kangkook Jee ,  Xusheng Xiao ,  Zhang Xu

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F21/55 ,  G06F21/552 ,  H04L63/1416

Abstract: Methods and systems for intrusion detection include determining a causality trace for a flagged event. Determining the causality trace includes identifying a hot process that generates bursts of events with interleaved dependencies, aggregating events related to the hot process according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process, and tracking causality in a reduced event stream that comprises the aggregated events. It is determined whether an intrusion has occurred based on the causality trace. One or more mitigation actions is performed if it is determined that an intrusion has occurred.

公开(公告)号：US20160105454A1

公开(公告)日：2016-04-14

申请号：US14879876

申请日：2015-10-09

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Zhenyu Wu ,  Zhiyun Qian ,  Guofei Jiang ,  Masoud Akhoondi ,  Markus Kusano

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/1416 ,  G06F17/30958 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.

Abstract translation: 入侵攻击恢复的方法和系统包括监控网络中的两个或多个主机以生成系统事件的审核日志。 基于审计日志生成一个或多个依赖关系图（DGraphs）。 确定DGraph的每个边缘的相关性得分。 修剪来自DGraphs的不相关事件，以生成一个浓缩回溯图。 原点是通过从浓缩回溯图中的攻击检测点进行回溯定位。

公开(公告)号：US11223649B2

公开(公告)日：2022-01-11

申请号：US16379024

申请日：2019-04-09

Applicant: NEC Laboratories America, Inc.

Inventor： Zhenyu Wu ,  Yue Li ,  Junghwan Rhee ,  Kangkook Jee ,  Zichun Li ,  Jumpei Kamimura ,  LuAn Tang ,  Zhengzhang Chen

IPC: H04L29/06 ,  G06F16/901 ,  G06F11/34

Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.

公开(公告)号：US10885185B2

公开(公告)日：2021-01-05

申请号：US16161564

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: H04L29/06 ,  G06F21/55 ,  H04L12/24 ,  G06F21/57

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

公开(公告)号：US20190121969A1

公开(公告)日：2019-04-25

申请号：US16161564

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

公开(公告)号：US20190050571A1

公开(公告)日：2019-02-14

申请号：US16040086

申请日：2018-07-19

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Jungwhan Rhee ,  Zhenyu Wu ,  Lauri Korts-Parn ,  Kangkook Jee ,  Zhichun Li ,  Omid Setayeshfar

IPC: G06F21/57 ,  G06F21/12 ,  G06F11/34 ,  G06F21/55 ,  G06F21/56 ,  H04L29/06

Abstract: Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.