Flexible edge-empowered graph convolutional networks with node-edge enhancement

    Publication No.: US11620492B2

    Publication date: 2023-04-04

    Application No.: US16998280

    Filing date: 2020-08-20

    Abstract: Systems and methods for predicting road conditions and traffic volume are provided. The method includes generating a graph of one or more road regions including a plurality of road intersections and a plurality of road segments, wherein the road intersections are represented as nodes and the road segments are represented as edges. The method can also include embedding the nodes from the graph into a node space, translating the edges of the graph into nodes of a line graph, and embedding the nodes of the line graph into the node space. The method can also include aligning the nodes from the line graph with the nodes from the graph, and optimizing the alignment, outputting a set of node and edge representations that predicts the traffic flow for each of the road segments and road intersections based on the optimized alignment of the nodes.

    Provenance-based threat detection tools and stealthy malware detection

    Publication No.: US11423146B2

    Publication date: 2022-08-23

    Application No.: US16991288

    Filing date: 2020-08-12

    Abstract: Systems and methods for a provenance based threat detection tool that builds a provenance graph including a plurality of paths using a processor device from provenance data obtained from one or more computer systems and/or networks; samples the provenance graph to form a plurality of linear sample paths, and calculates a regularity score for each of the plurality of linear sample paths using a processor device; selects a subset of linear sample paths from the plurality of linear sample paths based on the regularity score, and embeds each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device; detects anomalies in the embedded paths to identify malicious process activities, and terminates a process related to the embedded path having the identified malicious process activities.

    Path-based program lineage inference analysis

    Publication No.: US10853487B2

    Publication date: 2020-12-01

    Application No.: US16039993

    Filing date: 2018-07-19

    Abstract: Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.

    TRANSPARENT DETECTION AND EXTRACTION OF RETURN-ORIENTED-PROGRAMMING ATTACKS
    Invention application (status: in force)

    Publication No.: US20160034687A1

    Publication date: 2016-02-04

    Application No.: US14812634

    Filing date: 2015-07-29

    CPC classification number: G06F21/52 G06F21/554 G06F21/60 G06F2221/033

    Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

    System and Method for Network Packet Event Characterization and Analysis
    Invention application (status: in force)

    Publication No.: US20150180755A1

    Publication date: 2015-06-25

    Application No.: US14575013

    Filing date: 2014-12-18

    CPC classification number: H04L41/0631 H04L41/069 H04L41/14 H04L43/0858

    Abstract: A computer implemented method for network monitoring includes providing network packet event characterization and analysis for network monitoring that includes supporting summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including a trace slicing to organize individual packet events into path-based trace slices, a trace characterization to extract at least 2 types of feature matrix describing those trace slices, and a trace analysis to cluster, rank and query packet traces based on metrics of the feature matrix.

    TRANSPARENT PERFORMANCE INFERENCE OF WHOLE SOFTWARE LAYERS AND CONTEXT-SENSITIVE PERFORMANCE DEBUGGING
    Invention application (status: in force)

    Publication No.: US20150106794A1

    Publication date: 2015-04-16

    Application No.: US14512653

    Filing date: 2014-10-13

    CPC classification number: G06F11/3636 G06F11/3419

    Abstract: Methods and systems for performance inference include inferring an internal application status based on a unified call stack trace that includes both user and kernel information by inferring user function instances. A calling context encoding is generated that includes information regarding function calling paths. Application performance is analyzed based on the encoded calling contexts. The analysis includes performing a top-down latency breakdown and ranking calling contexts according to how costly each function calling path is.

    Graphics processing unit accelerated trusted execution environment

    Publication No.: US11295008B2

    Publication date: 2022-04-05

    Application No.: US16787610

    Filing date: 2020-02-11

    Abstract: Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor. Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device. The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application.

    PROTOCOL-INDEPENDENT ANOMALY DETECTION
    Invention application

    Publication No.: US20200059484A1

    Publication date: 2020-02-20

    Application No.: US16535521

    Filing date: 2019-08-08

    Abstract: A computer-implemented method for implementing protocol-independent anomaly detection within an industrial control system (ICS) includes implementing a detection stage, including performing byte filtering using a byte filtering model based on at least one new network packet associated with the ICS, performing horizontal detection to determine whether a horizontal constraint anomaly exists in the at least one network packet based on the byte filtering and a horizontal model, including analyzing constraints across different bytes of the at least one new network packet, performing message clustering based on the horizontal detection to generate first cluster information, and performing vertical detection to determine whether a vertical anomaly exists based on the first cluster information and a vertical model, including analyzing a temporal pattern of each byte of the at least one new network packet.
