Publication number: US11741220B2
Publication date: 2023-08-29
Application number: US17398514
Filing date: 2021-08-10
Applicant: NEC Laboratories America, Inc.
Inventor: Xiao Yu , Haifeng Chen , Fei Zuo
IPC: G06F21/52 , G06F16/2458 , G06N5/022 , G06F21/55 , G06F9/54
CPC classification number: G06F21/52 , G06F9/547 , G06F16/2465 , G06F21/55 , G06N5/022 , G06F2221/033
Abstract: A computer-implemented method is provided for computer intrusion detection. The method includes establishing a mapping from low-level system calls to user functions in computer programs, where the user functions run in the user space of an operating system. The method further includes identifying, using a search algorithm that takes as input the mapping and a system-call trace captured at runtime, which user functions trigger the low-level system calls in the trace. The method further includes performing, by a processor device, intrusion detection on a provenance graph with program contexts. The nodes of the provenance graph are formed from the user functions that trigger the system calls in the trace, and its edges carry labels describing high-level system operations, so that detection is based on correlating low-level system calls with high-level system operations.
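The abstract describes three steps: a static mapping from user functions to the system calls they can trigger, a search that attributes a runtime trace to those functions, and detection over a provenance graph whose edges carry high-level operation labels. The following is an added illustration, not the patent's code or NEC's implementation: the mapping, the label table, the two traces and the benign baseline are all constructed, and the search is a simple dynamic-programming segmentation chosen for the example (the patent does not specify this algorithm). Program context is what lets it disambiguate a shared syscall such as `close`, and it reports syscalls no user function can explain as their own placeholder node.

```python
"""Added example: attribute a syscall trace to user-space functions, build a
labelled provenance graph, and flag runs that break the benign correlation.
Everything here (functions, syscall sets, traces, labels) is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping, as a static call-graph analysis of a hypothetical program
# would produce: user function -> system calls reachable from it.
MAPPING: Dict[str, Set[str]] = {
    "load_config":  {"openat", "read", "close"},
    "fetch_update": {"socket", "connect", "sendto", "recvfrom", "openat", "write", "close"},
    "write_cache":  {"openat", "write", "close"},
    "run_helper":   {"fork", "execve"},
}
UNMAPPED = "<unmapped>"  # placeholder node for syscalls no user function explains

# Constructed label table: (syscall, object kind) -> high-level system operation.
HIGH_LEVEL_OP: Dict[Tuple[str, str], str] = {
    ("openat", "file"): "file_open", ("read", "file"): "file_read",
    ("write", "file"): "file_write", ("connect", "socket"): "net_connect",
    ("sendto", "socket"): "net_send", ("recvfrom", "socket"): "net_recv",
    ("fork", "process"): "proc_spawn", ("execve", "process"): "proc_exec",
    ("mprotect", "memory"): "mem_protect",
}


@dataclass(frozen=True)
class Event:
    syscall: str
    kind: str = ""    # "file", "socket", "process", "memory", or "" for no object
    target: str = ""  # path, peer address, program, or memory region


Run = Tuple[str, int, int]          # (user function, start, end) with end exclusive
Edge = Tuple[str, str, str]         # (user function, high-level operation, target)


def segment_trace(trace: List[Event], mapping: Dict[str, Set[str]] = MAPPING) -> List[Run]:
    """Search step: split the trace into the fewest contiguous runs such that every
    syscall in a run is reachable from one user function (dynamic programming over
    trace positions). A syscall reachable from no function becomes its own
    UNMAPPED run; ties between functions are broken by name for determinism."""
    n = len(trace)
    best: List[float] = [float("inf")] * (n + 1)          # min runs covering trace[:i]
    choice: List[Optional[Tuple[str, int]]] = [None] * (n + 1)
    best[0] = 0
    for end in range(1, n + 1):
        if not any(trace[end - 1].syscall in calls for calls in mapping.values()):
            best[end], choice[end] = best[end - 1] + 1, (UNMAPPED, end - 1)
            continue
        candidates = set(mapping)
        for start in range(end - 1, -1, -1):      # grow the run backwards
            candidates = {f for f in candidates if trace[start].syscall in mapping[f]}
            if not candidates:
                break
            if best[start] + 1 < best[end]:
                best[end], choice[end] = best[start] + 1, (min(candidates), start)
    runs: List[Run] = []
    i = n
    while i > 0:
        func, start = choice[i]
        runs.append((func, start, i))
        i = start
    return runs[::-1]


def provenance_edges(trace: List[Event], runs: List[Run]) -> List[Edge]:
    """Graph step: each labelled syscall becomes an edge from the attributed user
    function to the object it touched. Unlabelled syscalls (socket, close) add no
    edge but still took part in the segmentation above."""
    return [(func, op, ev.target)
            for func, start, end in runs
            for ev in trace[start:end]
            if (op := HIGH_LEVEL_OP.get((ev.syscall, ev.kind)))]


def run_profiles(trace: List[Event], runs: List[Run]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Per run: the user function and the ordered high-level operations it performed."""
    return [(func, tuple(op for _, op, _ in provenance_edges(trace, [(func, start, end)])))
            for func, start, end in runs]


def detect(trace: List[Event], baseline: Set[Tuple[str, Tuple[str, ...]]]):
    """Detection step: flag any UNMAPPED run and any (function, operation sequence)
    pair the benign baseline never showed, i.e. low-level syscalls that do not
    correlate with a high-level operation this function is known to perform."""
    profiles = run_profiles(trace, segment_trace(trace))
    return [p for p in profiles if p[0] == UNMAPPED or p not in baseline]


# Constructed benign trace: read config, download an update, cache it, spawn helper.
BENIGN_TRACE = [
    Event("openat", "file", "/etc/app.conf"), Event("read", "file", "/etc/app.conf"), Event("close"),
    Event("socket"), Event("connect", "socket", "203.0.113.5:443"),
    Event("recvfrom", "socket", "203.0.113.5:443"),
    Event("openat", "file", "/var/cache/app/update.bin"),
    Event("write", "file", "/var/cache/app/update.bin"), Event("close"),
    Event("fork", "process", "app"), Event("execve", "process", "/usr/bin/app-helper"),
]
# Constructed attack trace: the config parser is exploited; injected code makes the
# stack executable, opens a reverse connection and execs a shell without fork.
ATTACK_TRACE = [
    Event("openat", "file", "/etc/app.conf"), Event("read", "file", "/etc/app.conf"),
    Event("mprotect", "memory", "stack"), Event("socket"),
    Event("connect", "socket", "198.51.100.7:4444"), Event("sendto", "socket", "198.51.100.7:4444"),
    Event("execve", "process", "/bin/sh"),
]
BASELINE = set(run_profiles(BENIGN_TRACE, segment_trace(BENIGN_TRACE)))

if __name__ == "__main__":
    for alert in detect(ATTACK_TRACE, BASELINE):
        print("alert:", alert)
```

On the benign trace the segmentation attributes the first `close` to `load_config` and the second to `fetch_update` purely from the surrounding calls, which is the program context the abstract refers to. On the attack trace `mprotect` is reachable from no user function and is reported on its own, `fetch_update` is seen connecting and sending without ever receiving, and `run_helper` executes without the `fork` that always precedes it in the baseline; a detector looking only at individual syscalls would have accepted the `connect` and `execve` as normal for this program.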