公开(公告)号：US10915626B2

公开(公告)日：2021-02-09

申请号：US16161769

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L29/06 ,  H04L12/24 ,  G06F21/57

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, and employing an alert interpretation module to interpret the alerts in real-time, the alert interpretation module including a process-star graph constructor for retrieving relationships from the streaming data to construct process-star graph models and an alert cause detector for analyzing the alerts based on the process-star graph models to determine an entity that causes an alert.

公开(公告)号：US10853487B2

公开(公告)日：2020-12-01

申请号：US16039993

申请日：2018-07-19

Applicant: NEC Laboratories America, Inc. ,  NEC Corporation

Inventor： Junghwan Rhee ,  Zhenyu Wu ,  Lauri Korts-Parn ,  Kangkook Jee ,  Zhichun Li ,  Omid Setayeshfar

IPC: G06F21/55 ,  G06F16/21 ,  G06F16/26 ,  G06F16/901 ,  G06F21/52 ,  G06F21/56 ,  H04L29/06

Abstract: Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.

公开(公告)号：US10733149B2

公开(公告)日：2020-08-04

申请号：US15979512

申请日：2018-05-15

Applicant: NEC Laboratories America, Inc.

Inventor： Ding Li ,  Kangkook Jee ,  Zhichun Li ,  Mu Zhang ,  Zhenyu Wu

IPC: G06F17/00 ,  G06F7/00 ,  G06F16/174 ,  G06F3/06 ,  G06K9/62 ,  G06F16/25 ,  G06F16/22 ,  G06F16/2455 ,  G06F21/62 ,  G06F16/901 ,  G06F21/55

Abstract: Systems and methods for data reduction including organizing data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified. A compressible file access template (CFAT) is generated corresponding to each of the path combinations. The data of the event stream is compressed with the CFATs to reduce the dependent features to special events representing the dependent features.

公开(公告)号：US10572661B2

公开(公告)日：2020-02-25

申请号：US15652796

申请日：2017-07-18

Applicant: NEC Laboratories America, Inc.

Inventor： Zhenyu Wu ,  Jungwhan Rhee ,  Yuseok Jeon ,  Zhichun Li ,  Kangkook Jee ,  Guofei Jiang

IPC: G06F12/14 ,  G06F21/55 ,  G06F21/56 ,  G06F21/57

Abstract: Methods and systems for security analysis include determining whether a process has an origin internal to a system or external to the system using a processor based on monitored behavior events associated with the process. A security analysis is performed on only processes that have an external origin to determine if any of the processes having an external origin represent a security threat. A security action is performed if a process having an external origin is determined to represent a security threat.

公开(公告)号：US20190121971A1

公开(公告)日：2019-04-25

申请号：US16161769

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, and employing an alert interpretation module to interpret the alerts in real-time, the alert interpretation module including a process-star graph constructor for retrieving relationships from the streaming data to construct process-star graph models and an alert cause detector for analyzing the alerts based on the process-star graph models to determine an entity that causes an alert.

公开(公告)号：US20190121970A1

公开(公告)日：2019-04-25

申请号：US16161701

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, employing an alert interpretation module to interpret the alerts in real-time, matching problematic entities to the streaming data, retrieving following events, and generating an aftermath graph on a visualization component.

公开(公告)号：US20180336218A1

公开(公告)日：2018-11-22

申请号：US15979514

申请日：2018-05-15

Applicant: NEC Laboratories America, Inc.

Inventor： Ding Li ,  Kangkook Jee ,  Zhichun Li ,  Mu Zhang ,  Zhenyu Wu

IPC: G06F17/30 ,  G06F3/06 ,  G06K9/62

Abstract: Systems and methods for mining and compressing commercial data including a network of point of sale devices to log commercial activity data including independent commercial events and corresponding dependent features. A middleware system is in communication with the network of point of sale devices to continuously collect and compress a stream of the commercial activity data and concurrently store the compressed commercial activity data. Compressing the stream includes a file access table corresponding to the commercial activity data, producing compressible file access templates (CFATs) according to frequent patterns of commercial activity data using the file access table, and replacing dependent feature sequences with a matching compressible file access template. A database is in communication with the middleware system to store the compressed commercial data. A commercial pattern analysis system is in communication with the database to determine patterns in commercial activities across the network of point of sale devices.

公开(公告)号：US20160283531A1

公开(公告)日：2016-09-29

申请号：US15063157

申请日：2016-03-07

Applicant: NEC Laboratories America, Inc.

Inventor： Xusheng Xiao ,  Zhichun Li ,  Zhenyu Wu ,  Fengyuan Xu ,  Guofei Jiang

IPC: G06F17/30

CPC classification number: G06F16/24568

Abstract: A data stream system includes one or more monitored machines generating real-time data stream that describes system activities of the monitored machines; a data stream management module receiving the real-time data stream; and a data stream archiving module coupled to the data stream management module, the data stream archiving module including a data stream receiver and a data stream inserter.

Abstract translation: 数据流系统包括生成实时数据流的一个或多个监视的机器，其描述被监视机器的系统活动; 接收实时数据流的数据流管理模块; 以及耦合到数据流管理模块的数据流存档模块，数据流存档模块包括数据流接收器和数据流插入器。

公开(公告)号：US20160132679A1

公开(公告)日：2016-05-12

申请号：US14939366

申请日：2015-11-12

Applicant: NEC Laboratories America, Inc.

Inventor： Zhichun Li ,  Xusheng Xiao ,  Zhenyu Wu ,  Jianjun Huang ,  Guofei Jiang

IPC: G06F21/55 ,  G06F17/27

CPC classification number: G06F21/6245 ,  G06F21/577

Abstract: A system and method for detecting sensitive user input leakages in software applications, such as applications created for smartphone platforms. The system and method are configured to parse user interface layout files of the software application to identify input fields and obtain information concerning the input fields. Input fields that contain sensitive information are identified and a list of sensitive input fields, such as contextual IDs, is generated. The sensitive information fields are identified by reviewing the attributes, hints and/or text labels of the user interface layout file. A taint analysis is performed using the list of sensitive input fields and a sink dataset in order to detect information leaks in the sensitive input fields.

Abstract translation: 用于检测软件应用程序中敏感的用户输入漏洞的系统和方法，例如为智能手机平台创建的应用程序。 系统和方法被配置为解析软件应用的用户界面布局文件以识别输入字段并获得关于输入字段的信息。 识别包含敏感信息的输入字段，并生成敏感输入字段（如上下文ID）的列表。 通过查看用户界面布局文件的属性，提示和/或文本标签来标识敏感信息字段。 使用敏感输入字段和接收器数据集列表执行污染分析，以便检测敏感输入字段中的信息泄漏。

公开(公告)号：US20160034687A1

公开(公告)日：2016-02-04

申请号：US14812634

申请日：2015-07-29

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Yangchun Fu ,  Zhenyu Wu ,  Hui Zhang ,  Zhichun Li ,  Guofei Jiang

IPC: G06F21/52 ,  G06F11/07 ,  G06F21/60

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 一种或多种应用中用于检测和预防面向对象编程（ROP）攻击的系统和方法，包括攻击检测设备和堆栈检测设备，用于执行堆栈检测以检测堆栈中的ROP小部件。 堆栈检查包括从堆叠顶部的堆叠框架朝向堆叠的底部行进的堆栈以检测一个或多个故障条件，确定是否存在有效堆栈帧和返回代码地址; 并且如果不存在有效的堆栈帧和返回码，则确定故障条件类型，其中III型故障条件指示ROP攻击。 使用遏制设备包含ROP攻击，并且使用攻击分析设备来分析ROP攻击期间在堆栈中检测到的ROP小部件。