-
Publication (Announcement) No.: US20220116782A1
Publication (Announcement) Date: 2022-04-14
Application No.: US17495391
Filing Date: 2021-10-06
Inventor: Mashael Al Sabah, Mohamed Nabeel, Euijin Choo, Issa M Khalil, Ting Yu, Wei Wang
IPC: H04W12/121, G06F16/901, H04W12/30
Abstract: A system is provided for identifying compromised mobile devices from a network administrator's point of view. The provided system utilizes a graph-based inference approach that leverages an assumed correlation that devices sharing a similar set of installed applications will have a similar probability of being compromised. Stated differently, the provided system determines whether a given unknown device is compromised or not by analyzing its connections to known devices. Such connections are generated from a small set of known compromised mobile devices and the network traffic data of mobile devices collected by a service provider or network administrator. The proposed system is accordingly able to reliably detect unknown compromised devices without relying on device-specific features.
-
Publication (Announcement) No.: US11991196B2
Publication (Announcement) Date: 2024-05-21
Application No.: US17685687
Filing Date: 2022-03-03
Inventor: Issa M. Khalil, Ting Yu, Eui J. Choo, Lun-Pin Yuan, Sencun Zhu
IPC: H04L9/40
CPC classification number: H04L63/1425, H04L63/0876
Abstract: Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list.
-
Publication (Announcement) No.: US20220201036A1
Publication (Announcement) Date: 2022-06-23
Application No.: US17558986
Filing Date: 2021-12-22
Inventor: Mohamed Nabeel, Issa M. Khalil, Ting Yu
IPC: H04L9/40, H04L61/4511, G06K9/62
Abstract: The present application provides a system for detecting brand squatting domains with a three-stage detection pipeline having three different classifiers. The provided system helps predict whether an unknown domain will be malicious. The first classifier detects abusive brand squatting domains, such as those that impersonate exact popular brand names, as soon as the domains are registered. The second classifier detects abusive brand squatting domains when hosting information becomes available, in combination with the information available for the first classifier. The third classifier detects abusive brand squatting domains when certificate information associated with domains is available, in combination with the information available for the first and second classifiers. The performance of each classifier improves from the first to the second to the third with the first classifier making determinations with the least information and the third classifier making determinations with the most information.
-
Publication (Announcement) No.: US20220103498A1
Publication (Announcement) Date: 2022-03-31
Application No.: US17490252
Filing Date: 2021-09-30
Applicant: Qatar Foundation for Education, Science and Community Development , Stevens Institute of Technology
Inventor: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
-
Publication (Announcement) No.: US11784953B2
Publication (Announcement) Date: 2023-10-10
Application No.: US18103046
Filing Date: 2023-01-30
Applicant: Qatar Foundation for Education, Science and Community Development , Stevens Institute of Technology
Inventor: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
IPC: H04L51/212, H04L51/23, G06N20/00, G06F18/22
CPC classification number: H04L51/212, G06F18/22, G06N20/00, H04L51/23
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
-
Publication (Announcement) No.: US20230205884A1
Publication (Announcement) Date: 2023-06-29
Application No.: US18087290
Filing Date: 2022-12-22
Inventor: Mohamed Nabeel, Saravanan Thirumuruganathan, Euijin Choo, Issa M. Khalil, Ting Yu
IPC: G06F21/56
CPC classification number: G06F21/566, G06F2221/034
Abstract: Generating high-quality threat intelligence from aggregated threat reports is provided via developing a generative model that identifies relationships between a plurality of threat assessment scanners; pre-training a plurality of individual encoders based on a corresponding plurality of pretext tasks and the generative model; combining the individual encoders into a pre-trained encoder; fine-tuning the pre-trained encoder using threat data; and marking a candidate threat, as evaluated via the pre-trained encoder as fine-tuned, as one of benign or malicious.
-
Publication (Announcement) No.: US20220286472A1
Publication (Announcement) Date: 2022-09-08
Application No.: US17685687
Filing Date: 2022-03-03
Inventor: Issa M. Khalil, Ting Yu, Eui J. Choo, Lun-Pin Yuan, Sencun Zhu
IPC: H04L9/40
Abstract: Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list.
-
Publication (Announcement) No.: US20200382533A1
Publication (Announcement) Date: 2020-12-03
Application No.: US16426477
Filing Date: 2019-05-30
Inventor: Mohamed Nabeel, Issa M. Khalil, Ting Yu, Eui J. Choo
Abstract: The presently disclosed method and system exploit information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associating each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph in real time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.
-
Publication (Announcement) No.: US11570132B2
Publication (Announcement) Date: 2023-01-31
Application No.: US17490252
Filing Date: 2021-09-30
Applicant: Qatar Foundation for Education, Science and Community Development , Stevens Institute of Technology
Inventor: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
IPC: H04L51/212, H04L51/23, G06N20/00, G06K9/62
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
-
Publication (Announcement) No.: US20250111049A1
Publication (Announcement) Date: 2025-04-03
Application No.: US18903354
Filing Date: 2024-10-01
Inventor: Issa M. Khalil, Ting Yu, Dorde Popovic, Mohammad Amin Sadeghi, Sanjay Chawla
IPC: G06F21/56
Abstract: Example systems, methods, and apparatus are disclosed herein for zero-shot black-box detection of neural Trojans.
-