Abstract:
A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
Abstract:
A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.
Abstract:
Methods and systems for detecting anomalous communications include simulating a network graph based on community and role labels of each node in the network graph based on one or more linking rules. The community and role labels of each node are adjusted based on differences between the simulated network graph and a true network graph. The simulation and adjustment are repeated until the simulated network graph converges to the true network graph to determine a final set of community and role labels. It is determined whether a network communication is anomalous based on the final set of community and role labels.
Abstract:
A method for vehicle fault detection is provided. The method includes training (810), by a cloud module controlled by a processor device, an entity-shared modular and a shared modular connection controller. The entity-shared modular stores common knowledge for a transfer scope, and is formed from a set of sub-networks which are dynamically assembled for different target entities of a vehicle by the shared modular connection controller. The method further includes training (820), by an edge module controlled by another processor device, an entity-specific decoder and an entity-specific connection controller. The entity-specific decoder is for filtering entity-specific information from the common knowledge in the entity-shared modular by dynamically assembling the set of sub-networks in a manner decided by the entity-specific connection controller.
Abstract:
A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
Abstract:
Systems and methods for determining a risk level of a host in a network include modeling (402) a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined (404). An anomaly score for the target host is determined (406) based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.
Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated (310) that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.
Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.
Abstract:
Systems and methods are provided for acquiring data from an input signal using multitask regression. The method includes: receiving the input signal, the input signal including data that includes a plurality of features; determining at least two computational tasks to analyze within the input signal; regularizing all of the at least two tasks using shared adaptive weights; performing a multitask regression on the input signal to create a solution path for all of the at least two tasks, wherein the multitask regression includes updating a model coefficient and a regularization weight together under an equality norm constraint until convergence is reached, and updating the model coefficient and regularization weight together under an updated equality norm constraint that has a greater l1-penalty than the previous equality norm constraint until convergence is reached; selecting a sparse model from the solution path; constructing an image using the sparse model; and displaying the image.
Abstract:
Methods and systems for detecting and responding to an anomaly include determining (404) a first system-level performance prediction using system-level statistics. A second system-level performance prediction is determined (406) using system-level statistics and service-level statistics. The first prediction is compared (408) to the second prediction to identify a discrepancy. It is determined (308) that a service corresponding to the service-level statistics is a cause of a detected failure in a distributed computing system. An action directed to the service is performed (310) responsive to the detected failure.