Abstract:
A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes: receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification; parsing, by the processor, the TDL query using a language parser; executing, by the processor, a tracking analysis based on the parsed TDL query; generating, by the processor, a tracking graph by cleaning a result of the tracking analysis; and outputting, by the processor and via an interface, query results based on the tracking graph.
Abstract:
Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.