公开(公告)号：WO2019217023A1

公开(公告)日：2019-11-14

申请号：PCT/US2019/026695

申请日：2019-04-10

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： WU, Zhenyu ,  LI, Yue ,  RHEE, Junghwan ,  JEE, Kangkook ,  LI, Zhichun ,  KAMIMURA, Jumpei ,  TANG, LuAn ,  CHEN, Zhengzhang

IPC: G06F21/56 ,  H04L29/06

Abstract: A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.

公开(公告)号：WO2018217259A3

公开(公告)日：2018-11-29

申请号：PCT/US2018/019829

申请日：2018-02-27

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： CHEN, Zhengzhang ,  TANG, LuAn ,  LI, Zhichun ,  CAO, Cheng

IPC: H04L12/24 ,  G06F21/55 ,  H04L29/06 ,  H04L12/26 ,  G06F17/18

Abstract: Systems and methods for determining a risk level of a host in a network include modeling (402) a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined (404). An anomaly score for the target host is determined (406) based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.

公开(公告)号：WO2018071356A1

公开(公告)日：2018-04-19

申请号：PCT/US2017/055826

申请日：2017-10-10

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  ZHANG, Hengtong ,  CHEN, Zhengzhang ,  ZONG, Bo ,  LI, Zhichun ,  JIANG, Guofei ,  YOSHIHIRA, Kenji

IPC: G06F21/55 ,  G06F21/60

CPC classification number: G06F21/554 ,  G06F21/55 ,  G06F21/60

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated (310) that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.

Abstract translation: 用于检测异常事件的方法和系统包括检测所监视的系统数据中的异常事件（42,43）。 基于监视的系统数据生成（302）事件关联图，表征过程访问系统目标的倾向。 通过根据恶意值对事件进行排序并确定事件相关内的至少一个子图，产生（310）从事件关联图中连接恶意事件的杀死链（310），所述事件关联图随时间表征攻击路径中的事件 图表具有高于阈值的恶意级别。 基于杀链来执行安全管理操作（412）。

公开(公告)号：WO2018071355A1

公开(公告)日：2018-04-19

申请号：PCT/US2017/055825

申请日：2017-10-10

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  ZHANG, Hengtong ,  CHEN, Zhengzhang ,  ZONG, Bo ,  LI, Zhichun ,  JIANG, Guofei ,  YOSHIHIRA, Kenji

IPC: G06F21/55 ,  G06F21/60

CPC classification number: G06F21/552 ,  G06F21/554

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42,43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, include an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.

Abstract translation: 用于检测异常事件的方法和系统包括检测监测到的系统数据中的异常事件（42,43）。 通过确定第一过程访问系统目标的趋势，包括第一过程访问系统目标的先天趋势，来自第一过程的先前事件的影响以及影响第一过程的影响来生成事件相关图（302） 除第一个过程以外的过程。 从事件关联图生成（310）杀死链，表征攻击路径随时间的事件。 基于杀链来执行安全管理操作（412）。

公开(公告)号：WO2017131899A1

公开(公告)日：2017-08-03

申请号：PCT/US2016/067737

申请日：2016-12-20

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XIAO, Xusheng ,  LI, Zhichun ,  XU, Fengyuan ,  GAO, Peng ,  JIANG, Guofei

IPC: G06F17/30

CPC classification number: G06F17/30469 ,  G06F11/30 ,  G06F17/30389 ,  G06F17/30421 ,  G06F17/30424 ,  G06F17/30486 ,  G06F17/30551 ,  G06F21/00 ,  G06F21/554

Abstract: Systems and a method are provided. A system includes a Temporal Behavior Query Language (TBQL) server having a processor and a memory operably coupled to the processor. The TBQL server configured to construct a TBQL query using a grammar inference technique based on syntactic sugar to expedite query construction. The TBQL server is further configured to execute the TBQL, query to generate TBQL query results.

Abstract translation:

提供了系统和方法。 一种系统包括具有处理器和可操作地耦合到处理器的存储器的时间行为查询语言（TBQL）服务器。 TBQL服务器配置为使用基于语法糖的语法推理技术来构建TBQL查询以加速查询构建。 TBQL服务器进一步配置为执行TBQL，查询以生成TBQL查询结果。

公开(公告)号：WO2020036850A1

公开(公告)日：2020-02-20

申请号：PCT/US2019/046112

申请日：2019-08-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： RHEE, Junghwan ,  TANG, LuAn ,  CHEN, Zhengzhang ,  KIM, Chung ,  LI, Zhichun ,  ZHOU, Ziqiao

IPC: G05B23/02 ,  G05B19/42 ,  G05B19/418

Abstract: A computer-implemented method for implementing protocol-independent anomaly detection within an industrial control system (ICS) includes implementing a detection stage (1400), including performing byte filtering using a byte filtering model based on at least one new network packet associated with the ICS (1430), performing horizontal detection to determine whether a horizontal constraint anomaly exists in the at least one network packet based on the byte filtering and a horizontal model (1440), including analyzing constraints across different bytes of the at least one new network packet, performing message clustering based on the horizontal detection to generate first cluster information (1450), and performing vertical detection to determine whether a vertical anomaly exists based on the first cluster information and a vertical model (1460), including analyzing a temporal pattern of each byte of the at least one new network packet.

公开(公告)号：WO2019084072A1

公开(公告)日：2019-05-02

申请号：PCT/US2018/057198

申请日：2018-10-24

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  CHEN, Zhengzhang ,  LI, Zhichun ,  WU, Zhenyu ,  KAMIMURA, Jumpei ,  CHEN, Haifeng

IPC: G06F21/55 ,  G06F21/57

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

公开(公告)号：WO2019032277A1

公开(公告)日：2019-02-14

申请号：PCT/US2018/043405

申请日：2018-07-24

Applicant: NEC LABORATORIES AMERICA, INC. ,  NEC CORPORATION

Inventor： RHEE, Junghwan ,  WU, Zhenyu ,  KORTS-PARN, Lauri ,  JEE, Kangkook ,  LI, Zhichun ,  SETAYESHFAR, Omid

IPC: G06F21/10 ,  G06F21/56 ,  G06F21/60

Abstract: Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.

公开(公告)号：WO2018213061A2

公开(公告)日：2018-11-22

申请号：PCT/US2018/031559

申请日：2018-05-08

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZHANG, Mu ,  JEE, Kangkook ,  LI, Zhichun ,  LI, Ding ,  WU, Zhenyu ,  RHEE, Junghwan

CPC classification number: G06F21/554 ,  G06F2221/034

Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

公开(公告)号：WO2017176673A1

公开(公告)日：2017-10-12

申请号：PCT/US2017/025843

申请日：2017-04-04

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  CHEN, Zhengzhang ,  JIANG, Guofei ,  LI, Zhichun ,  CHEN, Haifeng ,  YOSHIHIRA, Kenji

IPC: H04L29/06 ,  H04L12/26

Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.

Abstract translation: 用于报告异常事件的方法和系统包括构建对网络中的过程级事件的状态建模的过程图。 建立一个拓扑图，模拟网络中连接事件之间的源和目标关系。 基于过程图和拓扑图来聚集一组警报。 报告超过可信赖阈值级别的群集警报。