公开(公告)号：WO2017142692A1

公开(公告)日：2017-08-24

申请号：PCT/US2017/015267

申请日：2017-01-27

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： WU, Zhenyu ,  LI, Zhichun ,  RHEE, Junghwan ,  XU, Fengyuan ,  JIANG, Guofei ,  JEE, Kangkook ,  XIAO, Xusheng ,  XU, Zhang

IPC: G06F11/30 ,  G06F21/56

CPC classification number: G06F11/30 ,  G06F21/552

Abstract: Methods and systems for dependency tracking include identifying a hot process that generates bursts of events with interleaved dependencies. Events related to the hot process are aggregated according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process. Causality in a reduced event stream that comprises the aggregated events is tracked.

Abstract translation: 用于依赖关系跟踪的方法和系统包括识别产生具有交织相依性的事件突发的热进程。 与热进程相关的事件根据以进程为中心的依赖近似进行聚合，忽略与热进程相关的事件之间的依赖关系。 跟踪包含汇总事件的简化事件流中的因果关系。

公开(公告)号：WO2016019104A1

公开(公告)日：2016-02-04

申请号：PCT/US2015/042824

申请日：2015-07-30

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： RHEE, Junghwan ,  FU, Yangchun ,  WU, Zhenyu ,  ZHANG, Hui ,  LI, Zhichun ,  JIANG, Guofei

IPC: G06F21/56 ,  G06F21/50

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 一种或多种应用中用于检测和预防面向对象编程（ROP）攻击的系统和方法，包括攻击检测设备和堆栈检测设备，用于执行堆栈检测以检测堆栈中的ROP小部件。 堆栈检查包括从堆叠顶部的堆叠框架朝向堆叠的底部行进的栈以检测一个或多个故障条件，确定是否存在有效的堆栈帧和返回代码地址; 并且如果不存在有效的堆栈帧和返回码，则确定故障条件类型，其中III型故障条件指示ROP攻击。 使用遏制设备包含ROP攻击，并且使用攻击分析设备来分析ROP攻击期间在堆栈中检测到的ROP小部件。

公开(公告)号：WO2020028008A1

公开(公告)日：2020-02-06

申请号：PCT/US2019/041514

申请日：2019-07-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Ding ,  JEE, Kangkook ,  CHEN, Zhengzhang ,  LI, Zhichun ,  HASSAN, Wajih Ul

IPC: G06F21/55 ,  G06F21/57

Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.

公开(公告)号：WO2019032502A1

公开(公告)日：2019-02-14

申请号：PCT/US2018/045493

申请日：2018-08-07

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： CHEN, Zhengzhang ,  TANG, LuAn ,  LI, Zhichun ,  LUO, Chen

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1425 ,  G06N5/003 ,  G06N5/022 ,  G06N20/00

Abstract: A computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning is presented. The computer-implemented method includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.

公开(公告)号：WO2018217259A2

公开(公告)日：2018-11-29

申请号：PCT/US2018/019829

申请日：2018-02-27

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： CHEN, Zhengzhang ,  TANG, LuAn ,  LI, Zhichun ,  CAO, Cheng

IPC: H04L12/24 ,  G06F21/55 ,  H04L29/06 ,  H04L12/26 ,  G06F17/18

CPC classification number: H04L63/1425 ,  G06F21/552 ,  G06K9/00496 ,  G06K2009/00738

Abstract: Systems and methods for determining a risk level of a host in a network include modeling (402) a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined (404). An anomaly score for the target host is determined (406) based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.

公开(公告)号：WO2018213061A3

公开(公告)日：2018-11-22

申请号：PCT/US2018/031559

申请日：2018-05-08

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZHANG, Mu ,  JEE, Kangkook ,  LI, Zhichun ,  LI, Ding ,  WU, Zhenyu ,  RHEE, Junghwan

IPC: G06F21/50 ,  H04L29/06

Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

公开(公告)号：WO2018071625A1

公开(公告)日：2018-04-19

申请号：PCT/US2017/056270

申请日：2017-10-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： CHEN, Zhengzhang ,  TANG, LuAn ,  LIN, Ying ,  LI, Zhichun ,  CHEN, Haifeng ,  JIANG, Guofei

IPC: H04L29/06 ,  G06N7/00

CPC classification number: H04L63/1425 ,  G06F21/55 ,  G06F21/57 ,  G06N7/005 ,  H04L63/20

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined (306) between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined (308) based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked (310) based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action (614) is performed based on the ranked alerts.

Abstract translation: 用于检测安全入侵的方法和系统包括检测所监视的系统数据中的警报。 基于由检测到的警报形成的前缀树，在警报之间确定（306）时间依赖性。 基于检测到的警报的图表表示中的警报之间的距离来确定（308）警报之间的内容依赖性。 基于包括时间依赖性和内容依赖性的优化问题对警报进行排名（310）。 基于排名的警报执行安全管理行动（614）。

公开(公告)号：WO2016073765A1

公开(公告)日：2016-05-12

申请号：PCT/US2015/059306

申请日：2015-11-05

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Zhichun ,  XIAO, Xusheng ,  WU, Zhenyu ,  ZONG, Bo ,  JIANG, Guofei

IPC: G06F21/50 ,  G06F17/30 ,  G06F17/00

CPC classification number: G06F17/30958 ,  G06F21/552

Abstract: A method and system for constructing behavior queries in temporal graphs using discriminative sub-trace mining. The method (100) includes generating system data logs to provide temporal graphs (102), wherein the temporal graphs include a first temporal graph corresponding to a target behavior and a second temporal graph corresponding to a set of background behaviors (102), generating temporal graph patterns for each of the first and second temporal graphs to determine whether a pattern exists between a first temporal graph pattern and a second temporal graph pattern, wherein the pattern between the temporal graph patterns is a non-repetitive graph pattern (104), pruning the pattern between the first and second temporal graph patterns to provide a discriminative temporal graph (106), and generating behavior queries based on the discriminative temporal graph (110).

Abstract translation: 使用区分性子跟踪挖掘在时间图中构建行为查询的方法和系统。 方法（100）包括生成系统数据日志以提供时间图（102），其中时间图包括对应于目标行为的第一时间图和对应于一组背景行为（102）的第二时间图，产生时间 用于确定在第一时间图形图案和第二时间图形图案之间是否存在图案的第一和第二时间图形的图形图案，其中时间图形图案之间的图案是非重复图形图案（104），修剪 所述第一和第二时间图形图案之间的图案提供鉴别时间图（106），以及基于所述辨别性时间图（110）生成行为查询。

公开(公告)号：EP3205072A1

公开(公告)日：2017-08-16

申请号：EP15848332.1

申请日：2015-10-12

Applicant: NEC Laboratories America, Inc.

Inventor： LI, Zhichun ,  WU, Zhenyu ,  QIAN, Zhiyun ,  JIANG, Guofei ,  AKHOONDI, Masoud ,  KUSANO, Markus

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1416 ,  G06F17/30958 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.

Abstract translation: 用于入侵攻击恢复的方法和系统包括监视网络中的两个或更多主机以生成系统事件的审计日志。 根据审计日志生成一个或多个依赖关系图（DGraphs）。 确定DGraphs每个边缘的相关性分数。 DGraphs中的不相关事件被修剪以产生浓缩的回溯图。 通过凝聚回溯图中的攻击检测点回溯来确定原点。

公开(公告)号：EP3175386A1

公开(公告)日：2017-06-07

申请号：EP15827986.9

申请日：2015-07-30

Applicant: NEC Laboratories America, Inc.

Inventor： RHEE, Junghwan ,  FU, Yangchun ,  WU, Zhenyu ,  ZHANG, Hui ,  LI, Zhichun ,  JIANG, Guofei

IPC: G06F21/56 ,  G06F21/50

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 用于在一个或多个应用中检测和防止返回导向编程（ROP）攻击的系统和方法，包括用于执行堆栈检查以检测堆栈中的ROP小配件的攻击检测设备和堆栈检查设备。 堆栈检查包括堆栈从堆栈顶部的堆栈帧向堆栈底部行进以检测一个或多个故障条件，确定是否存在有效的堆栈帧和返回码地址; 如果不存在有效的堆栈帧和返回码，则确定故障条件类型，III类故障条件指示ROP攻击。 使用遏制设备来包含ROP攻击，并且使用攻击分析设备分析在ROP攻击期间在堆栈中检测到的ROP小配件。