-
Publication number: WO2020028008A1
Publication date: 2020-02-06
Application number: PCT/US2019/041514
Application date: 2019-07-12
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: LI, Ding , JEE, Kangkook , CHEN, Zhengzhang , LI, Zhichun , HASSAN, Wajih Ul
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alert events and security provenance data, separating true alert events (those corresponding to malicious activity) from false alert events (those corresponding to benign activity) based on an alert anomaly score assigned to each alert event, and automatically generating a set of triaged alert events based on the separation.
-
Publication number: WO2019032502A1
Publication date: 2019-02-14
Application number: PCT/US2018/045493
Application date: 2018-08-07
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: CHEN, Zhengzhang , TANG, LuAn , LI, Zhichun , LUO, Chen
CPC classification number: H04L63/1425 , G06N5/003 , G06N5/022 , G06N20/00
Abstract: A computer-implemented method for implementing a knowledge-transfer-based model for accelerating invariant network learning is presented. The method includes generating an invariant network from data streams, the invariant network representing an enterprise information network with a plurality of nodes representing entities; employing a multi-relational entity estimation model to transfer the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph; employing a reference construction model to determine differences between the source and target domain graphs and constructing unbiased dependencies between the entities to generate a target invariant network; and outputting the generated target invariant network on a user interface of a computing device.
-
Publication number: WO2018217259A2
Publication date: 2018-11-29
Application number: PCT/US2018/019829
Application date: 2018-02-27
Applicant: NEC LABORATORIES AMERICA, INC
Inventor: CHEN, Zhengzhang , TANG, LuAn , LI, Zhichun , CAO, Cheng
CPC classification number: H04L63/1425 , G06F21/552 , G06K9/00496 , G06K2009/00738
Abstract: Systems and methods for determining a risk level of a host in a network include modeling (402) a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined (404). An anomaly score for the target host is determined (406) based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.
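An added worked example of the peer-based scheme this abstract outlines. It is illustrative code written for this page, not NEC's implementation: the event categories, the hosts and their per-day counts, the baseline/monitoring windows, the cosine-distance similarity and the centroid-drift score are all assumptions made here. It builds a daily behaviour profile per host, fixes each host's "original" peers from the baseline window, and scores how far the host drifts from its peers' centroid afterwards relative to how closely it tracked them before.

```python
"""Peer-based host anomaly scoring over per-day behaviour profiles.
Added illustration; data, event types and scoring choices are assumptions."""
import math
from collections import defaultdict

# Constructed per-host, per-day event-type counts (not real telemetry).
# Days 1-3 form the baseline window; days 4-5 are the monitoring window.
# web1 is a web server whose behaviour drifts on days 4-5.
COUNTS = {
    ("web1", 1): {"proc_exec": 20, "file_write": 30, "net_connect": 10},
    ("web1", 2): {"proc_exec": 22, "file_write": 29, "net_connect": 11},
    ("web1", 3): {"proc_exec": 19, "file_write": 31, "net_connect": 9},
    ("web1", 4): {"proc_exec": 60, "file_write": 10, "net_connect": 80},  # drift
    ("web1", 5): {"proc_exec": 70, "file_write": 8, "net_connect": 95},   # drift
    ("web2", 1): {"proc_exec": 21, "file_write": 28, "net_connect": 12},
    ("web2", 2): {"proc_exec": 20, "file_write": 30, "net_connect": 10},
    ("web2", 3): {"proc_exec": 23, "file_write": 27, "net_connect": 11},
    ("web2", 4): {"proc_exec": 21, "file_write": 29, "net_connect": 11},
    ("web2", 5): {"proc_exec": 20, "file_write": 31, "net_connect": 10},
    ("web3", 1): {"proc_exec": 19, "file_write": 32, "net_connect": 9},
    ("web3", 2): {"proc_exec": 21, "file_write": 30, "net_connect": 10},
    ("web3", 3): {"proc_exec": 20, "file_write": 29, "net_connect": 12},
    ("web3", 4): {"proc_exec": 22, "file_write": 30, "net_connect": 10},
    ("web3", 5): {"proc_exec": 19, "file_write": 31, "net_connect": 11},
    ("db1", 1): {"proc_exec": 5, "file_write": 60, "net_connect": 4},
    ("db1", 2): {"proc_exec": 6, "file_write": 58, "net_connect": 5},
    ("db1", 3): {"proc_exec": 4, "file_write": 62, "net_connect": 4},
    ("db1", 4): {"proc_exec": 5, "file_write": 59, "net_connect": 5},
    ("db1", 5): {"proc_exec": 6, "file_write": 61, "net_connect": 4},
    ("db2", 1): {"proc_exec": 4, "file_write": 59, "net_connect": 5},
    ("db2", 2): {"proc_exec": 5, "file_write": 61, "net_connect": 4},
    ("db2", 3): {"proc_exec": 6, "file_write": 60, "net_connect": 5},
    ("db2", 4): {"proc_exec": 5, "file_write": 60, "net_connect": 4},
    ("db2", 5): {"proc_exec": 4, "file_write": 62, "net_connect": 5},
}
BASELINE_DAYS = (1, 2, 3)
MONITOR_DAYS = (4, 5)
EVENT_TYPES = ("proc_exec", "file_write", "net_connect")


def profile(counts):
    """Turn a day's event counts into a frequency vector over EVENT_TYPES."""
    total = sum(counts.get(t, 0) for t in EVENT_TYPES)
    return [counts.get(t, 0) / total if total else 0.0 for t in EVENT_TYPES]


def cosine_distance(a, b):
    """1 - cosine similarity; 1.0 if either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 1.0 if norm == 0 else 1.0 - dot / norm


def daily_profiles(counts_by_host_day):
    """host -> day -> frequency vector."""
    profiles = defaultdict(dict)
    for (host, day), counts in counts_by_host_day.items():
        profiles[host][day] = profile(counts)
    return profiles


def centroid(vectors):
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(EVENT_TYPES))]


def find_peers(profiles, target, baseline_days, max_distance=0.05):
    """'Original' peers: hosts whose mean baseline-window distance to the
    target is below max_distance. The set is fixed from the baseline and not
    re-selected later, so a drifting target cannot pick itself new peers."""
    peers = []
    for host, days in profiles.items():
        if host == target:
            continue
        dist = sum(cosine_distance(profiles[target][d], days[d]) for d in baseline_days)
        if dist / len(baseline_days) < max_distance:
            peers.append(host)
    return sorted(peers)


def anomaly_score(profiles, target, peers, baseline_days, monitor_days):
    """Mean distance from the peer centroid in the monitoring window minus the
    same distance in the baseline window: how much the target has drifted
    relative to how closely it tracked its peers before."""
    def mean_peer_distance(days):
        dists = [cosine_distance(profiles[target][d], centroid([profiles[p][d] for p in peers]))
                 for d in days]
        return sum(dists) / len(dists)
    return max(0.0, mean_peer_distance(monitor_days) - mean_peer_distance(baseline_days))


def score_host(target, counts=COUNTS, max_distance=0.05):
    """Return (peers, anomaly score); score is None when the host has no peers
    and therefore cannot be scored this way."""
    profiles = daily_profiles(counts)
    peers = find_peers(profiles, target, BASELINE_DAYS, max_distance)
    if not peers:
        return peers, None
    return peers, anomaly_score(profiles, target, peers, BASELINE_DAYS, MONITOR_DAYS)


if __name__ == "__main__":
    for host in ("web1", "web2", "web3", "db1", "db2"):
        peers, score = score_host(host)
        print(f"{host}: peers={peers} anomaly={score}")
```

Running it, web1 scores well above its peers while db1 and db2, whose profiles never change, score near zero. Note that web2's score also rises a little: web1 is one of its two original peers, so web1's drift contaminates web2's peer centroid. With small peer groups a practitioner would use a robust aggregate (a per-dimension median, or distance to each peer separately) and a minimum peer count before trusting the score; a host with no peers above the similarity threshold is returned as unscorable rather than silently scored against unrelated machines.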
-
Publication number: WO2018071625A1
Publication date: 2018-04-19
Application number: PCT/US2017/056270
Application date: 2017-10-12
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: CHEN, Zhengzhang , TANG, LuAn , LIN, Ying , LI, Zhichun , CHEN, Haifeng , JIANG, Guofei
CPC classification number: H04L63/1425 , G06F21/55 , G06F21/57 , G06N7/005 , H04L63/20
Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined (306) between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined (308) based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked (310) based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action (614) is performed based on the ranked alerts.
-
Publication number: WO2017019391A1
Publication date: 2017-02-02
Application number: PCT/US2016/043040
Application date: 2016-07-20
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: CHEN, Zhengzhang , TANG, LuAn , DONG, Boxiang , JIANG, Guofei , CHEN, Haifeng
IPC: G06F21/55
CPC classification number: G06F21/566 , G06F21/552
Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns, using a random walk on the graph.
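An added worked example of the graph-and-path-pattern idea in this abstract. It is illustrative code written for this page, not the patent's own implementation: the entity types, the timestamped edges, the two "valid path patterns", the 100-unit time window and the scoring rule are assumptions made here. The scoring treats a matched event sequence as a walk on the graph and asks how improbable that walk is under a frequency-weighted random walk (each step's probability is the share of the source entity's events that go along that edge); the negative log of the product is reported in bits, so chains assembled from an entity's everyday activity score near zero and one-off chains score high.

```python
"""Time-ordered path-pattern matching on an entity/event graph with a
random-walk rarity score. Added illustration; graph, patterns, window and
scoring rule are assumptions, not the patent's implementation."""
import math
from collections import defaultdict

# Constructed sample graph (not real telemetry): entity types and timestamped
# edges as (src, dst, relation, [timestamps]); one timestamp per event.
VERTEX_TYPE = {
    "chrome": "process", "sh": "process", "backup": "process", "rsync": "process",
    "/home/u/doc.pdf": "file", "/tmp/update.sh": "file", "/var/backups/db.tar": "file",
    "198.51.100.7": "host", "203.0.113.9": "host", "10.0.0.20": "host",
}
EDGES = [
    ("chrome", "/home/u/doc.pdf", "write", [100, 250, 400]),  # routine downloads
    ("chrome", "198.51.100.7", "connect", [90, 240, 390]),    # routine browsing
    ("chrome", "/tmp/update.sh", "write", [300]),             # one-off drop
    ("/tmp/update.sh", "sh", "exec", [310]),                  # dropped file runs
    ("sh", "10.0.0.20", "connect", [50]),                     # earlier, unrelated
    ("sh", "203.0.113.9", "connect", [320]),                  # call-out after exec
    ("backup", "/var/backups/db.tar", "write", [10, 610]),    # nightly backup job
    ("/var/backups/db.tar", "rsync", "read", [15, 615]),
    ("rsync", "10.0.0.20", "connect", [20, 620]),
]
# Hypothetical valid path patterns: chains of (src type, relation, dst type).
PATTERNS = {
    "drop-and-execute": [("process", "write", "file"),
                         ("file", "exec", "process"),
                         ("process", "connect", "host")],
    "stage-and-upload": [("process", "write", "file"),
                         ("file", "read", "process"),
                         ("process", "connect", "host")],
}


def build_graph(edges):
    """src -> [(dst, relation, sorted timestamps)]"""
    adj = defaultdict(list)
    for src, dst, rel, stamps in edges:
        adj[src].append((dst, rel, sorted(stamps)))
    return adj


def transition_prob(adj, src, dst, rel):
    """Frequency-weighted random-walk step: the share of src's events that
    are this (dst, relation) edge."""
    total = sum(len(s) for _, _, s in adj[src])
    hits = sum(len(s) for d, r, s in adj[src] if d == dst and r == rel)
    return hits / total


def match_pattern(adj, pattern, window):
    """Enumerate event sequences whose type/relation chain matches `pattern`,
    with strictly increasing timestamps and each step at most `window` after
    the previous one. Each match is a tuple of (src, rel, dst, t) steps."""
    matches = []

    def extend(node, step, last_t, path):
        if step == len(pattern):
            matches.append(tuple(path))
            return
        src_type, rel, dst_type = pattern[step]
        if VERTEX_TYPE[node] != src_type:
            return
        for dst, r, stamps in adj.get(node, []):
            if r != rel or VERTEX_TYPE[dst] != dst_type:
                continue
            for t in stamps:
                if last_t is None or last_t < t <= last_t + window:
                    path.append((node, r, dst, t))
                    extend(dst, step + 1, t, path)
                    path.pop()

    for start in list(adj):
        extend(start, 0, None, [])
    return matches


def path_rarity(adj, path):
    """Bits of surprise: -log2 of the probability that a frequency-weighted
    random walk starting at the path's first vertex takes exactly these
    steps. Chains built from an entity's usual activity score near 0."""
    logp = sum(math.log2(transition_prob(adj, s, d, r)) for s, r, d, _ in path)
    return 0.0 - logp


def rank_sequences(edges=EDGES, patterns=PATTERNS, window=100):
    """Return [(rarity, pattern name, path)] for every match, rarest first."""
    adj = build_graph(edges)
    scored = [(path_rarity(adj, path), name, path)
              for name, pattern in patterns.items()
              for path in match_pattern(adj, pattern, window)]
    scored.sort(key=lambda item: (-item[0], item[2][0][3]))
    return scored


if __name__ == "__main__":
    for rarity, name, path in rank_sequences():
        chain = " -> ".join(f"{s} -{r}@{t}-> {d}" for s, r, d, t in path)
        print(f"{rarity:.2f} bits  {name}: {chain}")
```

On this constructed graph the nightly backup chain matches the stage-and-upload pattern twice but scores 0 bits, because writing db.tar, reading it and pushing it to 10.0.0.20 is all those entities ever do; the chrome write of /tmp/update.sh, its execution and the call-out to 203.0.113.9 is the only drop-and-execute match and scores log2(14) ≈ 3.8 bits (1/7 for the rare write, 1/2 for the shell's choice of destination). The earlier sh connection at t=50 is correctly excluded by the time-ordering constraint even though it is the same process. Two caveats a practitioner would add: the walk conditions only on edge counts, not on time, so a production scorer would weight transitions by time-valid edges; and the window and patterns drive recall, so both need tuning against the environment's real provenance data.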
-
Publication number: EP4476638A1
Publication date: 2024-12-18
Application number: EP23753312.0
Application date: 2023-01-11
Applicant: NEC Laboratories America, Inc.
Inventor: TONG, Liang , MIZOGUCHI, Takehiko , CHEN, Zhengzhang , CHENG, Wei , CHEN, Haifeng , AHAD, Nauman
IPC: G06F18/241 , G16H50/20 , G06N3/0455 , G06N3/044 , G06N3/0895
-