TIMELY CAUSALITY ANALYSIS IN HOMOGENEOUS ENTERPRISE HOSTS

    Publication No.: WO2018213061A3

    Publication date: 2018-11-22

    Application No.: PCT/US2018/031559

    Filing date: 2018-05-08

    Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

    GRAPHICS PROCESSING UNIT ACCELERATED TRUSTED EXECUTION ENVIRONMENT

    Publication No.: WO2020167949A1

    Publication date: 2020-08-20

    Application No.: PCT/US2020/017929

    Filing date: 2020-02-12

    Abstract: Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor (640). Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device (650). The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application (660).

    EXTRACTION AND COMPARISON OF HYBRID PROGRAM BINARY FEATURES
    Type: Invention application
    Status: Pending (published)

    Publication No.: WO2017177003A1

    Publication date: 2017-10-12

    Application No.: PCT/US2017/026359

    Filing date: 2017-04-06

    Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.


    DYNAMIC BORDER LINE TRACING FOR TRACKING MESSAGE FLOWS ACROSS DISTRIBUTED SYSTEMS
    Type: Invention application
    Status: Pending (published)

    Publication No.: WO2015153178A1

    Publication date: 2015-10-08

    Application No.: PCT/US2015/022116

    Filing date: 2015-03-24

    CPC classification number: G06F11/3466

    Abstract: The present invention enables capturing API level calls using a combination of dynamic instrumentation and library overriding. The invention allows event level tracing of API function calls and returns, and is able to generate an execution trace. The instrumentation is lightweight and relies on dynamic library/shared library linking mechanisms in most operating systems. Hence we need no source code modification or binary injection. The tool can be used to capture parameter values, and return values, which can be used to correlate traces across API function calls to generate transaction flow logic.


    SYSTEMS AND METHODS FOR INFERRING LANDMARK DELIMITERS FOR LOG ANALYSIS
    Type: Invention application
    Status: Pending (published)

    Publication No.: WO2017083149A1

    Publication date: 2017-05-18

    Application No.: PCT/US2016/060139

    Filing date: 2016-11-02

    CPC classification number: G06F17/30395 G06F17/30076 G06F17/30477

    Abstract: Systems and methods are disclosed for analyzing logs generated by a machine by analyzing a log and identifying one or more abstract landmark delimiters (ALDs) representing delimiters for log tokenization; from the log and ALD, tokenizing the log and generating an increasingly tokenized format by separating the patterns with the ALD to form an intermediate tokenized log; iteratively repeating the tokenizing of the logs until a last intermediate tokenized log is processed as a final tokenized log; and applying the tokenized logs in applications.


    SECURING SOFTWARE INSTALLATION THROUGH DEEP GRAPH LEARNING

    Publication No.: WO2021030133A1

    Publication date: 2021-02-18

    Application No.: PCT/US2020/045150

    Filing date: 2020-08-06

    Abstract: A computer-implemented method for securing software installation through deep graph learning includes extracting (810) a new software installation graph (SIG) corresponding to a new software installation based on installation data associated with the new software installation, using (820) at least two node embedding models to generate a first vector representation by embedding the nodes of the new SIG and inferring any embeddings for out-of-vocabulary (OOV) words corresponding to unseen pathnames, utilizing (830) a deep graph autoencoder to reconstruct nodes of the new SIG from latent vector representations encoded by the graph LSTM, wherein reconstruction losses resulting from a difference of a second vector representation generated by the deep graph autoencoder and the first vector representation represent anomaly scores for each node, and performing (840) anomaly detection by comparing an overall anomaly score of the anomaly scores to a threshold of normal software installation.

    CONFIDENTIAL MACHINE LEARNING WITH PROGRAM COMPARTMENTALIZATION

    Publication No.: WO2020117551A1

    Publication date: 2020-06-11

    Application No.: PCT/US2019/063184

    Filing date: 2019-11-26

    Abstract: A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program (510), including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage (520), including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis (530), including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack (542).
