EXTRACTION AND COMPARISON OF HYBRID PROGRAM BINARY FEATURES
    2.
    Invention application (under examination, published)

    Publication number: WO2017177003A1

    Publication date: 2017-10-12

    Application number: PCT/US2017/026359

    Filing date: 2017-04-06

    Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.


DIFFERENTIAL DEPENDENCY TRACKING FOR ATTACK FORENSICS
    3.
    Invention application (under examination, published)

    Publication number: WO2016057994A1

    Publication date: 2016-04-14

    Application number: PCT/US2015/055137

    Filing date: 2015-10-12

    Abstract: Methods and systems for intrusion attack recovery include monitoring (502) two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) are generated (504) based on the audit logs. A relevancy score for each edge of the DGraphs is determined (510). Irrelevant events from the DGraphs are pruned (510) to generate a condensed backtracking graph. An origin is located by backtracking (512) from an attack detection point in the condensed backtracking graph.


A GRAPH MODEL FOR ALERT INTERPRETATION IN ENTERPRISE SECURITY SYSTEM

    Publication number: WO2019084072A1

    Publication date: 2019-05-02

    Application number: PCT/US2018/057198

    Filing date: 2018-10-24

    Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

AUTOMATED SOFTWARE SAFENESS CATEGORIZATION WITH INSTALLATION LINEAGE AND HYBRID INFORMATION SOURCES

    Publication number: WO2019032277A1

    Publication date: 2019-02-14

    Application number: PCT/US2018/043405

    Filing date: 2018-07-24

    Abstract: Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.

TIMELY CAUSALITY ANALYSIS IN HOMOGENEOUS ENTERPRISE HOSTS

    Publication number: WO2018213061A2

    Publication date: 2018-11-22

    Application number: PCT/US2018/031559

    Filing date: 2018-05-08

    CPC classification number: G06F21/554 G06F2221/034

    Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

TRANSPARENT DETECTION AND EXTRACTION OF RETURN-ORIENTED-PROGRAMMING ATTACKS
    8.
    Invention application (under examination, published)

    Publication number: WO2016019104A1

    Publication date: 2016-02-04

    Application number: PCT/US2015/042824

    Filing date: 2015-07-30

    CPC classification number: G06F21/52 G06F21/554 G06F21/60 G06F2221/033

    Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.


TIMELY CAUSALITY ANALYSIS IN HOMOGENEOUS ENTERPRISE HOSTS

    Publication number: WO2018213061A3

    Publication date: 2018-11-22

    Application number: PCT/US2018/031559

    Filing date: 2018-05-08

    Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.

METHOD AND SYSTEM FOR BEHAVIOR QUERY CONSTRUCTION IN TEMPORAL GRAPHS USING DISCRIMINATIVE SUB-TRACE MINING
    10.
    Invention application (under examination, published)

    Publication number: WO2016073765A1

    Publication date: 2016-05-12

    Application number: PCT/US2015/059306

    Filing date: 2015-11-05

    CPC classification number: G06F17/30958 G06F21/552

    Abstract: A method and system for constructing behavior queries in temporal graphs using discriminative sub-trace mining. The method (100) includes generating system data logs to provide temporal graphs (102), wherein the temporal graphs include a first temporal graph corresponding to a target behavior and a second temporal graph corresponding to a set of background behaviors (102), generating temporal graph patterns for each of the first and second temporal graphs to determine whether a pattern exists between a first temporal graph pattern and a second temporal graph pattern, wherein the pattern between the temporal graph patterns is a non-repetitive graph pattern (104), pruning the pattern between the first and second temporal graph patterns to provide a discriminative temporal graph (106), and generating behavior queries based on the discriminative temporal graph (110).

