Abstract:
A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program (510), including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage (520), including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis (530), including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack (542).
Abstract:
A method for ransomware detection and prevention includes receiving an event stream associated with one or more computer system events, generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
Abstract:
A method for implementing automated threat alert triage via data provenance includes receiving a set of alerts and security provenance data, separating true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event, and automatically generating a set of triaged alert events based on the separation.
Abstract:
A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.
Abstract:
Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.
Abstract:
Systems and methods for data reduction include organizing (701) data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built (702) including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged (703) into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified (704). A compressible file access template (CFAT) is generated (705) corresponding to each of the path combinations. The data of the event stream is compressed (706) with the CFATs to reduce the dependent features to special events representing the dependent features.
Abstract:
Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.
Abstract:
Methods and systems for dependency tracking include identifying a hot process that generates bursts of events with interleaved dependencies. Events related to the hot process are aggregated according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process. Causality in a reduced event stream that comprises the aggregated events is tracked.
Abstract:
Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor (640). Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device (650). The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application (660).