-
Publication number: WO2021030133A1
Publication date: 2021-02-18
Application number: PCT/US2020/045150
Filing date: 2020-08-06
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: YU, Xiao , HAN, Xueyuan , LI, Ding , RHEE, Junghwan , CHEN, Haifeng
Abstract: A computer-implemented method for securing software installation through deep graph learning includes extracting (810) a new software installation graph (SIG) corresponding to a new software installation, based on installation data associated with that installation; using (820) at least two node embedding models to generate a first vector representation by embedding the nodes of the new SIG and inferring embeddings for out-of-vocabulary (OOV) words that correspond to previously unseen pathnames; utilizing (830) a deep graph autoencoder to reconstruct the nodes of the new SIG from latent vector representations encoded by a graph LSTM, wherein the reconstruction losses, i.e. the difference between a second vector representation generated by the deep graph autoencoder and the first vector representation, serve as per-node anomaly scores; and performing (840) anomaly detection by comparing an overall anomaly score derived from the per-node scores against a threshold characterizing normal software installations.
-
Publication number: WO2019032180A1
Publication date: 2019-02-14
Application number: PCT/US2018/037183
Filing date: 2018-06-13
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: LI, Ding , JEE, Kangkook , CHEN, Zhengzhang , TANG, LuAn , LI, Zhichun
Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
-
Publication number: WO2018213425A1
Publication date: 2018-11-22
Application number: PCT/US2018/032938
Filing date: 2018-05-16
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: LI, Ding , JEE, Kangkook , LI, Zhichun , ZHANG, Mu , WU, Zhenyu
CPC classification number: G06F16/1744 , G06F3/0643 , G06F16/2246 , G06F16/2272 , G06F16/24568 , G06F16/25 , G06F16/258 , G06F16/9027 , G06F21/552 , G06F21/6218 , G06F2216/03 , G06F2221/2143 , G06K9/6219
Abstract: Systems and methods for data reduction including organizing (701) data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built (702) including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged (703) into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified (704). A compressible file access template (CFAT) is generated (705) corresponding to each of the path combinations. The data of the event stream is compressed (706) with the CFATs to reduce the dependent features to special events representing the dependent features.
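The pipeline this abstract outlines, as an added example in Python. It is not code from the patent or from NEC; it runs on a constructed (process, path) event stream in which the process name is the independent feature and the accessed pathname the dependent feature. Two details the abstract does not specify are this example's own assumptions: a chain is merged into a special node only when its nodes carry equal counts (the paths always co-occur), and compression matches templates greedily, longest first.

```python
from collections import Counter, defaultdict

# Constructed event stream: (process, accessed path). The process is the
# independent feature, the path the dependent feature. Sample data, not
# real audit logs.
EVENTS = [
    ("bash", "/etc/passwd"), ("bash", "/lib/libc.so"), ("bash", "/etc/ld.so.cache"),
    ("sshd", "/etc/passwd"), ("sshd", "/lib/libc.so"), ("sshd", "/etc/ld.so.cache"),
    ("sshd", "/etc/ssh/sshd_config"),
    ("cron", "/etc/passwd"), ("cron", "/lib/libc.so"), ("cron", "/etc/ld.so.cache"),
    ("vim", "/lib/libc.so"), ("vim", "/etc/ld.so.cache"), ("vim", "/home/u/notes.txt"),
]


class Node:
    """FP-tree node; `items` is one path, or a merged segment of several."""
    __slots__ = ("items", "count", "children")

    def __init__(self, items):
        self.items = items
        self.count = 0
        self.children = {}


def build_file_access_table(events):
    """Step 701: group the dependent features under each independent feature."""
    table = defaultdict(set)
    for proc, path in events:
        table[proc].add(path)
    return dict(table)


def build_fp_tree(table):
    """Step 702: insert each process's path set, most frequent paths first,
    so shared prefixes collapse into shared tree nodes."""
    support = Counter(p for paths in table.values() for p in paths)
    root = Node(())
    for paths in table.values():
        node = root
        for p in sorted(paths, key=lambda x: (-support[x], x)):
            child = node.children.get(p)
            if child is None:
                child = node.children[p] = Node((p,))
            child.count += 1
            node = child
    return root


def merge_single_paths(node):
    """Step 703: collapse a chain of single-child nodes that always co-occur
    (equal counts) into one special node holding the whole segment. The
    equal-count criterion is this example's assumption."""
    for child in list(node.children.values()):
        while len(child.children) == 1:
            (grand,) = child.children.values()
            if grand.count != child.count:
                break
            child.items += grand.items
            child.children = grand.children
        merge_single_paths(child)
    return node


def path_combinations(node, prefix=()):
    """Step 704: every root-to-node path of the reduced tree."""
    paths = []
    for child in node.children.values():
        path = prefix + child.items
        paths.append(path)
        paths.extend(path_combinations(child, path))
    return paths


def generate_cfats(root):
    """Step 705: one template per path with at least two dependent features,
    longest first so compression prefers the most specific template."""
    templates = sorted((p for p in path_combinations(root) if len(p) >= 2),
                       key=len, reverse=True)
    return {f"CFAT{i}": t for i, t in enumerate(templates)}


def compress(events, cfats):
    """Step 706: replace each run of dependent features covered by a template
    with a single special event naming that template (greedy, longest first)."""
    out = []
    for proc, paths in build_file_access_table(events).items():
        remaining = set(paths)
        for name, tmpl in cfats.items():
            if set(tmpl) <= remaining:
                out.append((proc, name))
                remaining -= set(tmpl)
        out.extend((proc, p) for p in sorted(remaining))
    return out


def reduce_events(events):
    root = merge_single_paths(build_fp_tree(build_file_access_table(events)))
    cfats = generate_cfats(root)
    return cfats, compress(events, cfats)


if __name__ == "__main__":
    cfats, compressed = reduce_events(EVENTS)
    for name, tmpl in cfats.items():
        print(name, tmpl)
    print(f"{len(EVENTS)} events -> {len(compressed)}:", compressed)
```

On the sample stream the loader-related reads (`/etc/ld.so.cache`, `/lib/libc.so`) collapse into one segment node, four templates come out, and the thirteen file-access events reduce to four special events. The reduction is lossless only with respect to the template dictionary: an investigation that needs the original pathnames must expand the CFAT back, so the dictionary has to be retained alongside the compressed stream.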
-
Publication number: WO2021055239A1
Publication date: 2021-03-25
Application number: PCT/US2020/050302
Filing date: 2020-09-11
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: XU, Jianwu , LI, Ding , CHENG, Wei , CHEN, Haifeng
Abstract: A method for automatically recommending a reviewer for submitted codes is presented. The method includes employing (801), in a learning phase, an artificial intelligence agent for learning an underlying and contextual structure of code regions, mapping (803) the code regions into a distributed representation to define code region representations, employing (805), in a recommendation phase, the artificial intelligence agent to produce a ranked list of recommended reviewers for any given submitted code review request, and outputting (807) the ranked list of recommended reviewers to a visualization device.
-
Publication number: WO2018213061A2
Publication date: 2018-11-22
Application number: PCT/US2018/031559
Filing date: 2018-05-08
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: ZHANG, Mu , JEE, Kangkook , LI, Zhichun , LI, Ding , WU, Zhenyu , RHEE, Junghwan
CPC classification number: G06F21/554 , G06F2221/034
Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.
-
Publication number: WO2020028008A1
Publication date: 2020-02-06
Application number: PCT/US2019/041514
Filing date: 2019-07-12
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: LI, Ding , JEE, Kangkook , CHEN, Zhengzhang , LI, Zhichun , HASSAN, Wajih Ul
Abstract: A method for implementing automated threat alert triage via data provenance includes receiving a set of alert events and security provenance data, separating the true alert events in the set (those corresponding to malicious activity) from the false alert events (those corresponding to benign activity) based on an alert anomaly score assigned to each alert event, and automatically generating a set of triaged alert events based on that separation.
-
Publication number: WO2018213061A3
Publication date: 2018-11-22
Application number: PCT/US2018/031559
Filing date: 2018-05-08
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: ZHANG, Mu , JEE, Kangkook , LI, Zhichun , LI, Ding , WU, Zhenyu , RHEE, Junghwan
Abstract: A method and system are provided for causality analysis of Operating System-level (OS-level) events in heterogeneous enterprise hosts. The method includes storing (720F), by the processor, the OS-level events in a priority queue in a prioritized order based on priority scores determined from event rareness scores and event fanout scores for the OS-level events. The method includes processing (720G), by the processor, the OS-level events stored in the priority queue in the prioritized order to provide a set of potentially anomalous ones of the OS-level events within a set amount of time. The method includes generating (720G), by the processor, a dependency graph showing causal dependencies of at least the set of potentially anomalous ones of the OS-level events, based on results of the causality dependency analysis. The method includes initiating (730), by the processor, an action to improve a functioning of the hosts responsive to the dependency graph or information derived therefrom.
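The prioritized processing described in this abstract (shared by the WO2018213061 A2 and A3 publications above), as an added example in Python. It is not code from the patent or from NEC. It runs on a constructed audit trace from one host plus a constructed fleet baseline; the rareness score (smoothed negative log frequency of the event triple across hosts), the fanout score (how many events an entity participates in), the way the two are combined into a priority, the use of a pop budget as a stand-in for the fixed time budget, and the backward-tracking rule for the dependency graph are all this example's own choices, not the patent's specification.

```python
import heapq
import math
from collections import Counter

N_HOSTS = 50  # size of the constructed fleet behind the baseline

# Constructed baseline: on how many of N_HOSTS each (subject, op, object)
# triple has been observed. Sample data, not a real profile.
BASELINE = Counter({
    ("sshd", "exec", "bash"): 50,
    ("bash", "read", "/lib/libc.so"): 50,
    ("bash", "read", "/etc/passwd"): 47,
    ("cron", "read", "/etc/crontab"): 50,
    ("cron", "exec", "/usr/bin/logrotate"): 49,
    ("cron", "read", "/lib/libc.so"): 50,
})

# Constructed OS-level events from one host: (timestamp, subject, op, object).
EVENTS = [
    (1, "sshd", "exec", "bash"),
    (2, "bash", "read", "/lib/libc.so"),
    (3, "bash", "read", "/etc/passwd"),
    (4, "bash", "write", "/tmp/.x.sh"),
    (5, "bash", "exec", "/tmp/.x.sh"),
    (6, "/tmp/.x.sh", "connect", "198.51.100.7:4444"),
    (7, "cron", "read", "/etc/crontab"),
    (8, "cron", "exec", "/usr/bin/logrotate"),
    (9, "cron", "read", "/lib/libc.so"),
]


def rareness(event):
    """Surprise of the event under the fleet baseline (add-one smoothed)."""
    _, subj, op, obj = event
    seen = BASELINE.get((subj, op, obj), 0)
    return -math.log((seen + 1) / (N_HOSTS + 1))


def fanout_table(events):
    """How many events each entity (process, file, socket) participates in."""
    deg = Counter()
    for _, subj, _, obj in events:
        deg[subj] += 1
        deg[obj] += 1
    return deg


def priority(event, deg):
    """Rare events first; events on high-fanout entities (libc, hub processes)
    are deprioritized because following them yields mostly noise. The exact
    combination is this example's choice."""
    _, subj, _, obj = event
    fan = max(deg[subj], deg[obj])
    return rareness(event) / (1.0 + math.log(fan))


def select_anomalous(events, budget, threshold):
    """Steps 720F/720G: queue by priority, pop at most `budget` events (the
    stand-in for the fixed time budget) and keep those above threshold."""
    deg = fanout_table(events)
    heap = [(-priority(ev, deg), ev[0], ev) for ev in events]
    heapq.heapify(heap)
    anomalous = []
    for _ in range(min(budget, len(heap))):
        _, _, ev = heapq.heappop(heap)
        if rareness(ev) > threshold:
            anomalous.append(ev)
    return anomalous


def dependency_graph(events, seeds):
    """Backward tracking from the anomalous events: an earlier event whose
    subject or object is the later event's subject is its causal predecessor."""
    edges, seen, worklist = set(), set(), list(seeds)
    while worklist:
        e = worklist.pop()
        if e[0] in seen:
            continue
        seen.add(e[0])
        for d in events:
            if d[0] < e[0] and e[1] in (d[1], d[3]):
                edges.add((d[0], e[0]))
                worklist.append(d)
    return edges


def containment_targets(anomalous):
    """Step 730: objects touched by the anomalous events, handed to response."""
    return sorted({ev[3] for ev in anomalous})


def analyze(events, budget=3, threshold=1.0):
    anomalous = select_anomalous(events, budget, threshold)
    return anomalous, dependency_graph(events, anomalous), containment_targets(anomalous)


if __name__ == "__main__":
    anomalous, graph, targets = analyze(EVENTS)
    print("anomalous:", [ev[0] for ev in anomalous])
    print("edges:", sorted(graph))
    print("targets:", targets)
```

With a budget of three pops the queue surfaces the dropper write, its execution and the outbound connection before any of the routine cron activity is examined, and the backward-tracked graph stays confined to the sshd-to-bash-to-`/tmp/.x.sh` chain. The fanout term matters in practice: without it, an unseen but harmless read of a shared library by a hub process would rank as high as the connect-back, and every tracking step through that library would drag in every process on the host.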