公开(公告)号：WO2019032275A1

公开(公告)日：2019-02-14

申请号：PCT/US2018/043394

申请日：2018-07-24

Applicant: NEC LABORATORIES AMERICA, INC. ,  NEC CORPORATION

Inventor： RHEE, Junghwan ,  WU, Zhenyu ,  KORTS-PARN, Lauri ,  JEE, Kangkook ,  LI, Zhichun ,  SETAYESHFAR, Omid

IPC: G06F21/50

CPC classification number: G06F21/552 ,  G06F16/219 ,  G06F16/26 ,  G06F16/9024 ,  G06F21/52 ,  G06F21/566 ,  G06F2221/033 ,  H04L63/1425

Abstract: Systems and methods are disclosed for securing an enterprise environment by detecting suspicious software. A global program lineage graph is constructed. Construction of the global program lineage graph includes creating a node for each version of a program having been installed on a set of user machines. Additionally, at least two nodes are linked with a directional edge. For each version of the program, a prevalence number of the set of user machines on which each version of the program had been installed is determined; and the prevalence number is recorded to the metadata associated with the respective node. Anomalous behavior is identified based on structures formed by the at least two nodes and associated directional edge in the global program lineage graph. An alarm is displayed on a graphical user interface for each suspicious software based on the identified anomalous behavior.

公开(公告)号：WO2018213425A1

公开(公告)日：2018-11-22

申请号：PCT/US2018/032938

申请日：2018-05-16

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Ding ,  JEE, Kangkook ,  LI, Zhichun ,  ZHANG, Mu ,  WU, Zhenyu

IPC: G06F21/60 ,  G06F21/62

CPC classification number: G06F16/1744 ,  G06F3/0643 ,  G06F16/2246 ,  G06F16/2272 ,  G06F16/24568 ,  G06F16/25 ,  G06F16/258 ,  G06F16/9027 ,  G06F21/552 ,  G06F21/6218 ,  G06F2216/03 ,  G06F2221/2143 ,  G06K9/6219

Abstract: Systems and methods for data reduction including organizing (701) data of an event stream into a file access table concurrently with receiving the event stream, the data including independent features and dependent features. A frequent pattern tree (FP-Tree) is built (702) including nodes corresponding to the dependent features according to a frequency of occurrence of the dependent features relative to the independent features. Each single path in the FP-Tree is merged (703) into a special node corresponding to segments of dependent features to produce a reduced FP-Tree. All path combinations in the reduced FP-Tree are identified (704). A compressible file access template (CFAT) is generated (705) corresponding to each of the path combinations. The data of the event stream is compressed (706) with the CFATs to reduce the dependent features to special events representing the dependent features.

公开(公告)号：WO2017176676A1

公开(公告)日：2017-10-12

申请号：PCT/US2017/025846

申请日：2017-04-04

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： TANG, LuAn ,  CHEN, Zhengzhang ,  JIANG, Guofei ,  LI, Zhichun ,  CHEN, Haifeng ,  YOSHIHIRA, Kenji

IPC: H04L29/06 ,  H04L12/26

Abstract: Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.

Abstract translation: 用于报告异常事件的方法和系统包括基于对网络中的过程级事件的状态建模的过程图的主机内集群化一组警报。 基于各个群集中警报之间的隐藏关系，在主机内群集警报上执行隐藏关系群集。 基于模拟网络中的连接事件之间的源和目标关系的拓扑图，在隐藏关系群集警报上执行主机间群集。 报告超过可信赖阈值水平的主机间群集警报。

公开(公告)号：WO2015175865A1

公开(公告)日：2015-11-19

申请号：PCT/US2015/030950

申请日：2015-05-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： QIAN, Zhiyun ,  WANG, Jun ,  LI, Zhichun ,  WU, Zhenyu ,  RHEE, Junghwan ,  NING, Xia ,  JIANG, Guofei

IPC: G06F21/50 ,  G06F11/30

CPC classification number: H04L63/1425 ,  G06F11/30 ,  G06F21/50 ,  G06F21/552 ,  G06F21/554 ,  G06N99/005 ,  H04L63/1441

Abstract: Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating the limit an attack surface presented by the process.

Abstract translation: 过程约束的方法和系统包括收集过程的系统调用信息。 基于系统调用信息检测进程是否空闲，然后检查进程是否使用自相关重复以确定进程是否以周期性方式发出系统调用。 如果过程是空闲的或者重复限制过程所呈现的攻击面，则该过程受到约束。

公开(公告)号：WO2020167949A1

公开(公告)日：2020-08-20

申请号：PCT/US2020/017929

申请日：2020-02-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： KIM, Chung, Hwan ,  RHEE, Junghwan ,  JEE, Kangkook ,  LI, Zhichun ,  AHMAD, Adil ,  CHEN, Haifeng

IPC: G06F21/57 ,  G06F9/445 ,  G06F9/455

Abstract: Systems and methods for implementing a system architecture to support a trusted execution environment (TEE) with computational acceleration are provided. The method includes establishing a first trusted channel between a user application stored on an enclave and a graphics processing unit (GPU) driver loaded on a hypervisor (640). Establishing the first trusted channel includes leveraging page permissions in an extended page table (EPT) to isolate the first trusted channel between the enclave and the GPU driver in a physical memory of an operating system (OS). The method further includes establishing a second trusted channel between the GPU driver and a GPU device (650). The method also includes launching a unified TEE that includes the enclave and the hypervisor with execution of application code of the user application (660).

公开(公告)号：WO2019032180A1

公开(公告)日：2019-02-14

申请号：PCT/US2018/037183

申请日：2018-06-13

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Ding ,  JEE, Kangkook ,  CHEN, Zhengzhang ,  TANG, LuAn ,  LI, Zhichun

IPC: G06F21/57 ,  G06F17/30

Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.

公开(公告)号：WO2018039424A1

公开(公告)日：2018-03-01

申请号：PCT/US2017/048360

申请日：2017-08-24

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XIAO, Xusheng ,  LI, Zhichun ,  ZHANG, Mu ,  JIANG, Guofei ,  GUI, Jiaping

IPC: G06F17/30

CPC classification number: G06F16/24532 ,  G06F16/22 ,  G06F16/245 ,  G06F16/24535 ,  G06F16/24545 ,  G06F21/57 ,  G06F21/6227 ,  G06F2221/034

Abstract: Methods for querying a database and database systems include optimizing (304) a database query for parallel execution using spatial and temporal information relating to elements in the database, the optimized database query being split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. The sub-queries are executed (306) in parallel. The results of the database query are outputted (310) progressively.

Abstract translation: 用于查询数据库和数据库系统的方法包括使用与数据库中的元素相关的空间和时间信息优化（304）用于并行执行的数据库查询，优化的数据库查询被拆分为子查询 子查询根据主机在时间上按照时间窗口进行空间划分。 子查询并行执行（306）。 数据库查询的结果逐步输出（310）。

公开(公告)号：WO2017177003A1

公开(公告)日：2017-10-12

申请号：PCT/US2017/026359

申请日：2017-04-06

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： RHEE, Junghwan ,  LI, Zhichun ,  WU, Zhenyu ,  JEE, Kangkook ,  JIANG, Guofei

IPC: G06F21/55 ,  G06F21/57

CPC classification number: G06F21/563 ,  G06F11/3688 ,  G06F11/3692 ,  G06F21/564 ,  G06F2221/033

Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.

Abstract translation: 用于识别程序二进制文件中的相似性的系统和方法，包括从一个或多个输入程序二进制文件中提取程序二进制特征以生成对应的混合特征。 混合特征包括参考特征，资源特征，抽象控制流特征和结构特征。 从所提取的混合特征中生成多对二进制文件的组合，并且为每对二进制文件确定相似性分数。 基于与输入混合特征参数组合的每个二进制文件的相似度得分来生成混合差异评分。 根据混合差异分数识别输入程序中恶意软件的可能性。

公开(公告)号：WO2016057994A1

公开(公告)日：2016-04-14

申请号：PCT/US2015/055137

申请日：2015-10-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Zhichun ,  WU, Zhenyu ,  QIAN, Zhiyun ,  JIANG, Guofei ,  AKHOONDI, Masoud ,  KUSANO, Markus

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1416 ,  G06F17/30958 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: Methods and systems for intrusion attack recovery include monitoring (502) two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated (504) based on the audit logs. A relevancy score for each edge of the DGraphs is determined (510). Irrelevant events from the DGraphs are pruned (510) to generate a condensed backtracking graph. An origin is located by backtracking (512) from an attack detection point in the condensed backtracking graph.

Abstract translation: 入侵攻击恢复的方法和系统包括监视（502）网络中的两个或多个主机以生成系统事件的审核日志。 基于审计日志生成一个或多个依赖关系图（DGraph）（504）。 确定DGraph的每个边缘的相关性得分（510）。 修剪了DGraphs中不相关的事件（510），以生成一个浓缩回溯图。 原点是通过回溯（512）从浓缩回溯图中的攻击检测点定位的。

公开(公告)号：WO2020117551A1

公开(公告)日：2020-06-11

申请号：PCT/US2019/063184

申请日：2019-11-26

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： KIM, Chung, Hwan ,  RHEE, Junghwan ,  JEE, Kangkook ,  LI, Zhichun

IPC: G06F21/56 ,  G06F21/53

Abstract: A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program (510), including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage (520), including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis (530), including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack (542).