Patents by Inventor Dhilung Hang Kirat

Dhilung Hang Kirat has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200007512
    Abstract: A computer system trains an AI model to generate a key generated as a same key based on multiple different feature vectors, which are based on specified target environment attributes of a target environment domain. The computer system uses the key to encrypt concealed information as an encrypted payload and distributes the encrypted payload and the trained AI model to another computer system. The other computer system extracts environment attributes based on an environment domain accessible by the other computer system and decodes a candidate key by using the trained AI model that uses the extracted environment attributes of the domain environment as input. The trained AI model is trained to generate a key that is generated as a same key from multiple different feature vectors corresponding to specified target environment attributes of a target environment domain. The other computer system determines whether the candidate key is a correct key.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 2, 2020
    Inventors: Dhilung Hang Kirat, Jiyong Jang, Marc Philippe Stoecklin
  • Publication number: 20190394225
    Abstract: Optimizing ingestion of security structured data into a graph database for security analytics is provided. A plurality of streams of information is received from a plurality of security information sources. Respective subsets of information are ingested from each of the plurality of security information sources to generate small subgraphs of security information. Each of the small subgraphs comply to a schema used by a master knowledge graph. A batch process is performed to ingest a plurality of small subgraphs into the master knowledge graph.
    Type: Application
    Filed: June 22, 2018
    Publication date: December 26, 2019
    Inventors: Sulakshan Vajipayajula, Stephen C. Will, Dhilung Hang Kirat, Kaushal K. Kapadia, Anne Tilstra
  • Publication number: 20190190945
    Abstract: A cognitive security analytics platform is enhanced by providing a computationally- and storage-efficient data mining technique to improve the confidence and support for one or more hypotheses presented to a security analyst. The approach herein enables the security analyst to more readily validate a hypothesis and thereby corroborate threat assertions to identify the true causes of a security offense or alert. The data mining technique is entirely automated but involves an efficient search strategy that significantly reduces the number of data queries to be made against a data store of historical data. To this end, the algorithm makes use of maliciousness information attached to each hypothesis, and it uses a confidence schema to sequentially test indicators of a given hypothesis to generate a rank-ordered (by confidence) list of hypotheses to be presented for analysis and response by the security analyst.
    Type: Application
    Filed: December 20, 2017
    Publication date: June 20, 2019
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Youngja Park, Marc Philippe Stoecklin
  • Patent number: 10313365
    Abstract: An automated method for processing security events begins upon receipt of information representing an offense. Based in part on context data extracted from the offense, an offense context graph is built. The offense context graph comprises nodes and edges, with an edge therein representing a relationship between a pair of nodes, at least one of the nodes being a root node representing an entity associated with the offense. The method then continues by mining information about other events that are determined to share a local contextual relationship with the offense represented by the offense context graph. This operation generates an enriched offense context graph. The enriched offense context graph is then pruned to identify an offense context for further examination. Pruning may involve applying a metric to events associated with the offense and removing nodes that, based on evaluation of the metric, do not contribute to the offense.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: June 4, 2019
    Assignee: International Business Machines Corporation
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Youngja Park, Marc Philippe Stoecklin
  • Publication number: 20190108339
    Abstract: Approaches to deactivating evasive malware. In an approach, a computer system installs an imitating resource in the computer system and the imitating resource creates an imitating environment of malware analysis, wherein the imitating resource causes the evasive malware to respond to the imitating environment of the malware analysis as to a real environment of the malware analysis. In the imitating environment of malware analysis, the evasive malware determines not to perform malicious behavior. In another approach, a computer system intercepts a call from the evasive malware to a resource on the computer system and returns a virtual resource to the call, wherein in the virtual resource one or more values of the resource on the computer system are modified.
    Type: Application
    Filed: October 6, 2017
    Publication date: April 11, 2019
    Inventors: ZHONGSHU GU, HEQING HUANG, JIYONG JANG, DHILUNG HANG KIRAT, XIAOKUI SHU, MARC P. STOECKLIN, JIALONG ZHANG
  • Patent number: 10216673
    Abstract: Communications are intercepted between a universal serial bus (USB) device and a host, at least by implementing first device firmware of the USB device. The USB device contains its own second device firmware. Using at least the implemented first device firmware, intercepted communications from the USB device toward the host are sanitized. The sanitizing is performed so that no communication from the USB device is directly forwarded to the host and instead only sanitized communications are forwarded to the host. Methods, apparatus, and computer program products are disclosed.
    Type: Grant
    Filed: January 16, 2017
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Anton Beitler, Jiyong Jang, Dhilung Hang Kirat, Anil Kurmus, Matthias Neugschwandtner, Marc Philippe Stoecklin
  • Publication number: 20180367547
    Abstract: A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.
    Type: Application
    Filed: June 19, 2017
    Publication date: December 20, 2018
    Inventors: Jiyong JANG, Dhilung Hang Kirat, Bum Jun Kwon, Douglas Lee Schales, Marc Philippe Stoecklin
  • Publication number: 20180367549
    Abstract: An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined in a set of weights associated to the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using security analyst workflow to augment generation of weights, preferably the machine learning system provides recommendations back to the security analysts to thereby influence their workflow.
    Type: Application
    Filed: June 14, 2017
    Publication date: December 20, 2018
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Marc Philippe Stoecklin
  • Publication number: 20180270194
    Abstract: USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized. In response to not having a previous policy for the USB device, a request is made for a user to be prompted to provide a policy of one of block, allow, or sanitize for the USB device. In response to a user-provided-policy, one of the following are performed: blocking the traffic, allowing the traffic, or sanitizing the traffic between the USB device and the computer system. Apparatus, methods, and computer program products are disclosed.
    Type: Application
    Filed: March 17, 2017
    Publication date: September 20, 2018
    Inventors: Anton BEITLER, Jiyong JANG, Dhilung Hang KIRAT, Anil KURMUS, Matthias NEUGSCHWANDTNER, Marc Philippe STOECKLIN
  • Publication number: 20180203819
    Abstract: Communications are intercepted between a universal serial bus (USB) device and a host, at least by implementing first device firmware of the USB device. The USB device contains its own second device firmware. Using at least the implemented first device firmware, intercepted communications from the USB device toward the host are sanitized. The sanitizing is performed so that no communication from the USB device is directly forwarded to the host and instead only sanitized communications are forwarded to the host. Methods, apparatus, and computer program products are disclosed.
    Type: Application
    Filed: January 16, 2017
    Publication date: July 19, 2018
    Inventors: Anton Beitler, Jiyong Jang, Dhilung Hang Kirat, Anil Kurmus, Matthias Neugschwandtner, Marc Philippe Stoecklin
  • Publication number: 20180159876
    Abstract: An automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. Using entities identified in the initial version, additional security information is then received. The additional information is extracted from one or more unstructured data sources. The additional information includes text in which the entities (from the structured data sources) appear. The text is processed to extract relationships involving the entities (from the structured data sources) to generate entities and relationships extracted from the unstructured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from the unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.
    Type: Application
    Filed: December 5, 2016
    Publication date: June 7, 2018
    Inventors: Youngja Park, Jiyong Jang, Dhilung Hang Kirat, Josyula R. Rao, Marc Philippe Stoecklin
  • Publication number: 20180048662
    Abstract: An automated method for processing security events begins upon receipt of information representing an offense. Based in part on context data extracted from the offense, an offense context graph is built. The offense context graph comprises nodes and edges, with an edge therein representing a relationship between a pair of nodes, at least one of the nodes being a root node representing an entity associated with the offense. The method then continues by mining information about other events that are determined to share a local contextual relationship with the offense represented by the offense context graph. This operation generates an enriched offense context graph. The enriched offense context graph is then pruned to identify an offense context for further examination. Pruning may involve applying a metric to events associated with the offense and removing nodes that, based on evaluation of the metric, do not contribute to the offense.
    Type: Application
    Filed: August 15, 2016
    Publication date: February 15, 2018
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Youngja Park, Marc Philippe Stoecklin
  • Publication number: 20180046928
    Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.
    Type: Application
    Filed: August 15, 2016
    Publication date: February 15, 2018
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Youngja Park, Marc Philippe Stoecklin