Patents by Inventor Xiaokui Shu

Xiaokui Shu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200201989
    Abstract: This disclosure provides an automatic causality tracking system that meets real-time analysis needs. It solves causality tracking for cybersecurity, preferably as three sub-tasks: backward tracking, forward tracking, and path-finding. Given a set of threat indicators, the first sub-task yields the system elements (e.g., entities such as processes, files, network sockets, and the like) that contribute information to a set of threat indicators backward in time. The second sub-task yields system elements forward in time. Given two sets of threat indicators, the third sub-task yields shortest paths between them, e.g., how the two sets of indicators are connected to one another. The system enables efficient multi-point traversal analysis with respect to a set of potential compromise points, and using data from real information flows.
    Type: Application
    Filed: October 12, 2018
    Publication date: June 25, 2020
    Applicant: International Business Machines Corporation
    Inventors: Xiaokui Shu, Douglas L. Schales, Marc Philippe Stoecklin
  • Patent number: 10643141
    Abstract: A webpage navigation of a user over a timeframe and a second webpage navigation of a second user over a second timeframe may be received. A time-variant variable-order Markov model, comprising a context tree, may be generated utilizing the webpage navigation and the second webpage navigation. A third webpage navigation of a third user may be received. A probability that the third user may interact with content, that the third user is a non-human entity, and/or that the third user will access a website may be determined based upon an evaluation of the third webpage navigation using the time-variant variable-order Markov model. A second client device is instructed to present the content to the third user, to present a human verification mechanism to the third user, and/or to instruct a server, providing the website, to alter a server capacity for the website.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: May 5, 2020
    Assignee: Oath Inc.
    Inventors: Nikolay Pavlovich Laptev, Xiaokui Shu
  • Patent number: 10631168
    Abstract: Advanced persistent threats to a mobile device are detected and prevented by leveraging the built-in mandatory access control (MAC) environment in the mobile operating system in a “stateful” manner. To this end, the MAC mechanism is placed in a permissive mode of operation wherein permission denials are logged but not enforced. The mobile device security environment is augmented to include a monitoring application that is instantiated with system privileges. The application monitors application execution parameters of one or more mobile applications executing on the device. These application execution parameters including, without limitation, the permission denials, are collected and used by the monitoring application to facilitate a stateful monitoring of the operating system security environment. By assembling security-sensitive events over a time period, the system identifies an advanced persistent threat (APT) that otherwise leverages multiple steps using benign components.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: April 21, 2020
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Xiaokui Shu, Jialong Zhang
  • Publication number: 20200120109
    Abstract: A technique for storage-efficient cyber incident reasoning by graph matching. The method begins with a graph pattern that comprises a set of elements with constraints and connections among them. A graph of constraint relations (GoC) in the graph pattern is derived. An activity graph representing activity data captured in association with a host machine is then obtained. In response to a query, one or more subgraphs of the activity graph that satisfy the graph pattern are then located and, in particular, by iteratively solving constraints in the graph pattern. In particular, a single element constraint is solved to generate a result, and that result is propagated to connected constraints in the graph of constraint relations. This process continues until all single element constraints have been evaluated, and all propagations have been performed. The subgraphs of the activity graph that result are then returned in response to a database query.
    Type: Application
    Filed: October 12, 2018
    Publication date: April 16, 2020
    Applicant: International Business Machines Corporation
    Inventors: Xiaokui Shu, Douglas L. Schales, Marc Philippe Stoecklin, Frederico Araujo
  • Publication number: 20200120118
    Abstract: An automated method for cyberattack detection and prevention in an endpoint. The technique monitors and protects the endpoint by recording inter-process events, creating an inter-process activity graph based on the recorded inter-process events, matching the inter-process activity (as represented in the activity graph) against known malicious or suspicious behavior (as embodied in a set of one or more pattern graphs), and performing a post-detection operation in response to a match between an inter-process activity and a known malicious or suspicious behavior pattern. Preferably, matching involves matching a subgraph in the activity graph with a known malicious or suspicious behavior pattern as represented in the pattern graph. During this processing, preferably both direct and indirect inter-process activities at the endpoint (or across a set of endpoints) are compared to the known behavior patterns.
    Type: Application
    Filed: October 12, 2018
    Publication date: April 16, 2020
    Applicant: International Business Machines Corporation
    Inventors: Xiaokui Shu, Zhongshu Gu, Heqing Huang, Marc Philippe Stoecklin, Jialong Zhang
  • Publication number: 20200089879
    Abstract: A computer-implemented method, a computer program product, and a computer system. The computer system installs and configures a virtual imitating resource in the computer system, wherein the virtual imitating resource imitates a set of resources in the computer system. Installing and configuring the virtual imitating resource includes modifying respective values of an installed version of the virtual imitating resource for an environment of the computer system, determining whether the virtual imitating resource is a static imitating resource or a dynamic imitating resource, and comparing a call graph of the evasive malware with patterns of dynamic imitating resources on a database. The computer system returns a response from an appropriate element of the virtual imitating resource, in response to a call from the evasive malware to a real computing resource, return, by the computer system.
    Type: Application
    Filed: November 25, 2019
    Publication date: March 19, 2020
    Inventors: ZHONGSHU GU, HEQING HUANG, JIYONG JANG, DHILUNG HANG KIRAT, XIAOKUI SHU, MARC P. STOECKLIN, JIALONG ZHANG
  • Patent number: 10546128
    Abstract: Approaches to deactivating evasive malware. In an approach, a computer system installs an imitating resource in the computer system and the imitating resource creates an imitating environment of malware analysis, wherein the imitating resource causes the evasive malware to respond to the imitating environment of the malware analysis as to a real environment of the malware analysis. In the imitating environment of malware analysis, the evasive malware determines not to perform malicious behavior. In another approach, a computer system intercepts a call from the evasive malware to a resource on the computer system and returns a virtual resource to the call, wherein in the virtual resource one or more values of the resource on the computer system are modified.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: January 28, 2020
    Assignee: International Business Machines Corporation
    Inventors: Zhongshu Gu, Heqing Huang, Jiyong Jang, Dhilung Hang Kirat, Xiaokui Shu, Marc P. Stoecklin, Jialong Zhang
  • Publication number: 20190306719
    Abstract: Advanced persistent threats to a mobile device are detected and prevented by leveraging the built-in mandatory access control (MAC) environment in the mobile operating system in a “stateful” manner. To this end, the MAC mechanism is placed in a permissive mode of operation wherein permission denials are logged but not enforced. The mobile device security environment is augmented to include a monitoring application that is instantiated with system privileges. The application monitors application execution parameters of one or more mobile applications executing on the device. These application execution parameters including, without limitation, the permission denials, are collected and used by the monitoring application to facilitate a stateful monitoring of the operating system security environment. By assembling security-sensitive events over a time period, the system identifies an advanced persistent threat (APT) that otherwise leverages multiple steps using benign components.
    Type: Application
    Filed: March 28, 2018
    Publication date: October 3, 2019
    Applicant: International Business Machines Corporation
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Xiaokui Shu, Jialong Zhang
  • Publication number: 20190108339
    Abstract: Approaches to deactivating evasive malware. In an approach, a computer system installs an imitating resource in the computer system and the imitating resource creates an imitating environment of malware analysis, wherein the imitating resource causes the evasive malware to respond to the imitating environment of the malware analysis as to a real environment of the malware analysis. In the imitating environment of malware analysis, the evasive malware determines not to perform malicious behavior. In another approach, a computer system intercepts a call from the evasive malware to a resource on the computer system and returns a virtual resource to the call, wherein in the virtual resource one or more values of the resource on the computer system are modified.
    Type: Application
    Filed: October 6, 2017
    Publication date: April 11, 2019
    Inventors: ZHONGSHU GU, HEQING HUANG, JIYONG JANG, DHILUNG HANG KIRAT, XIAOKUI SHU, MARC P. STOECKLIN, JIALONG ZHANG
  • Publication number: 20170068899
    Abstract: As provided herein, a webpage navigation of a user over a timeframe and a second webpage navigation of a second user over a second timeframe may be received. A time-variant variable-order Markov model, comprising a context tree, may be generated utilizing the webpage navigation and the second webpage navigation. A third webpage navigation of a third user may be received. A probability that the third user may interact with content, that the third user is a non-human entity, and/or that the third user will access a website may be determined based upon an evaluation of the third webpage navigation using the time-variant variable-order Markov model. A second client device is instructed to present the content to the third user, to present a human verification mechanism to the third user, and/or to instruct a server, providing the website, to alter a server capacity for the website.
    Type: Application
    Filed: September 9, 2015
    Publication date: March 9, 2017
    Inventors: Nikolay Pavlovich Laptev, Xiaokui Shu