-
Publication number: US10296844B2
Publication date: 2019-05-21
Application number: US14846093
Application date: 2015-09-04
Applicant: NEC Laboratories America, Inc.
Inventor: Hui Zhang , Jianwu Xu , Guofei Jiang , Kenji Yoshihira , Pallavi Joshi
Abstract: A method and system are provided. The method includes performing, by a logs-to-time-series converter, a logs-to-time-series conversion by transforming a plurality of heterogeneous logs into a set of time series. Each of the heterogeneous logs includes a time stamp and text portion with one or more fields. The method further includes performing, by a time-series-to-sequential-pattern converter, a time-series-to-sequential-pattern conversion by mining invariant relationships between the set of time series, and discovering sequential message patterns and association rules in the plurality of heterogeneous logs using the invariant relationships. The method also includes executing, by a processor, a set of log management applications, based on the sequential message patterns and the association rules.
-
Publication number: US10289509B2
Publication date: 2019-05-14
Application number: US15478714
Application date: 2017-04-04
Applicant: NEC Laboratories America, Inc.
Inventor: Jianwu Xu , Ke Zhang , Hui Zhang , Renqiang Min , Guofei Jiang
Abstract: Methods for system failure prediction include clustering log files according to structural log patterns. Feature representations of the log files are determined based on the log clusters. A likelihood of a system failure is determined based on the feature representations using a neural network. An automatic system control action is performed if the likelihood of system failure exceeds a threshold.
-
Publication number: US10289478B2
Publication date: 2019-05-14
Application number: US15490499
Application date: 2017-04-18
Applicant: NEC Laboratories America, Inc.
Inventor: Wei Cheng , Kenji Yoshihira , Haifeng Chen , Guofei Jiang
Abstract: Methods are provided for both single modal and multimodal fault diagnosis. In a method, a fault fingerprint is constructed based on a fault event using an invariant model. A similarity matrix between the fault fingerprint and one or more historical representative fingerprints are derived using dynamic time warping and at least one convolution. A feature vector in a feature subspace for the fault fingerprint is generated. The feature vector includes at least one status of at least one system component during the fault event. A corrective action correlated to the fault fingerprint is determined. The corrective action is initiated on a hardware device to mitigate expected harm to at least one item selected from the group consisting of the hardware device, another hardware device related to the hardware device, and a person related to the hardware device.
-
Publication number: US09904780B2
Publication date: 2018-02-27
Application number: US14812634
Application date: 2015-07-29
Applicant: NEC Laboratories America, Inc.
Inventor: Junghwan Rhee , Yangchun Fu , Zhenyu Wu , Hui Zhang , Zhichun Li , Guofei Jiang
CPC classification number: G06F21/52 , G06F21/554 , G06F21/60 , G06F2221/033
Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.
-
Publication number: US20170288979A1
Publication date: 2017-10-05
Application number: US15477625
Application date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira , Zhichun Li , Zhengzhang Chen , Haifeng Chen , Guofei Jiang , LuAn Tang
CPC classification number: H04L41/145 , H04L41/12 , H04L41/142 , H04L43/045 , H04L63/1425
Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication number: US20170288974A1
Publication date: 2017-10-05
Application number: US15477603
Application date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira , Zhichun Li , Zhengzhang Chen , Haifeng Chen , Guofei Jiang , LuAn Tang
CPC classification number: H04L41/12 , G06F21/552 , H04L41/142 , H04L41/145 , H04L63/1425
Abstract: Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication number: US20170279840A1
Publication date: 2017-09-28
Application number: US15429849
Application date: 2017-02-10
Applicant: NEC Laboratories America, Inc.
Inventor: Hui Zhang , Guofei Jiang
IPC: H04L29/06
CPC classification number: H04L63/1425
Abstract: A system, program, and method for anomaly detection in heterogeneous logs. The system having a processor configured to identify pattern fields comprised of a plurality of event identifiers. The processor is further configured to generate an automata model by profiling event behaviors of the plurality of event sequences, the plurality of event sequences grouped in the automata model by combinations of one or more pattern fields and one or more event identifiers from among the plurality of event identifiers, wherein for a given combination, the one or more event identifiers therein must be respectively comprised in a same one of the one or more pattern fields with which it is combined. The processor is additionally configured to detect an anomaly in one of the plurality of event sequences using the automata model. The processor is also configured to control an anomaly-initiating one of the network devices based on the anomaly.
-
Publication number: US20170278007A1
Publication date: 2017-09-28
Application number: US15375291
Application date: 2016-12-12
Applicant: NEC Laboratories America, Inc.
Inventor: Pranay Anchuri , Hui Zhang , Guofei Jiang
Abstract: A computer-implemented method provides an early warning of an impending failure in a monitored system. The method includes performing, by a processor, an offline model learning process that generates a model of expected log rates in the monitored system from historical log data. The model represents a normal behavior of the monitored system. The method further includes performing an online detection process that detects the impending failure in the monitored system prior to an actual occurrence thereof based on (i) the model of expected log rates and (ii) observed log rates. The method also includes displaying, by a display device based on (i) the model of expected log rates and (ii) observed log rates in the monitored system, information relating to the impending failure prior to the actual occurrence of the impending failure. The online detection process identifies short term and long term failures and long term failures.
-
Publication number: US09736064B2
Publication date: 2017-08-15
Application number: US14571778
Application date: 2014-12-16
Applicant: NEC Laboratories America, Inc.
Inventor: Hui Zhang , Behnaz Arzani , Franjo Ivancic , Junghwan Rhee , Nipun Arora , Guofei Jiang
IPC: H04L12/717 , H04L12/701 , H04L12/841
CPC classification number: H04L45/42 , H04L41/12 , H04L41/145 , H04L43/0864 , H04L43/106 , H04L45/00 , H04L45/64 , H04L47/283
Abstract: Methods and systems for finding a packet's routing path in a network includes intercepting control messages sent by a controller to one or more switches in a software defined network (SDN). A state of the SDN at a requested time is emulated and one or more possible routing paths through the emulated SDN is identified by replaying the intercepted control messages to one or more emulated switches in the emulated SDN. The one or more possible routing paths correspond to a requested packet injected into the SDN at the requested time.
-
Publication number: US20170149814A1
Publication date: 2017-05-25
Application number: US15425335
Application date: 2017-02-06
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen , LuAn Tang , Guofei Jiang , Kenji Yoshihira , Haifeng Chen
CPC classification number: H04L63/1425 , H04L41/12 , H04L41/142 , H04L41/145 , H04L63/1408 , H04L2463/121
Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.