公开(公告)号：US20160086097A1

公开(公告)日：2016-03-24

申请号：US14846093

申请日：2015-09-04

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Jianwu Xu ,  Guofei Jiang ,  Kenji Yoshihira ,  Pallavi Joshi

IPC: G06N99/00 ,  G06N5/04

CPC classification number: G06N99/005

Abstract: A method and system are provided. The method includes performing, by a logs-to-time-series converter, a logs-to-time-series conversion by transforming a plurality of heterogeneous logs into a set of time series. Each of the heterogeneous logs includes a time stamp and text portion with one or more fields. The method further includes performing, by a time-series-to-sequential-pattern converter, a time-series-to-sequential-pattern conversion by mining invariant relationships between the set of time series, and discovering sequential message patterns and association rules in the plurality of heterogeneous logs using the invariant relationships. The method also includes executing, by a processor, a set of log management applications, based on the sequential message patterns and the association rules.

Abstract translation: 提供了一种方法和系统。 该方法包括：通过日志到时间序列转换器，通过将多个异构日志转换为一组时间序列来进行日志到时间序列转换。 每个异类日志包括具有一个或多个字段的时间戳和文本部分。 该方法还包括通过时间序列到顺序模式转换器，通过在时间序列集合之间挖掘不变关系，并且发现顺序消息模式和关联规则来执行时间序列到顺序模式转换 使用不变关系的多个异类日志。 该方法还包括基于顺序消息模式和关联规则由处理器执行一组日志管理应用程序。

公开(公告)号：US20160034687A1

公开(公告)日：2016-02-04

申请号：US14812634

申请日：2015-07-29

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Yangchun Fu ,  Zhenyu Wu ,  Hui Zhang ,  Zhichun Li ,  Guofei Jiang

IPC: G06F21/52 ,  G06F11/07 ,  G06F21/60

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 一种或多种应用中用于检测和预防面向对象编程（ROP）攻击的系统和方法，包括攻击检测设备和堆栈检测设备，用于执行堆栈检测以检测堆栈中的ROP小部件。 堆栈检查包括从堆叠顶部的堆叠框架朝向堆叠的底部行进的堆栈以检测一个或多个故障条件，确定是否存在有效堆栈帧和返回代码地址; 并且如果不存在有效的堆栈帧和返回码，则确定故障条件类型，其中III型故障条件指示ROP攻击。 使用遏制设备包含ROP攻击，并且使用攻击分析设备来分析ROP攻击期间在堆栈中检测到的ROP小部件。

公开(公告)号：US20150180755A1

公开(公告)日：2015-06-25

申请号：US14575013

申请日：2014-12-18

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Junghwan Rhee ,  Nipun Arora ,  Cristian Lumezanu ,  Guofei Jiang

IPC: H04L12/26

CPC classification number: H04L41/0631 ,  H04L41/069 ,  H04L41/14 ,  H04L43/0858

Abstract: A computer implemented method for network monitoring includes providing network packet event characterization and analysis for network monitoring that includes supporting summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including a trace slicing to organize individual packet events into path-based trace slices, a trace characterization to extract at least 2 types of feature matrix describing those trace slices, and a trace analysis to cluster, rank and query packet traces based on metrics of the feature matrix.

Abstract translation: 一种用于网络监测的计算机实现方法包括为网络监测提供网络分组事件表征和分析，其包括支持在虚拟网络中跨越不同类型的多个处理元件收集的网络分组跟踪的概括和表征，包括用于组织各个分组事件的跟踪分片 基于路径的跟踪切片，提取描述这些跟踪切片的至少2种类型的特征矩阵的跟踪表征，以及基于特征矩阵的度量的集群，排序和查询分组跟踪的跟踪分析。

公开(公告)号：US20150106794A1

公开(公告)日：2015-04-16

申请号：US14512653

申请日：2014-10-13

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Hui Zhang ,  Nipun Arora ,  Guofei Jiang ,  Chung Hwan Kim

IPC: G06F11/36 ,  G06F9/44

CPC classification number: G06F11/3636 ,  G06F11/3419

Abstract: Methods and systems for performance inference include inferring an internal application status based on a unified call stack trace that includes both user and kernel information by inferring user function instances. A calling context encoding is generated that includes information regarding function calling paths. Application performance is analyzed based on the encoded calling contexts. The analysis includes performing a top-down latency breakdown and ranking calling contexts according to how costly each function calling path is.

Abstract translation: 用于性能推理的方法和系统包括通过推断用户功能实例来推断基于包括用户和内核信息的统一调用堆栈跟踪的内部应用程序状态。 生成包含有关函数调用路径的信息的调用上下文编码。 基于编码的呼叫上下文来分析应用性能。 分析包括根据每个功能调用路径的代价昂贵地执行自上而下的延迟故障和排序呼叫上下文。

公开(公告)号：US11294754B2

公开(公告)日：2022-04-05

申请号：US16200950

申请日：2018-11-27

Applicant: NEC Laboratories America, Inc.

Inventor： Jianwu Xu ,  Hui Zhang ,  Haifeng Chen ,  Tanay Kumar Saha

IPC: G06F11/00 ,  G06F11/07 ,  G06N20/10

Abstract: Systems and methods for contextual event sequence analysis of system failure that analyzes heterogeneous system event record logs are disclosed. The disclosure relates to analyzing event sequences for system failure in ICT and other computerized systems and determining their causes and propagation chains.

公开(公告)号：US10795753B2

公开(公告)日：2020-10-06

申请号：US16207851

申请日：2018-12-03

Applicant: NEC Laboratories America, Inc.

Inventor： Jianwu Xu ,  Hui Zhang ,  Haifeng Chen ,  Tanay Kumar Saha ,  Pranay Anchuri

IPC: G06F11/07 ,  G06K9/62 ,  G06F11/14 ,  G06K9/68

Abstract: Methods and systems for system failure diagnosis and correction include extracting syntactic patterns from a plurality of logs with heterogeneous formats. The syntactic patterns are clustered according to categories of system failure. A single semantically unique pattern is extracted for each category of system failure. The semantically unique patterns are matched to recent log information to detect a corresponding system failure. A corrective action us performed responsive to the detected system failure.

公开(公告)号：US10678669B2

公开(公告)日：2020-06-09

申请号：US15956381

申请日：2018-04-18

Applicant: NEC Laboratories America, Inc.

Inventor： Biplob Debnath ,  Hui Zhang

IPC: G06F11/00 ,  G06F11/34 ,  G06F11/07 ,  G06F11/30 ,  G06F16/35

Abstract: A system and method are provided for pattern discovery in input heterogeneous logs having unstructured text content and one or more fields. The system includes a memory. The system further includes a processor in communication with the memory. The processor runs program code to preprocess the input heterogeneous logs to obtain pre-processed logs by splitting the input heterogeneous logs into tokens. The processor runs program code to generate seed patterns from the preprocessed logs. The processor runs program code to generate final patterns by specializing a selected set of fields in each of the seed patterns to generate a final pattern set.

公开(公告)号：US10567409B2

公开(公告)日：2020-02-18

申请号：US15889733

申请日：2018-02-06

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Jianwu Xu ,  Bo Zong

IPC: G06F11/00 ,  H04L29/06 ,  G06N20/00 ,  G06N5/04

Abstract: A method for implementing automatic and scalable log pattern learning in security log analysis is provided. The method includes collecting security logs generated by a computer system. An incremental learning process is implemented to generate a set of log patterns from the collected security logs. The collected security logs are parsed using the set of log patterns.

公开(公告)号：US10296430B2

公开(公告)日：2019-05-21

申请号：US15478753

申请日：2017-04-04

Applicant: NEC Laboratories America, Inc.

Inventor： Jianwu Xu ,  Ke Zhang ,  Hui Zhang ,  Renqiang Min ,  Guofei Jiang

IPC: G06F11/22 ,  G06F11/00 ,  G06N3/08

Abstract: Mobile phones and methods for mobile phone failure prediction include receiving respective log files from one or more mobile phone components, including at least one user application. The log files have heterogeneous formats. A likelihood of failure of one or more mobile phone components is determined based on the received log files by clustering the plurality of log files according to structural log patterns and determining feature representations of the log files based on the log clusters. A user is alerted to a potential failure if the likelihood of component failure exceeds a first threshold. An automatic system control action is performed if the likelihood of component failure exceeds a second threshold.

公开(公告)号：US20180276566A1

公开(公告)日：2018-09-27

申请号：US15874220

申请日：2018-01-18

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Bo Zong

IPC: G06N99/00 ,  G06F17/30

CPC classification number: C07F1/00 ,  C07F1/08 ,  C07F3/003 ,  C07F3/02 ,  C07F3/06 ,  C07F5/003 ,  C07F7/003 ,  C07F7/28 ,  C07F9/005 ,  C07F11/005 ,  C07F13/005 ,  C07F15/0046 ,  C07F15/025 ,  C07F15/045 ,  C07F15/065 ,  C23C16/18 ,  C23C16/45553 ,  G05B23/0218 ,  G06F16/951 ,  G06N20/00 ,  H01L21/02205 ,  H01L21/32051

Abstract: Systems and methods for automatically generating a set of meta-parameters used to train invariant-based anomaly detectors are provided. Data is transformed into a first set of time series data and a second set of time series data. A fitness threshold search is performed on the first set of time series data to automatically generate a fitness threshold, and a time resolution search is performed on the set of second time series data to automatically generate a time resolution. A set of meta-parameters including the fitness threshold and the time resolution are sent to one or more user devices across a network to govern the training of an invariant-based anomaly detector.