-
Publication (Announcement) No.: US10915625B2
Publication (Announcement) date: 2021-02-09
Application No.: US16161701
Application date: 2018-10-16
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang, Zhengzhang Chen, Zhichun Li, Zhenyu Wu, Jumpei Kamimura, Haifeng Chen
Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, employing an alert interpretation module to interpret the alerts in real-time, matching problematic entities to the streaming data, retrieving following events, and generating an aftermath graph on a visualization component.
-
Publication (Announcement) No.: US10476753B2
Publication (Announcement) date: 2019-11-12
Application No.: US15902369
Application date: 2018-02-22
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
Abstract: Methods and systems for modeling host behavior in a network include determining a first probability function for observing each of a set of process-level events at a first host based on embedding vectors for the first event and the first host. A second probability function is determined for the first host issuing each of a set of network-level events connecting to a second host based on embedding vectors for the first host and the second host. The first and second probability functions are maximized to determine a set of likely process-level and network-level events for the first host. A security action is performed based on the modeled host behavior.
-
Publication (Announcement) No.: US10476752B2
Publication (Announcement) date: 2019-11-12
Application No.: US15477625
Application date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira, Zhichun Li, Zhengzhang Chen, Haifeng Chen, Guofei Jiang, LuAn Tang
Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication (Announcement) No.: US10333815B2
Publication (Announcement) date: 2019-06-25
Application No.: US15413812
Application date: 2017-01-24
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang, Zhengzhang Chen, Haifeng Chen, Kenji Yoshihira, Guofei Jiang
Abstract: A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.
-
Publication (Announcement) No.: US10298607B2
Publication (Announcement) date: 2019-05-21
Application No.: US15725994
Application date: 2017-10-05
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
-
Publication (Announcement) No.: US20180351971A1
Publication (Announcement) date: 2018-12-06
Application No.: US16055675
Application date: 2018-08-06
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, LuAn Tang, Zhichun Li, Chen Luo
Abstract: A computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning is presented. The computer-implemented method includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.
-
Publication (Announcement) No.: US20250124279A1
Publication (Announcement) date: 2025-04-17
Application No.: US18889610
Application date: 2024-09-19
Applicant: NEC Laboratories America, Inc.
Inventor: Yuncong Chen, Wenchao Yu, Wei Cheng, Yanchi Liu, Haifeng Chen, Zhengzhang Chen, LuAn Tang, Liri Fang
IPC: G06N3/08, G06N3/0455
Abstract: Systems and methods for training a time-series-language (TSLa) model adapted for domain-specific tasks. An encoder-decoder neural network can be trained to tokenize time-series data to obtain a discrete-to-language embedding space. The TSLa model can learn a linear mapping function by concatenating token embeddings from the discrete-to-language embedding space with positional encoding to obtain mixed-modality token sequences. Token augmentation can transform the tokens from the mixed-modality token sequences to obtain augmented tokens. The augmented tokens can train the TSLa model using a computed token likelihood to predict next tokens for the mixed-modality token sequences to obtain a trained TSLa model. A domain-specific dataset can fine-tune the trained TSLa model to adapt the trained TSLa model to perform a domain-specific task.
-
Publication (Announcement) No.: US20250094271A1
Publication (Announcement) date: 2025-03-20
Application No.: US18829545
Application date: 2024-09-10
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, Lecheng Zheng, Haifeng Chen, Yanchi Liu, Xujiang Zhao, Yuncong Chen, LuAn Tang
Abstract: Systems and methods for log representation learning for automated system maintenance. An optimized parser can transform collected system logs into log templates. A tokenizer can tokenize the log templates partitioned into time windows to obtain log template tokens. The log template tokens can train a language model (LM) with deep learning to obtain a trained LM. The trained LM can detect anomalies from system logs to obtain detected anomalies. A corrective action can be performed on a monitored entity based on the detected anomalies.
-
Publication (Announcement) No.: US20240231994A9
Publication (Announcement) date: 2024-07-11
Application No.: US18493374
Application date: 2023-10-24
Applicant: NEC Laboratories America, Inc.
Inventor: Yuncong Chen, LuAn Tang, Yanchi Liu, Zhengzhang Chen, Haifeng Chen
IPC: G06F11/07
CPC classification number: G06F11/079, G06F11/0709, G06F11/0793, G16H50/20
Abstract: Methods and systems for anomaly detection include encoding a multivariate time series and a multi-type event sequence using respective transformers and an aggregation network to generate a feature vector. Anomaly detection is performed using the feature vector to identify an anomaly within a system. A corrective action is performed responsive to the anomaly to correct or mitigate an effect of the anomaly. The detected anomaly can be used in a healthcare context to support decision making by medical professionals with respect to the treatment of a patient. The encoding may include machine learning models to implement the transformers and the aggregation network using deep learning.
-
Publication (Announcement) No.: US20230376589A1
Publication (Announcement) date: 2023-11-23
Application No.: US18302908
Application date: 2023-04-19
Applicant: NEC Laboratories America, Inc.
Inventor: Zhengzhang Chen, Yuncong Chen, LuAn Tang, Haifeng Chen
CPC classification number: G06F21/552, G06F21/577, G06F2221/034, G06F2221/2101
Abstract: A method for detecting an origin of a computer attack given a detection point based on multi-modality data is presented. The method includes monitoring a plurality of hosts in different enterprise system entities to audit log data and metrics data, generating causal dependency graphs to learn statistical causal relationships between the different enterprise system entities based on the log data and the metrics data, detecting a computer attack by pinpointing attack detection points, backtracking from the attack detection points by employing the causal dependency graphs to locate an origin of the computer attack, and analyzing computer attack data resulting from the backtracking to prevent present and future computer attacks.