公开(公告)号：US20200092315A1

公开(公告)日：2020-03-19

申请号：US16562805

申请日：2019-09-06

Applicant: NEC Laboratories America, Inc.

Inventor： Wei Cheng ,  LuAn Tang ,  Haifeng Chen ,  Bo Zong ,  Jingchao Ni

IPC: H04L29/06 ,  G06N3/08

Abstract: Systems and methods for implementing sequence data based temporal behavior analysis (SDTBA) to extract features for characterizing temporal behavior of network traffic are provided. The method includes extracting communication and profile data associated with one or more devices to determine sequences of data associated with the devices. The method includes generating temporal features to model anomalous network traffic. The method also includes inputting, into an anomaly detection process for anomalous network traffic, the temporal features and the sequences of data associated with the devices and formulating a list of prediction results of anomalous network traffic associated with the devices.

公开(公告)号：US20190171644A1

公开(公告)日：2019-06-06

申请号：US16207644

申请日：2018-12-03

Applicant: NEC Laboratories America, Inc.

Inventor： Jianwu Xu ,  Bo Zong ,  Haifeng Chen

IPC: G06F16/2453 ,  G06F16/2455 ,  G06F16/2458

Abstract: Methods and systems for event detection and correction include determining a log pattern for a received event. The log pattern is translated to an event search query. The event search query is weighted according to discriminative dimensions using term-frequency inverse-document-frequency. The event search query is matched to one or more known events. A corrective action is automatically performed based on a solution associated with the one or more known events.

公开(公告)号：US10298607B2

公开(公告)日：2019-05-21

申请号：US15725994

申请日：2017-10-05

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Hengtong Zhang ,  Zhengzhang Chen ,  Bo Zong ,  Zhichun Li ,  Guofei Jiang ,  Kenji Yoshihira

IPC: H04L12/24 ,  H04L12/46 ,  G06F21/55 ,  G06F21/57 ,  H04L29/06

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.

公开(公告)号：US20190124045A1

公开(公告)日：2019-04-25

申请号：US16169012

申请日：2018-10-24

Applicant: NEC Laboratories America, Inc.

Inventor： Bo Zong ,  Daeki Cho ,  Cristian Lumezanu ,  Haifeng Chen ,  Qi Song

IPC: H04L29/06 ,  G06N3/08 ,  G06N3/04

Abstract: Systems and methods for preventing cyberattacks using a Density Estimation Network (DEN) for unsupervised anomaly detection, including constructing the DEN using acquired network traffic data by performing end-to-end training. The training includes generating low-dimensional vector representations of the network traffic data by performing dimensionality reduction of the network traffic data, predicting mixture membership distribution parameters for each of the low-dimensional representations by performing density estimation using a Gaussian Mixture Model (GMM) framework, and formulating an objective function to estimate an energy and determine a density level of the low-dimensional representations for anomaly detection, with an anomaly being identified when the energy exceeds a pre-defined threshold. Cyberattacks are prevented by blocking transmission of network flows with identified anomalies by directly filtering out the flows using a network traffic monitor.

公开(公告)号：US20190098049A1

公开(公告)日：2019-03-28

申请号：US16101815

申请日：2018-08-13

Applicant: NEC Laboratories America, Inc.

Inventor： Cristian Lumezanu ,  Nipun Arora ,  Haifeng Chen ,  Bo Zong ,  Daeki Cho ,  Mingda Li

IPC: H04L29/06 ,  H04L12/733 ,  H04L12/751 ,  H04L12/893

Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by the target network endpoint system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the target network endpoint system responsive to the determination that the received packet has a spoofed source IP address.

公开(公告)号：US20170277997A1

公开(公告)日：2017-09-28

申请号：US15430024

申请日：2017-02-10

Applicant: NEC Laboratories America, Inc.

Inventor： Bo Zong ,  Jianwu Xu ,  Guofei Jiang

IPC: G06N5/02 ,  G06N99/00

CPC classification number: G06F16/2477 ,  G06F11/3072 ,  G06F16/35 ,  G06N5/045

Abstract: A method is provided that is performed in a network having nodes that generate heterogeneous logs including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method includes controlling an anomaly-initiating one of the plurality of nodes based on the invariant models.

公开(公告)号：US12154024B2

公开(公告)日：2024-11-26

申请号：US17398476

申请日：2021-08-10

Applicant: NEC Laboratories America, Inc.

Inventor： Bo Zong ,  Haifeng Chen ,  Zhen Wang

IPC: G06F40/30 ,  G06F18/211 ,  G06F18/213 ,  G06N3/048 ,  G06N5/02 ,  G06F16/33

Abstract: A method trains a recursive reasoning unit (RRU). The method receives a graph for a set of words and a matrix for a different set of words. The graph maps each word in the set of words to a node with node label and indicates a relation between adjacent nodes by an edge with edge label. The matrix indicates word co-occurrence frequency of the different set of words. The method discovers, by the RRU, reasoning paths from the graph for word pairs by mapping word pairs from the set of words into a source word and a destination word and finding the reasoning paths therebetween. The method predicts word co-occurrence frequency using the reasoning paths. The method updates, responsive to the word co-occurrence frequency, model parameters of the RRU until a difference between a predicted and true word occurrence are less than a threshold amount to provide a trained RRU.

公开(公告)号：US20240037397A1

公开(公告)日：2024-02-01

申请号：US18479385

申请日：2023-10-02

Applicant: NEC Laboratories America, Inc.

Inventor： Jingchao Ni ,  Zhengzhang Chen ,  Wei Cheng ,  Bo Zong ,  Haifeng Chen

IPC: G06N3/08 ,  G06N3/04

CPC classification number: G06N3/08 ,  G06N3/04

Abstract: A method interprets a convolutional sequence model. The method converts an input data sequence having input segments into output features. The method clusters the input segments into clusters using respective resolution-controllable class prototypes allocated to each of classes. Each respective class prototype includes a respective output feature subset characterizing a respective associated class. The method calculates, using the clusters, similarity scores that indicate a similarity of an output feature to a respective class prototypes responsive to distances between the output feature and the respective class prototypes. The method concatenates the similarity scores to obtain a similarity vector. The method performs a prediction and prediction support operation that provides a value of prediction and an interpretation for the value responsive to the input segments and similarity vector. The interpretation for the value of prediction is provided using only non-negative weights and lacking a weight bias in the fully connected layer.

公开(公告)号：US20240028897A1

公开(公告)日：2024-01-25

申请号：US18479326

申请日：2023-10-02

Applicant: NEC Laboratories America, Inc.

Inventor： Jingchao Ni ,  Zhengzhang Chen ,  Wei Cheng ,  Bo Zong ,  Haifeng Chen

IPC: G06N3/08 ,  G06N3/04

CPC classification number: G06N3/08 ,  G06N3/04

Abstract: A method interprets a convolutional sequence model. The method converts an input data sequence having input segments into output features. The method clusters the input segments into clusters using respective resolution-controllable class prototypes allocated to each of classes. Each respective class prototype includes a respective output feature subset characterizing a respective associated class. The method calculates, using the clusters, similarity scores that indicate a similarity of an output feature to a respective class prototypes responsive to distances between the output feature and the respective class prototypes. The method concatenates the similarity scores to obtain a similarity vector. The method performs a prediction and prediction support operation that provides a value of prediction and an interpretation for the value responsive to the input segments and similarity vector. The interpretation for the value of prediction is provided using only non-negative weights and lacking a weight bias in the fully connected layer.

公开(公告)号：US11842271B2

公开(公告)日：2023-12-12

申请号：US17003112

申请日：2020-08-26

Applicant: NEC Laboratories America, Inc.

Inventor： Yanchi Liu ,  Wei Cheng ,  Bo Zong ,  LuAn Tang ,  Haifeng Chen ,  Denghui Zhang

IPC: G06N3/04 ,  G06N3/08 ,  G06N3/049

CPC classification number: G06N3/08 ,  G06N3/049

Abstract: Methods and systems for allocating network resources responsive to network traffic include modeling spatial correlations between fine spatial granularity traffic and coarse spatial granularity traffic for different sites and regions to determine spatial feature vectors for one or more sites in a network. Temporal correlations at a fine spatial granularity are modeled across multiple temporal scales, based on the spatial feature vectors. Temporal correlations at a coarse spatial granularity are modeled across multiple temporal scales, based on the spatial feature vectors. A traffic flow prediction is determined for the one or more sites in the network, based on the temporal correlations at the fine spatial granularity and the temporal correlations at the coarse spatial granularity. Network resources are provisioned at the one or more sites in accordance with the traffic flow prediction.