-
Publication (Announcement) No.: US10476752B2
Publication (Announcement) Date: 2019-11-12
Application No.: US15477625
Application Date: 2017-04-03
Applicant: NEC Laboratories America, Inc.
Inventor: Kenji Yoshihira , Zhichun Li , Zhengzhang Chen , Haifeng Chen , Guofei Jiang , LuAn Tang
Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
-
Publication (Announcement) No.: US10474642B2
Publication (Announcement) Date: 2019-11-12
Application No.: US15659131
Application Date: 2017-07-25
Applicant: NEC Laboratories America, Inc.
Inventor: Jianwu Xu , Biplob Debnath , Hui Zhang , Guofei Jiang
IPC: G06F17/00 , G06F16/178
Abstract: Methods and systems for log management include pre-processing heterogeneous logs and performing a log management action on the pre-processed plurality of heterogeneous logs. Pre-processing the logs includes performing a fixed tokenization of the heterogeneous logs based on a predefined set of symbols, performing a flexible tokenization of the heterogeneous logs based on a user-defined set of rules, converting timestamps in the heterogeneous logs to a single target timestamp format, and performing structural log tokenization of the heterogeneous logs based on user-defined structural information.
-
Publication (Announcement) No.: US10333815B2
Publication (Announcement) Date: 2019-06-25
Application No.: US15413812
Application Date: 2017-01-24
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Zhengzhang Chen , Haifeng Chen , Kenji Yoshihira , Guofei Jiang
Abstract: A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.
-
Publication (Announcement) No.: US10298607B2
Publication (Announcement) Date: 2019-05-21
Application No.: US15725994
Application Date: 2017-10-05
Applicant: NEC Laboratories America, Inc.
Inventor: LuAn Tang , Hengtong Zhang , Zhengzhang Chen , Bo Zong , Zhichun Li , Guofei Jiang , Kenji Yoshihira
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
-
Publication (Announcement) No.: US10237295B2
Publication (Announcement) Date: 2019-03-19
Application No.: US15429849
Application Date: 2017-02-10
Applicant: NEC Laboratories America, Inc.
Inventor: Hui Zhang , Guofei Jiang
IPC: H04L29/06
Abstract: A system, program, and method for anomaly detection in heterogeneous logs. The system having a processor configured to identify pattern fields comprised of a plurality of event identifiers. The processor is further configured to generate an automata model by profiling event behaviors of the plurality of event sequences, the plurality of event sequences grouped in the automata model by combinations of one or more pattern fields and one or more event identifiers from among the plurality of event identifiers, wherein for a given combination, the one or more event identifiers therein must be respectively comprised in a same one of the one or more pattern fields with which it is combined. The processor is additionally configured to detect an anomaly in one of the plurality of event sequences using the automata model. The processor is also configured to control an anomaly-initiating one of the network devices based on the anomaly.
-
Publication (Announcement) No.: US10114728B2
Publication (Announcement) Date: 2018-10-30
Application No.: US14250340
Application Date: 2014-04-10
Applicant: NEC Laboratories America, Inc.
Inventor: Hui Zhang , Nipun Arora , Junghwan Rhee , Kai Ma , Guofei Jiang
IPC: G06F11/36
Abstract: The invention is directed to a computer implemented method and a system that implements an application performance profiler with hardware performance event information. The profiler provides dynamic tracing of application programs, and offers fine-grained hardware performance event profiling at function levels. To control the perturbation on target applications, the profiler also includes a control mechanism to constrain the function profiling overhead within a budget configured by users.
-
Publication (Announcement) No.: US10110458B2
Publication (Announcement) Date: 2018-10-23
Application No.: US15264706
Application Date: 2016-09-14
Applicant: NEC Laboratories America, Inc.
Inventor: Qiang Xu , Cristian Lumezanu , Cheng Jin , Hyun-Wook Baek , Guofei Jiang
IPC: H04L12/26 , H04L12/707 , H04L12/741 , H04L12/721 , H04L12/815 , H04L12/24
Abstract: Methods and systems for network management include performing path regression to determine an end-to-end path across physical links for each data flow in a network. A per-flow utilization of each physical link in the network is estimated based on the determined end-to-end paths. A management action is performed in the network based on the estimated per-flow utilization.
-
Publication (Announcement) No.: US20180131560A1
Publication (Announcement) Date: 2018-05-10
Application No.: US15793358
Application Date: 2017-10-25
Applicant: NEC Laboratories America, Inc.
Inventor: Wei Cheng , Haifeng Chen , Guofei Jiang
Abstract: Methods and systems for detecting a system fault include determining a network of broken correlations for a current timestamp, relative to a predicted set of correlations, based on a current set of sensor data. The network of broken correlations for the current timestamp is compared to networks of broken correlations for previous timestamps to determine a fault propagation pattern. It is determined whether a fault has occurred based on the fault propagation pattern. A system management action is performed if a fault has occurred.
-
Publication (Announcement) No.: US09928155B2
Publication (Announcement) Date: 2018-03-27
Application No.: US15352546
Application Date: 2016-11-15
Applicant: NEC Laboratories America, Inc.
Inventor: Jianwu Xu , Biplob Debnath , Hui Zhang , Guofei Jiang , Nipun Arora
CPC classification number: G06F11/3612 , G06F11/0706 , G06F11/0766 , G06F11/3636
Abstract: Systems and methods are disclosed for handling log data from one or more applications, sensors or instruments by receiving heterogeneous logs from arbitrary/unknown systems or applications; generating regular expression patterns from the heterogeneous log sources using machine learning and extracting a log pattern therefrom; generating models and profiles from training logs based on different conditions and updating a global model database storing all models generated over time; tokenizing raw log messages from one or more applications, sensors or instruments running a production system; transforming incoming tokenized streams into data-objects for anomaly detection and forwarding of log messages to various anomaly detectors; and generating an anomaly alert from the one or more applications, sensors or instruments running a production system.
-
Publication (Announcement) No.: US20180067831A1
Publication (Announcement) Date: 2018-03-08
Application No.: US15661625
Application Date: 2017-07-27
Applicant: NEC Laboratories America, Inc.
Inventor: Wei Cheng , Haifeng Chen , Guofei Jiang , Jingchao Ni
CPC classification number: G06F11/2257 , G06F17/504 , G06N5/048 , G06N20/00
Abstract: A computer-implemented method for diagnosing system faults by fine-grained causal anomaly inference is presented. The computer-implemented method includes identifying functional modules impacted by causal anomalies and backtracking causal anomalies in impaired functional modules by a low-rank network diffusion model. An invariant network and a broken network are inputted into the system, the invariant network and the broken network being jointly clustered to learn a degree of broken severities of different clusters as a result of fault propagations.
-