Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated from the monitored system data that characterizes the tendency of processes to access system targets. Kill chains connecting malicious events over a span of time are generated from the event correlation graph; they characterize the events in an attack path over time and are built by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
Abstract:
A computer-implemented method for real-time detection of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, the normal states of network connections among hosts in the network, and recording, via a port graph, the relationships established between hosts and destination ports across all network connections.
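The two graphs in the abstract above can be reduced to a small whitelist baseline: a topology graph of which source host talks to which destination host, and a port graph of which destination ports each host is contacted on. The block below is an added illustration, not the patented system's code; the connection events are constructed, and keying the port graph by destination host is an assumption (the abstract does not say which host the port relationship is anchored to). A live connection is flagged when it falls outside either graph, which is how lateral movement to a host or service that was never contacted during the learning window surfaces.

```python
"""Topology-graph / port-graph baseline for flagging abnormal network connections.

Added illustration, not the patented system's implementation. Events are
(src_host, dst_host, dst_port) tuples as an agent might report them.
"""
from collections import defaultdict

# Constructed sample of normal connection events collected during a learning window.
NORMAL_EVENTS = [
    ("web1", "db1", 5432),
    ("web2", "db1", 5432),
    ("web1", "cache1", 6379),
    ("web2", "cache1", 6379),
    ("bastion", "web1", 22),
    ("bastion", "web2", 22),
]


class ConnectionBaseline:
    """Learns normal host-to-host edges and host-to-port relationships."""

    def __init__(self):
        self.topology = defaultdict(set)    # src_host -> {dst_host}
        self.port_graph = defaultdict(set)  # dst_host -> {dst_port}  (assumed keying)

    def learn(self, events):
        """Record every observed connection as normal (training phase)."""
        for src, dst, port in events:
            self.topology[src].add(dst)
            self.port_graph[dst].add(port)

    def check(self, event):
        """Return the reasons a connection is abnormal; an empty list means normal.

        A connection can be abnormal on both axes at once (new peer AND new
        port), so both checks run and both reasons are reported.
        """
        src, dst, port = event
        reasons = []
        if dst not in self.topology.get(src, set()):
            reasons.append("new_host_pair")
        if port not in self.port_graph.get(dst, set()):
            reasons.append("new_dst_port")
        return reasons


def detect_abnormal(baseline, live_events):
    """Filter a live event stream down to (event, reasons) for abnormal connections."""
    flagged = []
    for event in live_events:
        reasons = baseline.check(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    baseline = ConnectionBaseline()
    baseline.learn(NORMAL_EVENTS)
    # Constructed live stream: one normal connection, one SSH to the database
    # host (known peer, new port), one SMB hop between web servers (new peer).
    live = [("web1", "db1", 5432), ("web1", "db1", 22), ("web1", "web2", 445)]
    for event, reasons in detect_abnormal(baseline, live):
        print(event, reasons)
```

In practice the learning window must itself be clean, and the baseline needs a controlled update path (for example, an operator-approved edge) so that a flagged connection is not silently learned as normal just because it recurs.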
Abstract:
A system and method for analysis of complex systems which includes determining model parameters based on time series data, further including profiling a plurality of types of data properties to discover complex data properties and dependencies; classifying the data dependencies into predetermined categories for analysis; and generating a plurality of models based on the discovered properties and dependencies. The system and method may analyze, using a processor, the generated models based on a fitness score determined for each model to generate a status report for each model; integrate the status reports for each model to determine an anomaly score for the generated models; and generate an alarm when the anomaly score exceeds a predefined threshold.
Abstract:
A computer-implemented method provides efficient monitoring and analysis of a program's memory objects in the operation stage. The invention can visualize and analyze a monitored program's data status with improved semantic information without requiring source code at runtime. The invention can provide a higher quality of system management, performance debugging, and root-cause error analysis for enterprise software in the production stage.
Abstract:
The invention efficiently provides user code information for kernel-level tracing approaches. It applies an advanced variation of stack walking called multi-mode stack walking to the entire system and generates a unified trace in which user code and kernel events are integrated. The invention uses runtime stack information and internal kernel data structures; therefore, source code for user-level code and libraries is not required for inspection. The invention introduces a mechanism to narrow the monitoring focus to specific application software and improve monitoring performance.
Abstract:
A method for request profiling in service systems with kernel events includes collecting kernel event traces from a target system, the kernel event traces being obtainable from individual service machines by instrumenting core kernel functions; analyzing the kernel event traces to construct end-to-end request profiling traces consisting of the kernel events belonging to service processes; and categorizing the request traces responsive to the analyzing, with the constructing including grouping requests based on marking the kernel events used in the analyzing.
Abstract:
A system for automatically instrumenting and tracing an application program and related software components achieves correlated tracing of the program execution. It includes tracing of endpoints, which are the set of functions in the program execution path that developers are interested in. The tracing endpoints and related events become the total set of functions to be traced in the program (called instrument points). This invention automatically analyzes the program and generates such instrumentation points to enable correlated tracing. The generated set of instrumentation points addresses common questions that developers ask when they use monitoring tools.
Abstract:
Systems and methods are disclosed for detecting periodic event behaviors from machine generated logging by: capturing heterogeneous log messages, each log message including a time stamp and text content with one or more fields; recognizing log formats from log messages; transforming the text content into a set of time series data, one time series for each log format; during a training phase, analyzing the set of time series data and building a category model for each periodic event type in heterogeneous logs; and during live operation, applying the category model to a stream of time series data from live heterogeneous log messages and generating a flag on a time series data point violating the category model and generating an alarm report for the corresponding log message.
Abstract:
A method and system are provided. The method includes performing, by a logs-to-time-series converter, a logs-to-time-series conversion by transforming a plurality of heterogeneous logs into a set of time series. Each of the heterogeneous logs includes a time stamp and text portion with one or more fields. The method further includes performing, by a time-series-to-sequential-pattern converter, a time-series-to-sequential-pattern conversion by mining invariant relationships between the set of time series, and discovering sequential message patterns and association rules in the plurality of heterogeneous logs using the invariant relationships. The method also includes executing, by a processor, a set of log management applications, based on the sequential message patterns and the association rules.