公开(公告)号：US10367838B2

公开(公告)日：2019-07-30

申请号：US15425335

申请日：2017-02-06

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Guofei Jiang ,  Kenji Yoshihira ,  Haifeng Chen

IPC: H04L12/00 ,  H04L29/06 ,  H04L12/24

Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.

公开(公告)号：US10333952B2

公开(公告)日：2019-06-25

申请号：US15729030

申请日：2017-10-10

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Ying Lin ,  Zhichun Li ,  Haifeng Chen ,  Guofei Jiang

IPC: H04L29/06 ,  H04L12/24

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.

公开(公告)号：US10289841B2

公开(公告)日：2019-05-14

申请号：US15725974

申请日：2017-10-05

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Hengtong Zhang ,  Zhengzhang Chen ,  Bo Zong ,  Zhichun Li ,  Guofei Jiang ,  Kenji Yoshihira

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06 ,  G06F21/57

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.

公开(公告)号：US20190121969A1

公开(公告)日：2019-04-25

申请号：US16161564

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

公开(公告)号：US20180034836A1

公开(公告)日：2018-02-01

申请号：US15729030

申请日：2017-10-10

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Ying Lin ,  Zhichun Li ,  Haifeng Chen ,  Guofei Jiang

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  G06F21/554 ,  H04L41/12 ,  H04L41/142 ,  H04L41/145 ,  H04L63/1425

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.

公开(公告)号：US20170302516A1

公开(公告)日：2017-10-19

申请号：US15427654

申请日：2017-02-08

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Kai Zhang ,  Haifeng Chen ,  Zhichun Li

IPC: H04L12/24 ,  G06F17/30

CPC classification number: H04L41/145 ,  H04L41/0672 ,  H04L41/0813

Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and model respective pairs of the entities for compatibility according to the embedding of the entities to form a pairwise interaction for the respective pairs of the entities. The processor is additionally configured to weigh the pairwise interaction of different ones of the respective pairs of the entities based on one or more compatibility criterion to generate a probability of an occurrence of an anomaly and alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.

公开(公告)号：US20160308725A1

公开(公告)日：2016-10-20

申请号：US15098861

申请日：2016-04-14

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Ting Chen ,  Guofei Jiang ,  Fengyuan Xu ,  Haifeng Chen

IPC: H04L12/24 ,  H04L29/06

CPC classification number: H04L41/12 ,  H04L41/142 ,  H04L41/145 ,  H04L63/0421 ,  H04L63/1425

Abstract: Methods and systems for detecting anomalous communications include simulating a network graph based on community and role labels of each node in the network graph based on one or more linking rules. The community and role labels of each node are adjusted based on differences between the simulated network graph and a true network graph. The simulation and adjustment are repeated until the simulated network graph converges to the true network graph to determine a final set of community and role labels. It is determined whether a network communication is anomalous based on the final set of community and role labels.

Abstract translation: 用于检测异常通信的方法和系统包括基于一个或多个链接规则来模拟网络图中基于社区和每个节点的角色标签的网络图。 基于模拟网络图和真实网络图之间的差异来调整每个节点的社区和角色标签。 重复模拟和调整，直到模拟网络图收敛到真实的网络图，以确定最终的一组社区和角色标签。 基于社区和角色标签的最终集确定网络通信是否是异常的。

公开(公告)号：US20250062953A1

公开(公告)日：2025-02-20

申请号：US18800726

申请日：2024-08-12

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  Haifeng Chen ,  Haoyu Wang ,  Xujiang Zhao ,  Chengyuan Deng

IPC: H04L41/08

Abstract: Systems and methods for correlation-aware explainable online change point detection. Collected data metrics from the cloud system can be transformed to correlation matrices. Correlation shifts from the correlation matrices can be captured as differences of correlation between batches of collected data metrics through determined statistics of the batches of collected data metrics across timesteps. Change points in the cloud system can be detected based on the correlation shifts to obtain detected change points. System maintenance can be performed autonomously based on the detected change points from identified system entities to optimize the cloud system with an updated configuration.

公开(公告)号：US12204398B2

公开(公告)日：2025-01-21

申请号：US18359309

申请日：2023-07-26

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  Haifeng Chen ,  Liang Tong ,  Dongjie Wang

IPC: G06F11/07 ,  G06F11/34

Abstract: A computer-implemented method for identifying root cause failure and fault events is provided. The method includes detecting a trigger point, converting, via an encoder, previous system state data, new batch data in a next system state, and a causal graph to system state-invariant embeddings and system state-dependent embeddings, generating a learned causal graph, via a graph generation layer, by integrating state-invariant and state-dependent information, and predicting, by a prediction layer, future time-series data on the learned causal graph.

公开(公告)号：US20240354184A1

公开(公告)日：2024-10-24

申请号：US18594487

申请日：2024-03-04

Applicant: NEC Laboratories America, Inc.

Inventor： Peng Yuan ,  LuAn Tang ,  Haifeng Chen ,  Yuncong Chen ,  Zhengzhang Chen ,  Motoyuki Sato

IPC: G06F11/07

CPC classification number: G06F11/079 ,  G06F11/0736 ,  G06F11/0793

Abstract: Systems and methods are provided for incident analysis in Cyber-Physical Systems (CPS) using a Temporal Graph-based Incident Analysis System (TGIAS) and/or Transition Based Categorical Anomaly Detection (TCAD). Dynamically gathered multimodal data from a distributed network of sensors across the CPS are preprocessed to identify abnormal sensor readings indicative of potential incidents, and a multi-layered incident timeline graph, representing abnormal sensor readings, relationships to specific CPS components, and temporal sequencing of events is constructed. Severity scores are calculated, and severity rankings are assigned to identified anomalies based on a composite index including impact on CPS operation, comparison with historical incident data, and predictive risk assessments. Probable root causes of incidents and pathways for anomaly propagation through the CPS are identified using causal interference and the incident timeline graph to detect underlying vulnerabilities and predict future system weaknesses. Recommended actions are generated and executed for incident resolution and system optimization.