公开(公告)号：US09489286B2

公开(公告)日：2016-11-08

申请号：US14168375

申请日：2014-01-30

Applicant: NEC Laboratories America, Inc.

Inventor： Nipun Arora ,  Hui Zhang ,  Junghwan Rhee ,  Guofei Jiang ,  Kenji Yoshihira

IPC: G06F9/44 ,  G06F11/36

CPC classification number: G06F11/3644 ,  G06F11/3636

Abstract: This invention provides a new mechanism for “Hot-Tracing” using a novel placeholder mechanism and binary rewriting techniques, which leverages existing compiler flags in order to enable light-weight and highly flexible dynamic instrumentation. Broadly, I-Probe can be divided in 2 distinct workflows—1. Pre-processing (ColdPatch), and 2. Hot Tracing. The first phase is a pre-processing mechanism to prepare the binary for phase 2. The second phase is the actual hot-tracing mechanism, which allows users to dynamically instrument functions (more specifically symbols) of their choice.

Abstract translation: 本发明提供了一种使用新型占位符机制和二进制重写技术的“热追踪”的新机制，其利用现有的编译器标志以便实现轻量级和高度灵活的动态仪器。 普遍来说，I-Probe可以分为两个不同的工作流程 - 1。 预处理（ColdPatch）和2.热追踪。 第一阶段是为阶段2准备二进制的预处理机制。第二阶段是实际的热追踪机制，允许用户动态地对其选择的功能（更具体地说是符号）进行仪器仪表功能。

公开(公告)号：US20160063398A1

公开(公告)日：2016-03-03

申请号：US14839363

申请日：2015-08-28

Applicant: NEC Laboratories America, Inc.

Inventor： Hui Zhang ,  Xia Ning ,  Junghwan Rhee ,  Guofei Jiang ,  Hongteng Xu

IPC: G06N99/00 ,  G06F9/50

CPC classification number: G06N99/005 ,  G06F9/5011 ,  G06F11/00 ,  G06F11/34 ,  G06F11/36 ,  G06N7/005

Abstract: A system and method for profiling a request in a service system with kernel events including a pre-processing module configured to obtain kernel event traces from the service system and determine starting and ending communication pairs of a request path for a request. A learning module is configured to learn pairwise relationships between the starting and ending communication pairs of training traces of sequential requests. A generation module is configured to generate communication paths for the request path from the starting and ending communication pairs of testing traces of concurrent requests using a heuristic procedure that is guided by the learned pairwise relationships and generate the request path for the request from the communication paths. The system and method precisely determine request paths for applications in a distributed system from kernel event traces even when there are numerous concurrent requests.

Abstract translation: 一种用于在具有内核事件的服务系统中对请求进行分析的系统和方法，所述内核事件包括预处理模块，所述预处理模块被配置为从所述服务系统获取内核事件跟踪并且确定请求的请求路径的起始和结束通信对。 学习模块被配置为学习顺序请求的训练轨迹的开始和结束通信对之间的成对关系。 生成模块被配置为使用由所学习的成对关系指导的启发式过程从并发请求的测试跟踪的起始和结束通信对生成针对请求路径的通信路径，并且从通信路径生成针对请求的请求路径 。 即使有许多并发请求，系统和方法也可以精确地确定来自内核事件跟踪的分布式系统中应用程序的请求路径。

公开(公告)号：US20150334128A1

公开(公告)日：2015-11-19

申请号：US14712421

申请日：2015-05-14

Applicant: NEC Laboratories America, Inc.

Inventor： Zhiyun Qian ,  Jun Wang ,  Zhichun Li ,  Zhenyu Wu ,  Junghwan Rhee ,  Xia Ning ,  Guofei Jiang

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06F11/30 ,  G06F21/50 ,  G06F21/552 ,  G06F21/554 ,  G06N99/005 ,  H04L63/1441

Abstract: Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process.

Abstract translation: 过程约束的方法和系统包括收集过程的系统调用信息。 基于系统调用信息检测进程是否空闲，然后检查进程是否使用自相关重复以确定进程是否以周期性方式发出系统调用。 如果空闲或重复限制进程所呈现的攻击面，则该进程受到约束。

公开(公告)号：US09092568B2

公开(公告)日：2015-07-28

申请号：US13873610

申请日：2013-04-30

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  Hui Zhang ,  Nipun Arora ,  Guofei Jiang ,  Kenji Yoshihira ,  Myoungku Song

IPC: G06F9/44 ,  G06F11/36

CPC classification number: G06F11/3636 ,  G06F11/3604

Abstract: A system for automatically instrumenting and tracing an application program and related software components achieves a correlated tracing of the program execution. It includes tracing of endpoints that are the set of functions in the program execution path that the developers are interested. The tracing endpoints and related events become the total set of functions to be traced in the program (called instrument points). This invention automatically analyzes the program and generates such instrumentation points to enable correlated tracing. The generated set of instrumentation points addresses common questions that developers ask when they use monitoring tools.

Abstract translation: 用于自动测试和跟踪应用程序和相关软件组件的系统实现了程序执行的相关跟踪。 它包括跟踪开发人员感兴趣的程序执行路径中的一组函数的端点。 跟踪终点和相关事件成为程序中要追踪的功能的总数（称为仪器点）。 本发明自动分析程序并生成这样的仪器点以实现相关跟踪。 生成的仪器仪表组解决了开发人员在使用监控工具时所要求的常见问题。

公开(公告)号：US20140229921A1

公开(公告)日：2014-08-14

申请号：US14168375

申请日：2014-01-30

Applicant: NEC Laboratories America, Inc.

Inventor： Nipun Arora ,  Hui Zhang ,  Junghwan Rhee ,  Guofei Jiang ,  Kenji Yoshihira

IPC: G06F11/36

CPC classification number: G06F11/3644 ,  G06F11/3636

Abstract: This invention provides a new mechanism for “Hot-Tracing” using a novel placeholder mechanism and binary rewriting techniques, which leverages existing compiler flags in order to enable light-weight and highly flexible dynamic instrumentation. Broadly, I-Probe can be divided in 2 distinct workflows—1. Pre-processing (ColdPatch), and 2. Hot Tracing. The first phase is a pre-processing mechanism to prepare the binary for phase 2. The second phase is the actual hot-tracing mechanism, which allows users to dynamically instrument functions (more specifically symbols) of their choice.

Abstract translation: 本发明提供了一种使用新型占位符机制和二进制重写技术的“热追踪”的新机制，其利用现有的编译器标志以便实现轻量级和高度灵活的动态仪器。 普遍来说，I-Probe可以分为两个不同的工作流程 - 1。 预处理（ColdPatch）和2.热追踪。 第一阶段是为阶段2准备二进制的预处理机制。第二阶段是实际的热追踪机制，允许用户动态地对其选择的功能（更具体地说是符号）进行仪器仪表功能。

公开(公告)号：US11297082B2

公开(公告)日：2022-04-05

申请号：US16535521

申请日：2019-08-08

Applicant: NEC Laboratories America, Inc.

Inventor： Junghwan Rhee ,  LuAn Tang ,  Zhengzhang Chen ,  Chung Hwan Kim ,  Zhichun Li ,  Ziqiao Zhou

IPC: H04L29/06 ,  G05B19/418

Abstract: A computer-implemented method for implementing protocol-independent anomaly detection within an industrial control system (ICS) includes implementing a detection stage, including performing byte filtering using a byte filtering model based on at least one new network packet associated with the ICS, performing horizontal detection to determine whether a horizontal constraint anomaly exists in the at least one network packet based on the byte filtering and a horizontal model, including analyzing constraints across different bytes of the at least one new network packet, performing message clustering based on the horizontal detection to generate first cluster information, and performing vertical detection to determine whether a vertical anomaly exists based on the first cluster information and a vertical model, including analyzing a temporal pattern of each byte of the at least one new network packet.

公开(公告)号：US20210350636A1

公开(公告)日：2021-11-11

申请号：US17241481

申请日：2021-04-27

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Haifeng Chen ,  Wei Cheng ,  Junghwan Rhee ,  Jumpei Kamimura

IPC: G07C5/08 ,  G06N3/04 ,  G06N3/08 ,  B60W50/02 ,  G07C5/00 ,  B60W50/035 ,  B60W50/038

Abstract: Methods and systems for vehicle fault detection include collecting operational data from sensors in a vehicle. The sensors are associated with vehicle sub-systems. The operational data is processed with a neural network to generate a fault score, which represents a similarity to fault state training scenarios, and an anomaly score, which represents a dissimilarity to normal state training scenarios. The fault score is determined to be above a fault score threshold and the anomaly score is determined to be above an anomaly score threshold to detect a fault. A corrective action is performed responsive the fault, based on a sub-system associated with the fault.

公开(公告)号：US20210350232A1

公开(公告)日：2021-11-11

申请号：US17241430

申请日：2021-04-27

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Haifeng Chen ,  Wei Cheng ,  Junghwan Rhee ,  Jumpei Kamimura

IPC: G06N3/08 ,  G06N3/04 ,  G07C5/08

Abstract: Methods and systems for training a neural network model include processing a set of normal state training data and a set of fault state training data to generate respective normal state inputs and fault state inputs that each include data features and sensor correlation graph information. A neural network model is trained, using the normal state inputs and the fault state inputs, to generate a fault score that provides a similarity of an input to the fault state training data and an anomaly score that provides a dissimilarity of the input to the normal state training data.

公开(公告)号：US20210067549A1

公开(公告)日：2021-03-04

申请号：US17004752

申请日：2020-08-27

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  Jiaping Gui ,  Haifeng Chen ,  Junghwan Rhee ,  Shen Wang

IPC: H04L29/06 ,  G06N3/08

Abstract: Methods and systems for detecting and responding to an intrusion in a computer network include generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples. The original and adversarial samples are encoded to generate respective original and adversarial graph representations, based on node neighborhood aggregation. A graph-based neural network is trained to detect anomalous activity in a computer network, using the adversarial training data set. A security action is performed responsive to the detected anomalous activity.

公开(公告)号：US20210064959A1

公开(公告)日：2021-03-04

申请号：US16998280

申请日：2020-08-20

Applicant: NEC Laboratories America, Inc.

Inventor： Jiaping Gui ,  Zhengzhang Chen ,  Junghwan Rhee ,  Haifeng Chen ,  Pengyang Wang

IPC: G06N3/04

Abstract: Systems and methods for predicting road conditions and traffic volume is provided. The method includes generating a graph of one or more road regions including a plurality of road intersections and a plurality of road segments, wherein the road intersections are represented as nodes and the road segments are represented as edges. The method can also include embedding the nodes from the graph into a node space, translating the edges of the graph into nodes of a line graph, and embedding the nodes of the line graph into the node space. The method can also include aligning the nodes from the line graph with the nodes from the graph, and optimizing the alignment, outputting a set of node and edge representations that predicts the traffic flow for each of the road segments and road intersections based on the optimized alignment of the nodes.