Abstract:
Methods are provided for both single-modal and multimodal fault diagnosis. In one method, a fault fingerprint is constructed from a fault event using an invariant model. A similarity matrix between the fault fingerprint and one or more historical representative fingerprints is derived using dynamic time warping and at least one convolution. A feature vector in a feature subspace is generated for the fault fingerprint; it includes at least one status of at least one system component during the fault event. A corrective action correlated to the fault fingerprint is determined and initiated on a hardware device to mitigate expected harm to at least one of: the hardware device, another hardware device related to it, or a person related to it.
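The matching step described above, as an added example that is not the patent's own implementation: a fingerprint is a 0/1 matrix (rows are time steps, columns are invariants of the invariant model, 1 meaning the invariant was broken), each fingerprint is passed through a small smoothing convolution along the time axis, dynamic time warping gives the distance to every historical representative fingerprint, and the similarity matrix (here a similarity per historical fingerprint) selects the correlated corrective action. The fingerprints, the action table and the 1/(1 + DTW) similarity are constructed assumptions.

```python
"""Fault-fingerprint matching: smoothing convolution, DTW, similarity, action lookup.

Added example (not the patent's implementation). All fingerprints, the action
table and the similarity definition are constructed for illustration.
"""
from typing import Dict, List, Tuple

Fingerprint = List[List[float]]   # rows = time steps, columns = invariants (1 = broken)

# Constructed historical representative fingerprints over four invariants I0..I3,
# and the corrective action each one is correlated with (all hypothetical).
HISTORY: Dict[str, Fingerprint] = {
    "disk_degradation": [[0, 0, 0, 0], [0, 0, 0, 0], [1, 1, 0, 0],
                         [1, 1, 0, 0], [1, 1, 0, 0], [1, 1, 0, 0]],
    "memory_leak":      [[0, 0, 0, 0], [0, 0, 1, 0], [0, 0, 1, 0],
                         [0, 0, 1, 1], [0, 0, 1, 1], [0, 0, 1, 1]],
}
ACTIONS = {"disk_degradation": "migrate workload and fence the disk",
           "memory_leak": "restart the leaking service"}

# Constructed live fault event: the disk pattern, but its onset is one step later.
LIVE_EVENT: Fingerprint = [[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0],
                           [1, 1, 0, 0], [1, 1, 0, 0], [1, 1, 0, 0]]


def smooth(fp: Fingerprint, kernel=(0.25, 0.5, 0.25)) -> Fingerprint:
    """Convolve every invariant column with a small kernel along the time axis
    (zero padding at the ends), so a one-step jitter in when an invariant breaks
    costs less than a genuinely different set of broken invariants."""
    n, half = len(fp), len(kernel) // 2
    out = []
    for t in range(n):
        row = []
        for j in range(len(fp[0])):
            acc = 0.0
            for i, w in enumerate(kernel):
                s = t + i - half
                if 0 <= s < n:
                    acc += w * fp[s][j]
            row.append(acc)
        out.append(row)
    return out


def local_cost(a: List[float], b: List[float]) -> float:
    """L1 distance between two time-step rows (how many invariants disagree)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def dtw(x: Fingerprint, y: Fingerprint) -> float:
    """Dynamic time warping distance with the standard three-way recurrence."""
    n, m = len(x), len(y)
    inf = float("inf")
    d = [[inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            c = local_cost(x[i - 1], y[j - 1])
            d[i][j] = c + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]


def similarity_matrix(query: Fingerprint, history: Dict[str, Fingerprint]) -> Dict[str, float]:
    """Similarity of the query to each historical fingerprint after smoothing both
    sides: 1 / (1 + DTW distance), so 1.0 means identical."""
    q = smooth(query)
    return {name: 1.0 / (1.0 + dtw(q, smooth(fp))) for name, fp in history.items()}


def recommend_action(query: Fingerprint, history=HISTORY, actions=ACTIONS) -> Tuple[str, str, float]:
    """Return (best matching fingerprint, its correlated corrective action, similarity)."""
    sims = similarity_matrix(query, history)
    best = max(sims, key=sims.get)
    return best, actions[best], sims[best]


if __name__ == "__main__":
    name, action, sim = recommend_action(LIVE_EVENT)
    print(f"best match: {name} (similarity {sim:.3f}) -> {action}")
```

The smoothing kernel and DTW together make the match tolerant of onset timing, which is the point of using DTW rather than a fixed-lag Euclidean distance; a shifted copy of the disk pattern still matches the disk fingerprint far better than the memory-leak one.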
Abstract:
Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
Abstract:
Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.
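The two abstracts above describe the same pipeline at two levels of detail, so one added example covers both; it is not the patent's implementation. Alerts are merged in a disjoint-set in three passes: intra-host, using a process graph built from process-creation (pid, parent) events; hidden-relationship, merging same-host clusters whose alerts reference the same artifact; and inter-host, merging clusters whose hosts are adjacent in a topology graph built from connection events. Clusters whose trustworthiness score reaches a threshold are reported. The alert fields, the choice of "shared artifact" as the hidden relationship, the undirected topology graph and the trust score are all assumptions, and the data is constructed.

```python
"""Staged alert clustering over a process graph and a topology graph.

Added example, not the patent's implementation. Alert shape, the hidden
relationship (a shared artifact), the undirected topology graph and the
trustworthiness score are assumptions; all data is constructed.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Constructed alerts: host, process (pid) and parent pid, referenced artifact or None.
ALERTS: Dict[str, dict] = {
    "a1": {"host": "web1", "pid": 101, "parent": 1,   "artifact": "/tmp/x.sh"},
    "a2": {"host": "web1", "pid": 202, "parent": 101, "artifact": None},
    "a3": {"host": "web1", "pid": 303, "parent": 1,   "artifact": "/tmp/x.sh"},
    "a4": {"host": "db1",  "pid": 404, "parent": 1,   "artifact": None},
    "a5": {"host": "dev7", "pid": 505, "parent": 1,   "artifact": None},
}
# Constructed connection events (source host, destination host).
CONNECTIONS: List[Tuple[str, str]] = [("web1", "db1"), ("web1", "db1"), ("lb", "web1")]


class DisjointSet:
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def groups(self) -> List[FrozenSet[str]]:
        g = defaultdict(set)
        for i in self.parent:
            g[self.find(i)].add(i)
        return [frozenset(s) for s in g.values()]


def build_process_graph(alerts):
    """host -> {pid: parent pid}; each edge is a process-creation event."""
    graph = defaultdict(dict)
    for a in alerts.values():
        graph[a["host"]][a["pid"]] = a["parent"]
    return graph


def build_topology_graph(connections):
    """host -> hosts it had a connection event with (either direction)."""
    graph = defaultdict(set)
    for src, dst in connections:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def related_by_process(pgraph, a, b) -> bool:
    """Same host, and one alert's process is an ancestor of the other's."""
    if a["host"] != b["host"]:
        return False
    tree = pgraph[a["host"]]

    def ancestors(pid):
        seen = set()
        while pid in tree and tree[pid] not in seen:   # guard against cycles
            pid = tree[pid]
            seen.add(pid)
        return seen

    return a["pid"] in ancestors(b["pid"]) or b["pid"] in ancestors(a["pid"])


def intra_host(ds, alerts, pgraph):
    """Pass 1: merge alerts on one host that share a process lineage."""
    for x, y in combinations(alerts, 2):
        if related_by_process(pgraph, alerts[x], alerts[y]):
            ds.union(x, y)


def hidden_relationship(ds, alerts):
    """Pass 2: merge same-host clusters whose alerts reference the same artifact."""
    for x, y in combinations(alerts, 2):
        ax, ay = alerts[x], alerts[y]
        if ax["host"] == ay["host"] and ax["artifact"] and ax["artifact"] == ay["artifact"]:
            ds.union(x, y)


def inter_host(ds, alerts, tgraph):
    """Pass 3: merge clusters whose hosts are adjacent in the topology graph."""
    for x, y in combinations(alerts, 2):
        if alerts[y]["host"] in tgraph.get(alerts[x]["host"], set()):
            ds.union(x, y)


def cluster_alerts(alerts, connections) -> List[FrozenSet[str]]:
    ds = DisjointSet(alerts)
    intra_host(ds, alerts, build_process_graph(alerts))
    hidden_relationship(ds, alerts)
    inter_host(ds, alerts, build_topology_graph(connections))
    return ds.groups()


def trustworthiness(cluster, alerts) -> int:
    """Assumed score: alerts in the cluster plus the distinct hosts it spans."""
    return len(cluster) + len({alerts[a]["host"] for a in cluster})


def report(alerts, connections, threshold) -> List[FrozenSet[str]]:
    """Clusters whose trustworthiness reaches the threshold, in a stable order."""
    return sorted((c for c in cluster_alerts(alerts, connections)
                   if trustworthiness(c, alerts) >= threshold), key=sorted)
```

With the constructed data the process graph first joins a1 and a2 (a2 is a child of a1's process), the shared artifact then pulls in a3, and the web1 to db1 connection edge finally attaches a4; the isolated alert a5 on dev7 never reaches the threshold and is not reported.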
Abstract:
Methods and systems for detecting anomalous network activity include determining whether a network event already exists within an existing topology graph and port graph. If the network event does not exist within those graphs, a connection probability for the event is determined, and the event is identified as abnormal if that probability falls below a threshold.
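The decision above, as an added example that is not the patent's implementation: the topology graph is the set of (source, destination) pairs seen in historical connection events, the port graph is reduced to the destination ports seen per destination host, an event present in both is accepted without further checks, and any other event gets a connection probability that is compared against a threshold. The probability model (a product of Laplace-smoothed source fan-out, destination fan-in and port-frequency terms) is an assumption, since the abstract does not specify one; the history and events are constructed.

```python
"""Connection-probability check for network events absent from the known graphs.

Added example, not the patent's implementation. The probability model is an
assumption; the history and events are constructed.
"""
from collections import Counter, defaultdict
from typing import Iterable, Tuple

# Constructed historical connection events: (source host, destination host, destination port).
HISTORY = [
    ("web1", "db1", 5432), ("web1", "db1", 5432), ("web2", "db1", 5432),
    ("lb", "web1", 443), ("lb", "web2", 443),
    ("ops", "web1", 22), ("ops", "web2", 22), ("ops", "db1", 22),
]


class ConnectionModel:
    def __init__(self, history: Iterable[Tuple[str, str, int]]):
        self.topology = defaultdict(set)   # topology graph: src -> {dst}
        self.ports = defaultdict(set)      # port graph (reduced): dst -> {port}
        self.port_count = Counter()        # port -> number of events
        self.hosts = set()
        self.n_events = 0
        for src, dst, port in history:
            self.topology[src].add(dst)
            self.ports[dst].add(port)
            self.port_count[port] += 1
            self.hosts.update((src, dst))
            self.n_events += 1
        # fan-out of each source and fan-in of each destination in the topology graph
        self.fan_out = {s: len(d) for s, d in self.topology.items()}
        self.fan_in = Counter(dst for dsts in self.topology.values() for dst in dsts)

    def known(self, src, dst, port) -> bool:
        """Event already exists in both the topology graph and the port graph."""
        return dst in self.topology.get(src, set()) and port in self.ports.get(dst, set())

    def connection_probability(self, src, dst, port) -> float:
        """Assumed model: how widely src talks, how widely dst is talked to, and how
        common the port is, each Laplace-smoothed so unseen hosts and ports get a
        small but non-zero probability instead of a division by zero."""
        n = len(self.hosts) + 1                      # +1 leaves mass for unseen hosts
        p_src = (self.fan_out.get(src, 0) + 1) / n
        p_dst = (self.fan_in.get(dst, 0) + 1) / n
        p_port = (self.port_count.get(port, 0) + 1) / (self.n_events + len(self.port_count) + 1)
        return p_src * p_dst * p_port

    def is_abnormal(self, src, dst, port, threshold) -> bool:
        if self.known(src, dst, port):
            return False                              # covered by the existing graphs
        return self.connection_probability(src, dst, port) < threshold


if __name__ == "__main__":
    model = ConnectionModel(HISTORY)
    for event in [("web1", "db1", 5432), ("web1", "web2", 22), ("db1", "attacker", 4444)]:
        print(event, "abnormal" if model.is_abnormal(*event, threshold=0.02) else "normal",
              round(model.connection_probability(*event), 4))
```

The threshold decides how much novelty is tolerated: a never-seen host pair between two well-connected internal hosts on a common port scores around 0.056 here and passes at a threshold of 0.02, while a database host opening a connection to an unknown host on an unknown port scores about 0.002 and is flagged. In practice the threshold is tuned against a labelled backlog of events rather than chosen by hand.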
Abstract:
Systems and methods for modeling system dynamics extract features representative of the temporal evolution of a dynamical system by deriving one or more vector trajectories through sliding-window segmentation of one or more time series, applying a linear test to determine whether the vector trajectories are linear or nonlinear, and performing linear or nonlinear subspace decomposition on the vector trajectories according to the result of that test. The system and method may generate a system evolution model from the extracted features of the dynamical system and determine a fitness score for that model.
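The windowing, linear test and fitness score above, as an added example that is not the patent's implementation. The vector trajectories are sliding windows of a scalar series, each paired with the sample that follows it. The linear test used here (fit a linear predictor of the next sample from the window and accept the system as linear if R^2 >= 0.99) and the nonlinear branch (a degree-2 polynomial lift of the window coordinates, fitted by ridge-regularised least squares, in place of the unspecified nonlinear subspace decomposition) are assumptions; the abstract names neither. The two series, a stable first-order linear system and the chaotic logistic map, are constructed.

```python
"""Sliding-window trajectories, a linear test, and a fitness score for the fitted model.

Added example, not the patent's implementation. The linear test, the polynomial
lift used for the nonlinear branch and the two series are assumptions.
"""
from typing import List, Sequence, Tuple

Pair = Tuple[Sequence[float], float]   # (window vector, next sample)


def sliding_windows(series: Sequence[float], w: int) -> List[Pair]:
    """Segment a series into vector trajectories of length w, each paired with the
    sample that follows it (the target an evolution model must predict)."""
    return [(series[i:i + w], series[i + w]) for i in range(len(series) - w)]


def features(x: Sequence[float], degree: int) -> List[float]:
    """Regression features: constant, the window, and for degree 2 all pairwise products."""
    f = [1.0] + list(x)
    if degree == 2:
        f += [x[i] * x[j] for i in range(len(x)) for j in range(i, len(x))]
    return f


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                for k in range(c, n + 1):
                    m[r][k] -= f * m[c][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit(pairs: List[Pair], degree: int, ridge: float = 1e-6) -> List[float]:
    """Least squares via the normal equations; the ridge term keeps the system
    solvable when window coordinates are exactly dependent (deterministic series)."""
    xs = [features(x, degree) for x, _ in pairs]
    ys = [y for _, y in pairs]
    p = len(xs[0])
    a = [[sum(r[i] * r[j] for r in xs) + (ridge if i == j else 0.0) for j in range(p)]
         for i in range(p)]
    b = [sum(r[i] * y for r, y in zip(xs, ys)) for i in range(p)]
    return solve(a, b)


def fitness(pairs: List[Pair], degree: int, coef: List[float]) -> float:
    """R^2 of the evolution model: 1 - residual variance / total variance."""
    ys = [y for _, y in pairs]
    preds = [sum(c * f for c, f in zip(coef, features(x, degree))) for x, _ in pairs]
    mean = sum(ys) / len(ys)
    rss = sum((y - p) ** 2 for y, p in zip(ys, preds))
    tss = sum((y - mean) ** 2 for y in ys)
    return 1.0 - rss / tss if tss > 0 else 1.0


def model_dynamics(series: Sequence[float], w: int = 2, linear_threshold: float = 0.99) -> dict:
    """Extract trajectories, run the linear test, fit the chosen model, score it."""
    pairs = sliding_windows(series, w)
    lin = fit(pairs, 1)
    r2_lin = fitness(pairs, 1, lin)
    if r2_lin >= linear_threshold:             # linear test passed
        return {"linear": True, "degree": 1, "coef": lin, "fitness": r2_lin}
    quad = fit(pairs, 2)                        # nonlinear branch: polynomial lift
    return {"linear": False, "degree": 2, "coef": quad, "fitness": fitness(pairs, 2, quad)}


# Constructed series: a stable linear first-order system and the chaotic logistic map.
def linear_series(n=60, a=0.9, b=0.1) -> List[float]:
    x, out = 0.0, []
    for _ in range(n):
        out.append(x)
        x = a * x + b
    return out


def logistic_series(n=80, r=3.9, x0=0.3) -> List[float]:
    x, out = x0, []
    for _ in range(n):
        out.append(x)
        x = r * x * (1 - x)
    return out


if __name__ == "__main__":
    for name, s in [("linear", linear_series()), ("logistic", logistic_series())]:
        m = model_dynamics(s)
        print(name, "linear" if m["linear"] else "nonlinear", f"fitness={m['fitness']:.4f}")
```

The logistic map is the instructive case: a linear predictor of the next sample explains little of its variance, so the linear test fails, while the degree-2 lift recovers the map exactly (the next sample is a quadratic in the last one) and the fitness score returns to about 1.0. A fitness score near 1.0 on the wrong model class would be the thing to distrust in practice.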
Abstract:
A computer-implemented method for temporal ranking in invariant networks considers an invariant network and a set of broken invariants in that network. For each time point t inside a window W, it assumes that each metric with broken invariants was affected by a fault at that time point, computes an expected pattern for each invariant of a metric with an assumed fault (the pattern indicating the time points at which the invariant will be broken given that its associated metric was affected by a fault at time t), compares the expected pattern with the pattern observed over the time window W, and determines a temporal score from the degree of match found in that comparison.
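The scoring loop above, as an added example that is not the patent's implementation: the invariant network is an undirected graph whose nodes are metrics and whose edges are pairwise invariants, the observation is the set of time points in W at which each invariant was broken, and every metric with a broken invariant is scored by the best match over all hypothesised fault times t in W. Two assumptions fill in what the abstract leaves open: the expected pattern for a fault at t is "every invariant of the faulty metric is broken from t to the end of W", and the match is the mean Jaccard overlap between expected and observed time points. The network and observation are constructed.

```python
"""Temporal ranking of metrics in an invariant network from the broken-invariant pattern.

Added example, not the patent's implementation. The expected-pattern rule and the
Jaccard match are assumptions; the network and observation are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

Invariant = Tuple[str, str]

# Constructed invariant network over metrics A..D (edges are pairwise invariants).
INVARIANTS: List[Invariant] = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")]
WINDOW = range(0, 8)   # time points of W
# Constructed observation: time points at which each invariant was broken
# (invariants absent from the map were never broken inside W).
OBSERVED: Dict[Invariant, Set[int]] = {
    ("A", "B"): {3, 4, 5, 6, 7},
    ("A", "C"): {3, 4, 5, 6, 7},
    ("B", "D"): {5, 6, 7},
}


def invariants_of(metric: str, invariants: Iterable[Invariant]) -> List[Invariant]:
    return [inv for inv in invariants if metric in inv]


def expected_pattern(t: int, window: Iterable[int]) -> Set[int]:
    """Assumed rule: an invariant of a metric faulted at t is broken from t to the end of W."""
    return {u for u in window if u >= t}


def jaccard(a: Set[int], b: Set[int]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 1.0


def match_score(metric, t, invariants, observed, window) -> float:
    """Mean overlap, over the metric's invariants, between expected and observed patterns."""
    invs = invariants_of(metric, invariants)
    expected = expected_pattern(t, window)
    return sum(jaccard(expected, observed.get(inv, set())) for inv in invs) / len(invs)


def temporal_scores(invariants, observed, window) -> Dict[str, float]:
    """For each metric with a broken invariant, the best match over all fault times t in W."""
    candidates = {m for inv, ts in observed.items() if ts for m in inv}
    return {m: max(match_score(m, t, invariants, observed, window) for t in window)
            for m in candidates}


def rank(invariants=INVARIANTS, observed=OBSERVED, window=WINDOW) -> List[Tuple[str, float]]:
    """Metrics ordered by temporal score, highest first (ties broken by name)."""
    scores = temporal_scores(invariants, observed, window)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for metric, score in rank():
        print(f"{metric}: {score:.2f}")
```

With the constructed observation, metric A at t = 3 explains both of its invariants exactly and scores 1.0; B scores 0.8 because its B-D invariant broke two steps later than a fault at t = 3 would predict; C and D each have one invariant that never broke and score 0.5. Ranking by this score is what points the operator at A first.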
Abstract:
The invention efficiently provides user-code information for kernel-level tracing approaches. It applies an advanced variation of stack walking, called multi-mode stack walking, across the entire system and generates a unified trace in which user-code and kernel events are integrated. Because it uses runtime stack information and internal kernel data structures, source code for user-level code and libraries is not required for inspection. The invention also introduces a mechanism to narrow the monitoring focus to specific application software and thereby improve monitoring performance.