公开(公告)号：US10367842B2

公开(公告)日：2019-07-30

申请号：US15902318

申请日：2018-02-22

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Zhichun Li ,  Cheng Cao

IPC: H04L29/06 ,  G06F21/55

Abstract: Systems and methods for determining a risk level of a host in a network include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined. An anomaly score for the target host is determined based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.

公开(公告)号：US10367838B2

公开(公告)日：2019-07-30

申请号：US15425335

申请日：2017-02-06

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Guofei Jiang ,  Kenji Yoshihira ,  Haifeng Chen

IPC: H04L12/00 ,  H04L29/06 ,  H04L12/24

Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.

公开(公告)号：US10333952B2

公开(公告)日：2019-06-25

申请号：US15729030

申请日：2017-10-10

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Ying Lin ,  Zhichun Li ,  Haifeng Chen ,  Guofei Jiang

IPC: H04L29/06 ,  H04L12/24

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.

公开(公告)号：US10289841B2

公开(公告)日：2019-05-14

申请号：US15725974

申请日：2017-10-05

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Hengtong Zhang ,  Zhengzhang Chen ,  Bo Zong ,  Zhichun Li ,  Guofei Jiang ,  Kenji Yoshihira

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06 ,  G06F21/57

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.

公开(公告)号：US20190121969A1

公开(公告)日：2019-04-25

申请号：US16161564

申请日：2018-10-16

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Zhichun Li ,  Zhenyu Wu ,  Jumpei Kamimura ,  Haifeng Chen

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

公开(公告)号：US20180034836A1

公开(公告)日：2018-02-01

申请号：US15729030

申请日：2017-10-10

Applicant: NEC Laboratories America, Inc.

Inventor： Zhengzhang Chen ,  LuAn Tang ,  Ying Lin ,  Zhichun Li ,  Haifeng Chen ,  Guofei Jiang

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  G06F21/554 ,  H04L41/12 ,  H04L41/142 ,  H04L41/145 ,  H04L63/1425

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.

公开(公告)号：US20170302516A1

公开(公告)日：2017-10-19

申请号：US15427654

申请日：2017-02-08

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Kai Zhang ,  Haifeng Chen ,  Zhichun Li

IPC: H04L12/24 ,  G06F17/30

CPC classification number: H04L41/145 ,  H04L41/0672 ,  H04L41/0813

Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and model respective pairs of the entities for compatibility according to the embedding of the entities to form a pairwise interaction for the respective pairs of the entities. The processor is additionally configured to weigh the pairwise interaction of different ones of the respective pairs of the entities based on one or more compatibility criterion to generate a probability of an occurrence of an anomaly and alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.

公开(公告)号：US20160308725A1

公开(公告)日：2016-10-20

申请号：US15098861

申请日：2016-04-14

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Zhengzhang Chen ,  Ting Chen ,  Guofei Jiang ,  Fengyuan Xu ,  Haifeng Chen

IPC: H04L12/24 ,  H04L29/06

CPC classification number: H04L41/12 ,  H04L41/142 ,  H04L41/145 ,  H04L63/0421 ,  H04L63/1425

Abstract: Methods and systems for detecting anomalous communications include simulating a network graph based on community and role labels of each node in the network graph based on one or more linking rules. The community and role labels of each node are adjusted based on differences between the simulated network graph and a true network graph. The simulation and adjustment are repeated until the simulated network graph converges to the true network graph to determine a final set of community and role labels. It is determined whether a network communication is anomalous based on the final set of community and role labels.

Abstract translation: 用于检测异常通信的方法和系统包括基于一个或多个链接规则来模拟网络图中基于社区和每个节点的角色标签的网络图。 基于模拟网络图和真实网络图之间的差异来调整每个节点的社区和角色标签。 重复模拟和调整，直到模拟网络图收敛到真实的网络图，以确定最终的一组社区和角色标签。 基于社区和角色标签的最终集确定网络通信是否是异常的。

公开(公告)号：US20250149133A1

公开(公告)日：2025-05-08

申请号：US18922837

申请日：2024-10-22

Applicant: NEC Laboratories America, Inc.

Inventor： LuAn Tang ,  Yuyang Ye ,  Haifeng Chen ,  Haoyu Wang ,  Zhengzhang Chen ,  Wenchao Yu

IPC: G16H10/60 ,  G06N3/0455

Abstract: Systems and methods for optimizing key performance indicators (KPIs) using adversarial imitation deep learning include processing sensor data received from sensors to remove irrelevant data based on correlation to a final KPI and generating, using a policy generator network with a transformer-based architecture, an optimal sequence of actions based on the processed sensor data. A discriminator network is employed to differentiate between the generated action sequences and real-world high performance sequences employing. Final KPI results are estimated based on the generated action sequences using a performance prediction network. The generated action sequences are applied to the process to optimize the KPI in real-time.

公开(公告)号：US20250148431A1

公开(公告)日：2025-05-08

申请号：US18938823

申请日：2024-11-06

Applicant: NEC Laboratories America, Inc.

Inventor： Haoyu Wang ,  Christopher A. White ,  Haifeng Chen ,  LuAn Tang ,  Zhengzhang Chen ,  Xujiang Zhao

IPC: G06Q10/30 ,  G06Q10/0637

Abstract: Systems and methods for an agent-based carbon emission reduction system. A carbon product of a supply chain system can be limited below a carbon product threshold by performing a corrective action to monitored entities based on a calculated carbon emission. The carbon emission can be calculated based on carbon-relevant data and a calculation route by utilizing an agent-based simulation model that simulates a learned relationship between a supply chain system and the carbon-relevant data. The calculation route can be determined based on the carbon-relevant data based on a relevance of a carbon product contribution of monitored entities to a goal of the monitored entities. Carbon-relevant data can be extracted from the monitored entities.