-
Publication No.: US10999247B2
Publication Date: 2021-05-04
Application No.: US16169012
Application Date: 2018-10-24
Applicant: NEC Laboratories America, Inc.
Inventor: Bo Zong, Daeki Cho, Cristian Lumezanu, Haifeng Chen, Qi Song
Abstract: Systems and methods for preventing cyberattacks using a Density Estimation Network (DEN) for unsupervised anomaly detection, including constructing the DEN using acquired network traffic data by performing end-to-end training. The training includes generating low-dimensional vector representations of the network traffic data by performing dimensionality reduction of the network traffic data, predicting mixture membership distribution parameters for each of the low-dimensional representations by performing density estimation using a Gaussian Mixture Model (GMM) framework, and formulating an objective function to estimate an energy and determine a density level of the low-dimensional representations for anomaly detection, with an anomaly being identified when the energy exceeds a pre-defined threshold. Cyberattacks are prevented by blocking transmission of network flows with identified anomalies by directly filtering out the flows using a network traffic monitor.
-
Publication No.: US20190098048A1
Publication Date: 2019-03-28
Application No.: US16101794
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: H04L29/06, H04L12/733, H04L12/741, H04L12/26, G06N3/08, G06K9/62
Abstract: Methods and systems for mitigating a spoofing-based attack include calculating a travel distance between a source Internet Protocol (IP) address and a target IP address from a received packet based on time-to-live information from the received packet. An expected travel distance between the source IP address and the target IP address is estimated based on a sparse set of known source/target distances. It is determined that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security action is performed responsive to the determination that the received packet has a spoofed source IP address.
-
Publication No.: US10999323B2
Publication Date: 2021-05-04
Application No.: US16101834
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: G06F21/00, H04L29/06, H04L12/733, H04L12/26, H04L12/741, G06N20/00, H04L12/751, H04L12/893, G06K9/62, G06N3/08
Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.
-
Publication No.: US10915535B2
Publication Date: 2021-02-09
Application No.: US15983404
Application Date: 2018-05-18
Applicant: NEC Laboratories America, Inc.
Inventor: Haifeng Chen, Youfu Li, Daeki Cho, Bo Zong, Nipun Arora, Cristian Lumezanu
IPC: G06F16/2455, G06N20/00, G06F16/22, G06F16/2453, G06N5/04
Abstract: Systems and methods for optimizing query execution to improve query processing by a computer are provided. A query is analyzed and translated into a logical plan. A runtime query optimizer is applied to the logical plan to identify a physical plan including operators for execution. The logical plan is translated into the physical plan. Execution of the query is scheduled according to the physical plan.
-
Publication No.: US10911488B2
Publication Date: 2021-02-02
Application No.: US16101794
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: G06F11/00, H04L29/06, H04L12/733, H04L12/26, H04L12/741, G06N20/00, H04L12/751, H04L12/893, G06K9/62, G06N3/08
Abstract: Methods and systems for mitigating a spoofing-based attack include calculating a travel distance between a source Internet Protocol (IP) address and a target IP address from a received packet based on time-to-live information from the received packet. An expected travel distance between the source IP address and the target IP address is estimated based on a sparse set of known source/target distances. It is determined that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security action is performed responsive to the determination that the received packet has a spoofed source IP address.
-
Publication No.: US20180365291A1
Publication Date: 2018-12-20
Application No.: US15983404
Application Date: 2018-05-18
Applicant: NEC Laboratories America, Inc.
Inventor: Haifeng Chen, Youfu Li, Daeki Cho, Bo Zong, Nipun Arora, Cristian Lumezanu
IPC: G06F17/30
Abstract: Systems and methods for optimizing query execution to improve query processing by a computer are provided. A query is analyzed and translated into a logical plan. A runtime query optimizer is applied to the logical plan to identify a physical plan including operators for execution. The logical plan is translated into the physical plan. Execution of the query is scheduled according to the physical plan.
-
Publication No.: US10887344B2
Publication Date: 2021-01-05
Application No.: US16101815
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: H04L29/00, H04L29/06, H04L12/733, H04L12/26, H04L12/741, G06N20/00, H04L12/751, H04L12/893, G06K9/62, G06N3/08
Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by the target network endpoint system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the target network endpoint system responsive to the determination that the received packet has a spoofed source IP address.
-
Publication No.: US20190098050A1
Publication Date: 2019-03-28
Application No.: US16101834
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: H04L29/06, H04L12/733, H04L12/741, H04L12/26, G06F15/18
Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.
-
Publication No.: US20190124045A1
Publication Date: 2019-04-25
Application No.: US16169012
Application Date: 2018-10-24
Applicant: NEC Laboratories America, Inc.
Inventor: Bo Zong, Daeki Cho, Cristian Lumezanu, Haifeng Chen, Qi Song
Abstract: Systems and methods for preventing cyberattacks using a Density Estimation Network (DEN) for unsupervised anomaly detection, including constructing the DEN using acquired network traffic data by performing end-to-end training. The training includes generating low-dimensional vector representations of the network traffic data by performing dimensionality reduction of the network traffic data, predicting mixture membership distribution parameters for each of the low-dimensional representations by performing density estimation using a Gaussian Mixture Model (GMM) framework, and formulating an objective function to estimate an energy and determine a density level of the low-dimensional representations for anomaly detection, with an anomaly being identified when the energy exceeds a pre-defined threshold. Cyberattacks are prevented by blocking transmission of network flows with identified anomalies by directly filtering out the flows using a network traffic monitor.
-
Publication No.: US20190098049A1
Publication Date: 2019-03-28
Application No.: US16101815
Application Date: 2018-08-13
Applicant: NEC Laboratories America, Inc.
Inventor: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
IPC: H04L29/06, H04L12/733, H04L12/751, H04L12/893
Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by the target network endpoint system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the target network endpoint system responsive to the determination that the received packet has a spoofed source IP address.