11. RANKING THE IMPORTANCE OF ALERTS FOR PROBLEM DETERMINATION IN LARGE SYSTEMS
    Patent application (status: pending, published)

    Publication number: WO2009142832A2

    Publication date: 2009-11-26

    Application number: PCT/US2009/039606

    Filing date: 2009-04-06

    Abstract: A system and method for prioritizing alerts includes extracting invariants to determine a stable set of models for determining relationships among monitored system data. Equivalent thresholds for a plurality of rules are computed using an invariant network developed by extracting the invariants. For a given time window, a set of alerts are received from a system being monitored. A measurement value of the alerts is compared with a vector of equivalent thresholds, and the set of alerts is ranked.


12. GRAPH-BASED ATTACK CHAIN DISCOVERY IN ENTERPRISE SECURITY SYSTEMS
    Patent application (status: pending, published)

    Publication number: WO2018071356A1

    Publication date: 2018-04-19

    Application number: PCT/US2017/055826

    Filing date: 2017-10-10

    CPC classification number: G06F21/554 G06F21/55 G06F21/60

    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated (310) that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.


13. CONSTRUCTING GRAPH MODELS OF EVENT CORRELATION IN ENTERPRISE SECURITY SYSTEMS
    Patent application (status: pending, published)

    Publication number: WO2018071355A1

    Publication date: 2018-04-19

    Application number: PCT/US2017/055825

    Filing date: 2017-10-10

    CPC classification number: G06F21/552 G06F21/554

    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.


14. PERIODICITY ANALYSIS ON HETEROGENEOUS LOGS
    Patent application (status: pending, published)

    Publication number: WO2017083148A1

    Publication date: 2017-05-18

    Application number: PCT/US2016/060131

    Filing date: 2016-11-02

    CPC classification number: G06N5/047 G06N99/005

    Abstract: Systems and methods are disclosed for detecting periodic event behaviors from machine generated logging by: capturing heterogeneous log messages, each log message including a time stamp and text content with one or more fields; recognizing log formats from log messages; transforming the text content into a set of time series data, one time series for each log format; during a training phase, analyzing the set of time series data and building a category model for each periodic event type in heterogeneous logs; and during live operation, applying the category model to a stream of time series data from live heterogeneous log messages and generating a flag on a time series data point violating the category model and generating an alarm report for the corresponding log message.


15. OUTPUT EFFICIENCY OPTIMIZATION IN PRODUCTION SYSTEMS
    Patent application (status: pending, published)

    Publication number: WO2017015184A1

    Publication date: 2017-01-26

    Application number: PCT/US2016/042721

    Filing date: 2016-07-18

    CPC classification number: F01K13/02 F01K13/003 G05B13/048

    Abstract: Systems and methods are provided for optimizing system output in production systems. The method includes separating, by a processor, one or more initial input variables into a plurality of output variables, the output variables including environmental variables and system response variables. The method also includes building, using the processor, a nonparametric estimation that determines a relationship between one or more initial control variables and the system response variables, and estimating a global input-output mapping function using the determined relationship and a range of the environmental variables. The method further includes generating one or more optimal control variables from the initial control variables by maximizing the input-output mapping function over the range of the environmental variables. The method additionally includes incorporating one or more of the optimal control variables into a production system to increase production output of the production system.


16. HETEROGENEOUS LOG ANALYSIS
    Patent application (status: pending, published)

    Publication number: WO2015051061A1

    Publication date: 2015-04-09

    Application number: PCT/US2014/058730

    Filing date: 2014-10-02

    CPC classification number: G01V99/005

    Abstract: A method and system are provided for heterogeneous log analysis. The method includes performing hierarchical log clustering on heterogeneous logs to generate a log cluster hierarchy for the heterogeneous logs. The method further includes performing, by a log pattern recognizer device having a processor, log pattern recognition on the log cluster hierarchy to generate log pattern representations. The method also includes performing log field analysis on the log pattern representations to generate log field statistics. The method additionally includes performing log indexing on the log pattern representations to generate log indexes.


17. A VIRTUALIZATION AND CONSOLIDATION ANALYSIS ENGINE FOR ENTERPRISE DATA CENTERS
    Patent application (status: pending, published)

    Publication number: WO2011084296A2

    Publication date: 2011-07-14

    Application number: PCT/US2010/059058

    Filing date: 2010-12-06

    CPC classification number: G06F9/5066 Y02D10/22 Y02D10/36

    Abstract: A method and apparatus for consolidating a plurality of applications into one or more servers. The method and apparatus organizes consolidation constraints representing preferences about placing applications into the one or more servers, and allocates the applications into the one or more servers in a manner that maximally satisfies the consolidation constraints.


18. EXTRACTING OVERLAY INVARIANTS NETWORK FOR CAPACITY PLANNING AND RESOURCE OPTIMIZATION
    Patent application (status: pending, published)

    Publication number: WO2011034649A1

    Publication date: 2011-03-24

    Application number: PCT/US2010/039932

    Filing date: 2010-06-25

    Abstract: A method and system determines capacity needs of components in a distributed computer system. In the method and system, a pair-wise invariant network is determined from collected flow intensity measurements. The network includes at least two separate and unconnected pair-wise invariant subnetworks, each of the subnetworks including two of the flow intensity measurements connected by a pairwise invariant, each of the pair-wise invariants characterizing a constant relationship between their two connected flow intensity measurements. At least one overlay invariant is determined from the pair-wise invariant network and from the collected flow intensity measurements using a minimal redundancy least regression process. The capacity needs of the components are determined using the pair-wise and overlay invariants.
