Abstract:
Disclosed is a method and apparatus for performing capacity planning and resource optimization in a distributed system. In particular, the capacity needs of individual components (e.g., server, operating system, CPU, application software, memory, networking device, storage device, etc.) in a distributed system can be analyzed using relationships between measurements collected from the distributed system. These relationships, called invariants, do not change over time. From these measurements, a network of invariants is determined. The network of invariants characterizes the relationships between the measurements. The capacity need of at least one component in the distributed system can be determined from the network of invariants.
Abstract:
A computer-implemented method, computer program product, and computer processing system are provided. The method includes preprocessing, by a processor, a set of heterogeneous logs by splitting each of the logs into tokens to obtain preprocessed logs. Each of the logs in the set is associated with a timestamp and textual content in one or more fields. The method further includes generating, by the processor, a set of regular expressions from the preprocessed logs. The method also includes performing, by the processor, an unsupervised parsing operation by applying the regular expressions to the preprocessed logs to obtain a set of parsed logs and a set of unparsed logs, if any. The method additionally includes storing, by the processor, the set of parsed logs in a log analytics database and the set of unparsed logs in a debugging database.
Abstract:
Methods and systems for log management include pre-processing heterogeneous logs and performing a log management action (112) on the pre-processed plurality of heterogeneous logs. Pre-processing the logs includes performing a fixed tokenization (104) of the heterogeneous logs based on a predefined set of symbols, performing a flexible tokenization (106) of the heterogeneous logs based on a user-defined set of rules, converting timestamps (108) in the heterogeneous logs to a single target timestamp format, and performing structural log tokenization (110) of the heterogeneous logs based on user-defined structural information.
Abstract:
Mobile phones and methods for mobile phone failure prediction include receiving respective log files from one or more mobile phone components, including at least one user application. The log files have heterogeneous formats. A likelihood of failure of one or more mobile phone components is determined based on the received log files by clustering the plurality of log files according to structural log patterns and determining feature representations of the log files based on the log clusters. A user is alerted to a potential failure if the likelihood of component failure exceeds a first threshold. An automatic system control action is performed if the likelihood of component failure exceeds a second threshold.
Abstract:
Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.
Abstract:
A method is provided that is performed in a network having nodes that generate heterogeneous logs including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method includes controlling an anomaly-initiating one of the plurality of nodes based on the invariant models.
Abstract:
An exemplary method for detecting one or more anomalies in a system includes building a temporal causality graph describing functional relationship among local components in a normal period; applying the causality graph as a propagation template to predict a system status by iteratively applying current system event signatures; and detecting the one or more anomalies of the system by examining related patterns on the template causality graph that specifies normal system behaviors. The system can align event patterns on the causality graph to determine an anomaly score.
Abstract:
Systems and methods are disclosed for analyzing logs generated by a machine by analyzing a log and identifying one or more abstract landmark delimiters (ALDs) representing delimiters for log tokenization; from the log and ALD, tokenizing the log and generating an increasingly tokenized format by separating the patterns with the ALD to form an intermediate tokenized log; iteratively repeating the tokenizing of the logs until a last intermediate tokenized log is processed as a final tokenized log; and applying the tokenized logs in applications.
Abstract:
Systems and methods for quality control for physical systems, including a quality control engine for transforming raw time series data collected from each of a plurality of sensors in the physical system into one or more sets of feature series by extracting features from the raw time series. Feature ranking scores are generated for each of the sensors by ranking each of the features using an ensemble of feature rankers, and fused importance scores are generated by aggregating the feature ranking scores for each of the sensors and combining ranking scores from each ranker in the ensemble. System quality is controlled by identifying sensors responsible for quality degradation based on the fused importance scores.
Abstract:
Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process.