公开(公告)号：WO2015034564A1

公开(公告)日：2015-03-12

申请号：PCT/US2014/042246

申请日：2014-06-13

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LUMEZANU, Cristian ,  YU, Curtis ,  SHARMA, Abhishek ,  JIANG, Guofei ,  XU, Qiang

IPC: H04L12/801 ,  H04L12/931 ,  H04L12/26

CPC classification number: H04L43/106 ,  H04L43/0852

Abstract: In a software defined network having switches including first and last switches and intermediate switches, wherein a default routing path exists between the first and last switches, a system and method are provided for computing path latency. The method includes inserting a respective monitoring rule(s) in each switch, mandating for each switch, forwarding a received rule matching packet to a next switch, and further mandating for the first switch and the last switch, sending a PacketIn message to a controller. The method includes inserting, in each switch, a respective monitoring probe(s) matching the respective monitoring rule(s) in a same switch to initiate mandates specified by the respective monitoring rule(s) in the same switch responsive to an arrival of the packet thereat. The method includes time-stamping the PacketIn messages to generate PacketIn timestamps, aggregating the PacketIn timestamps, and estimating the path latency from an aggregation of PacketIn timestamps.

Abstract translation: 在具有包括第一和最后交换机和中间交换机的交换机的软件定义网络中，其中在第一和最后交换机之间存在默认路由路径，提供用于计算路径等待时间的系统和方法。 该方法包括在每个交换机中插入相应的监控规则，强制每个交换机，将接收到的规则匹配分组转发到下一个交换机，以及进一步强制第一交换机和最后一个交换机，向控制器发送分组输入消息 。 该方法包括在每个交换机中插入与同一交换机中的相应监控规则相匹配的相应监视探测器，以启动响应于相应监视规则到达的相应监控规则指定的任务 包在那里 该方法包括对PacketIn消息进行时间戳，以生成PacketIn时间戳，聚合PacketIn时间戳，并从PacketIn时间戳的聚合估计路径等待时间。

公开(公告)号：WO2011140293A2

公开(公告)日：2011-11-10

申请号：PCT/US2011/035288

申请日：2011-05-05

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： DING, Min ,  SINGH, Vishal ,  ZHANG, Yueping ,  JIANG, Guofei

IPC: G06F9/44 ,  G06F15/16

CPC classification number: G06F9/54 ,  G06F11/3006 ,  G06F11/302 ,  G06F11/3051 ,  H04L41/046 ,  H04L43/0876 ,  H04L43/12

Abstract: A method and a system are disclosed for determining application dependency paths in a data center. The method and the system captures application traffic volume data on the servers with switches and monitoring agents; generates an application traffic matrix of all the components of the applications based on the application traffic volume data; estimates the number of the applications in the data center from the traffic matrix with a Rank Estimation via Singular Value Decomposition or Power Factorization Residue Errors process; and decomposes the traffic matrix into a first matrix and a second matrix with a non-negative matrix factorization process using the estimated number of applications. The first matrix represents a set of the components belonging to each of the applications and the second matrix represents the amount of traffic generated by each application over time. Any noise in the first and second matrices is removed with a concurrent volumes ratios based correlation process.

Abstract translation: 公开了一种用于确定数据中心中的应用依赖路径的方法和系统。 该方法和系统使用交换机和监控代理在服务器上捕获应用程序流量数据; 基于应用业务量数据生成应用的所有组件的应用业务矩阵; 通过奇异值分解或功率因子分解残差误差进行等级估计从业务矩阵估计数据中心中的应用数量; 并且使用估计的应用数量将业务矩阵分解为第一矩阵和具有非负矩阵分解过程的第二矩阵。 第一矩阵表示属于每个应用的组件的集合，第二矩阵表示每个应用随时间生成的流量。 第一和第二矩阵中的任何噪声均以基于并发卷比的相关过程被去除。

公开(公告)号：WO2007089285A2

公开(公告)日：2007-08-09

申请号：PCT/US2006/035889

申请日：2006-09-14

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： JIANG, Guofei ,  CHEN, Haifeng ,  UNGUREANU, Cristian ,  YOSHIHIRA, Kenji

IPC: G06F11/30

CPC classification number: G06F11/008

Abstract: A method and system that automatically derives models between monitored quantities under non-faulty conditions so that subsequent faults can be detected as deviations from the derived models. The invention identifies unusual conditions for fault detection and isolation that is absent in rule-based systems.

Abstract translation: 在非故障条件下，在监测量之间自动导出模型的方法和系统，以便随后的故障可以被检测为与衍生模型的偏差。 本发明确定了在基于规则的系统中不存在的用于故障检测和隔离的异常情况。

公开(公告)号：WO2018085320A1

公开(公告)日：2018-05-11

申请号：PCT/US2017/059436

申请日：2017-11-01

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： CHENG, Wei ,  CHEN, Haifeng ,  JIANG, Guofei

IPC: G05B23/02

Abstract: Methods and systems for detecting a system fault include determining a network of broken correlations for a current timestamp, relative to a predicted set of correlations, based on a current set of sensor data. The network of broken correlations for the current timestamp is compared to networks of broken correlations for previous timestamps to determine a fault propagation pattern. It is determined whether a fault has occurred based on the fault propagation pattern. A system management action is performed if a fault has occurred.

Abstract translation: 用于检测系统故障的方法和系统包括基于当前一组传感器数据确定当前时间戳相对于预测相关集合的损坏相关性的网络。 将当前时间戳的断开相关网络与先前时间戳的断开相关网络进行比较，以确定故障传播模式。 根据故障传播模式确定是否发生故障。 如果发生故障，则执行系统管理操作。

公开(公告)号：WO2018039424A1

公开(公告)日：2018-03-01

申请号：PCT/US2017/048360

申请日：2017-08-24

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XIAO, Xusheng ,  LI, Zhichun ,  ZHANG, Mu ,  JIANG, Guofei ,  GUI, Jiaping

IPC: G06F17/30

CPC classification number: G06F16/24532 ,  G06F16/22 ,  G06F16/245 ,  G06F16/24535 ,  G06F16/24545 ,  G06F21/57 ,  G06F21/6227 ,  G06F2221/034

Abstract: Methods for querying a database and database systems include optimizing (304) a database query for parallel execution using spatial and temporal information relating to elements in the database, the optimized database query being split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. The sub-queries are executed (306) in parallel. The results of the database query are outputted (310) progressively.

Abstract translation: 用于查询数据库和数据库系统的方法包括使用与数据库中的元素相关的空间和时间信息优化（304）用于并行执行的数据库查询，优化的数据库查询被拆分为子查询 子查询根据主机在时间上按照时间窗口进行空间划分。 子查询并行执行（306）。 数据库查询的结果逐步输出（310）。

公开(公告)号：WO2017177003A1

公开(公告)日：2017-10-12

申请号：PCT/US2017/026359

申请日：2017-04-06

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： RHEE, Junghwan ,  LI, Zhichun ,  WU, Zhenyu ,  JEE, Kangkook ,  JIANG, Guofei

IPC: G06F21/55 ,  G06F21/57

CPC classification number: G06F21/563 ,  G06F11/3688 ,  G06F11/3692 ,  G06F21/564 ,  G06F2221/033

Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.

Abstract translation: 用于识别程序二进制文件中的相似性的系统和方法，包括从一个或多个输入程序二进制文件中提取程序二进制特征以生成对应的混合特征。 混合特征包括参考特征，资源特征，抽象控制流特征和结构特征。 从所提取的混合特征中生成多对二进制文件的组合，并且为每对二进制文件确定相似性分数。 基于与输入混合特征参数组合的每个二进制文件的相似度得分来生成混合差异评分。 根据混合差异分数识别输入程序中恶意软件的可能性。

公开(公告)号：WO2017164946A1

公开(公告)日：2017-09-28

申请号：PCT/US2016/067730

申请日：2016-12-20

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ANCHURI, Pranay ,  ZHANG, Hui ,  JIANG, Guofei

IPC: G06F11/00 ,  G06F11/30

Abstract: A computer-implemented method provides an early warning of an impending failure in a monitored system. The method includes performing, by a processor, an offline model learning process that generates a model of expected log rates in the monitored system from historical log data. The model represents a normal behavior of the monitored system. The method further includes performing an online detection process that detects the impending failure in the monitored system prior to an actual occurrence thereof based on (i) the model of expected log rates and (ii) observed log rates. The method also includes displaying, by a display device based on (i) the model of expected log rates and (ii) observed log rates in the monitored system, information relating to the impending failure prior to the actual occurrence of the impending failure. The online detection process identifies short term and long term failures and long term failures.

Abstract translation: 计算机实现的方法提供受监控系统即将发生故障的早期预警。 该方法包括由处理器执行离线模型学习过程，该离线模型学习过程从历史日志数据中生成所监视的系统中的期望的日志率的模型。 该模型表示受监视系统的正常行为。 该方法进一步包括基于（i）预期的测井速率模型和（ii）观察到的测井速率，执行在线检测过程，其在实际发生之前检测被监测系统中的即将发生的故障。 该方法还包括由显示装置基于（i）预期的测井速率模型和（ii）在被监测的系统中观测到的测井速率来显示与即将发生的即将发生的失效之前即将发生的失效有关的信息。 在线检测流程可识别短期和长期故障以及长期故障。

公开(公告)号：WO2017160409A1

公开(公告)日：2017-09-21

申请号：PCT/US2017/015294

申请日：2017-01-27

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  CHEN, Zhengzhang ,  CHEN, Haifeng ,  YOSHIHIRA, Kenji ,  JIANG, Guofei

IPC: H04L12/26

CPC classification number: H04L43/10 ,  G06F11/3438 ,  H04L41/12 ,  H04L41/16 ,  H04L41/22 ,  H04L41/28 ,  H04L43/06 ,  H04L43/0811 ,  H04L67/22

Abstract: A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.

Abstract translation: 给出了用于实时检测异常网络连接的计算机实现的方法。 该计算机实现的方法包括：从连接到网络的至少一个代理收集网络连接事件，经由拓扑图记录网络中主机之间的网络连接的正常状态，并且经由端口图记录在主机之间建立的关系 和所有网络连接的目标端口。

公开(公告)号：WO2016168531A1

公开(公告)日：2016-10-20

申请号：PCT/US2016/027659

申请日：2016-04-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, Lu-An ,  CHEN, Zhengzhang ,  CHEN, Ting ,  JIANG, Guofei ,  XU, Fengyuan ,  CHEN, Haifeng

IPC: H04L29/06 ,  H04L12/22

CPC classification number: H04L41/12 ,  H04L41/142 ,  H04L41/145 ,  H04L63/0421 ,  H04L63/1425

Abstract: Methods and systems for detecting anomalous communications include simulating a network graph based on community and role labels of each node in the network graph based on one or more linking rules. The community and role labels of each node are adjusted based on differences between the simulated network graph and a true network graph. The simulation and adjustment are repeated until the simulated network graph converges to the true network graph to determine a final set of community and role labels. It is determined whether a network communication is anomalous based on the final set of community and role labels.

Abstract translation: 用于检测异常通信的方法和系统包括基于一个或多个链接规则来模拟网络图中基于社区和每个节点的角色标签的网络图。 基于模拟网络图和真实网络图之间的差异来调整每个节点的社区和角色标签。 重复模拟和调整，直到模拟网络图收敛到真实的网络图，以确定最终的一组社区和角色标签。 基于社区和角色标签的最终集确定网络通信是否是异常的。

公开(公告)号：WO2016057994A1

公开(公告)日：2016-04-14

申请号：PCT/US2015/055137

申请日：2015-10-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LI, Zhichun ,  WU, Zhenyu ,  QIAN, Zhiyun ,  JIANG, Guofei ,  AKHOONDI, Masoud ,  KUSANO, Markus

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1416 ,  G06F17/30958 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: Methods and systems for intrusion attack recovery include monitoring (502) two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated (504) based on the audit logs. A relevancy score for each edge of the DGraphs is determined (510). Irrelevant events from the DGraphs are pruned (510) to generate a condensed backtracking graph. An origin is located by backtracking (512) from an attack detection point in the condensed backtracking graph.

Abstract translation: 入侵攻击恢复的方法和系统包括监视（502）网络中的两个或多个主机以生成系统事件的审核日志。 基于审计日志生成一个或多个依赖关系图（DGraph）（504）。 确定DGraph的每个边缘的相关性得分（510）。 修剪了DGraphs中不相关的事件（510），以生成一个浓缩回溯图。 原点是通过回溯（512）从浓缩回溯图中的攻击检测点定位的。