公开(公告)号：WO2018195289A1

公开(公告)日：2018-10-25

申请号：PCT/US2018/028321

申请日：2018-04-19

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： DEBNATH, Biplob ,  ZHANG, Hui

IPC: G06F11/34

Abstract: A computer-implemented method for generating patterns from a set of heterogeneous log messages is presented. The method includes collecting the set of heterogenous log messages (101) from arbitrary or unknown systems or applications or sensors or instruments, splitting the log messages into tokens based on a set of delimiters (102), identifying datatypes of the tokens, identifying a log structure (103) of the log messages by generating pattern-signatures of all the tokens and the datatypes based on predefined pattern settings, generating a pattern (104) for each of the log structures, and enabling users to edit the pattern for each of the log structures based on user requirements.

公开(公告)号：WO2018182829A1

公开(公告)日：2018-10-04

申请号：PCT/US2018/014630

申请日：2018-01-22

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZONG, Bo ,  ZHANG, Hui

IPC: G05B23/02

CPC classification number: G06N20/00 ,  C07F1/00 ,  C07F1/08 ,  C07F3/003 ,  C07F3/02 ,  C07F3/06 ,  C07F5/003 ,  C07F7/003 ,  C07F7/28 ,  C07F9/005 ,  C07F11/005 ,  C07F13/005 ,  C07F15/0046 ,  C07F15/025 ,  C07F15/045 ,  C07F15/065 ,  C23C16/18 ,  C23C16/45553 ,  G05B23/0218 ,  G06F16/951 ,  G06N5/045 ,  H01L21/02205

Abstract: Systems and methods for automatically generating a set of meta-parameters used to train invariant-based anomaly detectors are provided. Data is transformed into a first set of time series data and a second set of time series data. A fitness threshold search is performed on the first set of time series data to automatically generate a fitness threshold, and a time resolution search is performed on the set of second time series data to automatically generate a time resolution. A set of meta-parameters including the fitness threshold and the time resolution are sent to one or more user devices across a network to govern the training of an invariant-based anomaly detector.

公开(公告)号：WO2018111355A1

公开(公告)日：2018-06-21

申请号：PCT/US2017/047285

申请日：2017-08-17

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： DEBNATH, Biplob ,  ZHANG, Hui ,  ARORA, Nipun ,  XU, Jianwu ,  JIANG, Guofei ,  ZONG, Bo

IPC: G05B23/02

Abstract: A computer-implemented method executed on a processor (214) for automatically analyzing log contents received via a network (803) and detecting content-level anomalies is presented. The computer-implemented method includes building a statistical model (103) based on contents of a set of training logs and detecting, based on the set of training logs, content-level anomalies (106) for a set of testing logs. The method further includes maintaining an index and metadata, generating attributes for fields, editing model capability to incorporate user domain knowledge, detecting anomalies using field attributes, and improving anomaly quality by using user feedback (107).

公开(公告)号：WO2017177012A1

公开(公告)日：2017-10-12

申请号：PCT/US2017/026370

申请日：2017-04-06

Applicant: NEC LABORATORIES AMERICA, INC

Inventor： XU, Jianwu ,  ZHANG, Ke ,  ZHANG, Hui ,  MIN, Renqiang ,  JIANG, Guofei

IPC: G06F11/34 ,  G06F11/00 ,  G06N3/02

Abstract: Methods for system failure prediction include clustering log files according to structural log patterns. Feature representations of the log files are determined based on the log clusters. A likelihood of a system failure is determined based on the feature representations using a neural network. An automatic system control action is performed if the likelihood of system failure exceeds a threshold.

Abstract translation:

系统故障预测的方法包括根据结构日志模式对日志文件进行聚类。 日志文件的功能表示是根据日志群集确定的。 基于使用神经网络的特征表示来确定系统故障的可能性。 如果系统故障的可能性超过阈值，则执行自动系统控制动作。

公开(公告)号：WO2017165018A1

公开(公告)日：2017-09-28

申请号：PCT/US2017/017869

申请日：2017-02-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZHANG, Hui ,  JIANG, Guofei

IPC: G06F11/30

CPC classification number: H04L63/1425

Abstract: A system, program, and method for detecting anomalies in heterogeneous logs. The system having a processor configured to identify pattern fields comprised of a plurality of event identifiers. The processor is further configured to generate an automata model by profiling event behaviors of the plurality of event sequences, the plurality of event sequences grouped in the automata model by combinations of one or more pattern fields and one or more event identifiers from among the plurality of event identifiers, wherein for a given combination, the one or more event identifiers therein must be respectively comprised in a same one of the one or more pattern fields with which it is combined. The processor is also configured to detect an anomaly in one of the plurality of event sequences using the automata model. The processor is additionally configured to control an anomaly-initiating one of the network devices based on the anomaly.

Abstract translation: 用于检测异构日志中的异常的系统，程序和方法

该系统具有配置成识别由多个事件标识符组成的模式字段的处理器。 所述处理器进一步被配置为通过分析所述多个事件序列的事件行为来生成自动机模型，所述多个事件序列通过一个或多个模式字段与所述多个事件序列中的一个或多个事件标识符的组合来分组在自动机模型中 事件标识符，其中对于给定组合，其中的一个或多个事件标识符必须分别包含在与其组合的一个或多个模式字段中的相同一个模式字段中。 处理器还被配置成使用自动机模型来检测多个事件序列之一中的异常。 处理器还被配置为基于异常控制异常发起的网络设备中的一个。

公开(公告)号：WO2017087591A1

公开(公告)日：2017-05-26

申请号：PCT/US2016/062397

申请日：2016-11-17

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XU, Jianwu ,  ZHANG, Hui ,  ARORA, Nipun ,  DEBNATH, Biplob ,  JIANG, Guofei

IPC: G06F11/34

CPC classification number: G06F11/3612 ,  G06F11/0706 ,  G06F11/0766 ,  G06F11/3636

Abstract: Systems and methods are disclosed for handling log data from one or more applications, sensors or instruments by receiving heterogeneous logs from arbitrary/unknown systems or applications; generating regular expression patterns from the heterogeneous log sources using machine learning and extracting a log pattern therefrom; generating models and profiles from training logs based on different conditions and updating a global model database storing all models generated over time; tokenizing raw log messages from one or more applications, sensors or instruments running a production system; transforming incoming tokenized streams are into data-objects for anomaly detection and forwarding of log messages to various anomaly detectors; and generating an anomaly alert from the one or more applications, sensors or instruments running a production system.

Abstract translation: 公开了用于通过从任意/未知系统或应用接收异构日志来处理来自一个或多个应用，传感器或仪器的日志数据的系统和方法; 使用机器学习从异构日志源生成正则表达式模式并从中提取日志模式; 根据不同的条件从训练日志生成模型和配置文件，并更新存储随时间生成的所有模型的全局模型数据库; 标记来自运行生产系统的一个或多个应用程序，传感器或仪器的原始日志消息; 将输入的标记化流转换成用于异常检测和将日志消息转发到各种异常检测器的数据对象; 并从运行生产系统的一个或多个应用程序，传感器或仪器生成异常警报。

公开(公告)号：WO2017083006A1

公开(公告)日：2017-05-18

申请号：PCT/US2016/051872

申请日：2016-09-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZHANG, Hui ,  JIANG, Guofei ,  RHEE, Junghwan ,  ARORA, Nipun

IPC: G06F9/54

CPC classification number: G06F9/542 ,  G06F9/44505 ,  G06F11/3404 ,  G06F11/3466

Abstract: Methods and systems for profiling requests include generating request units (202) based on collected kernel events that include complete request units and half-open request units. The generated request units are sequenced (204) based on a causality relationship set that describes causality relationships between kernel events.

Abstract translation: 用于分析请求的方法和系统包括基于收集的内核事件生成请求单元（202），所述内核事件包括完整请求单元和半开放请求单元。 基于描述内核事件之间的因果关系的因果关系集对所生成的请求单元排序（204）。

公开(公告)号：WO2016019104A1

公开(公告)日：2016-02-04

申请号：PCT/US2015/042824

申请日：2015-07-30

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： RHEE, Junghwan ,  FU, Yangchun ,  WU, Zhenyu ,  ZHANG, Hui ,  LI, Zhichun ,  JIANG, Guofei

IPC: G06F21/56 ,  G06F21/50

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 一种或多种应用中用于检测和预防面向对象编程（ROP）攻击的系统和方法，包括攻击检测设备和堆栈检测设备，用于执行堆栈检测以检测堆栈中的ROP小部件。 堆栈检查包括从堆叠顶部的堆叠框架朝向堆叠的底部行进的栈以检测一个或多个故障条件，确定是否存在有效的堆栈帧和返回代码地址; 并且如果不存在有效的堆栈帧和返回码，则确定故障条件类型，其中III型故障条件指示ROP攻击。 使用遏制设备包含ROP攻击，并且使用攻击分析设备来分析ROP攻击期间在堆栈中检测到的ROP小部件。

公开(公告)号：WO2015021248A1

公开(公告)日：2015-02-12

申请号：PCT/US2014/050097

申请日：2014-08-07

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ARORA, Nipun ,  ZHANG, Hui ,  LUMEZANU, Cristian ,  RHEE, Junghwan ,  JIANG, Guofei ,  LU, Hui

IPC: H04L12/24 ,  H04L12/64

CPC classification number: H04L41/082 ,  H04L12/4675 ,  H04L41/0226 ,  H04L41/0803 ,  H04L41/12 ,  H04L41/20

Abstract: Method and systems for controlling a hybrid network having software-defined network (SDN) switches and legacy switches include initializing a hybrid network topology by retrieving information on a physical and virtual infrastructure of the hybrid network; generating a path between two nodes on the hybrid network based on the physical and virtual infrastructure of the hybrid network; generating a virtual local area network by issuing remote procedure call instructions to legacy switches in accordance with a network configuration request; and generating an SDN network slice by issuing SDN commands to SDN switches in accordance with the network configuration request.

Abstract translation: 用于控制具有软件定义网络（SDN）交换机和传统交换机的混合网络的方法和系统包括通过检索混合网络的物理和虚拟基础设施上的信息来初始化混合网络拓扑; 基于混合网络的物理和虚拟基础设施，在混合网络上生成两个节点之间的路径; 通过根据网络配置请求向传统交换机发出远程过程呼叫指令来生成虚拟局域网; 以及根据网络配置请求向SDN交换机发出SDN命令来生成SDN网络切片。

公开(公告)号：WO2009058412A1

公开(公告)日：2009-05-07

申请号：PCT/US2008/055896

申请日：2008-03-05

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： CHEN, Haifeng ,  JIANG, Guofei ,  YOSHIHIRA, Kenji ,  ZHANG, Hui ,  MENG, Xiaoqiao

IPC: G06F17/00 ,  G06F19/00

CPC classification number: G06F9/44505 ,  G06F11/3409 ,  G06F11/3447 ,  G06F11/3452 ,  G06F2201/885

Abstract: A system and method for optimizing system performance includes applying (160) sampling based optimization to identify optimal configurations of a computing system by selecting (162) a number of configuration samples and evaluating (166) system performance based on the samples. Based on feedback of evaluated samples, a location of an optimal configuration is inferred (170). Additional samples are generated (176) towards the location of the inferred optimal configuration to further optimize a system configuration.

Abstract translation: 用于优化系统性能的系统和方法包括通过基于样本选择（162）多个配置样本和评估（166）系统性能来应用（160）基于抽样的优化来识别计算系统的最佳配置。 基于评估样本的反馈，推断最佳配置的位置（170）。 生成附加样本（176）朝向推断的最佳配置的位置，以进一步优化系统配置。