公开(公告)号：WO2017142692A1

公开(公告)日：2017-08-24

申请号：PCT/US2017/015267

申请日：2017-01-27

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： WU, Zhenyu ,  LI, Zhichun ,  RHEE, Junghwan ,  XU, Fengyuan ,  JIANG, Guofei ,  JEE, Kangkook ,  XIAO, Xusheng ,  XU, Zhang

IPC: G06F11/30 ,  G06F21/56

CPC classification number: G06F11/30 ,  G06F21/552

Abstract: Methods and systems for dependency tracking include identifying a hot process that generates bursts of events with interleaved dependencies. Events related to the hot process are aggregated according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process. Causality in a reduced event stream that comprises the aggregated events is tracked.

Abstract translation: 用于依赖关系跟踪的方法和系统包括识别产生具有交织相依性的事件突发的热进程。 与热进程相关的事件根据以进程为中心的依赖近似进行聚合，忽略与热进程相关的事件之间的依赖关系。 跟踪包含汇总事件的简化事件流中的因果关系。

公开(公告)号：WO2017087591A1

公开(公告)日：2017-05-26

申请号：PCT/US2016/062397

申请日：2016-11-17

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XU, Jianwu ,  ZHANG, Hui ,  ARORA, Nipun ,  DEBNATH, Biplob ,  JIANG, Guofei

IPC: G06F11/34

CPC classification number: G06F11/3612 ,  G06F11/0706 ,  G06F11/0766 ,  G06F11/3636

Abstract: Systems and methods are disclosed for handling log data from one or more applications, sensors or instruments by receiving heterogeneous logs from arbitrary/unknown systems or applications; generating regular expression patterns from the heterogeneous log sources using machine learning and extracting a log pattern therefrom; generating models and profiles from training logs based on different conditions and updating a global model database storing all models generated over time; tokenizing raw log messages from one or more applications, sensors or instruments running a production system; transforming incoming tokenized streams are into data-objects for anomaly detection and forwarding of log messages to various anomaly detectors; and generating an anomaly alert from the one or more applications, sensors or instruments running a production system.

Abstract translation: 公开了用于通过从任意/未知系统或应用接收异构日志来处理来自一个或多个应用，传感器或仪器的日志数据的系统和方法; 使用机器学习从异构日志源生成正则表达式模式并从中提取日志模式; 根据不同的条件从训练日志生成模型和配置文件，并更新存储随时间生成的所有模型的全局模型数据库; 标记来自运行生产系统的一个或多个应用程序，传感器或仪器的原始日志消息; 将输入的标记化流转换成用于异常检测和将日志消息转发到各种异常检测器的数据对象; 并从运行生产系统的一个或多个应用程序，传感器或仪器生成异常警报。

公开(公告)号：WO2017083006A1

公开(公告)日：2017-05-18

申请号：PCT/US2016/051872

申请日：2016-09-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ZHANG, Hui ,  JIANG, Guofei ,  RHEE, Junghwan ,  ARORA, Nipun

IPC: G06F9/54

CPC classification number: G06F9/542 ,  G06F9/44505 ,  G06F11/3404 ,  G06F11/3466

Abstract: Methods and systems for profiling requests include generating request units (202) based on collected kernel events that include complete request units and half-open request units. The generated request units are sequenced (204) based on a causality relationship set that describes causality relationships between kernel events.

Abstract translation: 用于分析请求的方法和系统包括基于收集的内核事件生成请求单元（202），所述内核事件包括完整请求单元和半开放请求单元。 基于描述内核事件之间的因果关系的因果关系集对所生成的请求单元排序（204）。

公开(公告)号：WO2017074595A1

公开(公告)日：2017-05-04

申请号：PCT/US2016/051865

申请日：2016-09-15

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： XU, Qiang ,  LUMEZANU, Cristian ,  JIN, Cheng ,  BAEK, Hyun-Wook ,  JIANG, Guofei

IPC: H04L12/801

CPC classification number: H04L43/0882 ,  H04L41/0823 ,  H04L41/14 ,  H04L43/0823 ,  H04L45/22 ,  H04L45/54 ,  H04L45/70 ,  H04L47/22

Abstract: Methods and systems for network management include performing (304) path regression to determine an end-to-end path across physical links for each data flow in a network. A per-flow utilization of each physical link in the network is estimated (314) based on the determined end-to-end paths. A management action is performed (316) in the network based on the estimated per-flow utilization.

Abstract translation: 用于网络管理的方法和系统包括执行（304）路径回归以确定网络中每个数据流的物理链路之间的端到端路径。 基于所确定的端到端路径来估计（314）网络中的每个物理链路的每流利用率。 基于估计的每流利用率，在网络中执行（316）管理动作。

公开(公告)号：WO2016019104A1

公开(公告)日：2016-02-04

申请号：PCT/US2015/042824

申请日：2015-07-30

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： RHEE, Junghwan ,  FU, Yangchun ,  WU, Zhenyu ,  ZHANG, Hui ,  LI, Zhichun ,  JIANG, Guofei

IPC: G06F21/56 ,  G06F21/50

CPC classification number: G06F21/52 ,  G06F21/554 ,  G06F21/60 ,  G06F2221/033

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract translation: 一种或多种应用中用于检测和预防面向对象编程（ROP）攻击的系统和方法，包括攻击检测设备和堆栈检测设备，用于执行堆栈检测以检测堆栈中的ROP小部件。 堆栈检查包括从堆叠顶部的堆叠框架朝向堆叠的底部行进的栈以检测一个或多个故障条件，确定是否存在有效的堆栈帧和返回代码地址; 并且如果不存在有效的堆栈帧和返回码，则确定故障条件类型，其中III型故障条件指示ROP攻击。 使用遏制设备包含ROP攻击，并且使用攻击分析设备来分析ROP攻击期间在堆栈中检测到的ROP小部件。

公开(公告)号：WO2015023617A1

公开(公告)日：2015-02-19

申请号：PCT/US2014/050615

申请日：2014-08-12

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： LUMEZANU, Cristian ,  ZANFIS, Kyriakos ,  JIANG, Guofei

IPC: H04L12/26 ,  H04L12/24

CPC classification number: H04L43/04 ,  H04L41/046 ,  H04L41/147 ,  H04L43/026

Abstract: Systems and methods for network management, including adaptively installing one or more monitoring rules in one or more network devices on a network using an intelligent network middleware, detecting application traffic on the network transparently using an application demand monitor, and predicting future network demands of the network by analyzing historical and current demands. The one or more monitoring rules are updated once counters are collected; and network paths are determined and optimized to meet network demands and maximize utilization and application performance with minimal congestion on the network.

Abstract translation: 网络管理系统和方法，包括使用智能网络中间件在网络上的一个或多个网络设备中自适应地安装一个或多个监控规则，使用应用需求监控器透明地检测网络上的应用流量，以及预测未来网络需求 分析历史和当前需求的网络。 收集计数器后，更新一个或多个监控规则; 并确定和优化网络路径以满足网络需求并最大程度地利用和应用性能，同时网络拥塞最小。

公开(公告)号：WO2015021248A1

公开(公告)日：2015-02-12

申请号：PCT/US2014/050097

申请日：2014-08-07

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： ARORA, Nipun ,  ZHANG, Hui ,  LUMEZANU, Cristian ,  RHEE, Junghwan ,  JIANG, Guofei ,  LU, Hui

IPC: H04L12/24 ,  H04L12/64

CPC classification number: H04L41/082 ,  H04L12/4675 ,  H04L41/0226 ,  H04L41/0803 ,  H04L41/12 ,  H04L41/20

Abstract: Method and systems for controlling a hybrid network having software-defined network (SDN) switches and legacy switches include initializing a hybrid network topology by retrieving information on a physical and virtual infrastructure of the hybrid network; generating a path between two nodes on the hybrid network based on the physical and virtual infrastructure of the hybrid network; generating a virtual local area network by issuing remote procedure call instructions to legacy switches in accordance with a network configuration request; and generating an SDN network slice by issuing SDN commands to SDN switches in accordance with the network configuration request.

Abstract translation: 用于控制具有软件定义网络（SDN）交换机和传统交换机的混合网络的方法和系统包括通过检索混合网络的物理和虚拟基础设施上的信息来初始化混合网络拓扑; 基于混合网络的物理和虚拟基础设施，在混合网络上生成两个节点之间的路径; 通过根据网络配置请求向传统交换机发出远程过程呼叫指令来生成虚拟局域网; 以及根据网络配置请求向SDN交换机发出SDN命令来生成SDN网络切片。

公开(公告)号：WO2013106386A2

公开(公告)日：2013-07-18

申请号：PCT/US2013/020765

申请日：2013-01-09

Applicant: NEC LABORATORIES AMERICA, Inc.

Inventor： LUMEZANU, Cristian ,  JIANG, Guofei ,  ZHANG, Yueping ,  SINGH, Vishal ,  WANG, Ye

IPC: H04L12/26

CPC classification number: H04L47/12 ,  H04L43/026 ,  H04L43/16 ,  H04L47/2441 ,  H04L47/41 ,  H04L63/1425 ,  Y02D50/30

Abstract: A device used in a network is disclosed. The device includes a network monitor to monitor a network state and to collect statistics for flows going through the network, a flow aggregation unit to aggregate flows into clusters and identify flows that can cause a network problem, and an adaptive control unit to adaptively regulate the identified flow according to network feedback. Other methods and systems also are disclosed.

Abstract translation: 公开了在网络中使用的设备。 该设备包括：网络监控器，用于监控网络状态并收集流经网络的流量的统计数据;流量聚合单元，用于将流量聚合到群集中并识别可引起网络问题的流量;自适应控制单元，用于自适应地调节 根据网络反馈识别流量。 其他方法和系统也被公开。

公开(公告)号：WO2009058412A1

公开(公告)日：2009-05-07

申请号：PCT/US2008/055896

申请日：2008-03-05

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： CHEN, Haifeng ,  JIANG, Guofei ,  YOSHIHIRA, Kenji ,  ZHANG, Hui ,  MENG, Xiaoqiao

IPC: G06F17/00 ,  G06F19/00

CPC classification number: G06F9/44505 ,  G06F11/3409 ,  G06F11/3447 ,  G06F11/3452 ,  G06F2201/885

Abstract: A system and method for optimizing system performance includes applying (160) sampling based optimization to identify optimal configurations of a computing system by selecting (162) a number of configuration samples and evaluating (166) system performance based on the samples. Based on feedback of evaluated samples, a location of an optimal configuration is inferred (170). Additional samples are generated (176) towards the location of the inferred optimal configuration to further optimize a system configuration.

Abstract translation: 用于优化系统性能的系统和方法包括通过基于样本选择（162）多个配置样本和评估（166）系统性能来应用（160）基于抽样的优化来识别计算系统的最佳配置。 基于评估样本的反馈，推断最佳配置的位置（170）。 生成附加样本（176）朝向推断的最佳配置的位置，以进一步优化系统配置。

公开(公告)号：WO2018071356A1

公开(公告)日：2018-04-19

申请号：PCT/US2017/055826

申请日：2017-10-10

Applicant: NEC LABORATORIES AMERICA, INC.

Inventor： TANG, LuAn ,  ZHANG, Hengtong ,  CHEN, Zhengzhang ,  ZONG, Bo ,  LI, Zhichun ,  JIANG, Guofei ,  YOSHIHIRA, Kenji

IPC: G06F21/55 ,  G06F21/60

CPC classification number: G06F21/554 ,  G06F21/55 ,  G06F21/60

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated (310) that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.

Abstract translation: 用于检测异常事件的方法和系统包括检测所监视的系统数据中的异常事件（42,43）。 基于监视的系统数据生成（302）事件关联图，表征过程访问系统目标的倾向。 通过根据恶意值对事件进行排序并确定事件相关内的至少一个子图，产生（310）从事件关联图中连接恶意事件的杀死链（310），所述事件关联图随时间表征攻击路径中的事件 图表具有高于阈值的恶意级别。 基于杀链来执行安全管理操作（412）。