Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.
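The following is an added illustration of the three-part tendency model and the kill-chain extraction described above; it is not code from the patent. The baseline profile, event stream, weights, decay factor and anomaly threshold are constructed assumptions, and the graph rule (link two anomalous events when the later one shares a process or a target with the earlier one) is one plausible reading of "event correlation graph", not the patent's definition.

```python
# Constructed baseline profile: historical counts of (process, target) accesses.
# All numbers, weights and the threshold below are illustrative assumptions.
BASELINE = {
    ("sshd", "/var/log/auth.log"): 120,
    ("sshd", "/etc/passwd"): 40,
    ("bash", "/home/alice/.bash_history"): 30,
    ("cron", "/etc/crontab"): 50,
}

# Constructed stream of monitored events: (timestamp, process, target).
EVENTS = [
    (1, "sshd", "/var/log/auth.log"),
    (2, "sshd", "/home/alice/.ssh/authorized_keys"),
    (3, "bash", "/home/alice/.ssh/authorized_keys"),
    (4, "bash", "/tmp/.x"),
    (5, "cron", "/etc/crontab"),
    (6, "python3", "/tmp/.x"),
    (7, "python3", "203.0.113.7:4444"),
]


def tendency(proc, target, history, baseline=BASELINE,
             w_self=0.05, w_other=0.03, decay=0.5):
    """Tendency of `proc` to access `target`, as the sum of three terms:
    innate rate from the baseline profile, influence of the process's own
    earlier accesses to the target, and influence of other processes that
    touched the same target. Older events are down-weighted geometrically."""
    total = sum(baseline.values())
    innate = baseline.get((proc, target), 0) / total
    own = other = 0.0
    for age, (_, p, t) in enumerate(reversed(history)):
        if t != target:
            continue
        w = decay ** age
        if p == proc:
            own += w
        else:
            other += w
    return innate + w_self * own + w_other * other


def detect_anomalies(events, threshold=0.1):
    """An event is anomalous when the tendency for it was below the threshold
    at the moment it happened (only earlier events count as history)."""
    return [(ts, p, t) for i, (ts, p, t) in enumerate(events)
            if tendency(p, t, events[:i]) < threshold]


def correlation_graph(anomalous):
    """Directed edge from an earlier anomalous event to a later one when they
    share the process or the target (assumed correlation rule)."""
    graph = {e: [] for e in anomalous}
    for i, a in enumerate(anomalous):
        for b in anomalous[i + 1:]:
            if a[1] == b[1] or a[2] == b[2]:
                graph[a].append(b)
    return graph


def kill_chains(events, threshold=0.1):
    """Kill chains are the maximal time-ordered paths through the correlation
    graph, starting at events with no predecessor. Returned as timestamp lists."""
    graph = correlation_graph(detect_anomalies(events, threshold))
    has_pred = {b for succ in graph.values() for b in succ}
    chains = []

    def walk(node, path):
        if not graph[node]:
            chains.append([e[0] for e in path])
            return
        for nxt in graph[node]:
            walk(nxt, path + [nxt])

    for src in graph:
        if src not in has_pred:
            walk(src, [src])
    return chains


if __name__ == "__main__":
    for chain in kill_chains(EVENTS):
        print("kill chain over events:", chain)
```

In the constructed stream the routine log write and the cron job score high enough to be ignored, while the key-file tampering, the staged file in /tmp and the outbound connection link up into a single chain 2 → 3 → 4 → 6 → 7. A security management action would then act on the processes and targets named in that chain rather than on each isolated alert.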
Abstract:
A method is provided for root cause anomaly detection in an invariant network having a plurality of nodes that generate time series data. The method includes modeling anomaly propagation in the network. The method includes reconstructing broken invariant links in an invariant graph based on causal anomaly ranking vectors. Each broken invariant link involves a respective node pair formed from the plurality of nodes such that one of the nodes in the respective node pair has an anomaly. Each causal anomaly ranking vector indicates a respective node anomaly status for a given one of the plurality of nodes when it is paired. The method includes calculating a sparse penalty on the causal anomaly ranking vectors to obtain a set of time-dependent anomaly rankings. The method includes performing temporal smoothing of the set of rankings, and controlling an anomaly-initiating one of the plurality of nodes based on the set of rankings.
Abstract:
Systems and a method are provided. A system includes a Temporal Behavior Query Language (TBQL) server having a processor and a memory operably coupled to the processor. The TBQL server is configured to construct a TBQL query using a grammar inference technique based on syntactic sugar to expedite query construction. The TBQL server is further configured to execute the TBQL query to generate TBQL query results.
Abstract:
Systems and methods are disclosed for detecting periodic event behaviors from machine generated logging by: capturing heterogeneous log messages, each log message including a time stamp and text content with one or more fields; recognizing log formats from log messages; transforming the text content into a set of time series data, one time series for each log format; during a training phase, analyzing the set of time series data and building a category model for each periodic event type in heterogeneous logs; and during live operation, applying the category model to a stream of time series data from live heterogeneous log messages and generating a flag on a time series data point violating the category model and generating an alarm report for the corresponding log message.
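The pipeline above (format recognition, one time series per format, a training phase that learns a period, and a live phase that flags violations) is illustrated by the added example below. It is not the patent's code: the log line format (epoch seconds followed by the message), the masking rules used to recognise formats, the period model (median inter-arrival gap with a relative tolerance) and the sample log lines are all constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed line format: "<epoch_seconds> <message>". Real syslog/journal
# timestamps would need a date parser, which is omitted here by assumption.
LINE_RE = re.compile(r"^(\d+)\s+(.*)$")

# Masks applied in order to turn a message into its format; usernames and
# hostnames are deliberately left alone, which is a simplification.
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<HEX>"),
    (re.compile(r"\b\d+\b"), "<NUM>"),
]

# Constructed training and live logs: a backup cron job that runs every 60 s.
TRAIN_LOGS = """\
0 cron[101]: (root) CMD (/usr/bin/backup.sh)
5 sshd[200]: Accepted publickey for alice from 10.0.0.5 port 51234
60 cron[102]: (root) CMD (/usr/bin/backup.sh)
120 cron[103]: (root) CMD (/usr/bin/backup.sh)
180 cron[104]: (root) CMD (/usr/bin/backup.sh)
240 cron[105]: (root) CMD (/usr/bin/backup.sh)
300 cron[106]: (root) CMD (/usr/bin/backup.sh)
"""
LIVE_LOGS = """\
360 cron[107]: (root) CMD (/usr/bin/backup.sh)
420 cron[108]: (root) CMD (/usr/bin/backup.sh)
437 cron[109]: (root) CMD (/usr/bin/backup.sh)
600 cron[110]: (root) CMD (/usr/bin/backup.sh)
610 sshd[201]: Accepted publickey for bob from 10.0.0.9 port 40000
"""


def log_format(text):
    """Recognise the log format of a message by masking its variable fields."""
    for rx, token in MASKS:
        text = rx.sub(token, text)
    return text


def parse(lines):
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), log_format(m.group(2))


def to_time_series(lines):
    """One time series (sorted list of timestamps) per recognised log format."""
    series = defaultdict(list)
    for ts, fmt in parse(lines):
        series[fmt].append(ts)
    return {fmt: sorted(ts) for fmt, ts in series.items()}


def train(lines, min_events=3, rel_tol=0.1):
    """Category model per periodic format: (period, phase, tolerance). A format
    is periodic when every inter-arrival gap is within rel_tol of the median."""
    model = {}
    for fmt, ts in to_time_series(lines).items():
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = statistics.median(gaps)
        tol = rel_tol * period
        if all(abs(g - period) <= tol for g in gaps):
            model[fmt] = (period, ts[0] % period, tol)
    return model


def monitor(model, live_lines):
    """Apply the model to a live stream. Returns alarms (ts, format, reason):
    an event that is off the learned schedule, or expected events that never came."""
    alarms, last_seen = [], {}
    for ts, fmt in parse(live_lines):
        if fmt not in model:
            continue
        period, phase, tol = model[fmt]
        residual = (ts - phase) % period
        off = min(residual, period - residual)
        if off > tol:
            alarms.append((ts, fmt, f"off-schedule by {off} s"))
        if fmt in last_seen:
            missed = round((ts - last_seen[fmt]) / period) - 1
            if missed > 0:
                alarms.append((ts, fmt, f"{missed} expected occurrence(s) missing"))
        last_seen[fmt] = ts
    return alarms


if __name__ == "__main__":
    for alarm in monitor(train(TRAIN_LOGS), LIVE_LOGS):
        print(alarm)
```

On the constructed input the ssh login is seen too rarely to become a periodic category, the 437 s cron run is flagged as 17 s off schedule, and the 600 s run reveals two missing executions, which is exactly the kind of gap a disabled or tampered scheduled job produces.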
Abstract:
Systems and methods are provided for optimizing system output in production systems. The method includes separating, by a processor, one or more initial input variables into a plurality of output variables, the output variables including environmental variables and system response variables. The method also includes building, using the processor, a nonparametric estimation that determines a relationship between one or more initial control variables and the system response variables, and estimating a global input-output mapping function using the determined relationship and a range of the environmental variables. The method further includes generating one or more optimal control variables from the initial control variables by maximizing the input-output mapping function over the range of the environmental variables. The method additionally includes incorporating one or more of the optimal control variables into a production system to increase production output of the production system.
Abstract:
Systems and methods are provided for acquiring data from an input signal using multitask regression. The method includes: receiving the input signal, the input signal including data that includes a plurality of features; determining at least two computational tasks to analyze within the input signal; regularizing all of the at least two tasks using shared adaptive weights; performing a multitask regression on the input signal to create a solution path for all of the at least two tasks, wherein the multitask regression includes updating a model coefficient and a regularization weight together under an equality norm constraint until convergence is reached, and updating the model coefficient and regularization weight together under an updated equality norm constraint that has a greater l1-penalty than the previous equality norm constraint until convergence is reached; selecting a sparse model from the solution path; constructing an image using the sparse model; and displaying the image.
Abstract:
Systems and methods are provided for managing components of physical systems, including decomposing a raw time series by extracting an aging trend and a fluctuation term from the time series using the objective function of an optimization problem, the objective function minimizing reconstruction error and ensuring flatness of the fluctuation term over time. The optimization problem is transformed into a Quadratic Programming (QP) formulation including a monotonicity constraint and a non-negativity constraint, the constraints being merged together to reduce computational cost. An aging score and a confidence score are generated for the extracted aging trend to determine the severity of aging for one or more components of the physical system, and the aging score and confidence score are fused to provide a fused ranking for the extracted aging trend for predicting future failures of the components.
Abstract:
A computer-implemented method for network monitoring includes providing network packet event characterization and analysis that supports summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including trace slicing to organize individual packet events into path-based trace slices, trace characterization to extract at least two types of feature matrix describing those trace slices, and trace analysis to cluster, rank and query packet traces based on metrics of the feature matrices.
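As an added example (not the patent's implementation), the three stages named above are carried out on a constructed packet-event trace: slicing events into per-flow path slices, extracting two feature matrices (per-element hop latency and per-element-type counts), and then clustering, ranking and querying the slices. The event tuple layout, the element types and the choice of features are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed packet events captured at virtual processing elements:
# (timestamp_ms, flow_id, element, element_type). Flow f3 stalls at the firewall.
TRACE = [
    (0, "f1", "vnic-a", "nic"), (2, "f1", "vsw1", "vswitch"),
    (9, "f1", "fw1", "firewall"), (11, "f1", "vnic-b", "nic"),
    (1, "f2", "vnic-a", "nic"), (3, "f2", "vsw1", "vswitch"),
    (4, "f2", "vnic-c", "nic"),
    (5, "f3", "vnic-d", "nic"), (6, "f3", "vsw2", "vswitch"),
    (40, "f3", "fw1", "firewall"), (41, "f3", "vnic-b", "nic"),
]


def slice_traces(events):
    """Trace slicing: group events by flow into time-ordered path slices."""
    slices = defaultdict(list)
    for ev in sorted(events):
        slices[ev[1]].append(ev)
    return dict(slices)


def characterize(slices):
    """Trace characterization: two feature matrices keyed by slice.
    latency[flow][element] = time the packet spent at that element before the
    next hop; counts[flow][element_type] = number of elements of that type."""
    latency, counts = {}, {}
    for fid, evs in slices.items():
        latency[fid] = {el: t1 - t0
                        for (t0, _, el, _), (t1, *_rest) in zip(evs, evs[1:])}
        c = defaultdict(int)
        for _, _, _, typ in evs:
            c[typ] += 1
        counts[fid] = dict(c)
    return latency, counts


def rank_by_latency(latency):
    """Rank slices by total end-to-end latency, slowest first."""
    return sorted(latency, key=lambda f: -sum(latency[f].values()))


def cluster_by_path(slices):
    """Cluster slices that traversed the same sequence of element types."""
    groups = defaultdict(list)
    for fid, evs in slices.items():
        groups[tuple(e[3] for e in evs)].append(fid)
    return dict(groups)


def query(slices, element):
    """Query: which slices passed through a given processing element."""
    return [f for f, evs in slices.items() if any(e[2] == element for e in evs)]


if __name__ == "__main__":
    s = slice_traces(TRACE)
    lat, cnt = characterize(s)
    print("slowest flows:", rank_by_latency(lat))
    print("flows through fw1:", query(s, "fw1"))
    print("path clusters:", cluster_by_path(s))
```

Ranking by the latency matrix immediately surfaces f3, and the query shows that both f1 and f3 crossed fw1 while only f3 stalled there, which localises the problem to how fw1 treated that particular flow rather than to the firewall as a whole.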
Abstract:
Methods and systems for finding a packet's routing path in a network include intercepting control messages sent by a controller to one or more switches in a software-defined network (SDN). A state of the SDN at a requested time is emulated, and one or more possible routing paths through the emulated SDN are identified by replaying the intercepted control messages to one or more emulated switches in the emulated SDN. The one or more possible routing paths correspond to a requested packet injected into the SDN at the requested time.
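The replay-and-inject procedure above is shown in the added example below, which is not the patent's code. Intercepted control messages are modelled as simplified OpenFlow flow_mod records (add, and strict delete of one exact priority/match entry), the topology and the message log are constructed, and matching ignores ingress port and masks. One point the emulation has to respect, which is how "one or more possible paths" arises here: when several entries of the same highest priority match, OpenFlow leaves the choice undefined, so the emulator branches over all of them instead of guessing.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowMod:
    """An intercepted controller-to-switch update (simplified OpenFlow flow_mod)."""
    ts: int
    switch: str
    command: str      # "add" or "delete_strict"
    priority: int
    match: tuple      # sorted ((field, value), ...)
    out_ports: tuple  # output ports; an empty tuple means drop


def match(**fields):
    return tuple(sorted(fields.items()))


# Constructed topology: (switch, port) -> (peer, peer_port). h1/h2 are hosts.
LINKS = {
    ("s1", 1): ("h1", 0), ("s1", 2): ("s2", 1), ("s1", 3): ("s3", 1),
    ("s2", 2): ("s4", 1), ("s3", 2): ("s4", 2), ("s4", 3): ("h2", 0),
}
HOSTS = {"h1", "h2"}

# Constructed intercepted control messages: a default path s1-s2-s4 at t=10,
# TCP/443 rerouted via s3 at t=50, and the reroute withdrawn at t=90.
CONTROL_MESSAGES = [
    FlowMod(10, "s1", "add", 10, match(ip_dst="10.0.2.2"), (2,)),
    FlowMod(10, "s2", "add", 10, match(ip_dst="10.0.2.2"), (2,)),
    FlowMod(10, "s4", "add", 10, match(ip_dst="10.0.2.2"), (3,)),
    FlowMod(50, "s1", "add", 20, match(ip_dst="10.0.2.2", tcp_dst=443), (3,)),
    FlowMod(50, "s3", "add", 10, match(ip_dst="10.0.2.2"), (2,)),
    FlowMod(90, "s1", "delete_strict", 20, match(ip_dst="10.0.2.2", tcp_dst=443), ()),
]


def emulate(messages, at_time):
    """Replay every control message with ts <= at_time into per-switch flow
    tables. An add with the same priority and match replaces the old entry."""
    tables = defaultdict(list)
    for fm in sorted(messages, key=lambda f: f.ts):
        if fm.ts > at_time:
            break
        table = [r for r in tables[fm.switch]
                 if (r.priority, r.match) != (fm.priority, fm.match)]
        if fm.command == "add":
            table.append(fm)
        elif fm.command != "delete_strict":
            raise ValueError(f"unknown command {fm.command}")
        tables[fm.switch] = table
    return tables


def matches(rule_match, packet):
    return all(packet.get(k) == v for k, v in rule_match)


def routing_paths(messages, packet, ingress, at_time, links=LINKS, hosts=HOSTS):
    """Inject `packet` at `ingress` into the SDN state emulated for `at_time`
    and return every possible path (ending in a host, "DROP" or "LOOP")."""
    tables = emulate(messages, at_time)
    paths = []

    def walk(node, path):
        if node in hosts:
            paths.append(path + [node])
            return
        if node in path:
            paths.append(path + [node, "LOOP"])
            return
        path = path + [node]
        hits = [r for r in tables.get(node, []) if matches(r.match, packet)]
        if not hits:
            paths.append(path + ["DROP"])
            return
        top = max(r.priority for r in hits)
        for rule in hits:           # branch over all top-priority entries
            if rule.priority != top:
                continue
            if not rule.out_ports:
                paths.append(path + ["DROP"])
            for port in rule.out_ports:
                peer = links.get((node, port))
                if peer is None:
                    paths.append(path + ["DROP"])
                else:
                    walk(peer[0], path)

    walk(ingress, [])
    return paths


if __name__ == "__main__":
    pkt = {"ip_dst": "10.0.2.2", "tcp_dst": 443}
    for t in (5, 20, 60, 100):
        print(f"t={t}:", routing_paths(CONTROL_MESSAGES, pkt, "s1", t))
```

Asking about the same HTTPS packet at t=20, t=60 and t=100 yields three different answers (default path, rerouted path, default path again), which is what makes replaying the intercepted messages up to the requested time, rather than querying the switches' current tables, necessary for after-the-fact investigation.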