Abstract:
A method is provided that includes transforming training data into a neural-network-based learning model using a set of temporal graphs derived from the training data. The method includes performing model learning on the learning model by automatically adjusting learning-model parameters, based on the set of temporal graphs, to minimize the differences between a predetermined ground-truth ranking list and the ranking list output by the learning model. The method includes transforming testing data into a neural-network-based inference model using another set of temporal graphs derived from the testing data. The method includes performing model inference by applying the inference and learning models to the test data to extract context features for alerts in the test data and to calculate a ranking list for the alerts based on the extracted context features. Top-ranked alerts are identified as critical alerts. Each alert represents an anomaly in the test data.
Abstract:
Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined (306) between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined (308) based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked (310) based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action (614) is performed based on the ranked alerts.
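An added illustration of the ranking idea in the two abstracts above (example code written for this page, not the patented systems): alert types are split into time-windowed sequences, a prefix tree over those sequences yields the probability that one alert type directly follows another (the temporal dependency), alerts that share a host or a process are adjacent in a content graph whose shortest-path distance discounts the dependency (the content dependency), and each alert is scored by the dependencies it shares with the others. The alert stream, the 60-second window, the shared-host/process adjacency rule and the one-pass score used in place of the patents' optimization problem are all assumptions made for the example.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample alert stream (not real detector output):
# (timestamp in seconds, alert type, host, process)
ALERTS = [
    (100, "port_scan",   "h1", "nmap"),
    (105, "brute_force", "h1", "sshd"),
    (110, "new_user",    "h1", "useradd"),
    (120, "port_scan",   "h2", "nmap"),
    (125, "brute_force", "h2", "sshd"),
    (300, "disk_full",   "h3", "logrotate"),
    (400, "new_user",    "h1", "useradd"),
    (405, "privesc",     "h1", "sudo"),
]
WINDOW = 60  # assumed: a gap longer than this starts a new alert sequence


def sequences(alerts, window=WINDOW):
    """Split the time-ordered stream into sequences of alert types."""
    seqs, cur, last = [], [], None
    for ts, kind, _, _ in sorted(alerts):
        if last is not None and ts - last > window:
            seqs.append(cur)
            cur = []
        cur.append(kind)
        last = ts
    if cur:
        seqs.append(cur)
    return seqs


def build_prefix_tree(seqs):
    """Prefix tree over alert-type sequences; each node counts its visits."""
    root = {"count": 0, "children": {}}
    for seq in seqs:
        node = root
        for kind in seq:
            node = node["children"].setdefault(kind, {"count": 0, "children": {}})
            node["count"] += 1
    return root


def temporal_dependencies(root):
    """Estimate P(b directly follows a) from prefix-tree node counts."""
    count_a, count_ab = defaultdict(int), defaultdict(int)
    stack = [root]
    while stack:
        node = stack.pop()
        for a, child in node["children"].items():
            count_a[a] += child["count"]
            for b, grandchild in child["children"].items():
                count_ab[(a, b)] += grandchild["count"]
            stack.append(child)
    return {ab: n / count_a[ab[0]] for ab, n in count_ab.items()}


def content_distances(alerts):
    """Shortest-path distances in the alert graph, where two alerts are
    adjacent when they share a host or a process (assumed content rule)."""
    n = len(alerts)
    adj = defaultdict(set)
    for i, j in combinations(range(n), 2):
        if alerts[i][2] == alerts[j][2] or alerts[i][3] == alerts[j][3]:
            adj[i].add(j)
            adj[j].add(i)
    dist = {}
    for s in range(n):
        seen, queue = {s: 0}, deque([s])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in seen:
                    seen[v] = seen[u] + 1
                    queue.append(v)
        dist[s] = seen
    return dist


def rank_alerts(alerts, window=WINDOW):
    """Score each alert by the temporal dependency it shares with every
    reachable alert, discounted by content distance; highest score first."""
    alerts = sorted(alerts)
    dep = temporal_dependencies(build_prefix_tree(sequences(alerts, window)))
    dist = content_distances(alerts)
    score = [0.0] * len(alerts)
    for i, j in combinations(range(len(alerts)), 2):   # alert i precedes j
        d = dist[i].get(j)
        if d:   # None when the alerts are not connected in the content graph
            w = dep.get((alerts[i][1], alerts[j][1]), 0.0) / d
            score[i] += w
            score[j] += w
    order = sorted(range(len(alerts)), key=lambda k: (-score[k], alerts[k][0]))
    return [(score[k], alerts[k]) for k in order]


if __name__ == "__main__":
    for s, (ts, kind, host, proc) in rank_alerts(ALERTS):
        print(f"{s:.2f}  t={ts}  {kind:12s} {host} {proc}")
```

On the constructed stream the brute-force alert on h1 ranks first because it both follows a port scan and precedes account creation on the same host, while the isolated disk-full alert shares no temporal or content dependency with anything and scores zero.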
Abstract:
A heterogeneous log pattern editing recommendation system and computer-implemented method are provided. The system (600) has a processor (605) configured to identify, from heterogeneous logs, patterns including variable fields and constant fields. The processor (605) is also configured to extract a category feature, a cardinality feature, and a before-after n-gram feature by tokenizing the variable fields in the identified patterns. The processor (605) is additionally configured to generate target similarity scores between target fields to be potentially edited and other fields from among the variable fields in the heterogeneous logs using pattern editing operations based on the extracted category feature, the extracted cardinality feature, and the extracted before-after n-gram feature. The processor (605) is further configured to recommend, to a user, log pattern edits for at least one of the target fields based on the target similarity scores between the target fields in the heterogeneous logs.
Abstract:
Systems and methods are disclosed for parsing logs from arbitrary or unknown systems or applications by capturing heterogeneous logs from the arbitrary or unknown systems or applications; generating one pattern for every unique log message; building a pattern hierarchy tree by grouping patterns based on similarity metrics and generating, for every group, one pattern by combining all constituent patterns of that group; and selecting a set of patterns from the pattern hierarchy tree.
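An added example of the three steps in the abstract above (example code written for this page, not the patented parser): one pattern per unique message, obtained by replacing tokens of a recognised value type with placeholders; a bottom-up hierarchy in which each level groups the previous level's patterns by positional token similarity and replaces each group with a merged pattern whose disagreeing positions become wildcards; and selection of the most specific level that fits a pattern budget. The token rules, the similarity thresholds, the "compare against the group's first member" grouping and the sshd-style log lines are all constructed for the example.

```python
import re

# Assumed token rules: a token matching the regex becomes the placeholder.
TOKEN_RULES = [
    (re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$"), "<IP>"),
    (re.compile(r"^0x[0-9a-fA-F]+$"), "<HEX>"),
    (re.compile(r"^\d+$"), "<NUM>"),
]
WILDCARD = "<*>"

# Constructed sample lines in sshd style; not captured from a real system.
LOGS = [
    "Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Accepted password for bob from 10.0.0.7 port 51240 ssh2",
    "Failed password for root from 10.0.0.9 port 22 ssh2",
    "Failed password for admin from 10.0.0.9 port 23 ssh2",
    "Connection closed by 10.0.0.5 port 51234",
    "Connection closed by 10.0.0.7 port 51240",
]


def message_pattern(line):
    """Step 1: one pattern per unique message. Tokens of a recognised value
    type become placeholders; every other token is kept as a constant."""
    pattern = []
    for tok in line.split():
        for rx, tag in TOKEN_RULES:
            if rx.match(tok):
                tok = tag
                break
        pattern.append(tok)
    return tuple(pattern)


def similarity(p, q):
    """Fraction of positions holding identical tokens; patterns of different
    length are never similar, so they never merge."""
    if len(p) != len(q):
        return 0.0
    return sum(a == b for a, b in zip(p, q)) / len(p)


def merge(patterns):
    """Combine a group into one pattern: positions that disagree become wildcards."""
    return tuple(
        column[0] if len(set(column)) == 1 else WILDCARD
        for column in zip(*patterns)
    )


def build_hierarchy(lines, thresholds=(0.8, 0.5)):
    """Step 2: bottom-up pattern hierarchy. Level 0 holds one pattern per
    unique message; each further level groups the previous level's patterns
    against a group representative (its first member, so wildcards produced by
    merging do not inflate later comparisons) and replaces each group by its
    merged pattern. The thresholds are assumed values for this example."""
    levels = [sorted({message_pattern(line) for line in lines})]
    for th in thresholds:
        groups = []  # each group is a list of member patterns
        for p in levels[-1]:
            for g in groups:
                if similarity(g[0], p) >= th:
                    g.append(p)
                    break
            else:
                groups.append([p])
        levels.append(sorted(merge(g) for g in groups))
    return levels


def select_patterns(levels, max_patterns):
    """Step 3: pick the most specific level that fits the budget, falling
    back to the coarsest level when none does."""
    for level in levels:
        if len(level) <= max_patterns:
            return level
    return levels[-1]


def render(pattern):
    return " ".join(pattern)


if __name__ == "__main__":
    for depth, level in enumerate(build_hierarchy(LOGS)):
        print(f"level {depth}: {len(level)} pattern(s)")
        for p in level:
            print("   ", render(p))
```

On the sample lines level 0 has five patterns (the two "Connection closed" lines already collapse to one), level 1 merges the user names into wildcards while keeping "Accepted" and "Failed" apart, and level 2 merges those two into a single coarse authentication pattern; the six-token "Connection closed" pattern never merges with the nine-token ones.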
Abstract:
Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
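An added example of the graph model in the abstract above (example code written for this page, not the patented detector): vertices are typed entities, each edge carries the timestamps of the events it represents, a path pattern alternates vertex types and event types, and a sequence matches only if its events occur in increasing time order. A random walk that picks outgoing edges in proportion to how often each event was observed gives every matched sequence a probability; the least probable walks are reported as the most suspicious. The "download and run" pattern, the frequency-weighted transition rule and the event list are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry:
# (source vertex, event type, destination vertex, timestamps of that event).
# Vertices are "type:name" strings; one edge may carry several timestamps.
EVENTS = [
    ("socket:198.51.100.7:443", "recv", "process:curl", [10]),
    ("process:curl", "write", "file:/home/u/Downloads/report.pdf", [7, 8, 9]),
    ("process:curl", "write", "file:/tmp/x.sh", [12]),
    ("file:/tmp/x.sh", "exec", "process:bash", [15]),
    ("process:bash", "write", "file:/etc/cron.d/job", [18]),
    ("socket:192.0.2.10:443", "recv", "process:firefox", [20]),
    ("process:firefox", "write", "file:/home/u/.cache/1", [22]),
    ("process:firefox", "write", "file:/home/u/.cache/2", [23]),
    ("socket:192.0.2.20:443", "recv", "process:apt", [50]),
    ("process:apt", "write", "file:/usr/bin/ls", [52]),
    ("file:/usr/bin/ls", "exec", "process:ls", [5, 40, 60, 61, 62]),
    ("socket:203.0.113.9:80", "recv", "process:wget", [90]),
    ("process:wget", "write", "file:/tmp/old.sh", [95]),
    ("file:/tmp/old.sh", "exec", "process:sh", [80]),  # exec precedes the write
]

# Assumed attack path pattern: bytes received from the network are written to
# a file that is later executed. Entries alternate vertex type, event type.
PATTERNS = [("socket", "recv", "process", "write", "file", "exec", "process")]


def vtype(vertex):
    return vertex.split(":", 1)[0]


def build_graph(events):
    """graph[src][(event, dst)] -> sorted timestamps of that edge."""
    graph = defaultdict(lambda: defaultdict(list))
    for src, ev, dst, ts in events:
        graph[src][(ev, dst)].extend(ts)
    for edges in graph.values():
        for ts in edges.values():
            ts.sort()
    return graph


def transition_probs(graph):
    """Random-walk step probabilities: from u, an outgoing edge is chosen with
    probability proportional to how many times its event was observed."""
    probs = {}
    for u, edges in graph.items():
        total = sum(len(ts) for ts in edges.values())
        for (ev, v), ts in edges.items():
            probs[(u, ev, v)] = len(ts) / total
    return probs


def match_pattern(graph, pattern):
    """Enumerate edge sequences matching the pattern whose events occur in
    increasing time order; the earliest admissible timestamp is taken at each step."""
    results = []

    def walk(u, idx, last_ts, edges):
        if idx >= len(pattern):
            results.append(tuple(edges))
            return
        ev_type, next_vtype = pattern[idx], pattern[idx + 1]
        for (ev, v), ts in graph.get(u, {}).items():
            if ev != ev_type or vtype(v) != next_vtype:
                continue
            later = [t for t in ts if t > last_ts]
            if later:
                walk(v, idx + 2, later[0], edges + [(u, ev, v)])

    for u in list(graph):
        if vtype(u) == pattern[0]:
            walk(u, 1, float("-inf"), [])
    return results


def suspicious_sequences(events, patterns=PATTERNS):
    """Matched sequences ordered by random-walk probability, lowest (most
    suspicious) first."""
    graph = build_graph(events)
    probs = transition_probs(graph)
    scored = []
    for pattern in patterns:
        for edges in match_pattern(graph, pattern):
            p = 1.0
            for edge in edges:
                p *= probs[edge]
            scored.append((p, edges))
    return sorted(scored)


def describe(edges):
    return " -> ".join([edges[0][0]] + [f"{ev} {v}" for _, ev, v in edges])


if __name__ == "__main__":
    for p, edges in suspicious_sequences(EVENTS):
        print(f"{p:.3f}  {describe(edges)}")
```

Two sequences match the pattern: curl writing /tmp/x.sh that bash then executes, and apt writing /usr/bin/ls that ls later executes. The curl sequence gets probability 0.25 because curl's other writes make the /tmp/x.sh edge an unusual choice for the walker, while the apt sequence gets 1.0; the wget sequence is rejected because the only exec of /tmp/old.sh is timestamped before the write, and firefox never matches because nothing it writes is executed.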
Abstract:
A method and system for constructing behavior queries in temporal graphs using discriminative sub-trace mining. The method (100) includes generating system data logs to provide temporal graphs (102), wherein the temporal graphs include a first temporal graph corresponding to a target behavior and a second temporal graph corresponding to a set of background behaviors (102); generating temporal graph patterns for each of the first and second temporal graphs to determine whether a pattern exists between a first temporal graph pattern and a second temporal graph pattern, wherein the pattern between the temporal graph patterns is a non-repetitive graph pattern (104); pruning the pattern between the first and second temporal graph patterns to provide a discriminative temporal graph (106); and generating behavior queries based on the discriminative temporal graph (110).
Abstract:
Systems and methods for controlling legacy switch routing in one or more hybrid networks of interconnected computers and switches, including generating a network underlay (304) for the one or more hybrid networks by generating a minimum spanning tree (MST) (306) and a forwarding graph (FWG) (308) over a physical network topology of the one or more hybrid networks (400), determining an optimal path between hosts on the FWG by optimizing an initial path with a minimum cost mapping (312), and adjusting the initial path (310) to enforce the optimal path (314) by generating and installing special packets in one or more programmable switches to trigger installation of forwarding rules for one or more legacy switches (516).
Abstract:
Systems and methods for decoupled searching and optimization for one or more data centers, including determining a network topology for one or more networks of interconnected computer systems embedded in the one or more data centers (304), searching for routing candidates based on the determined network topology (310), and updating (314) and applying (316) one or more objective functions to the routing candidates to determine an optimal routing candidate that satisfies embedding goals based on tenant requests, and to embed the optimal routing candidate in the one or more data centers (412).
Abstract:
Systems and methods are disclosed to schedule virtual machine (VM) migrations by analyzing VM migration behavior; building a simulation tool to predict the time for multiple migrations under different link conditions and VM characteristics; determining a predetermined bandwidth sharing policy for each network link; applying a bin-packing technique to organize bandwidth resources from all network links; and allocating the links to different migration tasks.
Abstract:
A method and system for predicting the performance of a multi-tier computer software system operating on a distributed computer system, sends client requests to one or more tiers of software components of the multi-tier computer software system in a time selective manner; collects traffic traces among all the one or more tiers of the software components of the multi-tier computer software system; collects CPU time at the software components of the multi-tier computer software system; infers performance data of the multi-tier computer software system from the collected traffic traces; and determines disk input/output waiting time from the inferred performance data.