Abstract:
Systems and methods for system event searching based on heterogeneous logs are provided. A system can include a processor device operatively coupled to a memory device, wherein the processor device is configured to mine a variety of log patterns from a variety of heterogeneous logs to obtain known-event log patterns and unknown-event log patterns, and to build a weighted vector representation of the log patterns. The processor device is also configured to evaluate a similarity between the vector representations of the unknown-event and known-event log patterns, and to identify the known event that is most similar to an unknown event, so that system faults can be troubleshot based on past actions taken for similar events, improving the operation of the computer system.
Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data; the graph characterizes the tendency of processes to access system targets. Kill chains that connect malicious events over a span of time are generated (310) from the event correlation graph. The kill chains characterize the events in an attack path over time, and are built by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.
Abstract:
Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.
Abstract:
A method interprets a convolutional sequence model. The method converts (610) an input data sequence having input segments into output features. The method clusters (620) the input segments into clusters using respective resolution-controllable class prototypes allocated to each of the classes. Each respective class prototype includes a respective output feature subset characterizing a respective associated class. The method calculates (630), using the clusters, similarity scores that indicate the similarity of an output feature to the respective class prototypes, responsive to the distances between the output feature and the respective class prototypes. The method concatenates (640) the similarity scores to obtain a similarity vector. The method performs (650) a prediction and prediction support operation that provides a prediction value and an interpretation for that value, responsive to the input segments and the similarity vector. The interpretation for the prediction value is provided using only non-negative weights and without a weight bias in the fully connected layer.
Abstract:
Systems and methods for implementing heterogeneous feature integration for device behavior analysis (HFIDBA) are provided. The method includes representing (620) each of multiple devices as a sequence of vectors for communications and as a separate vector for a device profile. The method also includes extracting (630) static features, temporal features, and deep embedded features from the sequence of vectors to represent behavior of each device. The method further includes determining (650), by a processor device, a status of a device based on vector representations of each of the multiple devices.
Abstract:
A method for detecting spoofing attacks from network traffic log data is presented. The method includes training a spoofing attack detector with the network traffic log data received from one or more mobile networks by extracting features that are relevant to spoofing attacks for training data, building a first set of vector representations for the network traffic log data, training an anomaly detection model by employing DAGMM, and obtaining learned parameters of DAGMM. The method includes testing the spoofing attack detector with the network traffic log data received from the one or more mobile networks by extracting features that are relevant to spoofing attacks for testing data, building a second set of vector representations for the network traffic log data, obtaining latent representations of the testing data, computing a z-score of the testing data, and creating a spoofing attack alert report listing traffic logs generating z-scores exceeding a predetermined threshold.
Abstract:
Systems and methods for implementing dynamic graph analysis (DGA) to detect anomalous network traffic are provided. The method includes processing (510) communications and profile data associated with multiple devices to determine dynamic graphs. The method includes generating (520) features to model temporal behaviors of network traffic generated by the multiple devices based on the dynamic graphs. The method also includes formulating (550) a list of prediction results for sources of the anomalous network traffic from the multiple devices based on the temporal behaviors.
Abstract:
A method for implementing automatic and scalable log pattern learning in security log analysis is provided. The method includes collecting security logs generated by a computer system. An incremental learning process is implemented to generate a set of log patterns from the collected security logs. The collected security logs are parsed using the set of log patterns.
Abstract:
A security system using automatic and scalable log pattern learning in security log analysis is provided. The security system includes one or more management services configured to generate security logs, and a security log analysis service operatively coupled to the one or more management services. The security log analysis service is configured to collect the security logs generated by the one or more management services, implement an incremental learning process to generate a set of log patterns from the collected security logs, parse the collected security logs using the set of log patterns, and analyze the parsed security logs for one or more security applications.
Abstract:
A method is provided that is performed in a network having nodes that generate heterogeneous logs, including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of the training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method further includes controlling an anomaly-initiating one of the nodes based on the invariant models.