Patents by Inventor Bo Zong

Bo Zong has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190197432
    Abstract: Systems and methods for automatically generating a set of meta-parameters used to train invariant-based anomaly detectors are provided. Data is transformed into a first set of time series data and a second set of time series data. A fitness threshold search is performed on the first set of time series data to automatically generate a fitness threshold, and a time resolution search is performed on the second set of time series data to automatically generate a time resolution. A set of meta-parameters including the fitness threshold and the time resolution is sent to one or more user devices across a network to govern the training of an invariant-based anomaly detector.
    Type: Application
    Filed: January 18, 2018
    Publication date: June 27, 2019
    Inventors: Hui Zhang, Bo Zong
  • Publication number: 20190171644
    Abstract: Methods and systems for event detection and correction include determining a log pattern for a received event. The log pattern is translated to an event search query. The event search query is weighted according to discriminative dimensions using term-frequency inverse-document-frequency. The event search query is matched to one or more known events. A corrective action is automatically performed based on a solution associated with the one or more known events.
    Type: Application
    Filed: December 3, 2018
    Publication date: June 6, 2019
    Inventors: Jianwu Xu, Bo Zong, Haifeng Chen
  • Publication number: 20190171622
    Abstract: Systems and methods for system event searching based on heterogeneous logs are provided. A system can include a processor device operatively coupled to a memory device, wherein the processor device is configured to mine a variety of log patterns from heterogeneous logs to obtain known-event log patterns and unknown-event log patterns, as well as to build a weighted vector representation of the log patterns. The processor device is also configured to evaluate a similarity between the vector representations of the unknown-event and known-event log patterns, and to identify the known event that is most similar to an unknown event in order to troubleshoot system faults based on past actions for similar events, thereby improving the operation of a computer system.
    Type: Application
    Filed: November 28, 2018
    Publication date: June 6, 2019
    Inventors: Bo Zong, Jianwu Xu, Haifeng Chen
  • Patent number: 10298607
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: May 21, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Patent number: 10289841
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: May 14, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20190124045
    Abstract: Systems and methods for preventing cyberattacks using a Density Estimation Network (DEN) for unsupervised anomaly detection, including constructing the DEN using acquired network traffic data by performing end-to-end training. The training includes generating low-dimensional vector representations of the network traffic data by performing dimensionality reduction of the network traffic data, predicting mixture membership distribution parameters for each of the low-dimensional representations by performing density estimation using a Gaussian Mixture Model (GMM) framework, and formulating an objective function to estimate an energy and determine a density level of the low-dimensional representations for anomaly detection, with an anomaly being identified when the energy exceeds a pre-defined threshold. Cyberattacks are prevented by blocking transmission of network flows with identified anomalies by directly filtering out the flows using a network traffic monitor.
    Type: Application
    Filed: October 24, 2018
    Publication date: April 25, 2019
    Inventors: Bo Zong, Daeki Cho, Cristian Lumezanu, Haifeng Chen, Qi Song
  • Publication number: 20190098048
    Abstract: Methods and systems for mitigating a spoofing-based attack include calculating a travel distance between a source Internet Protocol (IP) address and a target IP address from a received packet based on time-to-live information from the received packet. An expected travel distance between the source IP address and the target IP address is estimated based on a sparse set of known source/target distances. It is determined that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security action is performed responsive to the determination that the received packet has a spoofed source IP address.
    Type: Application
    Filed: August 13, 2018
    Publication date: March 28, 2019
    Inventors: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
  • Publication number: 20190098050
    Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.
    Type: Application
    Filed: August 13, 2018
    Publication date: March 28, 2019
    Inventors: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
  • Publication number: 20190098049
    Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by the target network endpoint system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the target network endpoint system responsive to the determination that the received packet has a spoofed source IP address.
    Type: Application
    Filed: August 13, 2018
    Publication date: March 28, 2019
    Inventors: Cristian Lumezanu, Nipun Arora, Haifeng Chen, Bo Zong, Daeki Cho, Mingda Li
  • Publication number: 20180365291
    Abstract: Systems and methods for optimizing query execution to improve query processing by a computer are provided. A query is analyzed and translated into a logical plan. A runtime query optimizer is applied to the logical plan to identify a physical plan including operators for execution. The logical plan is translated into the physical plan. Execution of the query is scheduled according to the physical plan.
    Type: Application
    Filed: May 18, 2018
    Publication date: December 20, 2018
    Inventors: Haifeng Chen, Youfu Li, Daeki Cho, Bo Zong, Nipun Arora, Cristian Lumezanu
  • Publication number: 20180276566
    Abstract: Systems and methods for automatically generating a set of meta-parameters used to train invariant-based anomaly detectors are provided. Data is transformed into a first set of time series data and a second set of time series data. A fitness threshold search is performed on the first set of time series data to automatically generate a fitness threshold, and a time resolution search is performed on the second set of time series data to automatically generate a time resolution. A set of meta-parameters including the fitness threshold and the time resolution is sent to one or more user devices across a network to govern the training of an invariant-based anomaly detector.
    Type: Application
    Filed: January 18, 2018
    Publication date: September 27, 2018
    Inventors: Hui Zhang, Bo Zong
  • Publication number: 20180270263
    Abstract: A security system using automatic and scalable log pattern learning in security log analysis is provided. The security system includes one or more management services configured to generate security logs, and a security log analysis service operatively coupled to the one or more management services. The security log analysis service is configured to collect the security logs generated by the one or more management services, implement an incremental learning process to generate a set of log patterns from the collected security logs, parse the collected security logs using the set of log patterns, and analyze the parsed security logs for one or more security applications.
    Type: Application
    Filed: February 6, 2018
    Publication date: September 20, 2018
    Inventors: Hui Zhang, Jianwu Xu, Bo Zong
  • Publication number: 20180270262
    Abstract: A method for implementing automatic and scalable log pattern learning in security log analysis is provided. The method includes collecting security logs generated by a computer system. An incremental learning process is implemented to generate a set of log patterns from the collected security logs. The collected security logs are parsed using the set of log patterns.
    Type: Application
    Filed: February 6, 2018
    Publication date: September 20, 2018
    Inventors: Hui Zhang, Jianwu Xu, Bo Zong
  • Publication number: 20180174065
    Abstract: A computer-implemented method for automatically analyzing log contents received via a network and detecting content-level anomalies is presented. The computer-implemented method includes building a statistical model based on contents of a set of training logs and detecting, based on the set of training logs, content-level anomalies for a set of testing logs. The method further includes maintaining an index and metadata, generating attributes for fields, editing model capability to incorporate user domain knowledge, detecting anomalies using field attributes, and improving anomaly quality by using user feedback.
    Type: Application
    Filed: August 16, 2017
    Publication date: June 21, 2018
    Inventors: Biplob Debnath, Hui Zhang, Jianwu Xu, Nipun Arora, Guofei Jiang, Bo Zong
  • Publication number: 20180137001
    Abstract: A method is provided that includes transforming training data into a neural network based learning model using a set of temporal graphs derived from the training data. The method includes performing model learning on the learning model by automatically adjusting learning model parameters based on the set of the temporal graphs to minimize differences between a predetermined ground-truth ranking list and a learning model output ranking list. The method includes transforming testing data into a neural network based inference model using another set of temporal graphs derived from the testing data. The method includes performing model inference by applying the inference and learning models to test data to extract context features for alerts in the test data and calculate a ranking list for the alerts based on the extracted context features. Top-ranked alerts are identified as critical alerts. Each alert represents an anomaly in the test data.
    Type: Application
    Filed: November 13, 2017
    Publication date: May 17, 2018
    Inventors: Bo Zong, LuAn Tang, Qi Song, Biplob Debnath, Hui Zhang, Guofei Jiang
  • Publication number: 20180060748
    Abstract: A heterogeneous log pattern editing recommendation system and computer-implemented method are provided. The system has a processor configured to identify, from heterogeneous logs, patterns including variable fields and constant fields. The processor is also configured to extract a category feature, a cardinality feature, and a before-after n-gram feature by tokenizing the variable fields in the identified patterns. The processor is additionally configured to generate target similarity scores between target fields to be potentially edited and other fields from among the variable fields in the heterogeneous logs using pattern editing operations based on the extracted category feature, the extracted cardinality feature, and the extracted before-after n-gram feature. The processor is further configured to recommend, to a user, log pattern edits for at least one of the target fields based on the target similarity scores between the target fields in the heterogeneous logs.
    Type: Application
    Filed: August 23, 2017
    Publication date: March 1, 2018
    Inventors: Jianwu Xu, Biplob Debnath, Bo Zong, Hui Zhang, Guofei Jiang, Hancheng Ge
  • Publication number: 20180048667
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 15, 2018
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20180032724
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 1, 2018
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Patent number: 9819558
    Abstract: Streaming query resource control is described, for example, to allocate streaming queries to servers in a data center providing a streaming query platform. In various embodiments streaming queries are allocated to servers in a manner seeking to balance load between the servers and also to reduce network traffic costs between data stream sources and the servers. In various examples, query types are taken into account, where a query type is the identity of one or more data stream sources used by the query, and optionally also traffic rates of the data stream sources. In some examples, processes for allocating incoming queries in an online fashion are described and in some examples, processes for allocating queries in an offline fashion are described. In examples, a network traffic cost metric is used which takes into account an incremental network traffic cost of adding a given query at a server.
    Type: Grant
    Filed: March 3, 2014
    Date of Patent: November 14, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Milan Vojnovic, Christos Gkantsidis, Bo Zong
  • Publication number: 20170277997
    Abstract: A method is provided that is performed in a network having nodes that generate heterogeneous logs including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method includes controlling an anomaly-initiating one of the plurality of nodes based on the invariant models.
    Type: Application
    Filed: February 10, 2017
    Publication date: September 28, 2017
    Inventors: Bo Zong, Jianwu Xu, Guofei Jiang