Patents by Inventor Guofei Jiang

Guofei Jiang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180053111
    Abstract: Methods and systems for detecting anomalies include determining a predictive model for each pair of a set of time series, each time series being associated with a component of a system. New values of each pair of time series are compared to values predicted by the respective predictive model to determine if the respective predictive model is broken. A number of broken predictive models is determined. An anomaly alert is generated if the number of broken predictive models exceeds a threshold.
    Type: Application
    Filed: August 18, 2017
    Publication date: February 22, 2018
    Inventors: Tan Yan, Dongjin Song, Haifeng Chen, Guofei Jiang, Tingyang Xu
  • Publication number: 20180052998
    Abstract: A computer-implemented method for analyzing operations of privilege changes is presented. The computer-implemented method includes inputting a program and performing source code analysis on the program by generating a privilege control flow graph (PCFG), generating a privilege data flow graph (PDFG), and generating a privilege call context graph (PCCG). The computer-implemented method further includes, based on the source code analysis results, instrumenting the program to perform inspections on execution states at privilege change operations, and performing runtime inspection and anomaly prevention.
    Type: Application
    Filed: June 15, 2017
    Publication date: February 22, 2018
    Inventors: Junghwan Rhee, Yuseok Jeon, Zhichun Li, Kangkook Jee, Zhenyu Wu, Guofei Jiang
  • Publication number: 20180054445
    Abstract: A computer-implemented method for performing privilege flow analysis is presented. The computer-implemented method includes monitoring at least one program operating system (OS) event handled by a program, generating a privilege flow graph, determining an inferred program behavior context, and generating, based on a combination of the privilege flow graph and the inferred program behavior context, an inferred behavior context-aware privilege flow graph to distinguish different roles of processes and/or threads within the program.
    Type: Application
    Filed: June 15, 2017
    Publication date: February 22, 2018
    Inventors: Junghwan Rhee, Yuseok Jeon, Zhichun Li, Kangkook Jee, Zhenyu Wu, Guofei Jiang
  • Publication number: 20180054085
    Abstract: A power generator system with anomaly detection and methods for detecting anomalies include a power generator that includes one or more physical components configured to provide electrical power. Sensors are configured to make measurements of a state of respective physical components, outputting respective time series of said measurements. A monitoring system includes a fitting module configured to determine a predictive model for each pair of a set of time series, an anomaly detection module configured to compare new values of each pair of time series to values predicted by the respective predictive model to determine if the respective predictive model is broken and to determine a number of broken predictive models, and an alert module configured to generate an anomaly alert if the number of broken predictive models exceeds a threshold.
    Type: Application
    Filed: August 18, 2017
    Publication date: February 22, 2018
    Inventors: Tan Yan, Dongjin Song, Haifeng Chen, Guofei Jiang, Tingyang Xu
  • Publication number: 20180052995
    Abstract: Methods and systems for security analysis include determining whether a process has an origin internal to a system or external to the system using a processor based on monitored behavior events associated with the process. A security analysis is performed on only processes that have an external origin to determine if any of the processes having an external origin represent a security threat. A security action is performed if a process having an external origin is determined to represent a security threat.
    Type: Application
    Filed: July 18, 2017
    Publication date: February 22, 2018
    Inventors: Zhenyu Wu, Jungwhan Rhee, Yuseok Jeon, Zhichun Li, Kangkook Jee, Guofei Jiang
  • Publication number: 20180048667
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 15, 2018
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20180032724
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 1, 2018
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20180034836
    Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.
    Type: Application
    Filed: October 10, 2017
    Publication date: February 1, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Ying Lin, Zhichun Li, Haifeng Chen, Guofei Jiang
  • Patent number: 9870485
    Abstract: A system and method for detecting sensitive user input leakages in software applications, such as applications created for smartphone platforms. The system and method are configured to parse user interface layout files of the software application to identify input fields and obtain information concerning the input fields. Input fields that contain sensitive information are identified and a list of sensitive input fields, such as contextual IDs, is generated. The sensitive information fields are identified by reviewing the attributes, hints and/or text labels of the user interface layout file. A taint analysis is performed using the list of sensitive input fields and a sink dataset in order to detect information leaks in the sensitive input fields.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: January 16, 2018
    Assignee: NEC Corporation
    Inventors: Zhichun Li, Xusheng Xiao, Zhenyu Wu, Jianjun Huang, Guofei Jiang
  • Patent number: 9870519
    Abstract: A system, method and computer program product for hierarchical sparse dictionary learning (“HiSDL”) to construct a learned dictionary regularized by an a priori over-complete dictionary, includes providing at least one a priori over-complete dictionary for regularization, performing sparse coding of the at least one a priori over-complete dictionary to provide a sparse coded dictionary, using a processor, updating the sparse coded dictionary with regularization using at least one auxiliary variable to provide a learned dictionary, determining whether the learned dictionary converges to an input data set, and outputting the learned dictionary regularized by the at least one a priori over-complete dictionary when the learned dictionary converges to the input data set. The system and method include, when the learned dictionary lacks convergence, repeating the steps of performing sparse coding, updating the sparse coded dictionary, and determining whether the learned dictionary converges to the input data set.
    Type: Grant
    Filed: July 8, 2015
    Date of Patent: January 16, 2018
    Assignee: NEC Corporation
    Inventors: Xia Ning, Guofei Jiang, Xiao Bian
  • Publication number: 20180013775
    Abstract: A system and computer-implemented method are provided for host level detection of malicious Domain Name System (DNS) activities in a network environment having multiple end-hosts. The system includes a set of DNS resolver agents configured to (i) gather DNS activities from each of the multiple end-hosts by recording DNS queries and DNS responses corresponding to the DNS queries, and (ii) associate the DNS activities with Program Identifiers (PIDs) that identify programs that issued the DNS queries. The system further includes a backend server configured to detect one or more of the malicious DNS activities based on the gathered DNS activities and the PIDs.
    Type: Application
    Filed: July 7, 2017
    Publication date: January 11, 2018
    Inventors: Kangkook Jee, Zhichun Li, Guofei Jiang, Lauri Korts-Parn, Zhenyu Wu, Yixin Sun, Junghwan Rhee
  • Patent number: 9813301
    Abstract: Systems and methods for decoupled searching and optimization for one or more data centers, including determining a network topology for one or more networks of interconnected computer systems embedded in the one or more data centers, searching for routing candidates based on the network topology determined, and updating and applying one or more objective functions to the routing candidates to determine an optimal routing candidate to satisfy embedding goals based on tenant requests, and to embed the optimal routing candidate in the one or more data centers.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: November 7, 2017
    Assignee: NEC Corporation
    Inventors: Qiang Xu, Cristian Lumezanu, Zhuotao Liu, Nipun Arora, Abhishek Sharma, Hui Zhang, Guofei Jiang
  • Publication number: 20170314961
    Abstract: Systems and methods for anomaly detection in complex physical systems, including extracting features representative of a temporal evolution of the complex physical system, and analyzing the extracted features by deriving vector trajectories using sliding window segmentation of time series, applying a linear test to determine whether the vector trajectories are linear, and performing subspace decomposition on the vector trajectory based on the linear test. A system evolution model is generated from an ensemble of models, and a fitness score is determined by analyzing different data properties of the system based on specific data dependency relationships. An alarm is generated if the fitness score exceeds a predetermined number of threshold violations for the different data properties.
    Type: Application
    Filed: July 18, 2017
    Publication date: November 2, 2017
    Inventors: Haifeng Chen, Kenji Yoshihira, Guofei Jiang
  • Publication number: 20170308427
    Abstract: Methods are provided for both single modal and multimodal fault diagnosis. In a method, a fault fingerprint is constructed based on a fault event using an invariant model. A similarity matrix between the fault fingerprint and one or more historical representative fingerprints is derived using dynamic time warping and at least one convolution. A feature vector in a feature subspace for the fault fingerprint is generated. The feature vector includes at least one status of at least one system component during the fault event. A corrective action correlated to the fault fingerprint is determined. The corrective action is initiated on a hardware device to mitigate expected harm to at least one item selected from the group consisting of the hardware device, another hardware device related to the hardware device, and a person related to the hardware device.
    Type: Application
    Filed: April 18, 2017
    Publication date: October 26, 2017
    Inventors: Wei Cheng, Kenji Yoshihira, Haifeng Chen, Guofei Jiang
  • Publication number: 20170293542
    Abstract: Methods for system failure prediction include clustering log files according to structural log patterns. Feature representations of the log files are determined based on the log clusters. A likelihood of a system failure is determined based on the feature representations using a neural network. An automatic system control action is performed if the likelihood of system failure exceeds a threshold.
    Type: Application
    Filed: April 4, 2017
    Publication date: October 12, 2017
    Inventors: Jianwu Xu, Ke Zhang, Hui Zhang, Renqiang Min, Guofei Jiang
  • Publication number: 20170293543
    Abstract: Mobile phones and methods for mobile phone failure prediction include receiving respective log files from one or more mobile phone components, including at least one user application. The log files have heterogeneous formats. A likelihood of failure of one or more mobile phone components is determined based on the received log files by clustering the plurality of log files according to structural log patterns and determining feature representations of the log files based on the log clusters. A user is alerted to a potential failure if the likelihood of component failure exceeds a first threshold. An automatic system control action is performed if the likelihood of component failure exceeds a second threshold.
    Type: Application
    Filed: April 4, 2017
    Publication date: October 12, 2017
    Inventors: Jianwu Xu, Ke Zhang, Hui Zhang, Renqiang Min, Guofei Jiang
  • Publication number: 20170293761
    Abstract: Systems and methods for identifying similarities in program binaries, including extracting program binary features from one or more input program binaries to generate corresponding hybrid features. The hybrid features include a reference feature, a resource feature, an abstract control flow feature, and a structural feature. Combinations of a plurality of pairs of binaries are generated from the extracted hybrid features, and a similarity score is determined for each of the pairs of binaries. A hybrid difference score is generated based on the similarity score for each of the binaries combined with input hybrid feature parameters. A likelihood of malware in the input program is identified based on the hybrid difference score.
    Type: Application
    Filed: April 5, 2017
    Publication date: October 12, 2017
    Inventors: Junghwan Rhee, Zhichun Li, Zhenyu Wu, Kangkook Jee, Guofei Jiang
  • Publication number: 20170288979
    Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.
    Type: Application
    Filed: April 3, 2017
    Publication date: October 5, 2017
    Inventors: Kenji Yoshihira, Zhichun Li, Zhengzhang Chen, Haifeng Chen, Guofei Jiang, LuAn Tang
  • Publication number: 20170288974
    Abstract: Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.
    Type: Application
    Filed: April 3, 2017
    Publication date: October 5, 2017
    Inventors: Kenji Yoshihira, Zhichun Li, Zhengzhang Chen, Haifeng Chen, Guofei Jiang, LuAn Tang
  • Publication number: 20170277997
    Abstract: A method is provided that is performed in a network having nodes that generate heterogeneous logs including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method includes controlling an anomaly-initiating one of the plurality of nodes based on the invariant models.
    Type: Application
    Filed: February 10, 2017
    Publication date: September 28, 2017
    Inventors: Bo Zong, Jianwu Xu, Guofei Jiang