Abstract: Systems and methods for quality control for physical systems, including a quality control engine for transforming raw time series data collected from each of a plurality of sensors in the physical system into one or more sets of feature series by extracting features from the raw time series. Feature ranking scores are generated for each of the sensors by ranking each of the features using an ensemble of feature rankers, and fused importance scores are generated by aggregating the feature ranking scores for each of the sensors and combining ranking scores from each ranker in the ensemble. System quality is controlled by identifying sensors responsible for quality degradation based on the fused importance scores.

Abstract: A system and method for detecting sensitive user input leakages in software applications, such as applications created for smartphone platforms. The system and method are configured to parse user interface layout files of the software application to identify input fields and obtain information concerning the input fields. Input fields that contain sensitive information are identified and a list of sensitive input fields, such as contextual IDs, is generated. The sensitive information fields are identified by reviewing the attributes, hints and/or text labels of the user interface layout file. A taint analysis is performed using the list of sensitive input fields and a sink dataset in order to detect information leaks in the sensitive input fields.

Abstract: A method and system for constructing behavior queries in temporal graphs using discriminative sub-trace mining. The method includes generating system data logs to provide temporal graphs, wherein the temporal graphs include a first temporal graph corresponding to a target behavior and a second temporal graph corresponding to a set of background behaviors, generating temporal graph patterns for each of the first and second temporal graphs to determine whether a pattern exists between a first temporal graph pattern and a second temporal graph pattern, wherein the pattern between the temporal graph patterns is a non-repetitive graph pattern, pruning the pattern between the first and second temporal graph patterns to provide a discriminative temporal graph, and generating behavior queries based on the discriminative temporal graph.

Abstract: Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.

Abstract: A method and system are provided. The method includes performing, by a logs-to-time-series converter, a logs-to-time-series conversion by transforming a plurality of heterogeneous logs into a set of time series. Each of the heterogeneous logs includes a time stamp and text portion with one or more fields. The method further includes performing, by a time-series-to-sequential-pattern converter, a time-series-to-sequential-pattern conversion by mining invariant relationships between the set of time series, and discovering sequential message patterns and association rules in the plurality of heterogeneous logs using the invariant relationships. The method also includes executing, by a processor, a set of log management applications, based on the sequential message patterns and the association rules.

Abstract: A system and method for profiling a request in a service system with kernel events including a pre-processing module configured to obtain kernel event traces from the service system and determine starting and ending communication pairs of a request path for a request. A learning module is configured to learn pairwise relationships between the starting and ending communication pairs of training traces of sequential requests. A generation module is configured to generate communication paths for the request path from the starting and ending communication pairs of testing traces of concurrent requests using a heuristic procedure that is guided by the learned pairwise relationships and generate the request path for the request from the communication paths. The system and method precisely determine request paths for applications in a distributed system from kernel event traces even when there are numerous concurrent requests.

Abstract: Systems and methods for controlling legacy switch routing in one or more hybrid networks of interconnected computers and switches, including generating a network underlay for the one or more hybrid networks by generating a minimum spanning tree (MST) and a forwarding graph (FWG) over a physical network topology of the one or more hybrid networks, determining an optimal path between hosts on the FWG by optimizing an initial path with a minimum cost mapping, and adjusting the initial path to enforce the optimal path by generating and installing special packets in one or more programmable switches to trigger installation of forwarding rules for one or more legacy switches.

Abstract: Systems and methods for decoupled searching and optimization for one or more data centers, including determining a network topology for one or more networks of interconnected computer systems embedded in the one or more data center, searching for routing candidates based on a network topology determined, and updating and applying one or more objective functions to the routing candidates to determine an optimal routing candidate to satisfy embedding goals based on tenant requests, and to embed the optimal routing candidate in the one or more data centers.

Abstract: Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

Abstract: A method implemented in a network apparatus used in a network is disclosed. The method includes sensing network topology and network utilization, receiving a request from an application, deciding path setup requirement using network state information obtained from the network topology and the network utilization, and translating the path setup requirement into a rule to be installed. Other methods, apparatuses, and systems also are disclosed.

Abstract: A system and method for analysis of complex systems which includes determining model parameters based on time series data, further including profiling a plurality of types of data properties to discover complex data properties and dependencies; classifying the data dependencies into predetermined categories for analysis; and generating a plurality of models based on the discovered properties and dependencies. The system and method may analyze, using a processor, the generated models based on a fitness score determined for each model to generate a status report for each model; integrate the status reports for each model to determine an anomaly score for the generated models; and generate an alarm when the anomaly score exceeds a predefined threshold.

Abstract: Systems and methods are disclosed for protecting privacy in an application software (app) by detecting application repacking; detecting application tainting, including: detecting descrying information leakage; detecting vulnerability espial; and detecting a privacy leak.

Abstract: A system, method and computer program product for hierarchical sparse dictionary learning (“HiSDL”) to construct a learned dictionary regularized by an a priori over-complete dictionary, includes providing at least one a priori over-complete dictionary for regularization, performing sparse coding of the at least one a priori over-complete dictionary to provide a sparse coded dictionary, using a processor, updating the sparse coded dictionary with regularization using at least one auxiliary variable to provide a learned dictionary, determining whether the learned dictionary converges to an input data set, and outputting the learned dictionary regularized by the at least one a priori over-complete dictionary when the learned dictionary converges to the input data set. The system and method includes, when the learned dictionary lacks convergence, repeating the steps of performing sparse coding, updating the sparse coded dictionary, and determining whether the learned dictionary converges to the input data set.

Abstract: Systems and methods for determining whether networked system migrations are successful are disclosed. In accordance with one method, a first set of properties of the networked system on a source platform in a first administrative domain is determined. Further, the method includes transferring the networked system to a destination platform in a second administrative domain. In addition, a second set of properties of the transferred system on the destination platform is determined, where the first and second sets of properties include functional properties and at least one of: performance properties, security properties or reliability properties. The method also includes outputting an indication that the transfer of the system to the destination platform is successful in response to determining that one or more of the properties of the second set are equivalent to corresponding properties of the first set.

Abstract: A method and system are provided. The method includes determining from a data matrix having rows and columns, a clustering vector of the rows and a clustering vector of the columns. Each row in the clustering vector of the rows is a row instance and each row in the clustering vector of the columns is a column instance. The method further includes performing correlation of the row and column instances. The method also includes building a normalizing graph using a graph-based manifold regularization that enforces a smooth target function which, in turn, assigns a value on each node of the normalizing graph to obtain a Lapacian matrix. The method additionally includes performing Eigenvalue decomposition on the Lapacian matrix to obtain Eigenvectors. The method further includes providing a canonical co-clustering analysis function by maximizing a coupling between clustering vectors while concurrently enforcing regularization on each clustering vector using the Eigenvectors.

Abstract: Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process.

Abstract: A computer implemented method for network monitoring includes providing network packet event characterization and analysis for network monitoring that includes supporting summarization and characterization of network packet traces collected across multiple processing elements of different types in a virtual network, including a trace slicing to organize individual packet events into path-based trace slices, a trace characterization to extract at least 2 types of feature matrix describing those trace slices, and a trace analysis to cluster, rank and query packet traces based on metrics of the feature matrix.

Abstract: The present invention enables capturing API level calls using a combination of dynamic instrumentation and library overriding. The invention allows event level tracing of API function calls and returns, and is able to generate an execution trace. The instrumentation is lightweight and relies on dynamic library/shared library linking mechanisms in most operating systems. Hence we need no source code modification or binary injection. The tool can be used to capture parameter values, and return values, which can be used to correlate traces across API function calls to generate transaction flow logic.

Abstract: A method implemented in a network apparatus used in a network is disclosed. The method comprises collecting information about network topology from a network controller, collecting information about data movement, deciding routing in the network according to the information about network topology and the information about data movement, and providing information about the routing to the network controller, wherein the network controller enforces the routing in the network. Other methods, apparatuses, and systems also are disclosed.

Abstract: A method for producing a set of optimized node placement solutions for plural nodes of a computer network includes temporarily relocating movable ones of the nodes in the network; for each temporarily relocated movable node, determining a thermal energy of the network resulting from its temporary relocation in the network; for each temporarily relocated movable node, determining a potential energy reduction in the network resulting from its temporary relocation in the network; for each temporarily relocated movable node, determining whether to accept or reject its temporary relocation in the network; accepting the temporary relocation if an acceptance probability is greater than a randomly generated number, the acceptance probability being a function of the potential energy reduction in the network; and repeating the aforementioned steps to generate a set of optimized node placement solutions.