Abstract: Systems and methods for contextual event sequence analysis of system failure that analyzes heterogeneous system event record logs are disclosed. The disclosure relates to analyzing event sequences for system failure in ICT and other computerized systems and determining their causes and propagation chains.

Abstract: Methods of purifying a virus from a virus-infected cell lysate using three-phase partitioning (TPP) are disclosed. The methods comprise a first round of TPP, including mixing a cell lysate comprising a virus with ammonium sulfate and t-butanol, and separating the mixture, thereby forming a first aqueous phase, a first organic phase, and a first interphase. The first aqueous phase can comprise the virus, which can be subjected to a second round of TPP, resulting in a second aqueous phase, a second organic phase, and a second interphase. The second interphase can comprise highly purified virus. The methods can comprise subjecting a first aqueous phase to further purification by column chromatography or density gradient centrifugation. Purification of AAV, including AAV2, AAV5 and AAV6, from lysates of infected insect cell cultures is demonstrated. TPP-purified AAV particles infect at least as well as those prepared by standard methods.

Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.

Abstract: A method is provided for root cause anomaly detection in an invariant network having a plurality of nodes that generate time series data. The method includes modeling anomaly propagation in the network. The method includes reconstructing broken invariant links in an invariant graph based on causal anomaly ranking vectors. Each broken invariant link involves a respective node pair formed from the plurality of nodes such that one of the nodes in the respective node pair has an anomaly. Each causal anomaly ranking vector is for indicating a respective node anomaly status for a given one of the plurality of nodes when paired. The method includes calculating a sparse penalty of the casual anomaly ranking vectors to obtain a set of time-dependent anomaly rankings. The method includes performing temporal smoothing of the set of rankings, and controlling an anomaly-initiating one of the plurality of nodes based on the set of rankings.

Abstract: Methods are provided for both single modal and multimodal fault diagnosis. In a method, a fault fingerprint is constructed based on a fault event using an invariant model. A similarity matrix between the fault fingerprint and one or more historical representative fingerprints are derived using dynamic time warping and at least one convolution. A feature vector in a feature subspace for the fault fingerprint is generated. The feature vector includes at least one status of at least one system component during the fault event. A corrective action correlated to the fault fingerprint is determined. The corrective action is initiated on a hardware device to mitigate expected harm to at least one item selected from the group consisting of the hardware device, another hardware device related to the hardware device, and a person related to the hardware device.

Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and model respective pairs of the entities for compatibility according to the embedding of the entities to form a pairwise interaction for the respective pairs of the entities. The processor is additionally configured to weigh the pairwise interaction of different ones of the respective pairs of the entities based on one or more compatibility criterion to generate a probability of an occurrence of an anomaly and alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.

Abstract: Methods and systems for embedding a network in a latent space include generating a representation of an input network graph in the latent space using an autoencoder model and generating a representation of a set of noise samples in the latent space using a generator model. A discriminator model discriminates between the representation of the input network graph and the representation of the set of noise samples. The autoencoder model, the generator model, and the discriminator model are jointly trained by minimizing a joint loss function that includes parameters for each model. A final representation of the input network graph is generated using the trained autoencoder model.

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.

Abstract: Systems and methods for preventing cyberattacks using a Density Estimation Network (DEN) for unsupervised anomaly detection, including constructing the DEN using acquired network traffic data by performing end-to-end training. The training includes generating low-dimensional vector representations of the network traffic data by performing dimensionality reduction of the network traffic data, predicting mixture membership distribution parameters for each of the low-dimensional representations by performing density estimation using a Gaussian Mixture Model (GMM) framework, and formulating an objective function to estimate an energy and determine a density level of the low-dimensional representations for anomaly detection, with an anomaly being identified when the energy exceeds a pre-defined threshold. Cyberattacks are prevented by blocking transmission of network flows with identified anomalies by directly filtering out the flows using a network traffic monitor.

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, employing an alert interpretation module to interpret the alerts in real-time, matching problematic entities to the streaming data, retrieving following events, and generating an aftermath graph on a visualization component.

Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, and employing an alert interpretation module to interpret the alerts in real-time, the alert interpretation module including a process-star graph constructor for retrieving relationships from the streaming data to construct process-star graph models and an alert cause detector for analyzing the alerts based on the process-star graph models to determine an entity that causes an alert.

Abstract: To detect annotation lines in medical image data. Horizontal annotation pixel determination means obtains the color component value difference between each pixel of a predetermined number of connected adjacent pixels in a first direction of the target pixel and an adjacent pixel thereof. If the total number of pixels having color component value differences, of the predetermined number of pixels is equal to or smaller than a first threshold, the horizontal annotation pixel determination means determines that the target pixel is an annotation pixel. If annotation pixels are successive in the horizontal direction in a predetermined number, horizontal annotation line determination means determines that the annotation pixels form an annotation line. The same applies to the vertical direction. The determined annotation lines are provided to border detection means.

Abstract: Methods and systems for mitigating a spoofing-based attack include calculating a travel distance between a source Internet Protocol (IP) address and a target IP address from a received packet based on time-to-live information from the received packet. An expected travel distance between the source IP address and the target IP address is estimated based on a sparse set of known source/target distances. It is determined that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security action is performed responsive to the determination that the received packet has a spoofed source IP address.

Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by the target network endpoint system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the target network endpoint system responsive to the determination that the received packet has a spoofed source IP address.

Abstract: Methods and systems for system maintenance include identifying patterns in heterogeneous logs. Predictive features are extracted from a set of input logs based on the identified patterns. It is determined that the predictive features indicate a future system failure using a first model. A second model is trained, based on a target sample from the predictive features and based on weights associated with a distance between the target sample and a set of samples from the predictive features, to identify one or more parameters of the second model associated with the future system failure. A system maintenance action is performed in accordance with the identified one or more parameters.

Abstract: A computer-implemented method, system, and computer program product are provided for content aware heterogeneous log pattern comparative analysis. The method includes receiving, by a processor-device, a plurality of heterogeneous logs. The method also includes extracting, by the processor-device, a plurality of log syntactic patterns from the plurality of heterogenous logs. The method additionally includes generating, by the processor-device, latent representation vectors for each of the plurality of log syntactic patterns. The method further includes predicting, by the processor-device, an anomaly from the clustered latent representation vectors. The method also includes controlling an operation of a processor-based machine to react in accordance with the anomaly.

Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.

Abstract: A method and system are provided for processing computer log messages for log visualization and log retrieval. The method includes collecting log messages from one or more computer system components, performing a log tokenization process on the log messages to generate tokens, transforming the tokens into log vectors associated with a metric space, performing dimensionality reduction on the metric space to project the metric space into a lower dimensional sub-space, storing similarity distances between respective pairs of the log vectors, and in response to receiving a query associated with a query log message for reducing operational inefficiencies of the one or more computer system components, employing the similarity distances to retrieve one or more similar log messages corresponding to the query log message for reducing the operational inefficiencies of the one or more computer system components.

Abstract: A computer-implemented method for employing deep learning for time series representation and retrieval is presented. The method includes retrieving multivariate time series segments from a plurality of sensors, storing the multivariate time series segments in a multivariate time series database constructed by a sliding window over a raw time series of data, applying an input attention based recurrent neural network to extract real value features and corresponding hash codes, executing similarity measurements by an objective function, given a query, obtaining a relevant time series segment from the multivariate time series segments retrieved from the plurality of sensors, and generating an output including a visual representation of the relevant time series segment on a user interface.