Abstract: Methods and systems for training a model include distinguishing hidden states of a monitored system based on condition information. An encoder and decoder are generated for each respective hidden state using forward and backward autoencoder losses. A hybrid hidden state is determined for an input sequence based on the hidden states. The input sequence is reconstructed using the encoders and decoders and the hybrid hidden state. Parameters of the encoders and decoders are updated based on a reconstruction loss.

Abstract: A computer-implemented method for simulating vehicle data and improving driving scenario detection is provided.

Abstract: Methods and systems for allocating network resources responsive to network traffic include modeling spatial correlations between fine spatial granularity traffic and coarse spatial granularity traffic for different sites and regions to determine spatial feature vectors for one or more sites in a network. Temporal correlations at a fine spatial granularity are modeled across multiple temporal scales, based on the spatial feature vectors. Temporal correlations at a coarse spatial granularity are modeled across multiple temporal scales, based on the spatial feature vectors. A traffic flow prediction is determined for the one or more sites in the network, based on the temporal correlations at the fine spatial granularity and the temporal correlations at the coarse spatial granularity. Network resources are provisioned at the one or more sites in accordance with the traffic flow prediction.

Abstract: A method for detecting an origin of a computer attack given a detection point based on multi-modality data is presented. The method includes monitoring a plurality of hosts in different enterprise system entities to audit log data and metrics data, generating causal dependency graphs to learn statistical causal relationships between the different enterprise system entities based on the log data and the metrics data, detecting a computer attack by pinpointing attack detection points, backtracking from the attack detection points by employing the causal dependency graphs to locate an origin of the computer attack, and analyzing computer attack data resulting from the backtracking to prevent present and future computer attacks.

Abstract: A method for employing root cause analysis is presented. The method includes embedding, by an embedding layer, a sequence of events into a low-dimension space, employing a feature extractor and representation learner to convert log data from the sequence of events to time series data, the feature extractor including an auto-encoder model and a language model, and detecting root causes of failure or fault activities from the time series data.

Abstract: A method for detecting pod and node candidates from cloud computing systems representing potential root causes of failure or fault activities is presented. The method includes collecting, by a monitoring agent, multi-modality data including key performance indicator (KPI) data, metrics data, and log data, employing a feature extractor and representation learner to convert the log data to time series data, applying a metric prioritizer based on extreme value theory to prioritize metrics for root cause analysis and learn an importance of different metrics, ranking root causes of failure or fault activities by using a hierarchical graph neural network, and generating one or more root cause reports outlining the potential root causes of failure or fault activities.

Abstract: Methods and systems for anomaly correction include detecting an anomaly in a time series of categorical data values generated by a sensor, displaying a visual depiction of an anomalous time series, corresponding to the detected anomaly, on a user interface with a visual depiction of an expected normal behavior to contrast to the anomalous time series, and performing a corrective action responsive to the displayed detected anomaly. Detecting the anomaly includes framing the time series with a sliding window, generating a histogram for the categorical data values using a histogram template, generating an anomaly score for the time series using an anomaly detection histogram model on the generated histogram, and comparing the anomaly score to an anomaly threshold.

Abstract: Methods and systems for anomaly detection include training an anomaly detection histogram model using historical categorical value data. Training the anomaly detection histogram model includes generating a histogram template based on historical categorical data, converting the historical categorical data to a histogram using the histogram template, and determining a normal range and anomaly threshold for the categorical data using the histogram.

Abstract: Methods and systems for anomaly detection include determining whether a system is in a stable state or a dynamic state based on input data from one or more sensors in the system, using reconstruction errors from a respective stable model and dynamic model. It is determined that the input data represents anomalous operation of the system, responsive to a determination that the system is in a stable state, using the reconstruction errors. A corrective operation is performed on the system responsive to a determination that the input data represents anomalous operation of the system.

Abstract: Methods and systems for optimizing performance of a cyber-physical system include training a machine learning model, according to sensor data from the cyber-physical system, to generate one or more parameters for controllable sensors in the cyber-physical system that optimize a performance indicator. New sensor data is collected from the cyber-physical system. One or more parameters for the controllable sensors are generated using the trained machine learning module and the new sensor data. The one or more parameters are applied to the controllable sensors to optimize the performance of the cyber-physical system.

Abstract: Systems and methods for defect detection for vehicle operations, including collecting a multiple modality input data stream from a plurality of different types of vehicle sensors, extracting one or more features from the input data stream using a grid-based feature extractor, and retrieving spatial attributes of objects positioned in any of a plurality of cells of the grid-based feature extractor. One or more anomalies are detected based on residual scores generated by each of cross attention-based anomaly detection and time-series-based anomaly detection. One or more defects are identified based on a generated overall defect score determined by integrating the residual scores for the cross attention-based anomaly detection and the time-series based anomaly detection being above a predetermined defect score threshold. Operation of the vehicle is controlled based on the one or more defects identified.

Abstract: A computer-implemented method for multi-model representation learning is provided. The method includes encoding, by a trained time series (TS) encoder, an input TS segment into a TS-shared latent representation and a TS-private latent representation. The method further includes generating, by a trained text generator, a natural language text that explains the input TS segment, responsive to the TS-shared latent representation, the TS-private latent representation, and a text-private latent representation.

Abstract: Systems and methods for data fusion and analysis of vehicle sensor data, including receiving a multiple modality input data stream from a plurality of different types of vehicle sensors, determining latent features by extracting modality-specific features from the input data stream, and aligning a distribution of the latent features of different modalities by feature-level data fusion. Classification probabilities can be determined for the latent features using a fused modality scene classifier. A tree-organized neural network can be trained to determine path probabilities and issue driving pattern judgments, with the tree-organized neural network including a soft tree model and a hard decision leaf. One or more driving pattern judgments can be issued based on a probability of possible driving patterns derived from the modality-specific features.

Abstract: Systems and methods for predicting system device failure are provided. The method includes representing device failure related data associated with the devices from a predetermined domain by temporal graphs for each of the devices. The method also includes extracting vector representations based on temporal graph features from the temporal graphs that capture both temporal and structural correlation in the device failure related data. The method further includes predicting, based on the vector representations and device failure related metrics in the predetermined domain, one or more of the devices that is expected to fail within a predetermined time.

Abstract: Methods and systems for detecting and responding to anomalous nodes in a network include inferring temporal factors, using a computer-implemented neural network, that represent changes in a network graph across time steps, with a temporal factor for each time step depending on a temporal factor for a previous time step. An invariant factor is inferred that represents information about the network graph that does not change across the time steps. The temporal factors and the invariant factor are combined into a combined temporal-invariant representation. It is determined that an unlabeled node is anomalous, based on the combined temporal-invariant representation. A security action is performed responsive to the determination that unlabeled node is anomalous.

Abstract: A computer-implemented method for efficient and scalable enclave protection for machine learning (ML) programs includes tailoring at least one ML program to generate at least one tailored ML program for execution within at least one enclave, and executing the at least one tailored ML program within the at least one enclave.

Abstract: Systems and methods for implementing dynamic graph analysis (DGA) to detect anomalous network traffic are provided. The method includes processing communications and profile data associated with multiple devices to determine dynamic graphs. The method includes generating features to model temporal behaviors of network traffic generated by the multiple devices based on the dynamic graphs. The method also includes formulating a list of prediction results for sources of the anomalous network traffic from the multiple devices based on the temporal behaviors.

Abstract: Systems and methods for implementing sequence data based temporal behavior analysis (SDTBA) to extract features for characterizing temporal behavior of network traffic are provided. The method includes extracting communication and profile data associated with one or more devices to determine sequences of data associated with the devices. The method includes generating temporal features to model anomalous network traffic. The method also includes inputting, into an anomaly detection process for anomalous network traffic, the temporal features and the sequences of data associated with the devices and formulating a list of prediction results of anomalous network traffic associated with the devices.

Abstract: A method for vehicle fault detection is provided. The method includes training, by a cloud module controlled by a processor device, an entity-shared modular and a shared modular connection controller. The entity-shared modular stores common knowledge for a transfer scope, and is formed from a set of sub-networks which are dynamically assembled for different target entities of a vehicle by the shared modular connection controller. The method further includes training, by an edge module controlled by another processor device, an entity-specific decoder and an entity-specific connection controller. The entity-specific decoder is for filtering entity-specific information from the common knowledge in the entity-shared modular by dynamically assembling the set of sub-networks in a manner decided by the entity specific connection controller.

Abstract: A computer-implemented method for implementing protocol-independent anomaly detection within an industrial control system (ICS) includes implementing a detection stage, including performing byte filtering using a byte filtering model based on at least one new network packet associated with the ICS, performing horizontal detection to determine whether a horizontal constraint anomaly exists in the at least one network packet based on the byte filtering and a horizontal model, including analyzing constraints across different bytes of the at least one new network packet, performing message clustering based on the horizontal detection to generate first cluster information, and performing vertical detection to determine whether a vertical anomaly exists based on the first cluster information and a vertical model, including analyzing a temporal pattern of each byte of the at least one new network packet.