Patents by Inventor LuAn Tang

LuAn Tang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10367842
    Abstract: Systems and methods for determining a risk level of a host in a network include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined. An anomaly score for the target host is determined based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: July 30, 2019
    Assignee: NEC Corporation
    Inventors: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
  • Patent number: 10367838
    Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network event does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.
    Type: Grant
    Filed: February 6, 2017
    Date of Patent: July 30, 2019
    Assignee: NEC Corporation
    Inventors: Zhengzhang Chen, LuAn Tang, Guofei Jiang, Kenji Yoshihira, Haifeng Chen
  • Patent number: 10333815
    Abstract: A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: June 25, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Zhengzhang Chen, Haifeng Chen, Kenji Yoshihira, Guofei Jiang
  • Patent number: 10333952
    Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.
    Type: Grant
    Filed: October 10, 2017
    Date of Patent: June 25, 2019
    Assignee: NEC Corporation
    Inventors: Zhengzhang Chen, LuAn Tang, Ying Lin, Zhichun Li, Haifeng Chen, Guofei Jiang
  • Patent number: 10305917
    Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: May 28, 2019
    Assignee: NEC Corporation
    Inventors: Zhengzhang Chen, LuAn Tang, Boxiang Dong, Guofei Jiang, Haifeng Chen
  • Patent number: 10298607
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: May 21, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Patent number: 10291483
    Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and model respective pairs of the entities for compatibility according to the embedding of the entities to form a pairwise interaction for the respective pairs of the entities. The processor is additionally configured to weigh the pairwise interaction of different ones of the respective pairs of the entities based on one or more compatibility criteria to generate a probability of an occurrence of an anomaly and alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.
    Type: Grant
    Filed: February 8, 2017
    Date of Patent: May 14, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Zhengzhang Chen, Kai Zhang, Haifeng Chen, Zhichun Li
  • Patent number: 10289841
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: May 14, 2019
    Assignee: NEC Corporation
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20190121969
    Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, automatically analyzing the alerts, in real-time, by using a graph-based alert interpretation engine employing process-star graph models, retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation, and integrating the cause of the alerts, the aftermath of the alerts, and the baselines to output an alert interpretation graph to a user interface of a user device.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 25, 2019
    Inventors: LuAn Tang, Zhengzhang Chen, Zhichun Li, Zhenyu Wu, Jumpei Kamimura, Haifeng Chen
  • Publication number: 20190121970
    Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, employing an alert interpretation module to interpret the alerts in real-time, matching problematic entities to the streaming data, retrieving following events, and generating an aftermath graph on a visualization component.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 25, 2019
    Inventors: LuAn Tang, Zhengzhang Chen, Zhichun Li, Zhenyu Wu, Jumpei Kamimura, Haifeng Chen
  • Publication number: 20190121971
    Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, and employing an alert interpretation module to interpret the alerts in real-time, the alert interpretation module including a process-star graph constructor for retrieving relationships from the streaming data to construct process-star graph models and an alert cause detector for analyzing the alerts based on the process-star graph models to determine an entity that causes an alert.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 25, 2019
    Inventors: LuAn Tang, Zhengzhang Chen, Zhichun Li, Zhenyu Wu, Jumpei Kamimura, Haifeng Chen
  • Publication number: 20190050561
    Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.
    Type: Application
    Filed: June 12, 2018
    Publication date: February 14, 2019
    Inventors: Ding Li, Kangkook Jee, Zhengzhang Chen, LuAn Tang, Zhichun Li
  • Publication number: 20180364655
    Abstract: A computer-implemented method, system, and computer program product are provided for anomaly detection. The method includes receiving, by a processor, sensor data from a plurality of sensors in a system. The method also includes generating, by the processor, a relationship model based on the sensor data. The method additionally includes updating, by the processor, the relationship model with new sensor data. The method further includes identifying, by the processor, an anomaly based on a fused single-variant time series fitness score in the relationship model. The method also includes controlling an operation of a processor-based machine to change a state of the processor-based machine, responsive to the anomaly.
    Type: Application
    Filed: June 15, 2018
    Publication date: December 20, 2018
    Inventors: Tan Yan, Haifeng Chen, LuAn Tang
  • Publication number: 20180351971
    Abstract: A computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning is presented. The computer-implemented method includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.
    Type: Application
    Filed: August 6, 2018
    Publication date: December 6, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Zhichun Li, Chen Luo
  • Publication number: 20180183824
    Abstract: Systems and methods for determining a risk level of a host in a network include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined. An anomaly score for the target host is determined based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.
    Type: Application
    Filed: February 22, 2018
    Publication date: June 28, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
  • Publication number: 20180183680
    Abstract: Methods and systems for modeling host behavior in a network include determining a first probability function for observing each of a set of process-level events at a first host based on embedding vectors for the first event and the first host. A second probability function is determined for the first host issuing each of a set of network-level events connecting to a second host based on embedding vectors for the first host and the second host. The first and second probability functions are maximized to determine a set of likely process-level and network-level events for the first host. A security action is performed based on the modeled host behavior.
    Type: Application
    Filed: February 22, 2018
    Publication date: June 28, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
  • Publication number: 20180183681
    Abstract: Methods and systems for detecting a host community include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are found by determining a distance in a latent space that embeds the historical events between events of the target host and events of the one or more original peer hosts. A security management action is performed based on behavior of the target host and the determined one or more original peer hosts.
    Type: Application
    Filed: February 22, 2018
    Publication date: June 28, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Zhichun Li, Cheng Cao
  • Publication number: 20180137001
    Abstract: A method is provided that includes transforming training data into a neural network based learning model using a set of temporal graphs derived from the training data. The method includes performing model learning on the learning model by automatically adjusting learning model parameters based on the set of the temporal graphs to minimize differences between a predetermined ground-truth ranking list and a learning model output ranking list. The method includes transforming testing data into a neural network based inference model using another set of temporal graphs derived from the testing data. The method includes performing model inference by applying the inference and learning models to test data to extract context features for alerts in the test data and calculate a ranking list for the alerts based on the extracted context features. Top-ranked alerts are identified as critical alerts. Each alert represents an anomaly in the test data.
    Type: Application
    Filed: November 13, 2017
    Publication date: May 17, 2018
    Inventors: Bo Zong, LuAn Tang, Qi Song, Biplob Debnath, Hui Zhang, Guofei Jiang
  • Publication number: 20180048667
    Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 15, 2018
    Inventors: LuAn Tang, Hengtong Zhang, Zhengzhang Chen, Bo Zong, Zhichun Li, Guofei Jiang, Kenji Yoshihira
  • Publication number: 20180034836
    Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.
    Type: Application
    Filed: October 10, 2017
    Publication date: February 1, 2018
    Inventors: Zhengzhang Chen, LuAn Tang, Ying Lin, Zhichun Li, Haifeng Chen, Guofei Jiang