Yizheng Y Zhou

US Patent:

20100011031, Jan 14, 2010

Filed:

Sep 4, 2009

Appl. No.:

12/554541

Inventors:

Wei Huang - Fremont CA, US
Yizheng Zhou - Cupertino CA, US
Bin Yu - San Ramon CA, US
Wenting Tang - Sunnyvale CA, US
Christian F. Beedgen - Cupertino CA, US

Assignee:

ARCSIGHT, INC. - Cupertino CA

International Classification:

G06F 17/30
G06F 9/44

US Classification:

707202, 719318, 707E17007

Abstract:

A logging system includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a column-based data “chunk.” The manager receives and stores chunks. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. Each buffer is associated with a particular event field and includes values from that field from one or more events. The metadata includes, for each “field of interest,” a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk is generated for each buffer and includes the metadata structure and a compressed version of the buffer contents. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.

US Patent:

20130073573, Mar 21, 2013

Filed:

Jun 10, 2011

Appl. No.:

13/699953

Inventors:

Wei Huang - Fremont CA, US
Yizheng Zhou - Cupertino CA, US
Bin Yu - San Ramon CA, US

International Classification:

G06F 17/30

US Classification:

707755, 707774, 707E17014

Abstract:

A query pipeline is created () from a query request. The query pipeline includes multiple query operations including multiple query operators. A first query operator and a second query operator perform first and second query operations on a database () and on data outside the database (). A result from the first query operation in the query pipeline is fed to the second query operation in the query pipeline.

US Patent:

20200322363, Oct 8, 2020

Filed:

Apr 2, 2020

Appl. No.:

16/838991

Inventors:

- Redwood City CA, US
Yizheng Zhou - San Mateo CA, US
Peizhou Guo - Cupertino CA, US
Mohsen Imani - Redwood City CA, US

International Classification:

H04L 29/06
H04L 29/08
H04L 12/26
G06F 16/22

Abstract:

A system and a method are disclosed for describing a mechanism for tracking malicious activity detected on a network. For example, based on network data collected from a server, the disclosed system may detect malicious activity originating from a client device directed to the server. To detect the malicious activity, network data may be captured by the server and analyzed. When malicious activity is detected, the system may track the malicious activity, using the network data, to an earliest connection date of a client device from where the malicious activity potentially originated. The earliest connection date may indicate a potential start date of the malicious activity

US Patent:

20190319975, Oct 17, 2019

Filed:

Apr 17, 2019

Appl. No.:

16/387027

Inventors:

- Redwood City CA, US
Yizheng Zhou - Cupertino CA, US
Hugh Seretse Njemanze - Redwood City CA, US
Zhong Deng - San Jose CA, US

International Classification:

H04L 29/06
G06F 16/906
G06F 16/28

Abstract:

A universal link to extract and classify log data is disclosed. In various embodiments, a set of candidate data values that match a top level pattern that is common to two or more types of data value of interest is identified. The candidate data values are processed through a plurality of successive filtering stages, each stage of which includes determining which, if any, of said candidates match a more specific pattern associated more specifically with a specific data value type. Candidates, if any, which match the more specific pattern are classified as being of a corresponding specific data type and are removed from the set of candidate data values. A structured data record that associates each candidate data value determined to be of a corresponding one of said types of data value of interest with said corresponding one of said types of data value of interest is generated and stored.

US Patent:

20190158514, May 23, 2019

Filed:

Jan 23, 2019

Appl. No.:

16/255708

Inventors:

- Redwood City CA, US
Yizheng Zhou - Cupertino CA, US
Hugh Njemanze - Redwood City CA, US

International Classification:

H04L 29/06
G06F 21/55
G06F 21/62

Abstract:

A security monitoring system operated by a downstream client continually collects event information indicating events that have occurred within the computing environment of the downstream client. The monitoring system, using software provided by a threat analytics system, aggregates the event information into a secure and space efficient data structure. The monitoring system transmits the data structures storing event information to the threat analytics system for further processing. The threat analytics system also receives threat indicators from intelligence feed data sources. The threat analytics system compares the event information received from each security monitoring system against the threat indicators collected from the intelligence feed data sources to identify red flag events. The threat analytics system processes the event information to synthesize all information related to the red flag event and reports the red flag event to the downstream client.

US Patent:

20180109550, Apr 19, 2018

Filed:

Oct 19, 2016

Appl. No.:

15/298150

Inventors:

- Redwood City CA, US
Yizheng Zhou - Cupertino CA, US
Hugh Seretse Njemanze - Redwood City CA, US
Zhong Deng - San Jose CA, US

International Classification:

H04L 29/06
G06F 17/30

Abstract:

A universal link to extract and classify log data is disclosed. In various embodiments, a set of candidate data values that match a top level pattern that is common to two or more types of data value of interest is identified. The candidate data values are processed through a plurality of successive filtering stages, each stage of which includes determining which, if any, of said candidates match a more specific pattern associated more specifically with a specific data value type. Candidates, if any, which match the more specific pattern are classified as being of a corresponding specific data type and are removed from the set of candidate data values. A structured data record that associates each candidate data value determined to be of a corresponding one of said types of data value of interest with said corresponding one of said types of data value of interest is generated and stored.

US Patent:

20170149802, May 25, 2017

Filed:

Nov 19, 2015

Appl. No.:

14/946088

Inventors:

- Redwood City CA, US
Yizheng Zhou - Cupertino CA, US
Hugh Njemanze - Redwood City CA, US

International Classification:

H04L 29/06
G06F 21/14

Abstract:

A threat analytics system expends significant resources to acquire, structure, and filter the threat indicators provided to the client-side monitoring systems. To protect the threat indicators from misuse, the threat analytics system only provides enough information about the threat indicators to the client-side systems to allow the client-side systems to detect past and ongoing threats. Specifically, the threat analytics system provides obfuscated threat indicators to the client-side monitoring systems. The obfuscated threat indicators enable the client-side systems to detect threats while protecting the threat indicators from misuse or malicious actors.

US Patent:

20160226895, Aug 4, 2016

Filed:

Jan 26, 2016

Appl. No.:

15/007131

Inventors:

- REDWOOD CITY CA, US
YIZHENG ZHOU - CUPERTINO CA, US
HUGH NJEMANZE - REDWOOD CITY CA, US

International Classification:

H04L 29/06

Abstract:

A security monitoring system operated by a downstream client continually collects event information indicating events that have occurred within the computing environment of the downstream client. The monitoring system, using software provided by a threat analytics system, aggregates the event information into a secure and space efficient data structure. The monitoring system transmits the data structures storing event information to the threat analytics system for further processing. The threat analytics system also receives threat indicators from intelligence feed data sources. The threat analytics system compares the event information received from each security monitoring system against the threat indicators collected from the intelligence feed data sources to identify red flag events. The threat analytics system processes the event information to synthesize all information related to the red flag event and reports the red flag event to the downstream client.