JP2020160618A - Determination device and determination method and determination program - Google Patents

Abstract

To make it possible to perform both unsupervised and semi-supervised error detection without considering a predetermined preconditions for input data for training with SOM.SOLUTION: A determination device 10 has a learning part 122 and a determination part 123. The learning part 122 obtains a threshold of these outliers from a distribution of a quantization error between a representative vector of an output layer of the SOM and the input data obtained by inputting input data into the SOM that has been unsupervised and trained, and from a value of a neighborhood distance of the representative vector generates a plurality of thresholds by combining the obtained thresholds. The determination part 123 inputs the vector data to be determined into the SOM, calculates the quantization error of the vector data to be determined, and compares the quantization error with at least one of the plurality of thresholds to determine anomalies in the vector data to be determined.SELECTED DRAWING: Figure 5

Description

The present invention relates to a determination device, a determination method, and a determination program.

Self-organizing map (SOM) is one of the clustering methods by machine learning in the technical field of data analysis (see, for example, Non-Patent Document 1). Clustering is also referred to as cluster analysis or cluster analysis.

Here, clustering is one of the analysis methods of multivariate data composed of a plurality of variables. Multivariates are generally represented by multidimensional vectors. Hereinafter, the multivariate is referred to as a vector. Then, clustering is a method of classifying a vector into several groups, that is, clusters, using only the characteristics of the value of the vector, assuming that the type of each vector is unknown without giving a label in advance. The label is information used as a reference for classifying the multivariate data to be analyzed.

Such a machine learning method for classifying data without prior knowledge is called unsupervised learning. On the other hand, a method in which data is labeled according to an external standard in advance and then the classification standard is separately learned so as to conform to the classification indicated by the label is called supervised learning.

SOM is a type of neural network that performs unsupervised learning. In general, a neural network is a computational model that simulates some functional characteristics found in the human brain on a computer.

SOM is a two-layer neural network composed of an input layer and an output layer. SOM is a method of nonlinearly mapping input data, which is a multivariate n-dimensional vector, to an output layer, which is a model of a low-dimensional (usually two-dimensional) lattice structure, while performing vector quantization.

Here, vector quantization means collecting a plurality of different input data and replacing them with a vector representing one representative value for output. The number of output vectors replaced by quantization is less than the number of input data vectors. That is, if the input data is composed of N n-dimensional vectors, the output is K n-dimensional vectors (K <N).

The procedure of vector quantization is as follows. First, N input vectors are classified into K clusters. Next, one vector representing the cluster, called a "representative vector", is assigned to each of the K clusters. There are various methods for determining the representative vector, and SOM is positioned as one of those determination methods. According to such a procedure, vector quantization is performed by replacing N input vectors with K representative vectors.

In SOM, the representative vector output by vector quantization is arranged at each grid point of the output layer. In a typical two-dimensional SOM, the output layer is a two-dimensional grid consisting of K grid points. For example, in two-dimensional Cartesian coordinates consisting of the x-axis and the y-axis, if the number of grid points on the x-axis is X and the number of grid points on the y-axis is Y, the number K of the grid points in the output layer is K =. X × Y.

Further, in SOM, representative vectors having similar characteristics are arranged on the output layer at lattice points (hereinafter referred to as nodes) that are close in distance. Euclidean distance is usually used to calculate the distance between vectors. Due to the characteristics of this SOM, the SOM can be divided into several clusters on the output layer by grouping representative vectors having similar characteristics, that is, representative vectors having a short relative Euclidean distance.

Like general machine learning, SOM has two processing phases, a learning phase and a mapping phase. In the learning phase, while performing vector quantization using input data, competitive learning is repeatedly performed to construct an output layer. In the learning phase, the input data is used to build a model of a two-layer neural network consisting of an input layer and an output layer. On the other hand, in the mapping phase, the input data is mapped from the input layer to the output layer using the model constructed in the learning phase. In the mapping phase, the input data is mapped to one representative vector on the output layer and classified by a cluster of representative vectors.

Next, an abnormality determination method using SOM will be described. There are roughly two types of abnormality determination methods using SOM: an abnormality determination method based on unsupervised learning and an abnormality determination method based on semi-supervised learning (see, for example, Non-Patent Document 2).

As the first method, an abnormality determination method by unsupervised learning will be described. In the abnormality determination by unsupervised learning, it is necessary that all the data to be clustered, that is, the input data is given in advance at the time of starting the learning. Furthermore, in the first method, it is necessary to make the assumption that the majority of the input data is normal. Under these conditions and assumptions, in the first method, data that seems to hardly match the majority of the input data is extracted from the input data by using a clustering method.

In the abnormality determination by unsupervised learning using SOM, first, in the learning phase, a model of SOM is constructed using the input data.

Next, in the abnormality determination by unsupervised learning using SOM, clustering is performed on the representative vector of the output layer of the model obtained by the learning. Then, in the abnormality determination by unsupervised learning using SOM, a set of clusters in which the majority of the input data is mapped is specified from among the clusters of a plurality of representative vectors obtained as a result of clustering. This is a process for identifying a cluster corresponding to "normal".

Subsequently, in the anomaly determination by unsupervised learning using SOM, the relative distance from the set of clusters in which a small number of input data is mapped from the remaining clusters and the majority of the input data is mapped is the largest. Identify distant clusters. Then, in the abnormality determination by unsupervised learning using SOM, the cluster of the representative vector is regarded as "abnormal". This is a process for identifying the cluster corresponding to the "abnormality".

Then, in the abnormality judgment by unsupervised learning using SOM, it is possible to extract the data judged to be abnormal from the input data by specifying the input data mapped to the cluster classified as "abnormal". Yes (see, for example, Non-Patent Document 3).

In addition, as a second method, an abnormality determination method based on semi-supervised learning will be described. In the abnormality judgment by semi-supervised learning, input data corresponding to normal, which is labeled in advance by an external standard, is required. This second method is called semi-supervised learning because learning is performed using half of normal data and abnormal data, that is, some labeled data. Under this condition, in the abnormality determination by semi-supervised learning, abnormal data that does not match the normal data can be identified by machine learning only the input data corresponding to the normal.

Specifically, in the abnormality determination by semi-supervised learning, in the learning phase, the learner performs learning to determine a multidimensional boundary surface estimated to be a normal region from the input data. Next, in the abnormality determination by semi-supervised learning, in the determination phase, new determination target data is input to the learning device that has completed learning. Here, if the learner determines that the new input data is inside the boundary of the normal region, it becomes normal, and if it is determined that the new input data is outside the boundary, it becomes abnormal.

In the abnormality determination by semi-supervised learning using SOM, the SOM model is constructed in the learning phase using the input data as in the first method. In the abnormality determination by semi-supervised learning using SOM, all the input data are data corresponding to normal, and by learning, some input data is mapped to one node with an output layer. Here, in SOM, all the input data is always mapped to one of the representative vectors, but conversely, there is a node in the output layer having a representative vector in which no input data is mapped.

Therefore, in the abnormality determination by semi-supervised learning using SOM, nodes in which input data corresponding to normal is mapped and nodes in which nothing is mapped are distributed in the output layer of SOM after learning. As a result, in the abnormality determination by semi-supervised learning using SOM, the boundary surface of the region presumed to be normal on the output layer can be determined.

In order to determine abnormal input data in the mapping phase of SOM using the existing method, the quantization error between the representative vector of the output layer on which the data to be determined is mapped and the input data, that is, two vectors Calculate the Euclidean distance between. Then, in the abnormality determination by semi-supervised learning using SOM, when the value is larger than the threshold value set separately in advance, the input data is determined to be outside the normal region and is determined to be abnormal. Further, in the abnormality determination by semi-supervised learning using SOM, it can be determined that the input data is abnormal even when the input data corresponding to the normal is mapped to a node on which no mapping is performed (see, for example, Non-Patent Document 4). ..

Self-Organizing Map, T. Kohonen (Author), Masaaki Ohkita (Supervised), Maruzen Publishing; Revised Edition (2016/2/1), ISBN-10: 4621065513, ISBN-13: 978-4621065518, pp.60- 62, 111-117. Victoria J., Hodge and Jim Austin, “A Survey of Outlier Detection Methodologies”, Artificial Intelligence Review, 22: 2004, 2004. M. Almi'ani, AA Ghazleh, A. Al-Rahayfeh and A. Razaque, “Intelligent Intrusion Detection System Using Clustered Self Organized Map”, 2018 Fifth International Conference on Software Defined Systems (SDS), Barcelona, 2018, pp. 138 -144. Albert J. Hoglund, Kimmo Hatonen, and Antti S. Sorvari, “A COMPUTER HOST-BASED USER ANOMALY DETECTION SYSTEM USING THE SELF-ORGANIZING MAP”, Neural Networks, 2000. IJCNN 2000, Proceedings of the IEEE-INNS-ENNS International Joint Conference on. Vol. 5. IEEE, 2000.

In this way, there are roughly two types of abnormality judgment methods using SOM: an abnormality judgment method based on unsupervised learning and an abnormality judgment method based on semi-supervised learning, and there are methods for classifying data into normal and abnormal, respectively. different. At this time, the following problems occur in the existing abnormality determination methods.

The first problem will be explained. In the anomaly determination method by unsupervised learning, it is necessary that all the input data is given in advance at the time of starting learning. Therefore, in the anomaly determination method by unsupervised learning, when new input data is generated after learning, it is necessary to redo the learning using all the input data. In particular, in the abnormality judgment of the communication network, the data related to the communication to be judged is dynamically generated with the passage of time and the input data increases, so that the learning cannot be completed by the abnormality judgment method by unsupervised learning. The problem occurs.

In addition, in the anomaly determination method by unsupervised learning, it is necessary to hold the assumption that the majority of the input data is normal. However, it is generally difficult in the real world to confirm the distribution of input data types in advance without pre-labeling them by an external standard as in supervised learning. For this reason, unless the tendency that the majority of the input data is normal cannot be grasped by separate empirical analysis or the like, there arises a problem that the accuracy of abnormality determination by the abnormality determination method by unsupervised learning does not become very high.

Furthermore, as a problem of the judgment mechanism of the abnormality judgment method by unsupervised learning, if the input data contains almost the same number of normal and abnormal data, it is possible to identify the cluster that occupies the majority in the input data. There is a problem that the abnormality cannot be determined because it cannot be determined.

Next, the second problem will be described. In the abnormality determination method by semi-supervised learning, it is not necessary that all the input data is given at the time of starting the learning, but all the data input to the learning need to be the data corresponding to normal. Therefore, in the abnormality determination method by semi-supervised learning, it is necessary to classify the input data in advance according to an external standard separately from the learning device. However, in the anomaly determination method based on semi-supervised learning, there is a possibility that data corresponding to anomalies may be mixed in the input data for learning when there is no clear external classification standard of normality and anomaly. In this way, in the abnormality judgment method by semi-supervised learning, if the preconditions cannot be completely satisfied, abnormal data is also learned as normal, so that there is a problem that the judgment accuracy is lowered. ..

Furthermore, in the semi-supervised learning anomaly determination method, normality and anomaly are determined between the quantization error between the representative vector of the output layer on which the data to be determined is mapped and the input data, and a preset threshold value. Compare the size of. For this reason, in the anomaly determination method based on semi-supervised learning, a human must determine a threshold value by some means in advance and give it in order to make a determination.

Here, in the anomaly determination method by semi-supervised learning, since this threshold value is the quantization error of the multivariate input vector, if there is no information on the output layer of SOM obtained as a result of learning, an appropriate threshold value is obtained. There is a problem that it is usually not possible to determine. Therefore, in the anomaly determination method based on semi-supervised learning, a human must adjust the threshold value by trial and error to find an appropriate value. However, such adjustment is difficult without prior knowledge of the SOM output layer and abnormality determination. Further, since the threshold value is a real number that takes a continuous value and can be set arbitrarily, there is a problem that the validity of the result of the abnormality determination using the optimum threshold value and the threshold value cannot be determined.

As described above, the first cause of the first problem is that the anomaly determination method by unsupervised learning cannot handle input data that increases with time, such as communication data. The second cause of the first problem is that there is no means to confirm the distribution of normal and abnormal contents contained in the input data in advance for the dynamically generated input data.

In addition, as the first cause of the second problem, in the abnormality judgment method by semi-supervised learning, when data corresponding to an abnormality is mixed in the input data for learning, there is a means for distinguishing the mixed data. There is no such thing. The second cause of the second problem is that in the semi-supervised learning abnormality determination method, there is no means for automatically adjusting and setting the threshold value, which is the abnormality determination criterion, without human intervention. Be done.

The present invention has been made in view of the above, and is a property of both unsupervised learning and semi-supervised learning without considering predetermined conditions for input data for learning using SOM. It is an object of the present invention to provide a determination device, a determination method, and a determination program capable of performing an abnormality determination having both.

In order to solve the above-mentioned problems and achieve the object, the determination device of the present invention includes an acquisition unit that performs statistical processing on the copied communication data or numerical data of communication and acquires vector data of multivariate variables. After performing unsupervised learning by SOM using the vector data to be learned as input data, the input data is input again to the learned SOM, and the quantization between the representative vector of the output layer of the SOM and the input data is obtained. The error and the proximity distance of the representative vector are calculated, the thresholds of these deviation values are obtained from the distribution of the quantization error and the near distance value of the representative vector, and the obtained thresholds are combined to generate a plurality of thresholds. The learning unit to be used and the vector data to be judged are input to the SOM, and the quantization error between the representative vector of the output layer on which the vector data to be judged is mapped and the vector data to be judged is calculated and calculated. It is characterized by having a determination unit for determining whether or not the vector data to be determined is abnormal by comparing the quantization error with at least one of a plurality of threshold values.

According to the present invention, it is possible to carry out an abnormality determination having both properties of unsupervised learning and semi-supervised learning without considering predetermined conditions for input data for learning using SOM. It will be possible.

FIG. 1 is a diagram showing an example of an output layer of SOM. FIG. 2 is a diagram showing a positional relationship with a representative vector in the vicinity around the j-th representative vector. FIG. 3 is a diagram showing an example of the U-matrix. FIG. 4 is a diagram illustrating a boxplot. FIG. 5 is a diagram showing an example of the configuration of the communication system according to the embodiment. FIG. 6 is a diagram illustrating a processing flow in the communication system shown in FIG. FIG. 7 is a flowchart showing a processing procedure of the learning process according to the embodiment. FIG. 8 is a flowchart showing a processing procedure of the determination process according to the embodiment. FIG. 9 is a diagram showing an example of a computer in which a determination device is realized by executing a program.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment. Further, in the description of the drawings, the same parts are indicated by the same reference numerals.

[Embodiment]
In the determination device according to the present embodiment, after unsupervised learning by SOM in the learning phase, the quantization error between the representative vector of the output layer of SOM and the input data and the representative in the output layer of SOM. Calculate the neighborhood distance of the vector and calculate the threshold of existing outliers from the distribution of these values. In the learning phase, the determination device according to the present embodiment combines the two threshold values obtained from these to generate a plurality of threshold values for abnormality determination having the properties of unsupervised learning and semi-supervised learning.

Subsequently, the determination device according to the present embodiment inputs the data to be determined to the SOM in the mapping phase, calculates the quantization error of the data to be determined, and the calculated quantization error and a plurality of thresholds. The abnormality of the input data is determined based on the magnitude comparison with at least one of.

As described above, the determination device according to the present embodiment generates a plurality of threshold values for abnormality determination having the properties of unsupervised learning and semi-supervised learning. Then, the determination device according to the present embodiment can perform anomaly determination by combining unsupervised learning and semi-supervised learning by comparing one of the threshold values with the quantization error of the input data.

[Mathematical background]
First, the mathematical background required in the following explanation will be described. FIG. 1 is a diagram showing an example of an output layer of SOM. One hexagon in FIG. 1 represents one representative vector. The representative vectors are arranged in a hexagonal lattice in a two-dimensional space, and the lattice arrangement forms a rectangle as a whole. A square grid can also be selected as the grid shape.

When the representative vector is a hexagonal lattice, there are six lattice points equidistant around one lattice point. In the example of FIG. 1, there are 13 grid points (X) on the horizontal axis (X axis) and 13 grid points (Y) on the vertical axis (Y axis), and the total number of grid points (K) is 169. There are pieces. Counting toward the upper right with the lower left of the array of grid points as the first, the jth representative vector can be represented by m _j (j = 1, 2, ..., K), K = XY. ..

In the present embodiment, in both the learning of SOM and the mapping phase, the upper, lower, left and right boundaries of the lattice arrangement are limited to a toroidal structure that circulates in each of the upper, lower, left and right. That is, learning and mapping are performed by adjoining the upper and lower sides and the left and right sides of the rectangle of the lattice arrangement. Under this condition, there are always 6 grid points in the vicinity of one grid point.

FIG. 1 shows an example of the result of mapping the input data to the output layer using the SOM constructed in the learning phase. The numbers and colors in the hexagon represent the number of mapped input data, and the larger the number of mapped input data, the more red the color. The representative vector in which the number of mapped input data is 0 is shown in gray.

Then, the quantization error d _i between the representative vector of the output layer input data is mapped and the input data _(i = 1, 2, · · ·, N) is represented by the following formula (1) ..

FIG. 2 is a diagram showing a positional relationship with a representative vector in the vicinity around the j-th representative vector. In FIG. 2, the neighborhood distance h _j (j = 1, 2, ..., K) between the central representative vector and the surrounding representative vector is expressed by the following equation (2).

In the case of a hexagonal lattice, there are six representative vectors in the neighborhood, so for the neighborhood distance, calculate the Euclidean distance between the representative vector in the center and each of the six representative vectors, and calculate the average value of them. Obtained by doing.

FIG. 3 is a diagram showing an example of the U-matrix. The U-matrix is a diagram in which the neighborhood distance h _j (j = 1, 2, ..., K) calculated as described above is calculated for all grid points and visualized in shade gradation according to the magnitude of h _j . .. The numbers in the hexagon indicate the value of h _j .

A representative vector in which the value of h _j is large and represented by a dark U-matrix indicates that the distance from the representative vector in the vicinity is large. On the other hand, the representative vector in which the value of h _j is small and represented thinly indicates that the distance is close to the representative vector in the vicinity.

In SOM, representative vectors with similar characteristics are placed at close grid points on the output layer. Therefore, a group of representative vectors having small h _j adjacent to each other (a region of continuous light gradation) can be regarded as forming a cluster of representative vectors. On the other hand, the adjacent representative vectors having a large h _j are relatively separated from the neighboring representative vectors, and can be regarded as isolated from the set of the entire representative vectors of the output layer.

Therefore, the input vector mapped to the representative vector having a large h _j becomes an abnormal cluster that is relatively far from the set of clusters to which the majority of the input data in the anomaly determination method by unsupervised learning is mapped. It can be considered to belong.

FIG. 4 is a diagram illustrating a boxplot. Box plots are one of the simplest outlier detection methods in existence. Box plots are a technique for calculating the threshold of outlier detection boundaries using a summary statistic called a quintuple summary given a distribution of data. The _quintuplet summary of the data distribution consists of five values: Q _0/4 , Q _1/4 , Q _2/4 , Q _3/4 , and Q _4/4 .

_{Q0 / 4} is the minimum value. Q _1/4 is the first lower quartile, and is the value of the data corresponding to 1/4 of the total number of data arranged in ascending order. Q2 _{/ 4} is the median (second quartile, median), which is the value of the data in which the data is arranged in ascending order and corresponds to 1/2 of the total number of data. Q _3/4 is the upper quartile, which is the value of the data in which the data is arranged in ascending order and corresponds to 3/4 of the total number of data. Q4 / ₄ is the maximum value.

When dealing with outliers using a box plot, the upper limit of the whiskers and the lower limit of the whiskers are calculated as in the following equations (3) to (5). IQR is called the interquartile range.

The top value of the whiskers is the maximum value of the given data that is smaller than the upper limit of the whiskers. The lower end value of the whiskers is the minimum value of the given data that is larger than the lower limit of the whiskers.

Determining apparatus according to this embodiment, with respect to box plots, given the quantization error d _i between the representative vector and the input data of SOM output layer, the distribution of the neighborhood distance h _j of the representative vectors, Calculate the value of each "beard edge". Here, d _i and h _j, for a and negative values are not taken distance, the minimum value is 0. In this embodiment, only the top value of the whiskers is calculated.

From the above, the distribution of the near distance h _j of the representative vectors and quantization error d _i, and the upper end value of the maximum value and the whiskers are obtained. In the following description, these are expressed by Dmax (the maximum value of the quantization error _{d i),} Dwhi (beard upper end value of the quantization error _{d i),} Hwhi (beard upper values of the neighboring distance _{h j).}

In the determination device according to the present embodiment, four types of threshold values T1 to T4 for selecting an abnormality determination method are calculated by combining these values and adding them together. The threshold values T1 to T4 are expressed as equations (6) to (9).

Threshold T1 is the maximum value Dmax of the quantization error d _i of the mapping that is obtained by inputting the input data used for learning again for trained SOM. Therefore, when mapping the input data at the time of learning, the quantization error d _i is less than or equal to Dmax. Here, assuming that all the input data at the time of learning correspond normally, the threshold value T1 corresponds to the maximum value of the distance from the mapped representative vector to the boundary surface of the region estimated to be normal. That threshold T1 can be considered to correspond to one of the threshold of the quantization error d _i in the abnormality determination by semi-supervised learning.

Threshold T2 is the upper end value Hwhi beard neighborhood distance _{h j} of the learned SOM. Therefore, when a certain neighborhood distance h _j is larger than Hwhi, the neighborhood distance of the representative vector is an outlier in the distribution of the neighborhood distance h _j , and is considered to be isolated from the set of the entire representative vector of the output layer. Can be done. That is, the threshold value T2 can be regarded as one of the threshold values of the proximity distance h _j of the cluster on which the input data is mapped in the anomaly determination method by unsupervised learning.

The threshold value T3 is a value obtained by adding the threshold value T1 and the threshold value T2. In other words, the threshold value T3 is a value that is a combination of the abnormality determination of the quantization error by semi-supervised learning and the threshold value of the abnormality determination of the representative vector by unsupervised learning.

That is, by using the threshold value T3 which is the sum of the threshold value T1 and the threshold value T2, even if it cannot be completely assumed that all the input data at the time of learning correspond to normal, the element of the abnormality determination method by unsupervised learning is included. However, it becomes possible to determine the threshold value. The threshold value T3 is a method in which each threshold value used in the abnormality determination of semi-supervised learning and unsupervised learning is combined. Threshold T3 is said minute using the maximum value Dmax of the quantization error d _i, is an abnormality determination threshold value close to the threshold (T1) in assumed semi-supervised learning more input data at the time of learning all correspond correctly ..

Threshold T4, instead of the maximum value Dmax of the quantization error _{d i} at the threshold T3, the upper value Dwhi beard quantization error _{d i,} is summed with Hwhi. Simple By using the threshold value T4 using Dwhi, without input data at the time of learning in the threshold T3 is assumed that all corresponding normally, outliers in the distribution of the quantization error d _i, the abnormality determination of the quantization error Can be carried out.

That is, the threshold value T4 is a value that combines the quantization error due to unsupervised learning and the threshold value for determining the abnormality of the representative vector. Similar to the threshold value T3, the threshold value T4 can be determined by including the elements of the abnormality determination method by unsupervised learning even when it cannot be completely assumed that all the input data at the time of learning correspond to normal. .. Threshold T4, the partial use of the upper end value of the beard of the quantization error d _i to the threshold, the bias of distribution of the input data at the time of learning, because the tendency to classify the outliers of the quantization error becomes stronger, more unsupervised It can be said that the threshold value for determining an abnormality is close to the threshold value (T2) in.

In the mapping phase, the determination device according to the present embodiment inputs input data x'that is newly determined to be normal or abnormal to the trained SOM, and calculates the quantization error d'by the following equation (10). Calculate using the formula.

In the anomaly determination method by semi-supervised learning, assuming that all the input data at the time of learning correspond to normal, a node having a representative vector in which no learning data is mapped can be determined to be anomaly. Therefore, in the determination device according to the present embodiment, when the input data x'is mapped to a representative vector in which the input data is not mapped at all (that is, the number of maps is 0) in the learning phase, the quantization error of x'itself By adding the proximity distance of the representative vector of the mapping destination, an abnormality determination that combines unsupervised learning and semi-supervised learning is performed by comparing d'with any of the thresholds T1 to T4.

Specifically, in the determination device according to the present embodiment, whether or not the data x'to be determined is normal is determined as follows. First, in the determination device according to the present embodiment, one threshold value for determination is selected from the threshold values T1 to T4. Let T'be the threshold to be selected. Then, in the determination device according to the present embodiment, the quantization error d'is calculated from the data x'and compared with the threshold value T'. Then, in the determination device according to the present embodiment, the determination is performed as in the equation (11).

[Communication system configuration]
Next, the configuration of the determination device according to the embodiment will be described. FIG. 5 is a diagram showing an example of the configuration of the communication system according to the embodiment. As shown in FIG. 5, the communication system 1 according to the embodiment includes a network device 3 connected to a plurality of computer terminals 2 and a determination device 10 connected to the network device 3.

The network device 3 is one of the network devices constituting the computer network. The network device 3 copies the communication data of the computer terminal 2 and the device connected to the own device as it is, and outputs the copied communication data from another connection port. Alternatively, the network device 3 digitizes the data of the communication performed by the computer terminal 22 or the device connected to the own device, digitizes the data, and outputs the numerical data.

The determination device 10 uses the copied communication data or numerical communication data output by the network device 3 as input data, and executes an abnormality determination by SOM. In the learning phase, the determination device 10 calculates the proximity distance between the quantization error of the input data and the representative vector in the output layer of the SOM after performing unsupervised learning by SOM, and the existing distribution of these values is used as the determination device 10. Calculate the outlier threshold. Then, in the learning phase, the determination device 10 combines the two threshold values obtained from these to generate four types of threshold values for abnormality determination having the properties of unsupervised learning and semi-supervised learning. In the mapping phase, the determination device 10 calculates a quantization error for the data to be determined, and determines an abnormality in the input data based on a magnitude comparison with four types of threshold values.

[Configuration of judgment device]
Next, the configuration of the determination device 10 will be described with reference to FIG. As shown in FIG. 5, the determination device 10 includes a communication unit 11, a control unit 12, a storage unit 13, an input unit 14, and an output unit 15.

The communication unit 11 is a communication interface for transmitting and receiving various information to and from other devices connected via a network or the like. The communication unit 11 is realized by a NIC (Network Interface Card) or the like, and communicates between another device and the control unit 12 (described later) via a telecommunication line such as a LAN (Local Area Network) or the Internet. For example, the communication unit 11 receives the communication data copied by the network device 3 or the numerical data of the communication from the network device 3 via the network. Further, the communication unit 11 transmits the determination result by the SOM by the determination unit 123 (described later) to, for example, another device for coping.

The control unit 12 controls the entire determination device 10. The control unit 12 is, for example, an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). In addition, the control unit 12 has an internal memory for storing programs and control data that define various processing procedures, and executes each process using the internal memory. Further, the control unit 12 functions as various processing units by operating various programs.

The control unit 12 has a statistical processing unit 121 (acquisition unit), a learning unit 122, and a determination unit 123. The processes executed by each functional unit of the control unit 12 include a learning phase in which learning of the SOM model 132 (described later) and calculation of a threshold value are performed, and a mapping phase in which data to be determined is input to the SOM model to perform abnormality determination. It is roughly divided into. The learning unit 122 in the control unit 12 is a functional unit that performs processing in the learning phase. The determination unit 123 is a functional unit that performs a mapping phase.

The statistical processing unit 121 acquires the copied communication data or the numerical data of the communication received from the network device 3. The statistical processing unit 121 performs statistical processing on these data to obtain a vector of multivariate variables. The statistical processing unit 121 stores the statistical data including the acquired vector in the secondary storage area (for example, the statistical data storage unit 131 (described later) of the storage unit 13). Examples of vector variables include packet size, average payload size and coefficient of variation, and coefficient of variation of packet arrival interval time.

The learning unit 122 executes each process of the learning phase described in the mathematical background of the present embodiment. The learning unit 122 reads the vector data to be learned by the statistical data storage unit 131, and uses this vector data as input data to generate an SOM model in which unsupervised learning is performed by SOM. As a unit for generating SOM, it may be generated for each computer terminal 2, or a plurality of computer terminals 2 may be combined.

Then, the learning unit 122 calculates the quantization error between the representative vector and the input data of the output layer of the SOM obtained by inputting the input data into the learned SOM again, and the proximity distance of the representative vector. To do. The learning unit 122 generates thresholds for these outliers from the distribution of the quantization error and the value of the proximity distance of the representative vector. The learning unit 122 combines at least the two thresholds obtained from this calculation to generate a plurality of thresholds T1 to T4. The learning unit 122 sets the SOM model 132, the neighborhood distance data 133 including the neighborhood distance h _j of all the representative vectors, and the threshold data 134 including the thresholds T1 to T4 into a set, and the secondary storage area (storage unit 13). It is stored in the learning data storage unit 130).

The determination unit 123 executes each process of the mapping phase described in the mathematical background of the present embodiment. The determination unit 123 inputs the vector data to be determined to the SOM model, and makes an abnormality determination on the vector data to be determined. Of the vector data stored in the statistical data storage unit 131, the determination unit 123 reads data that is not included in the input data of the learning phase or data that is newly designated to be determined as vector data to be determined.

The determination unit 123 inputs the vector data to be determined to the SOM model 132, and calculates the quantization error d'between the representative vector of the output layer on which the vector data to be determined is mapped and the vector data to be determined. To do. Subsequently, the determination unit 123 compares the quantization error d'with each of the threshold values T1, T2, T3, and T4, and determines whether or not the data to be determined is abnormal.

The determination unit 123 adds the determination result to the data to be determined and stores it in the secondary storage area (determination data storage unit 135 of the storage unit 13). An operator (not shown) may acquire the saved determination result to make a determination such as a countermeasure, or the content may be separately notified as an alarm. Then, based on the content, instruction information for filtering abnormal communication in the network device 3 may be transmitted to the network device 3.

The storage unit 13 is a storage device for an HDD (Hard Disk Drive), an SSD (Solid State Drive), an optical disk, or the like. The storage unit 13 may be a semiconductor memory in which data such as a RAM (Random Access Memory), a flash memory, and an NVSRAM (Non Volatile Static Random Access Memory) can be rewritten. The storage unit 13 stores the OS (Operating System) and various programs executed by the determination device 10. Further, the storage unit 13 stores various information used in executing the program.

The storage unit 13 includes a statistical data storage unit 131, a learning data storage unit 130, and a determination data storage unit 135. The statistical data storage unit 131 stores statistical data including a multivariate variable vector acquired by the statistical processing unit 121 by statistical processing. The learning data storage unit 130 includes the SOM model 132 generated by the learning unit 122, the neighborhood distance data 133 including the neighborhood distance of the representative vector calculated by the learning unit 122, and the thresholds T1 to T4 calculated by the learning unit 122. Contains data 134. The determination data storage unit 135 stores the data to be determined and the determination result by the determination unit 123 in association with each other.

The input unit 14 is an input interface that receives various operations from the operator of the determination device 10. For example, the input unit 14 is composed of an input device such as a touch panel, a voice input device, and a keyboard and a mouse. The input unit 14 receives, for example, a learning phase start instruction, a mapping phase start instruction, and a determination result transmission instruction in response to an operation by the operator.

The output unit 15 is realized by, for example, a display device such as a liquid crystal display, a printing device such as a printer, an information communication device, or the like. The output unit 15 displays, for example, a screen display of the determination result.

[Processing flow]
Next, the processing flow in the communication system 1 will be described. FIG. 6 is a diagram illustrating a processing flow in the communication system 1 shown in FIG.

As shown in FIG. 6, the network device 3 outputs the communication data obtained by copying the communication data performed by the computer terminal 2 or the numerical data of the communication to the statistical processing unit 121 of the determination device 10 ((1) of FIG. 6). reference).

In the determination device 10, the statistical processing unit 121 performs statistical processing on the copied communication data or the numerical data of the communication, acquires the vector data of the multivariate variable, and stores it in the secondary storage area ((2) in FIG. 6). )reference).

The learning unit 122 reads the vector data of the statistical data storage unit 131 as input data (see (3) in FIG. 6). Then, the learning unit 122 generates a SOM model as a result of the processing of the learning phase, calculates the quantization error of the input data and the neighborhood distance h _j of the representative vector, and the threshold value combining the threshold values of these outliers. Calculations of T1 to T4 are performed. Then, the learning unit 122 saves the SOM model 132, the neighborhood distance data 133 including the neighborhood distance h _j of all the representative vectors, and the threshold data 134 including the thresholds T1 to T4 (see (4) in FIG. 6).

Then, the determination unit 123 reads the SOM model 132, the proximity distance h _j of all the representative vectors, and the threshold values T1 to T4 from the secondary storage area (see (5) in FIG. 6). The determination unit 123 reads the vector data to be determined from the secondary storage area (see (6) in FIG. 6).

The determination unit 123 inputs the vector data to be determined to the SOM model 132 and maps it to calculate the quantization error d'. Subsequently, the determination unit 123 compares the magnitude of the quantization error d'with each of the threshold values T1, T2, T3, and T4, and determines whether or not the vector data to be determined is abnormal. The determination unit 123 adds the determination result to the data to be determined and stores it in the secondary storage area (see (7) in FIG. 6).

[Processing procedure of learning process]
Next, the processing procedure of the learning process in the learning phase will be described. FIG. 7 is a flowchart showing a processing procedure of the learning process according to the embodiment.

In the learning phase, the learning unit 122 performs the process shown in FIG. 7 using only the given input data. The learning unit 122 performs unsupervised learning by SOM using the input data (step S1). The learning unit 122 saves the SOM output layer data (step S2). Then, the learning unit 122 calculates the quantization error of the input data (step S6). The learning unit 122 calculates the proximity distance of the representative vector (step S3) and stores it in the storage unit 13 (step S4).

The learning unit 122 calculates the upper end of each whiskers from the distribution of the quantization error and the value of the distance near the representative vector (steps S5 and S7). The learning unit 122 calculates the threshold values T1, T2, T3, and T4 based on the maximum value of the quantization error, the upper end value of the whiskers in the vicinity distance, and the upper end value of the whiskers of the quantization error (step S8). The learning unit 122 stores the calculated threshold values T1, T2, T3, and T4 in the storage unit 13 (step S9), and ends the learning process.

[Judgment processing procedure]
Next, the processing procedure of the determination process in the mapping phase will be described. FIG. 8 is a flowchart showing a processing procedure of the determination process according to the embodiment.

In the mapping phase, the processing shown in FIG. 8 is performed using the SOM model obtained in the learning phase, the value of the representative vector neighborhood distance, and the threshold values T1, T2, T3, and T4. The determination unit 123 inputs the data x'to be determined to the learned SOM input layer (step S11). The determination unit 123 calculates the quantization error d'of the data x'to be determined (step S12).

Subsequently, the determination unit 123 selects the threshold value T'for the threshold value T1 to the threshold value T4 in order (step S13). The determination unit 123 compares the threshold value T'and the quantization error d'and makes a determination using the equation (11) (step S14). The determination unit 123 saves the determination result in association with the data x'to be determined (step S15).

Then, when the determination unit 123 compares all the threshold values T1 to T4 with the quantization error d'(step S16: Yes), the determination unit 123 ends the process. On the other hand, when the determination unit 123 does not compare all the threshold values T1 to T4 with the quantization error d'(step S16: No), the determination unit 123 selects the next threshold value (step S13) and performs the quantization error d'. (Step S14).

The final abnormality determination regarding the data x'to be determined may be performed based on the determination result of any one of the threshold values T1 to T4. Further, the final abnormality determination regarding the data x'to be determined may be performed comprehensively by combining a plurality of determination results among the determination results using the threshold values T1 to T4.

For example, a case where the input data used for learning and the data to be judged are selected from the same group and the abnormality detection by supervised learning is applied will be described. In this case, since it is assumed that all the input data are normal data, the possibility that the data input for the determination becomes abnormal is zero. In this case, the determination unit 123 may use the threshold value T2, which is the threshold value of the abnormality detection method by unsupervised learning, or the threshold value T4, which is close to the threshold value T2.

In addition, it is generally difficult to guarantee (prove) that all the data used for learning is normal data, but when it can be determined that the data is almost normal, although it is not perfect, the judgment unit. For 123, the threshold value T1 of the abnormality detection method by semi-supervised learning or the threshold value T3 close to the threshold value T1 may be used as the threshold value.

Furthermore, when the overall distribution of the data cannot be determined at the time of learning, such as input data that increases with time, it becomes difficult to use the anomaly detection method by unsupervised learning. In this case, the determination unit 123 may use a threshold value T3 close to the threshold value T1 in semi-supervised learning or a threshold value T4 close to the threshold value T2 in unsupervised learning. Since the determination unit 123 uses a threshold value for abnormality determination having the properties of unsupervised learning and semi-supervised learning, it is possible to perform abnormality determination by combining unsupervised learning and semi-supervised learning.

[Effect of Embodiment]
The determination device 10 according to the present embodiment is located in the output layer of the SOM and the quantization error between the representative vector of the output layer of the SOM and the input data after unsupervised learning by the SOM in the learning phase. The neighborhood distance of the representative vector is calculated, and the threshold of existing outliers is calculated from the distribution of these values. In the learning phase, the determination device 10 combines the two thresholds obtained from these to generate a plurality of thresholds for abnormality determination having the properties of unsupervised learning and semi-supervised learning.

Subsequently, in the mapping phase, the determination device 10 inputs the data to be determined to the SOM, calculates the quantization error of the data to be determined, and determines the calculated quantization error and at least one of a plurality of thresholds. The abnormality of the input data is judged based on the magnitude comparison.

In this way, the determination device 10 generates a plurality of threshold values for abnormality determination having the properties of unsupervised learning and semi-supervised learning. Then, the determination device according to the present embodiment can perform anomaly determination by combining unsupervised learning and semi-supervised learning by comparing one of the threshold values with the quantization error of the input data.

Therefore, since it is not necessary for the determination device 10 to be given all the input data at the time of starting the learning, it is possible to determine the abnormality by the SOM even for the input data that increases with time like a communication network.

Further, since the determination device 10 can detect anomalies using the proximity distance of the representative vector in the output layer of the SOM, the distribution of normals and anomalies included in the input data is preliminarily distributed as in the anomaly detection method by unsupervised learning. You don't have to figure it out.

Further, since the determination device 10 does not need to assume that all the input data at the time of learning is normal as in the abnormality detection method by semi-supervised learning, data corresponding to the abnormality is mixed in the input data to be learned. However, abnormality can be detected.

Further, since the determination device 10 automatically generates a plurality of threshold values for abnormality determination having the properties of unsupervised learning and semi-supervised learning, complicated processing of determining the threshold values in advance is unnecessary.

Further, the determination device 10 automatically generates four types of threshold values T1 to T4 from the quantization error of the input data at the time of learning and the proximity distance of the representative vector, and performs abnormality determination by comparing with each threshold value. .. Since these thresholds T1 to T4 enable abnormality determination having both unsupervised learning and semi-supervised learning properties, the determination device 10 uses unsupervised learning or semi-supervised learning depending on the preconditions related to the input data. It does not have to be limited to either supervised learning.

Then, the determination device 10 may make a final abnormality determination based on the determination result using any one of the four types of threshold values T1 to T4. Further, the determination device 10 may perform a final abnormality determination by combining a plurality of determination results performed using the threshold values T1 to T4.

As described above, in the present embodiment, an abnormality determination having both properties of unsupervised learning and semi-supervised learning is performed without considering predetermined conditions for input data for learning using SOM. It will be possible to carry out all at once.

[System configuration, etc.]
Each component of each of the illustrated devices is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or part of the device is functionally or physically distributed in arbitrary units according to various loads and usage conditions. It can be integrated and configured. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

Further, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed. It is also possible to automatically perform all or part of the above by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above document and drawings can be arbitrarily changed unless otherwise specified.

[program]
FIG. 9 is a diagram showing an example of a computer in which the determination device 10 is realized by executing the program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of these parts is connected by a bus 1080.

The memory 1010 includes a ROM 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, the display 1130.

The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the determination device 10 is implemented as a program module 1093 in which a code that can be executed by a computer is described. The program module 1093 is stored in, for example, the hard disk drive 1090. For example, the program module 1093 for executing the same processing as the functional configuration in the determination device 10 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

Further, the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, a memory 1010 or a hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 and executes them as needed.

The program module 1093 and the program data 1094 are not limited to those stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

Although the embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and drawings which form a part of the disclosure of the present invention according to the present embodiment. That is, all other embodiments, examples, operational techniques, and the like made by those skilled in the art based on the present embodiment are included in the category of the present invention.

1 Communication system 2 Computer terminal 3 Network equipment 10 Judgment device 11 Communication unit 12 Control unit 13 Storage unit 14 Input unit 15 Output unit 121 Statistical processing unit 122 Learning unit 123 Judgment unit 130 Learning data storage unit 131 Statistical data storage unit 132 SOM model 133 Proximity distance data 134 Threshold data 135 Judgment data storage unit

Claims (6)

An acquisition unit that performs statistical processing on the copied communication data or numerical data of communication and acquires vector data of multivariate variables.
After performing unsupervised learning by SOM (Self Organizing Map) using the vector data to be learned as input data, the input data is input to the learned SOM again to obtain a representative vector of the output layer of the SOM. The quantization error between the input data and the proximity distance of the representative vector are calculated, and the threshold values of these outliers are obtained from the distribution of the quantization error and the neighborhood distance value of the representative vector. A learning unit that combines the obtained thresholds to generate multiple thresholds,
The vector data to be determined is input to the SOM, the quantization error between the representative vector of the output layer on which the vector data to be determined is mapped and the vector data to be determined is calculated, and the calculated quantum is calculated. A determination unit that compares the conversion error with at least one of the plurality of thresholds to determine whether or not the vector data to be determined is abnormal.
A determination device characterized by having. The learning unit gives a distribution of the quantization error and the neighborhood distance to the box whiskers diagram, which is a method of calculating the threshold value of the boundary of outlier detection, and obtains a whiskers of the quantization error and the neighborhood distance. Claim 1 is characterized in that the upper end value is calculated and the plurality of thresholds are generated by using the maximum value of the quantization error, the upper end value of the whiskers of the quantization error, and the upper end value of the whiskers of the neighborhood distance. Judgment device described in. The learning unit is a sum of a first threshold value which is the maximum value of the quantization error, a second threshold value which is the upper end value of the whiskers at the vicinity distance, the first threshold value, and the second threshold value. The determination device according to claim 2, wherein the threshold value of 3 and the fourth threshold value, which is the sum of the upper end value of the whiskers of the quantization error and the second threshold value, are generated. The determination unit compares any one of the first threshold value, the second threshold value, the third threshold value, and the fourth threshold value with the quantization error of the vector data to be determined, and determines the determination target. The determination device according to claim 3, wherein when the quantization error of the vector data of the above exceeds the threshold value of the comparison target, it is determined that the vector data of the determination target is abnormal. It is a judgment method executed by the judgment device.
The process of statistically processing the copied communication data or numerical data of communication to acquire the vector data of multivariate variables, and
After performing unsupervised learning by SOM (Self Organizing Map) using the vector data to be learned as input data, the input data is input to the learned SOM again to obtain a representative vector of the output layer of the SOM. The quantization error between the input data and the proximity distance of the representative vector are calculated, and the threshold values of these outliers are obtained from the distribution of the quantization error and the neighborhood distance value of the representative vector. The process of generating multiple thresholds by combining the obtained thresholds and
The vector data to be determined is input to the SOM, the quantization error between the representative vector of the output layer on which the vector data to be determined is mapped and the vector data to be determined is calculated, and the calculated quantum is calculated. A step of comparing the conversion error with at least one of the plurality of thresholds to determine whether or not the vector data to be determined is abnormal.
A determination method characterized by including. Steps to perform statistical processing on the copied communication data or numerical data of communication and acquire vector data of multivariate variables,
After performing unsupervised learning by SOM (Self Organizing Map) using the vector data to be learned as input data, the input data is input to the learned SOM again to obtain a representative vector of the output layer of the SOM. The quantization error between the input data and the proximity distance of the representative vector are calculated, and the threshold values of these outliers are obtained from the distribution of the quantization error and the neighborhood distance value of the representative vector. A step to generate multiple thresholds by combining the obtained thresholds, and
The vector data to be determined is input to the SOM, the quantization error between the representative vector of the output layer on which the vector data to be determined is mapped and the vector data to be determined is calculated, and the calculated quantum is calculated. A step of comparing the conversion error with at least one of the plurality of thresholds to determine whether or not the vector data to be determined is abnormal.
A judgment program characterized by having a computer execute.