KR102028093B1 - Method of detecting abnormal behavior on the network and apparatus using the same - Google Patents

Abstract

Disclosed are an abnormal behavior detection method for a network and an apparatus using the same. Anomaly detection method according to the present invention comprises the steps of extracting a log for learning based on the traffic collected when the network is normal; Training a local (LOCAL) detection model for detecting network anomaly based on the log and a global (GLOBAL) detection model for detecting network anomaly in consideration of traffic flow; And simultaneously performing local detection and global detection on the network abnormality by using the local detection model and the global detection model.

Description

Anomaly detection method for network and device using same {METHOD OF DETECTING ABNORMAL BEHAVIOR ON THE NETWORK AND APPARATUS USING THE SAME}

The present invention relates to a technique for detecting anomalous behavior for a network, and more particularly, to a technique for detecting whether abnormal traffic occurs based on the characteristics of traffic when the network is normal.

As a technique for detecting anomalous behavior in the network, abnormal behaviors are detected based on the learned information after learning about specific values such as the traffic threshold and the range of time-to-live (ttl) values of packets. There are ways to do it. These techniques are often based on network and cyberattack knowledge, rather than the inherent characteristics of the target network, rather than the normal nature of general network traffic. Therefore, it is impossible to effectively reflect the network-specific characteristics of each application site.

Another type of anomaly detection involves learning traffic characteristics for each protocol and service, and detecting anomalies while distinguishing each protocol, service, and server-client. In this case, there are techniques for classifying services based on relevant information and knowledge about the target protocol and service or based on the behavior of a particular section of communication (eg, at the moment of session establishment). However, such a technique has a disadvantage in that an abnormal behavior cannot be detected while the corresponding communication is performed unless there is a lack of information on an analysis target or a specific section that can distinguish the behavior.

In addition, there is a technology that detects anomalous behavior while distinguishing each protocol, service, and server-client by learning traffic characteristics for each protocol and service. This technology collects traffic of each communication section (session, server-client section, etc.) and then detects anomalous behavior and abnormal communication by learning and extracting characteristics of each communication section and distinguishing the characteristics of each communication section. . This has the advantage of being able to distinguish detailed features such as service and device manufacturer. However, this technique can be applied only after the traffic of each communication has been sufficiently collected, and thus it cannot be detected at the time of anomalous behavior. As a result, abnormal behavior is always detected late, so it is difficult to apply to the abnormal behavior detection system because it is not suitable for immediate response to the occurrence of abnormal behavior in the field.

Korean Patent Publication No. 10-2012-0074041, published on July 5, 2012 (name: SCADA system and its security management method)

An object of the present invention is to provide a network traffic monitoring technology for detecting cyber threats, cyber attacks and security incidents occurring in devices used in a specific network.

In addition, an object of the present invention is to detect abnormal traffic using the learned feature when the network is normal even when it is difficult or difficult to obtain driving information or protocol specification information for the target network and devices.

It is also an object of the present invention to provide a method of finding a time and target of occurrence of abnormal behavior while monitoring network traffic, and to propose a method of using the result in additional behavior analysis of the monitored device.

Anomaly detection method according to the present invention for achieving the above object comprises the steps of extracting a log for learning based on the traffic collected when the network is normal; Training a local (LOCAL) detection model for detecting network anomaly based on the log and a global (GLOBAL) detection model for detecting network anomaly in consideration of traffic flow; And simultaneously performing local detection and global detection on the network abnormality by using the local detection model and the global detection model.

In this case, the training may include training the local detection model based on a feature extracted from the packet; And training the global detection model based on a PATTERN MATCHING scheme.

In this case, the training of the local detection model may include classifying the log by communication section corresponding to the network; And extracting a plurality of first feature points mapped to the N-dimensional space based on a plurality of packets corresponding to any one communication section, and clustering the plurality of first feature points based on a LOYID algorithm to generate one or more first feature points. It may include the step of creating one cluster.

At this time, the step of generating one or more first clusters calculates the cluster centers for the one or more first clusters, and repeats until the distance difference between the cluster centers calculated for each communication section is less than a preset error distance. Clustering can be performed.

In this case, generating one or more first clusters may include: generating a packet histogram for each of the plurality of packets by analyzing a byte (BYTE) of each of the plurality of packets; Inputting the packet histogram as input data of a stacked autoencoder based on a greedy layer based learning scheme; And learning the stacked autoencoder and extracting the plurality of first feature points based on the feature layer of the stacked autoencoder.

In this case, the training of the local detection model may include generating one or more transactions by classifying the plurality of packets based on an INTERARRIVAL TIME; Generating at least one packet type sequence by converting at least one packet included in the at least one transaction into a type corresponding to the first cluster, and generating at least one second cluster by clustering the at least one packet type sequence It may further include.

In this case, learning the local detection model may include analyzing byte of each of the plurality of packets to generate byte frequency data including the number of occurrences of each byte; The 256 frequency values included in the byte frequency data are classified into buckets to generate a plurality of buckets smaller than the frequency values, and the frequency values allocated to the plurality of buckets are summed to generate bucket frequency data. Generating; And clustering the bucket frequency data to generate one or more third clusters for any one packet.

In this case, the generating of the bucket frequency data may classify a plurality of frequency values used to distinguish packets among the 256 frequency values into different buckets.

In this case, learning the local detection model may include generating one or more transactions by classifying the plurality of packets based on a transmission time difference; Combining packet transmission direction corresponding to the packet allocated to the one or more transactions with the one or more third clusters to generate packet frequency data for knowing the byte frequency of the transaction for each communication section; And detecting a normal pattern for learning based on the packet frequency data, and training the local detection model corresponding to the normal pattern.

In this case, the training of the global detection model may include: generating a first histogram of the number of transmission paths corresponding to the communication paths corresponding to the network every first predetermined unit time based on the log; Generating a second histogram of transmission counts for each communication path corresponding to the network every second preset unit time smaller than the first preset unit time; And considering the similarity, matching the first histogram and the second histogram, calculating an average and a variance of the vector distances between the two matched histograms, and generating a CHI-SQUARE distribution corresponding to the network. It may include the step.

At this time, the generating may be classified into a plurality of log groups in consideration of a plurality of communication paths and time corresponding to the network, and may generate the chi square distribution for each of the plurality of log groups. .

At this time, the step of performing if the one of the individual packet and the individual transaction transmitted through the network does not correspond to any one of the one or more first cluster, the one or more third cluster and the normal pattern, the network It can be determined that abnormal traffic has occurred in.

In this case, if the individual transaction transmitted through the network is not included in the one or more second clusters, the performing of the step may determine the individual transaction as an abnormal transaction.

In this case, the performing of the step may include generating a histogram to be detected corresponding to the second unit time to detect the network, and selecting any one of the first histograms having the highest similarity with the detection histogram among the plurality of first histograms. Detecting; And determining that abnormal traffic has occurred in the network when the vector distance between the first histogram and the detection target histogram does not correspond to a 99% confidence interval of the chi square distribution.

In addition, the anomaly detection apparatus for a network according to an embodiment of the present invention, extracting a log for learning based on the traffic collected when the network is normal, and performs a network anomaly in consideration of the packet based on the log Consider a local detection model (LOCAL) detection and traffic flow, and learn a global (GLOBAL) detection model for detecting network anomalies, respectively, and local to the network anomaly using the local detection model and the global detection model A processor that performs detection and global detection simultaneously; And a memory storing at least one of the log, the local detection model, and the global detection model.

According to the present invention, the detection engine can be configured even without specific information on the network and system to be monitored, and it can be used to understand the complex characteristics of the monitoring target.

In addition, the present invention can operate its own detection engine without constantly updating the attack signature information from the outside.

In addition, the present invention can effectively monitor even where a remote network or remote update is impossible for security.

In addition, the present invention can monitor and analyze the traffic transmission amount and the change in its contents at the same time, thereby making it possible to detect abnormal behavior more finely and effectively.

In addition, the present invention obtains information such as IP network state and device state through global detection and local detection, and analyzes complex state information by matching with state information of another area such as input / output information of a controller.

In addition, the present invention can perform detailed detection without using the algorithm by using the packet number and the traffic volume of different criteria in the global detection algorithm.

1 is a diagram illustrating an anomaly detection system for a network according to an embodiment of the present invention.
2 is a flowchart illustrating an anomaly detection method for a network according to an exemplary embodiment of the present invention.
3 is a diagram illustrating an example of a packet histogram using bytes of a packet according to the present invention.
4 to 5 are diagrams showing an example of a greedy layer based learning method and a clustering process using the same according to the present invention.
6 to 7 are diagrams showing an example of a transaction classification process according to the present invention.
8 to 10 are diagrams showing an example of a process of learning a transaction according to the sequence for each cluster according to the present invention.
11 is a diagram illustrating an example of a local detection process according to the present invention.
12 to 13 illustrate an example of a process of generating byte frequency data illustrated in FIG. 11.
14 to 15 are diagrams illustrating an example of a process of generating bucket frequency data shown in FIG. 11.
16 illustrates an example of a third cluster (Bucket frequency cluster) according to the present invention.
FIG. 17 is a diagram illustrating an example of a process of generating packet frequency data shown in FIG. 11.
18 to 19 are diagrams showing an example of a histogram for a communication path and a transmission frequency for each communication path of a network according to the present invention.
20 is a view showing an example of a process of collecting the histogram shown in FIG. 19 in chronological order for pattern matching according to the present invention.
21 is a diagram illustrating an example of a concept of segmenting traffic flows analyzed according to the present invention.
22 is a flowchart illustrating a method of integrating global detection and local detection according to an embodiment of the present invention.
23 to 24 are diagrams showing the configuration and function of the abnormal behavior detection apparatus for a network according to an embodiment of the present invention.
25 is a block diagram illustrating an anomaly detection apparatus for a network according to another embodiment of the present invention.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. Here, the repeated description, well-known functions and configurations that may unnecessarily obscure the subject matter of the present invention, and detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more completely describe the present invention to those skilled in the art. Accordingly, the shape and size of elements in the drawings may be exaggerated for clarity.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating an anomaly detection system for a network according to an embodiment of the present invention.

Referring to FIG. 1, an anomaly detection system for a network according to an embodiment of the present invention may detect an anomaly for a control traffic by performing global detection and local detection through an anomaly detection device 110. .

At this time, the global detection can determine the overall network state by applying the learning result or clustering result of the global detection model in the anomaly detection device 110, and performs a local detection according to the overall network state, You can detect if a transaction occurs.

For example, global detection can provide insight into the status of IP networks in control system operations and control system sites. At this time, by applying local detection to the communication section of the individual devices, it is possible to detect whether there is an abnormal communication by classifying packets and transactions that can be delivered according to the state of the IP network.

At this time, the abnormal behavior detection apparatus 110 according to the present invention can limit the type of traffic that can be delivered using the association of the sections corresponding to the local detection.

For example, for the communication intervals such as HMI-Main Server-Historian and HMI-Main Server-PLC shown in FIG. 1, if the HMI previously sends a transaction of type A to the main server, then the main server You can check whether and deliver the transaction of 'A' to Historian through learning and detect the abnormality. In this case, by using the state information of the entire network and some networks based on the global detection, it is possible to limit the types of transactions that can be transmitted in a specific situation.

In addition, the anomaly detection apparatus 110 according to an embodiment of the present invention analyzes the information provided by the other detection device or detection device together to detect anomalies in consideration of the relationship by expanding the surveillance area without being limited to network traffic. You can also do In other words, correlation monitoring can be extended by combining information provided from other detection devices with the results of global and local detection.

For example, in the HMI-PLC-site device section illustrated in FIG. 1, since the HMI-PLC is connected to an IP network to exchange network traffic, the HMI-PLC may be detected and monitored through the anomaly detecting apparatus 110. In addition, in the case of the PCL-site device, since communication is performed through digital and analog signals, abnormal behavior detection is performed through an input / output abnormal behavior detection apparatus 120 that is separate from the abnormal behavior detection apparatus 110 according to the present invention. Can be done.

In this case, the abnormal behavior detection apparatus 110 may grasp that the state information of the PLC is changed through the global detection and the local detection, and may transmit the information to the controller input / output abnormal behavior detection apparatus 120. At this time, the controller I / O abnormal detection device 120 may be used as a reference for monitoring whether the input / output information is appropriately changed according to the change of the state information of the PLC. It can be suitable for monitoring the whole area of the control system by monitoring the characteristic that the change of state between HMI-PLC and the change of state between PLC-site is to be carried out with each other.

2 is a flowchart illustrating an anomaly detection method for a network according to an exemplary embodiment of the present invention.

Referring to FIG. 2, in the abnormal behavior detection method for a network according to an embodiment of the present invention, a log for learning is extracted based on traffic collected when the network is normal (S210).

That is, the abnormal behavior detection method according to the present invention learns the usual characteristics of network traffic when the network is operating normally, and detects abnormal traffic or abnormal traffic caused by cyber attacks, insider mistakes and device malfunctions based on this. Can be. To this end, a log of traffic generated when the network is normal can be extracted and used.

In addition, the abnormal behavior detection method for the network according to an embodiment of the present invention to detect the network abnormal behavior in consideration of the traffic flow and local (LOCAL) detection model for detecting network abnormal behavior in consideration of the packet based on the log Train each of the global (GLOBAL) detection models (S220).

In the present invention, both local detection and global detection can be used. Each detection method may be a method of learning characteristics of network traffic and a method of detecting abnormal traffic based on the usual.

At this time, the local detection model can be trained based on the feature extracted from the packet. For example, a local detection model can be learned by extracting the feature or pattern of a packet by UNSUPERCISED LEARNING, and by using this, the packet constituting the traffic of the network can be effectively classified into a normal packet and an abnormal packet.

In the present invention, the local detection model can be trained in two ways.

First, considering each traffic (or transaction, session information) of the network as a D-dimensional point, n points located in the D-dimensional space can be clustered into k clusters. The local detection model can be trained using the learnable parameter theta (θ).

For example, first, a feature space Z may be obtained through a nonlinear mapping (f _θ : X-> Z) of a data space X that is a set of points on a D-dimensional surface, and clustering may be performed on the points of the feature space Z. In this case, in general, the dimension of the feature space Z may be set smaller than the dimension of the data space X. Thereafter, iterative learning can learn the center of K clusters and the learnable parameter theta θ.

Hereinafter, a first method for training the local detection model will be described in detail with reference to FIGS. 3 to 10.

According to the present invention, in order to learn the local detection model, first, the log may be classified by communication section corresponding to the network. As described above, the logs are classified and used for each communication section, so that the learning of the local detection model may be separately performed for each communication section.

Thereafter, the plurality of first feature points mapped to the N-dimensional space are extracted based on the plurality of packets corresponding to any one communication section, and the plurality of first feature points are clustered based on the LOYID algorithm. The first cluster may be created.

For example, when 100 packets are included in any one communication section, 100 first feature points may be mapped to the 100 packets in the N-dimensional space. Thereafter, 100 first feature points may be classified into k first clusters using a LOYD algorithm, which is one of k-mean clustering techniques.

Therefore, the packet detected when the network is normal may be included in any one first cluster.

At this time, the cluster centers for one or more first clusters may be calculated, and clustering may be performed repeatedly until the distance difference between the cluster centers calculated for each communication section is less than a predetermined error distance.

For example, the Lloyd's algorithm may first obtain a center of the first cluster at random and set the mean of the data allocated to each center. Thereafter, it may be repeatedly performed until the difference with the center calculated based on the previous communication interval is smaller than the preset error distance.

At this time, in order to extract the plurality of first feature points, a packet histogram for each of the plurality of packets may be generated by first analyzing a byte of each of the plurality of packets.

For example, assuming that up to 100 th byte is used as a feature for any one of the plurality of packets, a packet histogram 320 as shown in FIG. 3 may be generated. In this case, although the packet size 310 corresponding to any one packet is 153 bytes, the packet histogram 320 may have 100 values because only the 100th byte is extracted to generate the histogram.

Thereafter, a packet histogram may be input as input data of a stacked autoencoder based on a learning method based on a greedy layer.

Thereafter, learning about the stacked autoencoder may be performed, and a plurality of first feature points may be extracted based on the feature layer of the stacked autoencoder.

For example, a plurality of packet histograms may be input as input data of a stacked auto encoder such as illustrated in FIG. 4. After that, learning based on the greedy layer may be performed. When learning is completed, a plurality of first feature points to be used for clustering may be obtained through the encoder layer part and the feature layers 410 and 420 except for the decoder layer part as shown in FIG. 5. At this time, if the clustering result illustrated in FIG. 5 is confirmed, it may be confirmed that the plurality of first feature points are classified into three first clusters.

In addition, according to another embodiment of the present invention, traffic may be classified into transaction units to learn a local detection model.

In this case, one or more transactions may be generated by classifying a plurality of packets based on an INTERARRIVAL TIME.

At this time, the transmission time difference between the plurality of packets can be measured to classify the bundle of packets transmitted within a predetermined time as a transaction.

For example, referring to FIG. 6, it may be assumed that a preset time for classifying packets as a transaction is T1 and a relationship between the times is T1 <T2 <T3. At this time, the transmission time difference from the packet 611 to the 613 packet shown in FIG. 6 was all within T1, but the transmission time difference between the packet 613 and the packet 621 corresponds to T2, so from packet 611 to packet 613 Can be bundled into one transaction. After that, the transmission time difference from packet 621 to packet 622 was all within T1. However, the transmission time difference between packet 622 and packet 631 corresponds to T3. Therefore, packet 621 to packet 622 can be bundled into one transaction. have.

In this case, as shown in FIG. 6, when the transmission time difference between packets is greater than or equal to a predetermined time, the packets may be divided into session units larger than a transaction unit.

In addition, referring to FIG. 7, as a result of transmitting and receiving a packet in the controller period communication, the transmission time difference between the packets included in the transactions 710 and 720 is very short, but the transaction 710 and the transaction 720 have a predetermined time or more. It can be seen that there is a transmission time difference.

In addition, since the controller performs only a predetermined task, the types of transactions 710 and 720 can be distinguished to some extent even in a graph showing packet sizes and transmission directions as shown in FIG. 7.

In this case, one or more packet type sequences may be generated by converting at least one packet included in one or more transactions into a type corresponding to the first cluster, and one or more second clusters may be generated by clustering one or more packet type sequences. have. That is, it is possible to learn the type of transaction when the network is normal through packet type sequence features corresponding to one or more second clusters.

For example, it may be assumed that three first clusters as illustrated in FIG. 8 are generated based on a plurality of packets included in any one communication section. Thereafter, as illustrated in FIG. 9, transactions may be generated by classifying a plurality of packets based on a transmission time difference. In this case, when one of the transactions 910 is graphed, it can be seen that the packets included in the transaction 910 are variously matched to the three first clusters shown in FIG. 8 as shown in FIG. 10. have. Thus, these packets can be arranged in chronological order to generate a packet type sequence 920 as shown in FIG.

In this way, not only packets but also transactions appearing in the communication section can be classified into a specified type, which can be used to detect transactions that do not normally occur.

In addition, in the present invention, as shown in FIG. 11, the training of the local detection model may be performed for each IP-IP section to generate a separate learning model for each IP-IP section. At this time, it may change to a learning target other than the IP-IP unit.

Hereinafter, a second method for learning a local detection model in the present invention will be described in detail with reference to FIGS. 11 to 17.

First, byte frequency data including the number of occurrences of each byte value may be generated by analyzing bytes of a plurality of packets corresponding to a communication interval between two IPs based on a log.

At this time, one byte may have 256 values from 0x00 to 0xFF. Thus, byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet.

For example, it may be assumed that there is a packet as shown in FIG. 12. In this case, a byte value 1210 corresponding to the remaining bytes except for the header of the packet may be obtained and classified as shown in the graph of FIG. 13 to indicate the number of occurrences of each value.

As described above, when the packet is represented as byte frequency data, even if the length of the packet changes, the packet may be represented as 256 integers so that the length of the packet may not be considered in learning and detection.

At this time, a large difference in values between packets may not increase the difference between normal and abnormal. However, when the byte value is used as a comparison target for detection as it is, an error that may be determined to be a wrong abnormality may occur in the learning process of the detection model because the difference in the byte value is large. For example, if 0x00 comes out and 0x01 comes out and 0xFF comes out, it's an abnormal case, but if you simply compare byte values, you might learn that 0xFF comes out wrong. . Therefore, in the case of using the byte frequency data as in the present invention, the above-mentioned problem can be solved because only a specific byte value is compared or not compared with the byte value directly.

At this time, 256 frequency values included in the byte frequency data are classified into buckets to generate a plurality of buckets smaller than the frequency values, and the bucket frequency data is calculated by summing the assigned frequency values for each of the plurality of buckets. Can be generated.

For example, as illustrated in FIG. 14, frequency values from 0x00 to 0xFF included in byte frequency data may be classified into buckets of B ₁ to B _n , respectively.

In this case, byte frequency data may be used as it is to improve the accuracy of learning and detection. However, when performing real-time detection, comparing 256 integers per packet may cause a problem in real-time performance. Therefore, in order to improve performance in real-time detection while maintaining maximum accuracy, 256 frequency values may be collected into n buckets, and frequency values assigned to each bucket may be summed and expressed as shown in FIG. 15.

At this time, as shown in FIG. 15, the result of summing up frequency values assigned to each of the plurality of buckets may correspond to the bucket frequency data.

In this case, when 256 frequency values are allocated to the plurality of buckets, the entropy of the system for detecting network abnormal behavior should be allocated to be the maximum. For example, if all 256 frequency values are assigned to one bucket, no matter how many packets there are, the entropy of the system can be minimal. On the contrary, if a total of 256 buckets are generated by creating a separate bucket for every 256 frequency values, the entropy of the system can be maximized.

Therefore, when the number of buckets is set to n arbitrary as shown in FIG. 14 in consideration of the performance of the system, in order to assign frequency values to maximize entropy, it is used to classify packets among 256 frequency values. The plurality of frequency values may be classified into different buckets.

For example, suppose that the byte value of packet 1 corresponds to 0x00, 0xAA, 0xAA, and the byte value of packet 2 corresponds to 0x01, 0xAA, 0xAA. To maximize entropy, 0x00 and 0x01 are different. It may need to be assigned to a bucket. The process for maximizing the entropy of the system is called entropy maximization learning, and 256 frequency values can be assigned to each bucket by performing entropy maximization learning on steady-state network traffic.

As such, when a plurality of buckets are generated and allocation of 256 frequency values is completed, individual packets may be represented as bucket frequency data rather than byte frequency data.

At this time, the bucket frequency data may be clustered to generate one or more third clusters for any one packet.

For example, k-means clustering of the bucket frequency data shown in FIG. 15 may generate k third clusters as shown in FIG. 16.

In this way, learning and detection can be performed more efficiently by simply expressing information on a plurality of packets included in a transaction in k clusters P ₁ to P _k to simplify the information.

At this time, by classifying a plurality of packets based on the transmission time difference to generate one or more transactions, by combining the transmission direction corresponding to the packet assigned to one or more transactions and one or more third clusters to determine the byte frequency of the transaction for each communication section Known packet frequency data can be generated.

In this case, the packet frequency data may indicate how many packets are contained in any one transaction. Therefore, it can be shown by combining the transmission direction of each individual packet included in any one transaction and which third cluster each individual packet corresponds to.

At this time, the packets included in the individual transaction can be classified into two types according to the transmission direction. For example, referring to FIGS. 11 and 17, packets included in one transaction may be classified into packets 1110 and 1710 transmitted from IP1 to IP2 and packets 1120 and 1720 transmitted from IP2 to IP1. have.

As described above, by representing one transaction as 2n integers, it is possible to express the characteristics of packet units in the transaction and to improve the speed of learning and detecting.

At this time, the normal pattern for learning may be detected based on the packet frequency data, and the local detection model may be trained corresponding to the normal pattern.

In addition, the global detection model can be trained based on the PATTERN MATCHING method. For example, an abnormal state on a control network may be determined by applying a method called pattern matching or template matching in a histogram set obtained through transmission information of all network traffic during data preprocessing.

Hereinafter, a method of learning a global detection model in the present invention will be described in detail with reference to FIGS. 18 to 21.

First, as a preprocessing process for learning, a first histogram of transmission counts for communication paths corresponding to a network may be generated for each predetermined first unit time based on a log.

For example, after representing a network as a directed graph as shown in FIG. 18, all possible edges on the directed graph as an x-axis, as shown in FIG. 19, and the preset first It is possible to generate a histogram with the y-axis as the number of packet transmissions of each edge during the unit time.

In this case, the histogram as shown in FIG. 19 may be used to express the state of the entire network. That is, if one histogram is generated for each first unit time, as shown in FIG. 20, the network state that changes with time may be tracked through the n first histograms generated for the unit time.

For example, a tuple such as (Unix time stamp, edge-transmission histogram) can be created every unit time.

That is, when the first histogram generated per unit time is collected in chronological order as shown in FIG. 20, the change in the first histogram may represent a change in traffic flow. Therefore, in the preprocessing process, the input traffic may be divided into unit time and transformed into first histogram information.

In this case, a second histogram of the transmission frequency for each communication path corresponding to the network may be generated for each second predetermined unit time smaller than the first predetermined unit time.

At this time, the first histogram and the second histogram are matched in consideration of the similarity, and the average and the variance of the vector distances between the two matched histograms are calculated to generate a CHI-SQUARE distribution corresponding to the network. Can be.

That is, the average and the variance of the second histograms generated during the second unit time smaller than the first unit time are different from the first histograms most similar among the first histograms generated earlier.

For example, when the first histogram generated once per second is defined as one d-dimensional vector, n d-dimensional vectors may be generated when the first histogram is generated for n seconds. The set of the first histograms generated as described above may be defined as Χ = {X (1), ..., X (n)} and may be assumed to be a normal pattern. In this case, when the second set of w histograms generated for w seconds (ex: 10 seconds) which are much smaller than n in the normal pattern is Ψ = {Y (1), ..., Y (n)}, Ψ The vector distance to the pattern most similar to can be measured as shown in [Equation 1].

[Equation 1]

In this case, if the number of packet occurrences is used as it is, the change of other edges may be dominated by the change of several edges having a large number of transmissions. Therefore, the number of transfers can be a value that takes a log. However, if a log is used, the case where the number of transmissions is 0 is not defined by the log. Therefore, by adding 1 to all transmissions, the vector distance to the pattern most similar to ψ as shown in [Equation 2] can be calculated. .

[Equation 2]

In this case, the average and the variance of the difference detected by performing an operation as shown in [Equation 2] on the first set of histograms (n vectors) may correspond to the learning model. That is, it is proved that the difference information calculated in the learning process follows the chi-square distribution, and then it can be used to determine whether there is abnormal traffic.

In this case, the log may be classified into a plurality of log groups in consideration of a plurality of communication paths and time corresponding to the network, and a chi square distribution may be generated for each of the plurality of log groups.

For example, when [Equation 2] is applied to the w time and the entire network edge, the application range can be widened, but it is difficult to distinguish when the attack time and the number of edges are small in between. This can happen.

In order to prevent this, in the present invention, as shown in FIG. 21, the log is classified into a plurality of log groups 2110 to 2160 by grouping edges and time in a learning section, and a plurality of log groups 2110 to 2160. We can train the global detection model by calculating dist every time. Through this process, the monitoring target becomes smaller in group units, which not only improves the detection rate of the attack, but also makes it possible to more precisely identify the attack occurrence section.

In addition, if the criteria for performing grouping are randomized, there is an advantage that the attacker can prevent the detection through the precise attack considering the grouping characteristics.

In addition, the abnormal behavior detection method for the network according to an embodiment of the present invention performs a local detection and global detection of the network abnormal behavior at the same time using the local detection model and the global detection model (S230).

At this time, if global detection and local detection are used simultaneously, complementary and accurate monitoring can be performed.

For example, even if the local detection transmits an abnormal form in a packet or transaction unit, the detection of whether the transmission time or the transmission amount is abnormal can be performed in the global detection.

In another example, an attack in which only the transmission value is changed or only the contents of a packet is replaced without a change in the transmission amount may not be detected in the global detection but may be detected in the local detection.

In addition, by combining the results of the global detection and local detection, anomaly detection may be performed in consideration of the relationship between the devices.

In this case, when any one of the individual packets and individual transactions transmitted through the network does not correspond to any one of the one or more first cluster, one or more third cluster, and the normal pattern, it may be determined that abnormal traffic has occurred in the network. have.

For example, when any one packet to be monitored is not included in one or more first clusters, the packet to be monitored may be determined to be an abnormal packet.

For another example, when any one packet to be monitored is not included in one or more third clusters, the packet to be monitored may be determined to be an abnormal packet that has not previously appeared.

For another example, when the packet frequency data corresponding to any one of the monitored transactions does not match the normal pattern, the monitored transaction may be determined as an abnormal transaction.

In this case, when individual transactions transmitted through the network are not included in one or more second clusters, the individual transactions may be determined as abnormal transactions.

For example, when any one of the monitored transactions is not included in one or more second clusters, the monitored transaction may be determined to be an abnormal transaction.

In this case, in order to detect a transaction unit, it is necessary to confirm which cluster is included for each packet in advance, so that additional detection of a packet unit may not be an overhead.

In this case, the detection target histogram may be generated to correspond to the second unit time to detect the network, and any one first histogram having the highest similarity to the detection target histogram among the plurality of first histograms may be detected.

In this case, when the vector distance between any one first histogram and the detection target histogram does not correspond to a 99% confidence interval of the chi square distribution, it may be determined that abnormal traffic has occurred in the network.

At this time, the target of the global detection can be applied to not only the packet count per unit time but also the traffic data length (data length) per unit time to detect the attack.

For example, most buffer overflows add malicious data to the back of a packet, in which case the number of packets does not change and the length of the packet changes. As such, in the case of an attack that transmits only data without changing the number of packets, the attack can be detected only by checking the traffic volume.

In another example, when a large number of short packets are sent, such as in a SYN flooding attack, the total data size does not change much, but the number of packets changes. As described above, in case of an abnormal pattern sending only a short packet, an attack can be detected only by monitoring based on a change in the number of packets.

Another example, DNP3 over TCP, is that the packet size does not exceed a certain size. This ratio may change due to vulnerability attack and transmission data size change. Therefore, it is possible to monitor the characteristics of the network service by detecting the average change in the length of the packet by inputting the ratio of the amount of packets to the number of packets.

In addition, the present invention performs a global detection as shown in Figure 22 (S2210), determines whether or not abnormal traffic generation interval is detected (S2215), if abnormal traffic generation interval is detected local detection for the corresponding interval In operation S2220, an edge through which abnormal traffic is actually transmitted may be detected.

For example, when performing global detection, it may be possible to detect unusual traffic flows on some edges of a particular time band, but it may be difficult to determine exactly at which edge the problem occurred. In this case, by analyzing the data transmission history of the edges in which the abnormal traffic flow is detected in the corresponding time band by using a local detection method, it is possible to accurately find the edge that transmitted the abnormal data.

At this time, since local detection needs to perform detection on a packet basis, it may require a higher performance monitoring device than global detection. Therefore, it is possible to secure the real-time performance of the detection algorithm and the improvement of the detection performance by using a method in which a global detection proactively finds an abnormal section in advance, by leaving only a log so that all detection algorithms can be performed.

In addition, although not shown in Figure 2, the abnormal behavior detection method for the network according to an embodiment of the present invention may store a variety of information generated in the above-described abnormal behavior detection process through a separate storage module.

Through this method of detecting abnormal behavior for a network, a detection engine can be configured without specific information about a network and a system to be monitored, and can be used to understand the complex characteristics of the monitoring object.

In addition, it can effectively monitor even where it is operated as a closed network or cannot be remotely updated for security, and it can monitor and analyze the changes in traffic volume and its contents at the same time so that it can detect anomalies more effectively and effectively.

23 to 24 are diagrams showing the configuration and function of the abnormal behavior detection apparatus for a network according to an embodiment of the present invention.

FIG. 23 illustrates a configuration of an anomaly detection apparatus for a network according to an embodiment of the present invention, and functions related to each module constituting the detection apparatus are as shown in FIG. 24.

First, referring to FIG. 23, an abnormal behavior detection apparatus for a network according to an embodiment of the present invention is a system for continuously monitoring normal traffic traffic by continuously monitoring control system network traffic, and detecting abnormal behaviors that deviate from them. .

The detection apparatus shown in FIG. 23 learns the types of packets transmitted between individual controllers, and simultaneously performs local detection for detecting anomalies and global detection for detecting anomalies by learning changes in traffic flow of the entire network. Can be.

At this time, local detection can detect the abnormal operation of the system or detailed attacks, such as abnormal data or malicious command delivery, vulnerability attack based on the type of packets transmitted between the controller devices.

At this time, global detection may be aimed at detecting the data flow of a different pattern than usual by learning the communication correlation of the controller period in the entire network without considering the type of individual packet.

In this way, both local and global detections with different characteristics can be detected to detect both the type of packet and the flow change of the entire traffic.

For example, a payload change attack in which an attacker changes the data in the payload and delivers a malicious command is difficult to detect with global detection because the traffic flow is the same. Can be detected. On the other hand, if the main server and the redundant server are connected to a specific controller, the redundant server should not control the controller when the main server is operating.However, local detection is difficult to detect and global detection detects changes in traffic flow. This can be detected.

As such, the detection apparatus illustrated in FIG. 23 may simultaneously perform a local detection function and a global detection function. For each detection function, there may be a learner that normally learns a normal pattern from the traffic, and a detector that detects abnormal traffic based on the learned model. In addition, the detection apparatus may provide the detected information to the user, and may store the corresponding information for later checking.

25 is a block diagram illustrating an anomaly detection apparatus for a network according to another embodiment of the present invention.

Referring to FIG. 25, an anomaly detection apparatus for a network according to another embodiment of the present invention includes a communication unit 2510, a processor 2520, and a memory 2530.

The communication unit 2510 may play a role of transmitting and receiving information necessary for detecting abnormal behavior on a network. In particular, the communication unit 2510 according to an embodiment of the present invention may transmit abnormal traffic information to the user.

The processor 2520 extracts a log for learning based on the traffic collected when the network is normal.

That is, the anomaly detection apparatus for the network according to the present invention learns the usual characteristics of network traffic when the network is operating normally, and based on this, abnormal traffic or abnormal traffic generated by cyber attack, insider mistake and device malfunction, etc. Can be detected. To this end, a log of traffic generated when the network is normal can be extracted and used.

In addition, the processor 2520 learns a local (LOCAL) detection model that detects network anomalies in consideration of packets and a global (GLOBAL) detection model that detects network anomalies in consideration of traffic flow.

In the present invention, both local detection and global detection can be used. Each detection method may be a method of learning characteristics of network traffic and a method of detecting abnormal traffic based on the usual.

At this time, the local detection model can be trained based on the feature extracted from the packet. For example, a local detection model can be learned by extracting the feature or pattern of a packet by UNSUPERCISED LEARNING, and by using this, the packet constituting the traffic of the network can be effectively classified into a normal packet and an abnormal packet.

In the present invention, the local detection model can be trained in two ways.

First, considering each traffic (or transaction, session information) of the network as a D-dimensional point, n points located in the D-dimensional space can be clustered into k clusters. The local detection model can be trained using the learnable parameter theta (θ).

For example, first, a feature space Z may be obtained through a nonlinear mapping (f _θ : X-> Z) of a data space X that is a set of points on a D-dimensional surface, and clustering may be performed on the points of the feature space Z. In this case, in general, the dimension of the feature space Z may be set smaller than the dimension of the data space X. Thereafter, iterative learning can learn the center of K clusters and the learnable parameter theta θ.

According to the present invention, in order to learn the local detection model, first, the log may be classified by communication section corresponding to the network. As described above, the logs are classified and used for each communication section, so that the learning of the local detection model may be separately performed for each communication section.

Thereafter, the plurality of first feature points mapped to the N-dimensional space are extracted based on the plurality of packets corresponding to any one communication section, and the plurality of first feature points are clustered based on the LOYID algorithm. The first cluster may be created.

For example, when 100 packets are included in any one communication section, 100 first feature points may be mapped to the 100 packets in the N-dimensional space. Thereafter, 100 first feature points may be classified into k first clusters using a LOYD algorithm, which is one of k-mean clustering techniques.

Therefore, the packet detected when the network is normal may be included in any one first cluster.

At this time, the cluster centers for one or more first clusters may be calculated, and clustering may be performed repeatedly until the distance difference between the cluster centers calculated for each communication section is less than a predetermined error distance.

For example, the Lloyd's algorithm may first obtain a center of the first cluster at random and set the mean of the data allocated to each center. Thereafter, it may be repeatedly performed until the difference with the center calculated based on the previous communication interval is smaller than the preset error distance.

At this time, in order to extract the plurality of first feature points, a packet histogram for each of the plurality of packets may be generated by first analyzing a byte of each of the plurality of packets.

Thereafter, a packet histogram may be input as input data of a stacked autoencoder based on a learning method based on a greedy layer.

Thereafter, learning about the stacked autoencoder may be performed, and a plurality of first feature points may be extracted based on the feature layer of the stacked autoencoder.

In addition, according to another embodiment of the present invention, traffic may be classified into transaction units to learn a local detection model.

In this case, one or more transactions may be generated by classifying a plurality of packets based on an INTERARRIVAL TIME.

At this time, the transmission time difference between the plurality of packets can be measured to classify the bundle of packets transmitted within a predetermined time as a transaction.

In this case, one or more packet type sequences may be generated by converting at least one packet included in one or more transactions into a type corresponding to the first cluster, and one or more second clusters may be generated by clustering one or more packet type sequences. have. That is, it is possible to learn the type of transaction when the network is normal through packet type sequence features corresponding to one or more second clusters.

In addition, in the present invention, a learning model may be generated for each IP-IP section to generate a separate learning model for each IP-IP section. At this time, it may change to a learning target other than the IP-IP unit.

First, byte frequency data including the number of occurrences of each byte value may be generated by analyzing bytes of a plurality of packets corresponding to a communication interval between two IPs based on a log.

At this time, one byte may have 256 values from 0x00 to 0xFF. Thus, byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet.

At this time, a large difference in values between packets may not increase the difference between normal and abnormal. However, when the byte value is used as a comparison target for detection as it is, an error that may be determined to be a wrong abnormality may occur in the learning process of the detection model because the difference in the byte value is large. For example, if 0x00 comes out and 0x01 comes out and 0xFF comes out, it's an abnormal case, but if you simply compare byte values, you might learn that 0xFF comes out wrong. . Therefore, in the case of using the byte frequency data as in the present invention, the above-mentioned problem can be solved because only a specific byte value is compared or not compared with the byte value directly.

At this time, 256 frequency values included in the byte frequency data are classified into buckets to generate a plurality of buckets smaller than the frequency values, and the bucket frequency data is calculated by summing the assigned frequency values for each of the plurality of buckets. Can be generated.

In this case, byte frequency data may be used as it is to improve the accuracy of learning and detection. However, when performing real-time detection, comparing 256 integers per packet may cause a problem in real-time performance. Therefore, in order to improve performance in real-time detection while maintaining the maximum accuracy, 256 frequency values may be collected into n buckets, and the frequency values assigned to each bucket may be summed and expressed.

At this time, the result of summing the frequency values assigned to each of the plurality of buckets may correspond to the bucket frequency data.

In this case, when 256 frequency values are allocated to the plurality of buckets, the entropy of the system for detecting network abnormal behavior should be allocated to be the maximum. For example, if all 256 frequency values are assigned to one bucket, no matter how many packets there are, the entropy of the system can be minimal. On the contrary, if a total of 256 buckets are generated by creating a separate bucket for every 256 frequency values, the entropy of the system can be maximized.

Therefore, when the number of buckets is set to any number of n in consideration of the performance of the system, in order to allocate frequency values to maximize entropy, a plurality of frequency values used to distinguish packets among 256 frequency values may be used. It may need to be classified as a different bucket.

For example, suppose that the byte value of packet 1 corresponds to 0x00, 0xAA, 0xAA, and the byte value of packet 2 corresponds to 0x01, 0xAA, 0xAA. To maximize entropy, 0x00 and 0x01 are different. It may need to be assigned to a bucket. The process for maximizing the entropy of the system is called entropy maximization learning, and 256 frequency values can be assigned to each bucket by performing entropy maximization learning on steady-state network traffic.

As such, when a plurality of buckets are generated and allocation of 256 frequency values is completed, individual packets may be represented as bucket frequency data rather than byte frequency data.

At this time, the bucket frequency data may be clustered to generate one or more third clusters for any one packet.

As such, the information about the plurality of packets included in the transaction may be simply represented by one or more third clusters, thereby simplifying the information, and thus learning and detection may be performed more efficiently.

At this time, by classifying a plurality of packets based on the transmission time difference to generate one or more transactions, by combining the transmission direction corresponding to the packet assigned to one or more transactions and one or more third clusters to determine the byte frequency of the transaction for each communication section Known packet frequency data can be generated.

In this case, the packet frequency data may indicate how many packets are contained in any one transaction. Therefore, it can be shown by combining the transmission direction of each individual packet included in any one transaction and which third cluster each individual packet corresponds to.

At this time, the packets included in the individual transaction can be classified into two types according to the transmission direction. For example, packets included in one transaction corresponding to a communication interval between IP1 and IP2 may be classified into packets transmitted from IP1 to IP2 and packets transmitted from IP2 to IP1.

As described above, by representing one transaction as 2n integers, it is possible to express the characteristics of packet units in the transaction and to improve the speed of learning and detecting.

At this time, the normal pattern for learning may be detected based on the packet frequency data, and the local detection model may be trained corresponding to the normal pattern.

In addition, the global detection model can be trained based on the PATTERN MATCHING method. For example, an abnormal state on a control network may be determined by applying a method called pattern matching or template matching in a histogram set obtained through transmission information of all network traffic during data preprocessing.

First, as a preprocessing process for learning, a first histogram of transmission counts for communication paths corresponding to a network may be generated for each predetermined first unit time based on a log.

In this case, the histogram may be used to express the state of the entire network. That is, if one histogram is generated for each first unit time, the network state that changes with time may be tracked through the n first histograms generated for the unit time.

In this case, a second histogram of the transmission frequency for each communication path corresponding to the network may be generated for each second predetermined unit time smaller than the first predetermined unit time.

At this time, the first histogram and the second histogram are matched in consideration of the similarity, and the average and the variance of the vector distances between the two matched histograms are calculated to generate a CHI-SQUARE distribution corresponding to the network. Can be.

That is, the average and the variance of the second histograms generated during the second unit time smaller than the first unit time are different from the first histograms most similar among the first histograms generated earlier.

In this case, the log may be classified into a plurality of log groups in consideration of a plurality of communication paths and time corresponding to the network, and a chi square distribution may be generated for each of the plurality of log groups. Through this process, the monitoring target becomes smaller in group units, which not only improves the detection rate of the attack, but also makes it possible to more precisely identify the attack occurrence section.

In addition, if the criteria for performing grouping are randomized, there is an advantage that the attacker can prevent the detection through the precise attack considering the grouping characteristics.

In addition, the processor 2520 may simultaneously perform local detection and global detection for network abnormalities using the local detection model and the global detection model.

At this time, if global detection and local detection are used simultaneously, complementary and accurate monitoring can be performed.

For example, even if the local detection transmits an abnormal form in a packet or transaction unit, the detection of whether the transmission time or the transmission amount is abnormal can be performed in the global detection.

In another example, an attack in which only the transmission value is changed or only the contents of a packet is replaced without a change in the transmission amount may not be detected in the global detection but may be detected in the local detection.

In addition, by combining the results of the global detection and local detection, anomaly detection may be performed in consideration of the relationship between the devices.

In this case, when any one of the individual packets and individual transactions transmitted through the network does not correspond to any one of the one or more first cluster, one or more third cluster, and the normal pattern, it may be determined that abnormal traffic has occurred in the network. have.

For example, when any one packet to be monitored is not included in one or more first clusters, the packet to be monitored may be determined to be an abnormal packet.

For another example, when any one packet to be monitored is not included in one or more third clusters, the packet to be monitored may be determined to be an abnormal packet that has not previously appeared.

For another example, when the packet frequency data corresponding to any one of the monitored transactions does not match the normal pattern, the monitored transaction may be determined as an abnormal transaction.

In this case, when individual transactions transmitted through the network are not included in one or more second clusters, the individual transactions may be determined as abnormal transactions.

For example, when any one of the monitored transactions is not included in one or more second clusters, the monitored transaction may be determined to be an abnormal transaction.

In this case, in order to detect a transaction unit, it is necessary to confirm which cluster is included for each packet in advance, so that additional detection of a packet unit may not be an overhead.

In this case, the detection target histogram may be generated to correspond to the second unit time to detect the network, and any one first histogram having the highest similarity to the detection target histogram among the plurality of first histograms may be detected.

In this case, when the vector distance between any one first histogram and the detection target histogram does not correspond to a 99% confidence interval of the chi square distribution, it may be determined that abnormal traffic has occurred in the network.

At this time, the target of the global detection can be applied to not only the packet count per unit time but also the traffic data length (data length) per unit time to detect the attack.

For example, most buffer overflows add malicious data to the back of a packet, in which case the number of packets does not change and the length of the packet changes. As such, in the case of an attack that transmits only data without changing the number of packets, the attack can be detected only by checking the traffic volume.

In another example, when a large number of short packets are sent, such as in a SYN flooding attack, the total data size does not change much, but the number of packets changes. As described above, in case of an abnormal pattern sending only a short packet, an attack can be detected only by monitoring based on a change in the number of packets.

Another example, DNP3 over TCP, is that the packet size does not exceed a certain size. This ratio may change due to vulnerability attack and transmission data size change. Therefore, it is possible to monitor the characteristics of the network service by detecting the average change in the length of the packet by inputting the ratio of the amount of packets to the number of packets.

In addition, the present invention may perform a global detection, determine whether the abnormal traffic generation section is detected, and if the abnormal traffic generation section is detected, it is possible to detect the edge that actually delivered the abnormal traffic by performing a local detection for the section. have.

For example, when performing global detection, it may be possible to detect unusual traffic flows on some edges of a particular time band, but it may be difficult to determine exactly at which edge the problem occurred. In this case, by analyzing the data transmission history of the edges in which the abnormal traffic flow is detected in the corresponding time band by using a local detection method, it is possible to accurately find the edge that transmitted the abnormal data.

At this time, since local detection needs to perform detection on a packet basis, it may require a higher performance monitoring device than global detection. Therefore, it is possible to secure the real-time performance of the detection algorithm and the improvement of the detection performance by using a method in which a global detection proactively finds an abnormal section in advance, by leaving only a log so that all detection algorithms can be performed.

The memory 2530 stores at least one of a log, a local detection model, and a global detection model.

In addition, the memory 2530 stores various kinds of information generated by the apparatus for detecting abnormal behavior of the network according to the embodiment of the present invention as described above.

According to an embodiment, the memory 2530 may be configured independently of the anomaly detection device to support a function for anomaly detection for a network. In this case, the memory 2530 may operate as a separate mass storage and may include a control function for performing an operation.

In one implementation, the memory 2530 is a computer readable medium. In one implementation, the memory 2530 may be a volatile memory unit, and for other implementations, the memory 2530 may be a nonvolatile memory unit. In one embodiment, the storage device is a computer readable medium. In various different implementations, the storage device may include, for example, a hard disk device, an optical disk device, or some other mass storage device.

As described above, the abnormal behavior detection method and the apparatus using the same according to the present invention may not be limitedly applied to the configuration and method of the embodiments described as described above, but the embodiments may be modified in various ways. All or part of each of the embodiments may be configured to be selectively combined so that.

110: anomaly detection device
120: controller input / output abnormal behavior detection device
310: packet size 320: packet histogram
410, 420: feature layers 610, 620, 710, 720, 910: transactions
611, 612, 613, 621, 622, 631: packets
920: packet type sequence
1110, 1710: Packets sent from IP1 to IP2
1120, 1720: Packets sent from IP2 to IP1
1210: value per byte 2010, 2020: first histogram
2120 ~ 2160: Log group 2510: Communication unit
2520: Processor 2530: Memory

Claims (20)

Extracting a log for learning based on the collected traffic when the network is normal;
Training a local (LOCAL) detection model for detecting network anomaly based on the log and a global (GLOBAL) detection model for detecting network anomaly in consideration of traffic flow; And
Simultaneously performing a local detection and a global detection of the network anomaly by using the local detection model and the global detection model.
Including,
The learning step
Training the global detection model based on a PATTERN MATCHING scheme;
Training the global detection model
Generating a first histogram of the number of transmissions for each communication path corresponding to the network every first predetermined unit time based on the log;
Generating a second histogram of the transmission frequency for each communication path corresponding to the network every second predetermined unit time smaller than the predetermined first unit time; And
The first histogram and the second histogram are matched in consideration of similarity, and an average and variance of the vector distances between the two matched histograms are calculated to generate a CHI-SQUARE distribution corresponding to the network. Anomaly detection method for a network, characterized in that it comprises a step. The method according to claim 1,
The learning step
And learning the local detection model based on the features extracted from the packet. The method according to claim 2,
Training the local detection model
Classifying the log by communication section corresponding to the network; And
Extract a plurality of first feature points mapped to an N-dimensional space based on a plurality of packets corresponding to any one communication section, and cluster the plurality of first feature points based on a LOYID algorithm to cluster one or more first features. Anomaly detection method for a network comprising the step of creating a cluster. The method according to claim 3,
Creating the at least one first cluster
The cluster center for the one or more first clusters is calculated, and clustering is repeatedly performed until the distance difference between the cluster centers calculated for each communication section is less than a predetermined error distance. Behavior detection method. The method according to claim 3,
Creating the at least one first cluster
Analyzing a byte (BYTE) of each of the plurality of packets to generate a packet histogram for each of the plurality of packets;
Inputting the packet histogram as input data of a stacked autoencoder based on a greedy layer based learning scheme; And
Performing learning about the stacked autoencoder, and extracting the plurality of first feature points based on the feature layer of the stacked autoencoder. The method according to claim 3,
Training the local detection model
Classifying the plurality of packets based on an INTERARRIVAL TIME to generate one or more transactions (TRANSACTION);
Generating at least one packet type sequence by converting at least one packet included in the at least one transaction into a type corresponding to the first cluster, and generating at least one second cluster by clustering the at least one packet type sequence Anomaly detection method for a network, characterized in that it further comprises. The method according to claim 3,
Learning the local detection model
Analyzing byte of each of the plurality of packets to generate byte frequency data including the number of occurrences of each byte;
The 256 frequency values included in the byte frequency data are classified into buckets to generate a plurality of buckets smaller than the frequency values, and the frequency values allocated to the plurality of buckets are summed to generate bucket frequency data. Generating; And
Clustering the bucket frequency data to generate one or more third clusters for any one packet. The method according to claim 7,
Generating the bucket frequency data
And a plurality of frequency values used to classify packets among the 256 frequency values are classified into different buckets. The method according to claim 7,
Learning the local detection model
Generating one or more transactions by classifying the plurality of packets based on a transmission time difference;
Combining packet transmission direction corresponding to the packet allocated to the one or more transactions with the one or more third clusters to generate packet frequency data for knowing the byte frequency of the transaction for each communication section; And
Detecting a normal pattern for learning based on the packet frequency data, and learning the local detection model corresponding to the normal pattern. delete The method according to claim 1,
The generating step
Anomalous behavior for a network, wherein the log is classified into a plurality of log groups in consideration of a plurality of communication paths corresponding to the network and time, and the chi square distribution is generated for each of the plurality of log groups. Detection method. The method according to claim 9,
The step of performing
If any one of the individual packet and the individual transaction transmitted through the network does not correspond to any one of the one or more first cluster, the one or more third cluster, and the normal pattern, it is determined that the abnormal traffic in the network Anomaly detection method for a network, characterized in that. The method according to claim 6,
The step of performing
If the individual transaction transmitted through the network is not included in the one or more second cluster, the abnormal transaction detection method for the network, characterized in that determining the individual transaction as an abnormal transaction. The method according to claim 1,
The step of performing
Generating a histogram to be detected corresponding to the second unit time to detect the network, and detecting one of the first histograms having the highest similarity to the histogram to be detected among a plurality of first histograms; And
Determining that abnormal traffic has occurred in the network when the vector distance between the first histogram and the detection histogram does not correspond to a 99% confidence interval of the chi square distribution. Anomaly detection for. Extract the log for learning based on the collected traffic when the network is normal, and detect the network abnormality by considering the local (LOCAL) detection model and the traffic flow that detect the network abnormality based on the packet. A processor configured to learn a global detection model, and simultaneously perform a local detection and a global detection of the network anomaly using the local detection model and the global detection model; And
A memory storing at least one of the log, the local detection model and the global detection model
Including,
The processor is
Train the global detection model based on a PATTERN MATCHING method, generate a first histogram for the number of transmissions for each communication path corresponding to the network at a first predetermined unit time based on the log; Generate a second histogram of the transmission frequency for each communication path corresponding to the network every second predetermined unit time smaller than a first predetermined unit time, and match the first and second histograms in consideration of similarity. And generating an CHI-SQUARE distribution corresponding to the network by calculating an average and a variance of the vector distances between the matched two histograms. The method according to claim 15,
The processor is
Anomaly detection apparatus for a network, characterized in that for learning the local detection model based on the feature extracted from the packet. The method according to claim 16,
The processor is
The log is classified according to a communication section corresponding to the network, and a plurality of first feature points mapped to a predetermined N-dimensional space are extracted based on a plurality of packets corresponding to any one communication section, and a LOYID algorithm Anomaly detection apparatus for a network, characterized in that for generating at least one first cluster by clustering the plurality of first feature points based on. The method according to claim 17,
The processor is
The cluster center for the one or more first clusters is calculated, and clustering is repeatedly performed until the distance difference between the cluster centers calculated for each communication section is less than a predetermined error distance. Behavior detection device. The method according to claim 17,
The processor is
When the individual packet transmitted through the network is not included in the one or more first cluster, the abnormal behavior detection apparatus for the network, characterized in that the individual packet is determined as an abnormal packet. The method according to claim 17,
The processor is
In order to detect the network, a detection target histogram is generated corresponding to the second unit time, and among the plurality of first histograms, any one first histogram having the highest similarity to the detection target histogram is detected, and the one And determining that abnormal traffic has occurred in the network when the vector distance between the first histogram and the target histogram does not correspond to a 99% confidence interval of the chisquare distribution.

Images