KR20170082934A - System for detecting abnormal behaviors allowing for personalized early use behavior occurrence probability deviation - Google Patents
System for detecting abnormal behaviors allowing for personalized early use behavior occurrence probability deviation
- Publication number
- KR20170082934A (application number KR1020160002286A)
- Authority
- KR
- South Korea
- Prior art keywords
- behavior
- abnormal
- normal range
- occurrence probability
- profile
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/306—User profiles
Abstract
The abnormality detection unit of the abnormal behavior detection system according to the present invention receives predetermined situation information from the situation information collection system in a BYOD (Bring Your Own Device) and smart work environment, and comprises: a detection request classifying module that classifies a detection request message and transmits the classified information to each analysis section of the abnormal behavior analysis module; an abnormal behavior analysis module that analyzes whether the user's use behavior is abnormal by performing a 'comparison of similarity of service page use order' and a 'use speed comparison' through an initial use behavior pattern analysis procedure; and an abnormal behavior detection module that generates a normal or abnormal result value when the analysis result is stored. The abnormal behavior analysis module includes an initial use behavior analyzing unit that calculates the occurrence probability (X) of the currently used initial page sequence, sets a normal range interval according to the average occurrence probability (N), and determines whether the current user's use behavior is abnormal by checking whether X lies within that normal range.
Unlike existing network-based security devices that rely on network traffic analysis, the present invention detects abnormal behavior by patterning actions based on various action factors such as time, location and access network. The abnormal behavior detection system according to the present invention is intended to improve system security in the BYOD and smart work environment: after processing the status information into connection, use and agent situation information and profile information, it detects abnormal connections by the terminal and judges its use behavior by occurrence probability.
Description
The present invention relates to a system for protecting internal resources in a BYOD and a smart work environment, and more particularly, to a system for detecting abnormal behavior in a BYOD and a smart work environment.
The spread of Internet infrastructure and the development of mobile communication have brought about a change that amounts to a transformation of our society. In particular, mobile devices such as smartphones have become deeply embedded in our lives, well beyond their role as a means of communication. This trend has spread to the workplace and has introduced a new business environment called BYOD (Bring Your Own Device). BYOD is a concept in which personal devices are used for business purposes: a personally owned mobile device such as a smartphone, laptop or tablet accesses internal IT resources such as the company's databases and applications. From the enterprise's standpoint, BYOD promises faster, more efficient and more productive work through more efficient business processes. Moreover, since BYOD uses the personal device, there is no economic burden of paying for a separate business device. As a result, many companies are striving to introduce BYOD successfully, while users have already begun using personal devices for work before the companies are ready.
The new IT environment of BYOD and smart work has been accelerated by the formation of the wireless Internet environment, the popularization of smart devices such as tablet PCs and smartphones, the increased use of desktop virtualization and cloud services, and the emphasis on real-time communication and business continuity.
And, as the BYOD era comes, the internal infrastructure of the enterprise is being transformed from a closed environment to an open environment. Anytime, anywhere access to corporate infrastructure is allowed.
The corporate infrastructure can be accessed through a wireless router (AP), switch, etc. inside the enterprise, and from outside the company through a mobile communication network, public Wi-Fi and the like.
As such, changes to an open environment have achieved business continuity and convenience, while a number of previously unexpected security threats can also occur. Above all, there is a high risk that internal data may be leaked as individual devices access the internal infrastructure of the enterprise. That is, there is a possibility of leakage of internal data due to the loss or theft of the personal device, and the corporate IT asset caused by accessing the internal intranet of the personal device infected by the malicious code may be threatened.
In order to solve these problems, the KISA implemented an abnormal behavior detection system (Korean Patent Laid-Open No. 10-2015-0000990, hereinafter referred to as "prior art") using a personalized initial use behavior pattern analysis.
However, although the prior art determines whether use behavior is normal according to individual behavioral deviation, it is limited in how it calculates the normal range, and its process of judging whether a user's behavior is abnormal is somewhat inadequate and ineffective. An additional analysis algorithm is needed that overcomes these problems and improves the performance of abnormal behavior detection.
SUMMARY OF THE INVENTION The present invention has been conceived to solve the above-described problems, and it is an object of the present invention to provide an abnormal behavior detection system that processes the status information of a BYOD and smart work environment, detects abnormal device connections and abnormal use in real time, and detects abnormal behavior on that basis.
Another object of the present invention is to provide an abnormal behavior detection system that compares the order and use rate of the pages used immediately after a user connects with the pattern of past connections through analysis of the initial use behavior pattern.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the present invention will be realized and attained by the structure particularly pointed out in the claims, as well as the following description and the annexed drawings.
Unlike existing network-based security devices that rely on network traffic analysis, the present invention detects abnormal behavior by patterning actions based on various action factors such as time, location and access network.
The abnormal behavior detection system according to the present invention is intended to improve system security in the BYOD and smart work environment: after processing the status information into connection, use and agent situation information and profile information, it detects abnormal connections by the terminal and judges its use behavior by occurrence probability.
By treating the atypical data that can occur in a business scenario, that is, the type of equipment used, the connection time (e.g., work time) and the usage time, as the user's behavior pattern, the present invention detects unusual access/use behavior and improves system security in the BYOD and smart work environment.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is an illustration of a BYOD and smart work environment.
FIG. 2 is a block diagram of an abnormal behavior detection system according to the present invention.
FIG. 3 is a block diagram of an abnormal detection unit according to the present invention.
FIG. 4 is a flowchart illustrating an operation of a status information processing unit according to the present invention.
FIG. 5 is a block diagram of an initial use behavior analyzing unit according to the present invention.
FIG. 6 is a block diagram of an initial usage behavior analyzing unit according to the present invention.
FIG. 7A is a flowchart illustrating an operation of the abnormal detection unit according to the present invention.
FIG. 7B is a flowchart illustrating an initial usage behavior pattern analysis procedure according to the present invention.
FIG. 7C is a flow diagram illustrating a string similarity (LCS) comparison according to the present invention.
FIG. 8A is a diagram illustrating a processing table of current occurrence information for pattern analysis and detection of an initial use behavior.
FIG. 8B is a diagram illustrating a processing table of past behavior information for pattern analysis and detection of an initial use behavior.
FIG. 9 is a diagram illustrating an example of the operation of analyzing and detecting an initial usage behavior pattern according to the present invention.
FIG. 10 is an exemplary view showing a method of obtaining the average occurrence probability N of past page use orders according to the present invention.
In order to accomplish the above object, the present invention provides an abnormality detection unit of an abnormal behavior detection system that, when receiving predetermined situation information from the situation information collection system in a BYOD (Bring Your Own Device) and smart work environment, detects abnormal use behavior by comparing the user's use behavior pattern at the beginning of a connection with past usage behavior patterns.
The abnormality detection unit comprises: a detection request classification module for classifying the detection request message and transmitting the classified information to each analysis section of the abnormal behavior analysis module; an abnormal behavior analysis module for analyzing whether the user's use behavior is abnormal through an initial usage behavior pattern analysis process that compares the similarity of the service page usage order and compares the usage speed; and an abnormal behavior detection module for generating a normal or abnormal result value according to the result of the abnormal behavior analysis module. The abnormal behavior analysis module obtains the occurrence probability X of the currently used initial page sequence, sets a normal range interval according to the average occurrence probability N, and judges whether the use behavior of the current user is abnormal by checking whether X is within that normal range.
Preferably, the initial use behavior analyzing unit comprises: a unit that checks the service page usage amount (N) of the current connection session and, if the checked amount N is smaller than a reference value, determines that the initial behavior available for analyzing abnormal behavior is insufficient; a usage order detecting unit for obtaining the current initial service page usage order when the usage amount N is larger than the reference value; a connection pattern analyzing unit for querying past initial service page usage orders having the same connection pattern and calculating the past average utilization rate; and a usage pattern analyzing unit for determining whether the user's initial use behavior pattern is within the normal range and, if so, determining whether the user's use behavior is abnormal by comparing the use behavior speed.
Preferably, the usage pattern analyzing unit includes: a past average occurrence probability calculating unit that obtains the average occurrence probability (N) of the past initial page use orders with reference to the profile information in the storage unit; a normal range selection unit that determines the normal range of the average occurrence probability X such that the width between its maximum and minimum values shrinks as N increases; a similarity calculating unit that calculates the similarity between the current 'service page use order' and every past 'service page use order'; a current average occurrence probability calculating unit that averages the calculated similarity values to obtain the average occurrence probability X of the current initial page use order; a unit that outputs a normal result when X is within the normal range and an abnormal result when X is larger or smaller than the normal range; a utilization rate comparing unit that compares the current initial utilization rate with the past initial utilization rate when X is within the normal range; and a normal state determination unit that determines the current user's use behavior to be normal when the current utilization rate falls within the normal range of past rates.
According to another aspect of the present invention, there is provided an abnormal behavior detection method for the abnormality detection unit of an abnormal behavior detection system in a BYOD (Bring Your Own Device) and smart work environment, which detects abnormal usage behavior by comparing the usage pattern a user performs at the beginning of a connection with past usage behavior patterns when context information is received.
The method comprises: a step in which the detection request classification module classifies the detection request message and transmits the classified information to each analysis section of the abnormal behavior analysis module; a step in which the abnormal behavior analysis module analyzes whether the user's use behavior is abnormal by comparing the service page usage order and the utilization rate; and a step in which a result value is generated when the analysis result of the abnormal behavior analysis module is stored. In the analysis step, the abnormal behavior analysis module drives the initial use behavior analyzing unit to obtain the occurrence probability X of the current initial page order, sets a normal range according to the average occurrence probability N, checks whether X is within that normal range, and so performs the initial use behavior pattern analysis procedure to determine whether the behavior is abnormal.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.
BYOD and SmartWall service can analyze the status information of the user accessing / using the company internal service and judge whether the user behavior is abnormal in real time and control the connection / use of the user when necessary. The abnormal behavior detection system according to the present invention determines whether the user behavior is abnormal based on a previously stored normal profile, a previously set security policy, and a currently occurring behavior.
The status information refers to information related to connection, use, and termination of a user collected in the collection system and transmitted to the abnormal behavior detection system. The profile is an information set that identifies a user and quantifies a behavior of a user, and is information obtained by accumulating information on a user from the past and patterning the information. A series of behaviors for profile management such as profile creation, modification, deletion, and storage is called profiling.
FIG. 1 is an exemplary view showing a BYOD and smart work environment.
As shown in FIG. 1, the BYOD and smart work environment includes a situation
The situation
At this time, the collected situation information includes a connection address (e.g., id, affiliation, authority, current state, etc.), a connection pattern (authentication result, Time information. Such situation information exists as periodic transmission data and aperiodic (real time) transmission data, but the situation
1, the abnormal
The abnormal
The
The
The
The
FIG. 2 is a block diagram of an abnormal behavior detection system according to the present invention.
2, the abnormal
The situation
All the received status information is transmitted to the status
As shown in FIG. 4, the status
The situation
The situation
If the status information related to the 'network connection' is received, the situation
When the situation information on 'service use' is received, the situation
Then, when the status information on 'DB use' is received, the information is updated to the processed information. When the status information on the 'Agent variation' is received, the UAID is inquired and updated to the processing information of the user matching the corresponding information. When the status information on 'connection termination' is received, the process of terminating the current connection ID and the connection termination time are updated.
Thereafter, when all the context information is received, a detection request message is generated and transmitted to the
Next, the
Upon inputting various types of context information, the detection
The abnormal behavior analysis module 234 is a module for analyzing various abnormal behaviors and includes normal profile based
The normal profile-based
The
The abnormal web
The
The security policy set by the administrator consists of a series of conditions (criteria) and the control results applied when those conditions are met. The security policy of the target system is set using the types of information used to construct the user's processing information and profile information.
The
When the behavior analysis result is stored in the abnormal behavior analysis module 234, the abnormal
As shown in FIG. 6B, the
When the
Next, the
At this time, the stored profile information includes a user profile, a terminal device profile, a connection behavior profile, and a usage behavior profile. The terminal profile includes at least one of a device ID, a type, an OS, a browser, a device name, a MAC address, a user ID, a total authentication failure time, whether the agent is installed, whether the screen is locked, installation program information, automatic login setting, and the latest connection date and time. The connection behavior profile includes connection behavior pattern information, and the usage behavior profile includes the user's initial usage behavior pattern information.
The
The present invention stores (& manages) 100 initial usage behavior profiles (or connection behavior profiles) for each user in the
FIG. 4 is a flowchart illustrating an operation of the status information processing unit according to the present invention.
As shown in FIG. 4, the status
In the case of the 'connection' status information, the status
In the case of 'service utilization' status information, the service utilization information is updated by searching for the session being accessed based on the connection ID, and the related behavior analysis information is calculated.
Also, in the case of 'DB use' situation information, the information is kept in the repository until it is used, and entries older than a certain time are deleted.
Also, in the case of the agent change / end information, the user having the corresponding UAID is searched to update the change information.
In the case of the 'end' status information, the connection of the corresponding connection ID is terminated and the processing information is updated.
FIG. 5 is a block diagram of an initial use behavior analyzing unit according to the present invention.
The normal profile-based
Among the elements constituting the normal profile-based behavior analysis unit, the initial usage
When the status information on 'Web service use' is inputted to the abnormal
If the checked service page usage amount N is smaller than the reference value, the page
If the service page usage amount N is greater than a reference value (e.g., 3), the usage
Then, the
The connection
6, the usage
The
The
The current average occurrence
The past average occurrence
The past average occurrence
[Equation 1]

$$P_I = \frac{\left(\sum_{j=1}^{100} s_j\right) - s_I}{99}, \qquad I = 1, 2, \dots, 100$$

where $P_I$ is the occurrence probability of profile $I$ and $s_j$ is the similarity of profile $j$, so the numerator is the sum of the similarities of the 99 profiles other than profile $I$.
The probability of occurrence of the first profile (profile 1) is obtained by adding all similarities from the second profile (profile 2) to the 100th profile (profile 100) and dividing the sum by the number of profiles (99).
The probability of occurrence of the second profile (profile 2) is calculated by adding all similarities of the profiles other than the second profile (profile 2) (for example,
The past average occurrence
Once the occurrence probabilities of the first profile (profile 1) through the 100th profile (profile 100) have been obtained, they are all added and the sum is divided by the total number of profiles (100) to obtain the average occurrence probability (N) of the past initial page use orders.
The normal
For example, the normal range of the average occurrence probability (X) is set so that the maximum and minimum are in the range of N ± 3% when the average occurrence probability (N) is 90% or more and less than 100%. A user with an average probability of occurrence (N) of 90% or more uses the initial service in an almost similar pattern, so the width of the normal range can be caught at about 3%.
If the average occurrence probability N is 92%, the normal range of the average occurrence probability X is 89% < X < 95%; the same ±3% rule applies when N is 96%, and when N is 99% the normal range becomes 96% < X < 100%.
When the average occurrence probability N is 80% or more and less than 90%, the normal
If the average occurrence probability (N) is 70% or more and less than 80%, the normal range is set to N ± 10%. If N is 60% or more and less than 70%, the range is set wider still; if N is between 50% and 60%, the normal range is N ± 30%. If N is 40% or more and less than 50%, the width is 40%, and if N is 30% or more and less than 40%, the normal range is N ± 50%.
Since a user with an average occurrence probability (N) of 30% or more and less than 40% does not use the initial service pages in a substantially consistent pattern, the width of the normal range is set to about 50% to accommodate that pattern.
By setting the normal range of the average occurrence probability (X) according to the average occurrence probability (N), the present invention overcomes the limitation of conventional methods (for example, methods that set only a single reference value), in which normal range estimation based on individual behavioral variation is limited.
As described above, the normal range setting method of the present invention analyzes the average similarity of each user's past profiles to determine how consistently that user uses the initial service pages in the same order, or how randomly, and varies the width of the normal range accordingly, thereby taking each user's deviation into account.
The normal
When the normal
The normal-
FIG. 7A is an operation flowchart of the abnormality detecting unit according to the present invention, and particularly relates to analysis of an initial use behavior pattern of a normal profile-based behavior analyzing unit constituting the abnormality detecting unit.
As shown in FIG. 3, the
The abnormal behavior analysis module 234 is a module for analyzing various patterns of abnormal behavior and includes normal profile-based
The normal profile-based
The initial use
In step S20, if the service page usage amount N is larger than a reference value (e.g., 3), it is determined that sufficient initial action has been performed for the abnormal behavior analysis and the initial usage behavior pattern analysis is started.
The initial usage
Thereafter, as shown in FIG. 7B, 'comparison of similarity of service page usage order' and 'comparison of utilization rate' are performed through an initial usage behavior pattern analysis procedure to determine whether or not it is an abnormal behavior. (S50) FIG. 7B is a flowchart illustrating an initial usage behavior pattern analysis procedure according to the present invention.
As shown in FIG. 7C, the initial
Thereafter, as shown in FIG. 7C, similarity between the current and past 'service page use order' is calculated and stored in the comparison matrix. (S52b, S52c), and the similarity calculation procedure (S52a, LCS comparison) is repeatedly performed to calculate similarity for all past actions. (S52d)
Then, as in the following Equation 2, the average of all similarity result values thus obtained is computed. (S54) This average is the occurrence probability (X) of the initial page order currently used.
[Equation 2]
Probability of occurrence (X) = (sum of all similarity values) / (total number of past items queried)
9B, the initial use
The initial use
If the occurrence probability X value is included in the normal range period, the initial use
Then, in accordance with the comparison result (S58), it is finally determined whether or not the current user's use behavior is an abnormal behavior. (S59)
If the current initial utilization rate belongs to the normal range of the initial utilization rate of the past (for example, within Z%), the initial usage
On the other hand, if the occurrence probability X is not included in the normal range period or the current initial use rate deviates from the normal range (e.g., Z%) of the past initial usage rate, It is determined to be an abnormal behavior.
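The initial use behavior pattern analysis procedure (S50 to S59), together with Equation 1, Equation 2 and the N-dependent normal range table above, as a worked example in Python. This is added example code, not the patent's implementation: it generalizes the 100-profile formula to any number of stored profiles, normalizes the LCS length by the longer sequence (an assumption, since the page does not state the normalization), uses pages per minute as the use speed, and fills the range widths the page leaves unspecified (80-90%, 60-70%, below 30%) and the tolerance Z with assumed values that are marked as such in the code; all sample data is constructed.

```python
"""Worked example (not the patent's code) of the initial use behaviour check:
LCS similarity of service page orders, occurrence probability X of the current
session (Equation 2), leave-one-out average N over the stored profiles
(Equation 1), an N-dependent normal range and the use speed comparison."""
from typing import Dict, List, Sequence, Tuple

MIN_PAGES = 3               # reference value for the page usage amount (page: "e.g., 3")
SPEED_TOLERANCE_PCT = 30.0  # the page's Z%; the value 30 is an assumption

# Constructed sample data: five past initial page orders of one user with the
# same connection pattern, and the use speed (pages per minute) of each session.
PAST_ORDERS: List[List[str]] = [
    ["login", "home", "mail", "calendar"],
    ["login", "home", "mail", "calendar"],
    ["login", "home", "calendar", "mail"],
    ["login", "mail", "home", "calendar"],
    ["login", "home", "mail", "board"],
]
PAST_SPEEDS: List[float] = [4.0, 5.0, 4.5, 5.5, 5.0]


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence of two page orders (FIG. 7C)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Similarity in percent. Normalising by the longer order is an assumption;
    the page only says the comparison is LCS based."""
    longest = max(len(a), len(b))
    return 100.0 * lcs_length(a, b) / longest if longest else 100.0


def current_occurrence_probability(current: Sequence[str],
                                   past: Sequence[Sequence[str]]) -> float:
    """Equation 2: X = (sum of similarities to each past order) / (number of past orders)."""
    return sum(similarity(current, p) for p in past) / len(past)


def past_average_occurrence_probability(past: Sequence[Sequence[str]]) -> float:
    """Equation 1 generalised from 100 to M profiles: profile I's occurrence
    probability is its mean similarity to the other M-1 profiles; N is the mean
    of those M values."""
    m = len(past)
    per_profile = []
    for i, p in enumerate(past):
        others = sum(similarity(p, q) for j, q in enumerate(past) if j != i)
        per_profile.append(others / (m - 1))
    return sum(per_profile) / m


def normal_range(n: float) -> Tuple[float, float]:
    """Normal range for X given N: the width shrinks as N grows. The widths for
    N >= 90, 70-80, 50-60, 40-50 and 30-40 are the page's; those for 80-90,
    60-70 and below 30 are assumptions that keep the widths monotone. The
    bounds are clipped to [0, 100] as in the page's "96% < X < 100%" example."""
    if n >= 90:
        width = 3
    elif n >= 80:
        width = 5      # assumption
    elif n >= 70:
        width = 10
    elif n >= 60:
        width = 20     # assumption
    elif n >= 50:
        width = 30
    elif n >= 40:
        width = 40
    elif n >= 30:
        width = 50
    else:
        width = 60     # assumption
    return max(0.0, n - width), min(100.0, n + width)


def analyse(current: Sequence[str], current_speed: float,
            past: Sequence[Sequence[str]], past_speeds: Sequence[float]) -> Dict[str, object]:
    """Usage amount check (S20), X and N, normal range check, speed check (S58), verdict (S59)."""
    if len(current) < MIN_PAGES:                        # S20: not enough initial action yet
        return {"verdict": "insufficient", "reason": "fewer than MIN_PAGES pages used"}
    x = current_occurrence_probability(current, past)   # S52 to S54
    n = past_average_occurrence_probability(past)       # Equation 1
    low, high = normal_range(n)
    result: Dict[str, object] = {"X": x, "N": n, "range": (low, high)}
    if not (low < x < high):                            # strict, as in "89% < X < 95%"
        result.update(verdict="abnormal", reason="page order outside normal range")
        return result
    avg_speed = sum(past_speeds) / len(past_speeds)     # S58: use speed comparison
    deviation = abs(current_speed - avg_speed) / avg_speed * 100.0
    result["speed_deviation_pct"] = deviation
    if deviation > SPEED_TOLERANCE_PCT:
        result.update(verdict="abnormal", reason="use speed outside tolerance")
    else:
        result.update(verdict="normal", reason="order and speed within normal range")
    return result


if __name__ == "__main__":
    print(analyse(["login", "home", "mail", "board", "calendar"], 5.2, PAST_ORDERS, PAST_SPEEDS))
    print(analyse(["login", "admin", "users", "export"], 5.0, PAST_ORDERS, PAST_SPEEDS))
```

Note that with the strict inequality the page uses, a session that exactly repeats the most common past order can score above the upper bound and be flagged, so the clipping and the strictness of the bounds are worth deciding deliberately in a deployment.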
The abnormal
If the result of the judgment (S60) is normal (normal behavior), the abnormal
If the result of the determination (S60) is abnormal (abnormal behavior), the abnormal
The abnormal
According to a hardware implementation, the abnormal
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the spirit and scope of the invention as defined by the appended claims, and that the embodiments may be implemented selectively or in combination. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.
100: situation information collection system 200: abnormal behavior detection system
210: Situation information receiving unit 220: Situation information processing unit
230: abnormal detection unit 232: detection request classification module
234: abnormal
234b: initial use
234d: continuous
234f:
234b-10: a page
234b-30: Usage
234b-50: usage
234b-52: normal
234b-54: current average occurrence
234b-56: Usage
236: abnormal behavior detection module 250:
260: information analysis unit 270: storage unit
300: Control system 400: Personal use device
500: Security system
Claims (12)
A detection request classification module 232 for classifying the detection request message and transmitting the classified information to each analysis section of the abnormal behavior analysis module 234,
An abnormal behavior analysis module 234 for analyzing whether the user's use behavior is abnormal by performing 'comparison of similarity of service page use order' and 'use speed comparison' through an initial use behavior pattern analysis procedure,
And an abnormal behavior detection module 236 for generating a normal or abnormal result value when the analysis result of the abnormal behavior analysis module 234 is stored and transmitting the result to the control system 240,
The abnormal behavior analysis module 234 determines the occurrence probability X of the currently used initial page order and then sets a normal range interval for each occurrence probability N and determines whether the occurrence probability X is within the normal range And an initial usage behavior analyzer 234b for determining whether the current user's usage is abnormal or not.
A unit (234b-10) for checking the service page usage amount N of the current connection session and determining that the initial action for analyzing the abnormal behavior is insufficient if the checked usage amount N is smaller than the reference value,
A usage order detecting unit 234b-20 for obtaining a current initial service page usage order when the service page usage amount N is larger than a reference value,
A utilization rate calculator 234b-30 for calculating the utilization rate of the current initial service,
A connection pattern analyzing unit 234b-40 for inquiring the past initial service page use order having the same connection pattern and calculating the past average utilization speed,
And a usage pattern analyzer 234b-50 for determining whether the user's initial use behavior pattern is within the normal range and, when it is within the normal range, for determining whether the user's use behavior is abnormal through comparison of the use behavior speed, which characterizes the abnormality detection unit of the abnormal behavior detection system.
A past average occurrence probability calculation unit 234b-51 that obtains an average occurrence probability N regarding past initial page use orders by referring to the profile information of the storage unit 270,
A normal range selection unit 234b-52 for determining the normal range of the average occurrence probability X such that the width of the maximum / minimum value becomes smaller as the average occurrence probability value N becomes larger,
A similarity calculating unit 234b-53 for calculating the similarity between the current 'service page use order' and all past 'service page use order'
A current average occurrence probability calculation unit 234b-54 for calculating the average occurrence probability X related to the current initial page use order by calculating the average of the calculated similarity result values,
A normal range determination unit 234b-55 that outputs a normal result value when the occurrence probability X is within the normal range set by the normal range selection unit 234b-52, and outputs an abnormal result value when the occurrence probability X is larger or smaller than the normal range,
A utilization rate comparing unit 234b-56 for comparing the current initial utilization rate with a past initial utilization rate when the occurrence probability X is within a normal range,
And a normal state determining unit 234b-57 for determining that the current user's use behavior is a normal behavior when the current initial use speed belongs to the normal range of the past initial use speed, in the abnormality detection unit of the abnormal behavior detection system.
A past average occurrence probability calculation unit that obtains, according to the following equation, the occurrence probability of the initial page use order for each profile from the first profile (profile 1) to the 100th profile (profile 100), and obtains the average occurrence probability (N) related to the past initial page use order by adding all of the obtained profile occurrence probabilities and dividing the sum by the total number of profiles (100).
Wherein the occurrence probability of the initial page use order from the first profile (profile 1) to the 100th profile (profile 100) is obtained according to the following equation:
Profile I = ((similarity of profile 1 + similarity of profile 2 + ... + similarity of profile 100) - similarity of profile I) / 99
(where I is an integer from 1 to 100)
When the average probability of occurrence (N) is 90 or more and less than 100, the normal range is set so that the maximum and minimum are in the range of N ± 3,
If it is 80 or more and less than 90, it is set to have a normal range of N ± 5,
If it is 70 or more and less than 80, it is set to have a normal range of N ± 10,
If it is 60 or more and less than 70, it is set to have a normal range of N ± 20,
If it is 50 or more and less than 60, it is set to have a normal range of N ± 30,
If it is 40 or more and less than 50, it is set to have a normal range of N ± 40,
And if it is 30 or more and less than 40, it is set to have a normal range of N ± 50.
Classifying the detection request message by the detection request classification module 232 and delivering the classified information to the analysis sections of the abnormal behavior analysis module 234;
The abnormal behavior analysis module 234 analyzes the similarity of the service page use order and the use speed comparison through the initial use behavior pattern analysis procedure to analyze whether the user's use behavior is abnormal,
When the analysis result of the abnormal behavior analysis module is stored, the abnormal behavior detection module 236 generates a normal or abnormal result value and transmits it to the control system 240,
The abnormal behavior analysis module 234 drives the initial use behavior analysis unit 234b to obtain the occurrence probability X related to the current initial page order, then sets a normal range interval for each average occurrence probability N and performs an initial usage behavior pattern analysis procedure that determines whether the current user's use behavior is abnormal by checking whether the occurrence probability X is within the normal range.
The page usage checking unit 234b-10 checks the service page usage amount N of the current connection session, and if the checked usage amount N is smaller than the reference value, determines that the initial action for analyzing the abnormal behavior is not sufficient and terminates the analysis;
When the service page usage amount N is larger than a reference value, the use order detection unit 234b-20 obtains a current initial service page use order,
The utilization rate calculation unit 234b-30 calculates the utilization rate of the current initial service,
A process in which the connection pattern analyzing unit 234b-40 retrieves a past initial service page use order having the same connection pattern and calculates a past average use speed,
The usage pattern analyzing unit 234b-50 determines whether the user's initial use behavior pattern is within the normal range and, when it is within the normal range, determines through comparison of the use speed whether the user's use behavior is abnormal, in the abnormal behavior detection method of the abnormality detection unit.
Calculating a mean occurrence probability N of the past initial page use order by referring to the profile information of the storage unit 270 by the past average occurrence probability calculation unit 234b-51,
The normal range selection unit 234b-52 determines a normal range of the average occurrence probability X such that the width of the maximum / minimum value becomes smaller as the average occurrence probability value N increases,
Calculating a degree of similarity between the current 'service page use order' and all past 'service page use order' by the similarity calculating unit 234b-53;
Calculating a mean occurrence probability (X) related to a current initial page usage order by the current average occurrence probability calculation unit 234b-54 calculating an average of the calculated similarity result values;
If the occurrence probability X is within the normal range defined by the normal range selection unit 234b-52, the normal range determination unit 234b-55 outputs a normal result value, and if the occurrence probability X is larger or smaller than the normal range, it outputs an abnormal result value;
Comparing the present initial use speed with a past initial use speed when the occurrence probability X is within a normal range;
And determining that the current user's use behavior is a normal behavior when the current initial use speed belongs to the normal range of the past initial use speed, in the abnormal behavior detection method of the abnormality detection unit.
Obtaining probabilities of occurrence of the initial page use order from the first profile (profile 1) to the 100th profile (profile 100)
Calculating an average occurrence probability (N) related to a past initial page use order by adding all of the obtained profile occurrence probabilities and dividing the sum by the total number of profiles (100), in the abnormal behavior detection method.
Wherein the abnormal behavior detection method of the abnormality detection unit obtains the occurrence probability of the initial page use order according to the following equation:
Profile I = ((similarity of profile 1 + similarity of profile 2 + ... + similarity of profile 100) - similarity of profile I) / 99
(where I is an integer from 1 to 100)
Determining a normal range such that a maximum and a minimum are in a range of N ± 3 when the average occurrence probability (N) is 90 or more and less than 100,
Determining a normal range so as to have a range of N ± 5 when the ratio is 80 or more and less than 90;
Determining a normal range so as to have a range of N ± 10 when the ratio is 70 or more and less than 80;
Determining a normal range so as to have a range of N ± 20 when the ratio is 60 or more and less than 70;
Determining a normal range so as to have a range of N ± 30 when the ratio is 50 or more and less than 60;
Determining a normal range so as to have a range of N ± 40 when the ratio is 40 or more and less than 50;
And determining a normal range so as to have a range of N ± 50 when the ratio is 30 or more and less than 40, in the method of claim 1.
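The initial-use check the claims describe (similarity of the current service page use order to the stored profiles, the per-profile occurrence probability formula, the average N, the banded normal range around N and the use-speed comparison), as an added example that is not the patent's own code. It generalises the formula from 100 profiles to k; the similarity measure, the three constructed profiles, the `min_pages` reference value and the `speed_tolerance` are assumptions the claims do not fix.

```python
from statistics import mean

# Half-width of the normal range per band of N, exactly as the claims list it
# (the claims define no band for N below 30, so normal_range returns None there).
NORMAL_RANGE_BANDS = [(90, 100, 3), (80, 90, 5), (70, 80, 10), (60, 70, 20),
                      (50, 60, 30), (40, 50, 40), (30, 40, 50)]
# Constructed sample: three stored initial service page use orders of one user.
SAMPLE_PROFILES = [["login", "home", "inbox", "msg", "logout"],
                   ["login", "home", "inbox", "search", "logout"],
                   ["login", "home", "search", "msg", "logout"]]

def similarity(order_a, order_b):
    """Assumed measure (claims fix none): % of positions visiting the same page."""
    longest = max(len(order_a), len(order_b))
    same = sum(1 for a, b in zip(order_a, order_b) if a == b)
    return 100.0 * same / longest if longest else 0.0
def profile_occurrence_probabilities(profile_sims):
    """Claim formula for k profiles: Profile I = (sum of all - sim_I) / (k - 1)."""
    total, k = sum(profile_sims), len(profile_sims)
    return [(total - s) / (k - 1) for s in profile_sims]
def past_average_occurrence_probability(profiles):
    """N: a profile's similarity is assumed to be its mean similarity to the others."""
    sims = [mean(similarity(p, q) for j, q in enumerate(profiles) if j != i)
            for i, p in enumerate(profiles)]
    return mean(profile_occurrence_probabilities(sims))
def current_average_occurrence_probability(current, profiles):
    """X: mean similarity of the current use order to every stored profile."""
    return mean(similarity(current, p) for p in profiles)
def normal_range(n):
    """(min, max) allowed for X; the band narrows as N grows."""
    for low, high, width in NORMAL_RANGE_BANDS:
        if low <= n < high:
            return n - width, n + width
    return None

def analyze_initial_use(current, profiles, speed, past_speeds,
                        min_pages=5, speed_tolerance=0.5):
    """Claim steps 234b-10..234b-57; min_pages and speed_tolerance are assumed."""
    if len(current) < min_pages:                       # 234b-10: too few pages
        return "insufficient"
    n = past_average_occurrence_probability(profiles)  # 234b-51
    x = current_average_occurrence_probability(current, profiles)  # 234b-53/54
    rng = normal_range(n)                              # 234b-52
    if rng is None or not rng[0] <= x <= rng[1]:       # 234b-55: too low or too high
        return "abnormal"
    past_avg = mean(past_speeds)                       # 234b-56: speed comparison
    if abs(speed - past_avg) > speed_tolerance * past_avg:
        return "abnormal"
    return "normal"                                    # 234b-57
```

Because the claims treat an X above the band as abnormal too, a session that matches the stored profiles more closely than the user's own history does is flagged as well.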
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160002286A KR20170082934A (en) | 2016-01-07 | 2016-01-07 | System for detecting abnomal behaviors allowing for personalized early use behavior occurrence probability deviation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160002286A KR20170082934A (en) | 2016-01-07 | 2016-01-07 | System for detecting abnomal behaviors allowing for personalized early use behavior occurrence probability deviation |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20170082934A true KR20170082934A (en) | 2017-07-17 |
Family
ID=59442930
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160002286A KR20170082934A (en) | 2016-01-07 | 2016-01-07 | System for detecting abnomal behaviors allowing for personalized early use behavior occurrence probability deviation |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20170082934A (en) |
2016
- 2016-01-07 KR KR1020160002286A patent/KR20170082934A/en not_active Application Discontinuation
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| A201 | Request for examination | |
| E902 | Notification of reason for refusal | |
| E601 | Decision to refuse application | |