WO2023129108A1 - An end-user behavior modeling system - Google Patents

An end-user behavior modeling system

Publication number
WO2023129108A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
transaction
value
authorization
authorization object
Application number
PCT/TR2022/051723
Inventor
Eren ESGIN
Original Assignee
M.B.I.S Bilgisayar Otomasyon Danismanlik Ve Egitim Hizmetleri Sanayi Ticaret Anonim Sirketi
Application filed by M.B.I.S Bilgisayar Otomasyon Danismanlik Ve Egitim Hizmetleri Sanayi Ticaret Anonim Sirketi

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/01 Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/02 Knowledge representation; Symbolic representation
    • G06N5/022 Knowledge engineering; Knowledge acquisition
    • G06N5/025 Extracting rules from data

Abstract

The present invention relates to a system (1) for collecting, transforming, digitizing and anonymizing raw transaction logs (footprints) corresponding to user behaviors in ERP systems, and performing behavior modeling.

Description

DESCRIPTION
AN END-USER BEHAVIOR MODELING SYSTEM
Technical Field
The present invention relates to a system for collecting, transforming, digitizing and anonymizing raw transaction logs (footprints) corresponding to user behaviors in ERP systems, and performing behavior modeling.
Background of the Invention
Although ERP systems allow authorization monitoring at the most detailed level for all processes, it is not possible to establish a sustainable and reliable authorization architecture for an information system wherein all processes of organizations that are relatively competent in ERP systems are monitored and managed. In ERP systems, authorization architecture is based on a single paradigm. According to the said approach, ERP systems are process-oriented and the requirements, business rules and operational procedures obtained from customers during the analysis phase are transformed into best applications or reference business processes that have been previously practiced during the design phase. Each reference business process consists of a set of functions or operations such as customer creation, order creation, vendor invoice entry. Each program used to perform a transaction in the ERP system is called a transaction code, and each parser object under these transaction codes is called an authorization object.
In the current ERP systems, specific roles are designed for users within the framework of "reference business process → transaction → authorization object" relationships, the contents of the designed roles are limited by the envisaged authorization objects, and the transaction logs of the transactions carried out under the responsibility of the end users can be accessed after the live transition. The main problem encountered when analyzing these transaction logs, i.e. users’ footprints, is that some transactions are not executed over time or, in other words, become silent, even though they are in the role assigned to the user. For this reason, today, instead of role contents determined based on reference business processes, there is a need for solutions wherein the transaction logs stored in the ERP system of end users are transformed and anonymized with different data preparation operations.
The United States patent document no. US20200128027A1, an application in the state of the art, discloses a system that enables autonomous surveillance of applications in the cloud system. In some embodiments of the present invention, the security monitoring and control system may comprise a learning system. The learning system is able to apply different machine learning algorithms by using the data obtained by the security monitoring and control system. Learned knowledge is used to make decisions with the data analysis system on user activities obtained from the service provider. For example, a learning system can learn the pattern of normal or general behavior of users in an organization. In these and other examples, the learning system can build models with the information patterns it obtains, but may not store this data and other data about the organization. The said United States patent document does not include a modeling process that collects, transforms, digitizes and anonymizes raw transaction logs corresponding to user behavior, and the said US document is related to the detection of possible anomalies, risks and suspicious user behavior according to normal and expected behavior patterns.
Summary of the Invention
The objective of the present invention is to realize a system that enables the collection of raw transaction logs corresponding to user behaviors in ERP systems, the transformation of the collected transaction logs, their digitization according to different information retrieval methods, and the modeling of behaviors by using classification-based machine learning algorithms based on the prediction of the role wherein the transaction contexts are labeled in terms of the digitized authorization object.
Detailed Description of the Invention
“An End-User Behavior Modeling System” realized to achieve the objective of this invention is shown in the figure attached, in which:
Figure 1 is a schematic view of the inventive system.
The components illustrated in the figure are individually numbered, where the numbers refer to the following:
1. System
2. Database
3. Server
K: Source ERP system data index
The inventive system (1) for collecting, transforming, digitizing and anonymizing raw transaction logs corresponding to user behaviors in ERP systems, and performing behavior modeling comprises:
-at least one database (2) which is configured to record the raw transaction logs retrieved from a source ERP system and associated with at least the users; and
-at least one server (3) which is configured to communicate with the source ERP system data index (K) by using any remote communication protocol; to retrieve raw transaction logs through this communication and to record them in the database (2) associated with users; to transform raw transaction logs corresponding to user behaviors, digitize them by using different information retrieval methods; and to perform modeling of behaviors by using classification-based machine learning algorithms based on prediction of the role wherein transaction contexts are labeled in terms of the authorization object after the digitization process.
The database (2) included in the inventive system (1) is configured to be in communication with the server (3) and to be managed by the server (3). The said database (2) is configured to record raw transaction logs therein. The server (3) included in the inventive system (1) is configured to manage the database (2) by operations of registering new data in the database (2), deleting the data stored in the database (2), modifying the data stored in the database (2), and updating the data stored in the database (2).
In a preferred embodiment of the invention, the server (3) is configured to perform data management with version management, basic adaptation and basic business rule maintenance operations. The server (3) is configured to maintain the version identifier, the description, the employee group to which the version belongs and the current period fields used for tracking, managing and monitoring the individual what-if scenarios in the version management adaptation process. The server (3) is configured to adapt the basic hyper-parameter values to be retrieved from the user in the use cases of batch transaction logging, transaction log digitization and behavior model validation in the version configuration adaptation process. The server (3) is configured to identify the current critical authorization objects for the what-if scenarios enabled in the basic adaptation process. The server (3) is configured to assign the most probable role identifier with which the transaction code of each transaction record in the transaction logs of domain experts in the transaction code labeling process is associated. The server (3) is configured to group the end-users by period and user group combinations with reference to the behavior modeling scope of the domain experts within the scope of the basic business rules as a last step in the data management process. The server (3) is configured to retrieve the raw transaction logs of each active end user, including the user name, timestamp in date and time detail and transaction context information in the domain detail of each authorization object used on a transaction basis, from the Source ERP system data index (K) with predetermined periods by means of a plug-in and combine them into a single file. The server (3) is configured to execute the process of combining in a single file separately for each user group combination by means of the version parameter in the data management process. 
The server (3) is configured to detect critical authorization objects in the raw transaction log combination process, define the said objects as attributes in the batch transaction log, and then use them in the batch transaction logging process. The server (3) is configured to list the frequencies of the related objects in the raw transaction log to filter the authorization object in the ERP system and sort the authorization objects according to the decreasing frequency value. In the preferred embodiment, the server (3) is configured to ignore related authorization objects and to detect high value-added information and low-frequency special authorization objects according to domain experts. The server (3) is also configured to decide the list of important authorization objects according to certain rule-of-thumb business rules such as the Pareto 80/20 rule, break value parameter, etc.
The server (3) is configured to limit the authorization object context of each transaction cycle executed by a specific user in batch transaction logging and to combine each authorization object context used between the triggering of two consecutive identical transactions in the raw transaction log with the domain label(s) and domain value(s) in the corresponding row to group the raw transaction log and process the resulting values into the corresponding authorization object attribute. The server (3) is configured to list the transition frequencies of authorization objects in the raw transaction log in order to filter out the ones with relatively high information added value among a large number of authorization objects in the raw transaction log grouping process, and to include the authorization objects with relatively high frequencies and emphasized by domain experts in the batch logging creation process. The server (3) is configured to filter raw job logging records by using the critical authorization objects defined in the data management process and to group each transaction log record for each user, and sort them in descending order by timestamp. The server (3) is configured to combine each raw transaction log row in a transaction cycle that contains the entire context of the transaction in terms of the authorization object, domain, and domain value for the relevant transaction in a start-to-end time range, by domain and domain value, and to process the resulting value row into the relevant authorization object attribute of the row defined for the transaction cycle to which the row belongs. 
The server (3) is configured to detect and delete transaction cycle records with empty authorization object attribute values in the batch transaction log after processing to the authorization object attribute, and to list occupancy rates for transaction and authorization object combinations according to the missing authorization object filling threshold value set in the data management process. The server (3) is configured to process the median value calculated for combinations exceeding the missing authorization object filling threshold value into the empty authorization object attribute and to execute operations for each user group separately by using the version selection parameter specified in the data management operation.
The server (3) is configured to digitize the categorical type authorization object attribute values of the transaction logs grouped by the user and transaction detail and anonymize them according to the transformation function combinations in the transaction log digitization, that is, anonymization process. In a preferred embodiment, the server (3) is configured to use the leverage and cosine similarity functions. The server (3) is configured to proportion the confidence value of the transitions of the categorical role content in the relevant authorization object attribute together with the target attribute or transaction value to the support value of the target domain and to obtain the leverage values in order to digitize the categorical attribute value according to its association with the target domain value in the relevant transaction cycle and to anonymize the categorical authorization object value. (I)
Figure imgf000008_0001
The server (3) is configured to apply two normalization functions, z-score and MIN/MAX, on the leverage values obtained. The server (3) is configured to perform normalization with the Z-score function and determine how many standard deviations away the calculated score value and leverage value are from the average value of the relevant authorization object. (II)
Figure imgf000008_0002
The server (3) is configured to perform the normalization process with the MIN/MAX function and interpolate the leverage value calculated for the relevant authorization object so that its minimum value is equal to 0 and its maximum value is equal to 1. (III)
Figure imgf000008_0003
The server (3) is configured to retrieve an average transaction log (average behavior, AB-average behavior) from the normalized transaction log and process the minimum, median, or maximum value in the sample for each authorization object attribute in the average transaction log. The server (3) is configured to identify the average behavior as the ground truth in a cosine similarity measure, to position each transaction log with respect to said reference, to reduce the authorization object content of the relevant transaction log or average behavior to field-based dimensions in the positioning process, and to vectorize the field values according to the support (frequency) value in the entire data set. The server (3) is configured to calculate the cosine similarity value between the average behavior and the corresponding transaction cycle for a given authorization object. (IV)
Figure imgf000009_0001
The server (3) is configured to apply two transformation functions, arc-cosine and standard distance, to the calculated cosine similarity value. The server (3) is configured to transform the similarity score calculated from the range [-1, +1] according to the arc cosine function to the range [0, +1] as a distance measure. (V)
Figure imgf000009_0002
The server (3) is configured to apply a standard distance transform function to the calculated cosine similarity value and multiply the result by a factor of 0.5 according to the distribution of the similarity score. (VI)
Figure imgf000009_0003
The server (3) is configured to use the outlier threshold limit selection parameter defined for version configuration adaptation in data management to detect possible outlier transaction cycles or records according to digitized authorization object values, and to label authorization object values other than the first and third quartile values (Q1, Q3) as outliers. The server (3) is configured to ignore the corresponding transaction cycle when the number of labeled authorization objects exceeds the prescribed limit, and to transform the authorization object values into a Gaussian-like distribution by deleting outliers outside the first and third quartile. The server (3) is configured to execute the transaction log digitization process separately for each user group. The server (3) is configured to process the transaction results into a database (2) and to enable them to be used for behavior modeling and validation.
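The digitization steps described above (leverage, z-score and MIN/MAX normalization, cosine similarity to the average behavior, the two distance transforms and quartile-based outlier labelling), sketched as an added example that is not part of the patent text. The formulas (I) to (VI) are not present on this page, so each function is an assumed reading of the sentence that introduces it; the sample cycles, the field names and the parameter `k` (standing in for the outlier threshold limit) are hypothetical.

```python
import math
from collections import Counter
from statistics import mean, median, pstdev, quantiles

# Constructed sample: one row per transaction cycle with the field values of a
# single authorization object. All names and values are hypothetical.
CYCLES = [
    {"tx": "ORDER_CREATE",  "fields": {"ACTIVITY": "01", "ORG": "1000"}},
    {"tx": "ORDER_CREATE",  "fields": {"ACTIVITY": "01", "ORG": "1000"}},
    {"tx": "ORDER_CREATE",  "fields": {"ACTIVITY": "01", "ORG": "1000"}},
    {"tx": "ORDER_CREATE",  "fields": {"ACTIVITY": "02", "ORG": "1000"}},
    {"tx": "INVOICE_ENTRY", "fields": {"ACTIVITY": "01", "ORG": "1000"}},
    {"tx": "INVOICE_ENTRY", "fields": {"ACTIVITY": "01", "ORG": "2000"}},
    {"tx": "INVOICE_ENTRY", "fields": {"ACTIVITY": "03", "ORG": "9000"}},
    {"tx": "ORDER_CREATE",  "fields": {"ACTIVITY": "01", "ORG": "1000"}},
]

def as_value(fields):
    """Categorical attribute value of the authorization object for one cycle."""
    return "|".join(f"{k}={v}" for k, v in sorted(fields.items()))

def leverage_scores(cycles):
    """Assumed reading of (I): confidence(value -> tx) divided by support(tx)."""
    n = len(cycles)
    pairs = Counter((as_value(c["fields"]), c["tx"]) for c in cycles)
    values = Counter(as_value(c["fields"]) for c in cycles)
    txs = Counter(c["tx"] for c in cycles)
    scores = []
    for c in cycles:
        v, t = as_value(c["fields"]), c["tx"]
        confidence = pairs[(v, t)] / values[v]   # how often this value goes with tx
        support = txs[t] / n                     # how common tx is overall
        scores.append(confidence / support)
    return scores

def z_score(xs):
    """(II): distance from the attribute mean in standard deviations."""
    mu, sd = mean(xs), pstdev(xs)
    return [0.0 if sd == 0 else (x - mu) / sd for x in xs]

def min_max(xs):
    """(III): rescale so the minimum maps to 0 and the maximum to 1."""
    lo, hi = min(xs), max(xs)
    return [0.0 if hi == lo else (x - lo) / (hi - lo) for x in xs]

def support_vector(fields, cycles):
    """One dimension per field; coordinate = support of that field value."""
    n = len(cycles)
    return [sum(c["fields"][k] == v for c in cycles) / n
            for k, v in sorted(fields.items())]

def average_behavior(vectors, pick=median):
    """Reference vector (AB): per-dimension minimum, median or maximum."""
    return [pick(col) for col in zip(*vectors)]

def cosine_similarity(a, b):
    """(IV): cosine of the angle between two vectors; 0.0 for a zero vector."""
    na, nb = math.hypot(*a), math.hypot(*b)
    if na == 0 or nb == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def arccos_distance(sim):
    """Assumed reading of (V): arccos(sim) / pi maps [-1, +1] onto [0, +1]."""
    return math.acos(max(-1.0, min(1.0, sim))) / math.pi

def standard_distance(sim):
    """Assumed reading of (VI): (1 - sim) multiplied by the factor 0.5."""
    return 0.5 * (1.0 - sim)

def quartile_outliers(xs, k=0.0):
    """Flag values outside [Q1 - k*IQR, Q3 + k*IQR]; k=0 is the literal
    'outside the first and third quartile' rule, k is a hypothetical knob."""
    q1, _, q3 = quantiles(xs, n=4, method="inclusive")
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [x < lo or x > hi for x in xs]

def digitize(cycles):
    """Run both digitization paths over the cycles of one user group."""
    lev = leverage_scores(cycles)
    vecs = [support_vector(c["fields"], cycles) for c in cycles]
    ab = average_behavior(vecs)
    sims = [cosine_similarity(ab, v) for v in vecs]
    return {
        "leverage_minmax": min_max(lev),
        "leverage_z": z_score(lev),
        "arccos": [arccos_distance(s) for s in sims],
        "standard": [standard_distance(s) for s in sims],
        "outlier": quartile_outliers(lev),
    }

if __name__ == "__main__":
    for name, col in digitize(CYCLES).items():
        print(name, [round(x, 3) if isinstance(x, float) else x for x in col])
```

In this sample the cycle that is rare in every field (index 6) has cosine distance 0 to the average behavior, because cosine similarity ignores vector length; only the leverage path separates it from the typical cycles.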
The server (3) performs behavior modeling and validation to measure how effective and successful batch transaction logging and transaction log digitization are in anonymizing user behavior and behavior modeling. The server (3) is configured to label the role value to which each individual transaction record or transaction cycle is associated according to the transaction code labeling adaptation and to use basic machine learning algorithms of the classification type to retrieve patterns in terms of anonymized authorization objects that play an active role in determining role values in the behavior modeling and validation process. The server (3) is configured to use at least one of the following classification algorithms: Artificial Neural Network, Support Vector Machine, K Nearest Neighborhood, C2.3, Random Forest. In the preferred embodiment, the server (3) is configured to use the tree-based classification algorithm in the behavior modeling process. The server (3) determines the best performing digitized transaction log dataset and delimiter through a behavior modeling validation process.
In the inventive system (1), the server (3) receives daily raw transaction logs from the source ERP system data index (K) and stores them in the database (2). The server (3) is configured to combine and transform daily raw transaction logs into a batch log at prescribed time intervals. The system is configured to combine batch transaction logs, preferably on a weekly basis, and transform them into digitized transaction logs on the basis of prescribed time intervals. The system (1) is configured to collect the transaction log and process the transaction normalization results into the database (2). Finally, the system (1) determines the best-performing digitized transaction log dataset and the best-performing delimiter, and is able to measure the performance in dataset and classifier detail, and obtain behavior models.
Within these basic concepts, it is possible to develop a wide variety of embodiments of the inventive “An End-User Behavior Modeling System (1)”; the invention cannot be limited to the examples disclosed herein and is essentially as defined in the claims.
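The following is an added example, not code from the patent or the applicant: it digitizes categorical authorization object values with the leverage ratio recited in Claim 23 (confidence of the value-to-transaction transition divided by the support of the transaction), normalizes the scores (Claims 24 to 26), and drops transaction cycles by the quartile rule described above. The sample rows, the `AO_*` attribute names, the transaction codes, the `EPS` tolerance and the reading of the "prescribed limit" as a per-cycle count of flagged attributes are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev, quantiles

# Constructed sample: one row per transaction cycle of one user group.
# "tcode" is the transaction code; the AO_* columns are hypothetical
# authorization object attributes holding categorical field values.
ATTRS = ["AO_PLANT", "AO_DOC_TYPE"]
CYCLES = [dict(zip(["tcode"] + ATTRS, row)) for row in [
    ("T_ORDER", "P1", "NB"), ("T_ORDER", "P1", "NB"),
    ("T_ORDER", "P1", "NB"), ("T_ORDER", "P2", "ZX"),
    ("T_PAY", "P2", "KR"), ("T_PAY", "P2", "KR"),
    ("T_PAY", "P2", "ZX"), ("T_PAY", "P1", "NB"),
]]
EPS = 1e-9  # tolerance so a value lying on Q1 or Q3 is not flagged by rounding


def leverage(cycles, attr):
    """Per cycle: confidence(value -> tcode) divided by support(tcode)."""
    n = len(cycles)
    by_tcode = Counter(c["tcode"] for c in cycles)
    by_value = Counter(c[attr] for c in cycles)
    joint = Counter((c[attr], c["tcode"]) for c in cycles)
    return [(joint[c[attr], c["tcode"]] / by_value[c[attr]])
            / (by_tcode[c["tcode"]] / n) for c in cycles]


def z_score(xs):
    """Distance of each score from the attribute mean, in standard deviations."""
    mu, sd = mean(xs), pstdev(xs)
    return [0.0 if sd == 0 else (x - mu) / sd for x in xs]


def min_max(xs):
    """Rescale so the attribute minimum maps to 0 and the maximum to 1."""
    lo, hi = min(xs), max(xs)
    return [0.0 if hi == lo else (x - lo) / (hi - lo) for x in xs]


def digitize(cycles, attrs, normalize):
    """Replace every categorical value by its normalized leverage score."""
    cols = {a: normalize(leverage(cycles, a)) for a in attrs}
    return [{"tcode": c["tcode"], **{a: cols[a][i] for a in attrs}}
            for i, c in enumerate(cycles)]


def drop_outlier_cycles(rows, attrs, limit):
    """Flag values outside [Q1, Q3]; return indices of cycles with <= limit flags."""
    bounds = {}
    for a in attrs:
        q1, _, q3 = quantiles([r[a] for r in rows], n=4, method="inclusive")
        bounds[a] = (q1 - EPS, q3 + EPS)
    kept = []
    for i, r in enumerate(rows):
        flags = sum(not bounds[a][0] <= r[a] <= bounds[a][1] for a in attrs)
        if flags <= limit:
            kept.append(i)
    return kept


if __name__ == "__main__":
    rows = digitize(CYCLES, ATTRS, min_max)
    for i, r in enumerate(rows):
        print(i, r)
    print("kept:", drop_outlier_cycles(rows, ATTRS, limit=1))
```

With `limit=1` only cycle 7 is dropped: a `T_PAY` cycle in which both attribute values are ones that mostly occur with `T_ORDER`. The scores are deterministic per value and transaction code, so equal inputs remain linkable within one dataset.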

Claims

1. A system (1) for collecting, transforming, digitizing and anonymizing raw transaction logs corresponding to user behaviors in ERP systems, and performing behavior modeling; characterized by: at least one database (2) which is configured to record the raw transaction logs retrieved from a source ERP system and associated with at least the users; and at least one server (3) which is configured to communicate with the source ERP system data index (K) by using any remote communication protocol; to retrieve raw transaction logs through this communication and to record them in the database (2) associated with users; to transform raw transaction logs corresponding to user behaviors, digitize them by using different information retrieval methods; and to perform modeling of behaviors by using classification-based machine learning algorithms based on prediction of the role wherein transaction contexts are labeled in terms of the authorization object after the digitization process.
2. A system (1) according to Claim 1; characterized by the database (2) which is configured to be in communication with the server (3) and managed by the server (3).
3. A system (1) according to Claim 1 or 2; characterized by the server (3) which is configured to manage the database (2) by operations of registering new data in the database (2), deleting the data stored in the database (2), modifying the data stored in the database (2), and updating the data stored in the database (2).
4. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to perform data management with version management, basic adaptation and basic business rule maintenance operations.
5. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to maintain the version identifier, the description, the employee group to which the version belongs and the current period fields used for tracking, managing and monitoring the individual what-if scenarios in the version management adaptation process.
6. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to adapt the basic hyper-parameter values to be retrieved from the user in the use cases of batch transaction logging, transaction log digitization and behavior model validation in the version configuration adaptation process.
7. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to identify the current critical authorization objects for the what-if scenarios enabled in the basic adaptation process.
8. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to assign the most probable role identifier with which the transaction code of each transaction record in the transaction logs of domain experts in the transaction code labeling process is associated.
9. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to group the end-users by period and user group combinations with reference to the behavior modeling scope of the domain experts within the scope of the basic business rules as a last step in the data management process.
10. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to retrieve the raw transaction logs of each active end user, including the user name, timestamp in date and time detail and transaction context information in the domain detail of each authorization object used on a transaction basis, from the Source ERP system data index (K) with predetermined periods by means of a plug-in and combine them into a single file.
11. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to execute the process of combining in a single file separately for each user group combination by means of the version parameter in the data management process.
12. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to detect critical authorization objects in the raw transaction log combination process, define the said objects as attributes in the batch transaction log, and then use them in the batch transaction logging process.
13. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to list the frequencies of the related objects in the raw transaction log to filter the authorization object in the ERP system and sort the authorization objects according to the decreasing frequency value.
14. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to ignore related authorization objects and to detect high value-added information and low-frequency special authorization objects according to domain experts.
15. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to limit the authorization object context of each transaction cycle executed by a specific user in batch transaction logging and to combine each authorization object context used between the triggering of two consecutive identical transactions in the raw transaction log with the domain label(s) and domain value(s) in the corresponding row to group the raw transaction log and process the resulting values into the corresponding authorization object attribute.
16. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to list the transition frequencies of authorization objects in the raw transaction log in order to filter out the ones with relatively high information added value among a large number of authorization objects in the raw transaction log grouping process, and to include the authorization objects with relatively high frequencies and emphasized by domain experts in the batch logging creation process.
17. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to filter raw job logging records by using the critical authorization objects defined in the data management process and to group each transaction log record for each user, and sort them in descending order by timestamp.
18. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to combine each raw transaction log row in a transaction cycle that contains the entire context of the transaction in terms of the authorization object, domain, and domain value for the relevant transaction in a start-to-end time range, by domain and domain value, and to process the resulting value row into the relevant authorization object attribute of the row defined for the transaction cycle to which the row belongs.
19. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to detect and delete transaction cycle records with empty authorization object attribute values in the batch transaction log after processing to the authorization object attribute, and to list occupancy rates for transaction and authorization object combinations according to the missing authorization object filling threshold value set in the data management process.
20. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to process the median value calculated for combinations exceeding the missing authorization object filling threshold value into the empty authorization object attribute and to execute operations for each user group separately by using the version selection parameter specified in the data management operation.
21. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to digitize the categorical type authorization object attribute values of the transaction logs grouped by the user and transaction detail and anonymize them according to the transformation function combinations in the transaction log digitization, that is, anonymization process.
22. A system (1) according to Claim 21; characterized by the server (3) which is configured to use the leverage and cosine similarity functions.
23. A system (1) according to Claim 22; characterized by the server (3) which is configured to proportion the confidence value of the transitions of the categorical role content in the relevant authorization object attribute together with the target attribute or transaction value to the support value of the target domain and to obtain the leverage values in order to digitize the categorical attribute value according to its association with the target domain value in the relevant transaction cycle and to anonymize the categorical authorization object value.
24. A system (1) according to Claim 22 or 23; characterized by the server (3) which is configured to apply two normalization functions, z-score and MIN/MAX, on the leverage values obtained.
25. A system (1) according to Claim 24; characterized by the server (3) which is configured to perform normalization with the Z-score function and determine how many standard deviations away the calculated score value and leverage value are from the average value of the relevant authorization object.
26. A system (1) according to Claim 24; characterized by the server (3) which is configured to perform the normalization process with the MIN/MAX function and interpolate the leverage value calculated for the relevant authorization object so that its minimum value is equal to 0 and its maximum value is equal to 1.
27. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to retrieve an average transaction log (average behavior, AB-average behavior) from the normalized transaction log and process the minimum, median, or maximum value in the sample for each authorization object attribute in the average transaction log.
28. A system (1) according to Claim 27; characterized by the server (3) which is configured to identify the average behavior as the ground truth in a cosine similarity measure, to position each transaction log with respect to said reference, to reduce the authorization object content of the relevant transaction log or average behavior to field-based dimensions in the positioning process, and to vectorize the field values according to the support (frequency) value in the entire data set.
29. A system (1) according to Claim 27 or 28; characterized by the server (3) which is configured to calculate the cosine similarity value between the average behavior and the corresponding transaction cycle for a given authorization object.
30. A system (1) according to Claim 29; characterized by the server (3) which is configured to apply two transformation functions, arc-cosine and standard distance, to the calculated cosine similarity value.
31. A system (1) according to Claim 30; characterized by the server (3) which is configured to transform the similarity score calculated from the range [-1, +1] according to the arc cosine function to the range [0, +1] as a distance measure.
32. A system (1) according to Claim 30; characterized by the server (3) which is configured to apply a standard distance transform function to the calculated cosine similarity value and multiply the result by a factor of 0.5 according to the distribution of the similarity score.
33. A system (1) according to Claim 31 or 32; characterized by the server (3) which is configured to use the outlier threshold limit selection parameter defined for version configuration adaptation in data management to detect possible outlier transaction cycles or records according to digitized authorization object values, and to label authorization object values other than the first and third quartile values (Q1, Q3) as outliers.
34. A system (1) according to Claim 33; characterized by the server (3) which is configured to ignore the corresponding transaction cycle when the number of labeled authorization objects exceeds the prescribed limit, and to transform the authorization object values into a Gaussian-like distribution by deleting outliers outside the first and third quartile.
35. A system (1) according to any one of the preceding claims; characterized by the server (3) which is configured to label the role value to which each individual transaction record or transaction cycle is associated according to the transaction code labeling adaptation and to use basic machine learning algorithms of the classification type to retrieve patterns in terms of anonymized authorization objects that play an active role in determining role values in the behavior modeling and validation process.
36. A system (1) according to Claim 35; characterized by the server (3) which is configured to use at least one of the following classification algorithms: Artificial Neural Network, Support Vector Machine, K Nearest Neighborhood, C2.3, Random Forest.
37. A system (1) according to Claim 36; characterized by the server (3) which is configured to use the tree-based classification algorithm in the behavior modeling process.
PCT/TR2022/051723 2021-12-31 2022-12-30 An end-user behavior modeling system WO2023129108A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2021/022093 2021-12-31
TR2021/022093A TR2021022093A2 (en) 2021-12-31 2021-12-31 AN END USER BEHAVIOR MODELING SYSTEM

Publications (1)

Publication Number Publication Date
WO2023129108A1 true WO2023129108A1 (en) 2023-07-06

Family

ID=84100897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2022/051723 WO2023129108A1 (en) 2021-12-31 2022-12-30 An end-user behavior modeling system

Country Status (2)

Country Link
TR (1) TR2021022093A2 (en)
WO (1) WO2023129108A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200021620A1 (en) * 2018-07-16 2020-01-16 Securityadvisor Technologies, Inc. Contextual security behavior management and change execution
KR102307632B1 (en) * 2021-05-31 2021-10-05 주식회사 아미크 Unusual Insider Behavior Detection Framework on Enterprise Resource Planning Systems using Adversarial Recurrent Auto-encoder

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AKTÜRK CEMAL: "Artificial Intelligence in Enterprise Resource Planning Systems: A Bibliometric Study", JOURNAL OF INTERNATIONAL LOGISTICS AND TRADE, vol. 19, no. 2, 30 June 2021 (2021-06-30), pages 69 - 82, XP093078306, ISSN: 2508-7592, DOI: 10.24006/jilt.2021.19.2.069 *
ANONYMOUS: "Development of AI/ML based User Anomaly Detection Solution for Enterprise Resource Planning System", KMATRIX, 6 October 2020 (2020-10-06), XP093078303, Retrieved from the Internet <URL:https://kmatrix.kaist.ac.kr/development-of-aiml-based-user-anomaly-detection-solution-for-enterprise-resource-planning-system/> [retrieved on 20230904] *

Also Published As

Publication number Publication date
TR2021022093A2 (en) 2022-08-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22917105

Country of ref document: EP

Kind code of ref document: A1