JP5199201B2 - High speed binary classification system and method and program - Google Patents

Description

  The present invention relates to a technique for classifying an object into binary values, for example, classification of normality / abnormality of cells in the medical field, normality / abnormality of flow in an IP network, and the like. The present invention relates to a suitable technique.

  Binary classification is to classify a given set of objects into two classes based on the characteristics of each object, including medical tests in the medical field and quality control of communication in the communication field. This technology is applied to various fields such as spam mail classification and unnecessary traffic classification.

  For example, in Patent Document 1, a traffic flow that passes through a certain line in a network is targeted. Based on the characteristics of the traffic flow, for example, the traffic flow is normal or abnormal in two classes. Techniques for classifying them are proposed.

  In particular, in networks, the number of objects to be handled has been steadily increasing in recent years due to the advancement of the information society. For this reason, there are many cases where the number of data to be processed per unit time is also enormous.

  As an example, consider a case where a packet that arrives from time to time on an ultra-high-speed network line is subject to binary classification, the packet is classified into binary, and the packet is processed based on the classified class. Assuming that the line speed is 10 Gbps, for example, the time allowed to process one packet can be as short as 8 ns.

  Therefore, in order to realize class classification for each packet in the network, it is necessary to greatly reduce the overhead required for class classification. By calculating the probability in binary classification with a small number of processing, high speed binary processing is possible. It is desirable to realize classification.

JP 2006-295576 A

  The problem to be solved is that the conventional technique cannot calculate the probability in the binary classification with a small number of processes.

  An object of the present invention is to solve these problems of the prior art and realize high-speed binary classification.

In order to achieve the above object, according to the present invention, an object is classified into two classes C1 and C2 based on features of the object that arrives from moment to moment. Here, the observed object x has a characteristic “A (x) = {A ₁ (x), A ₂ (x),..., A _γ (x)}” that can be arbitrarily specified. (The total number of features is γ). The feature extraction unit 1a extracts the feature A (x) of the observed object x, and the class estimation unit 1c, based on the feature extracted by the feature extraction unit 1a, class C1 or C2 to which the object belongs. Is estimated. The class learning unit 1b learns the relationship between features and classes by separately using information on the actual class of the object. The counter unit 1d includes a counter for holding the results learned by the class learning unit 1b as numerical values. In the class estimation calculation in the class estimation unit 1c, based on the observed feature A (x), the probability belonging to the class C1 is p, the probability q belonging to the class C2 is “q = 1−p”, and p is Approximate estimation is performed as “p = 1 ÷ (1 + 2 ^Λ )” using Λ calculated by the equation shown in Equation 1.

尚、λ（ｎ；Ｍ）は、整数ｎをＭビットの二進数で表現した際に先頭から続く０の数を返す関数である。例えばｎ＝２２，Ｍ＝８とすると、ｎの８ビットでの二進数表現は｛０００１０１１０｝であり、先頭から３つの０が続くので、λ（２２；８）＝３である。
また、ｎ_１，ｎ_２は、それぞれ過去に実際に対象物がクラスＣ１，Ｃ２であった数を記録するカウンター値であり、ｎ_１Ａｊ，ｎ_２Ａｊは、それぞれｊ番目の特徴がある値Ａｊであった条件の下でクラスがＣ１あるいはＣ２であった数である。これらの数値は、カウンター部１ｄにおける各々のカウンターにて管理される。
さらに、Λと確率ｐの関係に関して、例えばΛ＝−５，−４，…，４，５に対して、確率ｐの値を予め計算しておき、この計算結果を用いることにより、観測した対象物ｘに対する確率ｐを高速に計算する。そして、求めた確率ｐがある閾値θより高ければクラスをＣ１，そうでなければ、クラスをＣ２と推定する。
尚、クラス学習部１ｂでは、別途得られた対象物の実際のクラスの情報を利用することで、カウンター部１ｄにおけるカウンター値ｎ_１，ｎ_２およびｎ_１Ａｊ，ｎ_２Ａｊを更新する。
また、クラス学習部１ｂでは、カウンター値ｎ_１Ａｊ，ｎ_２Ａｊが０であった場合、それらを十分に小さな値（例えば「１」）で補正する。

Note that λ (n; M) is a function that returns the number of 0s that continues from the beginning when the integer n is represented by an M-bit binary number. For example, if n = 22 and M = 8, the binary number representation of 8 bits of n is {00010110}, and three 0s are continued from the beginning, so λ (22; 8) = 3.
In addition, n ₁ and n ₂ are counter values that record the number of objects that were actually class C1 and C2 in the past, respectively, and n _1Aj and n _2Aj are values Aj each having a j-th feature. This is the number where the class was C1 or C2 under certain conditions. These numerical values are managed by each counter in the counter unit 1d.
Further, regarding the relationship between Λ and probability p, for example, the value of probability p is calculated in advance for Λ = −5, −4,. The probability p for the object x is calculated at high speed. If the obtained probability p is higher than a certain threshold value θ, the class is estimated as C1, and if not, the class is estimated as C2.
In the class learning unit 1b, by using the information of the actual class separately obtained object, counter value _n 1, _{n 2} and _n 1aj the counter unit _1d, and it updates the _{n 2AJ.}
Further, in the class learning unit 1b, when the counter values n _1Aj and n _2Aj are 0, they are corrected with a sufficiently small value (for example, “1”).

  According to the present invention, high-speed binary classification can be realized. For example, medical tests in the medical field, communication quality control in the communication field, identification of spam mail, and identification of unnecessary traffic can be made more efficient. Is possible.

It is a block diagram which shows the structural example of the high-speed binary classification system which concerns on this invention. It is a flowchart which shows the processing operation example which concerns on this invention of the class learning part in FIG. It is a flowchart which shows the process operation example which concerns on this invention of the high-speed binary classification system in FIG. It is explanatory drawing which shows the structural example of the table which matched the learning result and probability which are hold | maintained in the class learning part in FIG. It is explanatory drawing which shows the 1st table structural example of the counter value hold | maintained at the counter part in FIG. It is explanatory drawing which shows the 2nd table structural example of the counter value hold | maintained at the counter part in FIG.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a high-speed binary classification system according to the present invention. The high-speed binary classification system (described as “binary classification system” in the figure) 1 of this example is a CPU (Central Processing unit), a main memory, a display device, an input device, an external storage device, etc., and a computer configuration including the program and data recorded on a storage medium such as a CD-ROM via an optical disk drive device etc. After being installed in the system, each function for executing the processing according to the present invention is configured by reading this external storage device into the main memory and processing by the CPU.

  That is, the high-speed binary classification system 1 in FIG. 1 has a feature extraction unit 1a, a class learning unit 1b, a class estimation unit 1c, and a counter unit 1d as functions for executing programmed computer processing, and is input from the outside. Binary classification is performed on the target 2 and the result is output as a classification result 4 in this example.

  In this example, the high-speed binary classification system 1 sets a processing target as a packet that flows on a network line, and the packet is classified into two classes C1 and C2 due to the characteristics of an object (packet) that arrives from moment to moment. Classify.

The observed packet (object) x is a total of γ features “A (x) = {A ₁ (x), A ₂ (x),..., A _γ (x)}” that can be arbitrarily specified. It shall have.

  The feature extraction unit 1a extracts the feature A (x) of the observed packet (described as “target” in the figure) 2, and the class estimation unit 1c based on the feature A (x) extracted by the feature extraction unit 1a. , Specify whether packet 2 belongs to either class C1 or C2.

  In the class learning unit 1b, by using the actual class identification result by the class estimation unit 1c for the packet 2 and the class information input from the outside as the external information 3 separately, the feature A (x) and the class C1, Learn the relationship of C2.

  The counter unit 1d includes a counter, and the counter learns the result learned by the class learning unit 1b as a numerical value.

In the class estimation calculation in the class estimation unit 1c, based on the observed feature information A (x), the probability that the packet 2 belongs to the class C1 is p, and the probability q that the packet 2 belongs to the class C2 is “q = 1−p”. Estimate p approximately as “p = 1 ÷ (1 + ^2Λ )”.

  Here, “Λ” is a numerical value indicating the learning result in the class learning unit 1b, which is expressed by the following equation (2).

  In the equation (2), λ (n; M) is a function that returns the number of 0s that continue from the beginning when the integer n is represented by an M-bit binary number. For example, if n = 22 and M = 8, the binary number representation of 8 bits of n is {00010110}, and three 0s are continued from the beginning, so λ (22; 8) = 3.

In the above formula 2, “n ₁ ” is a counter value that records the number of packets 2 that are actually objects in the past in the class C1, and “n ₂ ” It is a counter value that records the number of packets 2 that are objects of the class C2.

Further, in the above formula 2, “n _1Aj ” is the number that the packet 2 that is the target object is the class C1 in the past under the condition that the jth feature is the value Aj. _Yes , “n _2Aj ,” is the number in which the packet 2 that is the target was class C2 in the past and under the condition that the jth feature is a certain value Aj.

These numerical values of “n ₁ ”, “n ₂ ”, “n _1Aj ”, “n _2Aj ” are managed by each counter in the counter unit 1d.

  In the class estimation unit 1c, the probability for the observed packet (object) is calculated in advance by calculating the probability p that the packet 2 is class C1 according to the value of Λ and storing it in the storage device. p can be calculated at high speed.

  If the probability p is higher than a predetermined threshold θ, the class estimation unit 1c identifies the class of the packet 2 as the target object as C1, and otherwise identifies the class as C2.

Further, the class learning unit 1b sets the counter values n ₁ and n ₂ in the counter unit 1d by using the information on the actual class of the object obtained separately, and specifies the class by the class estimation unit 1c. The counter values n _1Aj and n _2Aj are updated according to the result.

When the counter values n _1Aj and n _2Aj are “0”, they are corrected by a sufficiently small value, for example, “1”.

  Hereinafter, in the high-speed binary classification system 1, a packet that flows on a network line, which is an object of processing, and arrives from time to time is set as an object, and the network prefix of the source IP address is used as a feature of the packet, Details of the processing operation for classifying the packet into two classes C1 and C2 will be described. It is assumed that the bit size (M) is 8 and the counter is managed in binary.

  Here, only one feature is considered for the packet that is the object. It is assumed that the network prefix of the IP address as a characteristic of this packet can be grasped from the route information managed internally or externally.

  Further, the class is a binary value indicating whether a network abnormality is caused (C1) or not (C2).

  In FIG. 1, a high-speed binary classification system 1 takes in a packet 2 as an object x in a feature extraction unit 1a, and extracts a feature related to the packet 2 by the feature extraction unit 1a.

  That is, the feature extraction unit 1a refers to the source IP address of the packet 2 and acquires, for example, “192.168.1.13” and associates it with this IP address (192.168.1.13). The network prefix (feature) is acquired by referring to network route information managed internally or externally.

Here, it is assumed that the corresponding network prefix (feature of packet 2) is “192.168.1.0/2 4”. As a result, since the number of features (A (x)) included in the packet (object x) is one, the feature A ₁ (x) = 192.168.1.0 / 2 4.

Thus, in the feature extraction unit 1a, the acquired packet (object x: 192.168.1.13) and its feature (feature A ₁ (x) = 192.168.1.0 / 2 4) are It is sent to the class learning unit 1b.

  In the class learning unit 1b, the class information to be managed by the counter unit 1d and the corresponding counter value are updated according to the flowchart shown in FIG. Note that the processing in the class learning unit 1b may not be real-time processing.

5 and FIG. 6 show specific examples of counter values n _1Aj and n _2Aj 51 and counter values n ₁ and n ₂ 61 managed by the counter unit 1. Here, it is assumed that all the counters are managed as 8-bit integers, and the numerical values of the counters (n1, n2, n1A1, n2A1) are all expressed in binary numbers.

  As a result of inquiring the class of packet 2 (target x: 192.168.1.13) to the outside (steps S201 to S203), it is assumed that the class is found to be C1.

Since one class C1 is observed, the counter n1 is incremented by one (step S204). As a result, the value “00101101” of the counter n1 in the counter values n ₁ and n ₂ 61 in FIG. 6 becomes “00101110”.

Regarding the feature A1 of the packet 2 (target x), since the class of the packet 2 (target x) is C1, the numerical value of the counter n1A1 is also counted up by one (step S204). As a result, the value “00100011” of the counter n1A1 in the counter values n _1Aj and n _2Aj 51 of FIG. 5 becomes “00100100”.

  In the class estimation unit 1c, as shown in the flowchart of FIG. 3, the packet information (192.168.1.13) and the feature A1 (x) (192) that are the object x sent from the feature extraction unit 1a. 168.1.0 / 2 4), class determination is performed using information managed by the counter unit 1d.

  That is, in the class estimation unit 1c, the information (192.168.1.13) of the packet that is the object x sent from the feature extraction unit 1a and the feature A1 (x) (192.168.1.0/2 4). ), Information (n1Aj, n2Aj, n1, n2) managed by the counter unit 1d is read (step S301), and class determination is performed using these information (steps S302 to S305). This process must be implemented at high speed so that it can be performed in real time.

  It is assumed that n1 = “00101101”, n2 = “00010110”, n1A1 = “00100011”, and n2A1 = “00001011” are read from each counter in the counter unit 1d (step S301). These values may be values before updating in learning by the class learning unit 1b.

In this case, since Λ = λ (n ₁ ; M) −λ (n ₂ ; M) + λ (n _1A1 ; M) −λ (n _2A1 ; M) = 2−3 + 2−4 = −3, FIG. , The value of the probability p corresponding to Λ = “− 3” is “8/9” (the value of the probability p corresponding to Λ = “− 3” in FIG. 4 is p = 1 ÷ (1 + 2 ^Λ ) 1 ÷ (1 + 2 ⁻³ ) = 1 ÷ (1 + 2 ^1/8 ) = 8/9), the estimated value p * of the probability p is “8 ÷ 9 = 0.8888. "(Step S302).

  For example, when the threshold θ is “θ = 0.8”, the estimated value p *> θ is satisfied (step S303), so the class estimating unit 1c can classify the packet 2 (target x) as the class C1. (Step S304). Further, when the threshold θ is “θ = 0.9”, since the estimated value p * <θ (step S303), the class estimation unit 1c can classify the packet 2 (target x) as the class C2 (step S303). S305).

  The processing performed by the class estimation unit 1c described above is summarized as follows: (1) reading of a corresponding counter value based on information transmitted from the feature extraction unit 1a (step S301), (2) Λ and probability p (estimation) (Value p *) is calculated (step S302), and (3) the probability p (estimated value p *) is compared with the threshold value θ (steps S303 to S305).

  Among these processes, the calculation with the highest processing load is the calculation of [Lambda]. In the calculation of [Lambda], the number of "0" s continuing from the top in each counter value is counted. This calculation procedure is generally known as NLZ (Number of Leading Zero) operation and can be processed at high speed.

  As described above with reference to FIGS. 1 to 6, in the high-speed binary classification system 1 of this example, the input object (packet) is divided into two classes C1 and C2 based on the characteristics of the object. In order to classify at high speed, the feature extraction unit 1a extracts feature information A (x) (network prefix) of the input object x (packet), and the class estimation unit 1c extracts the feature extraction unit 1a. It is determined whether the class associated with the feature information A (x) of the target object x is the class C1 or C2.

At that time, the class estimation unit 1c sets the probability of belonging to the class C1 based on the input feature information A (x) to p, the probability of belonging to C2 to q = 1−p, and sets the probability p to the above-described formula 2. A function λ (n; M) that returns the number of zeros that follow from the beginning when the integer n is represented by an M-bit binary number, and a number n ₁ that the object x was actually a class C1 in the past, Number n ₂ in which object x was actually class C2 in the past, and number in which class of object x was C1 under the condition that the _jth feature of object x was value A _j and n _1aj, under the j-th condition characteristics is a value a _j of the object x, with Λ class of the object x is calculated by the formula consisting of a number n _2AJ was C2 the probability p is calculated by p = 1 ÷ (1 + 2 Λ), compared the calculated value of the probability p is a predetermined threshold theta, click the higher Scan C1, determines that the class C2 if lower.

In the high-speed binary classification system 1, the counter unit 1d individually stores the object x (numbers n ₁ , n ₂ , n _1Aj , n _2Aj for each packet 9), and the class learning unit 1 b The result x information that the object x (packet) is actually class C1 or C2 in the past, and the jth feature (network prefix) of the object x (packet), which is input via the input device as information 3 ) Is a value A _j , using the result result information in which the class of the object x is C1 or C2, the number n ₁ , n ₂ , for each object x stored in the counter unit 1d Each of n _1Aj and n _2Aj is updated.

In the high-speed binary classification system 1, when the number n _1Aj and n _2Aj of the object x (packet) stored in the counter unit 1d is 0 in the class learning unit 1b, a predetermined number, for example, Update to a sufficiently small value including 1.

  Furthermore, in the high-speed binary classification system 1, the class estimation unit 1c calculates in advance the probabilities p for the values of Λ in the above equation 2 and stores them as relation information between Λ and p as shown in FIG. The class estimation unit 1c stores the probability p with respect to Λ calculated by the formula 2 with reference to the relation information between Λ and p stored in the storage device.

  As a result, in the high-speed binary classification system 1 of this example, it is possible to calculate the probability in the binary classification with a small number of processes, greatly reducing the overhead required for the class classification process, and high-speed binary Classification can be realized, and class classification for each packet in the network can be performed efficiently.

  In addition, this invention is not limited to the example demonstrated using FIGS. 1-6, In the range which does not deviate from the summary, various changes are possible. For example, in this example, the class learning unit 1b updates the information (counter value) in the counter unit 1d based on the external information 3, but the class classification result 4 by the class estimation unit 1c is changed to the information in the counter unit 1d ( The counter value may be reflected.

  Further, in this example, a description is given of a configuration example in which a packet on the network is set as an object x, and normality / abnormality is estimated / determined. -It is good also as a structure which estimates and determines abnormality.

  The computer configuration of this example may be a computer configuration without a keyboard or optical disk drive. In this example, an optical disk is used as a recording medium. However, an FD (Flexible Disk) or the like may be used as a recording medium. As for the program installation, the program may be downloaded and installed via a network via a communication device.

1: fast binary classification system (“binary classification system”), 1a: feature extraction unit, 1b: class learning unit, 1c: class estimation unit, 1d: counter unit, 2: object (“packet”), 3 : External information, 4: class classification result, 41: relation information between Λ and probability p, 51: counter values n _1Aj , n _2Aj , 61: counter values n ₁ , n ₂ .

Claims (6)

A high-speed binary classification system that classifies an input object into two classes C1 and C2 based on characteristics of the object,
Feature extraction means for extracting feature information A (x) of the input object x;
Class estimation means for determining which of the classes C1 and C2 is the class associated with the feature information A (x) of the object x extracted by the feature extraction means;
The class estimation means includes:
Based on the input feature information A (x), the probability belonging to class C1 is p, the probability belonging to C2 is q = 1-p, and the probability p is
Shown in Equation 1 below
A function λ (n; M) that returns the number of zeros that follow from the beginning when the integer n is represented in an M-bit binary number;
The number n ₁ in which the object x was actually class C1 in the past,
The number n ₂ that the object x was actually class C2 in the past,
Under the condition that the j-th feature of the object x is the value A _j , the number n _1Aj whose class of the object x was C1;
Under the condition that the j-th feature of the object x is the value A _j , the probability p is calculated by using Λ calculated by an expression consisting of the number n _2Aj where the class of the object x is C2. ^Is calculated by p = 1 ÷ (1 + 2 ^Λ ),
A high-speed binary classification system, wherein the calculated probability p is determined to be class C1 if it is high and class C2 if it is low, compared to a predetermined threshold value θ.

The fast binary classification system according to claim 1,
Counter means for individually storing each of the numbers n ₁ , n ₂ , n _1Aj , n _2Aj for each object x;
Under the condition that the target object x is actually class C1 or C2 in the past and the j-th feature of the target object x is the value A _j that is input via the input device. Then, each of the numbers n ₁ , n ₂ , n _1Aj , n _2Aj for each of the objects x stored in the counter means is updated using the actual result information in which the class of the object x is C1 or C2. And a high-speed binary classification system characterized by comprising: The fast binary classification system according to claim 2,
The class learning means
A high-speed binary classification system, wherein when the number n _1Aj , n _{2Aj of the} object x stored in the counter means is 0, the number is updated to a predetermined number. A high-speed binary classification system according to any one of claims 1 to 3,
The class estimation means is
Means for pre-calculating each probability p for each value of Λ in Equation 1 and storing it in the storage device as relation information between Λ and p;
A high-speed binary classification system characterized in that the probability p for Λ calculated by the equation (1) is obtained by referring to the relation information between Λ and p stored in the storage device.   The program for functioning a computer as each means in the high-speed binary classification system in any one of Claims 1-4. A high-speed binary classification method by a computer device having each means in the high-speed binary classification system according to any one of claims 1 to 4, as means for executing programmed computer processing,
The said computer apparatus performs the process in the high-speed binary classification system in any one of Claims 1-4 by each means with which it comprises, The input target object is based on the characteristic of the said target object. A fast binary classification method characterized by classifying into two classes C1 and C2.

Images