JP7377126B2 - Information provision system, information provision method, and information provision program - Google Patents

Description

The present invention relates to, for example, a technique for recommending articles such as threat information regarding cyber attacks to users.

In recent years, the number of cyber attacks has increased rapidly, and the attack methods have become more complex. As a result, it is no longer possible to counter the threat of cyber attacks using only mechanical threat detection and countermeasure technology, and it is now necessary for humans to grasp the latest threat information and take direct action. It has become. For this reason, in organizations called SOCs (Security Operation Centers), analysts specializing in security gather to monitor threats to their own organizations and customer organizations, and to implement security operations using human power.

One of the important roles of the SOC is to search for threat information from the wide variety of news articles that exist in the world, determine whether it is necessary to notify the threat information, and, if necessary, notify the organization itself. This means notifying each department within the company and each customer of the threat information. However, with so much miscellaneous information overflowing, it is not efficient for SOC analysts to manually check each information source one by one.

Therefore, there is a need for technology to recommend articles from among a variety of news articles. In particular, SOC is required to provide notifications in consideration of the customer's system environment, etc., and since the threat information required differs depending on the analyst, the SOC learns trends in news articles desired by the analyst and recommends articles. A technology that does this is desirable.

As a technology for recommending news articles, for example, by recording the viewing history of articles referenced by the user and calculating the degree of similarity with articles viewed by the user in the past based on feature words extracted from the articles, A related article recommendation method that accurately recommends related articles that have substantially no overlap in content and that match the preferences and interests of each user as articles that are related to articles that the user is interested in (for example, see Patent Document 1) etc. have been proposed.

JP2010-224623A

The technology described in Patent Document 1 calculates the degree of similarity between articles that the user has viewed in the past based on feature words extracted from the sentences that make up the article based on a predetermined algorithm. Recommends related articles that match your tastes and interests.

However, in actual daily work, the user may refer to an article unrelated to the main job due to temporary chores or the like, or may refer to an article whose content is different from what the user expected. In this case, with the technology described in Patent Document 1, articles are recommended based on the browsing history of the user's temporary chores, etc., and there is a concern that articles unrelated to the main business may be recommended.

The present invention has been made in view of the above circumstances, and its purpose is to provide a technology that can more accurately recommend useful articles to users.

In order to achieve the above object, an information providing system according to one aspect is an information providing system that recommends articles to users, and the information providing system includes a storage unit that stores information and a connection to the storage unit. the storage unit stores a plurality of articles, usage history of articles used by the user, and message information indicating usage status of messages posted on SNS (Social Networking Service). The processor section extracts characteristic information from the article, identifies messages related to the article on the SNS based on the characteristic information of the article, and identifies messages related to the article on the SNS based on usage status of messages related to the article. Then, a degree of diffusion indicating the degree of diffusion of the article is calculated, and a given article is recommended to the user based on the characteristic information of the article, the degree of diffusion of the article, and the usage history of the article by the user. Determine whether or not to do so.

According to the present invention, useful articles can be recommended to the user with higher accuracy.

FIG. 1 is a configuration diagram of a threat information providing system according to the first embodiment. FIG. 2 is a functional configuration diagram of the news distribution server according to the first embodiment. FIG. 3 is a functional configuration diagram of the SNS distribution server according to the first embodiment. FIG. 4 is a functional configuration diagram of the recommendation device according to the first embodiment. FIG. 5 is a functional configuration diagram of the client according to the first embodiment. FIG. 6 is a hardware configuration diagram of a computer configuring each device of the threat information providing system according to the first embodiment. FIG. 7 is a diagram showing a data table stored in the database according to the first embodiment. FIG. 8 is a diagram illustrating the configuration of the news article information table according to the first embodiment. FIG. 9 is a diagram illustrating the structure of the analyst information table according to the first embodiment. FIG. 10 is a diagram illustrating the configuration of the SNS information table according to the first embodiment. FIG. 11 is a diagram illustrating the configuration of the recommendation determination model information table according to the first embodiment. FIG. 12 is a diagram illustrating the configuration of the viewing history information table according to the first embodiment. FIG. 13 is a sequence diagram of recommendation determination processing according to the first embodiment. FIG. 14 is a sequence diagram of recommendation distribution processing according to the first embodiment. FIG. 15 is a sequence diagram of recommendation determination model learning processing according to the first embodiment. FIG. 16 is a flowchart of the judgment model machine learning process according to the first embodiment. FIG. 17 is a display example of the recommendation screen according to the first embodiment. FIG. 18 is a diagram showing a data table stored in a database according to the second embodiment. FIG. 19 is a diagram illustrating the structure of an analyst information table according to the second embodiment. FIG. 20 is a diagram illustrating the configuration of a recommendation determination model information table according to the second embodiment. FIG. 21 is a diagram illustrating the configuration of a report distribution history information table according to the second embodiment. FIG. 22 is a diagram illustrating the configuration of a distribution destination information table according to the second embodiment. FIG. 23 is a sequence diagram of recommendation distribution processing according to the second embodiment. FIG. 24 is a sequence diagram of recommendation determination model learning processing according to the second embodiment. FIG. 25 is a flowchart of the judgment model machine learning process according to the second embodiment. FIG. 26 is a display example of a recommendation screen according to the second embodiment.

Some embodiments will be described with reference to the drawings. The embodiments described below do not limit the claimed invention, and all of the elements and combinations thereof described in the embodiments are essential to the solution of the invention. is not limited.

In the following description, information may be described using the expression "AAA table," but the information may be expressed using any data structure. That is, the "AAA table" can be referred to as "AAA information" to indicate that the information is independent of data structure.

Furthermore, in the following description, the "storage unit" may be one or more memories, or one or more drives such as HDD or SSD. The at least one memory may be volatile memory or non-volatile memory. The storage section is mainly used during processing by the processor section.

Furthermore, in the following description, the "processor unit" includes one or more processors. At least one processor is typically a microprocessor such as a CPU (Central Processing Unit). Each of the one or more processors may have a single core or multiple cores. A processor may include hardware circuitry that performs some or all of the processing.

(First embodiment)
(Threat information provision system)
First, a threat information providing system as an example of the information providing system according to the first embodiment will be described.

FIG. 1 is a configuration diagram of a threat information providing system according to the first embodiment.

The threat information providing system 100 includes one or more news distribution servers 102 (102_1, . . . , 102_n), one or more SNS (Social Networking System) distribution servers 103 (103_1, . . . , 103_n), one or more recommendation devices 104, and one or more recommendation devices 104. The client 105 (105_1, . . . , 105_n) and a database 106 are provided. The news distribution server 102, the SNS distribution server 103, the recommendation device 104, the client 105, and the database 106 are connected via one or more networks 101 (101_1, 101_2). In this embodiment, the news distribution server 102, the SNS distribution server 103, and the recommendation device 104 are connected via the network 101_1 (for example, the Internet), and the recommendation device 104, the client 105, and the database 106 are It is connected via a network 101_2 (for example, an intranet). The information providing system may include at least the recommendation device 104, or may include one or more devices other than the recommendation device 104 of the threat information providing system 100.

The news distribution server 102 is a device (for example, a web news site) that distributes various news articles (an example of an article), and is managed by, for example, an organization different from the organization that manages the recommendation device 104.

The SNS distribution server 103 is a device that provides a service (eg, SNS web service) that distributes personal information (messages), and individuals can distribute information using this device.

The recommendation device 104 is a server that mainly executes various processes in the process of recommending news articles based on information on the database 106.

The client 105 is a terminal directly operated by an SOC analyst (an example of a user), and may be, for example, a general computer terminal. The client 105 is a device that is the main output destination of the processing results by the recommendation device 104, that is, the news article recommendation results.

The database 106 is a storage device that stores information related to news articles obtained from the news distribution server 102, information related to SNS messages obtained from the SNS distribution server 103, reference history information of news articles by analysts, and the like. In this embodiment, the database 106 is communicably connected to the recommendation device 104 via the network 101_2. The database 106 may be constructed in the external storage device 604 (see FIG. 6) of the computer 601 (see FIG. 6) that constitutes the recommendation device 104.

Note that in this embodiment, the networks 101_1 and 101_2 are illustrated as different networks, but they may be the same network. Moreover, the constituent elements with reference numerals in FIG. 1 may be plural as required.

(Functional configuration)
Next, various functions included in the threat information providing system 100 of this embodiment will be explained. Here, we will explain not only the recommendation device 104 but also the functions realized by each device of the threat information providing system 100 by executing appropriate programs stored in its memory 603 and external storage device 604 (see FIG. 6). explain.

FIG. 2 is a functional configuration diagram of the news distribution server according to the first embodiment.

The news distribution server 102 includes a transmitting/receiving section 201 and a control section 202. The transmitting/receiving unit 201 transmits and receives information to and from another device (for example, the recommendation device 104) via the network 101_1. The control unit 202 includes a news distribution unit 203. The news distribution unit 203 transmits information such as the identifier and text of the news article (article information) to another device (for example, the recommendation device 104) via the transmission/reception unit 201.

FIG. 3 is a functional configuration diagram of the SNS distribution server according to the first embodiment.

The SNS distribution server 103 includes a transmitting/receiving section 301 and a control section 302. The transmitting/receiving unit 301 transmits and receives information to and from another device (for example, the recommendation device 104) via the network 101_1. The control unit 302 includes an SNS information distribution unit 303. The SNS information distribution unit 303 sends information (SNS information) such as the identifier and text of a message posted to the SNS provided by the SNS distribution server 103 to another device (for example, the recommendation device 104) via the transmission/reception unit 301. Send to.

FIG. 4 is a functional configuration diagram of the recommendation device according to the first embodiment.

The recommendation device 104 includes a transmitting/receiving section 401 and a control section 402. The transmitting/receiving unit 401 transmits and receives information between the news distribution server 102 and the SNS distribution server 103 via the network 101_1, and transmits and receives information between the client 105 and the database 106 via the network 101_2. . The control unit 402 includes a recommendation determination unit 403, a recommendation distribution unit 404, and a recommendation determination model learning unit 405. The recommendation determination unit 403 determines whether or not a news article should be recommended to an analyst, and stores the result (recommendation result) in the database 106 . The recommendation distribution unit 404 transmits the recommendation results stored in the database 106 to the client 105 via the transmission/reception unit 401. The recommendation determination model learning unit 405 uses various information on the database 106 to learn (machine learning) a determination model (recommendation determination model: recommendation determination model) necessary for recommendation determination.

FIG. 5 is a functional configuration diagram of the client 105 according to the first embodiment.

The client 105 includes a transmitting/receiving section 501, an input/output section 502, and a control section 503. The transmitting/receiving unit 501 transmits and receives information to and from other devices (for example, the recommendation device 104, the news distribution server 102, etc.) via the network 101_2. The input/output unit 502 executes input processing of various information from an analyst via an interface device such as a keyboard, and executes output processing for the analyst via an interface device such as a monitor. The control unit 503 includes a recommendation display unit 504 and a report distribution unit 505. The recommendation display unit 504 receives the recommendation result from the recommendation device 104 via the transmitting/receiving unit 501, and displays it on the screen of the interface device for the analyst. A report distribution unit 505 distributes a report created by an analyst to a customer or the like. A report is the result of an analyst reviewing and analyzing recommended news articles.

(Hardware configuration)
Next, the hardware configuration of the devices that constitute the threat information providing system 100 of this embodiment will be explained.

FIG. 6 is a hardware configuration diagram of a computer configuring each device of the threat information providing system 100 according to the first embodiment.

The news distribution server 102, SNS distribution server 103, recommendation device 104, and client 105 that configure the threat information providing system 100 are each configured by a computer device 601, for example.

A computer device (computer) 601 includes a CPU 602 as an example of a processor section, a memory 603 composed of a volatile memory element such as a RAM (Random Access Memory), and an appropriate non-volatile memory element such as an SSD (Solid State Drive) or a hard disk drive. The device includes an external storage device 604 including an external storage device 604, a transmitting/receiving device 605 such as a network interface card (NIC), an output device 606 such as a display, and an input device 607 such as a keyboard.

The output device 606 and the input device 607 do not need to be included in any of the news distribution server 102, the SNS distribution server 103, and the recommendation device 104.

The control units 202, 302, 402, and 503 of each device shown in FIGS. It is realized (configured) by executing it. Further, the transmitting/receiving units 201, 301, 401, and 501 of each device shown in FIGS. 2 to 5 are constituted by the transmitting/receiving device 605 of the computer device 601 that constitutes each device. Further, the input/output unit 502 in the client 105 is configured by an output device 606 and an input device 607 of the computer device 601 that constitutes the client 105.

(Data structure)
Next, data used by the recommendation device 104 of this embodiment will be explained.

The data used by the recommendation device 104 is generated by news article information distributed by the news distribution server 102, SNS information distributed by the SNS distribution server 103, viewing history of news articles by analysts, and recommendation determination processing by the recommendation device 104. There is information such as judgment results.

FIG. 7 is a diagram showing a data table stored in the database according to the first embodiment.

The database 106 stores a news article information table 701, an analyst information table 702, an SNS information table 703, a recommendation determination model information table 704, and a viewing history information table 705. These tables are associated with each other by a predetermined ID included in the record.

FIG. 8 is a diagram illustrating the configuration of the news article information table according to the first embodiment.

The news article information table 701 stores records for each news article. The records of the news article information table 701 include news article ID 801, body text 802, other attribute information 803, update date and time 804, characteristic word list 805, SNS diffusion degree 806, recommendation judgment result list 807, and recommendation judgment date and time 808 as data items. have

The news article ID 801 stores an identifier (news article ID) uniquely assigned to the news article corresponding to the record. The main text 802 stores the main text of the news article corresponding to the record. Other attribute information 803 stores attribute information of the news article used for screen display, such as the title of the news article corresponding to the record and the URL (Uniform Resource Locator) of the news article. The update date and time 804 stores the last update date and time of the news article corresponding to the record. The feature word list 805 stores a list of feature words (an example of feature information) extracted from the text of the news article corresponding to the record. The SNS diffusion degree 806 stores the degree of diffusion on SNS of the news article corresponding to the record (SNS diffusion degree). The recommendation determination result list 807 stores the results of recommendation determination processing for news articles corresponding to records. The result of the recommendation determination process is, for example, a list of recommendation determination results for news articles by each determination model, and specifically, for example, a list of sets of recommendation determination model ID, analyst ID, and determination results. The recommendation determination date and time 808 stores the date and time when the recommendation determination process was performed on the news article corresponding to the entry.

FIG. 9 is a diagram illustrating the structure of the analyst information table according to the first embodiment.

Analyst information table 702 stores records for each analyst. The record of the analyst information table 702 has an analyst ID 901 and analyst other information 902 as data items.

The analyst ID 901 stores an identifier (analyst ID) uniquely assigned to the analyst corresponding to the record. Analyst and other information 902 stores attribute information of the analyst used for screen display, such as the name of the analyst corresponding to the record.

In this embodiment, it is assumed that in the analyst information table 702, each information of each analyst's record is defined in advance and stored in the database 106.

FIG. 10 is a diagram illustrating the configuration of the SNS information table according to the first embodiment.

The SNS information table 703 stores records for each message posted on the SNS. The record of the SNS information table 703 has SNS ID 1001, message body 1002, feature word 1003, number of views 1004, number of replies 1005, number of transfers 1006, and number of high ratings 1007 as data items.

The SNS ID 1001 stores an identifier (SNS ID) uniquely assigned to a message corresponding to a record. The message body 1002 stores the message body (message body) corresponding to the record. The characteristic word 1003 stores the characteristic word used when searching for a message corresponding to a record. The number of views 1004 stores the number of times other users have viewed the message corresponding to the record (number of views). The number of replies 1005 stores the number of times other users have responded to the message corresponding to the record (number of replies). The number of transfers 1006 stores the number of times another user has transferred a message corresponding to the record (number of transfers). The number of high ratings 1007 stores the number of times other users gave high ratings to the message corresponding to the record (number of high ratings). Here, the number of views, the number of replies, the number of transfers, and the number of high ratings are examples of message usage status.

FIG. 11 is a diagram illustrating the configuration of the recommendation determination model information table according to the first embodiment.

The recommendation determination model information table 704 stores records for each recommendation determination model obtained by machine learning for making recommendation determinations. The record of the recommendation judgment model information table 704 has a recommendation judgment model ID 1101, a recommendation judgment model 1102, and an analyst ID 1103 as data items.

The recommendation judgment model ID 1101 stores an identifier (determination model ID) uniquely assigned to a recommendation judgment model corresponding to a record. The recommendation determination model 1102 stores a recommendation determination model corresponding to a record. The analyst ID 1103 stores an identifier uniquely assigned to an analyst who is a target for learning a recommendation determination model corresponding to a record.

FIG. 12 is a diagram illustrating the configuration of the viewing history information table according to the first embodiment.

The viewing history information table 705 stores records for each viewing of a news article by an analyst. A record in the viewing history information table 705 has a news article ID 1201, an analyst ID 1202, and a viewing date and time 1203 as data items.

The news article ID 1201 stores the ID of the news article viewed during the viewing corresponding to the record. The analyst ID 1202 stores the ID of the analyst who viewed the record. The viewing date and time 1203 stores the date and time when the corresponding record was viewed.

In this embodiment, a news article information table 701, an analyst information table 702, an SNS information table 703, a recommendation judgment model information table 704, and a browsing history information table 705 are constructed on the database 106. The invention is not limited to this, and at least a portion of these tables may be stored in the recommendation device 104. Further, at least one or more of the respective tables may be combined to form a single table, or a more normalized table may be formed.

Next, processing operations of the threat information providing method by the threat information providing system 100 in this embodiment will be described. Various operations in the process of the threat information providing method described below are realized by, for example, the recommendation device 104 reading out a program (information providing program) into the memory 603 or the like, and the CPU 602 executing the program. This program includes code for performing various operations described below. In the following description, not only the processing executed by the recommendation device 104 but also the processing executed by other devices will be explained as appropriate.

(Recommendation judgment process)
FIG. 13 is a sequence diagram of recommendation determination processing according to the first embodiment. Here, the recommendation determination process includes a process of acquiring news article information from the news distribution server 102, a process of acquiring SNS information from the SNS distribution server 103, and a process of determining whether a recommendation is necessary for the news article. is included.

First, the recommendation determination unit 403 of the recommendation device 104 starts a recommendation determination process periodically (for example, once every hour) (S1301). Note that in this embodiment, the recommendation determination process is started periodically, but the recommendation determination process may be started after receiving a notification from the news distribution server 102 such as the timing of a new news article being distributed. .

Next, the recommendation determination unit 403 of the recommendation device 104 requests the news distribution server 102 to distribute the news article. The news distribution unit 203 of the news distribution server 102, which has received a request to distribute a news article, distributes one piece of news article information regarding an undistributed news article to the recommendation device 104. The recommendation determination unit 403 acquires the distributed news article information (news article acquisition process: S1302). Note that the news article information to be distributed includes, for example, the news article ID, news article text, and other attribute information stored in the news article information table 701, and the news article information is stored in the database storage process (described later). S1308) is stored in the news article information table 701.

Next, the recommendation determination unit 403 of the recommendation device 104 extracts a characteristic word from the main text of the news article included in the news article information (characteristic word extraction process: S1303). In addition, as a method for extracting feature words, a method of extracting by morphological analysis of the main text of a news article, a method of extracting a named entity using a predefined dictionary, or a method of extracting a named entity using a predefined dictionary may be used. Other methods may also be used. Note that the extracted feature words are stored in the feature word list 805 of the news article information table 701 through database storage processing (S1308), which will be described later.

Next, the recommendation determination unit 403 of the recommendation device 104 requests the SNS distribution server 103 to distribute message information related to the characteristic word extracted by the characteristic word extraction process (S1303). Upon receiving this request, the SNS information distribution unit 303 of the SNS distribution server 103 searches for messages based on the characteristic word corresponding to the request, identifies messages related to the news article, and sends the identified messages to the recommendation device 104. The SNS information of the message is distributed all at once (S1304). Note that the SNS information to be distributed includes, for example, the SNS ID stored in the SNS information table 703, message text, characteristic words, number of views, number of replies, number of transfers, and number of high ratings. The SNS information is stored in the SNS information table 703 through database storage processing (S1308), which will be described later.

Next, the recommendation determination unit 403 of the recommendation device 105 evaluates the SNS diffusion level (also simply referred to as the diffusion level) indicating the degree of diffusion of the news article on SNS (S1305). Note that as a method for evaluating the degree of SNS diffusion of a news article, there is a method of calculating the number of engagements of messages related to the news article and using this number of engagements as the degree of diffusion. The number of engagements may be based on at least one of the number of views, the number of replies, the number of transfers, and the number of high ratings, or may be the sum of a plurality of values. In this embodiment, for example, the sum of the number of views, the number of replies, the number of transfers, and the number of high ratings is used as the number of engagements. Note that the degree of diffusion obtained through the evaluation is stored in the SNS degree of diffusion 806 of the news article information table 701 through database storage processing (S1308), which will be described later.

Next, the recommendation determination unit 403 of the recommendation device 104 acquires all recommendation determination models stored in the recommendation determination model information table 704 (S1306). Note that the recommendation determination model is data of a model learned by machine learning, which is generated in a recommendation determination model learning process (see FIG. 15) that will be described later.

Next, the recommendation determination unit 403 of the recommendation device 104 performs recommendation determination processing to determine whether or not a news article needs to be recommended (S1307). Note that the news article recommendation determination process is performed using machine learning methods such as LSTM (Long short-term memory) using data corresponding to feature words or feature word groups extracted in advance from news articles as input parameters. By using a neural network model (recommendation determination model) that inputs data corresponding to a feature word or a group of characteristic words of the news article to be determined into the recommendation determination model, it is possible to determine whether or not the news article to be determined needs to be recommended. judge. In this recommendation determination process, the recommendation determination unit 403 determines whether or not a news article needs to be recommended for each acquired recommendation determination model. Note that the determination result of whether or not a recommendation is necessary is stored in the recommendation determination result list 807 of the record corresponding to the news article in the news article information table 701 through database storage processing (S1308), which will be described later.

Next, the recommendation determination unit 403 of the recommendation device 104 stores various acquired information and determination results obtained in the recommendation determination process in the database 106 (database storage process: S1308). Note that in this embodiment, various data are stored all at once in the database storage process (S1308), but various data may be stored in the database 106 as appropriate in the process of steps S1302 to S1307.

Next, the recommendation determination unit 403 of the recommendation device 104 repeats the processing of steps S1302 to S1307. This process is repeated until there are no more news articles distributed from the news distribution server 102 in the news article acquisition process (S1302). In this embodiment, news articles are acquired one by one in the news article acquisition process (S1302), but all articles may be acquired at once.

(Recommendation notification processing)
FIG. 14 is a sequence diagram of recommendation notification processing according to the first embodiment. Here, the recommendation notification process includes a process of acquiring a recommendation result from the recommendation device 104 and a process of displaying the recommendation result by the client 105.

First, the client 105 receives an operation from the analyst via the input/output unit 502, and starts a recommendation notification process on the client 105 side. The recommendation display unit 504 of the client 105 requests the recommendation device 104 to distribute the recommendation results. (Recommendation result distribution request processing: S1401). Note that this request for recommendation results includes at least the analyst ID. The method for inputting the analyst ID may be a method in which a login screen is provided in advance on the client 105 and input is made to the login screen, or a method in which the analyst ID is input through device authentication or the like may be used.

Next, the recommendation distribution unit 404 of the recommendation device 104 that has received the request to distribute the recommendation results acquires news article information from the news article information table 701 (news article information acquisition process: S1402). In the news article information acquisition process (S1402), the recommendation distribution unit 404 refers to the recommendation determination result 807 of the record in the news article information table 701, and determines whether the value of the recommendation determination result 807 corresponds to the analyst ID included in the request. News article information of only news articles of records that are determined to require recommendation by the recommendation determination model is acquired. Note that the news article information acquired in the news article information acquisition process may include a news article ID, other attribute information, and update date and time.

Next, the recommendation distribution unit 404 of the recommendation device 104 generates data for a recommendation screen (for example, see FIG. 17), and transmits the data for the recommendation screen to the client 105 (S1403). Note that an example of the recommendation screen will be described later.

Next, the recommendation display unit 504 of the client 105, which has received the data on the recommendation screen, displays the recommendation screen to the analyst via the input/output unit 502. The analyst can instruct viewing of a news article by clicking on a hyperlink to the news article on the recommendation screen as appropriate. The recommendation display unit 504 of the client 105, which has received the instruction to view the news article from the analyst, transmits an article viewing request to the recommendation device 104 (article viewing request process: S1404). The article viewing request includes, for example, the news article ID that the analyst wishes to view as instructed by the analyst, the analyst ID, and the viewing date and time.

Next, the recommendation distribution unit 404 of the recommendation device 104 adds a new record to the viewing history information table 705 and stores the information included in the received article viewing request. (S1405)

Next, the recommendation device 104 redirects the screen displayed on the client 105 to the news article screen provided by the news distribution server 102 (S1406). Note that when the analyst clicks on a hyperlink to a news article on the recommendation screen, the client 105 and the recommendation device 104 repeatedly execute the processes of steps S1404 to S1407.

This allows the analyst to view desired news articles and check threat information regarding cyber attacks through the client 105 during daily work.

Analysts will then create a threat intelligence report based on the information they have collected. The report distribution unit 505 of the client 105 distributes the report created by the analyst to a predetermined customer (S1407). Note that the report may be distributed to the customer by including the report in an e-mail or by posting the contents of the report on a notification portal for the customer.

(Recommendation decision model learning process)
FIG. 15 is a sequence diagram of recommendation determination model learning processing according to the first embodiment. Here, the recommendation determination model learning process includes processing for learning (machine learning) a recommendation determination model by the recommendation device 104.

First, the recommendation judgment model learning unit 405 of the recommendation device 104 starts a recommendation judgment model learning process periodically (for example, once every hour) (S1501).

Next, the recommendation determination model learning unit 405 of the recommendation device 104 acquires all viewing history information from the viewing history information table 705. Note that the acquired viewing history information includes, for example, a news article ID and an analyst ID. Note that the browsing history information to be acquired may be only browsing history information within a predetermined period.

Next, the recommendation determination model learning unit 405 of the recommendation device 104 acquires all news article information from the news article information table 701 (S1503). Note that the news article information to be acquired includes, for example, a news article ID, a list of characteristic words, and a degree of SNS diffusion. Note that the news article information to be acquired may be only news article information within a predetermined period. Further, the news article information to be acquired may be only news article information including predetermined content.

Next, the recommendation judgment model learning unit 405 of the recommendation device 104 performs machine learning on the recommendation judgment model (determination model machine learning process: S1504). The determination model machine learning process will be described later using FIG. 16.

Next, the recommendation judgment model learning unit 405 of the recommendation device 104 stores the recommendation judgment model generated in the judgment model machine learning process (S1504) in the recommendation judgment model information table 704 (S1505), and ends the recommendation judgment model learning process. do.

Next, the judgment model machine learning process (S1504) will be explained.

FIG. 16 is a flowchart of the judgment model machine learning process according to the first embodiment.

In the judgment model machine learning process, the recommendation judgment model learning unit 405 of the recommendation device 104 acquires analyst IDs from the analyst information table 702 and creates a unique list of analyst IDs (analyst ID list) (S1601 ).

Next, the recommendation determination model learning unit 405 repeatedly executes the process of loop 1 (S1604 to S1608) for each analyst ID in the analyst ID list. Here, the analyst ID to be processed is referred to as the target analyst ID.

In the process of Loop 1, the recommendation determination model learning unit 405 repeatedly executes the process of Loop 2 (S1604 to S1607) for the news articles in each record of the news article information table 701. Here, the news article to be processed is referred to as a target news article.

In the process of loop 2, the recommendation judgment model learning unit 405 compares the SNS diffusion degree of the target news article (the value of the SNS diffusion degree 806 of the corresponding record) with a predetermined threshold, and if the SNS diffusion degree is higher than the threshold value, In this case, the target news article is classified into a positive group, and if the SNS diffusion degree is lower than a threshold value, the target news article is classified into a negative group (news article classification process: S1604). If the target news article is classified into a positive group, the recommendation determination model learning unit 405 advances the process to step S1605, whereas if the target news article is classified into a negative group, the recommendation determination model learning unit 405 advances the process to step S1607. . Note that in this embodiment, the threshold value is defined in advance as a parameter and hard-coded, but the threshold value may be defined in a configuration file or the like and dynamically changed after the fact.

In step S1605, the recommendation determination model learning unit 405 refers to the viewing history information table 705 using the news article ID of the target news article and the target analyst ID as search keys, and searches for the target news article by the analyst with the target analyst ID. If the target news article has been viewed, the target news article is classified into a positive group, and if the target news article has not been viewed, the target news article is classified into a negative group. Categorize into groups. If the target news article is classified into a positive group, the recommendation determination model learning unit 405 advances the process to step S1606, whereas if the target news article is classified into a negative group, the recommendation determination model learning unit 405 advances the process to step S1607. Proceed.

In step S1606, the target news article is regarded as positive learning data, and the recommendation determination model learning unit 405 performs pre-processing for machine learning on the feature word list 805 of the record of the target news article. do. Here, the positive learning data is data of a news article that should be determined as requiring recommendation. Note that the preprocessing for machine learning may be, for example, a process of converting a feature word list of a news article into a numerical vector by a method such as tokenizing, or using a predetermined process defined by a machine learning method (such as LSTM). It may be a process using an algorithm, and in short, any process that uses a data format to be input to the judgment model is sufficient.

On the other hand, in step S1607, the target news article is regarded as negative learning data, and the recommendation determination model learning unit 405 performs preprocessing for machine learning on the feature word list 805 of the record of the target news article. Implement. Here, the negative learning data is data of news articles that should be determined as requiring no recommendation. Note that the preprocessing for machine learning can be similar to the preprocessing for the positive learning data described above.

After executing the process of loop 2 described above for all records in the news article information table 701, the process exits from the process of loop 2, and the recommendation judgment model learning unit 405 collects positive learning data and negative learning data. A recommendation determination model is generated using (S1608). In this embodiment, as a method for generating a recommendation determination model, a predetermined algorithm determined by a machine learning method (for example, LSTM) is used to generate a recommendation determination model by machine learning. Here, the comment determination model generated in step S1608 is a model corresponding to the viewing history of the analyst with the target analyst ID.

Next, the recommendation judgment model learning unit 405 executes the process of loop 1 (S1604 to S1608) for all analyst IDs in the analyst ID list, thereby creating a recommendation judgment model for each analyst ID. Generate one by one.

After executing the process of loop 1 for all analyst IDs in the analyst ID list, the recommendation judgment model learning unit 405 exits the process of loop 1 and ends the judgment model machine learning process.

According to the above-mentioned decision model machine learning process, the recommendation decision model is generated based on the analyst's viewing history of news articles and the degree of SNS dissemination of the news article, which is different from the analysis of threat information by the analyst. It is possible to reduce the possibility that news articles that have been viewed for that purpose will be learned as positive learning data. This makes it possible to appropriately recommend news articles that are useful for analyzing threat information to analysts using the recommendation determination model. In this embodiment, in an SOC that tends to place importance on the degree of social dissemination of articles related to threats, the view of an article with a low degree of social dissemination is likely to be an erroneous view, and the erroneously viewed article This is particularly effective because it prevents the data from being treated as positive learning data.

(Recommendation display screen)
FIG. 17 is a display example of the recommendation screen according to the first embodiment.

The recommendation screen 1701 includes an analyst ID display area 1702, an update date/time display area 1703, a news article information display area 1704, and a hyperlink 1705 to the news article.

The analyst ID display area 1702 displays the analyst ID given in the recommendation result distribution request process (S1401) of the recommendation notification process. In this embodiment, the analyst ID is displayed on the recommendation screen 1701, but the value of the analyst other attribute information 902 of the record corresponding to the analyst ID in the analyst information table 702 is referred to, and the analyst ID is displayed on the recommendation screen 1701. The name of the person may be displayed.

In the update date and time display area 1703, information on the update date and time 804 (update date and time) of the record in the news article information table 701 corresponding to the news article to be displayed is displayed. In this embodiment, the recommendation distribution unit 404 sorts the news article information based on the update date and time.

The news article information display area 1704 displays the value of the other attribute information 803 of the record of the news article information table 701 corresponding to the news article to be displayed, the SNS diffusion degree of the SNS diffusion degree 806, and the information of the recommendation determination result list 807. Is displayed. Note that the news articles to be displayed may be only the news articles for which the recommendation determination requires recommendation.

The hyperlink 1705 is a URL link to the news article to be displayed on the news distribution server 102, and is generated based on the information in the other attribute information 803 of the record in the news article information table 701 corresponding to the news article to be displayed. . When the hyperlink 1705 is clicked, the article viewing request process (S1404) of the recommendation notification process is called, the viewing history for this news article is recorded in the viewing history information table 705, and this news article distributed by the news distribution server 102 is You will be redirected to the news article.

(Second embodiment)
Next, a threat information providing system as an example of the information providing system according to the second embodiment will be described.

The threat information providing system according to the second embodiment uses report information distributed from an analyst to a customer as learning data for a recommendation determination model, and tags the recommendation determination model based on the attributes of the customer to whom the recommendation determination model is distributed. This embodiment differs from the first embodiment in that a recommendation judgment model generated for another analyst is utilized for recommendation judgment based on the tag attached to the recommendation judgment model. In addition, in the description of the second embodiment, the differences from the first embodiment will be mainly explained, and the description of the common points with the first embodiment will be omitted. In addition, in the description of the second embodiment, parts that are the same as or similar to those of the first embodiment will be described with the same reference numerals.

(Threat information provision system)
The configuration of the threat information providing system according to the second embodiment is similar to the configuration of the threat information providing system according to the first embodiment shown in FIG.

(Functional configuration)
The functions provided in the threat information providing system of the second embodiment are similar to those of the threat information providing system according to the first embodiment, but some functions are added or changed.

(Hardware configuration)
The hardware of each device constituting the threat information providing system 100 of the second embodiment is configured by the computer 601 shown in FIG. 6, as in the first embodiment.

(Data structure)
Next, data used by the recommendation device 104 of the second embodiment will be explained.

The data used in the second embodiment differs from the first embodiment in that the data used in the second embodiment does not include the viewing history of news articles by analysts, but instead includes the history of report distribution by analysts to customers.

FIG. 18 is a diagram showing a data table stored in a database according to the second embodiment.

The database 106 stores a news article information table 701, an analyst information table 1801, an SNS information table 703, a recommendation judgment model information table 1802, a report distribution history information table 1803, and a distribution destination information table 1804. These tables are associated with each other by a predetermined ID included in the record. Note that the news article information table 701 and the SNS information table 703 have the same configuration as the first embodiment.

FIG. 19 is a diagram illustrating the structure of an analyst information table according to the second embodiment.

Analyst information table 1801 stores records for each analyst. A record in the analyst information table 1801 has an analyst ID 1901, analyst and other attribute information 1902, and distribution destination attribute tag list 1903 as data items.

The analyst ID 1901 stores an identifier (analyst ID) uniquely assigned to the analyst corresponding to the record. Analyst and other attribute information 1902 stores analyst attribute information used for screen display, such as the name of the analyst corresponding to the record. The distribution destination attribute tag list 1903 stores a list of tags (distribution destination attribute tags) representing the attributes of distribution destinations (customers) to which the analyst corresponding to the record will distribute the report. Delivery destination attribute tags include, for example, tags representing the industry of the delivery destination, tags representing the content of distribution to the delivery destination, and tags representing the system environment of the delivery destination.

In this embodiment, it is assumed that in the analyst information table 1801, each information of each analyst's record is defined in advance and stored in the database 106.

FIG. 20 is a diagram illustrating the configuration of a recommendation determination model information table according to the second embodiment.

The recommendation determination model information table 1802 stores records for each recommendation determination model obtained by machine learning for making recommendation determinations. The record of the recommendation judgment model information table 1802 has a recommendation judgment model ID 2001, a recommendation judgment model 2002, and a distribution destination attribute tag 2003 as data items.

The recommendation judgment model ID 2001 stores an identifier (determination model ID) uniquely assigned to a recommendation judgment model corresponding to a record. The recommendation judgment model 2002 stores recommendation judgment models corresponding to records. The distribution destination attribute tag 2003 stores a tag (distribution destination attribute tag) representing the attribute of the distribution destination targeted by the recommendation determination model corresponding to the record.

FIG. 21 is a diagram illustrating the configuration of a report distribution history information table according to the second embodiment.

The report distribution history information table 1803 stores records for each report distribution history. Here, the report distribution history can also be referred to as the usage history of news articles in the report, as can be seen from the configuration below. A record in the report distribution history information table 1803 has a report ID 2101, a reference article ID list 2102, a distribution destination ID 2103, and a distribution date and time 2104 as data items.

The report ID 2101 stores an identifier (report ID) uniquely assigned to a report corresponding to a record. The reference article ID list 2102 stores a list of article IDs (reference article ID list) referenced (used) in the report corresponding to the record. The distribution destination ID 2103 stores the ID of the distribution destination (customer) to which the report corresponding to the record was distributed (customer ID: distribution destination ID). The distribution date and time 2104 stores the date and time when the report corresponding to the record was distributed.

FIG. 22 is a diagram illustrating the configuration of a distribution destination information table according to the second embodiment.

The distribution destination information table 1804 stores records for each report distribution destination. A record in the distribution destination information table 1804 has a distribution destination ID 2201 and a distribution destination attribute tag list 2202 as data items.

The distribution destination ID 2201 stores an identifier (customer ID) uniquely assigned to the distribution destination (customer) corresponding to the record. The distribution destination attribute tag list 2202 stores a list of tags (distribution destination attribute tags) representing attributes of the distribution destination corresponding to the record.

In this embodiment, it is assumed that in the distribution destination information table 1804, each information of a record corresponding to each distribution destination is defined in advance and stored in the database 106.

Next, processing operations of the threat information providing method by the threat information providing system 100 in the second embodiment will be described. Various operations in the process of the threat information providing method described below are realized by, for example, the recommendation device 104 reading out a program (information providing program) into the memory 603 or the like, and the CPU 602 executing the program. This program includes code for performing various operations described below. In the following description, not only the processing executed by the recommendation device 104 but also the processing executed by other devices will be explained as appropriate.

(Recommendation judgment process)
The recommendation determination process in the threat information providing system according to the second embodiment is the same as that in the threat information providing system according to the first embodiment.

(Recommendation notification processing)
FIG. 23 is a sequence diagram of recommendation notification processing according to the second embodiment. Here, the recommendation notification process includes a process of acquiring a recommendation result from the recommendation device 104 and a process of displaying the recommendation result by the client 105. Note that the same steps as in the recommendation notification process (FIG. 14) according to the first embodiment are given the same reference numerals.

First, the client 105 executes recommendation result distribution request processing (S1401). Next, the recommendation distribution unit 404 of the recommendation device 104, which has received the request to distribute the recommendation results, acquires news article information from the news article information table 701 (news article information acquisition process: S2301). In the news article information acquisition process (S2301), the recommendation distribution unit 404 uses the analyst ID included in the request as a search key to acquire the distribution destination attribute tag list of the distribution destination attribute tag list 1903 from the analyst information table 1802, By referring to the recommendation judgment model information table 1802 using the delivery destination attribute tag in the delivery destination attribute tag list as a search key, the recommendation judgment model ID corresponding to the delivery destination attribute tag is obtained, and the recommendation judgment model ID corresponding to the delivery destination attribute tag is obtained from the news article information table 701. News article information of a record indicating that it is determined that a recommendation is required by the recommendation determination model of the recommendation determination model ID is acquired. Note that the news article information acquired in the news article information acquisition process may include a news article ID, other attribute information, and update date and time.

Next, in the recommendation notification process, steps S1403 to S1407 are executed.

After the report distribution process (S1407), the report distribution unit 505 of the client 105 transfers the report distribution history information to the recommendation device 104 via the transmission/reception unit 501 (S2302). Note that the report distribution history information may include a report ID, a distribution destination ID, a distribution date and time, and a report text.

Next, the recommendation distribution unit 404 of the recommendation device 104 extracts characteristic words from the report text included in the acquired report distribution history information, and uses the extracted characteristic words as a search key to search the characteristic word list 805 of the news article information table 701. The search is performed, and the news article ID of the news article related to the report is specified from the news article ID 801 of the obtained record (S2303). A list of news article IDs identified in this manner corresponds to the reference article ID list stored in the reference article ID list 2102 of the report distribution history information table 1803.

Next, the recommendation distribution unit 404 of the recommendation device 104 stores report distribution history information (here, report ID, reference article ID list, distribution destination ID, and distribution date and time) in the report distribution history information table 1803 (S2304 ).

In the above-mentioned recommendation distribution process, by specifying the news article to be distributed using the distribution destination attribute tag, the distribution destination attribute is sent to newly subscribed analysts who have not yet accumulated sufficient history information. It is possible to recommend news articles suitable for the distribution destination represented by the tag.

(Recommendation decision model learning process)
FIG. 24 is a sequence diagram of recommendation determination model learning processing according to the second embodiment. Here, the recommendation judgment model learning process includes processing for learning (machine learning) a recommendation judgment model by the recommendation device 104. Note that the same steps as in the recommendation determination model learning process (FIG. 15) according to the first embodiment are given the same reference numerals.

First, periodic startup processing (S1501) is executed. Next, the recommendation determination model learning unit 405 of the recommendation device 104 combines the report distribution history information table 1803 with the distribution destination information table 1804 using the distribution destination ID as a key, and acquires all report distribution history information. Note that the report distribution history information acquired here includes, for example, a report ID, a reference article ID list, and a distribution destination attribute tag list. Next, the recommendation determination model learning unit 405 of the recommendation device 104 acquires all news article information from the news article information table 701 (S2401). Note that the news article information to be acquired includes a news article ID, a list of characteristic words, and a degree of SNS diffusion.

Next, article acquisition processing (S1503) is executed. Next, the recommendation judgment model learning unit 405 of the recommendation device 104 performs machine learning on the recommendation judgment model (determination model machine learning process: S2402). The determination model machine learning process will be described later using FIG. 25.

Next, the recommendation judgment model learning unit 405 of the recommendation device 104 stores the discrimination model generated in the judgment model machine learning process (S2402) in the recommendation judgment model information table 1802 (S2403), and ends the recommendation judgment model learning process. .

Next, the judgment model machine learning process (S2402) will be explained.

FIG. 25 is a flowchart of the judgment model machine learning process according to the second embodiment. Note that the same steps as in the judgment model machine learning process (FIG. 16) according to the first embodiment are given the same reference numerals.

In the judgment model machine learning process, the recommendation judgment model learning unit 405 of the recommendation device 104 acquires the distribution destination attribute tags of the recommendation judgment model information table 1802, and creates a unique list of distribution destination attribute tags (distribution destination attribute tag list). Create (S2501).

Next, the recommendation determination model learning unit 405 repeatedly executes the process of loop 1A (S1604, S2503, S1606 to S1608) for each distribution destination attribute tag in the distribution destination attribute tag list. Here, the distribution destination attribute tag to be processed is referred to as a target attribute tag.

In the process of loop 1A, the recommendation determination model learning unit 405 repeatedly executes the process of loop 2A (S1604, S2503, S1606, S1607) for the news articles of each record of the news article information table 701. Here, the news article to be processed is referred to as a target news article.

In the process of loop 2A, if the target news article is classified into a positive group in the news article classification process (S1604), the recommendation determination model learning unit 405 searches the news article ID and target attribute tag of the target news article. By searching the report distribution history information table 1803 as a key, it is determined whether the target attribute tag of the target news article is referenced (used) in the report of the distribution destination corresponding to the target attribute tag, and if there is a reference in the report, The target news article is classified into a positive group, and if there is no reference in the report, the target news article is classified into a negative group (S2503).

Next, the recommendation determination model learning unit 405 executes the process of step S1606 when the target news article is classified into a positive group, and executes the process of step S1607 when the target news article is classified into a negative group. Execute processing.

After executing the process of loop 2A described above for all records in the news article information table 701, the process exits from the process of loop 2A, and the recommendation determination model learning unit 405 executes the process of step S1608. Here, the comment determination model generated in step S1608 is a model corresponding to the reference history of the news article in the report to the distribution destination corresponding to the target attribute tag.

Next, the recommendation judgment model learning unit 405 executes the process of loop 1A (S1604, S2503, S1606 to S1608) for all the distribution destination attribute tags in the distribution destination attribute tag list, thereby adjusting each distribution destination attribute tag. Recommendation decision models are generated one by one for each.

After executing the process of loop 1A for all the distribution destination attribute tags in each distribution destination attribute tag list, the recommendation judgment model learning unit 405 exits the process of loop 1A and ends the judgment model machine learning process. do.

According to the above-described decision model machine learning process, recommendations are made for each destination attribute tag based on a combination of the reference history of news articles in reports to the destination corresponding to the destination attribute tag and the SNS diffusion degree of the news article. By generating a judgment model, the news articles referenced in the report of the delivery destination corresponding to the delivery destination attribute tag are used as positive learning data, so this recommendation judgment model allows the analyst to It becomes possible to appropriately recommend useful news articles suitable for attributes.

(Recommendation display screen)
FIG. 26 is a display example of a recommendation screen according to the second embodiment. Note that the same components as the recommendation screen 1701 (FIG. 17) according to the first embodiment are given the same reference numerals.

The recommendation screen 2601 includes an analyst ID display area 1702, an update date and time display area 1703, a news article information display area 1704, a hyperlink to the news article 1705, and an attribute tag display area 2602.

The attribute tag display area 2602 displays the distribution destination attribute tag (recommendation model information table 1802 (value of distribution destination attribute tag 2003) is displayed.

In this way, by displaying a news article with a distribution destination attribute tag on the recommendation screen 2601, the analyst can easily and appropriately know in what category the news article is recommended. . For example, if the destination attribute tag is "financial", you can see that the recommendation is based on news articles that are frequently referenced in reports aimed at customers in the financial field. This allows the analyst to quickly and appropriately grasp the news articles to be viewed depending on the customer involved.

Note that the present invention is not limited to the above-described embodiments, and can be implemented with appropriate modifications without departing from the spirit of the present invention. For example, each of the embodiments described above has been described in detail to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to having all the configurations described.

For example, in the first embodiment, a news article whose diffusion degree is higher than a predetermined threshold and which has been viewed by an analyst based on the viewing history is classified as positive learning data, and the news article is classified as positive learning data. A recommendation judgment model has been generated by performing machine learning using articles other than articles classified as data as negative learning data, but the present invention is not limited to this. Articles lower than the threshold and news articles that have never been viewed by the user based on the viewing history are classified as negative learning data, and articles other than those classified as negative learning data are treated as positive learning data. A recommendation determination model may be generated by performing machine learning.

Further, in each of the above-described embodiments, it is determined whether or not to recommend a news article using a recommendation determination model generated by machine learning, but the present invention is not limited to this, and the feature information of a news article A predetermined algorithm is generated in advance to determine whether or not to recommend a news article based on the degree of spread of the news article and the usage history of the news article by the user, and the characteristics of the news article to be determined are generated in advance. A predetermined algorithm may be used to determine whether or not to recommend a news article based on the information, the degree of spread of the news article, and the usage history of the news article by the user.

Further, each of the above-mentioned configurations, functions, processing units, processing means, etc. may be partially or entirely realized in hardware by, for example, designing an integrated circuit. Further, each of the above configurations, functions, etc. may be realized by software by a processor interpreting and executing a program for realizing each function. Information such as programs, tables, and files for realizing each function can be stored in a memory, a recording device such as a hard disk, a solid state drive (SSD), or a recording medium such as an IC card, an SD card, or a DVD.

Further, the control lines and information lines are shown to be necessary for explanation purposes, and not all control lines and information lines are necessarily shown in the product. In reality, almost all components may be considered to be interconnected.

100 threat information providing system, 101 network, 102 news distribution server, 103 SNS distribution server, 104 recommendation device, 105 client, 106 database, 602 CPU, 603 memory, 604 external storage device, 605 transmitting/receiving device, 606 output device, 607 input device, 701 news article information table, 702 analyst information table, 703 SNS information table, 704 recommendation judgment model information table, 705 viewing history information table, 1801 analyst information table, 1802 recommendation judgment model information table, 1803 report distribution history information Table, 1804 Delivery destination information table

Claims (8)

An information provision system that recommends articles to users,
The information providing system includes a storage unit that stores information, and a processor unit connected to the storage unit,
The storage unit stores a plurality of articles, usage history of articles used by the user, and message information indicating usage status of messages posted on SNS (Social Networking Service),
The processor section includes:
Extract feature information from the article,
Identifying messages related to the article on the SNS based on characteristic information of the article,
Calculating the degree of diffusion indicating the degree of diffusion of the article based on the usage status of messages related to the article,
Determining whether or not to recommend a given article to the user based on characteristic information of the article, the degree of spread of the article, and a usage history of the article by the user ;
The processor section includes:
determining whether to recommend the article to the user based on the degree of spread of the article and the usage history of the article by the user;
Generating a recommendation determination model for determining whether to recommend an article by performing machine learning using learning data based on feature information of the article and a result of whether to recommend it to the user;
By inputting characteristic information of a predetermined article into the recommendation determination model, it is determined whether or not to recommend the predetermined article to the user.
Information provision system. The usage history of the article by the user is a viewing history of the article by the user,
The processor section includes:
Articles for which the degree of diffusion of the article is higher than a predetermined threshold and have been viewed by the user according to the viewing history are classified as positive learning data, and articles other than articles classified as positive learning data The information providing system according to claim 1 , wherein the recommendation determination model is generated by performing machine learning using as negative learning data. The usage history of the article by the user is a viewing history of the article by the user,
The processor section includes:
Articles whose diffusion degree is lower than a predetermined threshold and articles that have not been viewed by the user according to the browsing history are classified as negative learning data, and articles other than those classified as negative learning data are classified as negative learning data. The information providing system according to claim 1 , wherein the recommendation determination model is generated by performing machine learning using articles as positive learning data. the usage history of the article by the user is the usage history of the article in a report created by the user;
The processor section includes:
Articles whose degree of spread is higher than a predetermined threshold and are used by the user in the report are classified as positive learning data, and articles other than the articles classified as positive training data are subjected to negative learning. The information providing system according to claim 1 , wherein the recommendation determination model is generated by performing machine learning on the data. The usage history of the article by the user is the usage history of the article in a report created by the user;
The processor section includes:
Articles whose degree of spread is lower than a predetermined threshold and articles that have never been used by the user in the report are classified as negative learning data, and articles other than the articles classified as negative learning data are classified as negative learning data. The information providing system according to claim 1 , wherein the recommendation determination model is generated by performing machine learning using as positive learning data. The usage history of the article by the user is the usage history of the article in a report created by the user;
The storage unit stores attribute information indicating an attribute of a distribution destination to which the user has distributed the report,
The processor section includes:
Using only the usage history of reports with the same attribute information of the delivery destination,
An article in which the degree of spread of the article is higher than a predetermined threshold and the attribute information of the distribution destination is the same and is used by the user in the report is classified as positive learning data; Generating the recommendation judgment model for the distribution destination of the attribute information by performing machine learning using articles other than articles as negative learning data;
The processor section includes:
The information providing system according to claim 1 , wherein the recommendation determination model for a distribution destination of attribute information corresponding to a distribution destination of a user is used to determine whether or not to recommend a predetermined article to the user. An information provision method using an information provision system that recommends articles to users, the method comprising:
Stores a plurality of articles, usage history of articles used by the user, and message information indicating usage status of messages posted on SNS (Social Networking Service),
Extract feature information from the article,
Identifying messages related to the article on the SNS based on characteristic information of the article,
Calculating the degree of diffusion indicating the degree of diffusion of the article based on the usage status of messages related to the article,
Determining whether or not to recommend a given article to the user based on characteristic information of the article, the degree of spread of the article, and a usage history of the article by the user ;
determining whether to recommend the article to the user based on the degree of spread of the article and the usage history of the article by the user;
Generating a recommendation determination model for determining whether to recommend an article by performing machine learning using learning data based on feature information of the article and a result of whether to recommend it to the user;
By inputting characteristic information of a predetermined article into the recommendation determination model, it is determined whether or not to recommend the predetermined article to the user.
Information provision method. An information providing program for causing a computer to perform a process of recommending articles to a user,
A storage unit stores a plurality of articles, usage history of articles used by the user, and message information indicating usage status of messages posted on SNS (Social Networking Service),
to the computer;
Extract feature information from the article,
Identifying messages related to the article on the SNS based on characteristic information of the article;
Calculating the degree of diffusion indicating the degree of diffusion of the article based on the usage status of messages related to the article,
determining whether or not to recommend a predetermined article to the user based on characteristic information of the article, a degree of diffusion of the article, and a usage history of the article by the user ;
determining whether to recommend the article to the user based on the degree of spread of the article and the usage history of the article by the user;
Generating a recommendation determination model for determining whether to recommend an article by performing machine learning using learning data based on feature information of the article and a result of whether to recommend the article to the user;
By inputting characteristic information of a predetermined article into the recommendation determination model, it is determined whether or not to recommend the predetermined article to the user.
Information program.