KR101767454B1 - Method and apparatus of fraud detection for analyzing behavior pattern - Google Patents


Info

Publication number
KR101767454B1
Authority
KR
South Korea
Prior art keywords
abnormal behavior
user
information
abnormal
action
Prior art date
Application number
KR1020150158592A
Other languages
Korean (ko)
Other versions
KR20170056045A (en)
Inventor
김성
박경철
Original Assignee
주식회사 엔젠소프트
Priority date
Filing date
Publication date
Application filed by 주식회사 엔젠소프트
Priority to KR1020150158592A
Publication of KR20170056045A
Application granted
Publication of KR101767454B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/22
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles

Abstract

The present invention relates to an abnormal behavior detection method and, more particularly, to an abnormal behavior detection method capable of detecting abnormal behavior through profile-based analysis and machine-learning-based analysis, adding or deleting abnormal behavior analysis rules on the basis of a user's action parameter values, and generating an abnormal behavior analysis model through machine learning to detect abnormal behavior, and to an apparatus therefor.
According to one aspect of the present invention, there is provided an abnormal behavior detection method comprising: collecting a user's action parameter values in real time; a first detection step of detecting abnormal behavior by comparing the collected action parameter values of the user with the abnormal behavior analysis rules for that user; a second detection step of inputting the action parameter values of a user not determined to be abnormal in the first detection step into an abnormal behavior analysis model and detecting abnormal behavior through computation by that model; and determining whether abnormal behavior has occurred by combining the detection result of the first detection step with that of the second detection step.

Description

[0001] The present invention relates to a method and apparatus for detecting anomalous behavior through analysis of a user's behavior pattern in various web service environments.

The present invention relates to an abnormal behavior detection method and, more particularly, to an abnormal behavior detection method capable of detecting abnormal behavior through profile-based analysis and machine-learning-based analysis, adding or deleting abnormal behavior analysis rules on the basis of a user's action parameter values, and generating an abnormal behavior analysis model through machine learning to detect abnormal behavior, and to an apparatus therefor.

The contents described in this section merely provide background information on the present embodiment and do not constitute the prior art.

In a social environment where personal information is readily leaked by various hacking techniques, there is a need for anomaly detection technology that responds effectively to web hacking and online fraud attempts carried out with stolen user accounts, resident registration numbers and credit card information. As fraud incidents of many kinds occur across fields such as insurance, finance, securities and mobile communications, there is also a need for a technique that judges fraud intelligently and can be applied universally to websites of various kinds.

To detect abnormal or fraudulent activity that exploits logical defects or weaknesses of a web service, it is necessary to distinguish the legitimate behavior patterns of each service from abnormal ones, and to detect abnormal behavior on the basis of a normal behavior pattern vector.

However, conventional detection of abnormal behavior patterns relies on static rules and cannot respond adequately to intelligent variant fraud and the variety of hacking attempts.

The practical value of anomaly detection lies in blocking an incident before it occurs. Therefore, the less time the system takes to analyze a behavior pattern, detect an anomaly and reach a decision, the more effective it is.

As a result, there is a growing need for a technical alternative that broadens the range of behavior actively judged to be normal, using artificial-intelligence machine learning that recognizes new patterns automatically alongside static rules generated in advance.

In addition, in the field of electronic commerce, the abolition of the policy that mandated public (accredited) certificates has raised concerns about security vulnerabilities, and abnormal behavior detection technology has attracted attention as a way to address them.

Korean Registered Patent No. 10-1153968, registered May 31, 2012 (name: system and method for preventing fraud)

Accordingly, the present invention provides an abnormal behavior detection method, and an apparatus therefor, that improves detection accuracy by adding or deleting abnormal behavior analysis rules through analysis of a user's behavior pattern in various web service environments and by forming an abnormal behavior analysis model through machine learning.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, which is defined by the appended claims.

According to one aspect of the present invention, there is provided an abnormal behavior detection method for solving the above problems, comprising: collecting a user's action parameter values in real time; a first detection step of detecting abnormal behavior by comparing the collected action parameter values of the user with the abnormal behavior analysis rules for that user; a second detection step of inputting the action parameter values of a user not determined to be abnormal in the first detection step into an abnormal behavior analysis model and detecting abnormal behavior through computation by that model; and determining whether abnormal behavior has occurred by combining the detection result of the first detection step with that of the second detection step.

According to another aspect of the present invention, there is provided an abnormal behavior detection apparatus comprising: an information collecting unit that collects, in real time, the action parameter values generated for each user that are needed to identify an abnormal symptom; and an abnormal behavior analysis and detection unit that determines a first abnormal behavior by comparing the collected action parameter values of the user with the generated abnormal behavior analysis rules, and determines a second abnormal behavior by inputting the action parameter values not determined to be abnormal in the first determination into an abnormal behavior analysis model generated through machine learning; wherein the abnormal behavior analysis and detection unit determines whether a final abnormal behavior has occurred by combining the results of the first and second determinations.

According to the present invention, an attacking behavior can be judged quickly on the basis of the user's usage environment information (fingerprint attribute information of the PC, mobile device, etc.), the user's usage pattern (input device usage behavior parameters, web navigation behavior parameters) and time-based information (accessed page information and classification by time, user access method by time), together with machine learning using the artificial-intelligence technique SVDD.

The effects obtainable from the present invention are not limited to those mentioned above; other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the technical features of the invention.
FIG. 1 is a diagram for explaining the configuration of a system for providing an abnormal behavior detection method according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating the schematic configuration of an abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 3 is a block diagram for explaining the schematic configuration of an information collecting unit in an abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 4 is a block diagram for explaining the schematic configuration of a database unit in an abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 5 is a block diagram for explaining the schematic configuration of an abnormal behavior analysis and detection unit in an abnormal behavior detection apparatus according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating the process of forming an abnormal behavior analysis model according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating the process of an abnormal behavior detection method according to an embodiment of the present invention.
FIG. 8 is a flowchart illustrating an abnormal behavior detection process according to another embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. It includes specific details in order to provide a thorough understanding of the present invention; however, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

In some instances, well-known structures and devices may be omitted or may be shown in block diagram form, centering on the core functionality of each structure and device, to avoid obscuring the concepts of the present invention.

Throughout the specification, when an element is said to "comprise" or "include" a component, this means that it may further include other components rather than excluding them, unless stated otherwise. The terms "unit" and "module" used in the specification refer to a unit that processes at least one function or operation, and may be implemented in hardware, in software, or in a combination of the two. In the context of describing the invention (and particularly in the context of the following claims), the singular forms are intended to include the plural as well, unless the context clearly dictates otherwise.

Terms including ordinal numbers such as first and second are used to describe various elements only for the purpose of distinguishing one element from another, and are not used to limit those elements. For example, without departing from the scope of the present invention, a second component may be referred to as a first component, and similarly a first component may be referred to as a second component.

The specific terminology used in the following description is provided to aid understanding of the present invention, and the use of such specific terminology may be changed into other forms without departing from the technical idea of the present invention.

The present invention provides an abnormal behavior detection method by analyzing a behavior pattern of a user in various service environments using a communication network. Hereinafter, a method proposed by the present invention will be described with reference to the drawings.

FIG. 1 is a diagram for explaining the configuration of a system for providing an abnormal behavior detection method according to an embodiment of the present invention.

Referring to FIG. 1, the system includes one or more user terminal devices 100, one or more web service servers 110, and the abnormal behavior detection apparatus 120, connected through a communication network 150.

The user terminal device 100 for carrying out the present invention is a device that connects to the communication network provided by the present invention to transmit and receive data. Here, the terminal 100 may be a user equipment (UE), a mobile station (MS), a mobile subscriber station (MSS), a subscriber station (SS), an advanced mobile station (AMS), a wireless terminal (WT), a machine type communication (MTC) device, a machine-to-machine (M2M) device, a device-to-device (D2D) device, a station (STA), or the like.

The user terminal device 100 according to the embodiment of the present invention can be implemented in various forms: for example, mobile terminals such as a smart phone, a tablet PC, a PDA (Personal Digital Assistant), a PMP (Portable Multimedia Player) or an MP3 player, as well as a smart TV or the like.

However, the present invention is not limited to this, and any device that performs a certain function by allowing a user to connect to the communication network 150 without distinguishing between wired and wireless may correspond to the terminal described in the present invention.

The user terminal device 100 is connected to other terminals, the web service server 110 and the abnormal behavior detection device 120 via the communication network 150. Here the communication network 150 is defined as one or more data links that allow electronic data to be transmitted between computer systems and/or modules. It may use, for example, a wireless communication method such as WLAN (Wireless LAN), Wi-Fi, WiBro, WiMAX or HSDPA, or a wired method such as Ethernet, xDSL (ADSL, VDSL), Hybrid Fiber Coaxial cable (HFC), Fiber to the Curb (FTTC) or Fiber To The Home (FTTH). Other widely known or later-developed communication methods may be included in addition to those listed.

When the information is transmitted or provided to a computer system via a network or other (wired, wireless, or a combination of wired or wireless) communication connection, the connection may be understood as a computer-readable medium. Computer readable instructions include, for example, instructions and data that cause a general purpose computer system or special purpose computer system to perform a particular function or group of functions. The computer executable instructions may be binary, intermediate format instructions, such as, for example, assembly language, or even source code.

The web service server 110 is likewise connected to other web service servers, the user terminal device 100 and the abnormal behavior detection device 120 via the communication network 150. The web service server 110 is the entity that provides the service the user uses through the user terminal device 100. For example, the web service server 110 of the present invention may be a server providing online transactions for insurance and financial service providers, and may be a service providing server connected to a home trading system (HTS) or a mobile trading system (MTS). The service field is not limited to electronic commerce: it may also be a server for various online content services such as games, music and video, and the field is not limited.

The abnormal behavior detection device 120 is a part constituting the main configuration of the present invention, and the configuration thereof is shown in FIG. 2 to FIG. 5 below.

FIG. 2 is a block diagram illustrating the schematic configuration of an abnormal behavior detection apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the abnormal behavior detection apparatus 120 according to the present invention includes an information collection unit 210, an abnormal behavior analysis and detection unit 220, a database unit 230, a monitoring unit 240, and a rule management unit 250.

The information collection unit 210 extracts and collects the action parameter values needed to identify an abnormal symptom while the user uses a web service from a PC or mobile device.

FIG. 3 is a block diagram for explaining the schematic configuration of an information collecting unit in an abnormal behavior detection apparatus according to an embodiment of the present invention.

Referring to FIG. 3, the information collecting unit 210 may include a PC information collecting unit 310, a mobile information collecting unit 320, and a web server information collecting unit 330.

The PC information collecting unit 310 and the mobile information collecting unit 320 are connected via the communication network 150 to one or more user terminal devices 100 of PC or mobile type respectively, and the web server information collecting unit 330 is connected via the communication network 150 to one or more web service servers 110.

Each information collecting unit 210 may include an agent that collects information from the collection target. An agent is an autonomous process that performs work on behalf of an administrator in order to collect information; here it exists as part of the information collecting unit rather than independently. The agent may be configured differently depending on the type of user terminal device 100 and the browser installed on it. Without administrator intervention, the agent collects information through the communication network 150 according to a predetermined schedule, searching all or part of the communication network 150 for the information of interest using the behavior parameter types provided in advance, and can deliver the collected information daily or at a fixed interval.

The information collecting unit 210 may collect, through the agent, information on the user's use of the user terminal 100 or the user's access records and patterns for the web service server 110. Each item whose attribute can be extracted or patterned is referred to as a parameter, and the extracted result as a parameter value.

In particular, the parameter values collected in the present invention may include behavior parameter values related to at least one of a device fingerprinting attribute, an input device utilization behavior, and a web navigation.

Fingerprinting technology extracts a fingerprint that uniquely identifies a device (physical hardware layer information such as that of a modem, MAC/software layer information such as a beacon header, etc.) from the radio signal characteristics generated during communication, and determines whether the transmitting device is a fake clone. It is broadly divided into a fingerprint generation step and a classification step.

The parameter values related to device fingerprinting attributes collected in the embodiment of the present invention include unique information about the service the user is to be provided (transaction number, service registration number, etc.), environment information of the user terminal device 100 (hardware information such as the M/B ID, CPU ID, HDD S/N and USB S/N, and software information such as the OS version, the browser version and the patch/plugin version of the browser or of a peripheral device), peripheral device information of the user terminal device 100 (e.g., keyboard, mouse, USB storage device, touch pad, removable storage medium), network information such as the IP address, MAC address and G/W IP address, wireless device information (e.g., BLE products such as a keyboard or mouse), and software information of the user terminal device 100 (running processes, specific registry information, etc.).

The parameter values related to input device usage behavior are collected from the input devices of the user terminal device 100. Here, an input device may be any input means currently commercialized or commercializable in the future: for example, a joystick, a touch screen or a touch pad, gesture input means that sense a user's motion to generate a specific input signal, and voice recognition means that recognize the user's voice. The input/output interface through which such a device is attached may be any of a wide variety of interfaces, such as a serial port interface, a PS/2 interface, a parallel port interface, a USB interface or an IEEE (Institute of Electrical and Electronics Engineers) standard interface; any of these, or even a combination of them, can be represented logically.

The parameter types related to input device usage behavior include input pattern information for the input devices described above, information on changes of the input device itself, information on the main usage behavior, and information on the authentication method (pattern touch, fingerprint recognition, authentication through a mobile device while browsing on a PC, and the like).

The parameter values related to web navigation behavior include pattern information on acts preceding a transaction (issuance and registration of a public certificate, login, change of personal information, etc.), information on authentication acts (addition or change of an authentication means, etc.), transaction information (amount, frequency, date, etc.), prior indicators of abnormal behavior (exceeding the login attempt limit, frequency of errors, attempts to change personal information, etc.), and the transaction location and time. The parameter values associated with web navigation behavior can be collected and extracted from web traffic information.

The classified parameter values may be stored in a storage unit provided in the information collection unit or in the separate database unit 230.

The abnormal behavior analysis and detection unit 220 performs abnormal behavior analysis and detection using the collected parameter values; its detailed configuration is shown in FIG. 4.

Referring to FIG. 4, the abnormal behavior analysis and detection unit 220 includes a user identification unit 410, a distributed storage database 420 for real-time processing, a feature extraction unit 430, a first abnormal behavior analysis unit 440 and a second abnormal behavior analysis unit 450.

The user identification unit 410 determines which user each collected parameter value belongs to, so that users are distinguished from one another. To classify the parameter values per user, profiling is performed that builds profile information for each user from information about the user terminal 100 (IP, MAC address, etc.). During profiling it is possible to judge, from the collected IP and ID information, whether the user is a legitimate user.

The real-time processing distributed storage database 420 is a database for processing real-time information according to the embodiment of the present invention. It is located in the abnormal behavior analysis and detection unit 220, rather than in the separately configured database unit 230, so that real-time processing is possible, and per-user profile information is generated and stored in it.

The feature extraction unit 430 generates a feature vector in real time from feature extraction results based on each user's profile information. The dimension and items of the feature vector are determined by the collected action parameter values: the more items, the higher the dimension and the better the performance. The number of items needed to carry out the present invention may be four or more action parameter values related to device fingerprinting and more than 450 kinds of input device usage behavior parameter values, but is not limited thereto.

The first abnormal behavior analysis unit 440 compares the action parameter value with the abnormal behavior analysis rule of the corresponding user to detect the abnormal behavior. This is referred to as a first detection step. An abnormal behavior rule can be generated for each user.

In addition, the first abnormal behavior analysis unit 440 can analyze and detect abnormal behavior based on the profile information. This can be performed using the feature vector extracted by the feature extraction unit 430. The extracted feature vector or profile characteristic is compared with the abnormal behavior analysis rule to detect the abnormal behavior.

In addition, the first abnormal behavior analysis unit 440 may have a white list corresponding to the normal action and a black list corresponding to the abnormal behavior. The first abnormal behavior analysis unit 440 compares the preset white list and the black list with the action parameter values to detect abnormal behavior.

The second abnormal behavior analysis unit 450 generates an abnormal behavior analysis model based on the learning data and detects abnormal behavior. This is referred to as a second detection step. The second abnormal behavior analysis unit 450 may have previously stored an abnormal behavior analysis model. In addition, the second abnormal behavior analysis unit 450 receives information on the feature vector generated by the feature extraction unit 430, extracts learning data based on the feature vector, and performs the machine learning. The behavioral analysis model can be modified through the performance of machine learning. Here, the abnormal behavior analysis model may be an analysis model generated using the SVDD (Support Vector Data Description) technique.

SVDD is a useful technique for one-class classification problems, in which learning uses only data belonging to the single class to be recognized. SVDD detects outliers by finding a boundary that encloses most of the given target data: the boundary is a sphere (a hypersphere in feature space) with center a and radius R, built to contain as many of the target data as possible, and objects outside it are regarded as outliers. The training data lie inside or outside this boundary, and the sphere is used to express the region of the training class. Training data that fall outside the boundary incur a penalty (slack). The boundary and the size of the sphere are obtained from an optimization expressed with various variables and constants, Lagrange multipliers, and a kernel that represents a high-dimensional feature space.

The second abnormal behavior analysis unit 450 applies the abnormal behavior analysis model generated through machine learning to the action parameter values collected through the current user terminal device 100, and detects abnormal behavior by judging whether those values fall inside the boundary of the model or lie outside the boundary surface.
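The SVDD model and boundary test described above, as an added example that is not code from the patent or its applicant: a minimal one-class model that learns the hypersphere (center a, radius R) from constructed normal-behavior feature vectors of one user and then applies the inside/outside test of the second detection step. The RBF kernel, the projected-gradient solver for the dual problem, and the constructed data (three scaled features per event) are this example's assumptions; the patent names the technique but not these details.

```python
"""Added example (not the patent's own code): a minimal Support Vector Data
Description (SVDD) trained on constructed per-user behaviour vectors.

Dual problem: maximise sum_i a_i K(x_i,x_i) - sum_ij a_i a_j K(x_i,x_j)
subject to 0 <= a_i <= C and sum_i a_i = 1. It is solved by projected
gradient ascent; the projection and the RBF kernel are this example's choices.
"""
import math


def rbf(x, y, gamma):
    """Gaussian kernel exp(-gamma * ||x - y||^2); K(x, x) is always 1."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


def project_to_box_simplex(v, C):
    """Euclidean projection of v onto {0 <= a_i <= C, sum a_i = 1}.

    sum_i clip(v_i - tau, 0, C) decreases monotonically in tau, so the tau
    giving a sum of 1 is found by bisection (requires C >= 1/len(v))."""
    lo, hi = min(v) - C, max(v)
    for _ in range(100):
        tau = (lo + hi) / 2.0
        total = sum(min(max(vi - tau, 0.0), C) for vi in v)
        if total > 1.0:
            lo = tau
        else:
            hi = tau
    return [min(max(vi - hi, 0.0), C) for vi in v]


class SVDD:
    """One-class model: a hypersphere (center a, radius R) in RBF feature space.

    C < 1 lets training points fall outside the sphere at a penalty (the slack
    in the description above); C = 1 forces every training point inside."""

    def __init__(self, C=1.0, gamma=1.0, iters=3000):
        self.C, self.gamma, self.iters = C, gamma, iters

    def fit(self, X):
        n = len(X)
        self.X = [tuple(x) for x in X]
        K = [[rbf(a, b, self.gamma) for b in self.X] for a in self.X]
        alpha = [1.0 / n] * n                 # feasible starting point
        step = 1.0 / (2.0 * n)                # |K_ij| <= 1 bounds the gradient's Lipschitz constant by 2n
        for _ in range(self.iters):
            grad = [K[i][i] - 2.0 * sum(alpha[j] * K[i][j] for j in range(n))
                    for i in range(n)]
            alpha = project_to_box_simplex([a + step * g for a, g in zip(alpha, grad)], self.C)
        self.alpha = alpha
        # ||a||^2 = sum_ij a_i a_j K_ij, shared by every distance computation
        self.center_norm2 = sum(alpha[i] * alpha[j] * K[i][j]
                                for i in range(n) for j in range(n))
        # R^2 is the distance of an unbounded support vector (0 < a_i < C);
        # with an approximate solver take the largest of them
        eps = 1e-6
        sv = [i for i in range(n) if eps < alpha[i] < self.C - eps]
        if not sv:
            sv = [i for i in range(n) if alpha[i] > eps]
        self.r2 = max(self.dist2(self.X[i]) for i in sv)
        return self

    def dist2(self, z):
        """Squared feature-space distance from z to the sphere center."""
        kz = sum(a * rbf(z, x, self.gamma) for a, x in zip(self.alpha, self.X))
        return 1.0 - 2.0 * kz + self.center_norm2

    def is_abnormal(self, z):
        """Second detection step: outside the boundary surface means abnormal."""
        return self.dist2(z) > self.r2


def constructed_training_events():
    """Constructed normal behaviour of one user as scaled feature vectors
    (keystroke interval, hour of access, transaction amount), each in [0, 1]."""
    center = (0.5, 0.5, 0.5)
    events = [center]
    for d in range(3):
        for off in (-0.2, -0.1, 0.1, 0.2):
            p = list(center)
            p[d] += off
            events.append(tuple(p))
    return events


if __name__ == "__main__":
    model = SVDD(C=1.0, gamma=1.0).fit(constructed_training_events())
    for z in [(0.5, 0.5, 0.5), (0.5, 0.5, 1.3), (3.0, 3.0, 3.0)]:
        print(z, "abnormal" if model.is_abnormal(z) else "normal",
              round(model.dist2(z), 4), round(model.r2, 4))
```

With an RBF kernel every K(z, z) equals 1, so the squared distance of a point far from all training data tends to 1 + ||a||^2, which always exceeds R^2; the only tunable decision is how far inside the cluster the boundary sits, which C and gamma control.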

The abnormal behavior analysis and detection unit 220 combines the result of the first detection step with the result of the second detection step to determine whether the behavior is finally abnormal.

FIG. 5 is a block diagram for explaining the schematic configuration of the database unit 230 in an abnormal behavior detection apparatus according to an embodiment of the present invention.

The database unit 230 includes a database management system (DBMS) for managing its databases. The DBMS manages the database unit 230 and provides an environment in which the application programs of the abnormal behavior detection system of the present invention can share and use it. The DBMS forms the framework on which the databases are built, and provides an interface through which application programs access the database unit 230, recovery after a failure of the database unit 230, and security maintenance functions.

Referring to FIG. 5, the database unit 230 according to the present invention includes a large-capacity log storage database 510, an abnormal behavior profile database 520, a feature extraction vector database 530, and an abnormal behavior analysis rule database 540.

The large-capacity log storage database 510 receives and stores per-user log data from the real-time processing distributed storage database 420. The log data include login and logout records, the number of files requested during a connection (hits), the number of HTML web documents downloaded by the user's web browser (page views), sessions, and the duration of stay at a specific site.

The abnormal behavior profile database 520 is a configuration for receiving and storing profile information from the real-time processing distributed storage database 420.

The feature extraction vector database 530 receives and stores the feature vectors extracted by the feature extraction unit 430.

The abnormal behavior analysis rule database 540 stores the predetermined blacklist and whitelist and the predetermined abnormal behavior analysis rules. It is connected to the first abnormal behavior analysis unit 440, the second abnormal behavior analysis unit 450 and the rule management unit 250, and can receive and store added learning data and rules.

The database unit 230 may consist of a single server or storage device, or may be divided across a plurality of servers or storage devices. The storage device may be magnetic media such as a hard disk, a floppy disk or magnetic tape; optical media such as a compact disc read-only memory (CD-ROM) or a digital video disc (DVD); magneto-optical media such as a floptical disk; or a ROM, a random access memory (RAM), or flash memory.

The monitoring unit 240 outputs the detection results of the abnormal behavior analysis and detection unit 220 and notifies the administrator when abnormal behavior is detected. The monitoring unit 240 may include a separate web server or system for management and may include a dashboard. The dashboard provides user interface features that allow an administrator to manage and view various information centrally on a single screen.

Based on the detection results of the abnormal behavior analysis and detection unit 220, the rule management unit 250 extracts, from the previously collected action parameter values, those determined to be normal as normal behavior learning data, and adds or deletes abnormal behavior analysis rules for each user on the basis of that data.

Further, rules for abnormal actions arising from a new device or a new form of web service access may be added or deleted through the rule management unit 250.

Rules may be added or deleted at the administrator's discretion, but the rule management unit 250 may also add or delete rules by comparing the analysis results against the existing abnormal behavior analysis rules. For example, the rule management unit 250 can control the abnormal behavior analysis detection unit 220 so as to add and apply an abnormal behavior analysis rule that determines an abnormal behavior from a combination of behavior parameter values which has been determined to be abnormal more than a predetermined number of times.

FIG. 6 is a flowchart illustrating a process of forming an abnormal behavior analysis model according to an embodiment of the present invention.

The second abnormal behavior analysis unit 450 extracts the action parameter values determined as normal actions from among the action parameter values of the user as learning data (S600). The second abnormal behavior analysis unit 450 performs feature vectorization on the learning data in order to generate an abnormal behavior analysis model (S602), and then performs machine learning based on the learning data (S604). SVDD (Support Vector Data Description) may be used as the machine learning method. The abnormal behavior analysis model is generated through execution of the machine learning (S606).

FIG. 7 is a flowchart illustrating a process of an abnormal behavior detection method according to an embodiment of the present invention.

Referring to FIG. 7, first, the information collecting unit 210 collects the user's action parameter values (S700). The first abnormal behavior analysis unit 440 compares the action parameter values with the predetermined abnormal behavior analysis rules stored in the abnormal behavior analysis rule database 540 (S702) and determines whether a corresponding part exists (S704). If there is a portion designated as an abnormal behavior in the abnormal behavior analysis rules, the behavior is detected as abnormal (S710a). The abnormal behavior analysis rules may include blacklists and whitelists. The blacklist may contain an IP or account that caused an anomaly, and the whitelist may include a specific IP or user terminal that has been authenticated and registered as a normal user.

If the rules do not determine the behavior to be abnormal, the second abnormal behavior analysis unit 450 inputs the action parameter values into the abnormal behavior analysis model and performs machine learning based detection to determine whether the behavior is abnormal (S706). As described in FIG. 5, the abnormal behavior analysis model can be generated through machine learning, in particular SVDD. In operation S708, the second abnormal behavior analysis unit 450 determines whether the user's action parameter values collected in real time fall inside or outside the boundary of the abnormal behavior analysis model.

If the action is determined to be normal (S710b), the abnormal behavior analysis rule may be added or deleted, and machine learning to update the abnormal behavior analysis model may be performed if necessary. If an abnormal behavior is detected, the administrator may be notified (S710a).

Here, the abnormal behavior analysis rule predetermined as abnormal behavior may be generated using the behavior parameters collected from the user. In addition, the analysis rule may be added or deleted using the result of the risk calculation.

FIG. 8 is a flowchart illustrating a process of an abnormal behavior detection method according to another embodiment of the present invention.

Referring to FIG. 8, the information collecting unit 210 extracts and collects a user's action parameter value (S800).

The collected parameter values are subjected to a profile-based check (S802) and a machine learning based check (S806), and it is determined whether the behavior is abnormal (S804, S808).

Thereafter, the detection result of the machine learning based abnormal behavior detection step (first detection step) and the detection result of the profile-based abnormal behavior detection step (second detection step) are combined to finally determine whether the behavior is abnormal (S810), and the determination result is notified to the manager (S818).

If the determination of abnormal behavior is uncertain, or if the determination result is normal, the degree of risk may be calculated by analyzing the degree of correlation (S812). The correlation analysis can use the Pearson correlation coefficient. Denoting the two variables x and y, the Pearson correlation coefficient r is the degree to which x and y vary together divided by the degree to which x and y each vary on their own, that is, the covariance of x and y divided by the product of their standard deviations:

[Formula image: Figure 112015110169345-pat00001]

A positive r indicates a positive linear relationship, a negative r indicates a negative linear relationship, and r = 0 indicates no linear relationship.

Through this correlation, the risk can be calculated by analyzing the correlation between the actions occurring consecutively before the abnormal behavior and the abnormal behavior itself (S812), the result can be added to the abnormal behavior analysis rule, and abnormal behavior can then be detected based on this rule.

The detection result and the risk calculation result may be stored in the abnormal behavior analysis rule database 540 (S816), and the result is notified to the administrator and may be reflected in the abnormal behavior analysis rule (S818).
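The two-stage pipeline of FIG. 7 (rule comparison first, model boundary check for whatever the rules leave undecided) and the Pearson-correlation risk calculation of FIG. 8, as an added example that is not part of the patent or of the assignee's code. The rule store layout, the four-feature vector (hits, page views, duration, plus a constructed failed-login count), the sample sessions and the hypersphere used in place of the SVDD optimisation are all assumptions.

```python
# Added illustration of the FIG. 7 / FIG. 8 pipeline. The data, the feature layout and the
# hypersphere used in place of SVDD are constructed assumptions, not the patent's own code.
from math import sqrt

class RuleStore:
    """Abnormal behaviour analysis rules (S702): blacklist and whitelist of IPs or accounts."""
    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist, self.whitelist = set(blacklist), set(whitelist)

    def check(self, event):
        """'abnormal' on a blacklist hit, 'normal' on a whitelist hit, None when no rule matches."""
        keys = {event["ip"], event["account"]}
        if keys & self.blacklist:
            return "abnormal"
        if keys & self.whitelist:
            return "normal"
        return None

class SphereModel:
    """Stand-in for the SVDD boundary (S708): centre = mean of the normal training vectors,
    radius = largest training distance, so every normal training point lies inside.
    Features are used unscaled here; scale them before fitting on real data."""
    def fit(self, vectors):
        n, dim = len(vectors), len(vectors[0])
        self.center = [sum(v[i] for v in vectors) / n for i in range(dim)]
        self.radius = max(self.distance(v) for v in vectors)
        return self

    def distance(self, v):
        return sqrt(sum((a - b) ** 2 for a, b in zip(v, self.center)))

    def is_abnormal(self, v):
        return self.distance(v) > self.radius

def featurize(event):
    """Vector from the log parameters named on the page plus a constructed failed-login count."""
    return [event["hits"], event["page_views"], event["duration"], event["failed_logins"]]

def detect(event, rules, model):
    """Rule comparison first (S702-S704); only events the rules leave undecided reach the model."""
    verdict = rules.check(event)
    if verdict is not None:
        return verdict, "rule"
    return ("abnormal" if model.is_abnormal(featurize(event)) else "normal"), "model"

def pearson(x, y):
    """Pearson r: covariance of x and y divided by the product of their standard deviations."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = sqrt(sum((a - mx) ** 2 for a in x))
    sy = sqrt(sum((b - my) ** 2 for b in y))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)

def risk_score(events, verdicts, param="failed_logins"):
    """S812: correlate a parameter of each preceding event with the verdict that follows it."""
    prev = [e[param] for e in events[:-1]]
    flags = [1.0 if v == "abnormal" else 0.0 for v in verdicts[1:]]
    return pearson(prev, flags)

# Constructed sample data: eight normal sessions for training and four sessions to classify.
NORMAL_TRAINING = [[20, 8, 300, 0], [25, 10, 360, 0], [18, 7, 280, 1], [30, 12, 420, 0],
                   [22, 9, 310, 0], [27, 11, 390, 1], [19, 8, 290, 0], [24, 10, 340, 0]]
KEYS = ("ip", "account", "hits", "page_views", "duration", "failed_logins")
SESSIONS = [dict(zip(KEYS, row)) for row in [
    ("203.0.113.9", "alice", 23, 9, 330, 0),          # blacklisted IP -> abnormal by rule
    ("198.51.100.4", "svc-batch", 400, 150, 30, 0),   # whitelisted account -> normal by rule
    ("198.51.100.7", "bob", 23, 9, 330, 0),           # inside the boundary -> normal by model
    ("198.51.100.8", "carol", 400, 150, 30, 12),      # far outside -> abnormal by model
]]

def run_demo():
    """Classify the sample sessions in FIG. 7 order and return (verdict, source) per session."""
    rules = RuleStore(blacklist={"203.0.113.9"}, whitelist={"svc-batch"})
    model = SphereModel().fit(NORMAL_TRAINING)
    return [detect(s, rules, model) for s in SESSIONS]
```

Note that the whitelisted session is reported normal even though its feature vector lies far outside the boundary, which is the precedence the rule-first ordering of FIG. 7 implies.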

Although the present specification and drawings illustrate exemplary device configurations, implementations of the functional operations and the subject matter described herein may be embodied in other types of digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed herein and their structural equivalents, or in a combination of one or more of the foregoing. Implementations of the subject matter described herein may be embodied in one or more computer program products, that is, computer program instructions encoded on a tangible program storage medium for execution by a processing system, and may be implemented as modules as described above. The computer-readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter that affects a machine-readable propagated signal, or a combination of one or more of the foregoing.

While the specification contains a number of specific implementation details, these should not be construed as limitations on the scope of any invention or claim, but rather as descriptions of features that may be specific to a particular embodiment of a particular invention. Certain features described herein in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments, either individually or in any suitable subcombination. Further, although features may be described as operating in a particular combination and may even be initially claimed as such, one or more features from the claimed combination may in some cases be excluded from the combination, and the claimed combination may be directed to a subcombination or a variant of a subcombination.

Likewise, although the operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve the desired result. In certain cases, multitasking and parallel processing may be advantageous. Also, the separation of the various system components in the above-described embodiments should not be understood as requiring such separation in all embodiments; the described program components and systems can generally be integrated together into a single software product or packaged into multiple software products.

The present invention relates to an abnormal behavior detection method, and can provide a real-time abnormal behavior detection technique by analyzing an environment of a user terminal and a behavior pattern of a user.

In particular, according to the present invention, anomaly detection analysis is performed on parameter values that are extracted and collected in a way that ensures anonymity. Specifically, a plurality of abnormal behavior analysis and detection rules can be applied and machine learning can be performed to ensure a high detection rate of abnormal behavior.

100: User terminal device
110: Web service server
120: abnormal behavior detection device
210: Information collecting section
220: abnormal behavior analysis detection unit
230: Database unit
240: Monitoring unit
250: Rule management unit

Claims (14)

Generating an abnormal behavior analysis rule for each user;
Collecting an action parameter value of the user in real time;
A first detection step of detecting an abnormal behavior by comparing the collected behavior parameter values of the user with the abnormal behavior analysis rules of the user;
A second detection step of inputting an action parameter value of a user not determined as an abnormal behavior in the first detection step into an abnormal behavior analysis model and detecting an abnormal behavior through calculation of the abnormal behavior analysis model;
And a step of determining whether an abnormal operation is performed by combining the detection result of the first detection step and the detection result of the second detection step,
The behavior parameter value of the user is information capable of extracting or patterning attributes of a user terminal device used by a user, a use behavior of a user terminal device, and an access behavior of a Web service server,
An action parameter value associated with a device fingerprinting attribute including at least one of unique information about a service to be provided by the user, environment information about the user terminal device, peripheral hardware information of the user terminal device, and software information of the user terminal device,
An action parameter value related to an input device use action including at least one of input pattern information on an input device used by the user, information on a change in the input device itself, and information on a use behavior for the input device; and
A parameter value related to a web navigation action including at least one of pattern information related to a transaction with a web service server used by the user, information related to an authentication action, transaction behavior pattern information, transaction pattern information, and dictionary information related to an abnormal behavior, and the abnormal behavior is detected using these action parameter values.
The method according to claim 1, further comprising:
Calculating a risk by analyzing a correlation between the actions occurring consecutively before the abnormal action and the abnormal action, if the result of the determining step is a normal action; and
Re-determining whether the behavior is abnormal based on the risk.
(Deleted)
The method according to claim 1,
Wherein the first detection step comprises:
Generates profile information for the user based on the action parameter values collected in real time,
Extracts characteristics of the profile information,
And comparing the extracted profile characteristic with the abnormal behavior analysis rule to detect an abnormal behavior.
The method according to claim 1,
Wherein the first detection step comprises:
And detecting an abnormal behavior by comparing the behavior parameter values with predetermined black list and white list.
The method according to claim 1,
The step of generating the abnormal behavior analysis rule for each user includes:
Wherein an abnormal behavior analysis rule of the user is added or deleted based on an action parameter value determined as a normal action or an abnormal behavior through comparison with the abnormal behavior analysis rule.
The method according to claim 1,
Further comprising extracting the action parameter values determined as normal actions from among the action parameter values of the user as learning data, and performing machine learning on the abnormal behavior analysis model based on the learning data.
The method according to claim 1,
Wherein the abnormal behavior analysis model uses an SVDD (Support Vector Data Description) technique.
(Deleted)
The method according to claim 6,
Wherein the step of generating the per-user abnormal behavior analysis rule includes adding or deleting the abnormal behavior analysis rule based on the result of the risk calculation.
An information collecting unit for collecting, in real time, an action parameter value of a user, which is generated for each user necessary for identifying an abnormal symptom; And
An abnormal behavior analysis detecting unit that compares the collected behavior parameter values of the user with the previously generated abnormal behavior analysis rules to primarily detect whether the behavior is abnormal, inputs the behavior parameter values not determined to be abnormal into the abnormal behavior analysis model to secondarily detect whether the behavior is abnormal by calculation of the model, and determines whether a final abnormal behavior has occurred by combining the primary and secondary detection results,
The behavior parameter value of the user is information capable of extracting or patterning attributes of a user terminal device used by a user, a use behavior of a user terminal device, and an access behavior of a Web service server,
An action parameter value associated with a device fingerprinting attribute including at least one of unique information about a service to be provided by the user, environment information about the user terminal device, peripheral hardware information of the user terminal device, and software information of the user terminal device,
An action parameter value related to an input device use action including at least one of input pattern information on an input device used by the user, information on a change in the input device itself, and information on a use behavior for the input device; and
A parameter value related to a web navigation action including at least one of pattern information related to a transaction with a web service server used by the user, information related to an authentication action, transaction behavior pattern information, transaction pattern information, and dictionary information related to an abnormal behavior.
The abnormal behavior detection device according to claim 11, wherein the information collecting unit comprises:
A PC information collecting unit for collecting the user's action parameter values from the user's PC, a mobile information collecting unit for collecting the user's action parameter values from the user's mobile terminal device, and a web server information collecting unit for collecting the user's action parameter values from the web server used by the user.
The abnormal behavior detection device according to claim 11, further comprising:
A rule management unit for adding and deleting the abnormal behavior analysis rule for each user based on the action parameter values determined as normal actions among the collected action parameter values, according to the detection result of the abnormal behavior analysis detection unit.
The abnormal behavior detection device according to claim 11, further comprising:
A monitoring unit for outputting the detection result of the abnormal behavior analysis detection unit and notifying an administrator of the abnormal behavior detection.
KR1020150158592A 2015-11-12 2015-11-12 Method and apparatus of fraud detection for analyzing behavior pattern KR101767454B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150158592A KR101767454B1 (en) 2015-11-12 2015-11-12 Method and apparatus of fraud detection for analyzing behavior pattern

Publications (2)

Publication Number Publication Date
KR20170056045A KR20170056045A (en) 2017-05-23
KR101767454B1 true KR101767454B1 (en) 2017-08-14

Family

ID=59050378

Country Status (1)

Country Link
KR (1) KR101767454B1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102408348B1 (en) 2017-12-21 2022-06-14 삼성전자주식회사 Terminal apparatus and controlling method of the terminal apparatus
CN108306864B (en) * 2018-01-12 2021-02-26 深圳壹账通智能科技有限公司 Network data detection method and device, computer equipment and storage medium
EP3776396B1 (en) * 2018-04-09 2023-08-02 Carrier Corporation Detecting abnormal behavior in smart buildings
KR102157031B1 (en) 2018-12-27 2020-09-18 동서대학교 산학협력단 Device and method for detecting abnormal behavior using server motor electric power consumption
TR201908288A2 (en) * 2019-05-30 2019-06-21 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A SYSTEM THAT ENABLES A CORRECTION GRADE FOR SITUATIONS INCLUDING ANOMALIA
KR102311997B1 (en) * 2019-08-27 2021-10-14 (주)하몬소프트 Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis
US10992696B2 (en) 2019-09-04 2021-04-27 Morgan Stanley Services Group Inc. Enterprise-level security method and system
KR102125848B1 (en) * 2020-03-31 2020-06-23 주식회사 이글루시큐리티 Method for controling physical security using mac address and system thereof
KR102184855B1 (en) * 2020-04-17 2020-12-01 주식회사 에스랩 Illegal login detectoin system and method thereof
CN111639681A (en) * 2020-05-09 2020-09-08 同济大学 Early warning method, system, medium and device based on education drive type fraud
CN117201090A (en) * 2023-08-28 2023-12-08 山东亚泽信息技术有限公司 Abnormal behavior detection processing method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004220373A (en) * 2003-01-15 2004-08-05 Mitsubishi Electric Corp Unauthorized access detection log information analysis support system, unauthorized access detection log information analysis support method, and computer program thereof
US20150106926A1 (en) * 2011-10-18 2015-04-16 Mcafee, Inc. User behavioral risk assessment

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101880705B1 (en) 2017-11-08 2018-07-20 주식회사 모비젠 System for collecting device information using internet and method thereof
KR20190083764A (en) * 2018-01-05 2019-07-15 다운정보통신(주) Method for Generating Whitelist and Detecting Abnormal Behavior Based on Matrix
KR102032222B1 (en) * 2018-01-05 2019-10-15 다운정보통신(주) Method for Generating Whitelist and Detecting Abnormal Behavior Based on Matrix
US11003765B2 (en) 2018-06-11 2021-05-11 Tmax A&C Co., Ltd Container-based integrated management system
US11245543B2 (en) * 2018-06-15 2022-02-08 Microsoft Technology Licensing, Llc Identifying abnormal usage of electronic device
KR20200004207A (en) * 2018-07-03 2020-01-13 네이버 주식회사 Apparatus for analysing user behavier and method for the same
KR102291557B1 (en) * 2018-07-03 2021-08-19 네이버 주식회사 Apparatus for analysing user behavier and method for the same
US11729283B2 (en) 2018-07-03 2023-08-15 Naver Corporation Apparatus for analysing online user behavior and method for the same
KR102143593B1 (en) 2019-10-18 2020-08-11 주식회사 모비젠 Method for detecting anomaly of Internet of Things device based on autoencoder and system thereof
KR20220095539A (en) 2020-12-30 2022-07-07 숭실대학교산학협력단 Method for providing weighting using device fingerprint, recording medium and device for performing the method
KR102307632B1 (en) * 2021-05-31 2021-10-05 주식회사 아미크 Unusual Insider Behavior Detection Framework on Enterprise Resource Planning Systems using Adversarial Recurrent Auto-encoder
KR102370661B1 (en) 2021-07-02 2022-03-07 주식회사 모비젠 Method of detecting abnormal traffic of IoT devices deployed in each household and system thereof

Also Published As

Publication number Publication date
KR20170056045A (en) 2017-05-23

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant