KR102352954B1 - Real-time Abnormal Insider Event Detection on Enterprise Resource Planning Systems via Predictive Auto-regression Model - Google Patents

Abstract

Suggested are a system and method for detecting abnormal behavior of a user of a real-time enterprise information system based on predictive autoregression. In accordance with one embodiment, the method for detecting abnormal behavior of a user of a real-time enterprise information system based on predictive autoregression, which is performed by a computer system, includes the following steps of: using two consecutive session events in an enterprise information system as a present event and a future event; inputting the present event into a predictive autoregression model (PAM) to predict a future event to generate a prediction result; and comparing the prediction result to the actual future event to determine abnormal behavior of a user in real time.

Description

Real-time Abnormal Insider Event Detection on Enterprise Resource Planning Systems via Predictive Auto-regression Model}

The following embodiments relate to a system and method for detecting an abnormal user behavior for a corporate information system, and more particularly, to a system and method for detecting an abnormal user behavior for a predictive auto-regression-based real-time corporate information system.

An Enterprise Resource Planning System (ERP system) is a comprehensive resource management system that helps manage business processes in all sectors of an enterprise.

1 is a view for explaining a general ERP system.

Referring to FIG. 1 , the ERP system 110 organically shares resources and information of the overall business process (people 101, finance 102, production 103, sales 104, operation 105, etc.) Thus, it is possible to improve the operational efficiency (121, 122). That is, the ERP system 110 serves as an essential business hub in most modern enterprises having a complex corporate structure. However, the ERP system 110 that processes important and important data within the enterprise faces the risk of enterprise threats that infringe such important information. In particular, insider corporate threats have been regarded as one of the most important issues to consider. Insiders include current and former employees, as well as contractors or business partners with appropriate access to organizational systems and data. In general, insider threats are much more risky and costly to businesses than threats posed by external attackers. Since insiders already have legitimate access to the system, they usually know where sensitive data is stored in the organization. It is also easy to assume that it is common for insiders to access corporate resources. According to one report, more than 80% of security managers say their organization's insider threat effectiveness is 'somewhat effective'. The need to detect insider threats and protect organizations has been raised until recently.

As the need for insider threat prevention has emerged, role and scenario-based approaches have been proposed to detect anomalous activity inside the system. This approach has gained solid performance for identifying predefined or known anomalous or threatening behavior. However, there is a limitation in that it cannot cope with unexpected and unusual behavior. To overcome the limitations of using predefined information for abnormal behavior, and as large datasets become available, various deep learning-based approaches have been proposed. This approach sought to detect anomalous insider behavior by analyzing anomalous movement in input devices or network signals leading to data leaks. However, this indirect approach is limited in that it can frequently create false alarms that may not be related to the actual abnormal insider behavior of the ERP system 110 . It also did not take into account the need for insider threat detection to be performed in real time.

M. Du, F. Li, G. Zheng, and V. Srikumar, "Deeplog: Anomaly detection and diagnosis from system logs through deep learning," in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1285-1298, 2017. P. Wang, B. Xu, J. Xu, G. Tian, C.-L. Liu, and H. Hao, “Semantic expansion using word embedding clustering and convolutional neural network for improving short text classification,” Neurocomputing, vol. 174, pp. 806-814, 2016. J. Yu, Y. Lee, K. C. Yow, M. Jeon, and W. Pedrycz, “Abnormal event detection and localization via adversarial event prediction,” IEEE Transactions on Neural Networks and Learning Systems, 2021. P. Vincent, H. Larochelle, I. Lajoie, Y. Bengio, P.-A. Manzagol, and L. Bottou, "Stacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion.," Journal of machine learning research, vol. 11, no. 12, 2010. A. Sherstinsky, "Fundamentals of recurrent neural network (rnn) and long short-term memory (lstm) network," Physica D: Nonlinear Phenomena, vol. 404, p. 132306, 2020. J. Chung, C. Gulcehre, K. Cho, and Y. Bengio, “Empirical evaluation of gated recurrent neural networks on sequence modeling,” arXiv preprint arXiv:1412.3555, 2014. J. R. Hershey and P. A. Olsen, "Approximating the kullback leibler divergence between gaussian mixture models," in 2007 IEEE International Conference on Acoustics, Speech and Signal Processing-ICASSP'07, vol. 4, pp. IV-317, IEEE, 2007.

The embodiments describe a predictive automatic regression-based real-time enterprise information system user anomaly detection system and method, and more specifically, a predictive auto-regression model (PAM) for real-time user It provides technology that can detect abnormal behavior.

Embodiments predict a future event by inputting a current event into a predictive automatic regression model (PAM), and determine a user abnormality in real time by comparing the prediction result and the actual future event, predictive autoregression-based real-time enterprise information system user abnormality To provide a behavior detection system and method.

According to an embodiment, a method for detecting user abnormal behavior based on predictive autoregression based on real-time corporate information system performed by a computer system includes: using two consecutive session events in a corporate information system as a current event and a future event; generating a prediction result by predicting a future event by inputting the current event into a predictive auto-regression model (PAM); and comparing the prediction result with the actual future event to determine the user's abnormal behavior in real time.

In the step of using the two consecutive session events as a current event and a future event by using the two consecutive session events, the raw system log is encoded by a dense embedding vector (DEV) or one-hot encoding in the corporate information system. and using the two consecutive session events using the dense embedding vector or one-hot encoding to be used as a current event and a future event.

The predictive autoregression model (PAM) may be trained to predict a future event using the input current event.

The step of generating a prediction result by inputting the current event into a predictive autoregression model (PAM) to predict a future event may include: extracting a latent feature by encoding the current event using an encoder; and generating the prediction result by using a predictor variable for the extracted latent feature.

The step of comparing the prediction result and the actual future event to determine the user's abnormal behavior in real time may include comparing the prediction result with the actual future event based on a mean square error (MSE), and the calculated error is a preset threshold value. If it is abnormal, it may be judged as an abnormal behavior of the user.

Comparing the prediction result and the actual future event to determine the user abnormal behavior in real time may include calculating a prediction error loss to determine a difference between the prediction result and the actual future event.

The step of comparing the prediction result and the actual future event to determine the user anomaly in real time applies an auto-regression loss to lower the uncertainty of the latent feature generated in the encoding and decoding process, and the auto-regression loss is the actual It may be a difference between a result of extracting a feature of a future event and a result of extracting a feature for prediction through the current event.

A predictive automatic regression-based real-time enterprise information system user anomaly detection system according to another embodiment includes: a preprocessor that uses two consecutive session events in the enterprise information system as a current event and a future event; a predictive auto-regression model (PAM) for generating a prediction result by predicting a future event by inputting the current event; and a user abnormal behavior determination unit that compares the prediction result with the actual future event to determine the user abnormal behavior in real time.

The preprocessor encodes a raw system log in a corporate information system with a dense embedding vector (DEV) or one-hot encoding, and uses the dense embedding vector or one-hot encoding Thus, the two consecutive session events can be used as a current event and a future event.

The predictive autoregression model (PAM) may be trained to predict a future event using the input current event.

The predictive autoregression model (PAM) may include an encoder for encoding the current event to extract latent features; and a predictor that generates the prediction result by using a predictor variable for the extracted latent feature.

The user abnormal behavior determination unit may determine the user abnormal behavior when an error calculated by comparing the prediction result and the actual future event based on a mean square error (MSE) is equal to or greater than a preset threshold.

The user abnormal behavior determination unit may determine a difference between the prediction result and the actual future event by calculating a prediction error loss.

The user anomaly determination unit applies an auto-regression loss to reduce uncertainty of latent features generated in the encoding and decoding process, and the auto-regression loss is a result of extracting the features of the future event and the current event. It may be the difference in the results when the features for prediction are derived through the

According to embodiments, a predictive auto-regression-based real-time enterprise information system user anomaly detection system capable of detecting a user anomaly with respect to an enterprise information system in real time using a predictive auto-regression model (PAM) and methods may be provided.

According to embodiments, predictive auto-regression-based real-time corporate information system that predicts future events by inputting current events into a predictive automatic regression model (PAM), and determines user abnormal behavior in real time by comparing the predicted results and actual future events A system and method for detecting user anomalies may be provided.

1 is a view for explaining a general ERP system.
2 is a block diagram illustrating an example of an internal configuration of a computer system according to an embodiment.
3 is a block diagram illustrating a system for detecting abnormal behavior of a user in a real-time enterprise information system based on predictive automatic regression according to an embodiment.
4 is a flowchart illustrating a method for detecting an abnormal behavior of a user in a real-time enterprise information system based on predictive auto-regression according to an embodiment.
5 is a diagram illustrating an AIED proposed for an ERP system according to an embodiment.
6 is a diagram illustrating structural details of a PAM according to an embodiment.

Hereinafter, embodiments will be described with reference to the accompanying drawings. However, the described embodiments may be modified in various other forms, and the scope of the present invention is not limited by the embodiments described below. In addition, various embodiments are provided in order to more completely explain the present invention to those of ordinary skill in the art. The shapes and sizes of elements in the drawings may be exaggerated for clearer description.

With the development of information and communication technology and the globalization of companies, many companies are operating through an electric resource management system called an ERP (Enterprise Resource Planning) system. ERP systems enable efficient and centralized resource management for enterprises. However, since many corporate resources are managed by the system, the threatening behavior of insiders is one of the most important risks in ERP system operation. Since insider access to corporate resources is considered a normal event, it is far more stealthy and lethal than threats from outsiders. Existing insider threat detection methods aim to detect specific events manually defined by system administrators. This approach is not robust to changing event patterns, and cannot be used unless a predefined case is presented.

In an embodiment of the present invention, a method for detecting an abnormal insider event in real time using a predictive auto-regression model (PAM) is presented. Compared with the existing approaches, the proposed method can compile a predictive model using common events and identify threats when the probability of predictive outcomes is lower than a threshold. Experiments are performed using a dataset containing defined events as a series of ERP system logs. Logs are captured in the real world of the enterprise. The results show that the proposed method can successfully identify abnormal events in the ERP system.

An embodiment of the present invention proposes a method for detecting an abnormal insider event in real time for an ERP system that can identify an abnormal event of a company insider without a predefined case of abnormal or abnormal event. A key hypothesis of this invention is that a model trained only on normal events can predict normal events well. Using this hypothesis, the proposed method is trained on a sample of normal events, and an anomalous event is identified when the prediction result does not match the corresponding future event. In this way, in particular, using the prediction results, the proposed model can respond to anomalous user events in near real-time. For this methodology, it is important to derive an accurate predictive model.

In order to improve the prediction result, the embodiments propose a predictive autoregressive model (PAM) capable of deriving a more differentiated predictive model. To demonstrate the effectiveness of the proposed method in detecting anomalous insider events, we evaluate how to utilize real event datasets. The dataset consists of ERP system logs captured by real companies. The experimental results show the effectiveness of the proposed method in detecting abnormal events in the ERP system.

The main contributions of the present invention are as follows.

A new real-time anomaly insider event detection method based on long-term memory (LSTM) is proposed. The proposed method provides strong detection performance for abnormal insider events with real-time processing speed.

To derive an accurate predictive model using a given normal event, a predictive autoregressive model (PAM) is proposed, which utilizes the proposed differential probabilistic model to identify normal and abnormal events.

In addition to the above contributions, we present comprehensive experimental results to find the optimal hyperparameter settings. It also provides a performance comparison of traditional time-series predictive models and a variety of methods, including existing state-of-the-art methods for anomalous insider event detection (AIED) and enterprise threat detection (ETD).

Below, we introduce relevant studies on AIED and ETD, and describe the details of the proposed method, including the overall architecture of PAM.

2 is a block diagram illustrating an example of an internal configuration of a computer system according to an embodiment. For example, the predictive automatic regression-based real-time enterprise information system user abnormal behavior detection system according to embodiments of the present invention may be implemented through the computer system (device) 200 of FIG. 2 . As shown in FIG. 2 , the computer system 200 includes a processor 210 , a memory 220 , and a permanent storage device 230 as components for executing a predictive automatic regression-based real-time enterprise information system user abnormal behavior detection method. , a bus 240 , an input/output interface 250 , and a network interface 260 may be included.

Processor 210 may include or be part of any apparatus capable of processing any sequence of instructions. Processor 210 may include, for example, a computer processor, a processor in a mobile device, or other electronic device and/or a digital processor. The processor 210 may be included in, for example, a server computing device, a server computer, a set of server computers, a server farm, a cloud computer, a content platform, a mobile computing device, a smartphone, a tablet, a set-top box, a media player, and the like. The processor 210 may be connected to the memory 220 via a bus 240 .

Memory 220 may include volatile memory, persistent, virtual, or other memory for storing information used by or output by computer system 200 . The memory 220 may include, for example, random access memory (RAM) and/or dynamic RAM (DRAM). Memory 220 may be used to store any information, such as state information of computer system 200 . The memory 220 may also be used to store instructions of the computer system 200 including, for example, instructions for detecting a predictive auto-regression-based real-time corporate information system user anomaly. Computer system 200 may include one or more processors 210 as needed or appropriate.

Bus 240 may include a communications infrastructure that enables interaction between various components of computer system 200 . Bus 240 may carry data between, for example, components of computer system 200 , such as between processor 210 and memory 220 . Bus 240 may include wireless and/or wired communication media between components of computer system 200 , and may include parallel, serial, or other topological arrangements.

Persistent storage 230 is a component, such as memory or other persistent storage, as used by computer system 200 to store data for an extended period of time (eg, compared to memory 220 ). may include Persistent storage 230 may include non-volatile main memory as used by processor 210 in computer system 200 . Persistent storage 230 may include, for example, flash memory, a hard disk, an optical disk, or other computer readable medium.

Input/output interface 250 may include interfaces to a keyboard, mouse, voice command input, display, or other input or output device. Information for configuration commands and/or predictive automatic regression-based real-time enterprise information system user abnormal behavior detection may be received through the input/output interface 250 .

Network interface 260 may include one or more interfaces to networks such as a local area network or the Internet. Network interface 260 may include interfaces for wired or wireless connections. Information for configuration commands and/or predictive auto-regression-based real-time enterprise information system user abnormal behavior detection may be received through the network interface 260 .

Also, in other embodiments, computer system 200 may include more components than those of FIG. 2 . However, there is no need to clearly show most of the prior art components.

3 is a block diagram illustrating a system for detecting abnormal behavior of a user in a real-time enterprise information system based on predictive automatic regression according to an embodiment.

3 is a diagram illustrating an example of components that the processor 210 of the computer system 200 according to the embodiment of FIG. 2 may include. Here, the processor 210 of the computer system 200 may include the predictive automatic regression-based real-time enterprise information system user abnormal behavior detection system 200 according to an embodiment. The predictive automatic regression-based real-time enterprise information system user anomaly detection system 300 according to an embodiment may include a preprocessor 310 , a predictive automatic regression model 320 and a user anomaly detection unit 330 . .

The processor 210 and the components of the processor 210 may perform the steps S410 to S430 included in the predictive automatic regression-based real-time enterprise information system user anomaly detection method of FIG. 4 . For example, the processor 210 and components of the processor 210 may be implemented to execute an operating system code included in the memory 220 and an instruction according to at least one program code described above. Here, the at least one program code may correspond to a code of a program implemented to process the prediction automatic regression-based real-time enterprise information system user abnormal behavior detection.

The predictive automatic regression-based real-time corporate information system user abnormal behavior detection method may not occur in the order shown, and some of the steps may be omitted or additional processes may be further included.

4 is a flowchart illustrating a method for detecting an abnormal behavior of a user in a real-time enterprise information system based on predictive auto-regression according to an embodiment.

Referring to FIG. 4 , the predictive auto-regression-based real-time enterprise information system user abnormal behavior detection method performed by a computer system according to an embodiment uses two consecutive session events in the enterprise information system to provide a current event and a future event (S410) of using the current event as a predictive auto-regression model (PAM) to predict the future event to generate a predicted result (S420) and comparing the predicted result with the actual future event to determine the user's abnormal behavior in real time (S430).

According to embodiments, by inputting a current event into a predictive automatic regression model (PAM), predicting a future event, and comparing the predicted result with an actual future event, it is possible to determine an abnormal user behavior in real time.

The predictive automatic regression-based real-time enterprise information system user anomaly detection method according to an embodiment may be described in more detail with an example of the predictive automatic regression-based real-time enterprise information system user anomaly detection system according to the embodiment described in FIG. have. The predictive automatic regression-based real-time enterprise information system user anomaly detection system 300 according to an embodiment may include a preprocessor 310 , a predictive automatic regression model 320 and a user anomaly detection unit 330 . .

In step S410, the preprocessor 310 may use two consecutive session events in the enterprise information system as a current event and a future event. That is, two consecutive session events may be used, the previous session event may be used as a current event, and the subsequent session event may be used as a future event.

In addition, the preprocessor 310 encodes the raw system log into a dense embedding vector (DEV) in the corporate information system, and uses two consecutive session events using the dense embedding vector to create a current event and a future event. can be used as

In step S420 , the predictive autoregression model 320 may input a current event to the predictive autoregression model (PAM) to predict a future event to generate a prediction result. The predictive autoregression model 320 may be trained to predict future events using input current events.

The predictive autoregression model 320 may include an encoder and a predictor. An encoder may encode a current event to extract a latent feature, and a predictor may generate a prediction result by using a predictor variable in the extracted latent feature.

In step S430, the user abnormal behavior detection unit 330 may determine the user abnormal behavior in real time by comparing the prediction result with the actual future event. The user anomaly detection unit 330 may determine a user anomaly when an error calculated by comparing a prediction result and an actual future event based on the mean square error (MSE) is equal to or greater than a preset threshold.

The user anomaly detection unit 330 may determine the difference between the prediction result and the actual future event by calculating the prediction error loss. In addition, the user anomaly detection unit 330 applies an auto-regression loss to reduce the uncertainty of the latent feature generated in the encoding and decoding process, and the auto-regression loss is the result of extracting the features of the actual future event and the current event. It may be the difference in the result when the features for prediction are derived through

The embodiments provide an event prediction-based real-time corporate information system user anomaly detection method, and a predictive autoregression model based on a given SAL log can learn in terms of increasing the prediction accuracy of the next event with respect to the previous event. Accordingly, an event prediction model can be built. Embodiments may predict a next event with respect to an event occurring in real time, and may calculate an error between the predicted event and the actual event. As a result, it is possible to visualize the degree of anomaly for every input event.

Typically, ERP system logs are displayed in alphanumeric combinations. However, this type of representation cannot be accepted as input to a computational model. Therefore, it is necessary to change the system log into a signal that can be applied to the deep learning model. To change the raw system log, one-hot encoding can be considered as the simplest way to change the classified log into a signal. Since Du (Non-Patent Document 1) is simple and efficient, it utilizes one-hot encoding to transform the raw system log of a computing system. Unfortunately, because of the methodological simplicity of single hot vector encoding, it is sometimes considered a curse of dimensionality when extending a new dimension for a new class. The size of the encoding space is linearly proportional to the number of signal classes because its methodological properties indicate classes using one-hot vectors. Therefore, it is inefficient in terms of computational cost.

To overcome this problem, dense vector embedding (Non-Patent Document 2) can be used to preprocess the raw system log. In this embodiment, the data pre-processing operation is performed as follows. Initially, the raw ERP system log _{maps to a positive integer h = {h t} }t=1:n, where h _t and n represent the length of the t-th log and log sequence, respectively, for a single user session. The mapped integer is encoded as a dense vector x = {x _t }t=1:n ∈ X (where x _t ∈ R ^m ), where m is the predefined for dense embedding method using neural network-based embedding networks. is a dimension After encoding, the vector is used to train a predictive model.

For example, the raw ERP system log (represented by complex code) is _{replaced by the integer s = {s t} }t=1:n, where s _t and n represent the length of a single log and action at time t, respectively, and the neural network It is transformed back into a dense vector x = {x _t }t=1:n using an embedding network based on .

There are several advantages to using an embedding layer instead of one-hot encoding. First, a trainable embedding layer that can represent semantic relationships between arbitrary input signals is utilized, and maps the input signals into an orthogonal vector space (which is not possible with one-hot encoding). Second, dense embeddings have dimensional flexibility to embed raw signals into a specific vector space. Given an N-classification signal, the dimension of the one-hot vector space is at least greater than N. On the other hand, since dense embeddings do not enforce orthogonality between mapped vectors, signals can be mapped into a vector space with dimensions smaller than N. Meanwhile, although it is described here that dense vector embedding is used to pre-process the raw system log, it is not limited thereto, and another method of encoding time series data to be applicable to deep learning (eg, one-hot encoding) encoding)) can be used.

Similar to various anomaly detection methods (Non-Patent Document 3) or outlier detection approaches, the method according to embodiments aims to derive a model for capturing a normal event, and then further Expect a large error or a lower probability.

5 is a diagram illustrating an AIED proposed for an ERP system according to an embodiment.

Referring to FIG. 5 , in a given event sample x (501, 502, 503) for the ERP system 500, AIED is compared with a calculation error or a threshold value (τ) manually set by the system administrator as shown in the following equation (508, 509) can be performed.

Here, F can be defined by a discriminant model or a probabilistic model for a given normal event sample X ^{nor .} Depending on the type of model (such as a discriminant model or a probabilistic model), the results can be understood as errors or probabilities. As a methodology, it is important to build a model that can include all features of a given normal event.

Here, a prediction setting is used rather than a reconstruction setting, which is the most common method of compiling a probability distribution in a given dataset (Non-Patent Document 4). There are advantages to using predictive settings to derive models. Although the reconstruction set requires limited inputs and outputs, the prediction setup is more flexible in learning the correlation of inputs and outputs because it can determine the output corresponding to each input by changing the time interval between the input and output. This methodological property can improve the generalization performance of the model by providing a more diverse pattern of input samples.

The proposed method initially encodes a current event 502 using an encoder f ^enc (504) to extract a latent feature (feature, 505) and generates a prediction result (507) using a predictor ^{variable f pre (506).} can do. The encoding process for the current event 502 may be expressed as the following equation.

[Equation 1]

Here, f ^enc is the encoder module 504 of the proposed method. x ^C and z represent the current event 502 sample and the extracted latent feature 505, respectively. The proposed method can predict the future event 507 using the latent feature z (505) through the predictor variable f ^pre (506) as shown in the following equation.

[Equation 2]

는 예측 결과(507)를 나타낸다. where f ^pre denotes the predictor variable 506 of PAM and

denotes the prediction result 507 .

A recurrent neural network (RNN) structure is used for the encoder f ^enc (504) and the predictor f ^pre (506) to process sequential data, and is an approach commonly used to process time series data (Non-Patent Document 3). The encoder f ^enc (504) and the predictor f ^pre (506) can be compiled using an LSTM cell (Non-Patent Document 5).

The LSTM consists of an input gate i, a foget gate g, and an output gate o. At the t-th time step, the input gate i _t determines the weight representing the influence of the new input on the current internal state s _{t at time t.} The process of the input gate can be expressed as the following equation.

[Equation 3]

가 더 중요해진다. Wis와 Wih는 상태 s_t-1 및 은닉 상태 α_t-1과 관련된 가중치 파라미터이다. W_ix와 b_i는 가중치 행렬과 공간 특징

에 대한 bias이다.Here, σ(·) is a sigmoid function that maps the input to a value between 0 and 1. Values close to 1 indicate input features

becomes more important Wis and Wih are weight parameters associated _{with state s t-1} and hidden state α _t-1. W _ix and b _i are weight matrices and spatial features

is the bias for

[Equation 4]

에 대한 가중치 행렬을 나타낸다. _bg는 바이어스를 나타낸다. 이러한 입력을 활용하여 각 LSTM 셀의 s_t-1, α_t-1,

, g_t, s_t를 다음 식과 같이 업데이트한다.where W _gs , W _gh , and W _gx are s _t-1 , α _t-1 ,

Represents the weight matrix for . _b g indicates bias. Utilizing these inputs, the s _t-1 , α _t-1 ,

, g _t , and s _t are updated as follows.

[Equation 5]

와 관련된 가중치 행렬을 나타낸다. Here, denotes the product _{of each element, and W sh} and W _sx are the hidden state α _t-1 and spatial features, respectively.

Represents the weight matrix associated with .

The output gate o _t determines the effect of the present state on the future state and is defined as the following equation.

[Equation 6]

에 해당하는 가중치 파라미터를 나타낸다. b_c는 출력 게이트의 bias를 나타낸다. LSTM의 은닉 상태는 다음 식과 같이 계산된다.where W _cx , W _ch , and W _cs are s _t , h _t-1 ,

Indicates the weight parameter corresponding to . b _c represents the bias of the output gate. The hidden state of the LSTM is calculated as follows.

[Equation 7]

Here, ω is the ReLu activation function. The RNN structure used in the LSTM may be replaced with a gate repeating unit (GRU) structure (Non-Patent Document 6). Examples will provide an ablation study for AIED depending on the memory cell type for the experiment.

Using the encoder and predictor variables, when the event prediction is over, the prediction error is compared to a predefined threshold β to detect an anomalous event. As shown in FIG. 5 , a prediction error is obtained by comparing the prediction result with the corresponding future event. The error is formulated based on the mean squared error (MSE), and this process is expressed as

[Equation 8]

는 각각 제안된 방법에 의한 미래 사건과 예측 결과를 나타낸다. lx는 x^F의 시간 길이를 나타낸다.where, x ^F and

represents future events and prediction results by the proposed method, respectively. lx represents the time length of x ^{F .}

Therefore, the AIED workflow with errors is defined as:

[Equation 9]

Here, τ is the event anomaly threshold, which is determined manually. Anomalous events are detected by comparing the calculated error with a manually defined threshold τ, so the performance of the AIED depends on the threshold. Meanwhile, here, the error of the prediction result is determined based on the mean square error (MSE), but the present invention is not limited thereto, and a generalized error rate function may be applied.

로 출력한다. 위의 주석을 사용하여 p(x^F|x^C)를 다음 식과 같이 p(z|x^C)와 p(x^F|z,x^C)로 재구성할 수 있다.To obtain a robust probabilistic model from a given normal event dataset, embodiments use a predictive method. A prerequisite for accurate AIED is to derive an optimal predictive model for calculating the probability p(x ^F |x ^{C ) associated with the current event 502 x C} and the corresponding future event x ^{F .} As in the workflow of the method presented in Fig. 5, the encoder f ^enc first maps the current event x ^C as a latent feature as f ^enc : x ^C → z, and then the predictor f ^pre converts the prediction result to f ^pre : z →

output as Using the above annotation, p(x ^F |x ^C ) can be reconstructed into p(z|x ^C ) and p(x ^F |z,x ^{C ) as follows:}

[Equation 10]

Here, p(x ^C ) and p(z) represent the prior probabilities of ^{x C and z, respectively.} p(x ^C ) may be derived by a given event sample defined as the current event 502 . Therefore, to derive optimal p(z|x ^C ), optimal p(x ^F |z) and p(z), p(x ^F |x ^C ) is required, and the We deal with this issue from a point of view.

6 is a diagram illustrating structural details of a PAM according to an embodiment.

)와 현재 이벤트(611)를 통한 예측을 위한 특징을 도출했을 때의 결과(z)가 최대한 같을수록 예측 결과가 좋게 된다.Referring to FIG. 6 , PAM consists of _{two main pipelines for calculating prediction error loss L P} and autoregression loss L _A , both of which operate under the predictor variables of encoder 610 and predictor 620 . do. Here, the prediction error loss L _P may determine how much the predicted value 621 and the actual value 631 are different. If only the input/output prediction error is determined, the uncertainty of z, which is a latent feature generated in the encoding and decoding process, increases. In order to lower the uncertainty of z, we can provide an _{autoregressive loss L A that allows the shape of future events.} The result of extracting the features of the actual future event (631)

) and the result z when the feature for prediction is derived through the current event 611 is the same as possible, the better the prediction result.

_k+1:2k([수학식 2])를 생성하기 위해 예측 변수에 적용될 수 있다.Given a preprocessed event x _1:2k (where n = 2k), the current event x _1:k ^{(x C in} [Equation 1])(611) and the future event x _k+1:2k ([Equation 1] 8] in x ^F ) (621). Then, the current event 611 is encoded as a latent feature z through the ^{encoder 610 f enc ([Equation 1]).} The latent feature (z) is the predicted result

It can be applied to the predictor variable to generate _{k+1:2k ([Equation 2]).}

[Equation 11]

By minimizing L _{P ,} we can basically find suitable p(z|x ^C ) and p(x ^F |z).

However, using only the prediction error loss may not be sufficient for learning globalized features because abstract representations of the latent space cannot be considered. Methodologically, the prediction error loss minimizes errors in the sample space that are not abstracted or generalized as closely as possible. During this error minimization process, abstracted features are mapped into latent space, which are more globalized features than the original input. However, according to previous studies, when the latent feature space is constructed arbitrarily, uncertainty may arise in the reconstruction of the input sample due to randomness. Consequently, uncertainty can degrade prediction performance, and poorly reconstructed results can degrade AIED performance.

Accordingly, the embodiments can be applied to automatically return loss L _A potential feature to reduce the uncertainty. Embodiments push the distribution of latent features used for prediction, denoted by z, close to the actual distribution embedded in the actual _{future event x k+1:2k .} The reverse operation of the predictor acts as an encoder to take a latent feature in a given future event. The reverse processing of the predictor variable f ^pre can be expressed as the following equation.

[Equation 12]

는 훈련 단계에서 주어진 미래 이벤트에서 추출한 잠재 특징이다. 이 단계에서는 새 모델이 필요하지 않으므로 모델의 복잡도에 영향을 미치지 않는다. 역방향 작동은 도 6에 도시된 바와 같이 원래 예측 모델 f^pre의 가중치 공유를 기반으로 수행된다.where f ^-pre denotes the reverse action of the predictor f ^{pre ,}

is a latent feature extracted from a given future event in the training phase. No new model is required at this stage, so it does not affect the complexity of the model. The backward operation is performed based on weight sharing of the ^{original prediction model f pre} , as shown in FIG. 6 .

에서, 잠재 특징에 대한 자동 회귀 손실은 다음 식과 같이 정의된다.While minimizing the difference between the distributions of two latent features, the difference is measured using Kullback-Leibler (KL) divergence (Non-Patent Document 7). given z and

In , the autoregression loss for the latent feature is defined as

[Equation 13]

_j는 각각 잠재 특징 z와

에서 i 번째 및 j 번째 요소를 나타낸다. K_L 분산의 최소값은 0이며, 이는 두 분포가 정확히 같다는 것을 의미한다. where D _KL represents the K _L divergence module, z _i and

_j is the latent feature z and

represents the i-th and j-th elements in . The minimum value of the K _L variance is 0, which means that the two distributions are exactly equal.

Therefore, the total loss function is defined as the combination of the prediction error loss and the autoregression loss as follows.

[Equation 14]

where λ is the balance weight between the two losses. In the present invention, 0.1 is set as the value of the balance weight for the best performance.

According to Apaydin et al., the model complexity of PAM using LSTM is O(2W) _{with W = n c} Х n _c Х 3 + n _c Х n _o + n _{c Х 2.} Here, n _c , n _i , and n _o represent the number of LSTM cells, input units, and output units, respectively. Also, the complexity of dense vector embedding via neural networks is O(N ² ), where N is the dimension of the hidden layer used for dense vector embedding via neural networks. Therefore, the model complexity of the proposed method is O(2W + N ² ). However, the model complexity can change with the length of time of the input event samples as it can increase or decrease the number of memory cells integrated into the encoder and predictor. In addition to the theoretical model complexity, the actual execution speed is essential to demonstrate processing speed as a real-time application to the task. The experiment shows that the real-time processing capability of the method according to the embodiments is reasonable.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), It may be implemented using one or more general purpose or special purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

Software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or apparatus, to be interpreted by or to provide instructions or data to the processing device. may be embodied in The software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in an order different from the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (14)

In the predictive automatic regression-based real-time enterprise information system user abnormal behavior detection method performed by a computer system,
using two consecutive session events in the corporate information system as current events and future events;
generating a prediction result by predicting a future event by inputting the current event into a predictive auto-regression model (PAM); and
Comparing the prediction result and the actual future event to determine the user's abnormal behavior in real time
including,
The step of generating a prediction result by inputting the current event into a predictive automatic regression model (PAM) to predict a future event,
extracting latent features by encoding the current event using an encoder; and
generating the prediction result by using a predictor variable for the extracted latent feature
Including, a user anomaly detection method. In the predictive automatic regression-based real-time enterprise information system user abnormal behavior detection method performed by a computer system,
using two consecutive session events in the corporate information system as current events and future events;
generating a prediction result by predicting a future event by inputting the current event into a predictive auto-regression model (PAM); and
Comparing the prediction result and the actual future event to determine the user's abnormal behavior in real time
including,
The step of using the two consecutive session events as a current event and a future event is,
Encoding the raw system log by dense embedding vector (DEV) or one-hot encoding in the enterprise information system
including,
Using the two consecutive session events using the dense embedding vector or one-hot encoding as a current event and a future event
Characterized in, the user anomaly detection method. According to claim 1,
The predictive autoregression model (PAM) is
being trained to predict future events using the input current event
Characterized in, the user anomaly detection method. delete According to claim 1,
The step of comparing the prediction result with the actual future event to determine the user's abnormal behavior in real time,
If the error calculated by comparing the prediction result with the actual future event is greater than or equal to a preset threshold, it is determined as a user abnormal behavior
Characterized in, the user anomaly detection method. According to claim 1,
The step of comparing the prediction result with the actual future event to determine the user's abnormal behavior in real time,
determining the difference between the prediction result and the actual future event by calculating the prediction error loss;
Characterized in, the user anomaly detection method. According to claim 1,
The step of comparing the prediction result with the actual future event to determine the user's abnormal behavior in real time,
Auto-regression loss is applied to reduce uncertainty of latent features generated during encoding and decoding, and the auto-regression loss is the result of extracting the actual features of the future event and deriving features for prediction through the current event What is the difference in the result when
Characterized in, the user anomaly detection method. In the predictive automatic regression-based real-time corporate information system user abnormal behavior detection system,
A preprocessor that uses two consecutive session events in the corporate information system as current and future events;
a predictive auto-regression model (PAM) for generating a prediction result by predicting a future event by inputting the current event; and
A user abnormal behavior determination unit that compares the prediction result with the actual future event to determine the user abnormal behavior in real time
including,
The predictive autoregression model (PAM) is
an encoder for encoding the current event to extract latent features; and
A predictor that generates the prediction result by using a predictor variable for the extracted latent feature
Including, user anomaly detection system. In the predictive automatic regression-based real-time corporate information system user abnormal behavior detection system,
A preprocessor that uses two consecutive session events in the corporate information system as current and future events;
a predictive auto-regression model (PAM) for generating a prediction result by predicting a future event by inputting the current event; and
A user abnormal behavior determination unit that compares the prediction result with the actual future event to determine the user abnormal behavior in real time
including,
The preprocessor is
In the enterprise information system, the raw system log is encoded with a dense embedding vector (DEV) or one-hot encoding, and the continuous Using 2 session events as current event and future event
Characterized in, the user anomaly detection system. 9. The method of claim 8,
The predictive autoregression model (PAM) is
being trained to predict future events using the input current event
Characterized in, the user anomaly detection system. delete 9. The method of claim 8,
The user abnormal behavior determination unit,
If the error calculated by comparing the prediction result with the actual future event is greater than or equal to a preset threshold, it is determined as a user abnormal behavior
Characterized in, the user anomaly detection system. 9. The method of claim 8,
The user abnormal behavior determination unit,
determining the difference between the prediction result and the actual future event by calculating the prediction error loss;
Characterized in, the user anomaly detection system. 9. The method of claim 8,
The user abnormal behavior determination unit,
Auto-regression loss is applied to reduce uncertainty of latent features generated during encoding and decoding, and the auto-regression loss is the result of extracting the actual features of the future event and deriving features for prediction through the current event What is the difference in the result when
Characterized in, the user anomaly detection system.

Images