KR102644230B1 - Mysterious symptom detection system using AI variable threshold - Google Patents

Abstract

In a security management system that manages access to secure areas,
A PC 120 that transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room of supplementary management; and
Entry and exit records of visitors holding a tag pass 130 tagged by the tag reader 110 on the door of the security area 100, digital documents on the security server, web access records (log records) in the security room, and CPU of the remote PC. Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is stored cumulatively in the database of a secure server for each individual and normalized according to individual z-score, average, and standard deviation according to statistics by time zone/day/period, and then set to individual AI variable threshold. We propose a security management system characterized by determining (upper and lower limits).

Description

Security room storage management system using machine learning learning algorithm {Mysterious symptom detection system using AI variable threshold}

The present invention relates to a security management system that uses deep learning or machine learning learning algorithms to learn normal patterns of learning data and applies them to manage access to security areas.

Recently, the access records of tag passes recognized by the tag reader installed in the company's security area room and the web access records of the digital document security room accessed through the wired and wireless communication network from the user terminal (PC, smartphone, tablet PC) are managed by security management. It is stored in the server's database, and document security is necessary to prevent abnormal information leakage by monitoring the access records of the security room and the web access records of the digital document security room.

In a conventional document security system, when a client terminal encrypts digital information, authentication is performed using a key value predefined by the document security server, and after authentication, the digital information created by the client terminal is encrypted and stored in an external storage device. When accessing it again, it is decrypted and the digital information is viewed.

For example, an entrant using a 13.56 MHz RFID tag on a pass equipped with an RFID tag reader in a security area room and a digital document accessed through a wired or wireless communication network from a user terminal. For example, a security manager is Entering 10 times, employees will enter 5 times, 3 times, 2 times, or 1 time depending on the work involved. By accumulating the entry and exit records of those entering and exiting the digital document security room using the tag on the security room pass, daily/weekly/monthly statistics are calculated for each individual, and the entry and exit records and web access records are analyzed and systematically managed to detect any abnormalities. It is necessary to manage abnormal data with .

As prior art 1 related to this, patent registration number 10-0750697 registers “a digital document security system equipped with shared storage with a user access function, and a document processing method using the system.”

A digital document security system equipped with shared storage with user access functions is configured to prevent abnormal leakage of digital information processed by a computer.

One of at least one DRM client terminal is configured to be connected to the shared storage, encrypt and store digital information in the shared storage medium, and perform an editing function by decrypting the encrypted digital information according to the user access control function,

The shared storage is; It consists of a physical serial number provided so that each DRM client terminal can access and perform registration authentication, and a storage unit in which the digital information is stored,

The DRM client terminal is; An authentication process is performed by inputting the physical serial number of the shared storage, and after performing the authentication process, an encryption/decryption unit that encrypts and decrypts the digital information is linked to the shared storage to provide digital information. It is characterized by being composed of an application tool that provides permission setting functions such as editing.

As prior art 2 related to this, “Anomaly detection method and system using machine learning” is registered in Patent Registration No. 10-2185190.

Figure 1 is an exemplary diagram of an anomaly detection system 100 using conventional machine learning.

The detection method of the anomaly detection system using machine learning is:

storing cost changes between predicted values and actual values for learning data using machine learning;

Searching for a neighbor having a similar pattern to the target's cost change among the stored cost changes; and

A step of determining normal/abnormality of the target based on the difference between the cost change of the searched neighbor and the cost change of the target,

The step of storing the cost changes is

determining a threshold value of the cost to distinguish normal from abnormal based on the cost corresponding to test data; determining whether the test data is normal/abnormal based on the threshold; and storing a change in cost for a first time with respect to a normal situation while the cost is greater than the threshold in the test data, wherein the cost is a difference between the predicted value and the actual value.

In addition, the anomaly detection system using machine learning

A learner that creates a learning model by learning test data using machine learning;

a prediction standard judger that primarily determines whether a target is normal or abnormal based on a threshold value for cost corresponding to the difference between the predicted value and the actual value according to the learning model; and

Receive a primary judgment result for the target from the prediction criterion judge, calculate the difference between the cost change of the target and the cost change of the neighbor extracted during a predetermined time, and calculate the calculated cost change difference value and A cost change standard judger that secondarily determines normality/abnormality for the target by comparing cost change difference limit values,

Stored are threshold-exceeding cost changes in the test data that are greater than the threshold and for a first time period for a normal situation,

A first cost change difference function is determined that calculates the difference between the above-threshold cost changes,

A first threshold for the difference between the threshold-exceeding cost changes is determined using the first cost change difference function.

Recently, companies that require security monitor the access records for each executive, department/employee, the security of the company's document security room containing secret documents, and the status of the computer's CPU to learn normal patterns and identify abnormal abnormal patterns. It must be extracted and managed.

However, the existing security system records access records of visitors holding tag passes in the document security room in the security area, web access records in the digital document security room, CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of remote PCs, and log records. Each individual is stored cumulatively in the security server's database, and the security server records access records, web access records, and monitors the remote PC's CPU status (cpu_system_pct, cpu_user_pct) according to individual variable thresholds (upper and lower limits) according to statistics by time zone/date/period. , tot_cpu_pct), learning normal patterns using deep learning or machine learning learning algorithms using learning data including log records, and applying different AI variable thresholds (upper and lower limits) for each individual to the detection data in real time to normalize the data. It did not provide a function to separately extract and display data (normal within 5 to 95%) and abnormal data with abnormal abnormal patterns (less than 5%, more than 95%).

Patent registration number 10-0750697 (registration date: August 13, 2007), “Digital document security system equipped with shared storage with user access function, and document processing method using the system”, MarkAny Co., Ltd. Patent registration number 10-2185190 (registration date: November 25, 2020), “Anomaly detection method and system using machine learning,” Electronics and Telecommunications Research Institute

The purpose of the present invention to solve the above problems is to provide a security management system that manages access to a secure area.

When entering the document security room of supplementary management, a PC 120 that transmits the access record of the tag reader 110 tagging the visitor's tag pass 130; and a tag reader of the door of the security area 100 ( Access records of visitors holding the tag pass 130 tagged by 110), web access records (log records) of the digital document security room of the security server, and CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of the remote PC. The feature is that each individual is stored cumulatively in the database of a secure server, and the AI variable threshold (upper limit, lower limit) for each individual is determined after normal distribution according to the z-score, average, and standard deviation for each individual based on statistics by time zone/date/period. Provides a security management system that

In order to achieve the purpose of the present invention, the present invention is a security management system for managing access to a secure area, and a tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room of supplementary management. ) PC 120, which transmits the access record of the entry and exit records of the person holding the tag pass 130 tagged by the tag reader 110 of the door of the security area 100, and digital document security of the security server Real-time web access records (log records) and remote PC CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) are stored cumulatively in the database of a secure server for each individual, and each individual's z-score and average are analyzed by time zone/date/period statistics. , After normal distribution according to the standard deviation, individual AI variable thresholds (upper and lower limits) are determined.

In addition, in order to achieve the purpose of the present invention, an abnormality detection system using an AI variable threshold records the entry and exit of people holding tag passes in a secure area, web access records (log records) in the digital document security room, and CPU of a remote PC. Status monitoring data is accumulated and stored in a database for each individual, and the data is normalized according to z-score, average, and standard deviation for each individual based on statistics by time zone/day/period, and then the AI variable threshold for each individual is determined, and the learning data is used to create a learning algorithm. A security server that learns normal patterns using and applies different AI variable thresholds for each individual to the detection data in real time to provide normal pattern data and abnormal abnormal pattern data with abnormal abnormal patterns; and a user terminal connected to the security server through a wired or wireless communication network.

The anomaly detection system using the AI variable threshold of the present invention records the entry and exit of the RFID tag pass of the person recognized by the RFID tag reader installed in the company's security area room, web access record (log record) in the digital document security room, and monitoring. The data is stored in the database of the security server, including (1) access records of visitors holding tag passes in the document security room in the secure area, web access records (log records) in the digital document security room of the security server, and CPU of the remote PC. Status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is stored cumulatively in the database of the security server for each individual, normalized to normal distribution with individual z-score, average, and standard deviation according to statistics by time/day/period, and then set to individual thresholds (upper limit, lower limit), and the security server normalizes learning data including access records, web access records (log records), and remote PC CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) using deep learning or machine learning learning algorithms. Learn patterns and apply different AI variable thresholds (upper and lower limits) for each individual to the corresponding detection data in real time to generate normal pattern data (normal within 5 to 95% of normal distribution) and abnormal abnormal pattern data with abnormal abnormal patterns. (5% or less, 95% or more of the normal distribution) is separately extracted and displayed on the UI screen on the user terminal, and the final result including the log (number of output pages/business time, number of output pages/non-business time) is output,

(2) Learning data including access records/web access records/CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct)/log records of remote PCs with individual AI variable thresholds applied, and real-time detection data images connected to a security server. It is output to the user terminal and has the effect of visualizing detection data, extracting data with abnormal patterns (less than 5%, more than 95%) and displaying it on the screen.

Figure 1 is an exemplary diagram of an anomaly detection system 100 using conventional machine learning.
Figure 2 is a diagram illustrating the configuration of an anomaly detection system using an AI variable threshold according to the present invention.
Figure 3a shows individual access records and web access records (log records) in the company's security area stored on a security server, and normal distribution using the z-score, mean, and standard deviation of the individual records. This is a screen that applies a flexible AI variable threshold for each individual.
Figure 3b shows that the security server learns access records and web access records using machine learning and applies different AI variable thresholds (upper and lower limits) for each individual to determine normal data (normal within 5 to 95%) and abnormal data with abnormalities. This is a screen to extract and manage data (less than 5%, more than 95%).
Figure 3c is a learning data query (SPL) and detection data query (SPL) screen that applies an individual AI variable threshold (DRM release or higher).
Figure 3d shows the learning data image (Splunk Image) and detection data image (Splunk Image) screens with individual AI variable thresholds (DRM release or higher) applied.
Figure 3e is a screen displaying data visualization of learning data trends by date (trend graph) and learning data distribution (bar graph) showing frequency by value according to UserID.
FIG. 3F uses a learning algorithm for access records/web access records to calculate individual thresholds using learning data for each individual date, calculates individual upper limit thresholds/lower limit thresholds, and compares them to detect individual access records/web access records. This is a screen that extracts data and outputs the final results.
Figure 3g is a data visualization screen that displays upper/lower threshold values for each individual, learning data trends by date (trend graph), and learning data distribution (bar graph) showing frequency by value according to UserID.
Figure 4a is a client screen showing a scenario within JMachine of a user terminal.
Figure 4b is an additional explanation of the learning algorithm: cluster analysis (cluster), abnormal behavior analysis settings [all executives and employees analysis (same-day analysis/period analysis), specific executives and employees analysis (same-day analysis/period analysis), overall infrastructure analysis (same-day analysis/period analysis) Analysis), specific infrastructure analysis (same-day analysis/period analysis), entire IP address analysis (same-day analysis/period analysis), specific IP address analysis (same-day analysis/period analysis)-abnormal behavior options].
Figure 4c is a Test Data query (AI anomaly detection - same-day analysis by employees) screen.
Figure 4d is the Test Data Splunk Image (AI anomaly detection - same-day analysis by employees) screen.
Figures 4e and 4f show the appearance after the learning algorithm: By applying different AI variable thresholds (upper limit, lower limit) for each UserID individual, normal data (normal within 5 to 95%) and abnormal data with signs of abnormality (less than 5%, more than 95%) ) is separated and extracted, lists logs (number of output pages/business time, number of output pages/non-business time), and outputs the final results including abnormal data with abnormalities.
Figure 4g shows the abnormality within JMachine, which sets the analysis target [employee, infrastructure, IP address] and time standard [same-day analysis, period analysis], lists the employee number/name/department, employee number search box, and search results, and outputs the analysis screen. This is the symptom detection screen.
Figure 4h is a JMachine (Python) screen extracted by the JMachine website according to employee number/name/department.
Figure 5a is AI numerical anomaly detection: a screen showing a machine learning algorithm that detects numerical data abnormal patterns by learning normal patterns using a learning algorithm.
Figures 5b and 5c are screens showing AI detection options (Sensitivity, Duplication, Accumulated Data, Sloop degree, Time Window Unit, Outlier/Inlier).
Figure 5d is a Test Data (KPI = 1) query (AI numerical anomaly detection) screen using learning data query (SPL) and detection data query (SPL).
Figure 5e is a Test Data Splunk Image (AI numerical anomaly detection) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).
Figure 5f is a data visualization screen (KPI = 1) showing the learning data trend by date (trend graph) and the learning data distribution (bar graph) showing the frequency by value according to UserID.
Figure 5g is a detection data visualization (KPI) including detection data trends by date (trend graph - anomaly pattern (Anomaly-Outlier)) and detection data distribution showing frequency by value (bar graph - anomaly pattern (Outlier)) according to UserID. = 1) It is one screen.
Figures 5h and 5i show that after learning a normal pattern for the training data using a learning algorithm, applying an individual numerical anomaly detection threshold using a deep learning model, outputting the detection data, and comparing the predicted value and the actual value of the detection data. This is a screen that calculates the distance of the value and outputs the detection data.
Figure 5j is an AI detection sensitivity screen for daily detection data after the learning algorithm.
Figure 5k is a JMachine scenario - AI detection sensitivity to detection data, AI detection source data screen.
Figure 6a is a Test Data (KPI = 3) query (AI numerical anomaly detection) screen using learning data query (SPL) and detection data query (SPL).
Figure 6b is a Test Data Splunk Image (AI numerical anomaly detection) (KPI = 3) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).
Figure 6c is a data visualization screen (KPI = 3) showing the learning data trend (trend graph) by time period for cpu_system_pct, cpu_user_pct, and tot_cpu_pct, and the learning data distribution (bar graph) showing the frequency by value.
Figure 6d shows the detection data trend by time for cpu_system_pct, cpu_user_pct, tot_cpu_pct (trend graph - anomaly pattern (Anomaly-Outlier)), and the detection data distribution showing the frequency of cpu_system_pct, cpu_user_pct, tot_cpu_pct (bar graph - anomaly pattern (Outlier)). This is one screen containing detection data visualization (KPI = 3).
Figure 6e shows normal patterns by time/date for the cpu_system_pct, cpu_user_pct, and tot_cpu_pct learning data of the learning algorithm, and then applying individual numerical anomaly detection thresholds using a deep learning model to output detection data, and cpu_system_pct, cpu_user_pct , This is a screen that calculates the distance between the predicted value and the actual value of the detection data for each time slot/date for tot_cpu_pct and outputs the detection data.
Figure 6f is a result of learning normal patterns of cpu_system_pct, cpu_user_pct, tot_cpu_pct learning data using a learning algorithm: A screen showing abnormal patterns after learning normal patterns by time slot/date for cpu_system_pct, cpu_user_pct, tot_cpu_pct learning data.
Figure 6g is a JMachine scenario - AI detection sensitivity and AI detection source data screen regarding cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.
Figure 6h is a detection event visualization screen showing detection data showing histograms for each value and frequency for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.
Figures 7a and 7b show AI log anomaly detection: Transform log text data into numerical data and then detect abnormal patterns in numerical data (learn normal patterns, quantify abnormal patterns and specify threshold) Test Data (KPI=1) Query learning data (SPL), Detection data query (SPL) - This is the AI log abnormality detection screen.
Figure 7c is a Test Data Splunk Image (AI log anomaly detection) screen including a training data image (Splunk) and a detection data image (Splunk).
Figure 7d is a screen with embedded text (AI log anomaly detection) of learning data and detection data in time-serial order by time and log_key.

Hereinafter, the configuration and operation of the preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the description of the present invention, if it is determined that a detailed description of a related known function or a known configuration may unnecessarily obscure the gist of the present invention, the detailed description will be omitted. In addition, the same drawing number is assigned to different drawings when indicating the same configuration.

(Example)

In order to prevent abnormal information leakage, the access record of the RFID tag pass of the visitor recognized by the 13.56MHz RFID tag reader installed in the company's security area room where document security is required, and the access record from the user terminal (PC, smartphone, tablet PC) Through the communication network, the web access records of the server's digital document security room are stored and managed in the database of the secure server.

For example, the security manager enters the document security room 10 times, and the relevant employees enter the document security room 5 times, 3 times, 2 times, and 1 time depending on the relevant work, and cumulatively enter the document security room for 1 month. You can calculate the Z-score average and standard deviation of the record and document security room.

In general, the z-score, mean, and standard deviation of the RFID tag pass records of people entering the company's security area rooms and the web access records of the digital document security room have empirically normal distributions.

Example 1) Monitoring of entry and exit records of visitors holding tag passes in the document security room in the security area, and web access records (log records) in the digital document security room of the security server.

Example 2) Monitoring CPU status (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of a remote PC using a virtual machine of network equipment

Figure 2 is a diagram illustrating the configuration of an anomaly detection system using an AI variable threshold according to the present invention.

In the embodiment, (Example 1) the access record of the RFID tag pass 130 of the visitor recognized by the RFID tag reader 110 installed in the company's security area room, and the web access record (log record) of the digital document security room , Additionally, (Example 2) CPU monitoring data of employee PCs within the company, which are monitored using network equipment with a remote PC CPU monitoring function, are stored in the database of the security server 200.

The anomaly detection system using the AI variable threshold of the present invention is

A PC (120) connected to the tag reader (110) that transmits an access record of the tag reader (110) tagging the tag pass (130) of the visitor when entering and exiting the document security room of the secure area;

Entry and exit records of visitors holding a tag pass 130 tagged by the tag reader 110 on the door of the security area 100, digital documents on the security server, web access records (log records) in the security room, and CPU of the remote PC. Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is stored cumulatively in the database of a secure server for each individual and normalized according to individual z-score, average, and standard deviation according to statistics by time zone/day/period, and then set to individual AI variable threshold. Determine the (upper and lower limits),

Optionally, if necessary, learn data including access records, web access records (log records), and CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of remote PCs using deep learning or machine learning learning algorithms to identify normal patterns. Learn, and apply different AI variable thresholds (upper and lower limits) for each individual to the detection data in real time to separate normal pattern data (normal within 5 to 95% of normal distribution) and abnormal abnormal pattern data (normal) with abnormal abnormal patterns. A security server (200) that separates and extracts (less than 5% and more than 95% of the distribution) and displays them on a UI screen through a user terminal, and outputs the final results, including logs, in a list or data visualization; and

It includes a user terminal 179 connected to the security server 200 through a wired or wireless communication network.

The digital document security room further includes a file server 230 that stores documents and files.

The system transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering and exiting the document security room of the security area 100, and a PC connected to the tag reader 110 ( 120) is further included.

The security manager's user terminal is connected to the security server, selects the type of detection data, detection target and period, and access record/web access record/remote PC's CPU status monitoring data (cpu_system_pct, Displays learning data including (cpu_user_pct, tot_cpu_pct) and normal patterns (upper and lower limits) of the learning data, outputs detection data images detected in real time to a user terminal connected to the security server 200, and visualizes the learning data. , Visualization of detection data showing different AI variable thresholds (upper limit, lower limit) and abnormal patterns for each individual, extracting abnormal abnormal pattern data (less than 5%, more than 95%) and displaying final results including log and list or data By visualizing it, AI numbers or more are displayed on the screen.

The document storage room (100) in the security area within the company has an RFID tag reader (110) on the door, and the access record of the 13.56 MHz tag pass (130) of the visitor is sent to the security server (200) connected to the middleware through the document storage room PC (120). is transmitted.

The company is equipped with multiple user terminals 170 for each president, executive/department/employee.

The user terminal 170 can use a smartphone or tablet PC in addition to a PC.

The learning data includes Example 1) access records of visitors holding tag passes in the document security room of the security area, and web access records (log records) of the digital document security room of the security server.

Additionally, the learning data includes Example 2) CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) data of a remote PC using a virtual machine of the network equipment.

The learning algorithm uses a deep learning (CNN) or machine learning algorithm to learn the normal pattern of the learning data, calculates the Z-score, average, and standard deviation based on the accumulated statistical data, normalizes it, and then individually Different AI variable thresholds (upper and lower limits) are determined, abnormal abnormal patterns of the detection data are extracted according to the different AI variable thresholds (upper and lower limits) for each individual, detection data is provided, and the data is visualized and displayed.

The learning algorithm is used in the client program of the user terminal. For AI machine learning, deep learning (CNN) or various types of machine learning algorithms and "AI detection option" are selected in the "Run machine learning" menu, and the learning data is individually regulated. Learn normal pattern data within the range of the upper and lower limits (5 to 95%) of the distribution, and according to the AI variable threshold (upper and lower limits), the detection data is below the lower limit of the normal distribution (5% or less) and above the upper limit ( Extract abnormal abnormal pattern data with 95% or more).

The learning algorithm is used by selecting deep learning (CNN) or various types of machine learning algorithms, including unsupervised-visualization-detection (CNN), unsupervised-advance control-detection (AutoEncoder), and unsupervised-memory-detection ( LSTM), deep memory-detection (Deep LSTM), unsupervised-bidirectional-memory-detection (Bidirectional LSTM), unsupervised-visualization-memory-detection (Convolution LSTM), unsupervised-bidirectional-circular-detection (Bidirectional GRU) , and unsupervised-bidirectional-stacked-circulation-detection (Stacked Bidirectional GRU) algorithm.

AI detection options include sensitivity of AI detection data, data deduplication, accumulated area, slope degree, time window unit, and outlier/inlier. signs/normal signs) are included.

* Sensitivity: Indicates the degree of difference between predictions and actual values, and becomes a measure of future event detection.

* Data de-duplication: Excluding data with duplicate values

* Accumulated Area: Apply filter using the area of the data

Example) Detection when data is low value below the standard value

* Slope degree: Apply filter using the slope of the data

(e.g. event detection when

* Time Window Unit: Number of data rows in the window

Example) 7 unit: 7 data considered as one pattern (input)

* Outlier/Inlier: Whether detected as an event among abnormal/normal signs

The security server 200 includes a WWW server 201 connected to the user terminal 170 through a wired or wireless communication network; A control unit 203 that controls security functions; DB 207 that stores access records, web access records (log records) of the digital document security room, CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) data of remote PCs, and other monitoring data when necessary; Member management department (209) that receives, stores, and manages member information; A user authentication unit 211 that authenticates the user using ID/Passwd or a personal certificate/universal certificate linked to an authentication server; an AI variable threshold setting unit 213 that sets different AI variable thresholds (upper limit, lower limit) for each individual based on statistics of learning data accumulated for each period; A machine learning unit 215 that learns normal patterns in the normal range from the upper limit to the lower limit by learning the corresponding training data using a deep learning or machine learning learning algorithm; An abnormal pattern detection unit 217 that detects an abnormal pattern of detection data detected in real time based on the AI variable threshold (upper limit, lower limit) that is different for each individual; A learning data/detection data output unit 219 that outputs the learning data and detection data in a learning data and detection data list or learning data visualization/detection data visualization; It includes a statistical processing unit 221 that provides data, lists, or visual data visualization that provides statistical information such as Z-score, average, variance, and standard deviation of individual/departmental/total data.

(Example 1)

Figure 3a shows individual access records and web access records (log records) in the company's security area stored on a security server, and normal distribution using the z-score, mean, and standard deviation of the individual records. This is a screen that applies a flexible AI variable threshold for each individual.

)를 따를때, 크기가 n인 임의 표본의 표본 평균이 X, 표준편차 σ일때, Statistically, when a random sample of size n is extracted from a population, the distribution of the population is a normal distribution N(m,

), when the sample mean of a random sample of size n is X and the standard deviation σ,

At a confidence level (95% confidence) of the population mean m,

, X + 1.96

]이며, The confidence interval is [X - 1.96

,

], and

≤ m ≤ X + 1.96

조건을 만족한다. X - 1.96

≤ m ≤ X + 1.96

satisfies the conditions.

) 를 가질 때, If the random variable

), when you have

Z score, mean and standard deviation are calculated.

Figure 3b shows that the security server learns access records and web access records using machine learning and applies different AI variable thresholds (upper and lower limits) for each individual to determine normal data (normal within 5 to 95%) and abnormal data with abnormalities. This is a screen to extract and manage data (less than 5%, more than 95%).

Figure 3c is a learning data query (SPL) and detection data query (SPL) screen that applies an individual AI variable threshold (DRM release or higher).

Figure 3d shows the learning data image (Splunk Image) and detection data image (Splunk Image) screens with individual AI variable thresholds (DRM release or higher) applied.

Figure 3e is a screen showing data visualization of learning data trends by date (trend graph) and learning data distribution (bar graph) showing frequency by value according to UserID.

Figure 3f is a screen where the learning algorithm calculates the individual threshold using the learning data for each individual and each day, calculates the upper limit threshold/lower limit for each individual, compares them, extracts the detection data of the individual access record/web access record, and outputs the final result. .

Figure 3g is a data visualization screen that displays upper/lower threshold values for each individual, learning data trends by date (trend graph), and learning data distribution (bar graph) showing frequency by value according to UserID.

Figure 4a is a client screen showing a scenario within JMachine of a user terminal.

Figure 4b is an additional explanation of the learning algorithm: cluster analysis (cluster), abnormal behavior analysis settings [all executives and employees analysis (same-day analysis/period analysis), specific executives and employees analysis (same-day analysis/period analysis), overall infrastructure analysis (same-day analysis/period analysis) Analysis), specific infrastructure analysis (same-day analysis/period analysis), entire IP address analysis (same-day analysis/period analysis), specific IP address analysis (same-day analysis/period analysis)-abnormal behavior options].

Figure 4c is a Test Data query (AI anomaly detection - same-day analysis by employees) screen.

Figure 4d is the Test Data Splunk Image (AI anomaly detection - same-day analysis by employees) screen.

Figures 4e and 4f show the appearance after the learning algorithm: By applying different AI variable thresholds (upper limit, lower limit) for each UserID individual, normal data (normal within 5 to 95%) and abnormal data with signs of abnormality (less than 5%, more than 95%) ) is separated and extracted, lists the logs (number of output pages/business time, number of output pages/non-business time), and outputs the final results including abnormal data with abnormalities.

Figure 4g shows the abnormality within JMachine, which sets the analysis target [employee, infrastructure, IP address] and time standard [same-day analysis, period analysis], lists the employee number/name/department, employee number search box, and search results, and outputs the analysis screen. This is the symptom detection screen.

Figure 4h is a JMachine (Python) screen in which employee numbers are extracted by the JMachine website according to employee number/name/department.

(2) AI numerical anomaly detection: A machine learning algorithm that detects abnormal patterns in the numerical data of the detection data by learning normal patterns of the learning data through a learning algorithm.

Figure 5a is AI numerical anomaly detection: a screen showing a machine learning algorithm that detects numerical data abnormal patterns by learning normal patterns using a learning algorithm.

The detection properties of the monitoring client of the user terminal connected to the security server are detection type (AI detection, AI numerical anomaly detection), detection basic information (detection target field name, aggregate query), AI machine learning (AI algorithm, machine learning query, machine Equipped with learning execution, detection query) and AI predictive detection (AI detection option).

AI machine learning executes training on training data by selecting deep learning (CNN) or various types of machine learning algorithms from the “Run machine learning” menu.

* Unsupervised-visualization-detection (CNN)

- It consists of a 1-layer CNN and is efficient for time series and image data.

* Unsupervised-Proactive Control-Detection (AutoEncoder)

- Reduces dimensionality by preserving data characteristics and can be used for various learning data

* Unsupervised-memory-detection (LSTM)

- Consists of 1-layer LSTM and is efficient for time series/text data

* Deep memory-detection (Deep LSTM)

- Consists of 3-layer LSTM and is efficient for time series/text data

* Unsupervised-Bidirectional-Memory-Detection (Bidirectional LSTM)

- Consists of 1-layer bidirectional LSTM and is efficient for time series/text data

* Unsupervised-visualization-memory-detection (Convolution LSTM)

- A structure that applies dimension-reduced data to LSTM, and is efficient for image or video data with spatial characteristics.

* Unsupervised-bidirectional-circular-detection (Bidirectional GRU)

- It consists of a 1-layer Bidirectional GRU, a simplified version of LSTM, and is effective for time series/text data.

* Unsupervised-Bidirectional-Stacked Circulation-Detection (Stacked Bidirectional GRU)

- Consists of 3 layers of Bidirectional GRU and is effective for time series/text data

For reference, as the number of layers of the transformer encoder increases, it is more effective for complex or long sequence data. Data encoded with patch/position embedded data through k Transformer encoders is decoded by k decoders and learned.

Convolutional Neural Networks (CNN) are multilayer neural networks mainly used for character recognition and image analysis of videos. Convolutional Neural Network (CNN) uses multiple convolution layers and pooling layers in the form of pairs (convolution layer, pooling layer, convolution layer, pooling layer,...) , followed by a multilayer perceptron (MLP) with an input layer/hidden layer/output layer composed of several FC layers (fully-connected layers). For example, when a specific image is given as an input to a CNN, it goes through a reconstruction process of the feature map generated in each layer. Features are extracted and classified step by step from the input image from each feature map. In the process of creating a feature map, the weights are called filters, and the mask used in the convolution layer, 2x2, 3x3, 4x4 or 2x4 used in the pooling layer. The 5x5 window and the collection of weights used in the FC layer can all be called filters. For down-sampling or sub-sampling in the pooling layer, it is used by selecting the mean function that calculates the average or the max function that selects the maximum value.

In addition, with the rapid development of computing power and computing technology such as CPU, GPU, and memory, deep learning algorithms such as RNN (Recurrent Neural Network), LSTM (Long Short-Term Memory), and GRU (Gated Recurrent Unit) have been developed into artificial neural networks. It maintains sequential data order and can learn a large amount of training data.

For reference, a Recurrent Neural Network (RNN) is a neural network with a structure in which the output of a specific node is re-input to that node, that is, it derives the result by simultaneously considering current input data and past input data. In addition, LSTM (Long Short-Term Memory) was proposed as a solution to the vanishing gradient problem in the learning of neural networks.

LSTM (Long Short-Term Memory neural network) has a gate structure that can add or delete information in the cell state. The gate can be selected in determining information and consists of a multiplication operation between the sigmoid neural network layer and the elements of the vector.

Bidirectional-LSTM (Bidirectional Long Short-Term Memory, Bi-LSTM, Bidirectional Long Short-Term Neural Network) uses the same input as the unidirectional LSTM model, and unlike the structure of the unidirectional LSTM model, it uses the time series of sentences of the language model in a bidirectional manner. Train using information.

The output of all tokens (size: 512x768) of each layer was used as the input of LSTM. LSTM consists of two layers, each LSTM layer consists of 512 LSTM cells, and the LSTM output of each layer (size: 512x192) ) are combined, then a fully connected layer is used.

Bidirectional GRU (Bidirectional Gated Recurrent Unit, Bi-GRU) is used as a sentence similarity measure.

After preprocessing, each sequence of tokens is embedded into a random vector through the word embedding layer. In the example, Bi-GRU sets the size to 256 and the contained vectors are calculated. In an embodiment, similarity is calculated as sigmoid using a full connect layer (FC) and Euclidean distance. Similarity has a value between 0 and 1, and the closer the similarity value is to 1, the more similar the two sentences are. To measure similarity, the distance from the fully connected layer (FC) is measured, and the distances can be used as Euclidean distance, Cosine distance, Manhatten distance, Minkowski distance, and Chebyshev distance.

Figures 5b and 5c are screens showing AI detection options (Sensitivity, Duplication, Accumulated Data, Sloop degree, Time Window Unit, Outlier/Inlier).

AI detection options include sensitivity of AI detection data, data deduplication, accumulated area, slope degree, time window unit, and outlier/inlier. signs/normal signs) are included.

* Sensitivity: Indicates the degree of difference between predictions and actual values, and becomes a measure of future event detection.

* Data de-duplication: Excluding data with duplicate values

* Accumulated Area: Apply filter using the area of the data

Example) Detection when data is of low value X)

* Slope degree: Apply a filter using the slope of the data (e.g. detect event when there is a sharp decrease

* Time Window Unit: Number of data rows in the window

Example) 7 unit: 7 data considered as one pattern (input)

* Outlier/Inlier: Which of the abnormal/normal signs can be detected as an event?

About whether or not

Figure 5d is a Test Data (KPI = 1) query (AI numerical anomaly detection) screen using learning data query (SPL) and detection data query (SPL).

Figure 5e is a Test Data Splunk Image (AI numerical anomaly detection) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).

Figure 5f is a data visualization screen (KPI = 1) showing the learning data trend by date (trend graph) and the learning data distribution (bar graph) showing the frequency by value according to UserID.

Figure 5g is a detection data visualization (KPI) including detection data trends by date (trend graph - anomaly pattern (Anomaly-Outlier)) and detection data distribution showing frequency by value (bar graph - anomaly pattern (Outlier)) according to UserID. = 1) It is one screen.

Figures 5h and 5i show normal patterns for the training data using a learning algorithm, then applying an individual numerical anomaly detection threshold using a deep learning model to output detection data, and comparing the predicted value and actual value of the detection data. This is a screen that calculates the distance of the value and outputs the detection data.

Figure 5j is an AI detection sensitivity screen for daily detection data after the learning algorithm.

Figure 5k is a JMachine scenario - AI detection sensitivity to detection data, AI detection source data screen.

(Example 2)

When monitoring the history of CPU usage using a virtual machine on a network device,

CPU system (cpu_system_pct), CPU usage by individual user (cpu_user_pct), total CPU usage (tot_cpu_pct)

Figure 6a is a Test Data (KPI = 3) query (AI numerical anomaly detection) screen using learning data query (SPL) and detection data query (SPL).

Figure 6b is a Test Data Splunk Image (AI numerical anomaly detection) (KPI = 3) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).

Figure 6c is a screen showing data visualization (KPI = 3) of learning data trends (trend graph) by date/time for cpu_system_pct, cpu_user_pct, and tot_cpu_pct learning data, and learning data distribution (bar graph) showing frequency by value.

Figure 6d shows detection data trends by date/time for cpu_system_pct, cpu_user_pct, and tot_cpu_pct (trend graph - anomaly pattern (Anomaly-Outlier)) and detection data distribution showing the frequency by value (bar graph - anomaly pattern (Outlier)). Detection data visualization (KPI = 3) is one screen.

Figure 6e shows the cpu_system_pct, cpu_user_pct, tot_cpu_pct learning data of the learning algorithm, after learning normal patterns by time zone/date, applying individual numerical anomaly detection thresholds using a deep learning model to output detection data, and cpu_system_pct, cpu_user_pct , This is a screen that outputs the detection data by calculating the Euclidean distance between the predicted value and the actual value of the detection data for each time slot/date for tot_cpu_pct.

Figure 6f is a result of learning normal patterns of cpu_system_pct, cpu_user_pct, tot_cpu_pct learning data using a learning algorithm: A screen showing abnormal patterns after learning normal patterns by time slot/date for cpu_system_pct, cpu_user_pct, tot_cpu_pct learning data.

Figure 6g is a JMachine scenario - AI detection sensitivity and AI detection source data screen regarding cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.

Figure 6h is a detection event visualization screen showing detection data showing histograms for each value and frequency for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.

(3) AI log anomaly detection: Detect abnormal patterns in numerical data after transforming log text data into numerical data (learn normal patterns, quantify abnormal patterns and specify threshold)

Figures 7a and 7b show AI log anomaly detection: Transform log text data into numerical data and then detect abnormal patterns in numerical data (learn normal patterns, quantify abnormal patterns and specify threshold) Test Data (KPI=1) Query learning data (SPL), Detection data query (SPL) - This is the AI log abnormality detection screen.

Figure 7c is a Test Data Splunk Image (AI log anomaly detection) screen including a training data image (Splunk) and a detection data image (Splunk).

Figure 7d is a screen with embedded text (AI log anomaly detection) of learning data and detection data in time-serial order by time and log_key.

Embodiments according to the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, and data structures alone or in combination. Computer-readable recording media include storage, magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Hardware devices configured to store and execute program instructions in optical media and storage media such as ROM, RAM, flash memory, etc. may be included. Examples of program instructions may include those produced by a compiler, machine language code, as well as high-level language code that can be executed by a computer using an interpreter. The hardware device may be configured to operate as one or more software modules to perform the operations of the present invention.

As described above, the method of the present invention is implemented as a program and can be stored on a recording medium (CD-ROM, RAM, ROM, memory card, hard disk, magneto-optical disk, storage device, etc.) in a form that can be read using computer software. ) can be stored in .

Although the present invention has been described with reference to specific embodiments of the present invention, the present invention is not limited to the same configuration and operation as the specific embodiments to illustrate the technical idea as described above, and is not limited to the technical idea and scope of the present invention. It can be implemented with various modifications, and the scope of the present invention should be determined by the claims described later.

100: Secure area document storage room 110: Tag reader
120: Document storage room PC 130: Tag pass of visitor
131: tag chip 170: user terminal
190: router 200: security server

Claims (4)

In a security management system that manages access to secure areas,
A PC 120 that transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room of supplementary management; and
Entry and exit records of visitors holding a tag pass 130 tagged by the tag reader 110 on the door of the security area 100, digital documents on the security server, web access records (log records) in the security room, and CPU of the remote PC. Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is stored cumulatively in the database of a secure server for each individual and normalized according to individual z-score, average, and standard deviation according to statistics by time zone/day/period, and then set to individual AI variable threshold. Determine the (upper and lower limits)
Learning data including the access records, web access records (log records), and remote PC CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) are used to learn normal patterns using a deep learning or machine learning learning algorithm, and in real time. By applying different AI variable thresholds (upper limit, lower limit) for each individual to the detection data, normal pattern data (normal within 5 to 95% of normal distribution) and abnormal abnormal pattern data with abnormal abnormal pattern (normal within 5% of normal distribution) , 95% or more) is separately extracted and displayed on the UI screen of the user terminal, and the final results, including logs, are output in a list or data visualization (200); and
A security room security management system comprising a user terminal (179) connected to the security server (200) through a wired or wireless communication network. delete In paragraph 1
The security management system is
The security room includes a file server 230 that stores documents and files, and the PC uses a tag reader 110 that tags the visitor's tag pass 130 when entering or leaving the document security room in the security area 100. A security room security management system that transmits access records and is connected to a tag reader (110). In paragraph 3
The security management system includes a user terminal of a security manager, where the user terminal is connected to the security server, a menu for selecting the type of detection data, detection target, and period is displayed on the monitor, and the monitor displays a user terminal for each individual. Characterized by displaying learning data including access records/web access records/remote PC CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) to which AI variable thresholds are applied, and normal patterns (upper and lower limits) of the learning data. Security room security management system.