KR20230072280A - Mysterious symptom detection system using AI variable threshold - Google Patents

Abstract

In the security management system that manages access to the security area
A PC 120 that transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room for supplementary management; and
Access record of the person holding the tag pass 130 tagged by the tag reader 110 of the door of the security area 100, web access record (log record) of the digital document security room of the security server, CPU of the remote PC Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is accumulated and stored in the database of the security server for each individual, and the AI variable threshold for each individual is normalized according to z-score, average, and standard deviation for each individual according to statistics by time/date/period We propose a security management system characterized by determining (upper limit value, lower limit value).

Description

Security room storage management system using machine learning learning algorithm {Mysterious symptom detection system using AI variable threshold}

The present invention relates to a security management system that manages access to a secure area by learning a normal pattern of learning data using a deep learning or machine learning learning algorithm and applying it.

Recently, the access record of the tag pass recognized by the tag reader installed in the company's security area room and the web access record of the digital document security room accessed through the wired/wireless communication network from the user terminal (PC, smartphone, tablet PC) are used for security management. It is stored in the database of the server, and document security is required to prevent abnormal information leakage by monitoring the access records of the secure room and the web access records of the digital document security room.

In the conventional document security system, when a client terminal encrypts digital information, authentication is performed by a key value predefined by a document security server, and after the authentication is performed, the digital information created by the client terminal is encrypted and stored in an external storage device. Then, when it is accessed again, it is decrypted and the digital information is viewed.

For example, a visitor using a 13.56MHz RFID tag of a pass equipped with an RFID tag reader in a security zone room and a visitor in a digital document security room accessed from a user terminal through a wired or wireless communication network. For example, a security manager Access 10 times, the employees will enter 5 times, 3 times, 2 times, 1 time depending on the related work. Daily/weekly/monthly statistics are calculated for each individual by accumulating the access records of those using the tag of the pass of the security area room and those of the digital document security room, and analyzing and systematically managing the access records and web access records to detect abnormal symptoms. It is necessary to manage abnormal data having

As a prior art 1 related to this, Patent Registration No. 10-0750697 has registered "a digital document security system equipped with a shared storage having a user access function, and a document processing method using the system".

A digital document security system equipped with a shared storage having a user access function configured to prevent abnormal leakage of digital information operated by a computer is

At least one of the DRM client terminals is connected to the shared storage, encrypts and stores digital information in the shared storage medium, and decrypts the encrypted digital information according to a user access control function to perform an editing function.

The shared storage; It consists of a physical serial number provided so that each DRM client terminal can access and perform registration authentication, and a storage unit for storing the digital information,

The DRM client terminal; An authentication process is performed by inputting the physical serial number of the shared storage, and an encryption unit/decryption unit that encrypts and decrypts the digital information after performing the authentication process, and is connected to the shared storage to obtain digital information It is characterized in that it consists of an application tool that provides a function of setting rights such as editing.

As a prior art 2 related to this, Patent Registration No. 10-2185190 "Method and system for detecting anomalies using machine learning" is registered.

1 is a diagram illustrating an anomaly symptom detection system 100 using conventional machine learning.

The detection method of the anomaly detection system using machine learning,

storing cost changes between predicted values and actual values for learning data using machine learning;

searching for a neighbor having a pattern similar to a cost change of a target among the stored cost changes; and

Determining whether the target is normal or abnormal based on a difference between a cost change of the searched neighbor and a cost change of the target;

Storing the cost changes

determining a threshold value of the cost for distinguishing normal from abnormal based on a cost corresponding to the test data; determining normality/abnormality of the test data based on the threshold value; and storing a change in cost for a first time in the test data for a normal situation when the cost is greater than the threshold value, wherein the cost is a difference between the predicted value and the actual value.

In addition, an anomaly detection system using machine learning

a learner that generates a learning model by learning test data using machine learning;

a prediction criterion determiner that primarily determines normal/abnormality for a target based on a threshold value for a cost corresponding to a difference between a predicted value and an actual measured value according to the learning model; and

Receives a result of primary determination of the target by the prediction criterion determiner, calculates a difference between a cost change of the target and a cost change of a neighbor extracted for a predetermined time period, and calculates a cost change difference value and A cost change criterion determiner that secondarily determines normal/abnormality for the target by comparing cost change difference limit values;

In the test data, cost changes above the threshold and above the threshold for a first time relative to a normal situation are stored;

a first cost change difference function that computes a difference between the threshold-above cost changes is determined;

A first threshold for a difference between the over-threshold cost changes is determined using the first cost change difference function.

Recently, companies that require security monitor access records by executives, departments/employees, security of the company's document security room containing secret documents, and computer CPU status to learn normal patterns and detect abnormal abnormal patterns. extract and manage.

However, the existing security system records the entry and exit of the person holding the tag pass in the document security room in the security area, the web access record of the digital document security room, the remote PC's CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct), and the log record. Each individual is accumulated and stored in the database of the security server, and the security server records access, web access, and monitors the CPU status of the remote PC (cpu_system_pct, cpu_user_pct . It does not provide a function to separate and display data (normal within 5-95%) and abnormal data (less than 5%, more than 95%) with abnormal patterns.

Patent Registration No. 10-0750697 (registration date August 13, 2007), "Digital document security system equipped with shared storage with user access function, and document processing method using the system", Mark Any Co., Ltd. Patent Registration No. 10-2185190 (registration date: November 25, 2020), "Method and system for detecting anomalies using machine learning", Korea Electronics and Telecommunications Research Institute

An object of the present invention for solving the above problems is in a security management system for managing access to a security area.

When entering and exiting the document security room of supplementary management, the PC 120 transmits the access record of the tag reader 110 that has tagged the tag pass 130 of the visitor; and the tag reader of the door of the security area 100 ( 110), the access record of the person holding the tag pass 130, the web access record (log record) of the digital document security room of the security server, and the CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of the remote PC. It is characterized by determining individual AI variable thresholds (upper limit, lower limit) after accumulatively storing each individual in the database of the security server and normalizing the z-score, average, and standard deviation of each individual according to statistics by time/date/period Provides a security management system that

In order to achieve the object of the present invention, the present invention is a security management system for managing access to a security area, when entering and exiting a document security room for supplementary management, a tag reader (110) tagging a person's tag pass (130). PC 120, which transmits the access record of the security zone 100; and the access record of the person possessing the tag pass 130 tagged by the tag reader 110 of the door of the security area 100, digital document security of the security server. Web access records (log records) and CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of remote PCs are cumulatively stored in the database of the security server for each individual, and individual z-score and average are calculated according to statistics by time/date/period. , After normal distribution according to the standard deviation, individual AI variable thresholds (upper limit, lower limit) are determined.

In addition, in order to achieve the object of the present invention, an anomaly symptom detection system using an AI variable threshold is to record the access of a person with a tag pass in a security area, web access records (log records) in a digital document security room, and CPU of a remote PC. Condition monitoring data is accumulated and stored in the database for each individual, normal distribution is performed according to z-score, average, and standard deviation for each individual according to statistics by time/date/period, and AI variable thresholds are determined for each individual, and the learning data is converted into a learning algorithm A security server that learns normal patterns by using and provides abnormal pattern data having normal pattern data and abnormal abnormal patterns by applying different AI variable thresholds for each individual to the corresponding detection data in real time; and a user terminal connected to the security server through a wired or wireless communication network.

The anomaly symptom detection system using the AI variable threshold of the present invention records the access of the RFID tag pass of the person recognized by the RFID tag reader installed in the company's security area room, web access record (log record) in the digital document security room, and monitoring The data is stored in the database of the security server, and (1) the access record of the person holding the tag pass in the document security room in the security area, the web access record (log record) of the digital document security room in the security server, and the CPU of the remote PC. Status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is cumulatively stored in the database of the security server for each individual, and the z-score, average, and standard deviation for each individual are normalized according to statistics by time/date/period, and then each threshold value (upper limit, lower limit), and the security server converts training data, including access records, web access records (log records), and remote PC CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct), to normal using deep learning or machine learning learning algorithms. It learns patterns and applies different AI variable thresholds (upper limit, lower limit) for each individual in real time to the corresponding detection data, so that normal pattern data (normal within 5 to 95% of the normal distribution) and abnormal abnormal pattern data having abnormal abnormal patterns Separately extract (5% or less, 95% or more of the normal distribution) and display it on the UI screen with the user terminal, and output the final result including the log (number of output pages/business hours, number of output pages/non-business hours),

(2) Training data including access records/web access records/remote PC CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct)/log records with variable AI thresholds applied for each individual, and detection data images in real time are sent to the security server. It outputs to the user terminal, and has the effect of visualizing detection data, extracting data (5% or less, 95% or more) with abnormal abnormal patterns, and displaying them on the screen for management.

1 is a diagram illustrating an anomaly symptom detection system 100 using conventional machine learning.
2 is a configuration diagram of an anomaly detection system using an AI variable threshold according to the present invention.
3a shows that access records and web access records (log records) for each individual in the company security area are stored in a security server, and normal distribution is performed using the z-score, mean, and standard deviation of each individual record. After that, it is a screen to apply a flexible AI variable threshold for each individual.
3b shows that the security server learns access records and web access records using machine learning and applies different AI variable thresholds (upper limit, lower limit) for each individual to detect normal data (normal within 5 to 95%) and abnormalities with abnormal signs. This is a screen to extract and manage data (less than 5%, more than 95%).
3C is a learning data query (SPL) and detection data query (SPL) screen that applies an AI variable threshold (above DRM release) for each individual.
3D is a screen of a learning data image (Splunk Image) and a detection data image (Splunk Image) to which an AI variable threshold (above DRM release) for each individual is applied.
Figure 3e is a screen displaying data visualization of learning data trends (trend graph) by date and learning data distribution (bar graph) showing frequency by value according to UserID.
FIG. 3F calculates an individual threshold using learning data for each individual date using a learning algorithm for access records/web access records, calculates individual upper limit thresholds/lower limit thresholds, and compares them to detect individual access records/web access records. This is a screen that extracts data and outputs the final result.
3g is a data visualization screen displaying individual upper/lower thresholds, learning data trends (trend graph) by date, and learning data distribution (bar graph) showing frequency by value according to UserID.
4a is a client screen showing a scenario within a JMachine of a user terminal.
4B is an additional explanation of the learning algorithm: cluster analysis (cluster), anomaly analysis settings [analysis of all employees (analysis on the day / analysis on the period), analysis on specific employees (analysis on the day / analysis on the period), analysis of the entire infrastructure (analysis on the day / period) Analysis), specific infrastructure analysis (analysis of the day/analysis of period), analysis of all IP addresses (analysis of the day/analysis of period), analysis of specific IP address (analysis of the same day/period analysis) - This is the screen for setting abnormal behavior options].
4c is a Test Data query (AI anomaly detection-employee analysis on the day) screen.
4d is a Test Data Splunk Image (AI anomaly detection-employee analysis on the same day) screen.
Figures 4e and 4f show images after the learning algorithm: normal data (normal within 5-95%) and abnormal data with anomalies (5% or less, 95% or more) by applying different AI variable thresholds (upper limit, lower limit) for each UserID individual ) is separated and extracted, the log (number of output pages/business hours, number of output pages/non-business hours) is listed, and the final result including abnormal data with abnormal symptoms is displayed.
4g is an error in JMachine that sets the analysis target [employee, infrastructure, IP address], time standard [day analysis, period analysis], lists employee number/name/department, employee number search box, and outputs the analysis screen. This is the symptom detection screen.
4h is a JMachine (Python) screen extracted by the JMachine website according to employee number/name/department.
5A is an AI numerical anomaly detection: a screen showing a machine learning algorithm for detecting an abnormal pattern in numerical data by learning a normal pattern by the learning algorithm.
5b and 5c are screens showing AI detection options (Sensitivity, Duplication, Accumulated Data, Sloop degree, Time Window Unit, Outlier/Inlier).
5D is a Test Data (KPI = 1) query (AI numerical abnormality detection) screen using a learning data query (SPL) and a detection data query (SPL).
5e is a Test Data Splunk Image (AI numerical abnormality detection) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).
5f is a screen showing data visualization (KPI = 1) of learning data trends (trend graph) by date and learning data distribution (bar graph) showing frequency by value according to UserID.
5g shows detection data visualization (KPI) including detection data trends by date (trend graph-outlier pattern (Anomaly-Outlier)) and detection data distribution showing frequency by value (bar graph-outlier pattern (Outlier)) according to UserID. = 1) It is one screen.
5h and 5i show that after learning a normal pattern for the training data using a learning algorithm, a numerical anomaly detection threshold for each individual is applied using a deep learning model, detection data is output, and the predicted value of the detection data and the actual This is a screen that calculates the distance of the value and outputs the detection data.
5j is an AI detection sensitivity screen for daily detection data after learning algorithm.
5K is a JMachine scenario - AI detection sensitivity to detection data, AI detection source data screen.
6A is a Test Data (KPI = 3) query (AI numerical abnormality detection) screen using a learning data query (SPL) and a detection data query (SPL).
6B is a Test Data Splunk Image (AI numerical anomaly detection) (KPI = 3) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).
6C is a data visualization (KPI = 3) screen of learning data trends (trend graph) and learning data distribution (bar graph) showing frequency by value for cpu_system_pct, cpu_user_pct, and tot_cpu_pct.
6D is a trend of detection data by time period for cpu_system_pct, cpu_user_pct, and tot_cpu_pct (trend graph-outlier pattern (Anomaly-Outlier)), and detection data distribution (bar graph-outlier pattern (Outlier)) showing frequency by cpu_system_pct, cpu_user_pct, and tot_cpu_pct. It is a screen of detection data visualization (KPI = 3) including .
6E shows that after learning normal patterns by time period/day for the learning algorithm’s cpu_system_pct, cpu_user_pct, and tot_cpu_pct learning data, a deep learning model is used to apply a numerical anomaly detection threshold for each individual to output detection data, and cpu_system_pct and cpu_user_pct , This is a screen that outputs detection data by calculating the distance between the predicted value and the actual value of detection data by time/date for tot_cpu_pct.
6F is a result after learning normal patterns of cpu_system_pct, cpu_user_pct, and tot_cpu_pct training data using a learning algorithm: a display screen of abnormal patterns after learning normal patterns by time period/date for cpu_system_pct, cpu_user_pct, and tot_cpu_pct training data.
6G is a JMachine scenario - AI detection sensitivity and AI detection source data screen for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.
6H is a detection event visualization screen showing detection data displaying a histogram for each value and frequency for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.
7a and 7b show AI log anomaly detection: transforming log text data into numerical data and then detecting abnormal patterns in numerical data (learning normal patterns and digitizing abnormal patterns to designate thresholds) Test Data (KPI=1) learning data query (SPL), Detection Data Query (SPL) - This is the AI log anomaly detection screen.
7c is a Test Data Splunk Image (AI log anomaly detection) screen including a training data image (Splunk) and a detection data image (Splunk).
7D is a screen showing embedded text (AI log anomaly detection) of learning data and detection data in a time-series order by time and log_key.

Hereinafter, the configuration and operation of a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings. In the description of the present invention, if it is determined that a detailed description of a related known function or known configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. In addition, drawing numbers are assigned the same drawing numbers in different drawings when indicating the same configuration.

(Example)

In order to prevent abnormal information leakage, the access record of the RFID tag pass of the visitor recognized by the 13.56MHz RFID tag reader installed in the company's security area room where document security is required, and wired and wireless from the user terminal (PC, smartphone, tablet PC) Through the communication network, the web access record of the digital document security room of the server is stored and managed in the database of the security server.

For example, the security manager in the document security room enters the document security room 10 times, and the employees enter the document security room 5 times, 3 times, 2 times, and 1 time depending on their work. Calculate the mean and standard deviation of Z-scores for records and document security rooms.

In general, the access records of the RFID tag pass of the person related to the company's security area room and the web access record of the digital document security room have a z-score, mean, and standard deviation empirically have a normal distribution.

Example 1) Monitoring the access records of visitors with tag passes in the document security room of the security area and the web access records (log records) of the digital document security room of the security server

Example 2) CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) monitoring of remote PC using virtual machine of network equipment

2 is a configuration diagram of an anomaly detection system using an AI variable threshold according to the present invention.

In the embodiment, (Embodiment 1) the access record of the RFID tag pass 130 of the visitor recognized by the RFID tag reader 110 installed in the company's security area room, and the web access record (log record) of the digital document security room , Additionally, (Example 2) CPU monitoring data of an employee's PC in the company monitored using network equipment having a CPU monitoring function of a remote PC is stored in the database of the security server 200.

The anomaly detection system using the variable AI threshold of the present invention

A PC 120 connected to the tag reader 110 that transmits an access record of the tag reader 110 that has tagged the tag pass 130 of the visitor when entering or exiting the document security room of the security area;

Access record of the person holding the tag pass 130 tagged by the tag reader 110 of the door of the security area 100, web access record (log record) of the digital document security room of the security server, CPU of the remote PC Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is accumulated and stored in the database of the security server for each individual, and the AI variable threshold for each individual is normalized according to z-score, average, and standard deviation for each individual according to statistics by time/date/period Determine (upper limit, lower limit),

Optionally, if necessary, training data including access records, web access records (log records), and CPU status monitoring data of remote PCs (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is used to detect normal patterns using deep learning or machine learning learning algorithms. learning, and applying different AI variable thresholds (upper limit, lower limit) for each individual in real time to the corresponding detection data, normal pattern data (normal within 5 to 95% of the normal distribution) and abnormal abnormal pattern data with abnormal abnormal patterns (regular A security server 200 that separates and extracts 5% or less, 95% or more of the distribution, displays them on the UI screen through a user terminal, and outputs a list or data visualization of final results including logs; and

It includes a user terminal 179 connected to the security server 200 through a wired or wireless communication network.

The digital document security room further includes a file server 230 for storing documents and files.

The system transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room of the security area 100, and the PC connected to the tag reader 110 ( 120) is further included.

The user terminal of the security manager accesses the security server, selects the type of detection data, detection target and period, and access records/web access records/remote PC’s CPU status monitoring data (cpu_system_pct, displaying learning data including cpu_user_pct, tot_cpu_pct) and normal patterns (upper limit value, lower limit value) of the learning data, outputting a detection data image detected in real time to a user terminal connected to the security server 200, and visualizing the learning data , Detection data visualization with different AI variable thresholds (upper limit, lower limit) and abnormal patterns for each individual, extracting abnormal abnormal pattern data (5% or less, 95% or more) to extract final results and lists including logs or data It is visualized and the AI level or more is displayed on the screen.

In the document storage room (100) of the security area in the company, the RFID tag reader (110) at the door sends the access record of the 13.56MHz tag pass (130) to the security server (200) connected as middleware through the document storage room PC (120). is sent

A company is provided with a plurality of user terminals 170 for each president, executive/department/employee.

The user terminal 170 may use a smart phone or tablet PC in addition to a PC.

Example 1) The learning data includes the access record of the person possessing the tag pass in the document security room of the security area and the web access record (log record) of the digital document security room of the security server.

In addition, the learning data includes Example 2) CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) data of a remote PC using a virtual machine of network equipment.

The learning algorithm learns normal patterns of training data using deep learning (CNN) or machine learning algorithms, calculates the Z-score, mean, and standard deviation based on the accumulated statistical data, and normalizes them. Determines different AI variable thresholds (upper limit, lower limit), extracts abnormal patterns of detection data according to AI variable thresholds (upper limit, lower limit) for each individual, provides detection data, and displays it as data visualization.

In the AI machine learning in the client program of the user terminal, deep learning (CNN) or various types of machine learning algorithms and "AI detection options" are selected in the "Machine Learning Execution" menu, and the training data is regularized for each individual. Learning normal pattern data within the range of the upper limit to the lower limit of the distribution (5 to 95%), and according to the AI variable threshold (upper limit, lower limit), the detection data is below the lower limit of the normal distribution (5% or less), above the upper limit ( 95% or more) and extract abnormal abnormal pattern data.

The learning algorithm is used by selecting deep learning (CNN) or several types of machine learning algorithms, such as unsupervised-visualization-detection (CNN), unsupervised-preceding control-detection (AutoEncoder), and unsupervised-memory-detection ( LSTM), deep LSTM, unsupervised-bidirectional-memory-detection (Bidirectional LSTM), unsupervised-visualization-memory-detection (Convolution LSTM), unsupervised-bidirectional-circular-detection (Bidirectional GRU) , and an unsupervised-bidirectional-overlapped circular-detection (Stacked Bidirectional GRU) algorithm.

AI detection options include Sensitivity of AI detection data, De-duplication, Accumulated Area, Slope degree, Time Window Unit, Outlier/Inlier symptoms/normal symptoms).

* Sensitivity: Indicates the degree of difference between the predicted and actual values, and becomes a measure for event detection in the future.

* De-duplication: Excluding data with duplicate values

* Accumulated Area: Apply filter using area of data

Ex) Detect when data with a low value below the standard value X)

* Slope degree: Apply a filter using the slope of the data

(Example: Detect event X when plummeting

* Time Window Unit: Number of data rows in the window

Example) 7 unit: 7 data as one pattern (input)

* Outlier/Inlier: Whether an event is detected as an event of abnormality/normality

The security server 200 includes a user terminal 170 and a WWW server 201 connected through a wired or wireless communication network; a control unit 203 that controls security functions; DB 207 for storing access records, web access records (log records) of the digital document security room, CPU status monitoring (cpu_system_pct, cpu_user_pct, tot_cpu_pct) data of remote PCs, and other monitoring data when necessary; Membership management unit 209 for registering, storing, and managing member information; a user authentication unit 211 for authenticating a user using ID/Passwd or a personal certificate/universal certificate linked to an authentication server; An AI variable threshold setting unit 213 for setting different AI variable thresholds (upper limit value, lower limit value) for each individual based on statistics of learning data accumulated for each period; a machine learning unit 215 that learns a normal pattern within a normal range from an upper limit value to a lower limit value by learning corresponding learning data using a deep learning or machine learning learning algorithm; An abnormal pattern detection unit 217 for detecting an abnormal pattern of detection data detected in real time based on AI variable thresholds (upper limit value, lower limit value) different for each individual; a learning data/detection data output unit 219 that visualizes the corresponding learning data and detection data, a list of learning data and detection data, or visualization of learning data/detection data; It includes a statistical processing unit 221 that provides statistical information such as Z-score, mean, variance, and standard deviation of individual/departmental/total data, as well as a list or visual data visualization.

(Example 1)

3a shows that access records and web access records (log records) for each individual in the company security area are stored in a security server, and normal distribution is performed using the z-score, mean, and standard deviation of each individual record. After that, it is a screen to apply a flexible AI variable threshold for each individual.

)를 따를때, 크기가 n인 임의 표본의 표본 평균이 X, 표준편차 σ일때, Statistically, when a random sample of size n is extracted from a population, the distribution of the population is a normal distribution N (m,

), when the sample mean of a random sample of size n is X and standard deviation σ,

At the confidence level (95% confidence) of the mean m of the population,

, X + 1.96

]이며, The confidence interval is [X - 1.96

, X + 1.96

],

≤ m ≤ X + 1.96

조건을 만족한다. X - 1.96

≤ m ≤ X + 1.96

Satisfy the condition.

) 를 가질 때, The random variable X is normally distributed (m,

) when you have

Z scores, mean and standard deviation are calculated.

3b shows that the security server learns access records and web access records using machine learning and applies different AI variable thresholds (upper limit, lower limit) for each individual to detect normal data (normal within 5 to 95%) and abnormalities with abnormal signs. This is a screen to extract and manage data (less than 5%, more than 95%).

3C is a learning data query (SPL) and detection data query (SPL) screen that applies an AI variable threshold (above DRM release) for each individual.

3D is a screen of a learning data image (Splunk Image) and a detection data image (Splunk Image) to which an AI variable threshold (above DRM release) for each individual is applied.

3e is a data visualization screen of learning data trends (trend graph) by date and learning data distribution (bar graph) showing frequency by value according to UserID.

3f is a screen for calculating a threshold value for each individual using the learning data for each individual date of the learning algorithm, calculating an upper limit threshold/lower limit threshold for each individual, and extracting detection data of each individual access record/web access record by comparing them and outputting the final result. .

3g is a data visualization screen displaying individual upper/lower thresholds, learning data trends (trend graph) by date, and learning data distribution (bar graph) showing frequency by value according to UserID.

4a is a client screen showing a scenario within a JMachine of a user terminal.

4B is an additional explanation of the learning algorithm: cluster analysis (cluster), anomaly analysis settings [analysis of all employees (analysis on the day / analysis on the period), analysis on specific employees (analysis on the day / analysis on the period), analysis of the entire infrastructure (analysis on the day / period) Analysis), specific infrastructure analysis (analysis of the day/analysis of period), analysis of all IP addresses (analysis of the day/analysis of period), analysis of specific IP address (analysis of the same day/period analysis) - This is the screen for setting abnormal behavior options].

4c is a Test Data query (AI anomaly detection-employee analysis on the day) screen.

4d is a Test Data Splunk Image (AI anomaly detection-employee analysis on the same day) screen.

Figures 4e and 4f show images after the learning algorithm: normal data (normal within 5-95%) and abnormal data with anomalies (5% or less, 95% or more) by applying different AI variable thresholds (upper limit, lower limit) for each UserID individual ) is separated and extracted, the log (number of output pages/business hours, number of output pages/non-business hours) is listed, and the final result including abnormal data with abnormal symptoms is output.

4g is an error in JMachine that sets the analysis target [employee, infrastructure, IP address], time standard [day analysis, period analysis], lists employee number/name/department, employee number search box, and outputs the analysis screen. This is the symptom detection screen.

4h is a JMachine (Python) screen extracted by the JMachine website according to employee number/name/department.

(2) AI Numerical Anomaly Detection: A machine learning algorithm that detects anomaly patterns in numerical data in detection data by learning normal patterns in training data by a learning algorithm.

5A is an AI numerical anomaly detection: a screen showing a machine learning algorithm for detecting an abnormal pattern in numerical data by learning a normal pattern by the learning algorithm.

The detection properties of the monitoring client of the user terminal connected to the security server include detection type (AI detection, AI numerical abnormality detection), detection basic information (detection target field name, aggregate query), AI machine learning (AI algorithm, machine learning query, machine learning run, detection query), and AI predictive detection (AI detection option).

AI machine learning executes learning of training data by selecting deep learning (CNN) or several kinds of machine learning algorithms from the "run machine learning" menu.

* Unsupervised-Visible-Detection (CNN)

- Composed of 1-layer CNN, efficient for time series and image data

* Unmapped-preceding control-detection (AutoEncoder)

- Dimension reduction by preserving data characteristics, available for various learning data

* Unmapped-Memory-Detection (LSTM)

- Consists of 1-layer LSTM, efficient for time series/text data

* Deep memory-detection (Deep LSTM)

- Consists of 3 layers of LSTM, efficient for time series/text data

* Unsupervised-bidirectional-memory-detection (Bidirectional LSTM)

- Consisting of 1-layer bidirectional LSTM, efficient for time series/text data

* Unsupervised-visualization-memory-detection (Convolution LSTM)

- A structure that applies dimensionally reduced data to LSTM, which is efficient for image or video data with spatial characteristics

* Unmapped-bidirectional-circular-detection (Bidirectional GRU)

- Consists of 1-layer Bidirectional GRU, which is a simplified version of LSTM, and is effective for time series/text data

* Stacked Bidirectional GRU

- Consists of 3 layers of Bidirectional GRU, effective for time series/text data

For reference, as the number of layers of the transformer encoder increases, it is effective for complex or long sequence data. Through k transformer encoders, patch/position embedded data is decoded and learned by k decoders.

Convolutional Neural Networks (CNNs) are multilayer neural networks mainly used for character recognition and image analysis of video. Convolutional neural network (CNN) uses several convolution layers and pooling layers in the form of pairs (convolution layer, pooling layer, convolution layer, pooling layer,..) , and then a multilayer perceptron (MLP) having an input layer/hidden layer/output layer composed of several fully-connected layers (FC layers) can be used. For example, when a specific image is given as an input to a CNN, it undergoes a reconstruction process of feature maps generated in each layer. From each feature map, features are extracted from the input image in stages (feature extraction) and classified (classification). In the process of generating a feature map, the weights are called filters, and the mask used in the convolution layer, 2x2, 3x3, 4x4, or 2x2 used in the pooling layer All collections of weights used in a 5x5 window and FC layer can be referred to as filters. For down-sampling or sub-sampling in the pooling layer, a mean function that calculates the average or a max function that selects the maximum value is selected and used.

In addition, with the rapid development of computing power and computing technology such as CPU, GPU, and memory, deep learning algorithms such as RNN (Recurrent Neural Network), LSTM (Long Short-Term Memory), and GRU (Gated Recurrent Unit) are It maintains the order of sequential data and can learn a large amount of training data.

For reference, a Recurrent Neural Network (RNN) is a neural network that has a structure in which the output of a specific node is input back to the corresponding node, that is, the result value is derived by simultaneously considering the current input data and the past input data. As a solution to the vanishing gradient problem in neural network learning, LSTM (Long Short-Term Memory) was proposed.

LSTM (Long Short-Term Memory Neural Network) has a gate structure capable of adding or deleting information to a cell state. The gate can be selected for information determination and consists of a multiplication operation between the sigmoid neural network layer and the elements of the vector.

Bidirectional Long Short-Term Memory (Bi-LSTM) uses the same input as the unidirectional LSTM model, and unlike the structure of the unidirectional LSTM model, the bidirectional long short-term memory (Bi-LSTM) uses the same input as the unidirectional LSTM model. Use the information to train.

The output of all tokens of each layer (size: 512x768) was used as the input of LSTM. The LSTM consists of two layers, each LSTM layer consists of 512 LSTM cells, ), then a fully connected layer is used.

Bidirectional GRU (Bidirectional Gated Recurrent Unit, Bi-GRU) is used for sentence similarity measure.

After preprocessing, each sequence of tokens in each sentence is embedded into a random vector through an embedding layer of words. In the embodiment, the size of the Bi-GRU is set to 256, and the included vectors are calculated. In an embodiment, similarity is calculated as a sigmoid using a full connect layer (FC) and Euclidean distance. Similarity has a value between 0 and 1, and the closer the similarity value is to 1, the more similar the two sentences are. To measure the similarity, the distance to the fully connected layer (FC) is measured, and Euclidean distance, Cosine distance, Manhatten distance, Minkowski distance, and Chebyshev distance can be used for the distance.

5b and 5c are screens showing AI detection options (Sensitivity, Duplication, Accumulated Data, Sloop degree, Time Window Unit, Outlier/Inlier).

AI detection options include Sensitivity of AI detection data, De-duplication, Accumulated Area, Slope degree, Time Window Unit, Outlier/Inlier symptoms/normal symptoms).

* Sensitivity: Indicates the degree of difference between the predicted and actual values, and becomes a measure for event detection in the future.

* De-duplication: Excluding data with duplicate values

* Accumulated Area: Apply filter using area of data

Ex) Detect low value data X)

* Slope degree: Apply a filter using the slope of the data (e.g., event detection X when rapidly decreasing)

* Time Window Unit: Number of data rows in the window

Example) 7 unit: 7 pieces of data are regarded as one pattern (input)

* Outlier/Inlier: Which part of abnormal symptoms/normal symptoms can be detected as an event

whether or not

5D is a Test Data (KPI = 1) query (AI numerical abnormality detection) screen using a learning data query (SPL) and a detection data query (SPL).

5e is a Test Data Splunk Image (AI numerical abnormality detection) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).

5f is a screen showing data visualization (KPI = 1) of learning data trends (trend graph) by date and learning data distribution (bar graph) showing frequency by value according to UserID.

5g shows detection data visualization (KPI) including detection data trends by date (trend graph-outlier pattern (Anomaly-Outlier)) and detection data distribution showing frequency by value (bar graph-outlier pattern (Outlier)) according to UserID. = 1) It is one screen.

5h and 5i show that after learning a normal pattern for the training data using a learning algorithm, a deep learning model is used to apply a numerical anomaly detection threshold for each individual to output detection data, and the predicted value of the detection data and the actual This screen calculates the distance of the value and outputs the detection data.

5j is an AI detection sensitivity screen for daily detection data after learning algorithm.

5K is a JMachine scenario - AI detection sensitivity to detection data, AI detection source data screen.

(Example 2)

When monitoring the history of CPU usage using virtual machines on network equipment,

CPU system (cpu_system_pct), CPU usage per individual user (cpu_user_pct), total CPU usage (tot_cpu_pct)

6A is a Test Data (KPI = 3) query (AI numerical abnormality detection) screen using a learning data query (SPL) and a detection data query (SPL).

6B is a Test Data Splunk Image (AI numerical anomaly detection) (KPI = 3) screen including a training data image (Splunk Image) and a detection data image (Splunk Image).

6C is a data visualization (KPI = 3) screen of learning data trends (trend graph) by date/time for cpu_system_pct, cpu_user_pct, and tot_cpu_pct learning data, and learning data distribution (bar graph) showing frequency by value.

6D shows detection data trends by date/time for cpu_system_pct, cpu_user_pct, and tot_cpu_pct (trend graph-outlier pattern (Anomaly-Outlier)) and detection data distribution showing frequency by value (bar graph-outlier pattern (Outlier)). Detection data visualization (KPI = 3) is one screen.

6E shows that after learning normal patterns by time period/day for the learning algorithm’s cpu_system_pct, cpu_user_pct, and tot_cpu_pct learning data, a deep learning model is used to apply a numerical anomaly detection threshold for each individual to output detection data, and cpu_system_pct and cpu_user_pct , This is a screen that outputs detection data by calculating the Euclidean distance between the predicted value and the actual value of detection data by time/date for tot_cpu_pct.

6F is a result after learning normal patterns of cpu_system_pct, cpu_user_pct, and tot_cpu_pct training data using a learning algorithm: a display screen of abnormal patterns after learning normal patterns by time period/date for cpu_system_pct, cpu_user_pct, and tot_cpu_pct training data.

6G is a JMachine scenario - AI detection sensitivity and AI detection source data screen for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.

6H is a detection event visualization screen showing detection data displaying a histogram for each value and frequency for cpu_system_pct, cpu_user_pct, and tot_cpu_pct detection data.

(3) AI log anomaly detection: After transforming log text data into numerical data, detecting anomaly patterns in numerical data (learning normal patterns and digitizing abnormal patterns to designate thresholds)

7a and 7b show AI log anomaly detection: transforming log text data into numerical data and then detecting abnormal patterns in numerical data (learning normal patterns and digitizing abnormal patterns to designate thresholds) Test Data (KPI=1) learning data query (SPL), Detection Data Query (SPL) - This is the AI log anomaly detection screen.

7c is a Test Data Splunk Image (AI log anomaly detection) screen including a training data image (Splunk) and a detection data image (Splunk).

7D is a screen showing embedded text (AI log anomaly detection) of learning data and detection data in a time-series order by time and log_key.

Embodiments according to the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer readable recording medium. The computer readable recording medium may include program instructions, data files, and data structures alone or in combination. Computer-readable recording media include storage, hard disks, magnetic media such as floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - A hardware device configured to store and execute program instructions in storage media such as magneto-optical media, ROM, RAM, flash memory, etc. may be included. Examples of program instructions may include those produced by compilers and machine language codes as well as high-level language codes that can be executed by a computer using an interpreter. The hardware device may be configured to operate as one or more software modules to perform the operations of the present invention.

As described above, the method of the present invention is implemented as a program and can be read using computer software on a recording medium (CD-ROM, RAM, ROM, memory card, hard disk, magneto-optical disk, storage device, etc.) ) can be stored in

Although described with reference to specific embodiments of the present invention, the present invention is not limited to the same configuration and operation as the specific embodiments to illustrate the technical idea as described above, and within the limit that does not deviate from the technical spirit and scope of the present invention It can be implemented with various modifications, and the scope of the present invention should be determined by the claims described later.

100: secure area document storage room 110: tag reader
120: document storage room PC 130: visitor's tag pass
131: tag chip 170: user terminal
190: router 200: security server

Claims (4)

In the security management system that manages access to the security area
A PC 120 that transmits the access record of the tag reader 110 tagging the tag pass 130 of the visitor when entering the document security room for supplementary management; and
Access record of the person holding the tag pass 130 tagged by the tag reader 110 of the door of the security area 100, web access record (log record) of the digital document security room of the security server, CPU of the remote PC Status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) is accumulated and stored in the database of the security server for each individual, and the AI variable threshold for each individual is normalized according to z-score, average, and standard deviation for each individual according to statistics by time/date/period A security management system characterized by determining (upper limit value, lower limit value). According to claim 1
The learning data including the access records, web access records (log records), and CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) of the remote PC is used to learn normal patterns using deep learning or machine learning learning algorithms, and in real time For the detection data, different AI variable thresholds (upper and lower limits) are applied for each individual, and normal pattern data (normal within 5 to 95% of the normal distribution) and abnormal pattern data with abnormal abnormal patterns (below 5% of the normal distribution) , 95% or more) is separated and displayed on the UI screen by the user terminal, and the security server 200 outputs the final result including the log as a list or data visualization; and
A security management system comprising a user terminal 179 connected to the security server 200 through a wired or wireless communication network. According to claim 2
The security management system
The security room includes a file server 230 for storing documents and files, and the PC is a tag reader 110 that tags a visitor's tag pass 130 when entering or exiting the document security room of the security area 100. A security room security management system characterized in that it transmits the access record of and is connected to the tag reader 110. According to claim 3
The security management system includes a user terminal of a security manager, the user terminal is connected to the security server, and a menu for selecting the type of detection data, detection target, and period is displayed on the monitor, and the monitor displays different Learning data including access records/web access records/remote PC CPU status monitoring data (cpu_system_pct, cpu_user_pct, tot_cpu_pct) with AI variable threshold applied, and normal patterns (upper limit, lower limit) of the learning data are displayed Security room security management system.

Images