TWI823657B - Monitoring system and monitoring method for abnormal behavior of user equipment - Google Patents
- Publication number: TWI823657B
- Application number: TW111141887A
- Authority: TW (Taiwan)
- Prior art keywords: user equipment, abnormal, network, processor, network domain
Description
The present invention relates to a monitoring system and a monitoring method for abnormal behavior of user equipment.
Because internal users hold legitimate access rights to the system, the security information and event management (SIEM) monitoring platforms common today, which rely on correlation rules, have difficulty detecting threats from internal users effectively. Effectively monitoring users' network behavior to prevent insider threats and advanced persistent threats is therefore an important issue for protecting enterprise security and preventing leakage of sensitive corporate information. In addition, large numbers of 5G user equipment (UE) are deployed across the sites of different enterprise private networks, so automated and dynamic detection of abnormal user equipment is bound to be an important direction in the future.
The present invention provides a monitoring system and a monitoring method for abnormal behavior of user equipment, which can automatically analyze current network traffic and issue a warning message when a user equipment is abnormal.
A monitoring system for abnormal behavior of user equipment according to the present invention includes a transceiver and a processor. The processor is coupled to the transceiver and is configured to: obtain first network traffic of a first user equipment through the transceiver, and generate a domain whitelist corresponding to the first user equipment according to the first network traffic; obtain first current network traffic of the first user equipment through the transceiver, and determine, according to the first current network traffic, the access behavior of the first user equipment toward a first domain; in response to the first domain not being in the domain whitelist, determine according to the access behavior whether the first user equipment is abnormal; and in response to determining that the first user equipment is abnormal, output a warning message through the transceiver.
In an embodiment of the present invention, the processor is further configured to: input parameters in the first network traffic into a machine learning model to generate the domain whitelist.
In an embodiment of the present invention, the parameters include a user equipment identifier of the first user equipment, a domain identifier of the first domain, and a first rating of the first domain by the first user equipment.
In an embodiment of the present invention, the processor is further configured to: count, for the first user equipment, a plurality of access counts that respectively correspond to a plurality of domains, the plurality of domains including the first domain; and calculate the percentile rank (PR) of the first domain according to the plurality of access counts to generate the first rating.
In an embodiment of the present invention, the processor is further configured to: train the machine learning model according to a loss function based on collaborative filtering, wherein the collaborative-filtering-based loss function is associated with the correlation between user equipment identifiers, the correlation between domain identifiers, and the ratings of domains by user equipment.
In an embodiment of the present invention, the processor is further configured to: convert a first user equipment identifier into a first embedding vector and a second user equipment identifier into a second embedding vector; and calculate the distance between the first embedding vector and the second embedding vector to obtain the correlation between the user equipment identifiers.
In an embodiment of the present invention, the access behavior includes an access count, and the processor is further configured to: in response to the access count being greater than a threshold, determine that the first user equipment is abnormal.
In an embodiment of the present invention, the access behavior includes a first access count, and the processor is further configured to: obtain the current network traffic of each user equipment in a set of user equipment, the set including the first user equipment; count, according to the current network traffic, the accesses of each user equipment in the set to the first domain, and calculate an average access count from those access counts; and in response to the ratio of the first access count to the average access count being greater than a threshold, determine that the first user equipment is abnormal.
In an embodiment of the present invention, the access behavior includes an upload data volume, and the processor is further configured to: in response to the upload data volume being greater than a threshold, determine that the first user equipment is abnormal.
In an embodiment of the present invention, the processor is further configured to: record the first user equipment in one of a plurality of monitoring lists according to the access behavior, the plurality of monitoring lists respectively corresponding to a plurality of time periods; count the number of monitoring lists among the plurality that include the first user equipment; and in response to that number being greater than a threshold, determine that the first user equipment is abnormal.
A monitoring method for abnormal behavior of user equipment according to the present invention includes: obtaining first network traffic of a first user equipment and generating a domain whitelist corresponding to the first user equipment according to the first network traffic; obtaining first current network traffic of the first user equipment and determining, according to the first current network traffic, the access behavior of the first user equipment toward a first domain; in response to the first domain not being in the domain whitelist, determining according to the access behavior whether the first user equipment is abnormal; and in response to determining that the first user equipment is abnormal, outputting a warning message.
Based on the above, the monitoring system of the present invention can obtain the domain whitelist of the first user equipment from a machine learning model trained with a loss function based on collaborative filtering. Unlike previous clustering and outlier approaches, the present invention compares the domain whitelist with the access behavior of the first user equipment, so that abnormal user equipment can be found quickly among the connection records of a large number of 5G user equipment and a warning signal issued. The abnormal user equipment can be handed to information security staff for analysis to uncover hidden malicious attacks or activities, thereby improving enterprise security.
100: monitoring system
110: processor
120: storage medium
130: transceiver
S201, S202, S203, S204, S205, S206, S207, S301, S302, S303, S304: steps
FIG. 1 is a schematic diagram of a monitoring system for abnormal behavior of user equipment according to an embodiment of the present invention.
FIG. 2 is a flow chart of a method for abnormal behavior of user equipment according to an embodiment of the present invention.
FIG. 3 is a flow chart of a monitoring method for abnormal behavior of user equipment according to an embodiment of the present invention.
FIG. 1 is a schematic diagram of a monitoring system 100 for abnormal behavior of user equipment according to an embodiment of the present invention. The monitoring system 100 may include a processor 110, a storage medium 120, and a transceiver 130.
The processor 110 is, for example, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), or other similar element, or a combination of the above. The processor 110 may be coupled to the storage medium 120 and the transceiver 130.
The storage medium 120 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), or similar element, or a combination of the above, and is used to store a plurality of modules or various application programs executable by the processor 110 to implement the monitoring method for abnormal behavior of user equipment of the present invention.
The transceiver 130 transmits and receives signals wirelessly or by wire. The transceiver 130 may also perform operations such as low-noise amplification, impedance matching, frequency mixing, up or down frequency conversion, filtering, amplification, and the like.
FIG. 2 is a flow chart of a method for abnormal behavior of user equipment according to an embodiment of the present invention; the method may be implemented by the monitoring system 100 shown in FIG. 1. In step S201, the processor 110 may receive first network traffic of a first user equipment through the transceiver 130. The processor 110 may perform feature extraction on the first network traffic to extract the traffic fields that the monitoring system 100 requires. For fields that contain non-numeric information (for example, the network protocol), the processor 110 may digitize the field so that each field is in the most suitable format. The first network traffic may include a field recording the URL. The processor 110 may use information expansion to split the corresponding domain, such as the second-level domain, out of the URL. The processor 110 counts, for the first user equipment, a plurality of access counts that respectively correspond to a plurality of domains, the plurality of domains including the first domain. Specifically, the processor 110 may count the accesses of the first user equipment to each domain in the first network traffic to obtain the access counts respectively corresponding to the plurality of domains. Assuming the plurality of domains includes the first domain, the processor 110 may use feature extraction techniques to extract the user equipment identifier of the first user equipment and the domain identifier of the first domain from the first network traffic, and may remove advertising domains and noise from the first network traffic. In an embodiment, the processor 110 may calculate the proportion of transmitted traffic for each of the plurality of domains and, according to those proportions, calculate the degree of association between fields in order to eliminate unnecessary fields.
In addition, the processor 110 may further calculate, according to the plurality of access counts, the percentile rank (PR) of the first domain among all the domains accessed by the first user equipment to generate the first rating. For example, among the domains the first user equipment has accessed, if the first domain has the highest access count, then the first domain may be the domain with the highest percentile rank and the highest rating. Because every user's network behavior differs, the processor 110 may compare the popularity of the domains browsed by each user equipment using their access counts, computing the percentile rank of each user equipment's access counts to produce an individual rating. In this way, network behavior that differs from a user's usual pattern is reflected immediately, and potentially malicious users are detected effectively.
In step S202, the processor 110 inputs the parameters in the first network traffic (the information recorded in each field) into a machine learning model to generate a domain whitelist corresponding to the first user equipment. The parameters may include the user equipment identifier of the first user equipment, the domain identifier of the first domain, and the first rating of the first domain by the first user equipment described above. Specifically, the processor 110 may train the machine learning model according to a loss function based on collaborative filtering. The collaborative-filtering-based loss function is associated with the correlation between user equipment identifiers, the correlation between domain identifiers, or the ratings of domains by user equipment. The domain whitelist is the list of domains that the monitoring system 100 recommends the first user equipment access. The trained machine learning model can produce similar domain whitelists for user equipment with similar access behavior. For example, if the first user equipment and a second user equipment access the same domains and give those domains similar ratings, the machine learning model trained with the collaborative-filtering-based loss function can generate for the first user equipment a domain whitelist similar to the preferences of the second user equipment.
In an embodiment, the processor 110 uses embedding techniques to convert the first user equipment identifier and a second user equipment identifier into a first embedding vector and a second embedding vector, respectively, and calculates the distance between the two embedding vectors to obtain the correlation between the user equipment identifiers. Likewise, the processor 110 uses embedding techniques to convert the domain identifier of each domain into an embedding vector and obtains the correlation between the domain identifiers.
The processor 110 may obtain the collaborative-filtering-based loss function from historical parameters in historical network traffic and train the machine learning model over multiple days: it automatically generates predicted domain data for the following day, compares the predicted domain data with the actual domain data of the following day, and continues until the comparison error falls below a threshold, at which point training of the machine learning model is complete.
After the machine learning model has been trained, the processor 110 may compare its error with that of other recommendation models produced by other common algorithms.
The common algorithms may be, for example, singular value decomposition (SVD), K-nearest neighbor (KNN), or non-negative matrix factorization (NMF); the present invention is not limited in this respect.
In response to the error of the machine learning model being greater than the error of the other recommendation models, the processor 110 may continue updating the machine learning model to reduce its error.
In response to the error of the machine learning model being smaller than the error of the other recommendation models, the processor 110 may normalize the machine learning model and input the parameters in the first network traffic into it to generate the domain whitelist of the first user equipment. The domain whitelist may include a plurality of expected ratings respectively corresponding to a plurality of domains and a plurality of domain identifiers respectively corresponding to those domains.
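The preprocessing of step S201 and the whitelist generation of step S202, as an added example that is not the patent's own code: it splits second-level domains out of constructed URL records, counts accesses per UE, turns the counts into percentile-rank ratings, fits a small matrix-factorization collaborative-filtering model whose user-equipment and domain embeddings are trained by SGD on a squared-error loss, and takes each UE's whitelist as the domains with the highest expected ratings. The percentile-rank formula, the embedding dimension, the learning rate, the regularization weight and the sample flows are assumptions; the patent fixes none of them.

```python
"""
Added example, not the patent's own code: per-UE domain ratings from constructed
flow records, then a small embedding-based collaborative-filtering model that
yields a domain whitelist (domain id, expected rating) per UE.
"""
import random
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of "first network traffic": one (ue_id, url) pair per request.
SAMPLE_FLOWS = (
    [("ue-1", "https://mail.corp-mail.test/inbox")] * 3
    + [("ue-1", "https://docs.corp-docs.test/home")] * 2
    + [("ue-1", "https://wiki.corp-wiki.test/")]
    + [("ue-2", "https://mail.corp-mail.test/inbox")] * 3
    + [("ue-2", "https://docs.corp-docs.test/home")] * 2
    + [("ue-2", "https://wiki.corp-wiki.test/")]
    + [("ue-2", "https://ci.build-farm.test/jobs")] * 2
    + [("ue-3", "https://video.streams.test/watch")] * 4
    + [("ue-3", "https://cdn.games.test/play")] * 2
)


def second_level_domain(url):
    """Split the second-level domain out of a URL (mail.corp-mail.test -> corp-mail.test)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def access_counts(flows):
    """Per-UE access count for every second-level domain it contacted."""
    counts = defaultdict(Counter)
    for ue, url in flows:
        counts[ue][second_level_domain(url)] += 1
    return counts


def percentile_ratings(domain_counts):
    """Rating of a domain = percentile rank of its access count among the UE's own
    domains. Assumed PR formula: (count below + 0.5 * count equal) / n, in (0, 1]."""
    values = list(domain_counts.values())
    n = len(values)
    return {
        dom: (sum(v < c for v in values) + 0.5 * sum(v == c for v in values)) / n
        for dom, c in domain_counts.items()
    }


def rating_triples(flows):
    """(ue_id, domain_id, rating) rows: the parameters fed to the model."""
    return [
        (ue, dom, r)
        for ue, counts in access_counts(flows).items()
        for dom, r in percentile_ratings(counts).items()
    ]


class EmbeddingCF:
    """Matrix-factorization collaborative filtering: every UE id and domain id gets an
    embedding vector; the predicted rating is their dot product."""

    def __init__(self, ues, domains, dim=4, seed=7):
        rng = random.Random(seed)  # small random init, deterministic for the example
        self.ue_vec = {u: [rng.uniform(-0.1, 0.1) for _ in range(dim)] for u in sorted(ues)}
        self.dom_vec = {d: [rng.uniform(-0.1, 0.1) for _ in range(dim)] for d in sorted(domains)}

    def predict(self, ue, dom):
        return sum(a * b for a, b in zip(self.ue_vec[ue], self.dom_vec[dom]))

    def mse(self, triples):
        return sum((self.predict(u, d) - r) ** 2 for u, d, r in triples) / len(triples)

    def train(self, triples, epochs=500, lr=0.1, reg=1e-3):
        """SGD on squared error plus an L2 penalty on both embeddings (the CF loss)."""
        for _ in range(epochs):
            for ue, dom, r in triples:
                u, d = self.ue_vec[ue], self.dom_vec[dom]
                err = self.predict(ue, dom) - r
                for i in range(len(u)):
                    gu, gd = err * d[i] + reg * u[i], err * u[i] + reg * d[i]
                    u[i] -= lr * gu
                    d[i] -= lr * gd
        return self

    def ue_distance(self, ue_a, ue_b):
        """Euclidean distance between two UE embeddings: small means similar behavior."""
        return sum((a - b) ** 2 for a, b in zip(self.ue_vec[ue_a], self.ue_vec[ue_b])) ** 0.5

    def whitelist(self, ue, top_k=3):
        """Domain whitelist: the top_k domains by expected rating for this UE."""
        ranked = sorted(self.dom_vec, key=lambda d: self.predict(ue, d), reverse=True)
        return [(d, round(self.predict(ue, d), 3)) for d in ranked[:top_k]]


def build_whitelists(flows, top_k=3):
    triples = rating_triples(flows)
    model = EmbeddingCF({t[0] for t in triples}, {t[1] for t in triples}).train(triples)
    return model, {ue: model.whitelist(ue, top_k) for ue in model.ue_vec}


if __name__ == "__main__":
    model, lists = build_whitelists(SAMPLE_FLOWS)
    print("training MSE:", round(model.mse(rating_triples(SAMPLE_FLOWS)), 5))
    print("ue-1/ue-2 distance:", round(model.ue_distance("ue-1", "ue-2"), 3))
    for ue, wl in lists.items():
        print(ue, wl)
```

The distance returned by `ue_distance` is the correlation between user equipment identifiers that the description derives from embedding vectors, and ranking by predicted rating is one way to realize the "expected ratings" for domains a UE has not yet contacted. On real traffic the model should be fitted on historical days and scored against the following day, as the description says, before its whitelist is trusted for step S205.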
In step S203, the processor 110 may receive first current network traffic of the first user equipment through the transceiver 130. In step S204, the processor 110 determines the access behavior of the first user equipment toward the first domain according to the first current network traffic.
In step S205, the processor 110 determines whether the first domain is in the domain whitelist. If the first domain is not in the domain whitelist of the first user equipment, the flow proceeds to step S206. If the first domain is in the domain whitelist of the first user equipment, the flow ends. In step S206, the processor 110 determines according to the access behavior whether the first user equipment is abnormal. If the processor 110 determines that the first user equipment is abnormal, the flow proceeds to step S207. If the processor 110 determines that the first user equipment is normal, the flow ends.
In an embodiment, the access behavior includes the number of accesses of the first user equipment to the first domain. If the access count is greater than a threshold, the processor 110 determines that the access behavior of the first user equipment toward the first domain is abnormal, and therefore that the first user equipment is abnormal. If the access count is less than or equal to the threshold, the processor 110 determines that the access behavior is normal, and therefore that the first user equipment is normal.
In an embodiment, the access behavior includes a first access count of the first user equipment to the first domain. The processor 110 may obtain the current network traffic of each user equipment in a set of user equipment, the set including the first user equipment. The processor 110 may then count, according to the current network traffic, the accesses of each user equipment in the set to the first domain and calculate an average access count from those counts. If the ratio of the first access count to the average access count is greater than a threshold, the processor 110 may determine that the access behavior of the first user equipment toward the first domain is abnormal, and therefore that the first user equipment is abnormal. If the ratio is less than or equal to the threshold, the processor 110 may determine that the access behavior is normal, and therefore that the first user equipment is normal.
For example, when the first user equipment's access count to the first domain is abnormally high, the processor 110 can use the access counts of the other user equipment in the set to the first domain to decide whether the first user equipment is abnormal. If the other user equipment's access counts to the first domain are also abnormally high, the first user equipment can be judged normal, and vice versa. The average access count is therefore calculated from the access counts of every user equipment in the set to the first domain, and in response to the ratio of the first access count to the average access count being greater than the threshold, the first user equipment is determined to be abnormal.
In an embodiment, the access behavior further includes an upload data volume. The processor 110 may determine that the first user equipment is abnormal in response to the upload data volume being greater than a threshold, and normal in response to the upload data volume being less than or equal to the threshold.
In an embodiment, the processor 110 may record the first user equipment in one of a plurality of monitoring lists according to the access behavior, the plurality of monitoring lists respectively corresponding to a plurality of time periods. The processor 110 may count the number of monitoring lists that include the first user equipment and, in response to that number being greater than a threshold, determine that the first user equipment is abnormal. Conversely, in response to the number being less than or equal to the threshold, the processor 110 may determine that the first user equipment is normal.
For example, when the first user equipment is detected as abnormal, the processor 110 records it in one of the plurality of monitoring lists, where the monitoring lists respectively correspond to a plurality of time periods, such as each day of the past week. Thus, when the threshold is "4", if the first user equipment has been recorded in that day's monitoring list on more than 4 days within the week, the processor 110 determines that the first user equipment is abnormal.
In step S207, the processor 110 may output a warning message to prompt the network administrator to check the abnormal state of the first user equipment.
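The checks of steps S205 and S206 and the multi-period monitoring lists, as an added example that is not the patent's own code, run over constructed current-traffic records: a UE is examined only for domains outside its whitelist, fires on the access-count, ratio-to-average and upload-volume rules, and is flagged as persistently abnormal when it appears on more than a threshold number of daily monitoring lists. The threshold values, the ten-device UE set, the domain names, the byte counts and the fixed whitelists are constructed; the patent does not fix any of them.

```python
"""
Added example, not the patent's own code: the S205/S206 checks on constructed
current-traffic records, plus daily monitoring lists over a one-week window.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Constructed threshold values; the patent does not fix any of them."""
    max_accesses: int = 50              # accesses by one UE to one domain
    max_ratio_to_average: float = 8.0   # UE count / average over the UE set
    max_upload_bytes: int = 20_000_000  # bytes uploaded by one UE to one domain
    max_days_on_list: int = 4           # monitoring lists a UE may appear on


# The UE set is every device in the private network, idle ones included (constructed).
UE_SET = {f"ue-{i}" for i in range(1, 11)}

# Constructed whitelists (in practice produced by the recommendation model of S202).
WHITELISTS = {
    "ue-1": {"corp-mail.test", "corp-docs.test"},
    "ue-2": {"corp-mail.test", "corp-docs.test"},
    "ue-3": {"streams.test", "games.test"},
}

# Constructed current-traffic records: (ue_id, second_level_domain, upload_bytes).
BASELINE = (
    [("ue-1", "corp-mail.test", 2_000)] * 10
    + [("ue-2", "corp-mail.test", 1_500)] * 8
    + [("ue-2", "news-site.test", 500)] * 6
    + [("ue-3", "news-site.test", 500)] * 5
)
BULK_UPLOADS = [("ue-1", "drop-share.test", 3_000_000)] * 12   # 36 MB out in one day
POLLING = [("ue-3", "pollhost.test", 200)] * 60                # 60 hits in one day
DAILY_TRAFFIC = {
    f"day-{i}": BASELINE + (BULK_UPLOADS if i <= 5 else []) + (POLLING if i == 1 else [])
    for i in range(1, 8)
}
CURRENT_TRAFFIC = DAILY_TRAFFIC["day-1"]


def summarise(records):
    """Per (ue, domain): access count and total uploaded bytes."""
    count, upload = Counter(), Counter()
    for ue, dom, up in records:
        count[(ue, dom)] += 1
        upload[(ue, dom)] += up
    return count, upload


def evaluate(ue, domain, records, whitelists, th, ue_set):
    """Names of the checks that fire for ue's access to domain; [] means normal."""
    if domain in whitelists.get(ue, set()):
        return []                                   # S205: whitelisted, flow ends
    count, upload = summarise(records)
    n = count[(ue, domain)]
    reasons = []
    if n > th.max_accesses:                         # S206: access-count rule
        reasons.append("access-count")
    # Average over the whole UE set; devices that never touched the domain count as 0.
    avg = sum(count[(other, domain)] for other in ue_set) / len(ue_set)
    if avg > 0 and n / avg > th.max_ratio_to_average:   # S206: ratio-to-average rule
        reasons.append("ratio-to-average")
    if upload[(ue, domain)] > th.max_upload_bytes:      # S206: upload-volume rule
        reasons.append("upload-volume")
    return reasons


def daily_monitoring_lists(daily_records, whitelists, th, ue_set):
    """One monitoring list per period (here per day): the UEs flagged in that period."""
    lists = {}
    for day, records in daily_records.items():
        pairs = {(ue, dom) for ue, dom, _ in records}
        lists[day] = {ue for ue, dom in pairs
                      if evaluate(ue, dom, records, whitelists, th, ue_set)}
    return lists


def persistent_offenders(lists, th):
    """UEs present on more than th.max_days_on_list of the monitoring lists."""
    days_on_list = Counter(ue for flagged in lists.values() for ue in flagged)
    return {ue for ue, days in days_on_list.items() if days > th.max_days_on_list}


if __name__ == "__main__":
    th = Thresholds()
    for ue, dom in sorted({(u, d) for u, d, _ in CURRENT_TRAFFIC}):
        print(ue, dom, evaluate(ue, dom, CURRENT_TRAFFIC, WHITELISTS, th, UE_SET))
    lists = daily_monitoring_lists(DAILY_TRAFFIC, WHITELISTS, th, UE_SET)
    print("warn administrator about:", persistent_offenders(lists, th))  # S207
```

One caveat worth checking when tuning the ratio rule: if only one UE in a set of N devices contacts a domain, its count divided by the set average is exactly N, so a ratio threshold at or above the set size can never fire. In the constructed sample a threshold of 8 over ten devices fires for the bulk-upload and polling cases, while the two devices that both read the news site stay below it.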
FIG. 3 is a flow chart of a monitoring method for abnormal behavior of user equipment according to an embodiment of the present invention; the monitoring method may be implemented by the monitoring system 100 shown in FIG. 1. In step S301, first network traffic of a first user equipment is obtained, and a domain whitelist corresponding to the first user equipment is generated according to the first network traffic. In step S302, first current network traffic of the first user equipment is obtained, and the access behavior of the first user equipment toward a first domain is determined according to the first current network traffic. In step S303, in response to the first domain not being in the domain whitelist, whether the first user equipment is abnormal is determined according to the access behavior. In step S304, in response to determining that the first user equipment is abnormal, a warning message is output.
In summary, the monitoring system of the present invention can obtain the domain whitelist of a user equipment through digitized ratings and a machine learning model trained with a loss function based on collaborative filtering. Unlike previous clustering and outlier approaches, the present invention compares the domain whitelist with the access behavior of the user equipment, so that abnormal user equipment can be found quickly among the connection records of a large number of 5G user equipment and a warning signal issued. The present invention can therefore effectively reduce the workload of network monitoring staff. Furthermore, the present invention compares the access behavior of the user equipment with preset thresholds, determines from the comparison whether the user equipment is abnormal, and sends a warning message to the network administrator accordingly. The abnormal user equipment can be handed to information security staff for analysis to uncover hidden malicious attacks or activities, thereby improving enterprise security. The present invention can be applied to network environments holding very large volumes of data: the preprocessing stage can draw on the strengths of deep-learning-based mining to obtain usable features from massive data. Accordingly, the present invention can detect blind spots that traditional monitoring systems using correlation or static rules cannot, and thereby defend against emerging attack techniques such as attacks from internal users and advanced persistent attacks.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111141887A TWI823657B (en) | 2022-11-02 | 2022-11-02 | Monitoring system and monitoring method for abnormal behavior of user equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI823657B true TWI823657B (en) | 2023-11-21 |
TW202420786A TW202420786A (en) | 2024-05-16 |
Family ID: 89722753
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI823657B (en) |