TWI823657B - Monitoring system and monitoring method for abnormal behavior of user equipment - Google Patents


Info

Publication number: TWI823657B
Authority: TW (Taiwan)
Application number: TW111141887A
Other versions: TW202420786A
Other languages: Chinese (zh)
Prior art keywords: user equipment, abnormal, network, processor, network domain
Inventor: 黃川源
Original assignee / applicant: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Status: application granted

Landscapes

  • Alarm Systems (AREA)
  • Emergency Alarm Devices (AREA)

Abstract

A monitoring system and a monitoring method for abnormal behavior of a user equipment are provided. The method includes: obtaining first network traffic of a first user equipment and generating a domain whitelist corresponding to the first user equipment according to the first network traffic; obtaining first current network traffic of the first user equipment and determining an access behavior of the first user equipment toward a first domain according to the first current network traffic; in response to the first domain not being in the domain whitelist, determining whether the first user equipment is abnormal according to the access behavior; and in response to the first user equipment being abnormal, outputting an alarm message.

Description

Monitoring system and monitoring method for abnormal behavior of user equipment

The present invention relates to a monitoring system and a monitoring method for abnormal behavior of user equipment.

Because internal users hold legitimate access rights to the system, the security information and event management (SIEM) platforms in common use today, which rely on correlation rules, have difficulty detecting threats from internal users effectively. Monitoring users' network connection behavior effectively, so as to counter insider threats and advanced persistent threats, is therefore an important issue for enterprise security and for preventing the leakage of sensitive corporate information. In addition, large numbers of 5G user equipment (UE) are deployed across different enterprise private network sites, so automated and dynamic methods for detecting abnormal user equipment are bound to become an important direction.

The present invention provides a monitoring system and a monitoring method for abnormal behavior of user equipment that can automatically analyze current network traffic and issue an alarm message when a user equipment is abnormal.

A monitoring system for abnormal behavior of user equipment according to the present invention includes a transceiver and a processor. The processor is coupled to the transceiver and is configured to: obtain first network traffic of a first user equipment through the transceiver and generate a domain whitelist corresponding to the first user equipment according to the first network traffic; obtain first current network traffic of the first user equipment through the transceiver and determine, according to the first current network traffic, the access behavior of the first user equipment toward a first domain; in response to the first domain not being in the domain whitelist, determine whether the first user equipment is abnormal according to the access behavior; and in response to determining that the first user equipment is abnormal, output an alarm message through the transceiver.

In an embodiment of the present invention, the processor is further configured to input parameters from the first network traffic into a machine learning model to generate the domain whitelist.

In an embodiment of the present invention, the parameters include a user equipment identifier of the first user equipment, a domain identifier of the first domain, and a first rating given to the first domain by the first user equipment.

In an embodiment of the present invention, the processor is further configured to: count, for the first user equipment, a plurality of access counts, each corresponding to one of a plurality of domains that include the first domain; and calculate the percentile rank (PR) of the first domain from the plurality of access counts to produce the first rating.

In an embodiment of the present invention, the processor is further configured to train the machine learning model with a loss function based on collaborative filtering, where the collaborative-filtering loss function is associated with the correlations between user equipment identifiers, the correlations between domain identifiers, and the ratings given to domains by user equipment.

In an embodiment of the present invention, the processor is further configured to: convert a first user equipment identifier into a first embedding vector and a second user equipment identifier into a second embedding vector; and compute the distance between the first embedding vector and the second embedding vector to obtain the correlation between the user equipment identifiers.

In an embodiment of the present invention, the access behavior includes an access count, and the processor is further configured to determine that the first user equipment is abnormal in response to the access count being greater than a threshold.

In an embodiment of the present invention, the access behavior includes a first access count, and the processor is further configured to: obtain the current network traffic of each user equipment in a set of user equipment that includes the first user equipment; count, from the current network traffic, the number of accesses to the first domain by each user equipment in the set, and calculate an average access count from those counts; and determine that the first user equipment is abnormal in response to the ratio of the first access count to the average access count being greater than a threshold.

In an embodiment of the present invention, the access behavior includes an uploaded data volume, and the processor is further configured to determine that the first user equipment is abnormal in response to the uploaded data volume being greater than a threshold.

In an embodiment of the present invention, the processor is further configured to: record the first user equipment in one of a plurality of watchlists according to the access behavior, where the watchlists correspond to a plurality of time periods; count the number of those watchlists that include the first user equipment; and determine that the first user equipment is abnormal in response to that number being greater than a threshold.

A monitoring method for abnormal behavior of user equipment according to the present invention includes: obtaining first network traffic of a first user equipment and generating a domain whitelist corresponding to the first user equipment according to the first network traffic; obtaining first current network traffic of the first user equipment and determining, according to the first current network traffic, the access behavior of the first user equipment toward a first domain; in response to the first domain not being in the domain whitelist, determining whether the first user equipment is abnormal according to the access behavior; and in response to determining that the first user equipment is abnormal, outputting an alarm message.

Based on the above, the monitoring system of the present invention can obtain the domain whitelist of the first user equipment from a machine learning model trained with a collaborative-filtering loss function. Unlike earlier clustering and outlier approaches, the present invention compares the domain whitelist with the access behavior of the first user equipment, so that abnormal user equipment can be found quickly among the connection records of a large number of 5G user equipment and an alarm signal issued. The abnormal user equipment can then be handed to security staff for analysis to uncover hidden malicious attacks or activity, improving enterprise security.

100: monitoring system

110: processor

120: storage medium

130: transceiver

S201, S202, S203, S204, S205, S206, S207, S301, S302, S303, S304: steps

FIG. 1 is a schematic diagram of a monitoring system for abnormal behavior of user equipment according to an embodiment of the present invention.

FIG. 2 is a flowchart of a method for monitoring abnormal behavior of user equipment according to an embodiment of the present invention.

FIG. 3 is a flowchart of a monitoring method for abnormal behavior of user equipment according to an embodiment of the present invention.

FIG. 1 is a schematic diagram of a monitoring system 100 for abnormal behavior of user equipment according to an embodiment of the present invention. The monitoring system 100 may include a processor 110, a storage medium 120 and a transceiver 130.

The processor 110 is, for example, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field-programmable gate array (FPGA), other similar component, or a combination of these. The processor 110 may be coupled to the storage medium 120 and the transceiver 130.

The storage medium 120 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), similar component, or a combination of these, and stores the modules or application programs that the processor 110 executes to carry out the monitoring method for abnormal behavior of user equipment of the present invention.

The transceiver 130 transmits and receives signals wirelessly or over a wire. The transceiver 130 may also perform operations such as low-noise amplification, impedance matching, mixing, up- or down-conversion, filtering and amplification.

FIG. 2 is a flowchart of a method for monitoring abnormal behavior of user equipment according to an embodiment of the present invention; the method may be carried out by the monitoring system 100 of FIG. 1. In step S201, the processor 110 may receive first network traffic of a first user equipment through the transceiver 130. The processor 110 may perform feature extraction on the first network traffic to pull out the traffic fields the monitoring system 100 needs, and may digitize fields that hold non-numeric information (for example, the network protocol) so that each field is in the most suitable format. The first network traffic may include a field that records the URL; from the URL the processor 110 can derive the corresponding domain, such as the second-level domain. The processor 110 counts, for the first user equipment, a plurality of access counts corresponding to a plurality of domains that include the first domain; that is, it counts how many times the first user equipment accessed each domain in the first network traffic. The processor 110 may use feature extraction to pull the user equipment identifier of the first user equipment and the domain identifier of the first domain out of the first network traffic, and may discard advertising domains and noise in the first network traffic. In an embodiment, the processor 110 may also calculate the proportion of transmitted traffic for each of the plurality of domains and, from these proportions, the degree of correlation between fields, so as to discard fields that are not needed.

In addition, the processor 110 may further calculate, from the plurality of access counts, the percentile rank (PR) of the first domain among all domains accessed by the first user equipment, and use it as the first rating. For example, if the first domain is the domain accessed most often among the domains the first user equipment has visited, it is the domain with the highest percentile rank and the highest rating. Because every user's connection behavior differs, the processor 110 compares the popularity of the domains each user equipment has browsed by ranking that equipment's own access counts, so that every user equipment obtains its own ratings. This makes connection behavior that departs from a user's norm show up immediately, and potentially malicious users can be detected effectively.
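The feature extraction and percentile-rank rating described for step S201, as an added example written for this page (not code from the patent or from 中華電信). It assumes a constructed, one-line-per-request traffic log of the form `ue_id,url,bytes_up,bytes_down`, takes the last two host labels as the second-level domain (no public-suffix list), and uses a hypothetical noise list to drop an advertising domain; the sample records are constructed, not real traffic.

```python
# Added example (not code from the patent or from 中華電信): feature extraction
# and percentile-rank ratings for step S201, pure Python.
# Assumptions: one constructed record per request, "ue_id,url,bytes_up,bytes_down";
# the "second-level domain" is taken as the last two host labels (no public-suffix
# list); a hypothetical noise list supplies the advertising domains to discard.
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic for two user equipments; not real data.
SAMPLE_TRAFFIC = """\
ue-001,https://mail.corpmail.com/inbox,1200,48000
ue-001,https://mail.corpmail.com/send,2200,900
ue-001,https://wiki.corpwiki.net/page/a,300,22000
ue-001,https://cdn.ads-network.net/pixel.gif,100,200
ue-001,http://static.updates.example.org/patch,500,90000
ue-002,https://wiki.corpwiki.net/page/b,400,31000
ue-002,https://wiki.corpwiki.net/page/c,400,15000
ue-002,https://mail.corpmail.com/inbox,1100,20000
"""

NOISE_DOMAINS = {"ads-network.net"}  # hypothetical advertising/noise list


def second_level_domain(url: str) -> str:
    """Last two labels of the URL host, e.g. a.b.example.org -> example.org."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_traffic(text: str):
    """Yield (ue_id, domain, bytes_up) per record, dropping noise domains."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ue_id, url, bytes_up, _bytes_down = line.split(",")
        domain = second_level_domain(url)
        if domain in NOISE_DOMAINS:
            continue
        yield ue_id, domain, int(bytes_up)


def access_counts(text: str):
    """ue_id -> Counter(domain -> number of accesses)."""
    counts = defaultdict(Counter)
    for ue_id, domain, _ in parse_traffic(text):
        counts[ue_id][domain] += 1
    return counts


def percentile_rank_ratings(domain_counts: Counter) -> dict:
    """Rating of each domain = percentile rank of its access count among the
    domains this UE accessed: share of domains with a lower count, plus half of
    the ties (the domain itself included), on a 0..100 scale. The most-visited
    domain therefore gets the highest rating."""
    values = list(domain_counts.values())
    n = len(values)
    ratings = {}
    for domain, c in domain_counts.items():
        below = sum(1 for v in values if v < c)
        ties = sum(1 for v in values if v == c)
        ratings[domain] = 100.0 * (below + 0.5 * ties) / n
    return ratings


def build_ratings(text: str) -> dict:
    """(ue_id, domain) -> rating: the parameter triples fed to the model in S202."""
    return {(ue, d): r
            for ue, dc in access_counts(text).items()
            for d, r in percentile_rank_ratings(dc).items()}
```

One consequence worth noticing: the rating is relative to the UE's own history, so for ue-001 a domain visited once rates the same whether it is a core service or a first-time contact. That is why the detection stage (steps S204 to S206) still needs the absolute and peer-relative thresholds rather than relying on the rating alone.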

In step S202, the processor 110 inputs the parameters from the first network traffic (the information recorded in the fields) into a machine learning model to generate the domain whitelist corresponding to the first user equipment. The parameters may include the user equipment identifier of the first user equipment, the domain identifier of the first domain and the first rating given by the first user equipment to the first domain. Specifically, the processor 110 may train the machine learning model with a loss function based on collaborative filtering; this loss function is associated with the correlations between user equipment identifiers, the correlations between domain identifiers, or the ratings given to domains by user equipment. The domain whitelist is the list of domains the monitoring system 100 recommends for the first user equipment. A trained model produces similar domain whitelists for user equipment with similar access behavior: if a first and a second user equipment access the same domain and rate it similarly, the model trained with the collaborative-filtering loss function can produce for the first user equipment a domain whitelist close to the second user equipment's preferences.

In an embodiment, the processor 110 converts the first user equipment identifier and the second user equipment identifier into a first and a second embedding vector using embedding techniques, and computes the distance between the two embedding vectors to obtain the correlation between the user equipment identifiers. In the same way, the processor 110 converts the domain identifier of each domain into an embedding vector and obtains the correlations between the domain identifiers.

The processor 110 may derive the collaborative-filtering loss function from historical parameters in historical network traffic and train the machine learning model over several days: the model automatically produces predicted domain data for the next day, which is then compared with the actual domain data of that next day, and training continues until the comparison error falls below a threshold, at which point training of the machine learning model is complete.

After the machine learning model has been trained, the processor 110 may compare its error against that of other recommendation models produced by other common algorithms.

Such common algorithms may be singular value decomposition (SVD), k-nearest neighbors (KNN) or non-negative matrix factorization, among others; the present invention does not limit the choice.

If the error of the machine learning model is greater than that of the other recommendation models, the processor 110 may keep updating the machine learning model to reduce its error.

If the error of the machine learning model is smaller than that of the other recommendation models, the processor 110 may normalize the machine learning model and input the parameters from the first network traffic into it to generate the domain whitelist of the first user equipment. The domain whitelist may include a plurality of expected ratings and a plurality of domain identifiers, each corresponding to one of a plurality of domains.
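A minimal version of the collaborative-filtering model of step S202, added as an example for this page (not the patent's or 中華電信's implementation): each user equipment identifier and each domain identifier gets an embedding vector, the loss is the regularised squared error between a rating and the dot product of the two embeddings, the correlation between UEs is the Euclidean distance between their embeddings, and the whitelist is the top-k domains by expected rating. The ratings are constructed percentile ranks scaled to 0..1; the stopping rule on training RMSE stands in for the patent's comparison of predicted against actual next-day domain data; the embedding size, learning rate and regularisation weight are illustrative.

```python
# Added example (not code from the patent or from 中華電信): a minimal
# collaborative-filtering model for step S202, pure Python, no external packages.
# Every UE identifier and every domain identifier is mapped to an embedding
# vector; the loss is the squared error between a UE's rating of a domain and the
# dot product of the two embeddings, plus L2 regularisation on both embeddings.
import math
import random

# Constructed (ue_id, domain) -> rating pairs (percentile ranks scaled to 0..1).
# ue-A and ue-B behave alike, ue-C and ue-D behave alike; ue-A has never
# accessed git.corp.
SAMPLE_RATINGS = {
    ("ue-A", "mail.corp"): 0.90, ("ue-A", "wiki.corp"): 0.70,
    ("ue-B", "mail.corp"): 0.90, ("ue-B", "wiki.corp"): 0.72,
    ("ue-B", "git.corp"): 0.81, ("ue-B", "crm.vendor"): 0.18,
    ("ue-C", "crm.vendor"): 0.90, ("ue-C", "erp.vendor"): 0.86,
    ("ue-C", "mail.corp"): 0.27,
    ("ue-D", "crm.vendor"): 0.90, ("ue-D", "erp.vendor"): 0.86,
    ("ue-D", "wiki.corp"): 0.24, ("ue-D", "git.corp"): 0.21,
}


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def distance(a, b):
    """Euclidean distance between two embedding vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class CFModel:
    """Matrix-factorisation collaborative filter trained by SGD."""

    def __init__(self, ratings, dims=3, seed=7):
        rng = random.Random(seed)
        self.ratings = dict(ratings)
        self.ue = {u: [rng.uniform(0.1, 0.5) for _ in range(dims)]
                   for u, _ in self.ratings}
        self.domain = {d: [rng.uniform(0.1, 0.5) for _ in range(dims)]
                       for _, d in self.ratings}

    def predict(self, ue_id, domain):
        """Expected rating of `domain` by `ue_id` (dot product of embeddings)."""
        return dot(self.ue[ue_id], self.domain[domain])

    def rmse(self):
        errs = [(r - self.predict(u, d)) ** 2 for (u, d), r in self.ratings.items()]
        return math.sqrt(sum(errs) / len(errs))

    def train(self, lr=0.05, reg=0.1, max_epochs=500, tol=0.05):
        """SGD on the regularised squared-error loss. Stops once the fit error
        falls below `tol` (the patent compares predicted against actual next-day
        domain data; training RMSE stands in for that here). Returns epochs run."""
        for epoch in range(1, max_epochs + 1):
            for (u, d), r in self.ratings.items():
                p, q = self.ue[u], self.domain[d]
                e = r - dot(p, q)
                for i in range(len(p)):
                    p_i, q_i = p[i], q[i]
                    p[i] += lr * (e * q_i - reg * p_i)
                    q[i] += lr * (e * p_i - reg * q_i)
            if self.rmse() < tol:
                return epoch
        return max_epochs

    def similar_ues(self, ue_id):
        """Other UEs ordered by embedding distance, closest first: the
        'correlation between user equipment identifiers' of the text."""
        return sorted((u for u in self.ue if u != ue_id),
                      key=lambda u: distance(self.ue[ue_id], self.ue[u]))

    def whitelist(self, ue_id, k=3):
        """Top-k domains by expected rating, as (domain, score) pairs: the domain
        whitelist, which may include domains the UE has not itself accessed."""
        scored = [(d, self.predict(ue_id, d)) for d in self.domain]
        scored.sort(key=lambda item: item[1], reverse=True)
        return scored[:k]
```

ue-A has never accessed git.corp, but because its embedding lands next to ue-B's the model predicts a high rating for it and puts it on ue-A's whitelist; crm.vendor, rated low by ue-B and high only by the dissimilar ue-C and ue-D, is left off. That is the behaviour the text describes: devices with similar access behaviour get similar whitelists, so a first contact with a peer-typical domain does not reach the anomaly checks of steps S205 and S206.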

In step S203, the processor 110 may receive first current network traffic of the first user equipment through the transceiver 130. In step S204, the processor 110 determines the access behavior of the first user equipment toward the first domain according to the first current network traffic.

In step S205, the processor 110 determines whether the first domain is in the domain whitelist. If the first domain is not in the domain whitelist of the first user equipment, the flow proceeds to step S206; if it is, the flow ends. In step S206, the processor 110 determines whether the first user equipment is abnormal according to the access behavior. If the processor 110 determines that the first user equipment is abnormal, the flow proceeds to step S207; if it determines that the first user equipment is normal, the flow ends.

In an embodiment, the access behavior includes the number of times the first user equipment has accessed the first domain. If the access count is greater than a threshold, the processor 110 determines that the access behavior of the first user equipment toward the first domain is abnormal, and therefore that the first user equipment is abnormal. If the access count is less than or equal to the threshold, the processor 110 determines that the access behavior is normal, and therefore that the first user equipment is normal.

In an embodiment, the access behavior includes a first access count of the first user equipment toward the first domain. The processor 110 may obtain the current network traffic of every user equipment in a set of user equipment that includes the first user equipment. The processor 110 then counts, from that current network traffic, how many times each user equipment in the set accessed the first domain and calculates the average access count from those counts. If the ratio of the first access count to the average access count is greater than a threshold, the processor 110 determines that the access behavior of the first user equipment toward the first domain is abnormal, and therefore that the first user equipment is abnormal. If the ratio is less than or equal to the threshold, the access behavior is determined to be normal, and therefore the first user equipment is normal.

For example, when the first user equipment's access count for the first domain is abnormally high, the processor 110 can check it against the access counts of the other user equipment in the set. If the other user equipment also show abnormally high access counts for the first domain, the first user equipment can be judged normal, and vice versa. The average access count is therefore calculated from the access counts of every user equipment in the set, and the first user equipment is determined to be abnormal when the ratio of the first access count to the average access count exceeds the threshold. Note that because the set includes the first user equipment itself, the ratio can never exceed the number of user equipment in the set, so the threshold must be chosen smaller than that number for the rule to be able to fire.

In an embodiment, the access behavior further includes an uploaded data volume. The processor 110 may determine that the first user equipment is abnormal in response to the uploaded data volume being greater than a threshold, and normal in response to it being less than or equal to the threshold.

In an embodiment, the processor 110 may record the first user equipment in one of a plurality of watchlists according to the access behavior, where the watchlists correspond to a plurality of time periods. The processor 110 counts the number of watchlists that include the first user equipment and, in response to that number being greater than a threshold, determines that the first user equipment is abnormal; in response to the number being less than or equal to the threshold, it determines that the first user equipment is normal.

For example, when an abnormality is detected for the first user equipment, the processor 110 records the first user equipment in one of the watchlists, each of which corresponds to a time period, such as one day of the past week. With a threshold of 4, the processor 110 determines that the first user equipment is abnormal if it has been recorded on the day's watchlist on more than four days of the week, that is, when the count exceeds the threshold.
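The decision logic of steps S205 to S207 with the four rules of the embodiments above, as an added example for this page (not the patent's or 中華電信's code). The per-UE whitelist, the single period of current traffic, the six prior daily watchlists and all thresholds are constructed and illustrative; the set of user equipment for the peer average is taken to be every UE seen in the current traffic, with UEs that never touched the domain counting as zero accesses, and the watchlist rule is applied as "count greater than threshold", as the claims state it.

```python
# Added example (not code from the patent or from 中華電信): the decision logic of
# steps S205 to S207 with the four rules of the embodiments above. Whitelists,
# current traffic, prior watchlists and thresholds are constructed and illustrative.
from collections import defaultdict

# Per-UE whitelist (domain -> expected rating), as step S202 would produce it.
WHITELIST = {
    "ue-A": {"mail.corp": 0.9, "git.corp": 0.8, "wiki.corp": 0.7},
    "ue-B": {"mail.corp": 0.9, "git.corp": 0.8, "wiki.corp": 0.7},
    "ue-C": {"crm.vendor": 0.9, "erp.vendor": 0.85},
    "ue-D": {"mail.corp": 0.9}, "ue-E": {"mail.corp": 0.9}, "ue-F": {"mail.corp": 0.9},
}

# One period of current traffic: (ue_id, domain, accesses, bytes_uploaded).
CURRENT_TRAFFIC = [
    ("ue-A", "mail.corp", 40, 2_000_000),          # whitelisted: never examined
    ("ue-A", "paste.example", 3, 90_000_000),      # off-list, bulk upload
    ("ue-B", "dns-tunnel.example", 900, 30_000),   # off-list, hammered
    ("ue-B", "cdn.update.example", 30, 10_000),    # off-list but everyone hits it
    ("ue-C", "cdn.update.example", 28, 10_000),
    ("ue-D", "cdn.update.example", 31, 10_000),
    ("ue-E", "cdn.update.example", 29, 10_000),
    ("ue-F", "cdn.update.example", 182, 10_000),   # off-list, far above its peers
    ("ue-C", "crm.vendor", 400, 5_000_000),        # whitelisted: never examined
]

# Six prior daily watchlists (sets of UE ids flagged that day), constructed.
HISTORY = [{"ue-B"}, {"ue-A", "ue-B"}, set(), {"ue-B"}, {"ue-G"}, {"ue-B"}]

THRESHOLDS = {
    "accesses": 200,          # rule 1: accesses to the off-list domain
    "peer_ratio": 3.0,        # rule 2: accesses / average over the UE set
    "bytes_up": 50_000_000,   # rule 3: uploaded data volume
    "watchlist_days": 4,      # rule 4: days on a watchlist within the window
}


def peer_average(traffic, domain):
    """Average accesses to `domain` over every UE in the set (every UE seen in
    the current traffic); UEs that never touched the domain count as 0."""
    ues = {ue for ue, _, _, _ in traffic}
    total = sum(n for _, d, n, _ in traffic if d == domain)
    return total / len(ues)


def judge(traffic, th=THRESHOLDS):
    """Steps S205-S206 for one period: {ue_id: [reasons]} for every UE whose
    access to a domain outside its own whitelist trips rule 1, 2 or 3."""
    flagged = defaultdict(list)
    for ue, domain, accesses, bytes_up in traffic:
        if domain in WHITELIST.get(ue, {}):
            continue                                  # S205: on the whitelist
        if accesses > th["accesses"]:
            flagged[ue].append(f"{domain}: {accesses} accesses > {th['accesses']}")
        avg = peer_average(traffic, domain)
        ratio = accesses / avg if avg else 0.0
        if ratio > th["peer_ratio"]:
            flagged[ue].append(f"{domain}: {ratio:.1f}x the peer average")
        if bytes_up > th["bytes_up"]:
            flagged[ue].append(f"{domain}: uploaded {bytes_up} bytes")
    return dict(flagged)


def alerts(traffic, history, th=THRESHOLDS):
    """Step S207: reasons per UE for this period. Today's watchlist is derived
    from judge() and appended to `history` before rule 4 is applied."""
    today = judge(traffic, th)
    watchlists = history + [set(today)]
    out = {ue: list(reasons) for ue, reasons in today.items()}
    for ue in {u for day in watchlists for u in day}:
        days = sum(1 for day in watchlists if ue in day)
        if days > th["watchlist_days"]:               # rule 4
            out.setdefault(ue, []).append(
                f"on the watchlist {days} of the last {len(watchlists)} days")
    return out


if __name__ == "__main__":
    for ue, reasons in sorted(alerts(CURRENT_TRAFFIC, HISTORY).items()):
        print(f"ALERT {ue}: " + "; ".join(reasons))
```

Two things the sample makes visible. ue-C's 400 requests to crm.vendor are never examined because the domain is on its whitelist, which is the intended effect of step S205 and also the reason the whitelist itself must be built from clean traffic. And because the peer average includes the first user equipment, the ratio is bounded by the size of the set (here six devices), so a peer-ratio threshold of 3 only has meaning when at least four devices are in the set; a domain contacted by a single device gets the full ratio of 6, which is what flags paste.example for ue-A alongside its upload volume.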

In step S207, the processor 110 may output an alarm message to prompt the network administrator to examine the abnormal state of the first user equipment.

FIG. 3 is a flowchart of a monitoring method for abnormal behavior of user equipment according to an embodiment of the present invention; the monitoring method may be carried out by the monitoring system 100 of FIG. 1. In step S301, first network traffic of a first user equipment is obtained and a domain whitelist corresponding to the first user equipment is generated according to the first network traffic. In step S302, first current network traffic of the first user equipment is obtained and the access behavior of the first user equipment toward a first domain is determined according to the first current network traffic. In step S303, in response to the first domain not being in the domain whitelist, whether the first user equipment is abnormal is determined according to the access behavior. In step S304, in response to determining that the first user equipment is abnormal, an alarm message is output.

In summary, the monitoring system of the present invention obtains the domain whitelist of a user equipment from digitized ratings and a machine learning model trained with a collaborative-filtering loss function. Unlike earlier clustering and outlier approaches, it compares the domain whitelist with the access behavior of the user equipment, so that abnormal user equipment can be found quickly among the connection records of a large number of 5G user equipment and an alarm signal issued, which reduces the workload of network monitoring staff. The access behavior of the user equipment is compared with preset thresholds, the comparison result determines whether the user equipment is abnormal, and an alarm message is then sent to the network administrator. Abnormal user equipment can be handed to security staff for analysis to uncover hidden malicious attacks or activity, improving enterprise security. The invention is applicable to network environments with very large volumes of data; the preprocessing stage draws on the strengths of deep-learning mining to extract usable features from that data. The invention can thus detect blind spots that conventional monitoring systems based on correlation or static rules miss, and guard against emerging attack methods such as attacks by internal users and advanced persistent threats.

S301, S302, S303, S304: steps

Claims (11)

1. A monitoring system for abnormal behavior of user equipment, comprising: a transceiver; and a processor, coupled to the transceiver and configured to: obtain first network traffic of a first user equipment through the transceiver, and generate a network domain whitelist corresponding to the first user equipment according to the first network traffic; obtain first current network traffic of the first user equipment through the transceiver, and determine an access behavior of the first user equipment toward a first network domain according to the first current network traffic; in response to the first network domain not being in the network domain whitelist, determine whether the first user equipment is abnormal according to the access behavior; and in response to determining that the first user equipment is abnormal, output a warning message through the transceiver.

2. The monitoring system of claim 1, wherein the processor is further configured to: input parameters in the first network traffic into a machine learning model to generate the network domain whitelist.

3. The monitoring system of claim 2, wherein the parameters comprise a user equipment identification code of the first user equipment, a network domain identification code of the first network domain, and a first score of the first user equipment for the first network domain.

4. The monitoring system of claim 3, wherein the processor is further configured to: count a plurality of access counts for the first user equipment, wherein the plurality of access counts respectively correspond to a plurality of network domains, and the plurality of network domains comprise the first network domain; and calculate a percentile rank of the first network domain according to the plurality of access counts to generate the first score.

5. The monitoring system of claim 2, wherein the processor is further configured to: train the machine learning model according to a loss function based on collaborative filtering, wherein the loss function based on collaborative filtering is associated with correlation between user equipment identification codes, correlation between network domain identification codes, and scores of user equipment for network domains.

6. The monitoring system of claim 5, wherein the processor is further configured to: convert a first user equipment identification code into a first embedding vector, and convert a second user equipment identification code into a second embedding vector; and calculate a distance between the first embedding vector and the second embedding vector to obtain the correlation between the user identification codes.

7. The monitoring system of claim 1, wherein the access behavior comprises an access count, and the processor is further configured to: in response to the access count being greater than a threshold, determine that the first user equipment is abnormal.

8. The monitoring system of claim 1, wherein the access behavior comprises a first access count, and the processor is further configured to: obtain current network traffic of each user equipment in a set of user equipment, wherein the set of user equipment comprises the first user equipment; count, according to the current network traffic, the access count of each user equipment in the set toward the first network domain, and calculate an average access count according to the access counts; and in response to a ratio of the first access count to the average access count being greater than a threshold, determine that the first user equipment is abnormal.

9. The monitoring system of claim 1, wherein the access behavior comprises an uploaded data amount, and the processor is further configured to: in response to the uploaded data amount being greater than a threshold, determine that the first user equipment is abnormal.

10. The monitoring system of claim 1, wherein the processor is further configured to: record the first user equipment in one of a plurality of monitoring lists according to the access behavior, wherein the plurality of monitoring lists respectively correspond to a plurality of time periods; count the number of monitoring lists among the plurality of monitoring lists that include the first user equipment; and in response to the number being greater than a threshold, determine that the first user equipment is abnormal.

11. A method for monitoring abnormal behavior of user equipment, comprising: obtaining first network traffic of a first user equipment, and generating a network domain whitelist corresponding to the first user equipment according to the first network traffic; obtaining first current network traffic of the first user equipment, and determining an access behavior of the first user equipment toward a first network domain according to the first current network traffic; in response to the first network domain not being in the network domain whitelist, determining whether the first user equipment is abnormal according to the access behavior; and in response to determining that the first user equipment is abnormal, outputting a warning message.
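To show how the model of claims 2, 5 and 6 could produce the whitelist, here is an added example (not the patent's code): a small collaborative-filtering model implemented as matrix factorisation in pure Python. The patent only states that the loss relates UE-to-UE correlation, domain-to-domain correlation and UE-to-domain scores; writing it as a dot product of learned embeddings with squared-error loss and an L2 penalty, and the embedding dimension, learning rate, UE identifiers, domain names and scores, are all assumptions made for this example.

```python
"""Added example, not the patent's own model: collaborative filtering as matrix
factorisation.  Each UE id and domain id gets an embedding vector (claim 6), the
predicted score is their dot product, and the loss is squared error on observed
scores plus an L2 penalty (an assumed form of the claim 5 loss).  Identifiers,
domain names and scores are constructed."""
import math
import random

# Constructed (ue_id, domain, score) triples; a score is the UE's rating of the
# domain on a 0-1 scale, e.g. a normalised percentile rank of access counts.
# (ue-1, cdn.example) is deliberately absent so the model has to infer it.
SCORES = [
    ("ue-1", "mail.example", 1.0), ("ue-1", "git.example", 0.1), ("ue-1", "docs.example", 0.0),
    ("ue-2", "mail.example", 1.0), ("ue-2", "cdn.example", 0.9), ("ue-2", "git.example", 0.1),
    ("ue-2", "docs.example", 0.0),
    ("ue-3", "mail.example", 0.0), ("ue-3", "cdn.example", 0.1), ("ue-3", "git.example", 0.9),
    ("ue-3", "docs.example", 1.0),
    ("ue-4", "mail.example", 0.0), ("ue-4", "cdn.example", 0.1), ("ue-4", "git.example", 0.9),
    ("ue-4", "docs.example", 1.0),
]


class DomainWhitelistModel:
    """Claims 2, 5 and 6: embeddings for UE ids and domain ids, trained by SGD."""

    def __init__(self, dim=2, lr=0.05, reg=0.01, seed=7):
        self.dim, self.lr, self.reg = dim, lr, reg
        self.rng = random.Random(seed)          # seeded so the example is reproducible
        self.ue_vec, self.dom_vec = {}, {}

    def _vec(self, table, key):
        """Look up an embedding, creating a small random one on first sight."""
        if key not in table:
            table[key] = [self.rng.uniform(-0.5, 0.5) for _ in range(self.dim)]
        return table[key]

    def predict(self, ue_id, domain):
        u, d = self._vec(self.ue_vec, ue_id), self._vec(self.dom_vec, domain)
        return sum(a * b for a, b in zip(u, d))

    def loss(self, triples):
        """Squared error on observed scores plus L2 penalty on all embeddings."""
        err = sum((s - self.predict(u, d)) ** 2 for u, d, s in triples)
        vectors = list(self.ue_vec.values()) + list(self.dom_vec.values())
        return err + self.reg * sum(x * x for v in vectors for x in v)

    def fit(self, triples, epochs=800):
        order = list(triples)
        for _ in range(epochs):
            self.rng.shuffle(order)
            for ue_id, domain, score in order:      # one SGD step per observation
                u, d = self._vec(self.ue_vec, ue_id), self._vec(self.dom_vec, domain)
                e = score - self.predict(ue_id, domain)
                for i in range(self.dim):
                    ui, di = u[i], d[i]             # use pre-update values for both gradients
                    u[i] += self.lr * (e * di - self.reg * ui)
                    d[i] += self.lr * (e * ui - self.reg * di)
        return self

    def distance(self, ue_a, ue_b):
        """Claim 6: Euclidean distance between two UE embeddings; smaller means
        the two UEs' access profiles are more alike."""
        return math.dist(self.ue_vec[ue_a], self.ue_vec[ue_b])

    def whitelist(self, ue_id, min_score=0.5):
        """Claim 2: the domains whose predicted score for this UE reaches min_score."""
        return {d for d in self.dom_vec if self.predict(ue_id, d) >= min_score}


if __name__ == "__main__":
    model = DomainWhitelistModel().fit(SCORES)
    print("whitelist for ue-1:", sorted(model.whitelist("ue-1")))
    print("dist(ue-1, ue-2) =", round(model.distance("ue-1", "ue-2"), 3),
          "dist(ue-1, ue-3) =", round(model.distance("ue-1", "ue-3"), 3))
```

The point of the collaborative term is the missing pair: ue-1 never rated cdn.example, but its embedding is pulled next to ue-2's by the three domains they share, so cdn.example is predicted high for ue-1 and enters its whitelist. The same embedding distance is what claim 6 uses as the correlation between two UE identification codes; swapping `ue_vec` for `dom_vec` gives the domain-to-domain correlation.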
TW111141887A 2022-11-02 2022-11-02 Monitoring system and monitoring method for abnormal behavior of user equipment TWI823657B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111141887A TWI823657B (en) 2022-11-02 2022-11-02 Monitoring system and monitoring method for abnormal behavior of user equipment

Publications (2)

Publication Number Publication Date
TWI823657B true TWI823657B (en) 2023-11-21
TW202420786A TW202420786A (en) 2024-05-16

Family

ID=89722753

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110149343A (en) * 2019-05-31 2019-08-20 国家计算机网络与信息安全管理中心 A kind of abnormal communications and liaison behavioral value method and system based on stream
CN110808951A (en) * 2019-09-25 2020-02-18 国网思极网安科技(北京)有限公司 Method and device for discovering abnormal behavior of terminal based on equipment image
TWI777766B (en) * 2021-09-10 2022-09-11 中華電信股份有限公司 System and method of malicious domain query behavior detection
