WO2017155292A1 - Anomaly detection method and detection program - Google Patents

Publication number
WO2017155292A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
group
abnormal behavior
computer
pattern information
Prior art date
Application number
PCT/KR2017/002480
Other languages
French (fr)
Korean (ko)
Inventor
최정렬
Original Assignee
주식회사 인피니그루
Application filed by 주식회사 인피니그루

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Definitions

  • the present invention relates to an abnormal behavior searching method and a search program, and more particularly, to a method and program for determining, through big data analysis, whether collected data obtained by a computer corresponds to abnormal behavior.
  • Phishing is a crime in which the offender pretends to be a trusted person or business (such as an e-commerce company) and uses e-mail or a messenger to steal the recipient's personal information (such as passwords, credit information, or security card information).
  • the aim of the present invention is to provide a method and a program for detecting abnormal behaviors.
  • the invention also aims to provide an abnormal behavior search method and program that allow an administrator to easily detect abnormal behavior.
  • a collection data receiving step in which the computer receives one or more collection data, the collection data including one or more situation data; a step of calculating result data for each collected data through the deep neural network in the computer; a pattern information deriving step of deriving pattern information when calculating the result data for each collected data, wherein the pattern information corresponds to an order determined in the deep neural network; a group specifying step of designating one or more pieces of collected data having the same pattern information as a specific group; a characterization step of giving each group its characteristics; and a step of calculating new result data after receiving new collection data, and extracting a group corresponding to the new result data.
  • the calculating of the result data may include calculating the result data by applying a weight to each situation data, wherein the weight may be adjusted so that the separation distance between groups having different pattern information is a specific value or more.
  • an abnormal behavior determination diagram including a plurality of distinguishable layers is generated, wherein each layer is matched to a group and the generation position of each layer varies according to the numerical value of the result data; and an identification mark is displayed on the layer of the group to which the new collection data corresponds and provided to the user client.
  • when an acquisition order of the one or more pieces of situation data included in the collected data is determined, the deep neural network may include an abnormal behavior determination procedure that conforms to the acquisition order, and the abnormal behavior determination diagram may be generated step by step within the abnormal behavior determination procedure.
  • the method may further include providing type information of the abnormal behavior to an administrator client when the characteristic of the group corresponds to the abnormal behavior.
  • the characterizing step may receive, from the administrator client, characteristic information determined based on the input value of specific context data included in the collected data of the group.
  • the pattern information derivation step may perform an abnormal behavior determination procedure including one or more successive determination steps, and the pattern information may include the type and order of questions for each determination step in the abnormal behavior determination procedure.
  • the characterizing step may determine the characteristics corresponding to the group through reverse analysis of the pattern information.
  • the abnormal behavior search program according to another embodiment of the present invention is combined with a computer, which is hardware, to execute the above-mentioned electronic device control method, and is stored in a medium.
  • the collected data is classified using the pattern information, which is a flow determined in the deep learning algorithm of each collected data, rather than simply classifying the collected data into the result data calculated through the collected data.
  • the result data of each group can be adjusted to be visually distinguishable.
  • the administrator can easily grasp the characteristics of the new collection data. That is, the manager can quickly check whether the new collection data corresponds to abnormal behavior by identifying which layer on the diagram the identification mark of the new collection data is displayed, and can also quickly identify the specific abnormal behavior type.
  • FIG. 1 is a block diagram of an abnormal behavior determination system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a method for determining abnormal behavior according to an embodiment of the present invention.
  • FIG. 3 is an exemplary diagram of a deep learning algorithm showing a process of calculating pattern information using collected data according to an embodiment of the present invention.
  • FIG. 4 is a flow chart of an abnormal behavior determination method further comprising the step of adjusting the weight after the creation of a new group corresponding to the new collection data according to an embodiment of the present invention.
  • FIG. 5 is a flowchart illustrating an abnormal behavior determination method of displaying a group to which new collection data belongs using an abnormal behavior determination diagram according to an embodiment of the present invention.
  • FIG. 6 is an exemplary diagram of an abnormal behavior determination diagram according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a method for determining abnormal behavior that provides a manager with a type of abnormal behavior corresponding to new collection data according to an embodiment of the present invention.
  • a computer includes all of various devices capable of performing arithmetic processing and providing a result to a user.
  • a computer may be a desktop PC or a notebook, as well as a smartphone, a tablet PC, a cellular phone, a PCS (Personal Communication Service) phone, a synchronous/asynchronous IMT-2000 (International Mobile Telecommunication-2000) mobile terminal, a Palm Personal Computer (PC), a Personal Digital Assistant (PDA), and the like.
  • the computer may correspond to a server that receives a request from a client and performs information processing.
  • the normal behavior refers to the behavior that is determined to be normal performance among specific performance behaviors (eg, financial transaction behavior, data detection behavior, etc.) using the user's client.
  • the abnormal behavior refers to the behavior that is determined to be abnormal performance among specific behaviors (e.g., financial transaction behavior, data detection behavior, etc.) using the user's client. For example, a certain financial transaction (e.g., an account transfer) may be classified as normal behavior if it is performed in accordance with the procedures generally performed by the users of a particular account, and as abnormal behavior if it differs from the existing procedures of the users of that account (e.g., when the transfer procedure is performed on a client device other than the client mainly used by the account holder, or when the position corresponding to the IP currently connected to perform the transfer and the position corresponding to the recently accessed IP are more than a certain distance apart).
  • the collected data refers to data obtained during a specific performance of a user.
  • the collected data is data obtained from a client of a user or acquired in an image and stored in a computer in a process for performing a specific performing action.
  • the context data is one or more data included in the collected data, and means data obtained from a client in each situation during a procedure of performing a specific action. For example, in the case of a bank transfer during a financial transaction, a user accesses a financial institution application through a specific IP using a specific client device, performs a login, and enters a counterpart account.
  • the 'situation data' is the individual data acquired in each situation, such as 'type of client', 'access IP', 'login account', and 'counterparty account information'.
  • 'collection data' one contextual data may be obtained sequentially or simultaneously in one occurrence.
  • a group may mean one or more sets generated through classification of a plurality of collected data. For example, by classifying based on pattern information or characteristics described below, a specific group may include collected data having the same pattern information or characteristics.
  • the pattern information refers to data that is a standard for classifying collected data into one or more groups.
  • the pattern information may correspond to a flow in which groups are classified by a computer with respect to specific collection data.
  • a characteristic means an attribute of collected data.
  • the characteristics of the collected data can be divided into normal, suspicious or abnormal by the computer.
  • the abnormal characteristic may be further classified, using as the detailed characteristic the basis on which the computer classified it as abnormal (e.g., the status data that contributed to the abnormal determination).
  • the new collection data is data requiring determination of abnormal behavior.
  • the new situation data means one or more situation data included in the new collection data.
  • the new collection data may be added to existing collection data within a specific group after determining whether it is an abnormal behavior.
  • a user may mean a person who uses a client that provides collected data to a computer.
  • the manager refers to a person who is provided with data for determining whether an abnormal behavior of new collection data is applicable. That is, the manager may include not only a person who manages a specific system but also a person (eg, a service user) who checks the status of his / her account, account, and the like.
  • a deep neural network refers to a system or a network that performs a determination based on a plurality of data by constructing one or more layers in one or more computers.
  • the deep neural network may be implemented as a set of layers including a convolutional pooling layer, a locally-connected layer, and a fully-connected layer.
  • the overall structure of the deep neural network may be formed as a convolutional neural network (CNN) structure in which a local connection layer is connected to a convolution pooling layer and a fully connected layer is connected to the local connection layer.
  • the deep neural network may be formed of a recurrent neural network (RNN) structure that is recursively connected, for example, as edges pointing to the nodes of each layer are included.
  • the deep neural network may include various criteria (ie, parameters), and may add new criteria (ie, parameters) through an input image analysis.
  • the structure of the deep neural network according to the embodiments of the present invention is not limited thereto, and may be formed of a neural network having various structures.
  • Embodiments of the present invention are an abnormal behavior detection system (hereinafter, abnormal behavior detection system) including a deep neural network, which may be implemented in one computer or a plurality of computers connected to each other.
  • the abnormal behavior search system may be included in one or more computers 10.
  • the one or more computers may include a database server 11 containing collected data.
  • One or more computers 10 may receive new collection data from the user client 20 and compare and analyze the collected data 100 in the database server 11 to extract abnormal symptoms (that is, determine whether abnormal behavior is applicable).
  • the type of abnormal behavior derived may be provided to the manager client 30.
  • the abnormal behavior search system may be implemented as one computer 10, so that the collection data 100 is stored in a memory (for example, a hard disk) in that computer, and new collection data can be acquired and compared with the collected data 100 to calculate whether it corresponds to abnormal behavior.
  • FIG. 2 is a flowchart illustrating a method for detecting abnormal behavior according to an embodiment of the present invention.
  • a collection data receiving step (S100) in which the computer 10 receives collected data 100; a step (S200) of calculating result data 300 for each collected data 100 through the deep neural network in the computer 10; a pattern information derivation step (S300) of deriving pattern information when calculating the result data 300 for each collection data 100; a group specifying step (S400) of designating one or more pieces of collected data having the same pattern information as a specific group; a characterization step (S500) of giving each group its characteristics; and a step (S700) of calculating new result data after receiving the new collection data 200, and extracting a group corresponding to the new result data.
  • the abnormal behavior search method according to an embodiment of the present invention will be described in order.
  • the computer 10 receives one or more pieces of collected data 100 (S100).
  • the collected data 100 includes one or more situation data, and may be data received from the user client 20 while a specific user performs a specific performing activity (for example, data searching, a financial transaction such as an account transfer, or an account use act such as logging in with a specific account).
  • One or more computers 10 may load specific collection data 100 stored therein. That is, when the collected data 100 for existing (i.e., previous) performing behavior is accumulated in the computer 10, the computer 10 may load the accumulated plurality of collected data 100 and, as described below, input it into the deep neural network.
  • the computer 10 calculates the result data 300 for each of the collected data 100 through the deep neural network (S200).
  • the computer 10 may calculate the result data 300 using a deep learning algorithm through a deep neural network.
  • the result data 300 refers to data calculated by applying each situation data value in the collected data 100 to the deep learning algorithm.
  • the computer 10 may convert the respective situation data into numerical values (e.g., binary data) and input those values into the deep learning algorithm to calculate the result data 300. Accordingly, the computer 10 may calculate different result data 300 according to the configuration of the situation data included in each collection data 100.
  • the result data 300 may be calculated by applying a weight to each situation data.
  • the weight may be adjusted so that the separation distance between groups having different pattern information is a specific value or more (that is, so that the deviation between result data corresponding to groups having different pattern information is greater than or equal to a specific value).
  • the result data 300 values calculated from collection data 100 with different combinations of situation data may be close and fall within a specific numerical range (i.e., the deviation between the result data 300 corresponding to different groups may be smaller than a specific value and difficult to distinguish).
  • the first collection data is normal behavior, but the second collection data is abnormal.
  • the first result data (i.e., result data calculated by the first collection data)
  • the second result data (i.e., result data calculated by the second collection data)
  • the manager may not be able to distinguish the first result data and the second result data.
  • a problem may occur in which the second result data corresponding to the abnormal behavior is mistaken for the first result data corresponding to the normal behavior.
  • the computer 10 reflects the weights of one or more contextual data constituting each of the collected data 100, so that the numerical difference between the result data 300 of collected data 100 having different configurations of contextual data values can be a specific value or more.
  • the computer 10 may identify the difference between the situation data items constituting first result data and second result data that are within a specific range of each other (that is, whose difference is equal to or less than the specific value), and give a weight to the differing context data item.
  • the computer 10 may increase the numerical difference (that is, the deviation) between the first result data and the second result data, so that when the first result data and the second result data are displayed on a graph or diagram, the separation distance is large enough to be visually recognizable and the manager can distinguish them.
  • the computer 10 derives the pattern information when calculating the result data for each of the collected data 100 (S300).
  • the pattern information may correspond to an order (or flow) determined in the deep neural network.
  • the pattern information derivation step S300 may perform an abnormal behavior determination procedure including one or more consecutive determination steps. That is, the computer 10 may include a plurality of determination steps in the deep learning algorithm to distinguish one or more collected data 100, and each determination step may perform a determination based on one or more context data. For example, when each determination step in the deep learning algorithm includes a plurality of questions (e.g., whether a particular situation applies, judged from the situation data), a question to be determined in the next determination step may be determined as one or more status data values are input to any one of the questions included in each determination step.
  • the pattern information may include the type and order of questions for each determination step in the abnormal behavior determination procedure. That is, the computer 10 may go through each determination step, and according to the difference in the situation data values included in the collected data 100, the types of query items that pass through the same determination step may vary. Therefore, the type and order of the question items determined according to the collected data 100 may be pattern information.
  • the computer 10 designates one or more pieces of collected data 100 having the same pattern information into a specific group (S400). That is, the computer 10 may classify the plurality of collected data 100 based on the pattern information rather than the result data 300 value. Since collected data 100 having different contextual data but adjacent result data 300 values may be incorrectly classified into the same group, the computer 10 may create groups based on pattern information that is clearly distinguishable according to the type or value of the contextual data constituting the collected data 100.
  • the computer 10 gives the characteristics of each group (S500). For example, the computer 10 may give each group a characteristic corresponding to that group, such as normal behavior, suspicious behavior or abnormal behavior. The computer 10 may also give the characteristics of each group in detail. For example, if the performance is abnormal, elements that can identify why each group is determined to be abnormal (for example, information on the status data assigned to each type of abnormal behavior or the status data that is determined to be abnormal) can be given as a group property.
  • the computer 10 can give each group a characteristic in various ways.
  • the method of imparting the characteristics of each group is not limited to the method described below, and various methods may be applied.
  • the characteristic granting step S500 may receive the characteristic information determined based on an input value of specific context data included in the collection data 100 of the group from the manager client 30. That is, the administrator may look at the situation data constituting the collection data 100 included in each classified group, and determine and input characteristics of each group.
  • the abnormal behavior search system may receive and set characteristic information for each group input to the manager client 30.
  • the characterization step S500 may determine a characteristic corresponding to the group through reverse analysis of the pattern information.
  • the abnormal behavior search system may sequentially store the questions determined in the process of calculating the result data 300 in a storage space assigned to the specific result data 300. Thereafter, the abnormal behavior search system may analyze the type and order of the questions passed through in the process of calculating each result data 300. That is, the abnormal behavior detection system can determine whether each of the collected data 100 (or the result data 300 according to the collected data 100) corresponds to abnormal behavior, based on the case data input by the service user or administrator.
  • the abnormal behavior detection system may obtain reported financial transaction accident case data from the service user or manager of the financial transaction system, and the case data of each financial transaction accident may include situation data. Therefore, the abnormal behavior search system compares the situation data of the financial transaction accident case data with the situation data of the collected data 100 in each group, and searches for the group corresponding to each financial transaction accident (or matches the financial transaction accident corresponding to each group). Through this, the abnormal behavior search system can automatically assign the characteristics of each group using the accumulated case data. In addition, the abnormal behavior search system can clearly update the characteristics of the group based on the accumulated case data.
  • After receiving the new collection data 200, the computer 10 calculates new result data and extracts a group corresponding to the new result data (S700). According to an embodiment of the method for calculating the group to which the new collection data 200 corresponds, the computer 10 may determine the group as the one having a value corresponding to the new result data or a value within an error range of it. In particular, when a weight is given so that the difference value (i.e., the deviation) between groups is equal to or greater than a specific value (i.e., when the separation distance between groups is equal to or greater than a specific value), the group to which the new collection data 200 corresponds can be calculated accurately from the result data 300 value.
  • the computer 10 (that is, the abnormal behavior search system) may calculate the result data 300 based on the input new collection data 200, and extract the corresponding group through the pattern information identified in the process of calculating the result data 300.
  • the computer 10 may determine that a new type of performance has occurred. Therefore, a new group can be created based on the new result data and new pattern information corresponding to the new collection data 200. Since the result data 300 of the new group may be located between the result data 300 of existing groups, the computer 10 may adjust the weight so that the difference between the result data 300 corresponding to adjacent groups is equal to or greater than a specific value.
  • the method may further include generating an abnormal behavior determination diagram 400 including a plurality of distinguishable layers 410 (S600). That is, as shown in FIG. 6, the computer 10 may generate an abnormal behavior determination diagram 400 in which an administrator may visually distinguish a group by performance behavior.
  • the abnormal behavior determination diagram 400 may include one or more layers 410 indicating a generation position corresponding to a numerical value of the result data 300 corresponding to each group. That is, each layer 410 is matched to each group, and the generation position may vary according to the numerical value of the result data 300.
  • each layer 410 may be displayed differently in color or combined with an identification mark (ie, a label) so as to be visually distinguishable.
  • an identification mark for the new collection data 200 is displayed on the layer 410 of the corresponding group and provided to the manager client 30 (S1000). That is, the computer 10 may display the identification mark indicating the new collection data 200 on the layer 410 of the group corresponding to the new collection data 200 and provide it to the manager client 30.
  • through the identification mark on the visually provided abnormal behavior determination diagram 400, an administrator who manages the occurrence of abnormal behavior, or a service user who wants to check whether an illegal situation has occurred (for example, someone performing a specific performance behavior using his or her account or account), can simply and intuitively check visually whether abnormal behavior has occurred or which type of abnormal behavior occurred.
  • the deep neural network may include an abnormal behavior determination procedure in accordance with the acquisition order.
  • one or more contextual data included in the collected data 100 may be obtained sequentially at time intervals. For performing behaviors such as financial transactions (e.g., bank transfers), it is necessary to quickly identify abnormal behavior (e.g., abnormal transactions, that is, transactions expected to be financial accidents) and take countermeasures such as stopping the transaction. In this case, if whether the behavior is abnormal is analyzed only after all the situation data of the collected data 100 has been acquired, the response may be late.
  • the computer 10 may generate a general notification of the specific performance behavior in order to notify the reception of the specific situation data that is likely to cause the collected data 100 to be classified as an abnormal behavior.
  • This may include procedures for determining abnormal behavior in accordance with the order of obtaining situational data. For example, after the first stage situation data (that is, situation data acquired in the first stage (first)) is received, the second stage situation data (that is, situation data obtained in the second stage (second)) is received. If the computer 10, the first decision step to perform the determination as the first stage situation data on the deep learning algorithm first in the order of the algorithm, the second determination to perform the determination as the second stage situation data The steps may be arranged in the following order of the first judgment step.
  • the computer 10 may generate the abnormal behavior determination diagram 400 in stages within the abnormal behavior determination procedure in accordance with the order of acquiring the situation data. That is, in order to grasp the real-time situation based on the situation data in the abnormal behavior judgment procedure in accordance with the situation data acquisition order, the computer 10 for each judgment step that can predict the possibility of abnormal behavior at the time when the specific situation data is acquired.
  • the abnormal behavior determination diagram 400 may be generated. Accordingly, as the manager provides the abnormal behavior determination diagram 400 of the current judgment stage displaying the current situation data acquired with the specific new collection data 200 and the identification mark of the collected data 100, the administrator may generate an abnormality. You can easily recognize and prepare for actions.
  • the computer 10 may rearrange the order of the layers 410 of the abnormal behavior determination diagram 400 arranged according to the numerical value of the result data 300, so that the administrator may intuitively determine whether the abnormal behavior has occurred. That is, the computer 10 generates a modified diagram in which the arrangement of each layer 410 of the abnormal behavior determination diagram 400 (hereinafter, referred to as the original diagram) according to the result data 300 is generated, and thus, the normal behavior layer and the abnormal behavior layer. Can be displayed as The manager can immediately check whether the abnormal behavior is visually based on the location where the new collection data 200 is included and match the specific layer 410 of the correction diagram when the correct group and the characteristics of the group are to be identified. The result data 300 or the modified diagram layer 410 and the original diagram layer 410 can be confirmed based on the matching relationship.
  • the computer 10 may identify the abnormal behavior type of the group to which the new collection data 200 belongs and provide it to the administrator.
  • the abnormal behavior search method according to the above-described embodiment of the present invention may be implemented as a program (or an application) and stored in a medium to be executed in combination with the computer 10 which is hardware.
  • the above-described program may include code written in a computer language such as C, C++, JAVA, or machine language that the computer's processor (CPU) can read through the computer's device interface, so that the computer reads the program and executes the methods implemented as the program. Such code may include functional code related to functions that define what is needed to execute the methods, and may include control code related to the execution procedure needed for the computer's processor to execute those functions in a predetermined order.
  • the code may further include memory reference code indicating at which location (address) of the computer's internal or external memory the additional information or media required for the computer's processor to execute the functions should be referenced.
  • the code may further include communication-related code governing communication with any other remote computer or server through the communication module of the computer, including whether to communicate and what information or media should be transmitted and received during communication.
  • the storage medium is not a medium that stores data for a short time, such as a register, a cache, or a memory, but a medium that stores data semi-permanently and can be read by a device.
  • examples of the storage medium include, but are not limited to, a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. That is, the program may be stored in various recording media on various servers that the computer can access, or in various recording media on the user's computer. The media may also be distributed over network-coupled computer systems so that the computer-readable code is stored in a distributed fashion.
  • the collected data is classified using the pattern information, which is the flow of determination within the deep learning algorithm for each collected data, rather than simply by the result data calculated from the collected data.
  • the result data of each group can be adjusted to be visually distinguishable.
  • the administrator can easily grasp the characteristics of the new collection data. That is, the manager can quickly check whether the new collection data corresponds to abnormal behavior by identifying which layer on the diagram the identification mark of the new collection data is displayed, and can also quickly identify the specific abnormal behavior type.

Abstract

The present invention relates to a method and a program for detecting anomalies. A method for detecting anomalies according to one embodiment of the present invention comprises: a collection data reception step (S100) for receiving one or more collection data by a computer; a step (S200) for calculating result data for each collection data through a deep neural network in the computer; a pattern information derivation step (S300) for deriving pattern information at the time of calculating the result data for each collection data; a group designation step (S400) for designating one or more collection data having the same pattern information as a specific group; a characteristic assignment step (S500) for assigning a characteristic of each group; and a step (S700) for calculating new result data after receiving new collection data, and extracting a group corresponding to the new result data. According to the present invention, it is possible to prevent a group corresponding to an anomaly from being mistaken as being included in a group corresponding to a normal behavior.

Description

Abnormal behavior search method and search program
The present invention relates to an abnormal behavior search method and search program, and more particularly, to a method and program for determining, through big data analysis, whether collected data obtained through a computer corresponds to abnormal behavior.
Recently, with the development of information and communication technology and semiconductor technology, work performed using computers has been increasing in various fields.
The same is true of the financial sector. For example, financial transactions that customers used to handle by visiting a bank branch in person can now be processed quickly using internet banking, mobile banking, phone banking, and the like, and work for which financial staff used to write and approve documents by hand can now be approved and processed automatically through computerization. At the same time, however, computerization has brought new financial crimes through electronic financial fraud and illegal transactions, and as the resulting damage has recently spread, caution is required regarding phishing, smishing, pharming, and the like, to the point that phishing advisories have been issued. Phishing mainly refers to a crime in which the perpetrator impersonates a trusted person (individual) or company (e-commerce business), extracts the recipient's personal information (password, credit information, security card information, etc.) through e-mail or messenger, and then uses it.
However, such phishing attacks can currently be confirmed only through customer reports or malware analysis by antivirus vendors, so only passive detection is possible. When a customer does not report the attack, or is infected by malicious code from an unknown phishing site, rapid response and tracking are difficult.
Not only in the financial field but wherever much work is performed using computers, many abnormal behaviors occur, yet they often go undetected.
The present invention aims to provide an abnormal behavior search method and program that accurately distinguishes abnormal behavior, which has a value different or distinguishable from the value corresponding to normal behavior, by using the pattern information of each collected data obtained by applying a plurality of collected data (data acquired in the course of a specific action performed using a computer) to a deep learning algorithm.
The invention also aims to provide an abnormal behavior search method and program that lets an administrator easily find abnormal behavior by adjusting the weight for each situation data using a deep learning algorithm so that groups with different pattern information can be visually distinguished.
The invention further aims to provide an abnormal behavior search method and program that lets the administrator easily check the characteristics of new collection data by displaying the identification mark of the new collection data on a diagram having a layer corresponding to each collected data group.
An abnormal behavior search method according to an embodiment of the present invention includes: a collected data receiving step in which a computer receives one or more collected data, wherein the collected data includes one or more situation data; a step of calculating result data for each collected data through a deep neural network in the computer; a pattern information derivation step of deriving pattern information when the result data is calculated for each collected data, wherein the pattern information corresponds to the order of determination within the deep neural network; a group designation step of designating one or more collected data having the same pattern information as a specific group; a characteristic assignment step of assigning a characteristic to each group; and a step of calculating new result data after receiving new collection data and extracting the group corresponding to the new result data.
In addition, the result data calculating step may calculate the result data by applying a weight to each situation data, and the weight may be adjusted so that the separation distance between groups having different pattern information is at least a specific value.
In addition, the method may further include: when no group corresponding to the new collection data exists, generating a new group matching the new collection data; and adjusting the interval between the groups by changing one or more of the weights.
In addition, the method may include: an abnormal behavior determination diagram generation step of generating an abnormal behavior determination diagram including a plurality of distinguishable layers, wherein each layer is matched to a group and its generation position varies according to the numerical value of the result data; and a step of displaying an identification mark on the layer of the group to which the new collection data corresponds and providing the diagram to the user client.
In addition, when the acquisition order of the one or more situation data included in the collected data is fixed, the deep neural network may include an abnormal behavior determination procedure that conforms to the acquisition order, and the abnormal behavior determination diagram may be generated for each step within the abnormal behavior determination procedure.
In addition, the method may further include providing type information of the abnormal behavior to an administrator client when the characteristic of the group corresponds to abnormal behavior.
In addition, the characteristic assignment step may receive, from an administrator client, characteristic information determined based on the input values of specific situation data included in the collected data of the group.
In addition, the pattern information derivation step may perform an abnormal behavior determination procedure including one or more successive determination steps, and the pattern information may include the type and order of the questions asked at each determination step of the abnormal behavior determination procedure.
In addition, the characteristic assignment step may determine the characteristic corresponding to the group through reverse analysis of the pattern information.
An abnormal behavior search program according to another embodiment of the present invention is combined with a computer, which is hardware, to execute the above-mentioned electronic device control method, and is stored in a medium.
According to the present invention as described above, the following effects are obtained.
First, the collected data is classified using the pattern information, which is the flow of determination within the deep learning algorithm for each collected data, rather than simply by the result data calculated from the collected data, so a plurality of collected data groups having similar result data values can be classified accurately. Accordingly, a group corresponding to abnormal behavior is prevented from being mistaken for part of a group corresponding to normal behavior.
Second, by changing the weight for each situation data, the result data of each group can be adjusted so that the groups are also visually distinguishable.
Third, because the identification mark of the new collection data is displayed on the abnormal behavior search diagram and provided to the administrator, the administrator can easily grasp the characteristics of the new collection data. That is, by checking which layer of the diagram shows the identification mark of the new collection data, the administrator can quickly check whether the new collection data corresponds to abnormal behavior and can also quickly identify the specific abnormal behavior type.
Fourth, when a new group is created because the new collection data belongs to no existing group, as when a new phishing method is applied, weight adjustment can be performed automatically so that the groups keep a specific interval. As a result, even when a new group type appears, an abnormal behavior search diagram can be provided that lets the administrator easily check whether abnormal behavior is present.
FIG. 1 is a block diagram of an abnormal behavior determination system according to an embodiment of the present invention.
FIG. 2 is a flowchart of an abnormal behavior determination method according to an embodiment of the present invention.
FIG. 3 is an exemplary diagram of a deep learning algorithm showing the process of calculating pattern information using collected data according to an embodiment of the present invention.
FIG. 4 is a flowchart of an abnormal behavior determination method that further includes adjusting the weights after creating a new group corresponding to new collection data according to an embodiment of the present invention.
FIG. 5 is a flowchart of an abnormal behavior determination method that displays the group to which new collection data belongs using an abnormal behavior determination diagram according to an embodiment of the present invention.
FIG. 6 is an exemplary diagram of an abnormal behavior determination diagram according to an embodiment of the present invention.
FIG. 7 is a flowchart of an abnormal behavior determination method that provides the administrator with the type of abnormal behavior to which new collection data corresponds according to an embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The advantages and features of the present invention, and the methods for achieving them, will become clear from the embodiments described in detail below together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms. The embodiments are provided only to make the disclosure of the present invention complete and to fully inform a person of ordinary skill in the art to which the present invention pertains of the scope of the invention, which is defined only by the scope of the claims. Like reference numerals refer to like elements throughout the specification.
Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with the meaning commonly understood by a person of ordinary skill in the art to which the present invention pertains. In addition, terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless they are clearly and specifically defined.
The terminology used in this specification is for describing the embodiments and is not intended to limit the present invention. In this specification, the singular also includes the plural unless the phrase specifically states otherwise. As used in this specification, "comprises" and/or "comprising" does not exclude the presence or addition of one or more components other than those mentioned.
In this specification, a computer includes all the various devices capable of performing arithmetic processing and providing a result to a user. For example, a computer may be not only a desktop PC or a notebook but also a smartphone, a tablet PC, a cellular phone, a PCS phone (Personal Communication Service phone), a synchronous/asynchronous IMT-2000 (International Mobile Telecommunication-2000) mobile terminal, a Palm PC (Palm Personal Computer), a personal digital assistant (PDA), and the like. A computer may also be a server that receives a request from a client and performs information processing.
In this specification, normal behavior means an action judged to be normally performed among the specific actions (for example, financial transactions, data detection, etc.) carried out using the user's client. Abnormal behavior, in contrast, means an action judged to be abnormally performed among the specific actions (for example, financial transactions, data detection, etc.) carried out using the user's client. For example, a specific financial transaction (for example, an account transfer) may be classified as normal behavior if it follows the procedure that the user of the account generally performs, and as abnormal behavior if it includes an operation that differs from that user's existing procedure (for example, when the transfer is performed from a client device other than the account holder's primary client, or when the location corresponding to the IP currently used for the transfer is more than a specific distance from the location corresponding to the most recently used IP).
In this specification, collected data means data obtained during a user's specific action. That is, collected data is data obtained from the user's client, or acquired as an image, in the process of performing a specific action and stored in the computer. In this specification, situation data is one or more items of data included in the collected data and means data obtained from the client in each situation within the procedure of performing a specific action. For example, for an account transfer among financial transactions, if the user uses a 'specific client device' to access the financial company's application through a 'specific IP', performs a 'login', and then enters the 'counterparty account' to carry out the transfer, the individual data obtained in each situation, namely 'type of client', 'access IP', 'login account', and 'counterparty account information', can be called 'situation data', and the set of one or more situation data for one action can be called 'collected data'. The one or more situation data may be obtained sequentially or simultaneously within one occurrence.
In this specification, a group may mean one of the one or more sets generated by classifying a plurality of collected data. For example, when classification is based on the pattern information or characteristics described below, a specific group may include collected data having the same pattern information or characteristics.
In this specification, pattern information means the data that serves as the criterion for classifying collected data into one or more groups. For example, the pattern information may be the flow by which the computer classifies specific collected data into a group.
In this specification, a characteristic means an attribute of the collected data. For example, the characteristic of collected data may be divided by the computer into normal, suspicious, or abnormal. The abnormal characteristic may be further classified by detailed characteristic, namely the basis on which the computer classified the data as abnormal (for example, the situation data that contributed to the abnormal determination).
In this specification, new collection data is data for which a determination of whether it corresponds to abnormal behavior is required. New situation data means the one or more situation data included in the new collection data. After it has been determined whether the new collection data is abnormal behavior, it may be added to the existing collected data of a specific group.
In this specification, a user may mean a person who uses a client that provides collected data to the computer. An administrator means a person who is provided with data in order to determine whether new collection data corresponds to abnormal behavior. That is, the administrator may include not only a person who manages a specific system but also a person who checks the status of his or her own login account, bank account, and the like (for example, a service user).
In this specification, a deep neural network (DNN) means a system or network that builds one or more layers in one or more computers and performs determination based on a plurality of data. For example, the deep neural network may be implemented as a set of layers including a convolutional pooling layer, a locally-connected layer, and a fully-connected layer. In some embodiments, the overall structure of the deep neural network may be a convolutional neural network (CNN) structure in which the convolutional pooling layer is followed by the locally-connected layer and the locally-connected layer is followed by the fully-connected layer. The deep neural network may also be formed, for example, as a recurrent neural network (RNN) structure that is connected recursively because the nodes of each layer include edges pointing to themselves. The deep neural network may include various determination criteria (i.e., parameters) and may add new determination criteria (i.e., parameters) through analysis of input images. However, the structure of the deep neural network according to the embodiments of the present invention is not limited to these and may be formed as neural networks of various structures.
Embodiments of the present invention are an abnormal behavior search system including a deep neural network (hereinafter, the abnormal behavior search system), which may be implemented within one computer or through a network connecting a plurality of computers. For example, as shown in FIG. 1, the abnormal behavior search system may be included in one or more computers 10. The one or more computers may include a database server 11 containing collected data. The one or more computers 10 may receive new collection data from the user client 20, compare and analyze it against the collected data 100 in the database server 11 to extract signs of anomaly (that is, determine whether it corresponds to abnormal behavior), and provide the derived type of abnormal behavior to the administrator client 30. Alternatively, for example, the abnormal behavior search system may be implemented as one computer 10 that stores the collected data 100 in its own memory (for example, a hard disk), acquires new collection data 200, and compares it with the collected data 100 to determine whether it corresponds to abnormal behavior.
Hereinafter, an abnormal behavior search method and program according to embodiments of the present invention will be described with reference to the drawings.
FIG. 2 is a flowchart of an abnormal behavior search method according to an embodiment of the present invention.
Referring to FIG. 2, an abnormal behavior search method according to an embodiment of the present invention includes: a collected data receiving step (S100) in which the computer 10 receives one or more collected data 100; a step (S200) of calculating result data 300 for each collected data 100 through the deep neural network in the computer 10; a pattern information derivation step (S300) of deriving pattern information when the result data 300 is calculated for each collected data 100; a group designation step (S400) of designating one or more collected data 100 having the same pattern information as a specific group; a characteristic assignment step (S500) of assigning a characteristic to each group; and a step (S700) of calculating new result data after receiving new collection data 200 and extracting the group corresponding to the new result data. The abnormal behavior search method according to an embodiment of the present invention is described below in order.
The computer 10 receives one or more collected data 100 (S100). The collected data 100 includes one or more situation data and may be data received from the user client 20 while a specific user performs a specific action (for example, a data search, a financial transaction such as an account transfer, or account use such as logging in with a specific account). The one or more computers 10 may also load specific collected data 100 stored internally. That is, when collected data 100 for existing (i.e., previous) actions has accumulated in the computer 10, the computer 10 may load the accumulated plurality of collected data 100 and input it into the deep neural network as described below.
The computer (10) calculates result data (300) for each piece of collected data (100) through its internal deep neural network (S200). The computer (10) may calculate the result data (300) using a deep learning algorithm based on the deep neural network. The result data (300) is the data obtained by applying each situation data value in the collected data (100) to the deep learning algorithm. The computer (10) may convert each item of situation data into a numerical value (for example, binary data) and input the numerical values corresponding to the situation data into the deep learning algorithm to calculate the result data (300). Accordingly, the computer (10) may calculate different result data (300) depending on the composition of the situation data included in each piece of collected data (100).
In the result data calculation step (S200), the result data (300) may be calculated by applying a weight to each item of situation data. The weights may be adjusted so that groups with different pattern information are separated by at least a specific distance (that is, so that the deviation between result data corresponding to groups with different pattern information is at least a specific value). If the situation data values included in each piece of collected data (100) are input into the deep learning algorithm as they are, without weighting, the result data (300) values calculated from collected data (100) with different combinations of situation data may be close to one another and fall within a specific numerical range (that is, the deviation between result data (300) belonging to different groups may be smaller than a specific value, making them difficult to distinguish).
Specifically, as shown in FIG. 3, when the composition of the situation data differs between first collected data and second collected data, so that the first collected data is normal behavior but the second collected data is abnormal behavior, the resulting first result data (i.e., the result data calculated from the first collected data) and second result data (i.e., the result data calculated from the second collected data) may still have close numerical values. If the computer (10) then displays the first and second result data on a graph and presents it visually to the administrator, the administrator may be unable to tell them apart. As a result, the second result data, which corresponds to abnormal behavior, may be mistaken for the first result data, which corresponds to normal behavior.
To solve this problem, the computer (10) may apply weights to one or more items of situation data making up each piece of collected data (100), so that the numerical difference between result data (300) from collected data (100) with different compositions of situation data values is at least a specific value. For example, the computer (10) may identify which situation data items differ between first result data and second result data that lie within a specific range of each other (i.e., whose numerical difference is at most a specific value) and assign weights to the differing situation data items. In this way, the computer (10) can increase the numerical difference (i.e., the deviation) between the first and second result data and, when they are displayed on a graph or diagram, make the separation distance at least a visually recognizable distance so that the administrator can distinguish them.
The computer (10) derives pattern information when calculating the result data for each piece of collected data (100) (S300). The pattern information may correspond to the order (or flow) in which determinations are made within the deep neural network.
In one embodiment, the pattern information derivation step (S300) may perform an abnormal behavior determination procedure that includes one or more consecutive determination stages. That is, the deep learning algorithm in the computer (10) may include a plurality of determination stages for distinguishing one or more pieces of collected data (100), and each determination stage may make its determination based on one or more items of situation data. For example, when each determination stage of the deep learning algorithm includes a plurality of questions (for example, items that determine, based on situation data, whether a specific situation applies), the question to be evaluated in the next determination stage may be decided by the situation data value input for one of the questions in the current stage.
When the computer (10) performs an abnormal behavior determination procedure that includes a plurality of determination stages, the pattern information may include the type and order of the questions at each determination stage of the procedure. That is, as the computer (10) passes through each determination stage, the questions traversed within the same stage may differ depending on the situation data values included in the collected data (100). The type and order of the questions evaluated for a given piece of collected data (100) can therefore serve as its pattern information.
The computer (10) designates one or more pieces of collected data (100) having the same pattern information as a specific group (S400). That is, the computer (10) may classify the pieces of collected data (100) based on pattern information rather than on the result data (300) value. Because pieces of collected data (100) with different situation data may have adjacent result data (300) values and so be wrongly classified into the same group, the computer (10) may form groups based on pattern information, which is clearly distinguishable according to the type or value of the situation data making up the collected data (100).
The computer (10) assigns a characteristic to each group (S500). For example, the computer (10) may assign each group a corresponding characteristic such as normal behavior, suspicious behavior or abnormal behavior. The computer (10) may also assign more detailed characteristics. For example, when the activity is abnormal behavior, an element that identifies why the group is judged abnormal (for example, an identification number assigned per type of abnormal behavior, or information on the situation data that led to the abnormal determination) may be assigned as the group characteristic.
The computer (10) may assign characteristics to each group in various ways. The ways of assigning group characteristics are not limited to those described below, and various other methods may be applied.
In one embodiment, the characteristic assignment step (S500) may receive, from the administrator client (30), characteristic information determined on the basis of the input values of specific situation data included in the group's collected data (100). That is, the administrator may examine the situation data making up the collected data (100) in each classified group, then determine and enter the characteristic of each group. The abnormal behavior detection system may receive the per-group characteristic information entered at the administrator client (30) and set it.
In another embodiment, the characteristic assignment step (S500) may determine the characteristic corresponding to a group through reverse analysis of the pattern information. For example, during calculation of the result data (300), the abnormal behavior detection system may store the evaluated questions, in order, in a storage space allocated to the specific result data (300). The system may then analyze the type and order of the questions traversed while each result data (300) was calculated. That is, based on case data previously entered as abnormal behavior by service users or administrators, the system may determine whether each piece of collected data (100) (or the result data (300) derived from it) corresponds to abnormal behavior. For example, when the activity is a financial transaction, the system may obtain case data on financial transaction incidents reported by service users or administrators of the financial transaction system, and the case data for each incident may include situation data. The system may therefore compare the situation data in the incident case data with the situation data of the collected data (100) in each group to find the group corresponding to each financial transaction incident (or to match each group to the corresponding financial transaction state). In this way the system can automatically assign each group's characteristic using accumulated case data, and can update group characteristics to be more definite as case data accumulates.
The computer (10) receives new collected data (200), calculates new result data, and extracts the group corresponding to the new result data (S700). In one embodiment of determining the group to which the new collected data (200) corresponds, the computer (10) may assign the new result data to the group whose value matches it or lies within an error range of it. In particular, when weights have been applied so that the difference (i.e., deviation) between groups is at least a specific value (i.e., the separation distance between groups is at least a specific value), the group to which the new collected data (200) belongs can be determined accurately from the result data (300) value.
In another embodiment of determining the group to which the new collected data (200) corresponds, when new collected data (200) that needs to be assessed for abnormal behavior is input, the computer (10) (i.e., the abnormal behavior detection system) may calculate result data (300) from the new collected data (200) and extract the corresponding group using the pattern information identified during that calculation.
In addition, as shown in FIG. 4, the method may further include: when no group corresponding to the new collected data (200) exists, generating a new group matching the new collected data (200) (S800); and adjusting the spacing between groups by changing one or more of the weights (S900). If no group corresponding to the new collected data (200) is found, the computer (10) may determine that a new type of activity has occurred. A new group can therefore be generated based on the new result data and new pattern information corresponding to the new collected data (200). Because the result data (300) of the new group may fall between the result data (300) of existing groups, the computer (10) may adjust the weights so that the difference between the result data (300) of adjacent groups is at least a specific value.
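Steps S100 to S800, as an added sketch that is not code from the patent: a small question graph stands in for the flow inside the deep neural network, and every field name, question, weight and sample record is a constructed assumption. It shows two records with nearly equal result values landing in different groups because the questions they traverse differ, and a record with an unseen path opening a new group.

```python
from statistics import mean

# Hypothetical decision procedure. Each stage asks one question about a
# situation-data item and the answer selects the next question.
# question id -> (predicate, next question if True, next question if False)
QUESTIONS = {
    "q_device":  (lambda r: r["known_device"], "q_amount", "q_country"),
    "q_amount":  (lambda r: r["amount"] <= 1000, None, "q_payee"),
    "q_country": (lambda r: r["country"] == r["home_country"], "q_payee", "q_night"),
    "q_payee":   (lambda r: r["payee_seen_before"], None, None),
    "q_night":   (lambda r: 0 <= r["hour"] < 6, None, None),
}
# Hypothetical weights applied to situation data to obtain the result value.
WEIGHTS = {"amount": 0.001, "known_device": -0.5, "hour": 0.01}


def result_value(record, weights=WEIGHTS):
    """Weighted sum of numeric situation data (stand-in for result data)."""
    return sum(w * float(record[k]) for k, w in weights.items())


def pattern_of(record, start="q_device"):
    """Ordered (question, answer) pairs traversed for one record.

    Keeping the answer next to the question id is an assumption of this
    sketch; the text only requires the type and order of the questions.
    """
    path, question = [], start
    while question is not None:
        predicate, if_true, if_false = QUESTIONS[question]
        answer = bool(predicate(record))
        path.append((question, answer))
        question = if_true if answer else if_false
    return tuple(path)


class PatternGrouper:
    def __init__(self):
        self.groups = {}  # pattern -> {"label": str, "values": [float]}

    def fit(self, records):
        """S100-S400: group accumulated records by pattern, not by value."""
        for r in records:
            # Default label "normal" for unreported history is an assumption.
            g = self.groups.setdefault(pattern_of(r), {"label": "normal", "values": []})
            g["values"].append(result_value(r))

    def label_from_cases(self, incident_records, label="abnormal"):
        """S500: a group sharing a reported incident's pattern takes its label."""
        for r in incident_records:
            p = pattern_of(r)
            if p in self.groups:
                self.groups[p]["label"] = label

    def classify(self, record):
        """S700/S800: look the group up by pattern; open a new one if absent."""
        p = pattern_of(record)
        created = p not in self.groups
        if created:
            self.groups[p] = {"label": "unknown", "values": []}
        self.groups[p]["values"].append(result_value(record))
        return self.groups[p]["label"], created

    def close_pairs(self, min_gap):
        """Adjacent groups whose mean result values differ by less than min_gap."""
        means = sorted((mean(g["values"]), p) for p, g in self.groups.items())
        return [(a[1], b[1]) for a, b in zip(means, means[1:]) if b[0] - a[0] < min_gap]


def make(**overrides):
    """Build one constructed sample record."""
    base = {"known_device": True, "amount": 100, "country": "KR",
            "home_country": "KR", "payee_seen_before": True, "hour": 12}
    return {**base, **overrides}


# Constructed sample data: two ordinary transfers, two from an unknown
# device abroad at night, and one reported incident of the second kind.
HISTORY = [
    make(amount=900, hour=14),
    make(amount=850, hour=15),
    make(known_device=False, amount=500, country="XX", hour=3),
    make(known_device=False, amount=520, country="XX", hour=2),
]
INCIDENTS = [make(known_device=False, amount=480, country="XX", hour=4)]

if __name__ == "__main__":
    grouper = PatternGrouper()
    grouper.fit(HISTORY)
    grouper.label_from_cases(INCIDENTS)
    print("groups too close in value:", len(grouper.close_pairs(0.05)))
    print(grouper.classify(make(known_device=False, amount=510, country="XX", hour=3)))
    print(grouper.classify(make(amount=5000, payee_seen_before=False, hour=10)))
```

`close_pairs` only reports groups whose result values sit too close together; how the weights are then changed (S900) is left open here, as it is in the text.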
In addition, as shown in FIG. 5, the method may further include generating an abnormal behavior determination diagram (400) that includes a plurality of distinguishable layers (410) (S600). That is, as shown in FIG. 6, the computer (10) may generate an abnormal behavior determination diagram (400) in which the administrator can visually distinguish the groups of activities. For example, the diagram (400) may include one or more layers (410), each displayed at a position matching the numerical value of the result data (300) of its group. That is, each layer (410) is matched to a group, and its position varies with the numerical value of the result data (300). Each layer (410) may also be shown in a different color or combined with an identification mark (i.e., a label) so as to be visually distinguishable.
In addition, as shown in FIG. 5, the method may include displaying an identification mark on the layer (410) of the group to which the new collected data (200) corresponds and providing it to the administrator client (30) (S1000). That is, the computer (10) may display an identification mark representing the new collected data (200) on the layer (410) of the corresponding group and provide it to the administrator client (30). In this way, an administrator who monitors for abnormal behavior, or a service user who wants to check whether a misappropriation has occurred (for example, a specific activity performed using their own login account or bank account), can see simply and intuitively, from the identification mark on the visually presented diagram (400), whether abnormal behavior has occurred and what type it is.
In addition, when the order in which the one or more items of situation data in the collected data (100) are obtained is fixed, the deep neural network may include an abnormal behavior determination procedure that matches that acquisition order. During an activity such as a financial transaction, the items of situation data in the collected data (100) may be obtained one after another at time intervals. Where abnormal behavior (for example, an anomalous transaction, i.e., one in which a financial incident is expected) must be identified quickly so that countermeasures such as stopping the transaction can be taken, as with financial transactions (for example, account transfers), the response may come too late if analysis for abnormal behavior begins only after all the situation data of the collected data (100) has been obtained.
Therefore, when situation data is received sequentially, the computer (10) may include an abnormal behavior determination procedure matching the usual situation data acquisition order of the specific activity, so that a notification can be issued upon receipt of specific situation data that is highly likely to cause the collected data (100) to be classified as abnormal behavior. For example, when second-stage situation data (i.e., situation data obtained second) is received after first-stage situation data (i.e., situation data obtained first), the computer (10) may place a first determination stage, which makes its determination from the first-stage situation data, first in the order of the deep learning algorithm, and place a second determination stage, which makes its determination from the second-stage situation data, immediately after the first determination stage.
In addition, the computer (10) may generate the abnormal behavior determination diagram (400) for each stage of the abnormal behavior determination procedure matching the situation data acquisition order. That is, to assess the situation in real time from the situation data, the computer (10) may generate, for each determination stage, an abnormal behavior determination diagram (400) from which the likelihood of abnormal behavior can be predicted at the point when specific situation data has been obtained. Accordingly, by being provided with the diagram (400) for the current determination stage, marked with the identification mark of the collected data (100) based on the situation data obtained so far for the specific new collected data (200), the administrator can readily recognize and prepare for abnormal behavior that is about to occur.
In addition, the computer (10) may rearrange the order of the layers (410) of the abnormal behavior determination diagram (400), which are placed according to the numerical values of the result data (300), so that the administrator can judge intuitively whether behavior is abnormal. That is, the computer (10) may generate a modified diagram in which the layer (410) arrangement of the diagram (400) based on the result data (300) (hereinafter, the original diagram) is changed so that it is displayed as a normal behavior tier and an abnormal behavior tier. The administrator can see at a glance, from where the new collected data (200) is located, whether it corresponds to abnormal behavior; to identify the exact group and its characteristic, the administrator can refer to the result data (300) matched to a specific layer (410) of the modified diagram, or to the mapping between layers (410) of the modified diagram and layers (410) of the original diagram.
In addition, as shown in FIG. 7, the method may further include, when the characteristic of the group corresponds to abnormal behavior, providing type information on the abnormal behavior to the administrator client (30) (S1100). That is, when the new collected data (200) is determined to be abnormal behavior through comparison of pattern information or comparison of result data (300), the computer (10) may identify, from the group characteristic, the type of abnormal behavior of the group to which the new collected data (200) belongs and provide it to the administrator.
The abnormal behavior detection method according to an embodiment of the present invention described above may be implemented as a program (or application) and stored in a medium so as to be executed in combination with the computer (10), which is hardware.
For the computer to read the program and execute the methods implemented as the program, the program may include code written in a computer language such as C, C++, JAVA or machine language that the computer's processor (CPU) can read through the computer's device interface. Such code may include functional code relating to functions that define the operations needed to execute the methods, and control code relating to the execution procedure needed for the computer's processor to execute those operations in a predetermined order. The code may further include memory-reference code indicating at which location (address) in the computer's internal or external memory any additional information or media needed for the processor to execute the operations should be referenced. In addition, when the computer's processor needs to communicate with another remote computer or server to execute the operations, the code may further include communication-related code specifying how to communicate with the remote computer or server using the computer's communication module and what information or media to send and receive during communication.
The storage medium is not a medium that stores data for a brief moment, such as a register, cache or memory, but a medium that stores data semi-permanently and can be read by a device. Specific examples of the storage medium include, but are not limited to, ROM, RAM, CD-ROM, magnetic tape, floppy disk and optical data storage devices. That is, the program may be stored on various recording media on various servers that the computer can access, or on various recording media on the user's computer. The medium may also be distributed across network-connected computer systems so that computer-readable code is stored in a distributed manner.
According to the present invention as described above, the following effects are obtained.
First, collected data is classified not simply by the result data calculated from it but by pattern information, i.e., the flow of determinations made for each piece of collected data within the deep learning algorithm, so that groups of collected data with similar result data values can be classified accurately. This prevents a group corresponding to abnormal behavior from being mistaken for part of a group corresponding to normal behavior.
Second, by changing the weight for each item of situation data, the result data of each group can be adjusted so that the groups are also visually distinguishable.
Third, because the identification mark of new collected data is displayed on the abnormal behavior detection diagram and provided to the administrator, the administrator can easily grasp the characteristics of the new collected data. That is, by checking which layer of the diagram the identification mark appears on, the administrator can quickly confirm whether the new collected data corresponds to abnormal behavior and can also quickly identify the specific type of abnormal behavior.
Fourth, when a new group is generated because no group exists for the new collected data, as when a new phishing technique is used, the weights can be adjusted automatically so that the groups keep a specific spacing. As a result, even when a new type of group appears, an abnormal behavior detection diagram can be provided that lets the administrator easily check whether behavior is abnormal.
Although embodiments of the present invention have been described above with reference to the accompanying drawings, a person of ordinary skill in the art to which the present invention pertains will understand that the invention may be practiced in other specific forms without changing its technical idea or essential features. The embodiments described above should therefore be understood as illustrative in all respects and not restrictive.

Claims (10)

  1. An abnormal behavior detection method comprising: a collected data receiving step in which a computer receives one or more pieces of collected data, the collected data including one or more items of situation data;
    calculating result data for each piece of collected data through a deep neural network in the computer;
    a pattern information derivation step of deriving pattern information when the result data is calculated for each piece of collected data, the pattern information corresponding to the order in which determinations are made within the deep neural network;
    a group designation step of designating one or more pieces of collected data having the same pattern information as a specific group;
    a characteristic assignment step of assigning a characteristic to each group; and
    calculating new result data after receiving new collected data, and extracting the group corresponding to the new result data.
  2. 제1항에 있어서, The method of claim 1,
    상기 결과데이터 산출단계는,The result data calculating step,
    각각의 상황데이터에 대한 가중치를 적용하여 상기 결과데이터를 산출하는 것을 특징으로 하며,It is characterized in that for calculating the result data by applying a weight for each situation data,
    상기 가중치는,The weight is,
    상기 패턴정보가 상이한 그룹 간의 이격거리를 특정값 이상으로 떨어지도록 조절하는 것인, 비정상행위 탐색방법.The pattern information is to adjust the separation distance between different groups to fall above a specific value, abnormal behavior detection method.
  3. 제2항에 있어서, The method of claim 2,
    상기 신규수집데이터에 상응하는 그룹이 존재하지 않는 경우,If there is no group corresponding to the newly collected data,
    상기 신규수집데이터에 부합하는 신규그룹을 생성하는 단계; 및Creating a new group corresponding to the new collection data; And
    하나 이상의 상기 가중치를 변경하여, 상기 그룹간 간격을 조절하는 단계;를 더 포함하는, 비정상행위 탐색방법.And adjusting the interval between the groups by changing one or more of the weights.
  4. 제1항에 있어서, The method of claim 1,
    구별 가능한 복수의 레이어를 포함하는 비정상행위판단다이어그램을 생성하되, 상기 레이어는 각각의 그룹이 매칭되는 것으로서, 상기 결과데이터의 수치값에 따라 생성위치가 달라지는 것인, 비정상행위판단다이어그램 생성단계; 및Generating an abnormal behavior determination diagram including a plurality of distinguishable layers, wherein the layers match each group, and a generation position of the abnormal behavior determination diagram varies according to a numerical value of the result data; And
    상기 신규수집데이터가 대응되는 그룹의 레이어 상에 식별표지를 표시하여, 사용자 클라이언트로 제공하는 단계;를 포함하는, 비정상행위 탐색방법.And displaying the identification mark on the layer of the group to which the new collection data corresponds, and providing the identification mark to the user client.
  5. 제4항에 있어서, The method of claim 4, wherein
    상기 수집데이터에 포함된 하나 이상의 상황데이터의 획득순서가 정해져 있는 경우,When the acquisition order of one or more contextual data included in the collected data is determined,
    상기 심층신경망은,The deep neural network,
    상기 획득순서에 부합하는 비정상행위판단절차를 포함하며,Including abnormality judgment procedure in accordance with the acquisition order,
    상기 비정상행위판단절차 내의 단계별로 상기 비정상행위판단다이어그램을 생성하는 것을 특징으로 하는, 비정상행위 탐색방법.And generating the abnormal behavior determination diagram in stages within the abnormal behavior determination procedure.
  6. 제1항에 있어서, The method of claim 1,
    상기 그룹의 특성이 비정상행위에 해당하는 경우,If the characteristics of the group correspond to abnormal behavior,
    관리자 클라이언트로 상기 비정상행위의 유형정보를 제공하는 단계;를 더 포함하는, 비정상행위 탐색방법.Providing the type information of the abnormal behavior to the client client; abnormality detection method further comprising.
  7. 제1항에 있어서, The method of claim 1,
    상기 특성부여단계는,The characterizing step,
    관리자 클라이언트로부터 상기 그룹의 수집데이터에 포함된 특정한 상황데이터의 입력값을 바탕으로 결정된 특성정보를 수신하는 것을 특징으로 하는, 비정상행위 탐색방법.And receiving characteristic information determined based on an input value of specific context data included in the group's collected data from an administrator client.
  8. 제1항에 있어서, The method of claim 1,
    상기 패턴정보도출단계는,The pattern information derivation step,
    연속되는 하나 이상의 판단단계를 포함하는 비정상행위판단절차를 수행하며,Perform an abnormal behavior determination procedure that includes one or more successive judgments,
    상기 패턴정보는,The pattern information,
    상기 비정상행위판단절차에서 각 판단단계별 질의사항의 종류 및 순서를 포함하는, 비정상행위 탐색방법.The abnormal behavior detection method, including the type and order of questions in each determination step in the abnormal behavior determination procedure.
  9. 제8항에 있어서, The method of claim 8,
    상기 특성부여단계는,The characterizing step,
    상기 패턴정보의 역분석을 통해 상기 그룹에 상응하는 특성을 결정하는 것을 특징으로 하는, 비정상행위 탐색방법.And determining a characteristic corresponding to the group by performing reverse analysis of the pattern information.
  10. 하드웨어인 컴퓨터와 결합되어, 제1항 내지 제9항 중 어느 한 항의 방법을 실행시키기 위하여 매체에 저장된, 비정상행위 탐색 프로그램.10. An abnormality detection program, stored in a medium for carrying out the method of any one of claims 1 to 9, coupled with a computer that is hardware.
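The grouping described in claims 1, 3 and 8, as an added Python example that is not part of the patent: a hand-written decision procedure stands in for the deep neural network, and the field names, thresholds and labels are hypothetical. It covers pattern derivation, grouping by identical pattern and new-group detection, not the weight adjustment of claims 2 and 3.

```python
# Added illustration: a hand-written decision procedure stands in for the
# deep neural network. Field names, thresholds and labels are hypothetical.
from collections import defaultdict

# query -> (predicate on situation data, next query if True, next if False)
PROCEDURE = {
    "new_device": (lambda d: d["new_device"], "large_amount", "new_payee"),
    "large_amount": (lambda d: d["amount"] >= 1_000_000, "new_payee", None),
    "new_payee": (lambda d: d["payee_age_days"] < 1, None, None),
}

def derive_pattern(data, start="new_device"):
    """Pattern information: the ordered (query, answer) pairs for one record."""
    pattern, query = [], start
    while query is not None:
        predicate, if_true, if_false = PROCEDURE[query]
        answer = bool(predicate(data))
        pattern.append((query, answer))
        query = if_true if answer else if_false
    return tuple(pattern)

class GroupIndex:
    def __init__(self):
        self.members = defaultdict(list)  # pattern -> collected records
        self.traits = {}                  # pattern -> administrator's label

    def classify(self, record):
        """Return (trait, is_new_group) for a newly collected record."""
        pattern = derive_pattern(record)
        is_new = pattern not in self.members  # no matching group: create one
        self.members[pattern].append(record)
        return self.traits.get(pattern, "unreviewed"), is_new

HISTORY = [  # constructed sample records
    {"new_device": False, "amount": 50_000, "payee_age_days": 400},
    {"new_device": False, "amount": 80_000, "payee_age_days": 90},
    {"new_device": True, "amount": 3_000_000, "payee_age_days": 0},
]

def demo():
    index = GroupIndex()
    for record in HISTORY:
        index.classify(record)
    index.traits[derive_pattern(HISTORY[0])] = "normal"
    index.traits[derive_pattern(HISTORY[2])] = "abnormal: suspected phishing"
    known = index.classify({"new_device": True, "amount": 5_000_000, "payee_age_days": 0})
    unseen = index.classify({"new_device": True, "amount": 10_000, "payee_age_days": 0})
    return known, unseen, len(index.members)

if __name__ == "__main__":
    print(demo())
```

The pattern tuple of an "unreviewed" group is what an administrator would read back to assign its characteristic, in the spirit of claims 7 and 9.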
PCT/KR2017/002480 2016-03-08 2017-03-08 Anomaly detection method and detection program WO2017155292A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2016-0027448 2016-03-08
KR1020160027448A KR101720538B1 (en) 2016-03-08 2016-03-08 Method and program for detecting abnormal action

Publications (1)

Publication Number Publication Date
WO2017155292A1 (en) 2017-09-14

Family

ID=58495675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/002480 WO2017155292A1 (en) 2016-03-08 2017-03-08 Anomaly detection method and detection program

Country Status (2)

Country Link
KR (1) KR101720538B1 (en)
WO (1) WO2017155292A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109614496A (en) * 2018-09-27 2019-04-12 长威信息科技发展股份有限公司 A kind of minimum living discrimination method of knowledge based map
CN109871445A (en) * 2019-01-23 2019-06-11 平安科技(深圳)有限公司 Fraudulent user recognition methods, device, computer equipment and storage medium
US11501156B2 (en) 2018-06-28 2022-11-15 International Business Machines Corporation Detecting adversarial attacks through decoy training

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102046651B1 (en) * 2017-04-20 2019-11-20 주식회사 비아이큐브 Method for cloud based real-time processing bigdata stream
KR102040929B1 (en) 2017-08-04 2019-11-27 국방과학연구소 Apparatus and method for the detection of drive-by download using unusual behavior monitoring
US10944789B2 (en) 2018-07-25 2021-03-09 Easy Solutions Enterprises Corp. Phishing detection enhanced through machine learning techniques
KR102625864B1 (en) 2023-09-18 2024-01-16 주식회사 인피니그루 Voice phishing prevention method and system using an independent, always-on detection in-app

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040092314A (en) * 2003-04-26 2004-11-03 엘지엔시스(주) Real time attack traffic monitoring system based on Intrusion Detection System
KR20080084132A (en) * 2007-03-15 2008-09-19 임준식 Method for extracting nonlinear time series prediction model using neural network with weighted fuzzy membership functions
KR20130126814A (en) * 2012-04-26 2013-11-21 한국전자통신연구원 Traffic flooding attack detection and in-depth analysis devices and method using data mining
KR20150091775A (en) * 2014-02-04 2015-08-12 한국전자통신연구원 Method and System of Network Traffic Analysis for Anomalous Behavior Detection


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KIM, JONG-HUN ET AL.: "Big Data Analysis Based on Deep Learning for Baseball Game Data", THE JOURNAL OF KOREAN INSTITUTE OF COMMUNICATIONS AND INFORMATION SCIENCES 2015 AUTUMN CONFERENCE, November 2015 (2015-11-01), pages 263 - 266, XP055413948 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11501156B2 (en) 2018-06-28 2022-11-15 International Business Machines Corporation Detecting adversarial attacks through decoy training
US11829879B2 (en) 2018-06-28 2023-11-28 International Business Machines Corporation Detecting adversarial attacks through decoy training
CN109614496A (en) * 2018-09-27 2019-04-12 长威信息科技发展股份有限公司 A kind of minimum living discrimination method of knowledge based map
CN109614496B (en) * 2018-09-27 2022-06-17 长威信息科技发展股份有限公司 Low security identification method based on knowledge graph
CN109871445A (en) * 2019-01-23 2019-06-11 平安科技(深圳)有限公司 Fraudulent user recognition methods, device, computer equipment and storage medium

Also Published As

Publication number Publication date
KR101720538B1 (en) 2017-03-28


Legal Events

Date Code Title Description
NENP Non-entry into the national phase; Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 17763553; Country of ref document: EP; Kind code of ref document: A1
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established; Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 14/01/2019)
122 Ep: pct application non-entry in european phase; Ref document number: 17763553; Country of ref document: EP; Kind code of ref document: A1