WO2017155292A1 - Anomaly detection method and anomaly detection program - Google Patents

Publication number
WO2017155292A1
WO2017155292A1 PCT/KR2017/002480 KR2017002480W WO2017155292A1 WO 2017155292 A1 WO2017155292 A1 WO 2017155292A1 KR 2017002480 W KR2017002480 W KR 2017002480W WO 2017155292 A1 WO2017155292 A1 WO 2017155292A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
group
abnormal behavior
computer
pattern information
Prior art date
Application number
PCT/KR2017/002480
Other languages
English (en)
Korean (ko)
Inventor
최정렬
Original Assignee
주식회사 인피니그루
Application filed by 주식회사 인피니그루
Publication of WO2017155292A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Definitions

  • The present invention relates to an abnormal behavior searching method and a search program, and more particularly, to a method and program for determining, through big data analysis, whether collected data obtained through a computer corresponds to abnormal behavior.
  • Phishing is a crime in which the offender pretends to be a trusted person or business (e.g., an e-commerce company) and uses e-mail or a messenger to steal the recipient's personal information (such as passwords, credit information, or security card information).
  • The aim of the present invention is to provide a method and a program for detecting abnormal behaviors.
  • The aim is also to provide an abnormal behavior search method and program that allows an administrator to easily detect abnormal behavior.
  • The method includes: a collection data receiving step in which the computer receives one or more collection data, the collection data including one or more situation data; calculating result data for each collected data through the deep neural network in the computer; a pattern information derivation step of deriving pattern information when calculating the result data for each collected data, wherein the pattern information corresponds to an order determined in the deep neural network; a group specifying step of designating one or more pieces of collected data having the same pattern information as a specific group; a characterization step of giving the characteristics of each group; and calculating new result data after receiving new collection data, and extracting a group corresponding to the new result data.
  • The calculating of the result data may include calculating the result data by applying a weight to each situation data, wherein the weight may be adjusted so that the separation distance between groups having different pattern information is at or above a specific value.
  • An abnormal behavior determination diagram including a plurality of distinguishable layers is generated, wherein each layer is matched with a group, and the generation position on the abnormal behavior determination diagram changes according to a numerical value of the result data; and the identification mark is displayed on the layer of the group to which the new collection data corresponds and is provided to the user client.
  • When an acquisition order of at least one piece of situation data included in the collected data is determined, the deep neural network may include an abnormal behavior determination procedure that conforms to the acquisition order, and the abnormal behavior determination diagram may be generated step by step within the abnormal behavior determination procedure.
  • The method may further include providing type information of the abnormal behavior to an administrator client when the characteristic of the group corresponds to the abnormal behavior.
  • The characterizing step may receive, from the administrator client, the characteristic information determined based on the input value of the specific context data included in the collected data of the group.
  • The pattern information derivation step may perform an abnormal behavior determination procedure including one or more successive determination steps, and the pattern information may include the type and order of questions for each determination step in the abnormal behavior determination procedure.
  • The characterizing step may determine the characteristics corresponding to the group through the reverse analysis of the pattern information.
  • The abnormal behavior search program according to another embodiment of the present invention is coupled to a computer, which is hardware, to execute the above-mentioned electronic device control method, and is stored in a medium.
  • The collected data is classified using the pattern information, which is the flow determined in the deep learning algorithm for each collected data, rather than simply by the result data calculated from the collected data.
  • the result data of each group can be adjusted to be visually distinguishable.
  • the administrator can easily grasp the characteristics of the new collection data. That is, the manager can quickly check whether the new collection data corresponds to abnormal behavior by identifying which layer on the diagram the identification mark of the new collection data is displayed, and can also quickly identify the specific abnormal behavior type.
  • FIG. 1 is a block diagram of an abnormal behavior determination system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a method for determining abnormal behavior according to an embodiment of the present invention.
  • FIG. 3 is an exemplary diagram of a deep learning algorithm showing a process of calculating pattern information using collected data according to an embodiment of the present invention.
  • FIG. 4 is a flow chart of an abnormal behavior determination method further comprising the step of adjusting the weight after the creation of a new group corresponding to the new collection data according to an embodiment of the present invention.
  • FIG. 5 is a flowchart illustrating an abnormal behavior determination method of displaying a group to which new collection data belongs using an abnormal behavior determination diagram according to an embodiment of the present invention.
  • FIG. 6 is an exemplary diagram of an abnormal behavior determination diagram according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a method for determining abnormal behavior that provides a manager with a type of abnormal behavior corresponding to new collection data according to an embodiment of the present invention.
  • a computer includes all of various devices capable of performing arithmetic processing and providing a result to a user.
  • A computer can be a desktop PC or a notebook, as well as a smartphone, a tablet PC, a cellular phone, a PCS (Personal Communication Service) phone, a synchronous/asynchronous IMT-2000 (International Mobile Telecommunication-2000) mobile terminal, a palm PC (Personal Computer), a PDA (Personal Digital Assistant), and the like.
  • the computer may correspond to a server that receives a request from a client and performs information processing.
  • the normal behavior refers to the behavior that is determined to be normal performance among specific performance behaviors (eg, financial transaction behavior, data detection behavior, etc.) using the user's client.
  • The abnormal behavior refers to the behavior that is determined to be abnormal performance among specific behaviors (e.g., financial transaction behavior, data detection behavior, etc.) using the user's client. For example, a certain financial transaction (e.g., an account transfer) may be classified as normal behavior if it is performed in accordance with the procedures generally performed by the user of a particular account, and may be classified as abnormal behavior if it differs from the existing procedures of the user of a particular account (e.g., when a transfer procedure is performed on a client device other than the client of the account holder, or when the position corresponding to the IP currently connected to perform the transfer and the position corresponding to the most recently accessed IP are more than a certain distance apart).
  • the collected data refers to data obtained during a specific performance of a user.
  • the collected data is data obtained from a client of a user or acquired in an image and stored in a computer in a process for performing a specific performing action.
  • The context data is one or more data included in the collected data, and means data obtained from a client in each situation during a procedure of performing a specific action. For example, in the case of a bank transfer during a financial transaction, a user accesses a financial institution application through a specific IP using a specific client device, performs a login, and enters a counterpart account.
  • The individual data acquired in each situation, such as 'type of client', 'access IP', 'login account' and 'counterparty account information', are 'situation data'.
  • For 'collection data', the situation data of one occurrence may be obtained sequentially or simultaneously.
  • a group may mean one or more sets generated through classification of a plurality of collected data. For example, by classifying based on pattern information or characteristics described below, a specific group may include collected data having the same pattern information or characteristics.
  • the pattern information refers to data that is a standard for classifying collected data into one or more groups.
  • the pattern information may correspond to a flow in which groups are classified by a computer with respect to specific collection data.
  • a characteristic means an attribute of collected data.
  • the characteristics of the collected data can be divided into normal, suspicious or abnormal by the computer.
  • The abnormal characteristic may be further classified, using as the detailed characteristic the basis on which the computer classified it as abnormal (e.g., the situation data that contributed to the abnormal determination).
  • the new collection data is data requiring determination of abnormal behavior.
  • the new situation data means one or more situation data included in the new collection data.
  • the new collection data may be added to existing collection data within a specific group after determining whether it is an abnormal behavior.
  • a user may mean a person who uses a client that provides collected data to a computer.
  • The manager refers to a person who is provided with data for determining whether new collection data corresponds to abnormal behavior. That is, the manager may include not only a person who manages a specific system but also a person (e.g., a service user) who checks the status of his/her account and the like.
  • a deep neural network refers to a system or a network that performs a determination based on a plurality of data by constructing one or more layers in one or more computers.
  • the deep neural network may be implemented as a set of layers including a convolutional pooling layer, a locally-connected layer, and a fully-connected layer.
  • The overall structure of the deep neural network may be formed of a convolutional neural network (CNN) structure in which a local connection layer is connected to a convolution pooling layer and a fully connected layer is connected to the local connection layer.
  • the deep neural network may be formed of a recurrent neural network (RNN) structure that is recursively connected, for example, as edges pointing to the nodes of each layer are included.
  • the deep neural network may include various criteria (ie, parameters), and may add new criteria (ie, parameters) through an input image analysis.
  • the structure of the deep neural network according to the embodiments of the present invention is not limited thereto, and may be formed of a neural network having various structures.
  • Embodiments of the present invention are an abnormal behavior detection system (hereinafter, abnormal behavior detection system) including a deep neural network, which may be implemented in one computer or a plurality of computers connected to each other.
  • the abnormal behavior search system may be included in one or more computers 10.
  • the one or more computers may include a database server 11 containing collected data.
  • One or more computers 10 may receive new collection data from the user client 20 and compare and analyze the collected data 100 in the database server 11 to extract abnormal symptoms (that is, determine whether abnormal behavior is applicable).
  • the type of abnormal behavior derived may be provided to the manager client 30.
  • The abnormal behavior search system may be implemented as one computer 10, so that the collection data 100 is stored in a memory (for example, a hard disk) in that computer, and new collection data is acquired and compared with the collected data 100 to calculate whether it corresponds to abnormal behavior.
  • FIG. 2 is a flowchart illustrating a method for detecting abnormal behavior according to an embodiment of the present invention.
  • The method includes: a collection data receiving step (S100) in which the computer 10 receives collected data 100; calculating result data 300 for each collected data 100 through the deep neural network in the computer 10 (S200); a pattern information derivation step (S300) of deriving pattern information when calculating the result data 300 for each collection data 100; a group specifying step (S400) of designating one or more pieces of collected data having the same pattern information as a specific group; a characterization step (S500) of giving the characteristics of each group; and calculating new result data after receiving the new collection data 200, and extracting a group corresponding to the new result data (S700).
  • the abnormal behavior search method according to an embodiment of the present invention will be described in order.
  • the computer 10 receives one or more pieces of collected data 100 (S100).
  • The collected data 100 includes one or more situation data, and may be data received from the user client 20 while a specific user performs a specific performing activity (for example, data searching, a financial transaction such as an account transfer, or an account use act such as logging in using a specific account).
  • One or more computers 10 may load specific collection data 100 stored therein. That is, when the collected data 100 for existing (i.e., previous) performing behavior is accumulated in the computer 10, the computer 10 may load the accumulated plurality of collected data 100 and input them into the deep neural network as described below.
  • the computer 10 calculates the result data 300 for each of the collected data 100 through the deep neural network (S200).
  • the computer 10 may calculate the result data 300 using a deep learning algorithm through a deep neural network.
  • the result data 300 refers to data calculated by applying each situation data value in the collected data 100 to the deep learning algorithm.
  • The computer 10 may convert the respective situation data into numerical values (e.g., binary data) and input the numerical values corresponding to the situation data into the deep learning algorithm to calculate the result data 300. Accordingly, the computer 10 may calculate different result data 300 according to the configuration of the situation data included in each collection data 100.
  • the result data 300 may be calculated by applying a weight to each situation data.
  • The weight may be adjusted so that the separation distance between groups having different pattern information is at or above a specific value (that is, so that the deviation between result data corresponding to groups having different pattern information is greater than or equal to a specific value).
  • The result data 300 values calculated from collection data 100 with different combinations of situation data may be close and fall within a specific numerical range (i.e., the deviation between the result data 300 corresponding to different groups may be smaller than a specific value and difficult to distinguish).
  • the first collection data is normal behavior, but the second collection data is abnormal.
  • the first result data (i.e., result data calculated from the first collection data)
  • the second result data (i.e., result data calculated from the second collection data)
  • the manager may not be able to distinguish the first result data and the second result data.
  • a problem may occur in which the second result data corresponding to the abnormal behavior is mistaken for the first result data corresponding to the normal behavior.
  • The computer 10 reflects the weights of one or more contextual data constituting each of the collected data 100, so that the numerical differences between the result data 300 of collected data 100 having different configurations of contextual data values can be more than a specific value.
  • The computer 10 may grasp the difference between the situation data items constituting the first result data and the second result data that are within a specific range (that is, whose difference is equal to or less than the specific value), and give a weight to that situation data item.
  • The computer 10 may increase the numerical difference (that is, the deviation) between the first result data and the second result data, so that when the first result data and the second result data are displayed on a graph or diagram, the separation distance is large enough to be visually recognizable and the manager can distinguish them.
  • the computer 10 derives the pattern information when calculating the result data for each of the collected data 100 (S300).
  • the pattern information may correspond to an order (or flow) determined in the deep neural network.
  • The pattern information derivation step S300 may perform an abnormal behavior determination procedure including one or more consecutive determination steps. That is, the computer 10 may include a plurality of determination steps to distinguish one or more collected data 100 in the deep learning algorithm, and each determination step may perform a determination based on one or more context data. For example, when each determination step in the deep learning algorithm includes a plurality of questions (e.g., questions for determining whether a particular situation applies based on the situation data), the question to be determined in the next determination step may be determined as one or more situation data values are input to any one of the questions included in each determination step.
  • the pattern information may include the type and order of questions for each determination step in the abnormal behavior determination procedure. That is, the computer 10 may go through each determination step, and according to the difference in the situation data values included in the collected data 100, the types of query items that pass through the same determination step may vary. Therefore, the type and order of the question items determined according to the collected data 100 may be pattern information.
  • The computer 10 designates one or more pieces of collected data 100 having the same pattern information into a specific group (S400). That is, the computer 10 may classify the plurality of collected data 100 based on the pattern information rather than the result data 300 value. Since collected data 100 having different contextual data but adjacent result data 300 values may be incorrectly classified into the same group, the computer 10 may create groups based on pattern information that is clearly distinguishable according to the type or value of the contextual data constituting the collected data 100.
  • The computer 10 gives the characteristics of each group (S500). For example, the computer 10 may give each group a characteristic corresponding to that group, such as normal behavior, suspicious behavior or abnormal behavior. The computer 10 may also give the characteristics of each group in detail. For example, if the performance is abnormal, elements that can identify why each group is determined to be abnormal (for example, the status data assigned to each type of abnormal behavior, or information on the status data that is determined to be abnormal) can be given as a group property.
  • the computer 10 can give each group a characteristic in various ways.
  • the method of imparting the characteristics of each group is not limited to the method described below, and various methods may be applied.
  • the characteristic granting step S500 may receive the characteristic information determined based on an input value of specific context data included in the collection data 100 of the group from the manager client 30. That is, the administrator may look at the situation data constituting the collection data 100 included in each classified group, and determine and input characteristics of each group.
  • the abnormal behavior search system may receive and set characteristic information for each group input to the manager client 30.
  • the characterization step S500 may determine a characteristic corresponding to the group through reverse analysis of the pattern information.
  • The abnormal behavior search system may sequentially store the questions determined in the process of calculating the result data 300 in a storage space granted to that specific result data 300. Thereafter, the abnormal behavior search system may analyze the type and order of the questions passed through in the process of calculating each result data 300. That is, the abnormal behavior detection system can determine whether each of the collected data 100 (or the result data 300 according to the collected data 100) corresponds to abnormal behavior based on the case data input by the service user or administrator.
  • The abnormal behavior detection system may obtain reported financial transaction accident case data from the service user or manager of the financial transaction system, and the case data of each financial transaction accident may include situation data. Therefore, the abnormal behavior search system compares the situation data of the financial transaction accident case data with the situation data of the collected data 100 in each group, and searches for the group corresponding to each financial transaction accident (or matches the financial transaction accident corresponding to each group). Through this, the abnormal behavior search system can automatically assign the characteristics of each group using the accumulated case data. In addition, the abnormal behavior search system can clearly update the characteristics of the group based on the accumulated case data.
  • After receiving the new collection data 200, the computer 10 calculates new result data and extracts a group corresponding to the new result data (S700). According to an embodiment of the method for calculating the group to which the new collection data 200 corresponds, the computer 10 may determine, as the corresponding group, a group having a value corresponding to the new result data or a value within an error range. In particular, when a weight is given so that the difference value (i.e., the deviation) between groups is equal to or greater than a specific value (i.e., when the separation distance between groups is equal to or greater than a specific value), the group to which the new collection data 200 corresponds can be calculated accurately from the result data 300 value.
  • The computer 10 (that is, the abnormal behavior search system) may calculate the result data 300 based on the input new collection data 200, and extract a corresponding group through the pattern information grasped in the process of calculating the result data 300.
  • The computer 10 may determine that a new type of performance has occurred. Therefore, a new group can be created based on the new result data and new pattern information corresponding to the new collection data 200. Since the result data 300 of the new group may be located between the result data 300 of existing groups, the computer 10 may adjust the weight so that the difference between the result data 300 corresponding to adjacent groups is equal to or greater than a specific value.
  • the method may further include generating an abnormal behavior determination diagram 400 including a plurality of distinguishable layers 410 (S600). That is, as shown in FIG. 6, the computer 10 may generate an abnormal behavior determination diagram 400 in which an administrator may visually distinguish a group by performance behavior.
  • the abnormal behavior determination diagram 400 may include one or more layers 410 indicating a generation position corresponding to a numerical value of the result data 300 corresponding to each group. That is, each layer 410 is matched to each group, and the generation position may vary according to the numerical value of the result data 300.
  • each layer 410 may be displayed differently in color or combined with an identification mark (ie, a label) so as to be visually distinguishable.
  • An identification mark is displayed on the layer 410 of the group to which the new collection data 200 corresponds, and is provided to the manager client 30 (S1000). That is, the computer 10 may display the identification mark indicating the new collection data 200 on the layer 410 of the group corresponding to the new collection data 200 and provide it to the manager client 30.
  • An administrator who manages the occurrence of abnormal behavior, or a service user who wants to check whether an illegal situation has occurred (for example, a specific performance behavior performed using his or her account), can use the identification mark on the visually provided abnormal behavior determination diagram 400 to check, simply and intuitively, whether abnormal behavior has occurred or which type of abnormal behavior occurred.
  • the deep neural network may include an abnormal behavior determination procedure in accordance with the acquisition order.
  • One or more contextual data included in the collected data 100 may be sequentially obtained at time intervals. For performance behaviors such as financial transactions (e.g., bank transfers), it is necessary to quickly identify abnormal behavior (e.g., abnormal transactions, that is, transactions expected to be financial accidents) and take countermeasures such as stopping transactions. In this case, if whether the behavior is abnormal is analyzed only after all the situation data of the collected data 100 has been acquired, the response may be late.
  • the computer 10 may generate a general notification of the specific performance behavior in order to notify the reception of the specific situation data that is likely to cause the collected data 100 to be classified as an abnormal behavior.
  • This may include procedures for determining abnormal behavior in accordance with the order of obtaining situation data. For example, if the second stage situation data (that is, situation data obtained second) is received after the first stage situation data (that is, situation data acquired first), the computer 10 may place the first determination step, which performs the determination with the first stage situation data, first in the order of the deep learning algorithm, and place the second determination step, which performs the determination with the second stage situation data, after the first determination step.
  • The computer 10 may generate the abnormal behavior determination diagram 400 in stages within the abnormal behavior determination procedure in accordance with the order of acquiring the situation data. That is, in order to grasp the real-time situation based on the situation data, the computer 10 may generate the abnormal behavior determination diagram 400 for each judgment step at which the possibility of abnormal behavior can be predicted at the time when specific situation data is acquired. Accordingly, as the manager is provided with the abnormal behavior determination diagram 400 of the current judgment stage, which displays the identification mark of the specific new collection data 200 with the situation data acquired so far together with the identification marks of the collected data 100, the administrator can easily recognize and prepare for the occurrence of abnormal behavior.
  • the computer 10 may rearrange the order of the layers 410 of the abnormal behavior determination diagram 400 arranged according to the numerical value of the result data 300, so that the administrator may intuitively determine whether the abnormal behavior has occurred. That is, the computer 10 generates a modified diagram in which the arrangement of each layer 410 of the abnormal behavior determination diagram 400 (hereinafter, referred to as the original diagram) according to the result data 300 is generated, and thus, the normal behavior layer and the abnormal behavior layer. Can be displayed as The manager can immediately check whether the abnormal behavior is visually based on the location where the new collection data 200 is included and match the specific layer 410 of the correction diagram when the correct group and the characteristics of the group are to be identified. The result data 300 or the modified diagram layer 410 and the original diagram layer 410 can be confirmed based on the matching relationship.
  • The computer 10 may identify the abnormal behavior type of the group to which the new collection data 200 belongs and provide it to the administrator.
  • The abnormal behavior search method according to the above-described embodiment of the present invention may be implemented as a program (or an application) and stored in a medium so that it is executed in combination with the computer 10, which is hardware.
  • The above-described program may include code written in a computer language such as C, C++, JAVA or machine language that the computer's processor (CPU) can read through the computer's device interface, so that the computer reads the program and executes the methods implemented as the program. Such code may include functional code related to the functions that define what is needed to execute the methods, and may include control code related to the execution procedure needed for the computer's processor to execute those functions according to a predetermined procedure.
  • The code may further include memory-reference code indicating at which location (address) of the computer's internal or external memory the additional information or media needed for the computer's processor to execute the functions should be referenced.
  • The code may further include communication-related code for communicating with any other remote computer or server using the communication module of the computer, including whether to communicate and what information or media should be transmitted and received during communication.
  • The storage medium is not a medium that stores data for a short time, such as a register, a cache or a memory, but a medium that stores data semi-permanently and can be read by a device.
  • Examples of the storage medium include, but are not limited to, a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. That is, the program may be stored in various recording media on various servers that the computer can access, or in various recording media on the user's computer. The media may also be distributed over network-coupled computer systems so that the computer-readable code is stored in a distributed fashion.
  • The collected data is classified using the pattern information, which is the flow determined in the deep learning algorithm for each piece of collected data, rather than simply by the result data calculated from the collected data.
  • The result data of each group can be adjusted to be visually distinguishable.
  • The administrator can easily grasp the characteristics of the new collection data. That is, the administrator can quickly check whether the new collection data corresponds to abnormal behavior by identifying on which layer of the diagram the identification mark of the new collection data is displayed, and can also quickly identify the specific abnormal behavior type.
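
The following is an added example, not code from the patent, of grouping collected data by pattern information instead of by result data alone, so that two records with the same score can still land in different groups. It assumes that the pattern information is the set of hidden nodes that fire in a small fixed-weight network and that a group's characteristic is the majority label of its members; the weights, records and labels are constructed.

```python
from collections import Counter, defaultdict

# Constructed fixed weights for a 2-input, 3-hidden-node, 1-output network.
W1 = [[1.0, -1.0], [-1.0, 1.0], [1.0, 1.0]]
B1 = [0.0, 0.0, -1.0]
W2 = [1.0, 1.0, 0.5]


def forward(x):
    """Return (result data, pattern information) for one record (S200, S300)."""
    hidden = [max(0.0, sum(w * v for w, v in zip(row, x)) + b)
              for row, b in zip(W1, B1)]
    score = sum(w * h for w, h in zip(W2, hidden))
    # Assumption: the pattern is which hidden nodes fired for this record.
    pattern = tuple(int(h > 0.0) for h in hidden)
    return score, pattern


def build_groups(collected):
    """Group records sharing a pattern (S400) and label each group (S500)."""
    members = defaultdict(list)
    for features, label in collected:
        score, pattern = forward(features)
        members[pattern].append((score, label))
    groups = {}
    for pattern, rows in members.items():
        # Assumption: a group's characteristic is its members' majority label.
        characteristic = Counter(l for _, l in rows).most_common(1)[0][0]
        groups[pattern] = {"characteristic": characteristic,
                           "scores": sorted(s for s, _ in rows)}
    return groups


def classify_new(groups, features):
    """Score a new record and extract its matching group (S700)."""
    score, pattern = forward(features)
    group = groups.get(pattern)
    return score, pattern, (group["characteristic"] if group else None)


# Constructed collected data: (feature vector, analyst label).
COLLECTED = [
    ((0.75, 0.125), "normal"), ((0.5, 0.125), "normal"),
    ((0.125, 0.75), "abnormal"), ((0.25, 0.625), "abnormal"),
]
GROUPS = build_groups(COLLECTED)

if __name__ == "__main__":
    for rec in [(0.875, 0.125), (0.125, 0.875), (0.875, 0.875)]:
        print(rec, classify_new(GROUPS, rec))
```

The first two new records receive the same result data but fall into groups with opposite characteristics, and the third has a pattern that matches no existing group, which a deployment would route to manual review.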


Abstract

The present invention relates to a method and a program for detecting anomalies. A method for detecting anomalies according to an embodiment of the present invention comprises: a collection data reception step (S100) of receiving one or more pieces of collection data by a computer; a step (S200) of calculating result data for each piece of collection data through a deep neural network in the computer; a pattern information derivation step (S300) of deriving pattern information at the time of calculating the result data for each piece of collection data; a group designation step (S400) of designating one or more pieces of collection data having the same pattern information as a specific group; a characteristic assignment step (S500) of assigning a characteristic to each group; and a step (S700) of calculating new result data after receiving new collection data, and extracting a group corresponding to the new result data. According to the present invention, it is possible to prevent a group corresponding to an anomaly from being erroneously included in a group corresponding to normal behavior.
PCT/KR2017/002480 2016-03-08 2017-03-08 Anomaly detection method and anomaly detection program WO2017155292A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2016-0027448 2016-03-08
KR1020160027448A KR101720538B1 (ko) 2016-03-08 2016-03-08 Abnormal behavior search method and search program

Publications (1)

Publication Number Publication Date
WO2017155292A1 true WO2017155292A1 (fr) 2017-09-14

Family

ID=58495675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/002480 WO2017155292A1 (fr) 2016-03-08 2017-03-08 Anomaly detection method and anomaly detection program

Country Status (2)

Country Link
KR (1) KR101720538B1 (fr)
WO (1) WO2017155292A1 (fr)


Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102046651B1 * 2017-04-20 2019-11-20 주식회사 비아이큐브 Method for real-time processing of cloud-based large-volume data streams
KR102040929B1 2017-08-04 2019-11-27 국방과학연구소 Apparatus and method for detecting drive-by downloads using abnormal behavior monitoring
US10944789B2 2018-07-25 2021-03-09 Easy Solutions Enterprises Corp. Phishing detection enhanced through machine learning techniques
KR102657620B1 2022-11-23 2024-04-16 주식회사 인피니그루 Method and system for controlling an independently running, always-on detection in-app for preventing financial fraud
KR102625864B1 2023-09-18 2024-01-16 주식회사 인피니그루 Method and system for preventing voice phishing using an independently running, always-on detection in-app

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
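KR20040092314A * 2003-04-26 2004-11-03 엘지엔시스(주) Real-time attack traffic monitoring system based on an intrusion detection device
KR20080084132A * 2007-03-15 2008-09-19 임준식 Method for extracting a nonlinear time-series prediction model using a neural network based on weighted fuzzy membership functions
KR20130126814A * 2012-04-26 2013-11-21 한국전자통신연구원 Apparatus and method for detection and in-depth analysis of traffic flooding attacks using data mining
KR20150091775A * 2014-02-04 2015-08-12 한국전자통신연구원 Method and system for analyzing network traffic to detect abnormal behavior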


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KIM, JONG-HUN ET AL.: "Big Data Analysis Based on Deep Learning for Baseball Game Data", THE JOURNAL OF KOREAN INSTITUTE OF COMMUNICATIONS AND INFORMATION SCIENCES 2015 AUTUMN CONFERENCE, November 2015 (2015-11-01), pages 263 - 266, XP055413948 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11501156B2 (en) 2018-06-28 2022-11-15 International Business Machines Corporation Detecting adversarial attacks through decoy training
US11829879B2 (en) 2018-06-28 2023-11-28 International Business Machines Corporation Detecting adversarial attacks through decoy training
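CN109614496A * 2018-09-27 2019-04-12 长威信息科技发展股份有限公司 Knowledge-graph-based subsistence allowance identification method
CN109614496B * 2018-09-27 2022-06-17 长威信息科技发展股份有限公司 Knowledge-graph-based subsistence allowance identification method
CN109871445A * 2019-01-23 2019-06-11 平安科技(深圳)有限公司 Fraudulent user identification method, apparatus, computer device and storage medium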

Also Published As

Publication number Publication date
KR101720538B1 (ko) 2017-03-28


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17763553

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 14/01/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17763553

Country of ref document: EP

Kind code of ref document: A1