WO2019017550A1 - Integrated control system and method for personal information security products - Google Patents

Publication number: WO2019017550A1
Authority: WO, WIPO (PCT)
Prior art keywords: task, business, cluster, data, user
Application number: PCT/KR2018/002350
Other languages: French (fr), Korean (ko)
Inventor: 김현철
Original Assignee: 주식회사 삼오씨엔에스
Priority claimed from: KR1020170091386A (patent KR101810860B1)
Priority claimed from: KR1020170169516A (patent KR101933712B1)
Application filed by: 주식회사 삼오씨엔에스

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • The present invention relates to a control system and method for monitoring the personal information usage records of users who access personal information data, and more particularly to an integrated control system and method for personal information security products that can determine whether personal information has been leaked on the basis of the work behavior of a user accessing a security product that protects personal information data.
  • Government agencies, corporations, banks, research institutes and schools generally operate a plurality of execution servers connected through wired and wireless communication networks such as the Internet and wireless networks, and some execution servers hold various data and communicate with other execution servers. These execution servers are connected to a security system.
  • Conventionally, log information from security systems was analyzed to prevent information leakage. For example, the logs of heterogeneous security systems were integrated, and a simple lookup or action that matched a predefined definition was judged to be a normal behavior pattern; otherwise it was judged to be an abnormal behavior pattern.
  • Korean Patent Laid-Open Publication No. 10-2014-0088712 (Prior Art 1) discloses a personal information access monitoring system and method comprising a surveillance unit that watches the access status of personal information and detects abnormal transactions; a monitoring unit that receives the output of the surveillance unit and monitors the access status in real time; a log management unit that analyzes and traces the path of the application that accessed the personal information, from the access status output through the monitoring unit; and a control unit that controls the surveillance unit, the monitoring unit and the log management unit. The system classifies abnormal symptoms by calculating a separation (QCL) index based on a 6σ (Six Sigma) indicator using the number of personal information accesses.
  • Korean Patent Registration No. 10-0980117 (Prior Art 2) discloses an internal information leakage threat analysis method consisting of a data collection step of collecting data on the individual behaviors of the persons to be evaluated; a user data warehouse construction step of performing user standardization and storing the result; a data mart construction step of building a data mart by identifying, for each security risk assessment item, each individual's normal behavior, deviating behavior that exceeds normal behavior, individual abnormal behavior and individual personal-network relationships; an individual behavior security risk analysis and calculation step of applying the security-level weight assigned to each behavior to the user-defined behaviors built in the data mart; an individual personal-network security risk analysis and calculation step of assigning a personal-network security risk to each individual; an individual personnel security risk analysis and calculation step of assigning a personnel security risk to each individual; and an individual security risk analysis and calculation step of calculating each individual's security risk by summing the above three security risks.
  • Korean Patent Laid-Open Publication No. 10-2014-0035146 (Prior Art 3) discloses an information security apparatus including a log information collection unit for collecting log information for each of a plurality of users; a standardization database for integrating the log information and the user information of each user to build an integrated database; a pattern extraction unit for extracting a pattern for each user and defining a normal pattern from the per-user patterns; and a pattern analysis unit for comparing each user's pattern with the normal pattern to determine whether a security risk exists.
  • Korean Patent Laid-Open Publication No. 10-2010-0121896 (Prior Art 4) discloses a pattern-based prediction method comprising the steps of acquiring a plurality of pieces of user context information; applying each piece of user context information to the individual rules of an individual rule database to infer a prediction result for each; generating a prediction pattern according to the user context information from the inferred prediction results; searching the correct-answer patterns or incorrect-answer patterns stored in a pattern database for a pattern matching the prediction pattern; and predicting the next situation the user will encounter according to the search result.
  • Korean Patent Registration No. 10-1462608 (Prior Art 5) discloses an adaptive big-data-processing-based abnormal symptom detection system including a data collection unit for collecting user data; a big data DB for accumulating the collected user data; a data mining unit that analyzes the data in the big data DB to pattern the data of each user, identifies the characteristic type of each behavior type in the per-user patterns, and sets an abnormal symptom patterning criterion from the identified characteristic types; a modeling unit that sets an abnormal symptom judgment criterion using the abnormal symptom patterning criterion; and a data collection component that applies the abnormal symptom judgment criterion set by the modeling unit to the user data provided by the data collection unit to determine abnormal symptoms in a context-adaptive manner.
  • The systems disclosed in the prior arts detect a user's abnormal behavior pattern against a predetermined normal pattern based on statistical counts, which makes it difficult to trace increasingly sophisticated personal information leakage.
  • The prior art also has the problem that, when new data is generated or a standard of behavior changes, a new rule must be defined for it.
  • The present invention has been proposed to solve the conventional problems described above, and its object is to provide an integrated control system and method for personal information security products.
  • Another object of the present invention is to provide an integrated control system and method for personal information security products capable of reducing the ratio of false positives or false negatives that can arise from a statistical rule-based analysis method that fixes the abnormal pattern in advance.
  • Another object of the present invention is to provide an integrated control system for personal information security products capable of reducing the ratio of false positives or false negatives by analyzing a user's business behavior from the logs that are generated and collected, without fixing an abnormal pattern in advance.
  • The integrated control system for personal information security products comprises a profiling cluster storage module consisting of a task-based data conversion unit that converts personal information usage data, obtained through the log of a security product generated by a user's business behavior, into business behavior list data; a task-based data extraction unit that extracts the business behavior list obtained by the data conversion unit for each user; a task-based vector conversion unit that vectorizes the business behavior list extracted for each user; a task-based clustering processing unit that forms a task-based cluster by clustering the vectorized business behavior lists using the K-means algorithm; a task-based threshold calculation unit that calculates a distance value threshold between the center and the elements of the task-based cluster using the t-digest algorithm; and a clustering storage unit that stores the task-based cluster and the distance value threshold in a column-type data format.
  • It further comprises an abnormal pattern analysis module with an abnormal pattern determination unit that judges whether a behavior is abnormal by comparing the analysis distance value of the cluster obtained from the business behavior list of personal information use, taken from the log of the security product generated by the user's subsequent business behavior, with the task-based distance value threshold obtained from the storage module.
  • the abnormal pattern analysis module further includes an analysis data conversion unit, an analysis vector conversion unit, an analysis clustering processing unit, an analysis distance value calculation unit, and a task-based cluster loading unit.
  • The integrated control method for personal information security products includes a task-based data conversion step of converting data generated by a user's business behavior using personal information, obtained through the log of a security product, into business behavior list data;
  • a task-based data extraction step of extracting, for each user, the business behavior list obtained in the task-based data conversion step;
  • a task-based threshold calculation step of calculating, using the t-digest algorithm, a task-based distance value threshold between the center and the elements of the task-based cluster formed in the task-based clustering processing step;
  • a clustering storage step of storing the task-based cluster formed in the task-based clustering processing step and the distance value threshold calculated in the task-based threshold calculation step in a column-type data format.
  • The analysis-target distance value between the center and the elements of the analysis-target cluster is obtained through an analysis-target data conversion step of converting data generated by a later analysis-target business behavior of a user who uses personal information, obtained through the log of the security product, into an analysis-target business behavior list;
  • an analysis-target vector conversion step of vectorizing the analysis-target business behavior list generated in the analysis-target data conversion step;
  • an analysis-target clustering processing step of forming an analysis-target cluster by clustering the vectorized analysis-target business behavior list using the K-means algorithm; and an analysis-target distance value calculation step of calculating, using the t-digest algorithm, the distance value between the center and the elements of the analysis-target cluster formed in the analysis-target clustering processing step.
  • The integrated control system and method for personal information security products analyze the business behavior of a user who uses personal information through the log of a security product generated by that behavior, without fixing an abnormal pattern in advance, so the ratio of false positives or false negatives can be reduced.
  • FIG. 1 is a block diagram of a personal information security product integrated control system according to the present invention.
  • FIG. 2 is a flowchart illustrating an operation state of a profiling cluster storage module of a personal information security product integrated control system according to the present invention.
  • FIG. 3 is a flowchart illustrating an operation state of an abnormal pattern analysis module of the integrated personal information security product control system according to the present invention.
  • The integrated control system for personal information security products includes a profiling cluster storage module composed of a task-based data conversion unit for converting personal information usage data, obtained through the log of a security product generated by a user's business behavior, into business behavior list data; a task-based data extraction unit for extracting the business behavior list for each user; a task-based vector conversion unit for vectorizing the business behavior list extracted for each user; a task-based clustering processor for forming a task-based cluster by clustering the vectorized business behavior lists using the K-means algorithm; a task-based threshold calculator for calculating a distance value threshold between the center and the elements of the task-based cluster using the t-digest algorithm; and a clustering storage unit for storing the task-based cluster and the distance value threshold in a column-type data format; and an abnormal pattern analysis module with an abnormal pattern determination unit for judging whether a behavior is abnormal by comparing the analysis distance value of the cluster obtained from the business behavior list of personal information use, taken from the log of the security product generated by the user's subsequent business behavior, with the task-based distance value threshold obtained from the storage module.
  • The integrated control system for personal information security products includes a profiling cluster storage module composed of a task-based data conversion unit 111 for converting data on personal information use, obtained through the log of a security product generated by a user's business behavior, into business behavior list data; a task-based data extraction unit 112 for extracting the business behavior list obtained by the data conversion unit 111 for each user; a task-based vector conversion unit 113 for vectorizing the business behavior list extracted for each user; a task-based clustering processor 114 for forming a task-based cluster by clustering the vectorized business behavior lists using the K-means algorithm; a task-based threshold calculation unit 115 for calculating a distance value threshold between the center and the elements of the task-based cluster; and a task-based clustering storage unit 116 for storing the task-based cluster in a column-type data format.
  • The task-based data conversion unit 111 generates business behavior list data by defining and sorting the data on personal information use, obtained through the log of a security product generated by a user's business behavior, with an index centered on the business behavior. For example, when the user's business behaviors are 'business behavior 1', 'business behavior 2' and 'business behavior 3', the data conversion unit 111 assigns them the indices '0', '1' and '2', respectively. If the user uses personal information three times through 'business behavior 1', the data conversion unit 111 records the business behavior list as 'business behavior 1: 3'.
  • The task-based data extraction unit 112 extracts, for each user, the business behavior list generated by the task-based data conversion unit 111. For example, if user A uses three pieces of personal information through 'business behavior 1', the data extraction unit 112 extracts user A's business behavior list as 'business behavior 1: 3', and if user B uses four pieces of personal information through 'business behavior 2', it extracts user B's business behavior list as 'business behavior 2: 4'.
  • The task-based vector conversion unit 113 converts data in an ordinary table structure into a sparse vector format that is efficient for clustering calculations. For example, when the data of one row consists of the values 1, 0, 0, 0, 0, 0 and 5, the vector conversion unit 113 converts it into (7, [0, 6], [1, 5]), which means a vector of size 7 holding the values [1, 5] at index positions [0, 6].
  • the task-based clustering processing unit 114 uses a K-means algorithm to group the given data into K clusters based on tasks.
  • The task-based threshold value calculation unit 115 calculates a threshold for the distance values between the center of each cluster obtained by the clustering processing unit 114 and its elements.
  • the task-based clustering storage unit 116 stores the task-based threshold value obtained by the threshold value calculation unit 115 for each cluster unit.
  • The integrated control system for personal information security products may also include an abnormal pattern analysis module with an abnormal pattern determination module 126 that compares the analysis distance value of an analysis cluster, obtained from data on personal information use taken from the log of a security product generated by a user's subsequent business behavior, with the task-based distance value threshold obtained from the storage module, to determine whether the personal information access behavior is an abnormal pattern or a normal pattern.
  • The abnormal pattern analysis module includes an analysis data conversion unit 121 for generating an analysis business behavior list from data on personal information use taken from the log of a security product generated by a user's subsequent business behavior; an analysis clustering processor 123 for forming an analysis cluster from the vectorized business behavior list using the K-means algorithm; an analysis distance value calculation unit 124 for calculating, using the t-digest algorithm, an analysis distance value between the center and the elements of the analysis cluster; and a task-based cluster loading unit 125 for loading the threshold of the task-based cluster stored in the clustering storage unit of the profiling cluster storage module.
  • The task-based data conversion unit 111 generates business behavior list data by defining and sorting indexes, based on business behavior, for the data on the user's personal information use (see step 211). For example, the task-based data conversion unit 111 defines 'business behavior 1', 'business behavior 2' and 'business behavior 3' as the indices '0', '1' and '2'.
  • the task-based data extraction unit 112 may extract a task behavior list for each user as illustrated in Table 3 below.
  • Table 3 shows that U001 uses personal information through work behavior 1, U002 uses personal information through work behavior 1 and work behavior 2, and U003 uses personal information through work behavior 1 and work behavior 3.
  • the task-based vector conversion unit 113 vectorizes the task behavior list extracted for each user as shown in Table 4 below.
  • The first value is the length of the entire business activity index of the log.
  • The second value is the user's business activity index.
  • The third value is the number of personal information uses for each of the user's business activity indices.
  • In step 214, the task-based clustering processor 114 forms a task-based cluster using the K-means algorithm, as illustrated in Table 5 below.
  • the task-based threshold calculation unit 115 calculates a distance value between the center of the user-specific cluster and the elements using the t-digest algorithm as illustrated in Table 6 below and calculates a threshold value.
  • In Table 6, since users U001 and U003 belong to the same task-based cluster, the distance from each of the two users to the center of the cluster is calculated as 0.25, and the distance for user U002 is calculated as 0.0 because U002 forms a cluster on its own.
  • the task-based clustering storage unit stores the task-based threshold value of the distance value for each cluster unit in the form of Table 7 below.
  • Once the task-based distance threshold of the task-based cluster has been obtained through the above process, when data on personal information use is newly input through the log of the security product generated by the behavior of a specific user, the analysis cluster is computed and the analysis distance value is calculated. The calculated analysis distance value is compared with the task-based threshold to determine whether the specific user's personal information use behavior is an abnormal pattern or a normal pattern.
  • In step 311, the analysis data conversion unit 121 converts the new personal information use count data, obtained through the log of the security product generated by the business behavior of the specific user, into business behavior list data.
  • the analysis vector conversion unit 122 converts the business behavior list of a specific user into a vector.
  • In step 312, the analysis clustering processing unit 123 forms the specific user's vectorized business behavior list into an analysis cluster using the K-means algorithm, and the analysis distance value calculation unit 124 calculates the analysis distance value between the center and the elements of the analysis cluster.
  • the task-based cluster loading unit 125 of the abnormal pattern analysis module loads the corresponding cluster stored in the cluster storage unit 116 and extracts a task-based threshold value (see steps 313 and 314).
  • the abnormal pattern determination unit 127 compares the extracted task-based threshold value with the analysis distance value, and determines whether the personal information use behavior of the specific user is an abnormal pattern or a normal pattern. For example, if the analytical distance value is larger than the threshold value, it is determined as an abnormal pattern, and if it is the opposite, it is determined as a normal pattern.
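
The profiling and comparison steps described above, as an added Python sketch that is not code from the patent or its applicant. Assumptions: the user IDs and log records are constructed sample data, an exact interpolated quantile stands in for the t-digest estimate, and a later behavior list is compared with the nearest stored cluster center instead of being re-clustered.

```python
import math
from collections import Counter, defaultdict

# Business behavior index as in the page's example: behaviors 1..3 -> 0..2.
BEHAVIOR_INDEX = {"business behavior 1": 0, "business behavior 2": 1, "business behavior 3": 2}
B1, B2, B3 = BEHAVIOR_INDEX  # the three behavior names

# Constructed baseline log: one (user, behavior) record per personal-information access.
BASELINE_LOG = (
    [("U001", B1)] * 3 + [("U001", B3)] * 1
    + [("U002", B1)] * 4 + [("U002", B3)] * 1
    + [("U003", B1)] * 3 + [("U003", B3)] * 2
    + [("U004", B2)] * 5
    + [("U005", B2)] * 6 + [("U005", B1)] * 1
    + [("U006", B2)] * 5 + [("U006", B1)] * 1
)
# Constructed later activity: U001 behaves as before, U003 makes 40 accesses via behavior 3.
LATER_LOG = [("U001", B1)] * 3 + [("U001", B3)] + [("U003", B1)] * 3 + [("U003", B3)] * 40


def behavior_lists(log, index):
    """Data conversion and extraction: access counts per behavior index, per user."""
    per_user = defaultdict(Counter)
    for user, behavior in log:
        per_user[user][index[behavior]] += 1
    return per_user


def to_sparse(counts, size):
    """Vector conversion: (size, indices, values) sparse form of one behavior list."""
    idx = sorted(i for i, v in counts.items() if v)
    return (size, idx, [counts[i] for i in idx])


def to_dense(sparse):
    size, idx, vals = sparse
    row = [0.0] * size
    for i, v in zip(idx, vals):
        row[i] = float(v)
    return row


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(point, centers):
    return min(range(len(centers)), key=lambda c: dist(point, centers[c]))


def kmeans(points, k, iters=50):
    """Plain K-means with deterministic farthest-point initialisation."""
    centers = [list(points[0])]
    while len(centers) < k:
        centers.append(list(max(points, key=lambda p: min(dist(p, c) for c in centers))))
    for _ in range(iters):
        labels = [nearest(p, centers) for p in points]
        new = []
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centers[c])
        if new == centers:
            break
        centers = new
    return centers, [nearest(p, centers) for p in points]


def quantile(values, q):
    """Exact interpolated quantile; stand-in for a t-digest estimate (assumption)."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = math.floor(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def build_profile(log, index, k=2, q=0.95):
    """Profiling stage: cluster baseline users and keep one distance threshold per cluster."""
    size = len(index)
    users = sorted(behavior_lists(log, index).items())
    points = [to_dense(to_sparse(counts, size)) for _, counts in users]
    centers, labels = kmeans(points, k)
    thresholds = []
    for c in range(k):
        d = [dist(p, centers[c]) for p, l in zip(points, labels) if l == c]
        thresholds.append(quantile(d, q) if d else 0.0)
    return {"size": size, "centers": centers, "thresholds": thresholds}


def analyse(profile, log, index):
    """Analysis stage: abnormal when the distance to the nearest center exceeds its threshold."""
    verdicts = {}
    for user, counts in behavior_lists(log, index).items():
        point = to_dense(to_sparse(counts, profile["size"]))
        c = nearest(point, profile["centers"])
        d = dist(point, profile["centers"][c])
        verdicts[user] = "abnormal" if d > profile["thresholds"][c] else "normal"
    return verdicts


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOG, BEHAVIOR_INDEX)
    print(profile["thresholds"])
    print(analyse(profile, LATER_LOG, BEHAVIOR_INDEX))
```

The threshold quantile `q` and the cluster count `k` are tuning choices of this sketch; the page does not state which values the system uses.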

Abstract

The present invention relates to an integrated control system and method for personal information security products, and comprises: a profiling cluster storage module comprising a work-based data conversion unit for converting data, which results from users' work behaviors using personal information, into work behavior list data, a work-based data extraction unit for extracting work behavior lists, acquired from the data conversion unit, according to users, a work-based vector conversion unit for vectorizing the work behavior lists extracted according to users, a work-based clustering unit for forming a work-based cluster by clustering the vectorized work behavior lists by using the k-means algorithm, a work-based threshold value calculation unit for calculating a distance threshold value for distances between the center of the work-based cluster and elements thereof by using the t-digest algorithm, a clustering storage unit for storing the work-based cluster and the distance threshold value in a column-type data format; and an abnormal pattern analysis module comprising an abnormal pattern determination unit for determining whether a user's subsequent access behavior to personal information is an abnormal behavior, by comparing an analyzed cluster distance value derived from the subsequent access behavior with the work-based distance threshold value acquired from the storage module. Therefore, it is possible to reduce the false positive rate or false negative rate by analyzing a user's work behavior through created and collected logs without fixing abnormal patterns in advance.

Description

개인정보 보안제품 통합관제 시스템 및 방법Personal information security product integrated control system and method
본 발명은 개인정보 데이터에 접속하는 사용자의 개인정보 이용기록을 모니터링하는 관제 시스템 및 방법에 관한 것이고, 더 상세하게는 개인정보 데이터를 보호하는 보안제품에 접속하는 사용자의 업무행동을 기준으로 개인정보 유출여부를 판단할 수 있는 개인정보 보안제품 통합관제 시스템 및 방법에 관한 것이다.BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a monitoring system and method for monitoring a personal information use record of a user accessing personal information data, and more particularly, And to a system and method for integrating and controlling personal information security products capable of judging whether or not the information is leaked.
일반적으로, 정부기관, 기업, 은행, 연구소 또는 학교 등에서는 인터넷, 무선망과 같은 유무선 통신망을 통해 접속되는 복수의 실행서버를 구축하고 있으며, 일부 실행서버 내에 각종 자료를 구비하여 다른 실행서버와 통신 접속하게 된다. 이러한 복수의 실행서버는 보안시스템과 연결되어 있다.2. Description of the Related Art Generally, a plurality of execution servers connected through a wired / wireless communication network such as the Internet and a wireless network are constructed in a government agency, a corporation, a bank, a research institute, or a school. Respectively. These plurality of execution servers are connected to the security system.
IT기술이 발전함에 따라 기업 등의 업무 환경이 e-business 중심으로 변화하면서 고객에게 제품 및 서비스 공급하는 기업은 어플리케이션과 데이터베이스라는 형태로 고객들의 개인정보를 대량으로 수집하여 축적하고 이용하게 되었다. 이러한 개인정보가 유출되는 경우 사생활 침해, 범죄 등으로 악용될 수 있으므로, 개인정보 유출위험에 대하여 모니터링하고 조기에 대응하게 된다.As IT technology evolves, the business environments of companies and others are changed to e-business. As a result, companies that provide products and services to customers are collecting and accumulating personal information of customers in large quantities in the form of applications and databases. When such personal information is leaked, it can be abused by privacy invasion, crime, etc., so that the risk of leakage of personal information is monitored and responded early.
종래에는 보안시스템에 대한 로그정보를 분석하여 정보유출을 방지하였다. 예를 들어, 이기종 보안시스템의 로그를 통합하고 단순 조회 및 행위에 대하여 사전 정의에 부합하는 경우 정상행위 패턴이라 판단하고 그렇지 않은 경우 이상행위 패턴이라 판단하였다.Conventionally, log information about the security system is analyzed to prevent information leakage. For example, if the log of the heterogeneous security system is integrated and the simple lookup and behavior conforms to the predefined definition, it is determined to be a normal behavior pattern. Otherwise, the abnormal behavior pattern is determined.
대한민국 공개특허공보 제10-2014-0088712호(선행기술1)에는 개인정보 접근 현황을 감시하여 비정상 거래를 탐지하는 감시부; 상기 감시부의 출력을 입력받아 개인정보 접근 현황을 실시간 모니터링하는 모니터링부; 상기 모니터링부를 통해 출력되는 개인정보 접근 현황 중, 상기 개인정보에 접근한 어플리케이션의 경로를 분석 및 추적하는 로그 관리부 및 상기 감시부, 모니터링부, 로그 관리부를 제어하는 제어부를 포함하고, 개인정보 접근건수를 이용한 6σ(Six Sigma) 지표를 기준으로 이격도(QCL) 지수를 산출하여 이상 징후를 분류하는 개인정보 접근감시 시스템 및 그 방법이 개시되어 있다. Korean Patent Laid-Open Publication No. 10-2014-0088712 (prior art 1) includes a monitoring unit for monitoring an access status of personal information and detecting an abnormal transaction; A monitoring unit that receives the output of the monitoring unit and monitors the status of personal information access in real time; And a control unit for controlling the monitoring unit, the monitoring unit, and the log management unit. The control unit controls the monitoring unit, the monitoring unit, and the log management unit to analyze and track the path of the application accessing the personal information from the personal information access status output through the monitoring unit. Discloses a personal information access monitoring system and a method thereof for classifying an abnormal symptom by calculating a separation index (QCL) index based on a Six Sigma index using a database.
Korean Registered Patent Publication No. 10-0980117 (Prior Art 2) discloses an internal information leakage threat analysis method comprising: a data collection step of collecting data on the individual behavior of each person being evaluated; a user data warehouse construction step of performing user standardization and storing the result; a data mart construction step of building a data mart by identifying, for each individual, the normal behavior, deviant behavior exceeding normal behavior, abnormal behavior and personal-network relationship map suited to the security risk assessment items; an individual behavior security risk analysis and calculation step of applying, to each user-defined behavior built in the data mart, the security-level weight assigned to that behavior; an individual personal-network security risk analysis and calculation step of assigning a personal-network security risk to each individual; an individual personnel security risk analysis and calculation step of assigning a personnel security risk to each individual; and an individual security risk analysis and calculation step of calculating each individual's security risk by summing the three security risks above.
Korean Laid-Open Patent Publication No. 10-2014-0035146 (Prior Art 3) discloses an information security apparatus including: a log information collection unit that collects log information for each of a plurality of users; a standardization database that builds an integrated database by combining the log information with the user information for each user; a pattern extraction unit that extracts a pattern for each user and defines a normal pattern from the per-user patterns; and a pattern analysis unit that compares each per-user pattern with the normal pattern to determine whether there is a security risk.
Korean Laid-Open Patent Publication No. 10-2010-0121896 (Prior Art 4) discloses a pattern-based prediction method including: acquiring a plurality of items of user context information; inferring a prediction result for each item of user context information by applying it to the individual rules of an individual rule database; generating a prediction pattern according to the user context information from the inferred prediction results; searching the correct-answer patterns or incorrect-answer patterns stored in a pattern database for a pattern that matches the prediction pattern; and predicting the next situation that will occur to the user according to the search result.
Korean Registered Patent Publication No. 10-1462608 (Prior Art 5) discloses an adaptive big-data-processing-based anomaly detection system including: a data collection unit that collects user data; a big data DB that accumulates the collected user data; a data mining unit that analyzes the big data to pattern the data for each user, identifies the typical characteristics of each behavior type in the per-user patterns, and sets anomaly patterning criteria from the identified behavior-type characteristics; a modeling unit that sets anomaly judgment criteria using the anomaly patterning criteria; and a data collection unit that applies the anomaly judgment criteria set by the modeling unit to the user data provided by the data collection unit to determine anomalies in a context-adaptive manner.
The systems disclosed in the prior art detect a user's abnormal behavior pattern against a predetermined normal pattern based on statistical counts, which makes it difficult to trace increasingly sophisticated personal information leaks.
The prior art defines and fixes normal behavior in advance without considering the user's business behavior, and judges anything outside that definition to be an abnormal behavior pattern. As a result, when a user performs a specific task, task characteristics that fall outside the normal behavior cannot be handled appropriately.
In the prior art, whenever new data arises or the criteria for normal behavior change, a new rule that can define it has to be set.
The present invention has been proposed to solve the conventional problems described above, and its object is to provide an integrated control system and method for personal information security products that can determine whether personal information has been leaked on the basis of the user's business behavior.
Another object of the present invention is to provide an integrated control system and method for personal information security products that can reduce the rate of false positives or false negatives that can result from a statistical rule-based analysis method that fixes abnormal patterns in advance.
Still another object of the present invention is to provide an integrated control system for personal information security products that can reduce the rate of false positives or false negatives by analyzing the user's business behavior over the logs that are generated and collected, without fixing abnormal patterns in advance.
To achieve the above objects, the integrated control system for personal information security products according to the present invention is characterized by comprising: a profiling cluster storage module composed of a task-based data conversion unit that converts personal information usage data, in which personal information is used as recorded in the security product logs generated by a user's business behavior, into business behavior list data, a task-based data extraction unit that extracts, for each user, the business behavior list obtained by the data conversion unit, a task-based vector conversion unit that vectorizes the business behavior list extracted for each user, a task-based clustering processing unit that clusters the vectorized business behavior lists using the K-means algorithm to form task-based clusters, a task-based threshold calculation unit that uses the t-digest algorithm to calculate a threshold for the distance values between the center of each task-based cluster and its elements, and a clustering storage unit that stores the task-based clusters and the distance value thresholds in a columnar data format; and an abnormal pattern analysis module including an abnormal pattern determination unit that determines whether behavior is abnormal by comparing the analysis distance value of the cluster obtained from the business behavior list of personal information use, as recorded in the security product logs generated by the user's subsequent business behavior, with the task-based distance value threshold obtained from the storage module.
The abnormal pattern analysis module further includes an analysis data conversion unit, an analysis vector conversion unit, an analysis clustering processing unit, an analysis distance value calculation unit, and a task-based cluster loading unit.
The integrated control method for personal information security products according to the present invention is characterized by comprising: a task-based data conversion step of converting the data generated by the business behavior of a user who uses personal information, as recorded in security product logs, into business behavior list data; a task-based data extraction step of extracting, for each user, the business behavior list obtained in the task-based data conversion step; a task-based vector conversion step of vectorizing the business behavior list extracted for each user in the task-based data extraction step; a task-based clustering processing step of clustering the business behavior lists vectorized in the task-based vector conversion step using the K-means algorithm to form task-based clusters; a task-based threshold calculation step of calculating, using the t-digest algorithm, a task-based distance value threshold between the center of each task-based cluster formed in the task-based clustering processing step and its elements; a clustering storage step of storing, in a columnar data format, the task-based clusters formed in the task-based clustering processing step and the distance value thresholds calculated in the task-based threshold calculation step; and an abnormal pattern analysis step of determining whether behavior is abnormal by comparing the analysis-target distance value between the center of an analysis-target cluster and its elements, obtained from the data generated by the analysis-target business behavior of a user who later uses personal information as recorded in security product logs, with the task-based distance value threshold stored in the clustering storage step.
The analysis-target distance value between the center of the analysis-target cluster and its elements is obtained by: an analysis-target data conversion step of converting the data generated by the analysis-target business behavior of the user who later uses personal information, as recorded in security product logs, into an analysis-target business behavior list; an analysis-target vector conversion step of vectorizing the analysis-target business behavior list generated in the analysis-target data conversion step; an analysis-target clustering processing step of clustering the analysis-target business behavior list vectorized in the analysis-target vector conversion step using the K-means algorithm to form an analysis-target cluster; and an analysis-target distance value calculation step of calculating, using the t-digest algorithm, the analysis-target distance value between the center of the analysis-target cluster formed in the analysis-target clustering processing step and its elements.
According to the present invention, the integrated control system and method for personal information security products can reduce the rate of false positives or false negatives by analyzing the business behavior of users who use personal information, as recorded in the security product logs generated by their business behavior, without fixing abnormal patterns in advance.
FIG. 1 is a block diagram of the integrated control system for personal information security products according to the present invention.
FIG. 2 is a flowchart showing the operation of the profiling cluster storage module of the integrated control system for personal information security products according to the present invention.
FIG. 3 is a flowchart showing the operation of the abnormal pattern analysis module of the integrated control system for personal information security products according to the present invention.
The integrated control system for personal information security products according to the present invention comprises: a profiling cluster storage module composed of a task-based data conversion unit that converts personal information usage data, in which personal information is used as recorded in the security product logs generated by a user's business behavior, into business behavior list data, a task-based data extraction unit that extracts, for each user, the business behavior list obtained by the data conversion unit, a task-based vector conversion unit that vectorizes the business behavior list extracted for each user, a task-based clustering processing unit that clusters the vectorized business behavior lists using the K-means algorithm to form task-based clusters, a task-based threshold calculation unit that uses the t-digest algorithm to calculate a threshold for the distance values between the center of each task-based cluster and its elements, and a clustering storage unit that stores the task-based clusters and the distance value thresholds in a columnar data format; and an abnormal pattern analysis module including an abnormal pattern determination unit that determines whether behavior is abnormal by comparing the analysis distance value of the cluster obtained from the business behavior list of personal information use, as recorded in the security product logs generated by the user's subsequent business behavior, with the task-based distance value threshold obtained from the storage module.
The integrated control method for personal information security products according to the present invention comprises: a task-based data conversion step of converting the data generated by the business behavior of a user who uses personal information, as recorded in security product logs, into business behavior list data; a task-based data extraction step of extracting, for each user, the business behavior list obtained in the task-based data conversion step; a task-based vector conversion step of vectorizing the business behavior list extracted for each user in the task-based data extraction step; a task-based clustering processing step of clustering the business behavior lists vectorized in the task-based vector conversion step using the K-means algorithm to form task-based clusters; a task-based threshold calculation step of calculating, using the t-digest algorithm, a task-based distance value threshold between the center of each task-based cluster formed in the task-based clustering processing step and its elements; a clustering storage step of storing, in a columnar data format, the task-based clusters formed in the task-based clustering processing step and the distance value thresholds calculated in the task-based threshold calculation step; and an abnormal pattern analysis step of determining whether behavior is abnormal by comparing the analysis-target distance value between the center of an analysis-target cluster and its elements, obtained from the data generated by the analysis-target business behavior of a user who later uses personal information as recorded in security product logs, with the task-based distance value threshold stored in the clustering storage step.
Hereinafter, the configuration and operation of the integrated control system and method for personal information security products according to the present invention will be described with reference to the accompanying drawings.
The integrated control system for personal information security products according to the present invention includes a profiling cluster storage module composed of: a task-based data conversion unit (111) that converts data in which personal information is used, as recorded in the security product logs generated by a user's business behavior, into business behavior list data; a task-based data extraction unit (112) that extracts, for each user, the business behavior list obtained by the task-based data conversion unit (111); a task-based vector conversion unit (113) that vectorizes the business behavior list extracted for each user; a task-based clustering processing unit (114) that clusters the vectorized business behavior lists using the K-means algorithm to form task-based clusters; a task-based threshold calculation unit (115) that uses the t-digest algorithm to calculate a threshold for the distance values between the center of each task-based cluster and its elements; and a task-based clustering storage unit (116) that stores the clusters of the task list in a columnar data format.
The task-based data conversion unit (111) can generate business list data by defining and sorting indexes, centered on business behavior, for the data in which personal information is used as recorded in the security product logs generated by the user's business behavior. For example, when the user's business behavior consists of 'business behavior 1', 'business behavior 2' and 'business behavior 3', the data conversion unit (111) can define their indexes as '0', '1' and '2' respectively. If the user has used personal information three times through 'business behavior 1', the data conversion unit (111) records the business behavior list as 'business behavior 1:3'.
The task-based data extraction unit (112) extracts, for each user, the business behavior list generated by the task-based data conversion unit (111). For example, if user A uses three items of personal information through 'business behavior 1', the data extraction unit (112) extracts user A's business behavior list as 'business behavior 1:3'; if user B uses four items of personal information through 'business behavior 2', the data extraction unit (112) extracts user B's business behavior list as 'business behavior 2:4'.
The task-based vector conversion unit (113) vectorizes data held in an ordinary table structure into a sparse vector format that is efficient for clustering calculations. For example, when the data of one column consists of the values [1, 0, 0, 0, 0, 0, 5], the vector conversion unit (113) vectorizes it as (7, [0,6], [1,5]), which means that the vector has size 7 and that the values [1,5] are present at index positions [0,6].
The task-based clustering processing unit (114) uses the K-means algorithm to group the given data into K task-based clusters.
The task-based threshold calculation unit (115) calculates the threshold of the distance values between the center of each cluster obtained by the clustering processing unit (114) and its elements.
The task-based clustering storage unit (116) stores the task-based thresholds obtained by the threshold calculation unit (115) for each cluster.
Further, according to the present invention, the integrated control system for personal information security products also includes an abnormal pattern analysis module including an abnormal pattern determination unit (126) that determines whether a personal information access is an abnormal pattern or a normal pattern by comparing the analysis distance value of the analysis cluster, obtained from data in which personal information is used as recorded in the security product logs generated by the user's subsequent business behavior, with the task-based distance value threshold obtained from the profiling cluster storage module.
The abnormal pattern analysis module includes: an analysis data conversion unit (121) that generates an analysis business behavior list from data in which personal information is used, as recorded in the security product logs generated by the user's subsequent business behavior; an analysis vector conversion unit (122) that vectorizes the analysis business behavior list generated by the analysis data conversion unit (121); an analysis clustering processing unit (123) that forms an analysis cluster from the vectorized business behavior list using the K-means algorithm; an analysis distance value calculation unit (124) that uses the t-digest algorithm to calculate the analysis distance value between the center of the analysis cluster and its elements; and a task-based cluster loading unit (125) that loads the threshold of the task-based cluster stored in the task-based cluster storage unit of the profiling cluster storage module.
Hereinafter, the integrated control method for personal information security products according to the present invention will be described with reference to FIG. 2 and FIG. 3.
The integrated control method for personal information security products according to the present invention comprises: a task-based data conversion step of converting the data generated by the business behavior of a user who uses personal information, as recorded in security product logs, into business behavior list data; a task-based data extraction step of extracting, for each user, the business behavior list obtained in the task-based data conversion step; a task-based vector conversion step of vectorizing the business behavior list extracted for each user in the task-based data extraction step; a task-based clustering processing step of clustering the business behavior lists vectorized in the task-based vector conversion step using the K-means algorithm to form task-based clusters; a task-based threshold calculation step of calculating, using the t-digest algorithm, a task-based distance value threshold between the center of each task-based cluster formed in the task-based clustering processing step and its elements; a clustering storage step of storing, in a columnar data format, the task-based clusters formed in the task-based clustering processing step and the distance value thresholds calculated in the task-based threshold calculation step; and an abnormal pattern analysis step of determining whether behavior is abnormal by comparing the analysis-target distance value between the center of an analysis-target cluster and its elements, obtained from the data generated by the analysis-target business behavior of a user who later uses personal information as recorded in security product logs, with the task-based distance value threshold stored in the clustering storage step.
First, as shown in Table 1 below, consider an example in which three users (U001, U002, U003) use personal information, as recorded in the security product logs generated by their business behavior.
Table 1
User ID | Business behavior list | Number of personal information uses
U001 | Business behavior 1 | 3
U002 | Business behavior 2 | 4
U003 | Business behavior 3 | 1
U002 | Business behavior 1 | 3
U003 | Business behavior 1 | 3
In the profiling cluster storage module, the task-based data conversion unit (111) generates business behavior list data by defining and sorting indexes, keyed on business behavior, for the data in which users use personal information, as illustrated in Table 2 below (see step 211). For example, the task-based data conversion unit (111) defines 'business behavior 1', 'business behavior 2' and 'business behavior 3' on the monitor screen as the indexes '0', '1' and '2' respectively.
Table 2
User ID | Business behavior list | Number of personal information uses | Index
U001 | Business behavior 1 | 3 | 0
U002 | Business behavior 2 | 4 | 1
U003 | Business behavior 3 | 1 | 2
U002 | Business behavior 1 | 3 | 0
U003 | Business behavior 1 | 3 | 0
In step 212, the task-based data extraction unit (112) can extract the business behavior list for each user, as illustrated in Table 3 below. Table 3 shows, by user ID, that U001 used personal information through business behavior 1, U002 used personal information through business behavior 1 and business behavior 2, and U003 used personal information through business behavior 1 and business behavior 3.
Table 3
User ID | Index list | Business behavior list
U001 | [0] | Business behavior 1:3
U002 | [0,1] | Business behavior 1:3, Business behavior 2:4
U003 | [0,2] | Business behavior 1:3, Business behavior 3:1
In step 213, the task-based vector conversion unit (113) vectorizes the business behavior list extracted for each user, as illustrated in Table 4 below. In each vector value in Table 4, the first value is the length of the business behavior index over the whole log, the second value is the user's business behavior indexes, and the third value is the number of personal information uses for each of the user's business behavior indexes.
Table 4
User ID | Vector value
U001 | (3,[0],[3])
U002 | (3,[0,1],[3,4])
U003 | (3,[0,2],[3,1])
In step 214, the task-based clustering processing unit (114) applies the K-means algorithm to the vectorized per-user business behavior lists to form task-based clusters, as illustrated in Table 5 below.
Table 5
User ID | Vector value | Task-based cluster
U001 | (3,[0],[3]) | 0
U002 | (3,[0,1],[3,4]) | 1
U003 | (3,[0,2],[3,1]) | 0
In step 215, the task-based threshold calculation unit (115) uses the t-digest algorithm to calculate, for each user, the distance value between the cluster center and the elements, and derives the threshold, as illustrated in Table 6 below. In Table 6, users U001 and U003 belong to the same task-based cluster, so the distance from each of the two users to the cluster center is calculated as 0.25; user U002 forms a cluster alone, so its value is calculated as 0.0.
Table 6
User ID | Vector value | Task-based cluster | Distance value
U001 | (3,[0],[3]) | 0 | 0.25
U002 | (3,[0,1],[3,4]) | 1 | 0.0
U003 | (3,[0,2],[3,1]) | 0 | 0.25
In step 216, the task-based clustering storage unit stores the task-based threshold of the distance values for each cluster in the form of Table 7 below.
Table 7
Task-based cluster | Distance value threshold
0 | [0.25, 0.25]
1 | [0.0]
After the task-based distance value thresholds of the task-based clusters have been obtained through the process described above, when data in which a specific user uses personal information is newly input through the security product logs generated by that user's business behavior, an analysis cluster is computed from the specific user's new data and the analysis distance value is calculated. The calculated analysis distance value is compared with the task-based threshold to determine whether the specific user's use of personal information is an abnormal pattern or a normal pattern.
That is, in step 311, the analysis data conversion unit (121) converts the new personal information usage count data, taken from the security product logs generated by the specific user's business behavior, into business behavior list data. The analysis vector conversion unit (122) vectorizes the specific user's business behavior list.
In step 312, the analysis clustering processing unit (123) uses the K-means algorithm to form an analysis cluster from the specific user's vectorized business behavior list, and the analysis distance value calculation unit (124) calculates the analysis distance value between the center of the analysis cluster and its elements.
The task-based cluster loading unit (125) of the abnormal pattern analysis module loads the corresponding cluster stored in the cluster storage unit (116) and extracts the task-based threshold (see steps 313 and 314).
In step 315, the abnormal pattern determination unit (127) compares the extracted task-based threshold with the analysis distance value to determine whether the specific user's use of personal information is an abnormal pattern or a normal pattern. For example, if the analysis distance value is greater than the threshold, the behavior is judged to be an abnormal pattern; otherwise it is judged to be a normal pattern.
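The profiling steps (211 to 216) and scoring steps (311 to 315) above, worked through on the Table 1 rows as an added example that is not code from the patent. It assumes squared Euclidean distance (which reproduces the 0.25 and 0.0 of Table 6), substitutes an exact nearest-rank quantile for the t-digest estimate, and scores a new vector against the nearest stored centroid; all function names are hypothetical.

```python
from math import ceil

# Constructed sample rows mirroring Table 1: (user ID, business behavior, use count).
LOG_ROWS = [
    ("U001", "business behavior 1", 3),
    ("U002", "business behavior 2", 4),
    ("U003", "business behavior 3", 1),
    ("U002", "business behavior 1", 3),
    ("U003", "business behavior 1", 3),
]
BEHAVIOR_INDEX = {"business behavior 1": 0, "business behavior 2": 1,
                  "business behavior 3": 2}


def to_sparse(rows, index=BEHAVIOR_INDEX):
    """Steps 211-213: per-user (size, [indices], [counts]) sparse vectors."""
    per_user = {}
    for user, behavior, count in rows:
        slot = per_user.setdefault(user, {})
        slot[index[behavior]] = slot.get(index[behavior], 0) + count
    return {u: (len(index), sorted(v), [v[i] for i in sorted(v)])
            for u, v in per_user.items()}


def densify(sparse):
    size, idx, vals = sparse
    dense = [0.0] * size
    for i, v in zip(idx, vals):
        dense[i] = float(v)
    return dense


def sq_dist(a, b):
    # Assumption: squared Euclidean distance; the page does not name the metric.
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, iters=20):
    """Step 214: plain K-means with deterministic farthest-first seeding."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(sq_dist(p, c) for c in centroids)))
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        updated = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            updated.append([sum(col) / len(members) for col in zip(*members)]
                           if members else centroids[j])
        if updated == centroids:
            break
        centroids = updated
    return centroids, labels


def quantile(values, q):
    """Exact nearest-rank quantile; stands in for the t-digest estimate."""
    ordered = sorted(values)
    return ordered[max(0, ceil(q * len(ordered)) - 1)]


def build_profile(rows, k=2, q=1.0):
    """Steps 211-216: centroids plus one distance threshold per cluster."""
    sparse = to_sparse(rows)
    users = sorted(sparse)
    points = [densify(sparse[u]) for u in users]
    centroids, labels = kmeans(points, k)
    distances = {u: sq_dist(p, centroids[lab]) for u, p, lab in zip(users, points, labels)}
    thresholds = {}
    for j in range(k):
        member_d = [distances[u] for u, lab in zip(users, labels) if lab == j]
        thresholds[j] = quantile(member_d, q) if member_d else 0.0
    return {"centroids": centroids, "labels": dict(zip(users, labels)),
            "distances": distances, "thresholds": thresholds}


def is_abnormal(profile, rows):
    """Steps 311-315: score one user's new rows against the stored threshold."""
    (sparse,) = to_sparse(rows).values()  # rows must belong to a single user
    point = densify(sparse)
    cents = profile["centroids"]
    j = min(range(len(cents)), key=lambda c: sq_dist(point, cents[c]))
    return sq_dist(point, cents[j]) > profile["thresholds"][j]
```

Cluster 1 holds only U002, so its stored threshold is 0.0 and any deviation from that single profile scores as abnormal.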
The foregoing merely illustrates preferred embodiments of the present invention, and it should be recognized that those skilled in the art to which the invention pertains may make modifications and changes to the invention without departing from the spirit and gist of the invention as set forth in the claims.

Claims (4)

  1. An integrated control system for personal information security products, comprising: a profiling cluster storage module consisting of a task-based data conversion unit that converts personal information use data, obtained through the logs of security products generated by a user's business behavior, into business behavior list data; a task-based data extraction unit that extracts, for each user, the business behavior list obtained by the data conversion unit; a task-based vector conversion unit that vectorizes the business behavior list extracted for each user; a task-based clustering processing unit that clusters the vectorized business behavior list using a K-means algorithm to form a task-based cluster; a task-based threshold calculation unit that calculates a distance value threshold between the center of the task-based cluster and its elements using a t-digest algorithm; and a clustering storage unit that stores the task-based cluster and the distance value threshold in a columnar data format; and
    an abnormal pattern analysis module including an abnormal pattern determination unit that determines whether behavior is abnormal by comparing the analysis distance value of a cluster, obtained from the business behavior list of personal information use derived from the logs of security products generated by the user's subsequent business behavior, with the task-based threshold obtained from the storage module.
  2. The system according to claim 1,
    wherein the abnormal pattern analysis module further includes an analysis data conversion unit, an analysis vector conversion unit, an analysis clustering processing unit, an analysis distance value calculation unit, and a task-based cluster loading unit.
  3. An integrated control method for personal information security products, comprising: a task-based data conversion step of converting data, generated by the business behavior of a user who uses personal information and obtained through the logs of security products, into business behavior list data and listing it;
    a task-based data extraction step of extracting, for each user, the business behavior list obtained in the task-based data conversion step;
    a task-based vector conversion step of vectorizing the business behavior list extracted for each user in the task-based data extraction step;
    a task-based clustering processing step of clustering the business behavior list vectorized in the task-based vector conversion step using a K-means algorithm to form a task-based cluster;
    a task-based threshold calculation step of calculating, using a t-digest algorithm, a task-based distance value threshold between the center of the task-based cluster formed in the task-based clustering processing step and its elements;
    a clustering storage step of storing the task-based cluster formed in the task-based clustering processing step and the distance value threshold calculated in the task-based threshold calculation step in a columnar data format; and
    an abnormal pattern analysis step of determining whether behavior is abnormal by comparing the analysis target distance value between the center of an analysis target cluster and its elements, obtained from data generated by the analysis target business behavior of a user who later uses personal information and obtained through the logs of security products, with the task-based distance value threshold stored in the clustering storage step.
  4. The method according to claim 3,
    wherein the analysis target distance value between the center of the analysis target cluster and its elements is obtained by:
    an analysis target data conversion step of converting the data, generated by the analysis target business behavior of the user who later uses personal information and obtained through the logs of security products, into an analysis target business behavior list;
    an analysis target vector conversion step of vectorizing the analysis target business behavior list generated in the analysis target data conversion step;
    an analysis target clustering processing step of clustering the analysis target business behavior list vectorized in the analysis target vector conversion step using a K-means algorithm to form an analysis target cluster; and
    an analysis target distance value calculation step of calculating, using a t-digest algorithm, the analysis target distance value between the center of the analysis target cluster formed in the analysis target clustering processing step and its elements.
PCT/KR2018/002350 2017-07-19 2018-02-27 Integrated control system and method for personal information security products WO2019017550A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2017-0169516 2017-07-19
KR1020170091386A KR101810860B1 (en) 2017-07-19 2017-07-19 Integrated monitoring system for personal information security product
KR10-2017-0091386 2017-07-19
KR1020170169516A KR101933712B1 (en) 2017-07-19 2017-12-11 Integraed monitoring method for personal information security product

Publications (1)

Publication Number Publication Date
WO2019017550A1 true WO2019017550A1 (en) 2019-01-24

Family

ID=65016202

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2018/002350 WO2019017550A1 (en) 2017-07-19 2018-02-27 Integrated control system and method for personal information security products

Country Status (1)

Country Link
WO (1) WO2019017550A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18834820

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18834820

Country of ref document: EP

Kind code of ref document: A1