WO2019032502A1 - Knowledge transfer system for accelerating invariant network learning

Knowledge transfer system for accelerating invariant network learning

Info

Publication number
WO2019032502A1
Authority
WO
WIPO (PCT)
Prior art keywords
entities
network
model
invariant
invariant network
Prior art date
Application number
PCT/US2018/045493
Other languages
English (en)
Inventor
Zhengzhang CHEN
Luan Tang
Zhichun Li
Chen LUO
Original Assignee
Nec Laboratories America, Inc.
Priority date
Filing date
Publication date
Priority claimed from US16/055,675 external-priority patent/US10511613B2/en
Application filed by Nec Laboratories America, Inc. filed Critical Nec Laboratories America, Inc.
Publication of WO2019032502A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G06N5/00: Computing arrangements using knowledge-based models
    • G06N5/01: Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
    • G06N5/02: Knowledge representation; Symbolic representation
    • G06N5/022: Knowledge engineering; Knowledge acquisition

Definitions

  • the present invention relates to enterprise networks and, more particularly, to implementing a knowledge transfer system for accelerating invariant network learning.
  • a computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi -relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.
  • a system for implementing a knowledge transfer based model for accelerating invariant network learning includes a memory and a processor in communication with the memory, wherein the processor is configured to generate an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employ a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employ a reference construction model for determining differences between the source and target domain graphs, and construct unbiased dependencies between the entities to generate a target invariant network, and output the generated target invariant network on a user interface of a computing device.
  • a non-transitory computer-readable storage medium comprising a computer- readable program for implementing a knowledge transfer based model for accelerating invariant network learning
  • the computer-readable program when executed on a computer causes the computer to perform the steps of generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.
  • FIG. 1 is an example architecture of an automatic security intelligence system, in accordance with embodiments of the present invention.
  • FIG. 2 is an example architecture of an intrusion detection engine, in accordance with embodiments of the present invention.
  • FIG. 3 is an example architecture of a network analysis module, in accordance with embodiments of the present invention.
  • FIG. 4 is an example framework of an online anomaly detection component, in accordance with embodiments of the present invention.
  • FIG. 5 is an example of node similarity, in accordance with embodiments of the present invention.
  • FIG. 6 is a block/flow diagram illustrating a method of implementing a blue print graph model, in accordance with embodiments of the present invention.
  • FIG. 7 is a block/flow diagram illustrating a method of detecting abnormal network connections, in accordance with embodiments of the present invention.
  • FIG. 8 is a block/flow diagram illustrating a TINET workflow of learning the invariant network, in accordance with embodiments of the present invention.
  • FIG. 9 is a block/flow diagram illustrating an overview of the TINET model including two sub-models (entity estimation model and dependency construction model), in accordance with embodiments of the present invention.
  • Embodiments of the invention provide TINET, a knowledge transfer based model for accelerating invariant network construction.
  • an entity estimation model is employed to estimate the probability of each source domain entity that can be included in the final invariant network of the target domain.
  • a dependency construction model is employed for constructing the unbiased dependency relationships by solving a two-constraint optimization problem.
  • FIG. 1 shows the overall architecture 100 of the Automatic Security Intelligence (ASI) system.
  • the components are: agents 1000, installed on each host of the enterprise network to collect operational data; backend servers 2000, which receive the data from the agents, pre-process them, and send the processed data to the analysis server; the analysis server 3000, which runs the security application programs to analyze the data; and the system invariant network 4000.
  • the intrusion detection engine 3100 is an application for detecting any possible intrusion from sources inside/outside the enterprise network.
  • the analysis server 3000 runs the security application programs to analyze the data.
  • the system invariant network 4000 component automatically and incrementally constructs a system blueprint with confidence to holistically profile the whole system. It is essential to many forensic analysis applications, such as intrusion detection, incident backtracking, and system recovery. This technique is integrated into the system invariant network construction.
  • FIG. 2 shows the architecture 200 of an intrusion detection engine. There can be five modules in the engine.
  • the data distributor 3110 that receives the data from the backend server and distributes the corresponding data to a network or host level modules.
  • the network analysis module 3120 that processes the network connection events (including TCP (transmission control protocol) and UDP (user datagram protocol)) and detects the abnormal connections.
  • the host level analysis module 3130 that processes the host level events, including user-to-process, process-to-file, user-to-registry, etc.
  • the abnormal host level events are then generated.
  • the anomaly fusion module 3140 that integrates the network and host level anomalies and refines the results for trustworthy intrusion events.
  • the visualization module 3150 that outputs the detection results to end users.
  • the technique of this invention serves as the main part of network analysis module 3120.
  • FIG. 3 illustrates the architecture 300 of the network analysis module.
  • the blue print graph model 3121, which is a relationship model constructed and updated on the streaming network connection events from 3110.
  • the online processing component that takes the network connections as input, conducts analysis based on the blue print graphs, and outputs the detected abnormal network connections to 3140.
  • a flowchart 600 (FIG. 6) summarizes such process.
  • the ASI agents are installed on the hosts of the enterprise network, and the ASI agents collect all the network connection events and send them to the analysis server.
  • a network event contains the following information.
  • the ASI agent is lightweight software. To reduce workload and preserve privacy, the agent does not collect the content or traffic size of the network connections; such information is therefore not available for the system to analyze.
  • Table 1 illustrates a list of network event samples from 11:30 am to 12:05 pm on 2016-2-29. These network events can be classified into two categories based on the dst ip: if the dst ip is in the range of the enterprise network's IP addresses (138.15.xx.xx), the network event is an inside connection between two hosts of the enterprise network. If the dst ip is not in the range, it is an outside connection between an internal host and an external host.
  • the blue print graph of topology (topology graph) is used to model the source and destination relationship of the connection events inside the enterprise network.
  • the blue print graph of process-destination-port (port graph) is used to model the relationship between process and destination ports of all the network connections.
  • the topology blue print graph G_t = <V, E>, where V is the node set of hosts inside the enterprise network and E is the edge set.
  • the last connection time records the timestamp of the latest network connection on the node/edge. This measurement is used to update the blue print graphs. If a node/edge has no connection event for quite a long time (e.g., 2 months), the system removes such a node/edge to keep the blue print graphs up-to-date.
  • In the topology graph, if there is a new network connection between a pair of hosts inside the enterprise network, an edge is constructed between these two host nodes. The last connection time of both nodes and the edge is updated to the timestamp of the connection event. Note that the topology graph does not store the total count of connection events between a pair of nodes. Since the ASI agent does not monitor the contents and traffic of the network connections, the total count of connections is not meaningful and can be misleading. In real applications, many normal processes may initiate thousands of network connection events in one second via the same edge, so a large total count does not indicate high traffic on the edge.
  • the port blue print graph G_p = <V_p, V_d, E>, where V_p is the node set of processes that initialize the connections, V_d is the node set of destination ports, and E is the edge set.
  • the port graph is a bipartite graph. In this graph, a process node can only connect to port nodes, and vice versa.
  • the source of the edge is always defined as the process, and the destination of the edge is always defined as the port.
  • an edge may be constructed from a source process to a destination port based on the new connection event.
  • the last connection time of both nodes and edges are updated as the timestamp of the connection event.
  • the first process summarized below illustrates the steps used to construct and update both graphs over the streaming data. For each new connection event, the system first checks whether the topology graph contains the source and destination host nodes, and adds the nodes if they are not contained (Steps 1 to 2). Then the system checks the edge existence between the pair of host nodes and adds a new edge if there is no edge between both nodes (Steps 3 to 4).
  • In Step 5, the last connection time of the edge and nodes is updated based on the event's timestamp.
  • The steps for updating the port graph are similar (Steps 6 to 12).
  • the system removes outdated nodes and edges and returns the updated graphs (Steps 13 to 14). Note that this process is employed for both constructing the graph models and maintaining them up-to-date.
  • the constructed blue print graphs can be saved in files and loaded by a different analysis engine.
  • the users may construct the graphs from one enterprise network, and load the constructed graphs on the stream of another enterprise network.
  • the process automatically updates the blue print graphs. It does not require the users to provide any specific information of the enterprise network. Hence, it is more feasible for system deployment in real applications.
  • Process 1 can be given as follows:
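The listing of Process 1 is not reproduced in this extraction. A minimal Python sketch of the construction-and-update loop it describes (add missing nodes and edges, refresh last-connection times, prune outdated entries) might look like the following; the class name and the retention constant are illustrative, not from the patent.

```python
WINDOW = 60 * 24 * 3600  # retention period for idle nodes/edges, roughly 2 months

class TopologyGraph:
    """Sketch of the topology blue print graph G_t = <V, E>."""
    def __init__(self):
        self.node_time = {}   # host -> timestamp of its latest connection
        self.edge_time = {}   # (src_host, dst_host) -> latest timestamp

    def update(self, src, dst, ts):
        # Steps 1-4: add missing host nodes and the edge if absent.
        # Step 5: refresh the last connection time of nodes and edge.
        self.node_time[src] = ts
        self.node_time[dst] = ts
        self.edge_time[(src, dst)] = ts

    def prune(self, now):
        # Steps 13-14: drop nodes/edges idle longer than the retention window.
        self.edge_time = {e: t for e, t in self.edge_time.items()
                          if now - t <= WINDOW}
        self.node_time = {v: t for v, t in self.node_time.items()
                          if now - t <= WINDOW}
```

The same pattern applies to the port graph, with (process, port) pairs as edges.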
  • a flowchart 700 (FIG. 7) summarizes such process.
  • FIG. 4 shows the framework of an online anomaly detection component 400.
  • This component takes both blue print graphs and the new connection event as input.
  • the system first matches the event to a blue print graph and checks whether the event is on an existing edge of the graph. If the event is on the existing edge, it means that a connection with the same topology/port information has been seen before, and such an event is normal.
  • the system then updates the blue print graph based on this event. If the event cannot be matched to any edge, it means that the event has an unseen relationship. In such a case, the system needs to further compute the probability of this connection.
  • If the probability is larger than a threshold, the event is still normal and the system updates the blue print graph by adding a new edge based on the event. If the probability is low, the connection is not likely to happen, and the system outputs the event as an abnormal connection.
  • Three key factors in computing the connection probability for a new edge are: (1) whether the source or destination node always has new edges in previous periods (node stability); (2) whether the source or destination node has many edges already (node diversity); and (3) whether the source or destination has connected to a similar node before (node similarity).
  • the nodes and edges are updated based on the arriving network connection events. After a while, some nodes always have new edges, but other nodes become stable with a constant number of edges. The following measure is employed to model the stability of a node.
  • the range of node stability is [0, 1]. When a node has no stable window, i.e., the node always has new edges in every window, the stability is 0; if all the windows are stable, the node stability is 1. In real applications, the window length is set to 24 hours (a day), so the stability of a node is determined by the number of days on which the node has no new edges and the total number of days. Note that the node stability can be easily maintained over the stream: the system only stores three numbers for each node and updates them every 24 hours.
  • the time complexity of computing node stability is O(1).
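As a sketch of the streaming bookkeeping described above (the counter names are hypothetical), node stability can be maintained with a few numbers per node, giving the O(1) update cost the text claims:

```python
class NodeStability:
    """Streaming node stability: the fraction of 24-hour windows
    in which the node gained no new edges."""
    def __init__(self):
        self.total_windows = 0
        self.stable_windows = 0
        self.new_edge_in_current = False

    def on_new_edge(self):
        # Called whenever a new edge touches this node.
        self.new_edge_in_current = True

    def close_window(self):
        # Called once per 24-hour window.
        self.total_windows += 1
        if not self.new_edge_in_current:
            self.stable_windows += 1
        self.new_edge_in_current = False

    def stability(self):
        if self.total_windows == 0:
            return 0.0
        return self.stable_windows / self.total_windows
```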
  • some nodes have many edges, e.g., a public server in the topology graph may have edges to hundreds of hosts. Thus, the probability is much higher for this node to have more new edges.
  • the range of node diversity in the topology graph is [0, 1]. For a node without any edge, the diversity is 0, and if the node connects to every other node in the graph, the diversity is 1.
  • the port graph is a bipartite graph. For each edge in the port graph, the source is always a process node and the destination is always a port node.
  • the process node diversity and port node diversity are defined by Eqs. 5 and 6, where |V_d| is the size of the port node set and |V_p| is the size of the process node set.
  • the range of node diversity in the port graph is also [0,1]. If a process connects to all the ports, or a port has connections from every process, the node diversity reaches the maximum as 1.
  • the node diversity can also be efficiently computed over the stream.
  • the system stores a total number of edges from/to each node, and updates the number when a new edge is added to the graph.
  • the time complexity of computing the node diversity is O(1).
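Since Eqs. 4-6 are not reproduced in this text, the following sketch only mirrors the prose definitions: a node's degree normalized by the number of possible neighbors. The function names are illustrative.

```python
def topology_diversity(degree, n_nodes):
    """Topology-graph diversity: edges of v over the n-1 possible peers."""
    return degree / (n_nodes - 1) if n_nodes > 1 else 0.0

def process_diversity(out_degree, n_ports):
    """Port-graph diversity of a process node: edges over |V_d| ports."""
    return out_degree / n_ports if n_ports else 0.0

def port_diversity(in_degree, n_processes):
    """Port-graph diversity of a port node: edges over |V_p| processes."""
    return in_degree / n_processes if n_processes else 0.0
```

Each value only needs the node's running edge count, so the streaming update is O(1) as stated.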
  • The third factor in connection probability computation is the node similarity, which indicates whether the source/destination has connected to similar nodes before.
  • Let v1 and v2 be two nodes of the same type in the blue print graph; dst(v) and src(v) denote the destinations/sources that have edges from/to v.
  • the node similarity is defined as Eqs. 7 and 8.
  • v1 and v2 must be of the same type, i.e., they are both host nodes in the topology graph, or both process nodes or both port nodes in the port graph.
  • the source similarity (Eq.7) between the two nodes is indeed the Jaccard similarity of their destinations, and the destination similarity (Eq.8) is the Jaccard similarity of the sources that have connected to both nodes.
  • the range of node similarity is [0, 1]. If both nodes have the same sources/destinations in the blue print graph, their similarity is 1; if they have no common sources/destinations, the similarity is 0.
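The Jaccard similarities of Eqs. 7 and 8, as described in the prose, can be sketched directly over Python sets:

```python
def jaccard(a, b):
    """Jaccard similarity of two sets; defined as 0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def src_similarity(dst_v1, dst_v2):
    # Eq. 7: similarity of two source nodes via their destination sets.
    return jaccard(dst_v1, dst_v2)

def dst_similarity(src_v1, src_v2):
    # Eq. 8: similarity of two destination nodes via their source sets.
    return jaccard(src_v1, src_v2)
```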
  • connection probability can be defined as follows. Connection Probability: let e be a new connection event, G be a blue print graph, and v1 and v2 be the source and destination nodes when matching e to G. The connection probability, p(e|G), is defined as shown in Eq. 9, where the source and destination abnormal scores of v1 and v2 are computed in Eqs. 10 and 11.
  • the abnormal score of source node v1 is computed as shown in Eq. 10 from the node stability, the node diversity, and dst(v1), the set of destination nodes that v1 has connected to in the blue print graph G.
  • the abnormal score of destination node v2 is computed in Eq. 11, where src(v2) is the set of source nodes that have connections to v2.
  • the measure of node similarity is different from the measures of stability and diversity.
  • the stability and diversity are defined on a single node, but the similarity is a score computed by comparing two nodes.
  • the node similarity is computed between v2 and every historical destination of v1, and the maximum is used to compute the abnormal score.
  • the intuition is that if one can find a node that v1 has connected to in history with high similarity to v2, then the connection probability between v1 and v2 is high.
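Eqs. 9-11 are not reproduced in this extraction, so the following is only one plausible composition of the three factors, consistent with the prose: each factor pulls an endpoint's abnormal score toward zero when the new edge looks plausible, and the event probability is high unless both endpoints look abnormal. The exact formulas in the patent may differ.

```python
def abnormal_score(stability, diversity, max_similarity):
    # Hypothetical composition (Eqs. 10-11 are not shown in the text):
    # a stable, low-diversity node that never connected to anything
    # similar to the new peer scores as highly abnormal.
    return stability * (1.0 - diversity) * (1.0 - max_similarity)

def connection_probability(score_src, score_dst):
    # Sketch of Eq. 9: the event is unlikely only when BOTH endpoints
    # look abnormal.
    return 1.0 - score_src * score_dst
```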
  • a small blue print graph 500 with six nodes is presented.
  • the edge from node v2 to v5 is a new edge.
  • the system needs to check the node similarity between v5 and the old destination nodes that v2 has connected to before (v4 and v6).
  • v4 is more similar to v5 than v6 is; thus, the system uses the similarity between v4 and v5 to compute the abnormal score of v2.
  • Let n be the total number of nodes in the graph.
  • The system has to check n-1 nodes for one round of comparison, and the comparison has to be carried out n-1 times, so the total time complexity is O(n^2).
  • Let e be a new connection event, G be a blue print graph, and v1 and v2 be the source and destination nodes when matching e to G. A lower bound of the connection probability, p_low(e|G), can then be computed cheaply.
  • If p_low(e|G) is larger than or equal to the threshold, the connection event is definitely normal, and the system can let it pass without further computation. Only when p_low(e|G) is less than the threshold does the system need to compute the exact connection probability.
  • the second process shows the detailed steps of online anomaly detection.
  • the system takes the connection event, two blue print graphs and a threshold of connection probability as input, and outputs the abnormal labels of the event.
  • the system first matches the event to the topology graph; if the event is an existing edge, the topology abnormal label is false (i.e., the event is normal from a topology perspective) (Steps 1 to 2). If the event is a new edge, the system computes the lower bound of the connection probability; if the lower bound is already larger than or equal to the threshold, the topology abnormal label is still false (Steps 4 to 5). Only when the lower bound is less than the threshold does the system compute the connection probability and compare the result with the threshold.
  • Process 2 can be given as follows:
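The listing of Process 2 is likewise not reproduced here. Under that caveat, its control flow for a single blue print graph can be sketched as follows, with the probability and lower-bound computations passed in as callables (an assumption made for illustration):

```python
def detect(event_edge, graph_edges, prob_fn, lower_bound_fn, threshold):
    """Return True when the event should be labeled abnormal."""
    if event_edge in graph_edges:
        # Steps 1-2: a known edge is normal.
        return False
    if lower_bound_fn(event_edge) >= threshold:
        # Steps 4-5: cheap lower bound already clears the threshold.
        return False
    # Full connection-probability check only when the bound is inconclusive.
    return prob_fn(event_edge) < threshold
```

The same routine would be run against both the topology graph and the port graph, and the anomaly fusion module combines the two labels.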
  • Dynamic information systems such as cyber-physical systems, enterprise systems, and cloud computing facilities, are inherently complex. These large-scale systems usually include a great variety of components/entities that work together in a highly complex and coordinated manner.
  • the cyber-physical system is usually equipped with a large number of wireless sensors that keep recording the running status of the local physical and software components.
  • Recently, the concept of invariants has been employed to study complex systems. Such invariant models focus on discovering stable and significant dependencies between pairs of system entities that are monitored through surveillance data recordings, so as to profile the system status and perform subsequent reasoning. A strong dependency between a pair of entities is called an invariant relationship. By combining the invariants learned from all monitored entities, a global system dependency profile can be obtained. The significant practical value of such an invariant profile is that it provides important clues on abnormal system behaviors, and in particular on the source of anomalies, by checking whether existing invariants are broken.
  • the first prerequisite is to construct the invariant network from the system streaming data.
  • a node represents a system component/entity and an edge indicates a stable, significant interaction between two system entities.
  • the network structure and invariant/dependency relations are inferred by continuously collecting and analyzing the surveillance data generated by the system.
  • the good news is that it is easy and fast to compute a partial, significantly incomplete invariant network of the new environment of interest. To avoid the prohibitively time- and resource-consuming network building process, the exemplary embodiments complete this partial information reliably by transferring knowledge from another invariant network. Formally, given a partial invariant network of the target domain and a complete invariant network of the source domain, how can a user reliably compute the full invariant network of the target domain?
  • Challenge 1: Identifying the domain-specific/irrelevant entities between two environments. As aforementioned, since the environments are different, not all entities of the source domain are related to the target domain. For instance, an invariant network from an electronic factory system will have entities, such as energy-related programs, that will not exist in an information technology (IT) company's enterprise system. Thus, a user needs to identify the right entities that can be transferred from the source domain to the target one.
  • Challenge 2: Constructing the invariant relationships in the new environment. After transferring the entities from source to target, a user also needs to identify invariant relationships between the entities to complete the invariant network. The challenge is to extract the invariant information from the old environment and then combine this knowledge with the partial invariant network of the new environment.
  • TINET is introduced, which is an efficient and effective method for transferring knowledge between Invariant Networks.
  • TINET includes two sub-models: EEM (Entity Estimation Model) and DCM (Dependency Construction Model).
  • EEM filters out irrelevant entities from the source network based on entity embedding and manifold learning. Only the entities with statistically high correlations with the target domain are transferred. Then, after transferring the entities, DCM model effectively constructs invariant (dependency) relationships between different entities for the target network by solving a two-constraint optimization problem.
  • the exemplary embodiments can use an existing invariant network of an old environment to complete the partial invariant network of the new environment. As a result, the costly time and resource consuming rebuilding process of the invariant network from scratch can be avoided.
  • the exemplary methods perform an extensive set of experiments on both synthetic and real-world data to evaluate the performance of TINET.
  • the results demonstrate the effectiveness and efficiency of the novel algorithm.
  • the exemplary methods also apply TINET to real enterprise security systems for intrusion detection.
  • By using TINET, the exemplary methods can achieve more than 75% accuracy after 3 days of training time, almost the same performance as 30 days of invariant network construction without TINET. By contrast, building an invariant network from only 3 days of data achieves only about 10% accuracy.
  • the exemplary methods can thus achieve superior detection performance with at least a 20-day lead time, at more than 75% accuracy.
  • an invariant network is a graph between different computer system entities such as processes, files, and Internet sockets.
  • the edges indicate the stable causal dependencies including a process accessing a file, a process forking another process, and a process connecting to an Internet socket.
  • a network including all the invariant links is referred to as the invariant network.
  • Constructing the invariant network from the system monitoring or surveillance data is referred to as the model training.
  • the learned complete invariant network, as the system profile, can be applied to many autonomic system management applications, such as anomaly detection, system fault diagnosis, incident backtracking, etc.
  • Let Gs be the well-trained invariant network constructed from the data collected in the source domain.
  • the main goal is to transfer knowledge from Gs to help construct a complete invariant network of the target domain.
  • "source network" ("target network") is used as the short name for the invariant network of the source domain (target domain).
  • the exemplary embodiments introduce a knowledge transfer algorithm with two sub-models: EEM (Entity Estimation Model) and DCM (Dependency Construction Model) as illustrated in FIG. 9.
  • Entity Estimation Model: the goal is to filter out the entities in the source network Gs that are irrelevant to the target domain.
  • Objective Function: To overcome the lack of intrinsic correlation measures among heterogeneous entities, entities are embedded into a common latent space where their semantics can be preserved. More specifically, each entity, such as a user or a process in a computer system, is represented as a d-dimensional vector that can be automatically learned from the data.
  • the correlation of entities can be naturally computed by distance/similarity measures in the space, such as Euclidean distances, vector dot product, and so on.
  • Compared to Jaccard similarity, the embedding method is more flexible and has properties such as transitivity.
  • a meta-path is a path that connects entity types (labels) via a sequence of relations over a heterogeneous network.
  • a meta-path can be a "Process-File-Process", or a "File-Process-Internet Socket”.
  • Process-File-Process denotes the relationship of two processes loading the same file.
  • File-Process-Internet Socket denotes the relationship of a file loaded by a process that opened an Internet socket.
  • the potential meta-paths induced from the heterogeneous network Gs can be infinite, but not every single one is relevant and useful for the specific task of interest. Fortunately, there are some algorithms introduced recently for automatically selecting the meta-paths for specific tasks.
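As an illustration of a meta-path such as "Process-File-Process" (the plain instance count used here is an assumption, not necessarily the patent's relevance measure), instances can be enumerated from process-file edges:

```python
from collections import defaultdict

def pfp_counts(process_file_edges):
    """Count Process-File-Process meta-path instances: a pair of
    processes is related once per file they both load."""
    by_file = defaultdict(set)
    for proc, f in process_file_edges:
        by_file[f].add(proc)
    counts = defaultdict(int)
    for procs in by_file.values():
        ps = sorted(procs)
        for i in range(len(ps)):
            for j in range(i + 1, len(ps)):
                counts[(ps[i], ps[j])] += 1
    return dict(counts)
```

Such counts are a common way to turn a chosen meta-path into pairwise features for the embedding step.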
  • a trade-off factor controls the weight of the generalization term.
  • the method can choose the norm parameter as 1 or 2, which bears a resemblance to the Hamming distance and the Euclidean distance, respectively.
  • the optimized value can then be obtained by minimizing the objective.
  • the objective function in Eq. 2 includes two sets of parameters: (1) u s and (2) W.
  • the method proposes a two-step iterative process for the optimization, in which the two parameter sets are updated alternately.
  • In the first step, the method fixes the weight vectors W and learns the best entity vector matrix u_s.
  • this step has a closed-form solution via the multi-dimensional scaling technique. More specifically, to obtain such an embedding, the method computes the eigenvalue decomposition of the doubly centered similarity matrix, where H is the centering matrix.
  • U has columns as the eigenvectors, and a diagonal matrix holds the corresponding eigenvalues.
  • u_s can then be computed from the top eigenvectors, scaled by the square roots of their eigenvalues.
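The closed-form step reads like classical multi-dimensional scaling; under that assumption, a NumPy sketch of the eigendecomposition-based embedding is:

```python
import numpy as np

def mds_embedding(dissimilarity, dim):
    """Classical MDS: embed n entities in `dim` dimensions from an
    n x n dissimilarity matrix."""
    n = dissimilarity.shape[0]
    H = np.eye(n) - np.ones((n, n)) / n          # centering matrix H
    B = -0.5 * H @ (dissimilarity ** 2) @ H      # doubly centered Gram matrix
    eigvals, eigvecs = np.linalg.eigh(B)         # ascending eigenvalues
    order = np.argsort(eigvals)[::-1][:dim]      # keep the largest `dim`
    lam = np.clip(eigvals[order], 0, None)       # guard against tiny negatives
    # Embedding: eigenvectors scaled by sqrt of their eigenvalues.
    return eigvecs[:, order] * np.sqrt(lam)
```

For distances that are exactly Euclidean, the pairwise distances of the embedding reproduce the input matrix.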
  • the method also has a closed-form solution for the weight vectors W.
  • After the method obtains the embedding vectors u_s, the relevance matrix between different entities can be computed from their pairwise similarities in the latent space. The method could use a user-defined threshold to select the entities with high correlation to the target domain for transfer, but this thresholding scheme often suffers from a lack of domain knowledge. The method thus introduces a hypothesis test to automatically threshold the selection of entities.
  • Consistency Constraint: the inconsistency between the source and target networks should be similar to the inconsistency between their corresponding sub-graphs.
  • Before the above two constraints are modeled, the method first needs a measure to evaluate the inconsistency between different domains. As aforementioned, invariant networks are normal profiles of their corresponding domains, so the method employs the distance between different invariant networks to denote the domain inconsistency.
  • a novel metric, named the dynamic factor, is thus introduced between two invariant networks from two different domains. It is computed from the adjacency matrices of the two networks, normalized by the number of edges of a fully connected graph with n_s entities, where n_s is the number of entities in the source network.
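Because the formula itself is garbled in this extraction, the following is only a hypothetical reading of the dynamic factor: the number of edges that differ between the two adjacency matrices, normalized by the edge count of a complete graph on n_s entities.

```python
import numpy as np

def dynamic_factor(A_s, A_t):
    """Hypothetical dynamic factor between two invariant networks,
    given their adjacency matrices over the same n_s entities."""
    n_s = A_s.shape[0]
    full_edges = n_s * (n_s - 1) / 2          # edges of a complete graph
    diff = np.abs(A_s - A_t)                  # edge-wise disagreement
    # Count each undirected edge once via the strict upper triangle.
    return np.triu(diff, k=1).sum() / full_edges
```

Under this reading the factor is 0 for identical networks and 1 when every possible edge disagrees, matching its role as a domain-inconsistency score.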
  • u_T is the vector representation of the entities in the target network.
  • the first term of the model incorporates the smoothness constraint component, which keeps u_T close to the target domain knowledge in the partial target network.
  • the second term considers the consistency constraint, namely that the inconsistency between the constructed target network and the source network should be similar to the inconsistency between their observed counterparts; two trade-off parameters weight these terms.
  • there are two parameters, ⁇ and ⁇ , in the model.
  • such parameters are typically assigned manually based on experiments and experience.
  • when a large number of entities are transferred to the target domain, a large λ can improve the transfer result, because more information needs to be added from the source domain.
  • when only a small number of entities are transferred to the target domain, a large λ will bias the result. Therefore, the value of λ depends on how many entities are transferred from the source domain to the target domain.
  • the proportion of the transferred entities can thus be used to calculate λ. Given the entity size of the transferred sub-graph and the entity size of the target network, λ can be set from their ratio.
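One plausible sketch of this heuristic follows; the name `transfer_weight` and the simple ratio are assumptions for illustration, since the patent's exact formula for the parameter is not shown here.

```python
def transfer_weight(n_transferred, n_target):
    """Hypothetical helper: weight the consistency term by the proportion
    of entities transferred from the source domain into the target domain."""
    if n_target == 0:
        raise ValueError("target domain must contain at least one entity")
    return n_transferred / n_target
```

For example, transferring 25 entities into a target domain of 100 entities would give a weight of 0.25, so the consistency term contributes more as the share of transferred entities grows.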
  • the time for learning the model is dominated by computing the objective functions and their corresponding gradients with respect to the feature vectors.
  • Entity Estimation Model (EEM)
  • the time complexity of computing u_s in Eq. 3 is bounded by O(d_1 n), where n is the number of entities in G_S and d_1 is the dimension of the vector space of u_s.
  • the time complexity for computing W is also bounded by O(d_1 n). So, if the number of training iterations for EEM is t_1, the overall complexity of the EEM model is O(t_1 d_1 n).
  • Dependency Construction Model (DCM)
  • the time complexity of computing the gradients of L_2 with respect to the feature vectors is O(t_2 d_2 n), where t_2 is the number of training iterations and d_2 is the dimensionality of the feature vectors.
  • aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can include, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks or modules.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks or modules.
  • processor as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other processing circuitry. It is also to be understood that the term “processor” may refer to more than one processing device and that various elements associated with a processing device may be shared by other processing devices.
  • memory as used herein is intended to include memory associated with a processor or CPU, such as, for example, RAM, ROM, a fixed memory device (e.g., hard drive), a removable memory device (e.g., diskette), flash memory, etc. Such memory may be considered a computer readable storage medium.
  • input/output devices or "I/O devices” as used herein is intended to include, for example, one or more input devices (e.g., keyboard, mouse, scanner, etc.) for entering data to the processing unit, and/or one or more output devices (e.g., speaker, display, printer, etc.) for presenting results associated with the processing unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning is provided. The computer-implemented method includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model to transfer the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model to determine differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.
PCT/US2018/045493 2017-08-09 2018-08-07 Knowledge transfer system for accelerating invariant network learning WO2019032502A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201762543050P 2017-08-09 2017-08-09
US62/543,050 2017-08-09
US16/055,675 2018-08-06
US16/055,675 US10511613B2 (en) 2017-01-24 2018-08-06 Knowledge transfer system for accelerating invariant network learning

Publications (1)

Publication Number Publication Date
WO2019032502A1 true WO2019032502A1 (fr) 2019-02-14

Family

ID=65271459

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/045493 WO2019032502A1 (fr) 2017-08-09 2018-08-07 Knowledge transfer system for accelerating invariant network learning

Country Status (1)

Country Link
WO (1) WO2019032502A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111611410A (zh) * 2020-06-23 2020-09-01 National University of Defense Technology Knowledge processing method and device based on multi-layer cyberspace knowledge representation
US11797611B2 (en) 2021-07-07 2023-10-24 International Business Machines Corporation Non-factoid question answering across tasks and domains

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080114710A1 (en) * 2006-11-09 2008-05-15 Pucher Max J Method For Training A System To Specifically React On A Specific Input
US20130013540A1 (en) * 2010-06-28 2013-01-10 International Business Machines Corporation Graph-based transfer learning
US9008840B1 (en) * 2013-04-19 2015-04-14 Brain Corporation Apparatus and methods for reinforcement-guided supervised learning
US20150379423A1 (en) * 2014-06-30 2015-12-31 Amazon Technologies, Inc. Feature processing recipes for machine learning
US20160267397A1 (en) * 2015-03-11 2016-09-15 Ayasdi, Inc. Systems and methods for predicting outcomes using a prediction learning model

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111611410A (zh) * 2020-06-23 2020-09-01 National University of Defense Technology Knowledge processing method and device based on multi-layer cyberspace knowledge representation
CN111611410B (zh) * 2020-06-23 2024-01-12 National University of Defense Technology Knowledge processing method and device based on multi-layer cyberspace knowledge representation
US11797611B2 (en) 2021-07-07 2023-10-24 International Business Machines Corporation Non-factoid question answering across tasks and domains

Similar Documents

Publication Publication Date Title
US10511613B2 (en) Knowledge transfer system for accelerating invariant network learning
US11451565B2 (en) Malicious activity detection by cross-trace analysis and deep learning
US11218498B2 (en) Context-aware feature embedding and anomaly detection of sequential log data using deep recurrent neural networks
US11082438B2 (en) Malicious activity detection by cross-trace analysis and deep learning
US11522881B2 (en) Structural graph neural networks for suspicious event detection
US10333815B2 (en) Real-time detection of abnormal network connections in streaming data
US10956296B2 (en) Event correlation
EP3528463A1 (fr) Analyste de cybersécurité en intelligence artificielle
US11126493B2 (en) Methods and systems for autonomous cloud application operations
US20190065738A1 (en) Detecting anomalous entities
US10885185B2 (en) Graph model for alert interpretation in enterprise security system
CN110659502B (zh) Project version detection method and system based on text information association relationship analysis
EP3627376A1 (fr) Architecture de noeud de travail d'apprentissage machine
Luo et al. TINET: learning invariant networks via knowledge transfer
Bebortta et al. An adaptive machine learning-based threat detection framework for industrial communication networks
WO2019032502A1 (fr) Système de transfert de connaissances pour accélérer un apprentissage réseau invariant
Qi et al. Cybersecurity knowledge graph enabled attack chain detection for cyber-physical systems
Guigou et al. An artificial immune ecosystem model for hybrid cloud supervision
CN115037561A (zh) A network security detection method and system
Kalaki et al. Anomaly detection on OpenStack logs based on an improved robust principal component analysis model and its projection onto column space
Păduraru et al. RiverIoT-a framework proposal for fuzzing IoT applications
Sweet Synthesizing cyber intrusion alerts using generative adversarial networks
Luo et al. Accelerating dependency graph learning from heterogeneous categorical event streams via knowledge transfer
Siraj et al. Intelligent clustering with PCA and unsupervised learning algorithm in intrusion alert correlation
US20240073229A1 (en) Real time behavioral alert processing in computing environments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18843759

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18843759

Country of ref document: EP

Kind code of ref document: A1