WO2022180424A1 - System for detecting atypical user behaviour in an information system (Système de détection de comportement atypique d'utilisateurs dans un système d'information) - Google Patents

System for detecting atypical user behaviour in an information system

Info

Publication number
WO2022180424A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
session
users
sessions
profile
Prior art date
Application number
PCT/IB2021/051603
Other languages
English (en)
Inventor
Aivars ROŽKALNS
Andrejs JERŠOVS
Aleksandrs ZEĻIKOVIČS
Jurijs KORŅIJENKO
Vitālijs ZABIŅAKO
Arnis KIRŠNERS
Sergejs PARŠUTINS
Henrik GABRIELYAN
Original Assignee
Software Plus, Sia
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Software Plus, Sia
Priority to PCT/IB2021/051603
Publication of WO2022180424A1

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • The present invention relates to a system and a method for sequential anomaly revealing at the business-logic level of an information system using Markov chains and artificial neural networks (ANN).
  • US patent No. 6,370,648 discloses a system for detecting harmful or illegal intrusions into a computer network, or into restricted portions of it, that uses statistical analysis to match user commands and program names against a template sequence. Discrete correlation matching and permutation matching are used to match the sequences.
  • US patent No. 9,516,053 discloses a security platform that employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment.
  • That security platform is "big data" driven and employs machine learning to perform security analytics.
  • It performs user/entity behavioural analytics to detect the security-related anomalies and threats.
  • US patent application publication No. US2016/0342453 discloses a system and methods for anomaly detection in which log sequence monitoring is used in a cloud environment or other system.
  • A cloud administrator or similar entity can use log sequence monitoring tools and data to pinpoint the root cause of an anomaly identified through log monitoring; once the root cause has been determined, the administrator takes remedial action on the faulty component, service or other cause. A similar method and system is disclosed in US patent No. 8,495,429.
  • The method comprises the steps of: receiving a log file of a user's activities in the computer network; optionally evaluating each state of a session in a quarantine mechanism; evaluating the non-quarantined states of the sessions (or of multi-state sessions) against multiple criteria in a session evaluation mechanism; and building and updating individual and group models.
  • The system comprises a sequential anomaly revealing platform connected to the data hub and configured to reveal sequential anomalies in the signals received from the data.
  • The sequential anomaly revealing platform further comprises a session evaluation and anomaly detection mechanism, individual and group model building and updating mechanisms, and an optional multi-state transformation module and quarantine module.
  • The present invention is a method for detecting atypical behaviour of information system users by analysing the sequence of a user's activities, together with the metadata describing those activities, at the level of the information system's business activities.
  • The method performs a multi-criteria evaluation of each session executed by a user, using Markov chain evaluation and Long Short-Term Memory (LSTM) evaluation with artificial neural networks.
  • The present invention is the result of improving a previous system and method for sequential anomaly revealing. In developing the new system and method, more precise and effective detection of anomalies committed by users of the monitored information system was achieved.
  • The sequential anomaly revealing method and system employ techniques and mechanisms to detect anomalous evolution of a process in an observed environment whose structure, rules, physics, etc. may change over time.
  • The method and system are aimed at sequential and combined kinds of anomaly detection at the business layer of the environment. They employ computational intelligence algorithms to build behavioural models and to update or adapt them as the behaviour of entities in the environment drifts. The implemented techniques automate initial model building, so manual design of anomalous activity patterns is not required.
  • The sequential anomaly revealing method and system are designed for non-invasive interaction with the host information system of the observed environment: no code injection into the host information system is required.
  • The revealing mechanisms support processing of anonymised or obfuscated data, thus preserving the confidentiality of customer data.
  • A key feature of the platform is the provision of fully automated mechanisms for correctly processing structural changes of the observed environment, thus avoiding false alarms.
  • The sequential anomaly revealing method and system can function in both single and multiple environments and provide detailed reports and control tools.
  • The present invention is disclosed in claims describing a system and a method for detecting atypical behaviour of users in an information system by analysing their actions using a Markov chain and an artificial neural network.
  • Fig. 1 illustrates the general interaction scheme of a host information system and a sequential anomaly revealing platform.
  • Fig. 2 illustrates the general architecture of a sequential anomaly revealing platform in which the individual and group model building and updating mechanisms are performed.
  • Fig. 3 illustrates the general architecture of a sequential anomaly revealing platform in which the multi-criteria evaluation of sessions includes Markov chain evaluation, LSTM neural network evaluation, session meta-attribute evaluation and statistical evaluation.
  • Fig. 4 illustrates the general architecture of the quarantine mechanism.
  • Fig. 5 illustrates the multi-state transformation mechanism.
  • Fig. 6 illustrates one embodiment of the multi-state transformation mechanism: the sequential framing of states within each session.
  • Fig. 7 illustrates the algorithm for clustering sessions by user group.
  • Fig. 8 illustrates a block scheme for creating matrices for continuous meta-attributes.
  • Fig. 9 illustrates a block scheme for creating probability matrices for discrete meta-attributes.
  • Fig. 10 illustrates a block scheme for the multi-criteria evaluation of sessions.
  • The system for sequential anomaly revealing in an information system that performs the aforementioned method comprises at least one environment in which various types of processes are performed; these processes are later analysed for anomalies.
  • The general interaction between a host information system and the anomaly identification platform (Fig. 1) implies the presence of at least one IT system (or multiple systems, Information System 1 ... Information System N) that processes and stores data about at least one business or production environment (or multiple environments, Environment 1 ... Environment N).
  • The relevant data about the actions of IT system users or technical processes is retrieved from the respective IT systems via a technical connection point, the "data hub / bridge" (shown as the "Data adapter" component in Fig. 1), which transfers information from the target system to the entry point of the anomaly identification platform.
  • An optional "Anonymisation" step is executed if the retrieved data is sensitive and depersonalisation or obfuscation is needed to ensure privacy and non-disclosure of that information.
  • The output of the "data hub / bridge", in the form of sequences of events, serves as the input to the anomaly identification platform, which provides storage, building of behaviour models and verification of new event sequences against those models, as shown in detail in Fig. 2 and Fig. 3.
  • An operator of the anomaly identification platform oversees model building and verification via a monitoring and control console.
  • The platform is also supplied with a "quarantine" mechanism (Fig. 4) and a multi-state transformation mechanism (Fig. 5 and Fig. 6) for effective data processing.
  • The general architecture of the sequential anomaly identification platform (Fig. 2 and Fig. 3) consists of multiple modules interconnected by data and process flows. Data on the actions of IT system users or technical processes is interpreted by the adapter, which transforms it into the platform's native session format S and saves these sessions to the central storage.
  • Two common mechanisms are enabled for improved anomaly identification: the multi-state transformation mechanism (Fig. 5 and Fig. 6) and the quarantine mechanism (Fig. 4), both described below.
  • All captured sessions are inspected by the session evaluation and anomaly detection mechanism on the basis of one or more criteria, the current models (behavioural profiles) and a pre-configured alert threshold.
  • If a particular session is not anomalous, its data is used for building and updating the individual and group models (behavioural profiles) in the corresponding mechanism.
  • The user of the platform can provide manual input and enforce the non-anomalous state of a session via the manual model learning mechanism. The user can also obtain reports and visualisation data from the platform about the current state of captured sessions and the current models.
  • The quarantine mechanism (Fig. 4) is necessary to handle the case in which the set of all possible states is extended (e.g. through introduction of new functionality in the target system); without knowledge of the typical usage scenarios of the newly introduced states, the anomaly revealing method would otherwise report multiple false-positive cases of abnormal behaviour in the sessions of different users.
  • The sequential anomaly revealing platform further comprises an individual and group model building and updating module, a multi-state transformation module, a quarantine module configured to quarantine sessions, a clustering module configured to cluster sessions by user group, a session meta-attribute evaluation module configured to evaluate the meta-attributes of a session, and a session evaluation and anomaly detection module configured to evaluate sessions and flag anomalous ones.
  • The anomaly identification method detects atypical behaviour of an IT system user or technical process (below, "user") by executing the following steps: a) receiving information about user activity; b) pre-processing the user's activity events; c) training the user's primary behaviour model by self-training and partially supervised training; d) monitoring on the basis of the established user behaviour models, during which user activity is analysed, atypical behaviour is detected and the typical behavioural profiles of users and user groups (below, "profiles") are updated; and e) renewing the behavioural profiles.
  • The method begins with the receipt and definition of the actions performed by IT system users or technical processes.
  • The first step is receiving the IT system events of a user's activities (states): for example a user's activity, a bot's activity, sensor values, recognised elements in video streams, etc. Normally such events are stored in log files or in relational tables of the information system's database.
  • Each state can be described by the following attributes: time, the time at which the event appeared in the information system; eventId, a predefined, constant identifier of an event, which may correspond to a business action in the information system of the particular environment; entityId, a predefined, constant identifier of the user or bot that raised the event; browser, the web browser program and version from which the user performs actions; IP, the user's IP address; device, the device used by the user; workTime, whether the activity was executed during the user's "working hours" or "outside working hours"; and attributeX, other metadata describing the user's behaviour.
  • The metadata is gathered from the specific information systems or from another source that records information about users' activities.
  • For the time meta-attribute, the time interval attribute D between two different states A and B is determined by a formula in which $t(A, B)$ is the average time for transitioning from A to B.
  • Continuous meta-attribute evaluation is based on comparing the actual attribute value for a specific event pair with the average attribute value for that event pair. To do so, matrices of average values for each event pair are created for each continuous attribute (Fig. 8). The matrices are built dynamically, adding events step by step first from the data repository and then from the new data flow, so that they stay up to date. The matrices are used to evaluate events in the event-pair evaluation stage.
  • Discrete meta-attribute evaluation is based on calculating the occurrence probability of each value of an attribute for a specific event pair. For each discrete attribute $A_i$ and for each value $v_{ij}$ of that attribute, a probability matrix is created containing the occurrence probability of the value $v_{ij}$ for a specific event pair, i.e. $P_{v_{ij}}(A, B)$ (Fig. 9).
  • These matrices are likewise created dynamically, adding events step by step first from the data repository and then from the new data flow, so that they stay up to date. They are used to evaluate events in the event-pair evaluation stage.
  • Each session s comprises data on the actions made by a user in a particular environment during a limited period of time. All events performed by information system users are divided into user sessions S according to the following criteria, or a combination thereof:
  • Each session S is a collection of single-element states made by a single user or technical process (entityId). Usually a session starts with some kind of head element (for example "login") and finishes with some kind of ending element (for example "logout"). The platform (SARP) also supports cases in which the start and/or ending elements are absent.
  • A session S includes one or more user activity events (states), for example Login, FolderRequest, DocRead, DocWrite, Logout, arranged in sequence by their time of creation. "Login", "FolderRequest", "DocRead", etc. are the system states after each user action.
  • The multi-state transformation mechanism (Fig. 5) transforms sessions S consisting of atomic states into sessions consisting of multi-step states (S). The transformation is performed by framing: the set of states of a session is divided so as to create a modified instance of the session that contains concatenated states.
  • One embodiment of the multi-state transformation mechanism is shown in Fig. 6.
  • S is a collection of multi-step-state sessions (s) made by users or technical processes, as shown in the following example:
  • The next step is the identification of the user group.
  • Clustering the sessions makes it possible to extract user groups from the data flow and analyse them separately, lowering the false-positive rate (cases in which normal behaviour is marked as abnormal).
  • The clustering algorithm (Fig. 7) starts with the definition of the possible number of clusters (step 1); the optimal number of clusters can be obtained empirically. The cluster centres are then generated randomly (step 2). Next, using a distance metric, the closest cluster is found for each record in the dataset and the record is assigned to that cluster (step 3). When all records have been assigned, the cluster centres are recalculated (step 4) and the ending criterion is checked (step 5). If the ending criterion is met, the process ends and the clusters are returned; otherwise the process returns to step 3.
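The five clustering steps above, run over sessions represented as transition-frequency vectors, as an added example; this is not the patent's code. The session data, the choice of Euclidean distance over relative transition frequencies, and the farthest-first placement of every centre after the first (the text says centres are generated randomly; the variant is used here so the demo converges regardless of the seed) are this example's assumptions. The inertia function is the usual way to pick the number of clusters empirically (step 1).

```python
"""k-means clustering of sessions into user groups over transition-frequency vectors."""
import math
import random

# Constructed sample sessions (entityId, ordered states); not data from the patent.
SESSIONS = [
    ("u1", ["Login", "FolderRequest", "DocRead", "Logout"]),
    ("u2", ["Login", "FolderRequest", "DocRead", "DocRead", "Logout"]),
    ("u3", ["Login", "FolderRequest", "DocRead", "DocWrite", "Logout"]),
    ("a1", ["Login", "UserList", "UserEdit", "Logout"]),
    ("a2", ["Login", "UserList", "UserEdit", "UserEdit", "Logout"]),
    ("a3", ["Login", "UserList", "UserEdit", "RoleEdit", "Logout"]),
]


def transitions(states):
    return list(zip(states, states[1:]))


def transition_vocab(sessions):
    """Index every (A, B) transition seen in the data; one vector dimension each."""
    seen = sorted({t for _, states in sessions for t in transitions(states)})
    return {t: i for i, t in enumerate(seen)}


def session_vector(states, vocab):
    """Relative frequency of each known transition within the session."""
    vec = [0.0] * len(vocab)
    trans = transitions(states)
    for t in trans:
        if t in vocab:
            vec[vocab[t]] += 1.0 / len(trans)
    return vec


def euclid(u, v):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def kmeans(vectors, k, seed=0, max_iter=100):
    """Steps 2-5 of the clustering algorithm; returns (assignment, centres)."""
    rng = random.Random(seed)
    # Step 2: initial centres. The first is a random record; the rest use farthest-first
    # seeding (an assumption of this example, so the demo converges for any seed).
    centres = [list(rng.choice(vectors))]
    while len(centres) < k:
        far = max(vectors, key=lambda v: min(euclid(v, c) for c in centres))
        centres.append(list(far))
    assignment = [-1] * len(vectors)
    for _ in range(max_iter):
        # Step 3: assign each record to its closest centre.
        new = [min(range(k), key=lambda j: euclid(v, centres[j])) for v in vectors]
        # Step 5: ending criterion, no record changed cluster.
        if new == assignment:
            break
        assignment = new
        # Step 4: recalculate each centre as the mean of its members.
        for j in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == j]
            if members:
                centres[j] = [sum(col) / len(members) for col in zip(*members)]
    return assignment, centres


def inertia(vectors, assignment, centres):
    """Within-cluster sum of squared distances; compare across k to pick k empirically (step 1)."""
    return sum(euclid(v, centres[a]) ** 2 for v, a in zip(vectors, assignment))


def cluster_sessions(sessions, k=2, seed=0):
    """Returns the user groups as sorted lists of entityIds, plus the inertia."""
    vocab = transition_vocab(sessions)
    vectors = [session_vector(states, vocab) for _, states in sessions]
    assignment, centres = kmeans(vectors, k, seed)
    groups = {}
    for (entity, _), label in zip(sessions, assignment):
        groups.setdefault(label, []).append(entity)
    return sorted(sorted(g) for g in groups.values()), inertia(vectors, assignment, centres)


if __name__ == "__main__":
    for k in (1, 2, 3):
        groups, sse = cluster_sessions(SESSIONS, k)
        print(k, round(sse, 3), groups)
```

With the constructed data the document-handling users (u1..u3) and the user-administration users (a1..a3) share no transitions, so they fall into two groups for every seed; the drop in inertia from k=1 to k=2, and the much smaller drop from k=2 to k=3, is what "obtaining the optimal number of clusters empirically" looks like in practice.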
  • The number of behavioural profiles is not limited, which enables the anomaly revealing platform to analyse sessions against multiple criteria; the overall anomaly is calculated over the criteria according to a structure in which each profile is described by the following attributes: profileId, the profile's unique identifier; applicableUsers, the system users to whom the profile is applicable; applicableAttributes, the descriptive attributes of the users, sessions or transitions that were used to select the sessions making up the profile; and each profile is weighted with a corresponding coefficient.
  • The training process creates individual, user-group and other profiles on the basis of a self-learning approach using Markov chains with extended multi-factor analysis. Training takes place by adjusting the group to which the transitions of the sessions s belong, and takes into account the variability of the session transitions and the metadata characterising each transition.
  • Typical behavioural profiles of a user or group are created; they contain information about typical user actions in the form of transition probabilities from the current state to the next.
  • Typical behaviour profiles for a user or user group are probability matrices containing the probability of occurrence of the next steps, where a step is the transition from the current state to the next state.
  • The training process also implements a partially supervised training profile based on positive examples (sessions of a "trusted" user group) and negative examples (anomalous sessions discovered for other users). Evaluation of the sessions (S) is performed using an LSTM (Long Short-Term Memory) neural network. The "trusted" user group is created using expert classification rules, whereby trusted users and other types of users are defined in the IT system.
  • A specialised profile is created on the basis of expert-defined rules that define the sessions and session transitions for the corresponding profile.
  • Prohibited activity profiles are created during the training process.
  • The prohibited activity profile is used to analyse user sessions; if a session matches it, a signal about the user's unauthorised activity is issued.
  • The same mathematical approach is used to create this profile as for a typical behavioural profile, subject to the following conditions: 1. the user-created sessions (S) that an expert has recognised as restricted for the specific user are used; and 2. when creating the profile of prohibited activities, of all the transitions made within a session only those transitions that the expert has determined to be prohibited are used. For each prohibited transition, the transitions actually executed in practice are sought in the sessions of other user groups.
  • The quarantine mechanism functions as follows. If there are changes in the monitored information system (for example, an update is installed that implements new functionality, so new step identifiers appear in the audit data), there is a high chance that from that moment on the system would return "false positive" warnings. The quarantine mechanism rules out that situation.
  • General approach of the quarantine mechanism: the platform maintains a "vocabulary" of all known multi-step states, which is filled while the system is in training mode. When a user performs an unknown multi-step state X (one not in the vocabulary), "quarantine" mode is enabled for this session for a period defined by the parameter t_max.
  • t_max is a predefined parameter describing the allowable time of stay in quarantine.
  • The quarantine algorithm checks whether this new multi-step state also appears in new sessions of at least l other users, where l is a predefined parameter giving the number of users required for a multi-step state to leave quarantine. If it does, the assumption is made that the system has gained new functionality represented by the multi-step state X, and additional learning of such sessions occurs for each user profile until a minimum number of sessions ssc containing this multi-step state X has been reached.
  • ssc is also a predefined parameter, describing the number of sessions of additional learning required by the quarantine mechanism.
  • The data structures comprise a vocabulary of multi-step states; in one embodiment the vocabulary of multi-step states may be as follows:
  • The structure of a multi-step state may comprise the following parameters: id, the multi-step state identifier; flag, the multi-step state property value as described above; tQ, the time at which the multi-step state entered quarantine; a list of the users who have performed the multi-step state; and SC, the count of sessions containing the multi-step state.
  • The data structure may also comprise an array of multi-step states alongside the sessions:
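The framing of atomic states into multi-step states and the quarantine vocabulary with t_max, l and ssc, as an added example; it is not the patent's code. The frame width of two, the "+" joining of state names, the field name users for the list of users, the concrete parameter values, the sample sessions, and what happens when t_max expires without l users having performed the state (marked "expired" here so the session is not silently accepted) are this example's assumptions; the text does not say what the platform does on expiry.

```python
"""Framing of atomic states into multi-step states and the quarantine vocabulary."""
from dataclasses import dataclass, field

# Quarantine parameters named as in the text; the values are assumptions for the demo.
T_MAX = 3600.0   # seconds a multi-step state may stay in quarantine
L_USERS = 2      # distinct users that must perform the state before it leaves quarantine
SSC = 3          # sessions of additional learning after release


def frame(states, width=2):
    """Sequentially frame a session of atomic states into concatenated multi-step states.
    A session shorter than the frame width becomes a single multi-step state."""
    if len(states) < width:
        return ["+".join(states)] if states else []
    return ["+".join(states[i:i + width]) for i in range(len(states) - width + 1)]


@dataclass
class MultiStepState:
    """Vocabulary entry. Field names id, flag, tQ and SC follow the text;
    'users' is this example's name for the list of users who performed the state."""
    id: str
    flag: str = "known"          # known | quarantine | learning | expired
    tQ: float = 0.0              # time of entrance into quarantine
    users: set = field(default_factory=set)
    SC: int = 0                  # count of sessions containing the state


class Quarantine:
    def __init__(self, training_sessions, width=2, t_max=T_MAX, l_users=L_USERS, ssc=SSC):
        self.width, self.t_max, self.l_users, self.ssc = width, t_max, l_users, ssc
        self.vocab = {}
        # Training mode fills the vocabulary with every multi-step state seen.
        for entity, states in training_sessions:
            for ms in frame(states, width):
                rec = self.vocab.setdefault(ms, MultiStepState(ms))
                rec.users.add(entity)
                rec.SC += 1

    def observe(self, entity, states, now):
        """Process one session; returns the outcome per multi-step state and whether
        the session must be held until all its quarantined states are resolved."""
        outcome = {}
        for ms in frame(states, self.width):
            rec = self.vocab.get(ms)
            if rec is None:
                # Unknown multi-step state X: quarantine it starting from 'now'.
                self.vocab[ms] = MultiStepState(ms, "quarantine", now, {entity}, 1)
                outcome[ms] = "quarantined"
            elif rec.flag == "quarantine":
                if now - rec.tQ > self.t_max:
                    # Not enough other users within t_max: expiry handling is an assumption.
                    rec.flag = "expired"
                    outcome[ms] = "expired"
                else:
                    rec.users.add(entity)
                    rec.SC += 1
                    if len(rec.users) >= self.l_users:
                        rec.flag = "learning"     # accepted as new functionality
                        outcome[ms] = "learning"
                    else:
                        outcome[ms] = "quarantined"
            elif rec.flag == "learning":
                rec.users.add(entity)
                rec.SC += 1
                if rec.SC >= self.ssc:
                    rec.flag = "known"           # ssc sessions learned, back to normal evaluation
                outcome[ms] = "learning"
            elif rec.flag == "expired":
                outcome[ms] = "expired"
            else:
                outcome[ms] = "evaluate"
        held = any(o == "quarantined" for o in outcome.values())
        return {"held": held, "states": outcome}


# Constructed scenario: two training sessions, then an 'Export' function appears after an update.
TRAINING = [
    ("u1", ["Login", "FolderRequest", "DocRead", "Logout"]),
    ("u2", ["Login", "FolderRequest", "DocWrite", "Logout"]),
]
NEW_FEATURE = ["Login", "FolderRequest", "Export", "Logout"]


def run_scenario():
    q = Quarantine(TRAINING)
    results = [
        q.observe("u1", NEW_FEATURE, now=0.0),        # first sighting: session held in quarantine
        q.observe("u3", NEW_FEATURE, now=100.0),      # second user: leaves quarantine, learning
        q.observe("u2", NEW_FEATURE, now=200.0),      # SC reaches ssc: state becomes known
        q.observe("u1", NEW_FEATURE, now=300.0),      # evaluated like any other state
        q.observe("u9", ["Login", "Wipe", "Logout"], now=1000.0),               # lone unknown state
        q.observe("u9", ["Login", "Wipe", "Logout"], now=1000.0 + T_MAX + 1),   # nobody else: expired
    ]
    return q, results
```

The point of the scenario is the contrast between the last two observations and the first four: a state that several users start performing shortly after an update is learned, whereas a state only one user ever performs never leaves quarantine and is still reported, which is exactly the distinction between new functionality and a single user doing something unusual that the text wants.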
  • Monitoring on the basis of a typical user behavioural model proceeds as follows. As part of monitoring, the sessions S of each user's actions are analysed. Before analysis, the multi-state transformation of the sessions S takes place, in which each session S is sequentially framed into a multi-step-state session s.
  • If a user session contains multiple multi-step states under quarantine, each quarantined multi-step state is treated and analysed independently of the others; the final operations on the session are committed only when all multi-step states under quarantine have been processed according to the algorithm above.
  • Session analysis is performed independently against every profile that belongs to the user: individual, group, "trusted" and prohibited activity profiles.
  • Comparing the session data with each profile created using Markov chains with extended multi-factor analysis includes comparing each transition from the current state to the next with the transition probability information contained in the profile.
  • In the ensemble, $f(P(A, B))$ is a function of the event pair (A, B); $f(P_{time}(A, B))$ is a function of the time between the events (A, B); $f(P_{browser}(A, B))$ is a function of the browser used by the user during the events (A, B); $f(P_{IP}(A, B))$ is a function of the IP address used by the user of the computer network during the events (A, B); $f(P_{device}(A, B))$ is a function of the device used by the user of the computer network during the events (A, B); further terms are possible for other metadata that characterise the transitions of user activity sessions and are obtainable from the information system; and $W_i$ is the normalised weight of attribute i.
  • Continuous meta-attribute evaluation is based on comparing the actual attribute value for a specific event pair with the average attribute value for that event pair, and discrete meta-attribute evaluation is based on calculating the occurrence probability of each value of an attribute for the specific event pair.
  • The artificial neural network has six or more inputs: the previous event (A), the current event (B), the time spent between the events (A, B), the browser used by the user of the information system during the events (A, B), the IP address used by the user during the events (A, B), the device used by the user during the events (A, B), and optionally other factors describing the event.
  • The artificial neural network comprises at least one hidden LSTM (Long Short-Term Memory) layer and a single output neuron. An output of 1 means the network has detected an anomaly; an output of 0 means a normal event.
  • The result $f_{ensemble}$ can be compared with a predefined suspicion threshold: if the suspicion threshold is exceeded, the session is classified as atypical (anomalous). Alternatively, the value of the continuous function $f_{ensemble}$ is analysed directly, the probability of an anomaly being higher the higher the value of $f_{ensemble}$.
  • Profiles are updated as follows. Sessions rated as typical are used to update the user's individual and group profiles when $f_{ensemble}$ meets the training threshold criterion. Atypical (anomalous) sessions are not used to update user and group profiles.
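The Markov transition-probability profile with the continuous (time) and discrete (IP, device) meta-attribute matrices, the weighted ensemble $f_{ensemble}$, the suspicion and training thresholds, and the rule that only typical sessions update the profile, as an added, runnable example; this is not the patent's code, and the patent states the ensemble only by its terms. The weight values, the closeness function used for the time attribute, scoring an unseen event pair as 0 on every criterion, averaging the per-transition score over the session, both threshold values, and all sample sessions are this example's assumptions.

```python
"""Markov-chain behavioural profile with meta-attribute matrices and weighted ensemble scoring."""
from collections import defaultdict

# Criterion weights W_i, normalised to sum to 1 (assumed values).
WEIGHTS = {"transition": 0.4, "time": 0.2, "ip": 0.2, "device": 0.2}
SUSPICION_THRESHOLD = 0.5   # a session scoring above this is anomalous (assumed)
TRAINING_THRESHOLD = 0.2    # a session scoring at or below this updates the profile (assumed)
DISCRETE_ATTRS = ("ip", "device")


class Profile:
    """Transition-probability, average-time and discrete-value matrices for one user or group."""

    def __init__(self, profile_id, applicable_users):
        self.profileId = profile_id
        self.applicableUsers = set(applicable_users)
        self.trans = defaultdict(lambda: defaultdict(int))   # trans[A][B] -> count
        self.time_sum = defaultdict(float)                    # (A, B) -> sum of dt
        self.time_n = defaultdict(int)                        # (A, B) -> number of samples
        self.disc = {a: defaultdict(lambda: defaultdict(int)) for a in DISCRETE_ATTRS}

    def p_transition(self, a, b):
        total = sum(self.trans[a].values())
        return self.trans[a].get(b, 0) / total if total else 0.0

    def avg_time(self, a, b):
        n = self.time_n.get((a, b), 0)
        return self.time_sum[(a, b)] / n if n else None

    def p_value(self, attr, a, b, value):
        counts = self.disc[attr][(a, b)]
        total = sum(counts.values())
        return counts.get(value, 0) / total if total else 0.0

    def learn(self, session):
        """Update every matrix from one session (the step-by-step matrix building)."""
        for a, b, dt, ev in transitions(session):
            self.trans[a][b] += 1
            self.time_sum[(a, b)] += dt
            self.time_n[(a, b)] += 1
            for attr in DISCRETE_ATTRS:
                self.disc[attr][(a, b)][ev[attr]] += 1


def transitions(session):
    """Yield (A, B, dt, event_B) for consecutive events of a session ordered by time."""
    events = sorted(session, key=lambda e: e["time"])
    for prev, cur in zip(events, events[1:]):
        yield prev["eventId"], cur["eventId"], cur["time"] - prev["time"], cur


def time_closeness(actual, avg):
    """Continuous criterion: 1 at the average, decaying with relative deviation (assumed form);
    an event pair with no recorded average scores 0."""
    if avg is None:
        return 0.0
    return 1.0 / (1.0 + abs(actual - avg) / max(avg, 1e-9))


def evaluate(profile, session):
    """Per-transition anomaly 1 - sum(W_i * f_i); the session score is their mean (assumed)."""
    per_transition = []
    for a, b, dt, ev in transitions(session):
        crit = {
            "transition": profile.p_transition(a, b),
            "time": time_closeness(dt, profile.avg_time(a, b)),
            "ip": profile.p_value("ip", a, b, ev["ip"]),
            "device": profile.p_value("device", a, b, ev["device"]),
        }
        per_transition.append((a, b, 1.0 - sum(WEIGHTS[k] * v for k, v in crit.items())))
    score = sum(x for _, _, x in per_transition) / len(per_transition) if per_transition else 0.0
    return score, per_transition


def classify_and_update(profile, session):
    """Threshold decision; only sessions rated typical feed back into the profile."""
    score, _ = evaluate(profile, session)
    if score > SUSPICION_THRESHOLD:
        return "anomalous", score
    if score <= TRAINING_THRESHOLD:
        profile.learn(session)
    return "typical", score


def make_session(entity, steps, ip, device, start=0.0):
    """Constructed events: steps are (eventId, seconds since the previous event)."""
    t, out = start, []
    for event_id, dt in steps:
        t += dt
        out.append({"time": t, "eventId": event_id, "entityId": entity, "ip": ip, "device": device})
    return out


TRAINING = [
    make_session("u1", [("Login", 0), ("FolderRequest", 5), ("DocRead", 10), ("Logout", 30)], "10.0.0.5", "laptop"),
    make_session("u1", [("Login", 0), ("FolderRequest", 7), ("DocRead", 12), ("DocWrite", 20), ("Logout", 10)], "10.0.0.5", "laptop"),
    make_session("u1", [("Login", 0), ("FolderRequest", 6), ("DocRead", 8), ("Logout", 20)], "10.0.0.5", "laptop"),
]
TYPICAL = make_session("u1", [("Login", 0), ("FolderRequest", 6), ("DocRead", 10), ("Logout", 25)], "10.0.0.5", "laptop")
ATYPICAL = make_session("u1", [("Login", 0), ("FolderRequest", 6), ("DocRead", 10), ("DocExportAll", 1), ("Logout", 1)], "203.0.113.9", "unknown")


def build_profile(sessions, profile_id="u1-individual"):
    p = Profile(profile_id, {s[0]["entityId"] for s in sessions})
    for s in sessions:
        p.learn(s)
    return p
```

In the atypical session the two familiar transitions already score 0.4 each because the IP and device criteria fail, and the never-seen DocRead to DocExportAll pair scores 1 on every criterion, so the session lands at 0.7 and is neither alerted on silently nor absorbed into the profile; the typical session scores about 0.04 and the DocRead to Logout count in the profile rises from 2 to 3 after it is learned.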
  • The LSTM training methodology is based on the Markov chain evaluation of the sessions: the training dataset for the LSTM network is built and renewed to include the latest data, and the LSTM network is trained with the back-propagation algorithm using a supervised training methodology. Training remains continuous: as new data is regularly obtained, the LSTM network is retrained, with a retraining period that depends on the amount of data regularly obtained and on the accuracy the LSTM network can provide.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a system and a method for improved sequential anomaly detection in an information system using a Markov chain and artificial neural networks. A method comprises the following steps: receiving a log file of a user's activities in the information system; evaluating each state of a session in a quarantine mechanism; a multi-criteria evaluation in a session evaluation mechanism; and building and updating individual and group profiles. The system comprises a sequential anomaly revealing platform connected to a data hub and configured to reveal sequential anomalies in signals received from the data. The sequential anomaly revealing platform further comprises a session evaluation and anomaly detection module, an individual and group profile building and updating module, as well as a multi-state transformation module and a quarantine module.
PCT/IB2021/051603 2021-02-26 2021-02-26 System for detecting atypical user behaviour in an information system WO2022180424A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2021/051603 WO2022180424A1 (fr) 2021-02-26 2021-02-26 System for detecting atypical user behaviour in an information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2021/051603 WO2022180424A1 (fr) 2021-02-26 2021-02-26 System for detecting atypical user behaviour in an information system

Publications (1)

Publication Number Publication Date
WO2022180424A1 true WO2022180424A1 (fr) 2022-09-01

Family

ID=83048779

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2021/051603 WO2022180424A1 (fr) 2021-02-26 2021-02-26 System for detecting atypical user behaviour in an information system

Country Status (1)

Country Link
WO (1) WO2022180424A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190253443A1 (en) * 2018-02-14 2019-08-15 Paladion Networks Private Limited User Behavior Anomaly Detection
WO2019215478A1 (fr) * 2018-05-08 2019-11-14 Abc Software, Sia System and method for sequential anomaly revealing in a computer network
WO2020068471A1 (fr) * 2018-09-27 2020-04-02 Oracle International Corporation Disk drive failure prediction with neural networks
US20200267162A1 (en) * 2017-03-31 2020-08-20 Oracle International Corporation Mechanisms for anomaly detection and access management


Similar Documents

Publication Publication Date Title
CN108566364B (zh) An intrusion detection method based on neural networks
US10686829B2 (en) Identifying changes in use of user credentials
Junejo et al. Behaviour-based attack detection and classification in cyber physical systems using machine learning
US8443443B2 (en) Security system and method for detecting intrusion in a computerized system
US7181768B1 (en) Computer intrusion detection system and method based on application monitoring
US11899808B2 (en) Machine learning for identity access management
CN112800116A (zh) Method and apparatus for anomaly detection in business data
CN116957049B (zh) Unsupervised insider threat detection method based on adversarial autoencoders
Farooq Supervised learning techniques for intrusion detection system based on multi-layer classification approach
Owais et al. Survey: using genetic algorithm approach in intrusion detection systems techniques
US20210075812A1 (en) A system and a method for sequential anomaly revealing in a computer network
CN110166422B (zh) Domain name behaviour recognition method, apparatus, readable storage medium and computer device
Freeman et al. Host-based intrusion detection using user signatures
Pannell et al. Anomaly detection over user profiles for intrusion detection
WO2022180424A1 (fr) System for detecting atypical user behaviour in an information system
Dmitry et al. Approaches to anomaly detection in web application intrusion detection systems
Bertino et al. Securing dbms: characterizing and detecting query floods
CN115567241A (zh) A multi-site network awareness detection system
CN1592228A (zh) System management policy enforcement method and system
Beghdad Training all the KDD data set to classify and detect attacks
CN115085956A (zh) Intrusion detection method, apparatus, electronic device and storage medium
CN111917801A (zh) Petri-net-based user behaviour authentication method in a private cloud environment
Jose et al. Prediction of Network Attacks Using Supervised Machine Learning Algorithm
Ghorbani et al. Detection approaches
Sonawane et al. Self configuring intrusion detection system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21927748

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21927748

Country of ref document: EP

Kind code of ref document: A1