WO2024009362A1 - Abnormality detection device, abnormality detection method, and abnormal detection program - Google Patents


Info

Publication number
WO2024009362A1
WO2024009362A1 PCT/JP2022/026621 JP2022026621W WO2024009362A1 WO 2024009362 A1 WO2024009362 A1 WO 2024009362A1 JP 2022026621 W JP2022026621 W JP 2022026621W WO 2024009362 A1 WO2024009362 A1 WO 2024009362A1
Authority
WO
WIPO (PCT)
Prior art keywords
rate range
data
anomaly
false positive
learning
Application number
PCT/JP2022/026621
Other languages
French (fr)
Japanese (ja)
Inventor
充敏 熊谷
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/026621
Publication of WO2024009362A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Definitions

  • the present invention relates to an anomaly detection device, an anomaly detection method, and an anomaly detection program.
  • anomaly detection technology that learns normal patterns from datasets and identifies whether given unknown data is abnormal has been used in various fields such as intrusion detection, medical image diagnosis, and industrial system monitoring.
  • in anomaly detection technology, it is important to solve a partial AUC (pAUC) maximization problem that maximizes the detection rate while keeping the false positive rate below a certain value (see Non-Patent Document 1).
  • the pAUC maximization method requires labeled data of abnormality and normality, so it cannot be used in cases where labeled data of abnormality and normality is not available.
  • in anomaly detection, anomaly data is rare, and it may be difficult to collect anomaly data for the target task.
  • the present invention has been made in view of the above, and an object of the present invention is to easily enable learning to maximize pAUC in abnormality detection.
  • an anomaly detection device according to the present invention comprises an acquisition unit that acquires one or more data sets including anomaly data of tasks related to a target task to be processed for anomaly detection, and the false positive rate range of each data set; and a learning unit that uses the acquired data sets and false positive rate ranges to learn a model that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC is maximized in that false positive rate range.
  • FIG. 1 is a diagram for explaining the outline of an abnormality detection device.
  • FIG. 2 is a diagram for explaining the outline of the abnormality detection device.
  • FIG. 3 is a schematic diagram illustrating a schematic configuration of the abnormality detection device.
  • FIG. 4 is a diagram for explaining the processing of the model learning section.
  • FIG. 5 is a flowchart showing the learning processing procedure.
  • FIG. 6 is a flowchart showing the detection processing procedure.
  • FIG. 7 is a diagram illustrating a computer that executes an abnormality detection program.
  • FIGS. 1 and 2 are diagrams for explaining the outline of an abnormality detection device.
  • the anomaly detection device detects data different from a normal pattern as an anomaly using an anomaly detection model learned to maximize partial AUC (pAUC).
  • the anomaly detector s, using an anomaly determination threshold t, is assumed to determine the sample x to be abnormal if s(x)>t, and normal if s(x)<t.
  • the ROC curve in this case represents the relationship between the false positive rate (FPR) and the true positive rate (TPR) when the threshold t for abnormality determination is changed.
  • the area under the ROC curve indicated by diagonal lines in FIG. 1(a) is called AUC.
  • AUC is used as a performance index of an anomaly detector.
  • pAUC in the false positive rate range (α, β) means the normalized area under the ROC curve when the FPR range is restricted to [α, β], which is indicated by diagonal lines in FIG. 1(b).
  • the anomaly detection device of this embodiment performs learning using a plurality of related data sets including normal data and abnormal data so as to be able to detect an abnormality in a target task data set containing only normal data.
  • the related data set is a related task data set that is similar to the target task data set.
  • for example, in a service for a plurality of users, for the target task data set of a particular new user, the related task data sets are those of other users who have been in service for a long time.
  • it is difficult to collect a data set including abnormal data for a new user, but it may be possible to collect a data set including abnormal data for a user who has been operating for a long time.
  • the anomaly detection device performs learning of the anomaly detector of the target task by using the related data set including normal data and abnormal data for learning. Specifically, the anomaly detection device performs learning to maximize pAUC in [α, β] by taking the false detection rate range (α, β) as input. For example, as shown in FIG. 2, the anomaly detection device performs learning using various related data sets (normal data sets 1, 2, 3, ...) and various false positive rate ranges ((a1, b1), (a2, b2), (a3, b3), ...). This enables the anomaly detection device to learn an anomaly detection learning model that can be generalized to unknown data sets.
  • FIG. 3 is a schematic diagram illustrating a schematic configuration of an abnormality detection device.
  • the abnormality detection device 1 according to this embodiment is realized by a general-purpose computer such as a workstation or a personal computer, and executes an abnormality detection process to be described later.
  • the abnormality detection device 1 of this embodiment includes a learning section 10 that performs learning processing and a detection section 20 that performs detection processing.
  • the learning unit 10 uses a plurality of related data sets to learn an anomaly detection learning model 14a that maximizes pAUC within an arbitrary false positive rate range.
  • the detection unit 20 uses the anomaly detection learning model 14a output by learning by the learning unit 10 to output an anomaly detector that maximizes pAUC within a desired false detection rate range for the data of the target task. Then, the detection unit 20 uses the output abnormality detector to detect an abnormality in the data of the target task.
  • the detection unit 20 may be implemented in the same hardware as the learning unit 10, or may be implemented in different hardware.
  • the learning section 10 includes a learning data input section 11 , a feature extraction section 12 , a model learning section 13 , and a storage section 14 .
  • the learning data input unit 11 is realized using an input device such as a keyboard or a mouse, and inputs various instruction information to the control unit in response to input operations by an operator.
  • the learning data input unit 11 functions as an acquisition unit and acquires one or more data sets including abnormal data of tasks related to the target task to be processed for abnormality detection, and the false detection rate range of each data set.
  • as the false detection rate range, a set of predetermined ranges {(a1, b1), (a2, b2), (a3, b3), ...} may be obtained in advance.
  • the related data set may be input to the learning unit 10 from an external server device or the like via a communication control unit (not shown) implemented by a NIC (Network Interface Card) or the like.
  • the control unit is realized using a CPU (Central Processing Unit) that executes a processing program, and functions as a feature extraction unit 12 and a model learning unit 13.
  • the feature extraction unit 12 converts each sample of the acquired related data set into a feature vector in preparation for processing in the model learning unit 13, which will be described later.
  • the feature vector is a representation of the features of necessary data as an n-dimensional numerical vector.
  • the feature extraction unit 12 performs conversion into a feature vector using a method commonly used in machine learning. For example, when the data is text, the feature extraction unit 12 can apply a method using morphological analysis, a method using n-grams, a method using delimiters, etc.
  • the model learning section 13 functions as a learning section.
  • the model learning unit 13 uses the acquired related data set and the false positive rate range to learn an anomaly detection learning model 14a that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC is maximized in that false positive rate range.
  • the model learning unit 13 learns an anomaly detection learning model 14a using a permutation-invariant neural network.
  • the model learning unit 13 also learns the anomaly detection learning model 14a so as to output an anomaly detector using a differentiable model such as a feedforward neural network.
  • the differentiable model is, for example, an autoencoder or a one-class SVM.
  • FIG. 4 is a diagram for explaining the processing of the model learning section.
  • FIG. 4 exemplifies the pseudo code of the processing of the model learning unit 13.
  • the purpose here is to obtain an anomaly detector that maximizes pAUC in [α, β] when the anomaly detection unit 23 (described later) receives as input a target data set S⁻ that is not included in the related data sets and a false positive rate range (α, β).
  • the model learning unit 13 generates an abnormality detection learning model 14a through learning. Then, an anomaly detection unit 23, which will be described later, outputs an anomaly detector s from the target data set S⁻ and the false detection rate range (α, β) using the anomaly detection learning model 14a. In that case, the feature extraction unit 22, which will be described later, converts S⁻ into a vector representation z shown in the following equation (3).
  • f and g are arbitrary neural networks. Since the "sum" of f does not depend on the order of the samples in the target data set S⁻, one vector z is determined for the set S by the above equation (3).
  • the neural network is not particularly limited, and for example, any permutation-invariant neural network such as "maximum value" or set transformer can be applied.
  • the anomaly detector s is a function that outputs an anomaly score for the sample x, and is defined by a neural network shown in the following equation (4).
  • the linear weight parameter w(α, β) is defined by another neural network that receives the two-dimensional (α, β) as input. Since this anomaly detector s depends on the vector representation z of normal data and the false positive rate range (α, β), its properties change when these values change. That is, the purpose of the model learning unit 13 is to output an abnormality detector s that maximizes pAUC in the false positive rate range (α, β) when the vector representation z of normal data and the false positive rate range (α, β) are newly given.
  • the model learning unit 13 generates an anomaly detection learning model 14a by learning using the related data set.
  • normal data selected from the related data set is represented by S⁻.
  • the objective function of the abnormality detection learning model 14a is expressed by the following equations (5) and (6).
  • the learning parameters of the abnormality detection learning model 14a are the parameters of the neural models f, g, and w.
  • $\widetilde{\mathrm{pAUC}}$ in the above equation (5) is a function obtained by replacing the indicator function I of $\widehat{\mathrm{pAUC}}$ in the above equation (6) with a differentiable sigmoid function.
  • Q represents normal/abnormal data randomly sampled from the same related data set as S⁻.
  • R is a set of false positive rate ranges specified by the user in advance.
  • the storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.
  • the learned abnormality detection learning model 14a is stored in the storage unit 14 of this embodiment.
  • the detection section 20 includes a data input section 21 , a feature extraction section 22 , an anomaly detection section 23 , and a result output section 24 .
  • the data input unit 21 is realized using an input device such as a keyboard or a mouse, and inputs various instruction information to the control unit and receives data in response to input operations by an operator.
  • the data input unit 21 receives input of a data set of a target task, a user-specified false positive rate range, and test data of a target task to be subjected to abnormality detection processing.
  • this information may be input to the detection unit 20 from an external server device or the like via a communication control unit (not shown) implemented by a NIC or the like. Further, the data input section 21 may be the same hardware as the learning data input section 11.
  • the control unit is realized using a CPU or the like that executes a processing program, and includes a feature extraction unit 22 and an abnormality detection unit 23.
  • the feature extraction unit 22 converts each sample of the acquired target data set into a feature vector in preparation for processing in the anomaly detection unit 23.
  • the abnormality detection section 23 functions as a detection section. That is, the anomaly detection unit 23 inputs the normal data of the target task and the specified false detection rate range to the learned anomaly detection learning model 14a, and uses the output anomaly detector to detect abnormalities in the data of the target task. Specifically, as described above, the anomaly detection unit 23 takes as input the target data set S⁻, which is not included in the related data set, and the false positive rate range (α, β), and obtains an anomaly detector that maximizes pAUC in the false positive rate range [α, β]. Further, the abnormality detection unit 23 uses the output abnormality detector to determine whether each test data of the target task is normal or abnormal.
  • the result output unit 24 is realized by a display device such as a liquid crystal display, a printing device such as a printer, an information communication device, etc., and outputs the result of the abnormality detection process to the operator. For example, the determination result of whether the input test data of the target task is normal or abnormal is output.
  • the anomaly detection process of the anomaly detection device 1 includes a learning process by the learning section 10 and a detection process by the detecting section 20.
  • FIG. 5 is a flowchart illustrating the learning processing procedure.
  • the flowchart in FIG. 5 starts, for example, at the timing when the user inputs an operation instructing to start the learning process.
  • the learning data input unit 11 receives input of a plurality of related data sets, each of which includes normal data and abnormal data, and a false detection rate range of each data set (step S1).
  • the feature extraction unit 12 converts each sample of the received related data set into a feature vector (step S2).
  • the model learning unit 13 learns an anomaly detection learning model 14a that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC is maximized in that false positive rate range (step S3).
  • the model learning unit 13 generates the anomaly detection learning model 14a by learning using the input related data set and the false positive rate range.
  • This anomaly detection learning model 14a outputs an anomaly detector when normal data and a specified false detection rate range are input.
  • the anomaly detector outputs an anomaly score of input data so as to maximize pAUC in a specified detection rate range.
  • the model learning unit 13 stores the learned anomaly detection learning model 14a in the storage unit 14. This completes the series of learning processes.
  • FIG. 6 is a flowchart illustrating the detection processing procedure.
  • the flowchart in FIG. 6 is started, for example, at the timing when the user inputs an operation instructing the start of the estimation process.
  • the data input unit 21 receives normal data of the target task and a specified false positive rate range (step S11), and the feature extraction unit 22 converts each received sample (normal data) into a feature vector (step S12).
  • the anomaly detection unit 23 inputs the normal data of the target task and the specified false detection rate range to the learned anomaly detection learning model 14a, and uses the output anomaly detector to detect abnormalities in the test data of the target task (step S13).
  • the anomaly detection unit 23 takes as input the target data set S⁻, which is not included in the related data set, and the false positive rate range (α, β), and obtains an anomaly detector that can maximize pAUC in the false positive rate range [α, β]. Further, the abnormality detection unit 23 inputs the test data of the target task to the output abnormality detector, and obtains a determination result as to whether each test data is normal or abnormal.
  • the result output unit 24 outputs the abnormality detection result, that is, the determined result of whether it is normal or abnormal (step S14). This completes the series of detection processes.
  • the learning data input unit 11 acquires one or more data sets containing abnormal data of tasks related to the target task to be processed for anomaly detection, and the false detection rate range of each data set.
  • the model learning unit 13 uses the acquired data set and the false positive rate range to learn an anomaly detection learning model 14a that, when normal data and the specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC is maximized in that false positive rate range.
  • the model learning unit 13 learns an anomaly detection learning model 14a using a permutation-invariant neural network.
  • the model learning unit 13 also learns the anomaly detection learning model 14a so as to output an anomaly detector using a differentiable model.
  • by learning using related data sets including abnormal data, the anomaly detection device 1 can obtain an anomaly detector that detects anomalies in the data of a target task while maximizing pAUC in the desired false positive rate range, even when only normal data is obtained for the target task. Further, once the anomaly detection learning model 14a is generated by performing learning on the related data set, an anomaly detector can be obtained without relearning on any normal data set. Therefore, it is possible to perform abnormality detection with high accuracy without performing relearning that requires expensive calculations. For example, anomalies can be detected even on low-resource computers where anomalies are generally difficult to detect. In this way, learning to maximize pAUC in abnormality detection is easily possible.
  • the anomaly detection unit 23 inputs the normal data of the target task and the specified false detection rate range to the learned anomaly detection learning model 14a, and uses the output anomaly detector to detect abnormalities in the test data of the target task. Thereby, even if only normal data is obtained for the target task, it is possible to perform highly accurate abnormality detection that maximizes pAUC within a desired false detection rate range.
  • the anomaly detection device 1 can be implemented by installing an anomaly detection program that executes the above-described anomaly detection process on a desired computer as packaged software or online software. For example, by causing the information processing device to execute the above abnormality detection program, the information processing device can be made to function as the abnormality detection device 1.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones, and PHSs (Personal Handyphone Systems), as well as slate terminals such as PDAs (Personal Digital Assistants).
  • the functions of the abnormality detection device 1 may be implemented in a cloud server.
  • FIG. 7 is a diagram showing an example of a computer that executes the abnormality detection program.
  • Computer 1000 includes, for example, memory 1010, CPU 1020, hard disk drive interface 1030, disk drive interface 1040, serial port interface 1050, video adapter 1060, and network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1031.
  • Disk drive interface 1040 is connected to disk drive 1041.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041, for example.
  • a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050.
  • a display 1061 is connected to the video adapter 1060.
  • the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each piece of information described in the above embodiments is stored in, for example, the hard disk drive 1031 or the memory 1010.
  • the abnormality detection program is stored in the hard disk drive 1031, for example, as a program module 1093 in which commands to be executed by the computer 1000 are written. Specifically, a program module 1093 in which each process executed by the abnormality detection device 1 described in the above embodiment is described is stored in the hard disk drive 1031.
  • data used for information processing by the abnormality detection program is stored as program data 1094 in, for example, the hard disk drive 1031.
  • the CPU 1020 reads out the program module 1093 and program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes each of the above-described procedures.
  • the program module 1093 and program data 1094 related to the abnormality detection program are not limited to being stored in the hard disk drive 1031; for example, they may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like.
  • the program module 1093 and program data 1094 related to the abnormality detection program may also be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and read out by the CPU 1020 via the network interface 1070.
  • 1 Anomaly detection device; 10 Learning section; 11 Learning data input section; 12 Feature extraction section; 13 Model learning section; 14 Storage section; 14a Anomaly detection learning model; 20 Detection section; 21 Data input section; 22 Feature extraction section; 23 Anomaly detection section; 24 Result output section

Abstract

A training data input unit (11) acquires one or more data sets including abnormal data of a task related to a target task of an abnormality detection process, and a range of a false detection rate of each of the data sets. When normal data and a designated range of the false detection rate are input, a model training unit (13) uses the acquired data set and the range of a false detection rate and trains an abnormality detection training model (14a) which outputs an abnormality detector that performs abnormality detection in which pAUC is maximized in the range of a false detection rate.

Description

Anomaly detection device, anomaly detection method, and anomaly detection program
The present invention relates to an anomaly detection device, an anomaly detection method, and an anomaly detection program.
In recent years, anomaly detection technology that learns normal patterns from datasets and identifies whether given unknown data is abnormal has been used in various fields such as intrusion detection, medical image diagnosis, and industrial system monitoring.
In anomaly detection technology, it is important to solve a partial AUC (pAUC) maximization problem that maximizes the detection rate while keeping the false positive rate below a certain value (see Non-Patent Document 1).
However, with conventional techniques, it may be difficult to solve the pAUC maximization problem in anomaly detection. For example, the pAUC maximization method requires labeled data of abnormality and normality, so it cannot be used in cases where labeled data of abnormality and normality is not available. On the other hand, in anomaly detection, anomaly data is rare, and it may be difficult to collect anomaly data for the target task.
The present invention has been made in view of the above, and an object of the present invention is to easily enable learning to maximize pAUC in abnormality detection.
In order to solve the above-mentioned problems and achieve the object, an anomaly detection device according to the present invention comprises: an acquisition unit that acquires one or more data sets including anomaly data of tasks related to a target task to be processed for anomaly detection, and the false positive rate range of each data set; and a learning unit that uses the acquired data sets and false positive rate ranges to learn a model that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC is maximized in that false positive rate range.
According to the present invention, learning to maximize pAUC in abnormality detection is easily possible.
FIG. 1 is a diagram for explaining the outline of an abnormality detection device.
FIG. 2 is a diagram for explaining the outline of the abnormality detection device.
FIG. 3 is a schematic diagram illustrating a schematic configuration of the abnormality detection device.
FIG. 4 is a diagram for explaining the processing of the model learning section.
FIG. 5 is a flowchart showing the learning processing procedure.
FIG. 6 is a flowchart showing the detection processing procedure.
FIG. 7 is a diagram illustrating a computer that executes an abnormality detection program.
Hereinafter, one embodiment of the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited to this embodiment. In addition, in the description of the drawings, the same parts are denoted by the same reference numerals.
[Overview of anomaly detection device]
First, FIGS. 1 and 2 are diagrams for explaining the outline of an abnormality detection device. The anomaly detection device detects data different from a normal pattern as an anomaly using an anomaly detection model learned to maximize partial AUC (pAUC).
Here, assume that the anomaly detector s uses an anomaly determination threshold t, so that a sample x is determined to be abnormal if s(x)>t and normal if s(x)<t. The ROC curve in this case represents the relationship between the false positive rate (FPR) and the detection rate (TPR, true positive rate) when the threshold t for abnormality determination is changed. The area under the ROC curve, indicated by diagonal lines in FIG. 1(a), is called AUC. AUC is used as a performance index of an anomaly detector.
In addition, pAUC in the false positive rate range (α, β) means the normalized area under the ROC curve when the FPR range is restricted to [α, β], which is indicated by diagonal lines in FIG. 1(b). For example, pAUC when α=0 and β=0.1 is an index for evaluating the performance of an anomaly detector when the false positive rate is 0.1 or less.
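The following Python sketch is an added example, not code from the patent: it computes the empirical pAUC over an FPR range [α, β] as defined above, together with a sigmoid-smoothed variant of the kind the Definitions list describes for equation (5). The estimator's normalization, the `scale` parameter and the scores of the two constructed detectors are assumptions, since equations (5) and (6) are not reproduced on this page.

```python
import math


def step(diff):
    """Indicator I(diff > 0): the anomaly scores above the normal sample."""
    return 1.0 if diff > 0 else 0.0


def sigmoid(x):
    """Numerically stable logistic function (only exponentiates negatives)."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def partial_auc(normal_scores, anomaly_scores, alpha, beta, kernel=step):
    """Normalized area under the empirical ROC curve for FPR in [alpha, beta].

    With the rule "abnormal if s(x) > t", the j-th highest normal score owns
    the FPR interval [(j-1)/n, j/n]; the ROC height there is the fraction of
    anomalies scoring above it. Each interval is weighted by its overlap with
    [alpha, beta], so ranges that cut through an interval are handled.
    """
    if not (0.0 <= alpha < beta <= 1.0):
        raise ValueError("need 0 <= alpha < beta <= 1")
    if not normal_scores or not anomaly_scores:
        raise ValueError("both score lists must be non-empty")
    n, m = len(normal_scores), len(anomaly_scores)
    area = 0.0
    for j, neg in enumerate(sorted(normal_scores, reverse=True)):
        width = min((j + 1) / n, beta) - max(j / n, alpha)
        if width <= 0:
            continue  # this normal sample lies outside the FPR range
        tpr = sum(kernel(pos - neg) for pos in anomaly_scores) / m
        area += width * tpr
    return area / (beta - alpha)


def smooth_partial_auc(normal_scores, anomaly_scores, alpha, beta, scale=0.05):
    """Differentiable surrogate: the indicator is replaced by a sigmoid.

    `scale` (an assumption of this example) sets how sharply the sigmoid
    approximates the indicator; smaller values track the hard pAUC closely.
    """
    return partial_auc(normal_scores, anomaly_scores, alpha, beta,
                       kernel=lambda d: sigmoid(d / scale))


# Constructed scores for two hypothetical detectors (10 normal, 5 anomalous).
# Detector A ranks one normal sample above every anomaly.
A_NORMAL = [0.99, 0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45]
A_ANOMALY = [0.90, 0.80, 0.70, 0.60, 0.55]
# Detector B keeps its top ranks clean but mixes two anomalies lower down.
B_NORMAL = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55]
B_ANOMALY = [0.95, 0.90, 0.85, 0.47, 0.42]


def compare(alpha, beta):
    """Return (pAUC of A, pAUC of B) over the same FPR range."""
    return (partial_auc(A_NORMAL, A_ANOMALY, alpha, beta),
            partial_auc(B_NORMAL, B_ANOMALY, alpha, beta))


if __name__ == "__main__":
    print("full AUC      A, B:", compare(0.0, 1.0))
    print("pAUC [0, 0.1] A, B:", compare(0.0, 0.1))
    print("smooth pAUC [0, 0.1] B:",
          smooth_partial_auc(B_NORMAL, B_ANOMALY, 0.0, 0.1))
```

Both detectors have the same full AUC, yet only detector B has any detection rate in the FPR range [0, 0.1], which is why the range-restricted objective matters when alert budgets are tight.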
 pAUCを最大化するような異常検知器を学習により得るためには、異常・正常のラベルありデータが学習データとして必要であるが、異常データは希少であり入手が困難な場合がある。そこで、本実施形態の異常検知装置は、正常データのみの目標タスクのデータセットの異常検知を行えるように、正常データと異常データとを含む複数の関連データセットを用いて学習を行う。 In order to obtain an anomaly detector that maximizes pAUC through learning, data with abnormal/normal labels is required as learning data, but abnormal data is rare and may be difficult to obtain. Therefore, the anomaly detection device of this embodiment performs learning using a plurality of related data sets including normal data and abnormal data so as to be able to detect an abnormality in a target task data set containing only normal data.
 ここで、関連データセットとは、目標タスクのデータセットに類似する関連タスクのデータセットである。例えば、複数のユーザに対するサービスにおいて、ある特定の新規ユーザに関する目標タスクのデータセットに対し、長期間稼働している他のユーザに関する関連タスクのデータセットが例示される。この場合に、新規ユーザについて、異常データを含むデータセットの収集は困難であるが、長期間稼働しているユーザについては、異常データを含むデータセットを収集できる可能性がある。 Here, the related data set is a related task data set that is similar to the target task data set. For example, in a service for a plurality of users, a data set of target tasks related to a certain new user is exemplified as a data set of related tasks related to other users who have been in service for a long time. In this case, it is difficult to collect a data set including abnormal data for a new user, but it may be possible to collect a data set including abnormal data for a user who has been operating for a long time.
 このように、異常検知装置は、正常データと異常データとを含む関連データセットを学習に用いることにより、目標タスクの異常検知器の学習を行う。具体的には、異常検知装置は、誤検知率範囲(α,β)を入力することにより、[α,β]におけるpAUCを最大化するように学習を行う。例えば、図2に示すように、異常検知装置は、様々な関連データセット(正常データセット1、2、3、…)と様々な誤検知率範囲((a1,b1)、(a2,b2)、(a3,b3)、…)とを用いて学習を行う。これにより、異常検知装置は、未知のデータセットに汎化できる異常検知学習モデルの学習が可能となる。つまり、学習された異常検知学習モデルに目標タスクのデータセットと所望の誤検知率範囲(α’,β’)を入力することにより、[α’,β’]でのpAUCを最大化するような異常検知器が出力されるようになる。 In this way, the anomaly detection device performs learning of the anomaly detector of the target task by using the related data set including normal data and abnormal data for learning. Specifically, the anomaly detection device performs learning to maximize pAUC in [α, β] by inputting the false detection rate range (α, β). For example, as shown in Fig. 2, the anomaly detection device detects various related data sets ( normal data sets 1, 2, 3, ...) and various false positive rate ranges ((a1, b1), (a2, b2). , (a3, b3), ...). This enables the anomaly detection device to learn an anomaly detection learning model that can be generalized to unknown data sets. In other words, by inputting the target task dataset and the desired false positive rate range (α', β') to the trained anomaly detection learning model, the pAUC at [α', β'] is maximized. Anomaly detectors will now be output.
[Configuration of anomaly detection device]
Next, FIG. 3 is a schematic diagram illustrating the configuration of the anomaly detection device. The anomaly detection device 1 according to this embodiment is realized by a general-purpose computer such as a workstation or a personal computer, and executes the anomaly detection process described later.
As shown in FIG. 3, the anomaly detection device 1 of this embodiment includes a learning unit 10 that performs learning processing and a detection unit 20 that performs detection processing. The learning unit 10 uses a plurality of related data sets to learn an anomaly detection learning model 14a that maximizes pAUC in an arbitrary false positive rate range. The detection unit 20 uses the anomaly detection learning model 14a output by the learning of the learning unit 10 to output, for the data of the target task, an anomaly detector that maximizes pAUC in a desired false positive rate range. The detection unit 20 then uses the output anomaly detector to detect anomalies in the data of the target task. The detection unit 20 may be implemented on the same hardware as the learning unit 10 or on different hardware.
[Learning unit]
The learning unit 10 includes a learning data input unit 11, a feature extraction unit 12, a model learning unit 13, and a storage unit 14.
The learning data input unit 11 is realized using an input device such as a keyboard or a mouse, and inputs various instruction information to the control unit in response to input operations by an operator. In this embodiment, the learning data input unit 11 functions as an acquisition unit and acquires one or more data sets containing abnormal data of tasks related to the target task to be processed for anomaly detection, together with a false positive rate range for each data set. As the false positive rate ranges, a predetermined set of ranges {(a1, b1), (a2, b2), (a3, b3), …} may be acquired in advance.
Note that the related data sets may be input to the learning unit 10 from an external server device or the like via a communication control unit (not shown) realized by a NIC (Network Interface Card) or the like.
The control unit is realized using a CPU (Central Processing Unit) or the like that executes a processing program, and functions as the feature extraction unit 12 and the model learning unit 13.
The feature extraction unit 12 converts each sample of the acquired related data sets into a feature vector in preparation for the processing in the model learning unit 13, described later. Here, a feature vector expresses the necessary features of the data as an n-dimensional numeric vector. The feature extraction unit 12 performs the conversion into feature vectors using methods commonly used in machine learning. For example, when the data is text, the feature extraction unit 12 can apply a method based on morphological analysis, a method based on n-grams, a method based on delimiters, and so on.
The model learning unit 13 functions as a learning unit. That is, using the acquired related data sets and false positive rate ranges, the model learning unit 13 learns an anomaly detection learning model 14a that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC in that false positive rate range is maximized.
Specifically, the model learning unit 13 learns an anomaly detection learning model 14a that uses a permutation-invariant neural network. The model learning unit 13 also learns the anomaly detection learning model 14a so that it outputs an anomaly detector that uses a differentiable model such as a feedforward neural network. The differentiable model is, for example, an autoencoder or a one-class SVM.
Here, FIG. 4 is a diagram for explaining the processing of the model learning unit. FIG. 4 shows pseudocode for the processing of the model learning unit 13.
First, assume that the target data set S⁻, which contains only normal data, is expressed by equation (1).
Figure JPOXMLDOC01-appb-M000001
Assume also that T related data sets expressed by the following equation (2) are given to the model learning unit 13. The dimension D of the feature vectors is assumed to be the same for all data sets.
Figure JPOXMLDOC01-appb-M000002
The objective here is for the anomaly detection unit 23, described later, to obtain an anomaly detector that maximizes pAUC in the false positive rate range [α, β] when a target data set S⁻ that is not included in the related data sets and a false positive rate range (α, β) are input.
The model learning unit 13 generates the anomaly detection learning model 14a by learning. The anomaly detection unit 23, described later, then outputs an anomaly detector s from the target data set S⁻ and the false positive rate range (α, β) using the anomaly detection learning model 14a. In doing so, the feature extraction unit 22, described later, converts S⁻ into the vector representation z shown in the following equation (3).
Figure JPOXMLDOC01-appb-M000003
Here, f and g are arbitrary neural networks. Since the "sum" over f does not depend on the order of the samples in the target data set S⁻, equation (3) determines a single vector z for the set S⁻. Note that the neural network is not particularly limited; for example, any permutation-invariant neural network, such as "maximum value" or a set transformer, can be applied.
The anomaly detector s is a function that outputs an anomaly score for a sample x, and is defined by the neural network shown in the following equation (4).
Figure JPOXMLDOC01-appb-M000004
The linear weight parameter w(α, β) is defined by another neural network that takes the two-dimensional (α, β) as input. Because this anomaly detector s depends on the vector representation z of the normal data and on the false positive rate range (α, β), its properties change when these values change. That is, the model learning unit 13 aims to output an anomaly detector s that maximizes pAUC in the false positive rate range (α, β) when a vector representation z of normal data and a false positive rate range (α, β) are newly given.
The model learning unit 13 generates the anomaly detection learning model 14a by learning with the related data sets. Here, the normal data selected from a related data set is denoted S⁻. The objective function of the anomaly detection learning model 14a is expressed by the following equations (5) and (6). The learning parameters of the anomaly detection learning model 14a are the parameters of the neural models f, g, and w.
Figure JPOXMLDOC01-appb-M000005
Figure JPOXMLDOC01-appb-M000006
Here, \tilde{pAUC} in equation (5) is the function obtained by replacing the indicator function I in \hat{pAUC} of equation (6) with a differentiable sigmoid function. Q denotes normal and abnormal data randomly sampled from the same related data set as S⁻. R is a set of false positive rate ranges specified in advance by the user. By optimizing the objective function of equations (5) and (6), learning is performed so as to maximize the pAUC computed on Q for the anomaly detector s defined by the normal data S⁻ and the false positive rate range (α, β). A stochastic gradient method is used for this learning.
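The pAUC over a false positive rate range defined earlier, and the replacement of the indicator function by a sigmoid described above, can be made concrete with a small sketch. This is an added example, not code from the patent: equations (5) and (6) are not reproduced on this page, so the pairwise rank-based estimator, the steepness parameter `k`, the function names and the sample scores are all assumptions (the scores are constructed).

```python
import math

# Constructed anomaly scores from two hypothetical detectors on 10 normal and
# 4 abnormal samples (higher score = more anomalous).
A_NORMAL = [0.95, 0.90, 0.30, 0.28, 0.25, 0.22, 0.20, 0.15, 0.10, 0.05]
A_ANOMALY = [0.80, 0.75, 0.70, 0.65]
B_NORMAL = [0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20, 0.10]
B_ANOMALY = [0.90, 0.85, 0.42, 0.32]


def _sigmoid(u):
    # Numerically stable logistic function.
    if u >= 0:
        return 1.0 / (1.0 + math.exp(-u))
    e = math.exp(u)
    return e / (1.0 + e)


def negatives_in_fpr_range(normal_scores, alpha, beta):
    """Normal samples whose rank, by descending score, lies in FPR range (alpha, beta].

    These are the normal samples that become false positives as the threshold
    sweeps the FPR from alpha to beta.
    """
    if not 0.0 <= alpha < beta <= 1.0:
        raise ValueError("need 0 <= alpha < beta <= 1")
    n = len(normal_scores)
    j_alpha = math.ceil(round(n * alpha, 9))   # round() guards against float noise
    j_beta = math.floor(round(n * beta, 9))
    if j_beta <= j_alpha:
        raise ValueError("too few normal samples to resolve this FPR range")
    return sorted(normal_scores, reverse=True)[j_alpha:j_beta]


def pauc_hat(anomaly_scores, normal_scores, alpha, beta):
    """Indicator-based pAUC: fraction of (anomaly, in-range normal) pairs ranked correctly."""
    hard = negatives_in_fpr_range(normal_scores, alpha, beta)
    wins = sum(1.0 for p in anomaly_scores for q in hard if p > q)
    return wins / (len(anomaly_scores) * len(hard))


def pauc_tilde(anomaly_scores, normal_scores, alpha, beta, k=10.0):
    """Same estimator with the indicator I(p > q) relaxed to sigmoid(k * (p - q))."""
    hard = negatives_in_fpr_range(normal_scores, alpha, beta)
    total = sum(_sigmoid(k * (p - q)) for p in anomaly_scores for q in hard)
    return total / (len(anomaly_scores) * len(hard))


def score_sensitivity(estimator, anomaly_scores, normal_scores, alpha, beta,
                      index=0, eps=1e-4):
    """Central finite difference of the estimator w.r.t. one anomaly's score."""
    up, down = list(anomaly_scores), list(anomaly_scores)
    up[index] += eps
    down[index] -= eps
    return (estimator(up, normal_scores, alpha, beta)
            - estimator(down, normal_scores, alpha, beta)) / (2 * eps)


if __name__ == "__main__":
    for name, anom, norm in (("A", A_ANOMALY, A_NORMAL), ("B", B_ANOMALY, B_NORMAL)):
        print(name,
              "AUC =", pauc_hat(anom, norm, 0.0, 1.0),
              "pAUC[0,0.2] =", pauc_hat(anom, norm, 0.0, 0.2),
              "relaxed pAUC[0,0.2] =", round(pauc_tilde(anom, norm, 0.0, 0.2), 4))
    print("d pauc_hat / d score   =",
          score_sensitivity(pauc_hat, A_ANOMALY, A_NORMAL, 0.0, 0.2))
    print("d pauc_tilde / d score =",
          score_sensitivity(pauc_tilde, A_ANOMALY, A_NORMAL, 0.0, 0.2))
```

Detector A has the higher full AUC, yet its pAUC for FPR up to 0.2 is zero because two normal samples outrank every anomaly. On that same data the indicator-based estimate is flat under small score changes, while the sigmoid version has a positive slope that a stochastic gradient method can follow.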
Returning to the description of FIG. 3, the storage unit 14 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or by a storage device such as a hard disk or an optical disk. The storage unit 14 of this embodiment stores the learned anomaly detection learning model 14a.
[Detection unit]
The detection unit 20 includes a data input unit 21, a feature extraction unit 22, an anomaly detection unit 23, and a result output unit 24.
The data input unit 21 is realized using an input device such as a keyboard or a mouse, and, in response to input operations by an operator, inputs various instruction information to the control unit and accepts data. In this embodiment, the data input unit 21 accepts input of the target task data set, a user-specified false positive rate range, and test data of the target task to be subjected to the anomaly detection process.
Note that this information may be input to the detection unit 20 from an external server device or the like via a communication control unit (not shown) realized by a NIC or the like. The data input unit 21 may also be the same hardware as the learning data input unit 11.
The control unit is realized using a CPU or the like that executes a processing program, and includes the feature extraction unit 22 and the anomaly detection unit 23.
Like the feature extraction unit 12 of the learning unit 10, the feature extraction unit 22 converts each sample of the acquired target data set into a feature vector in preparation for the processing in the anomaly detection unit 23.
The anomaly detection unit 23 functions as a detection unit. That is, the anomaly detection unit 23 inputs the normal data of the target task and the specified false positive rate range to the learned anomaly detection learning model 14a, and detects anomalies in the data of the target task using the output anomaly detector. Specifically, as described above, the anomaly detection unit 23 inputs a target data set S⁻ that is not included in the related data sets and a false positive rate range (α, β), and obtains an anomaly detector that maximizes pAUC in the false positive rate range [α, β]. The anomaly detection unit 23 then uses the output anomaly detector to determine whether each piece of test data of the target task is normal or abnormal.
The result output unit 24 is realized by a display device such as a liquid crystal display, a printing device such as a printer, an information communication device, or the like, and outputs the result of the anomaly detection process to the operator. For example, it outputs the determination of whether the input test data of the target task is normal or abnormal.
[Anomaly detection processing]
Next, the anomaly detection processing performed by the anomaly detection device 1 will be described with reference to FIGS. 5 and 6. The anomaly detection processing of the anomaly detection device 1 includes learning processing by the learning unit 10 and detection processing by the detection unit 20.
[Learning processing]
FIG. 5 is a flowchart illustrating the learning processing procedure. The flowchart in FIG. 5 starts, for example, when the user enters an operation instructing the start of the learning processing.
First, the learning data input unit 11 accepts input of a plurality of related data sets, each containing normal data and abnormal data, and a false positive rate range for each data set (step S1). Next, the feature extraction unit 12 converts each sample of the accepted related data sets into a feature vector (step S2).
Next, using the input related data sets and false positive rate ranges, the model learning unit 13 learns the anomaly detection learning model 14a, which, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC in that false positive rate range is maximized (step S3).
That is, the model learning unit 13 generates the anomaly detection learning model 14a by learning with the input related data sets and false positive rate ranges. The anomaly detection learning model 14a outputs an anomaly detector when normal data and a specified false positive rate range are input. The anomaly detector outputs an anomaly score for input data so as to maximize pAUC in the specified detection rate range.
The model learning unit 13 also stores the learned anomaly detection learning model 14a in the storage unit 14. This completes the series of learning processing.
[Detection processing]
Next, FIG. 6 is a flowchart illustrating the detection processing procedure. The flowchart in FIG. 6 starts, for example, when the user enters an operation instructing the start of the estimation processing.
First, the data input unit 21 accepts the normal data of the target task and the specified false positive rate range (step S11), and the feature extraction unit 22 converts each accepted sample (normal data) into a feature vector (step S12).
Next, the anomaly detection unit 23 inputs the normal data of the target task and the specified false positive rate range to the learned anomaly detection learning model 14a, and detects anomalies in the test data of the target task using the output anomaly detector (step S13).
That is, the anomaly detection unit 23 inputs a target data set S⁻ that is not included in the related data sets and a false positive rate range (α, β), and obtains an anomaly detector that maximizes pAUC in the false positive rate range [α, β]. The anomaly detection unit 23 then inputs the test data of the target task to the output anomaly detector and obtains a determination of whether each piece of test data is normal or abnormal.
The result output unit 24 then outputs the anomaly detection result, that is, the determination of normal or abnormal (step S14). This completes the series of detection processing.
[Effects]
As described above, in the anomaly detection device 1, the learning data input unit 11 acquires one or more data sets containing abnormal data of tasks related to the target task to be processed for anomaly detection, and a false positive rate range for each data set. Using the acquired data sets and false positive rate ranges, the model learning unit 13 learns the anomaly detection learning model 14a, which, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection in which pAUC in that false positive rate range is maximized.
Specifically, the model learning unit 13 learns an anomaly detection learning model 14a that uses a permutation-invariant neural network. The model learning unit 13 also learns the anomaly detection learning model 14a so that it outputs an anomaly detector that uses a differentiable model.
In this way, by learning with related data sets that contain abnormal data, the anomaly detection device 1 can obtain an anomaly detector that maximizes pAUC in a desired false positive rate range and detect anomalies in the data of the target task, even when only normal data is available for the target task. Moreover, once the anomaly detection learning model 14a has been generated by learning on the related data sets, an anomaly detector can be obtained for any normal data set without relearning. It is therefore possible to detect anomalies with high accuracy without relearning, which requires costly computation. For example, anomaly detection becomes possible even on low-resource computers, where anomaly detection is generally difficult. In this way, learning that maximizes pAUC in anomaly detection becomes easy.
In addition, the anomaly detection unit 23 inputs the normal data of the target task and the specified false positive rate range to the learned anomaly detection learning model 14a, and detects anomalies in the test data of the target task using the output anomaly detector. As a result, even when only normal data is available for the target task, it is possible to perform highly accurate anomaly detection that maximizes pAUC in a desired false positive rate range.
[Program]
It is also possible to create a program in which the processing executed by the anomaly detection device 1 according to the above embodiment is written in a computer-executable language. As one embodiment, the anomaly detection device 1 can be implemented by installing, on a desired computer, an anomaly detection program that executes the above anomaly detection processing as packaged software or online software. For example, by causing an information processing device to execute the above anomaly detection program, the information processing device can be made to function as the anomaly detection device 1. In addition, information processing devices include mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as slate terminals such as PDAs (Personal Digital Assistants). The functions of the anomaly detection device 1 may also be implemented on a cloud server.
FIG. 7 is a diagram showing an example of a computer that executes the anomaly detection program. The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1031. The disk drive interface 1040 is connected to a disk drive 1041. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. A mouse 1051 and a keyboard 1052, for example, are connected to the serial port interface 1050. A display 1061, for example, is connected to the video adapter 1060.
Here, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each piece of information described in the above embodiment is stored in, for example, the hard disk drive 1031 or the memory 1010.
The anomaly detection program is stored in the hard disk drive 1031 as, for example, a program module 1093 in which the instructions to be executed by the computer 1000 are written. Specifically, a program module 1093 describing each process executed by the anomaly detection device 1 described in the above embodiment is stored in the hard disk drive 1031.
The data used for information processing by the anomaly detection program is stored as program data 1094 in, for example, the hard disk drive 1031. The CPU 1020 then reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 into the RAM 1012 as necessary and executes each of the procedures described above.
Note that the program module 1093 and the program data 1094 of the anomaly detection program are not limited to being stored in the hard disk drive 1031; for example, they may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the program module 1093 and the program data 1094 of the anomaly detection program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070.
Although an embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and drawings that form part of the disclosure of the present invention according to this embodiment. That is, all other embodiments, examples, operational techniques, and the like made by those skilled in the art on the basis of this embodiment are included in the scope of the present invention.
1 Anomaly detection device
10 Learning unit
11 Learning data input unit
12 Feature extraction unit
13 Model learning unit
14 Storage unit
14a Anomaly detection learning model
20 Detection unit
21 Data input unit
22 Feature extraction unit
23 Anomaly detection unit
24 Result output unit

Claims (6)

  1.  異常検知の処理対象の目標タスクに関連するタスクの異常データを含む1つ以上のデータセットと、各データセットの誤検知率範囲とを取得する取得部と、
     取得された前記データセットと前記誤検知率範囲とを用いて、正常データと指定された誤検知率範囲とが入力された場合に、該誤検知率範囲におけるpAUCが最大化された異常検知を行う異常検知器を出力するモデルを学習する学習部と、
     を有することを特徴とする異常検知装置。
    an acquisition unit that acquires one or more datasets containing abnormality data of tasks related to the target task to be processed for abnormality detection and a false positive rate range of each dataset;
    Using the acquired data set and the false positive rate range, when normal data and a specified false positive rate range are input, detect an abnormality in which pAUC is maximized in the false positive rate range. a learning unit that learns a model that outputs an anomaly detector to perform;
    An anomaly detection device characterized by having.
  2.  学習された前記モデルに前記目標タスクの正常データと指定された誤検知率範囲とを入力し、出力された異常検知器を用いて、前記目標タスクのデータの異常を検知する検知部を、さらに有することを特徴とする請求項1に記載の異常検知装置。 further comprising: a detection unit that inputs normal data of the target task and a specified false positive rate range to the trained model, and detects an abnormality in the data of the target task using an output anomaly detector; The abnormality detection device according to claim 1, further comprising:
  3.  前記学習部は、置換不変なニューラルネットワークを用いた前記モデルを学習することを特徴とする請求項1に記載の異常検知装置。 The anomaly detection device according to claim 1, wherein the learning unit learns the model using a permutation-invariant neural network.
  4.  前記学習部は、微分可能なモデルを用いた前記異常検知器を出力するように、前記モデルを学習することを特徴とする請求項1に記載の異常検知装置。 The anomaly detection device according to claim 1, wherein the learning unit learns the model so as to output the anomaly detector using a differentiable model.
  5.  異常検知装置が実行する異常検知方法であって、
     異常検知の処理対象の目標タスクに関連するタスクの異常データを含む1つ以上のデータセットと、各データセットの誤検知率範囲とを取得する取得工程と、
     取得された前記データセットと前記誤検知率範囲とを用いて、正常データと指定された誤検知率範囲とが入力された場合に、該誤検知率範囲におけるpAUCが最大化された異常検知を行う異常検知器を出力するモデルを学習する学習工程と、
     を含んだことを特徴とする異常検知方法。
    An anomaly detection method performed by an anomaly detection device, the method comprising:
    an acquisition step of acquiring one or more datasets containing abnormality data of tasks related to the target task to be processed for abnormality detection and a false positive rate range of each dataset;
    Using the acquired data set and the false positive rate range, when normal data and a specified false positive rate range are input, detect an abnormality in which pAUC is maximized in the false positive rate range. a learning process for learning a model that outputs an anomaly detector;
    An anomaly detection method characterized by comprising:
  6.  An anomaly detection program that causes a computer to execute:
     an acquisition step of acquiring one or more datasets containing anomaly data of tasks related to the target task to be processed for anomaly detection, and a false positive rate range for each dataset; and
     a learning step of using the acquired datasets and false positive rate ranges to learn a model that, when normal data and a specified false positive rate range are input, outputs an anomaly detector that performs anomaly detection with pAUC maximized in that false positive rate range.
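Added example, not part of the patent text: the claims optimise pAUC over a specified false positive rate range, and the sketch below computes an empirical pAUC over [alpha, beta] from anomaly scores by integrating the ROC curve, a standard estimator rather than the patent's own formula. The function names and the sample scores are constructed for illustration; a higher score is assumed to mean more anomalous.

```python
from itertools import groupby

def roc_points(normal_scores, anomaly_scores):
    """ROC curve as (FPR, TPR) points; a higher score means more anomalous."""
    labelled = [(s, 0) for s in normal_scores] + [(s, 1) for s in anomaly_scores]
    labelled.sort(key=lambda p: p[0], reverse=True)
    fp = tp = 0
    points = [(0.0, 0.0)]
    # Tied scores cross the threshold together, so they yield one ROC point.
    for _, group in groupby(labelled, key=lambda p: p[0]):
        for _, is_anomaly in group:
            tp += is_anomaly
            fp += 1 - is_anomaly
        points.append((fp / len(normal_scores), tp / len(anomaly_scores)))
    return points

def tpr_at(points, fpr):
    """TPR on the piecewise-linear ROC curve at an FPR strictly inside a segment."""
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 < fpr < x1:
            return y0 + (y1 - y0) * (fpr - x0) / (x1 - x0)
    raise ValueError("fpr must lie strictly between two ROC breakpoints")

def partial_auc(normal_scores, anomaly_scores, alpha, beta):
    """Area under the ROC curve for FPR in [alpha, beta], divided by (beta - alpha)."""
    if not 0.0 <= alpha < beta <= 1.0:
        raise ValueError("need 0 <= alpha < beta <= 1")
    if not normal_scores or not anomaly_scores:
        raise ValueError("need at least one normal and one anomalous score")
    points = roc_points(normal_scores, anomaly_scores)
    # Cut [alpha, beta] at every ROC breakpoint; the curve is linear on each piece,
    # so piece width times TPR at the midpoint is the exact area of that piece.
    cuts = sorted({alpha, beta} | {x for x, _ in points if alpha < x < beta})
    area = sum((b - a) * tpr_at(points, (a + b) / 2) for a, b in zip(cuts, cuts[1:]))
    return area / (beta - alpha)

# Constructed scores: two detectors with the same full AUC (0.75) that differ
# sharply once only the low false positive rate range [0, 0.25] is considered.
NORMAL_A, ANOMALY_A = [0.8, 0.7, 0.3, 0.2], [0.9, 0.5]
NORMAL_B, ANOMALY_B = [0.9, 0.4, 0.3, 0.2], [0.8, 0.7]

if __name__ == "__main__":
    for name, n, a in (("A", NORMAL_A, ANOMALY_A), ("B", NORMAL_B, ANOMALY_B)):
        print(name, partial_auc(n, a, 0.0, 1.0), partial_auc(n, a, 0.0, 0.25))
```

Detector B's top-scored sample is a normal one, so it detects nothing inside the [0, 0.25] false positive budget even though its full AUC matches detector A's.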
PCT/JP2022/026621 2022-07-04 2022-07-04 Abnormality detection device, abnormality detection method, and abnormal detection program WO2024009362A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/026621 WO2024009362A1 (en) 2022-07-04 2022-07-04 Abnormality detection device, abnormality detection method, and abnormal detection program

Publications (1)

Publication Number Publication Date
WO2024009362A1 true WO2024009362A1 (en) 2024-01-11

Family

ID=89452938

Country Status (1)

Country Link
WO (1) WO2024009362A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017102540A (en) * 2015-11-30 2017-06-08 日本電信電話株式会社 Classification device, method, and program
JP2020170214A (en) * 2019-04-01 2020-10-15 株式会社東芝 Time series data analysis method, time-series data analyzer and computer program
WO2021070394A1 (en) * 2019-10-11 2021-04-15 日本電信電話株式会社 Learning device, classification device, learning method, and learning program
WO2021199226A1 (en) * 2020-03-31 2021-10-07 日本電気株式会社 Learning device, learning method, and computer-readable recording medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22950157

Country of ref document: EP

Kind code of ref document: A1