
JP-2026075055-A - A method for detecting abnormal behavior by analyzing network activity from multiple perspectives, and an electronic device for performing this analysis.

JP 2026075055 A

Abstract

[Problem] To provide a method for detecting abnormal behavior by having an electronic device perform a multifaceted analysis of network activity, and an electronic device that performs this. [Solution] The method includes the steps of acquiring transmitted and received packets, analyzing the acquired packets to generate packet information, generating statistical information for a predetermined period based on the generated packet information, extracting scenario data corresponding to each of a plurality of behavioral analysis scenarios using the packet information and statistical information, inputting the scenario data into a pre-trained neural network to confirm the result value, and determining the user's abnormal behavior based on the result value. [Selection Diagram] Figure 7

Inventors

  • ホン, ジェワン
  • キム, ヨンホ

Assignees

  • クワッド マイナー カンパニー リミテッド

Dates

Publication Date
2026-05-07
Application Date
2025-09-26
Priority Date
2024-10-21

Claims (10)

  1. A method by which an electronic device analyzes network behavior from multiple perspectives to detect abnormal behavior, the method comprising: acquiring packets that are being transmitted or received; analyzing the acquired packets to generate packet information; generating statistical information for a predetermined period based on the generated packet information; extracting scenario data corresponding to each of a plurality of behavioral analysis scenarios from the packet information and the statistical information; inputting the scenario data into a pre-trained neural network and checking the resulting values; and determining the user's abnormal behavior based on the resulting values.
  2. The multifaceted analysis-based abnormal behavior detection method according to claim 1, wherein analyzing the acquired packets to generate packet information comprises parsing the acquired packets to generate IP information, port information, application information, and packet size information for the packets.
  3. The multifaceted analysis-based abnormal behavior detection method according to claim 2, wherein generating statistical information for a predetermined period based on the generated packet information comprises classifying the information contained in the packet information during the predetermined period, and generating the statistical information by deriving statistics from the classified information.
  4. The multifaceted analysis-based abnormal behavior detection method according to claim 1, further comprising training the neural network based on a portion of the packet information and statistical information of packets transmitted and received during a specific period.
  5. The multifaceted analysis-based abnormal behavior detection method according to claim 4, wherein training the neural network comprises extracting training data corresponding to each of the plurality of behavior analysis scenarios from the packet information and statistical information, and training the neural network based on the training data.
  6. The multifaceted analysis-based abnormal behavior detection method according to claim 5, wherein training the neural network uses an autoencoder composed of a recurrent neural network (RNN).
  7. The multifaceted analysis-based abnormal behavior detection method according to claim 1, wherein determining the user's abnormal behavior based on the resulting values comprises detecting abnormal behavior if, among the loss values between the input and the resulting values of the scenario data corresponding to each of the plurality of behavior analysis scenarios, there is a value that exceeds a critical value.
  8. The multifaceted analysis-based abnormal behavior detection method according to claim 1, wherein the plurality of behavior analysis scenarios include an overall behavior analysis scenario, an application-specific behavior analysis scenario, an attachment-specific behavior analysis scenario, and an email-specific behavior analysis scenario.
  9. A computer-readable recording medium containing a program for causing a computer to perform the method described in any one of claims 1 to 8.
  10. An electronic device that detects abnormal behavior by analyzing network activity from multiple perspectives, comprising: a communication unit that transmits and receives packets over a network; a memory; and a processor, wherein the processor acquires the packets being transmitted and received, analyzes the acquired packets to generate packet information, generates statistical information for a predetermined period based on the generated packet information, extracts scenario data corresponding to each of a plurality of behavioral analysis scenarios using the packet information and statistical information, inputs the scenario data into a pre-trained neural network and checks the resulting values, and determines abnormal behavior of the packet based on the resulting values.
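The pipeline of claims 1 to 8 (and the processor of claim 10) carried through end to end, as an added Python example that is not part of the patent and not code from the assignee: capture lines are parsed into packet information (claim 2), classified into per-period statistics (claim 3), turned into one feature vector per scenario (claim 8), scored per scenario, and the period is declared abnormal when any scenario's loss exceeds the critical value (claim 7). Everything concrete here is assumed: the key=value capture line format, the 60-second period, the two features chosen per scenario, the critical value of 9.0, and the ScenarioBaseline model, whose per-feature standardized-deviation score stands in for the reconstruction loss of the RNN autoencoder in claims 5 and 6. The capture is constructed sample data: four normal training periods, one normal held-out period, and one period with a burst of large attachment-bearing mails to recipients never seen before.

```python
from collections import defaultdict
from statistics import mean, pstdev

PERIOD_SEC = 60    # length of one statistics window; assumed ("predetermined period" in claim 1)
CRITICAL = 9.0     # critical value for the per-scenario loss; assumed (a 3-sigma-squared budget)
SCENARIOS = ("overall", "application", "attachment", "email")   # the four scenarios of claim 8
PORTS = {"http": 80, "smtp": 25}


def parse_packet(line):
    """Claim 2: parse one captured packet into IP, port, application and size
    information. The key=value capture line format is constructed for this example."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": int(f["ts"]), "src_ip": f["src"], "dst_ip": f["dst"],
            "port": int(f["dport"]), "app": f["app"], "size": int(f["len"]),
            "attachment": f["attach"] == "1"}


def period_statistics(infos, period_sec=PERIOD_SEC):
    """Claim 3: classify packet information per period and derive statistics from it."""
    new = lambda: {"packet_count": 0, "total_bytes": 0, "apps": defaultdict(int),
                   "attachment_count": 0, "attachment_bytes": 0,
                   "email_count": 0, "email_dsts": set()}
    periods = defaultdict(new)
    for p in infos:
        s = periods[p["ts"] // period_sec]
        s["packet_count"] += 1
        s["total_bytes"] += p["size"]
        s["apps"][p["app"]] += 1
        if p["attachment"]:
            s["attachment_count"] += 1
            s["attachment_bytes"] += p["size"]
        if p["app"] == "smtp":          # e-mail traffic identified by application (assumed)
            s["email_count"] += 1
            s["email_dsts"].add(p["dst_ip"])
    return dict(periods)


def scenario_vectors(s):
    """Claim 8: one feature vector per behavior-analysis scenario (features are assumed)."""
    return {"overall": [s["packet_count"], s["total_bytes"]],
            "application": [s["apps"].get("http", 0), s["apps"].get("smtp", 0)],
            "attachment": [s["attachment_count"], s["attachment_bytes"]],
            "email": [s["email_count"], len(s["email_dsts"])]}


class ScenarioBaseline:
    """Stand-in for the per-scenario RNN autoencoder of claims 5 and 6: learns a per-feature
    mean and spread from normal periods; the mean squared standardized deviation of a new
    period plays the role of the reconstruction loss that claim 7 compares with the critical value."""

    def fit(self, period_stats):
        vecs = [scenario_vectors(s) for s in period_stats]
        self.params = {}
        for sc in SCENARIOS:
            cols = zip(*(v[sc] for v in vecs))                 # one column per feature
            self.params[sc] = [(mean(c), max(pstdev(c), 1.0)) for c in cols]  # floor spread at 1
        return self

    def loss(self, stats):
        vec = scenario_vectors(stats)
        return {sc: mean(((x - mu) / sd) ** 2 for x, (mu, sd) in zip(vec[sc], self.params[sc]))
                for sc in SCENARIOS}


def detect(model, stats, critical=CRITICAL):
    """Claim 7: abnormal if the loss of any scenario exceeds the critical value."""
    losses = model.loss(stats)
    flagged = [sc for sc in SCENARIOS if losses[sc] > critical]
    return {"abnormal": bool(flagged), "flagged": flagged, "losses": losses}


def _pkt(ts, app, size, attach=0, dst="203.0.113.7"):
    # One constructed capture line (sample data, not real traffic)
    return f"ts={ts} src=10.0.0.5 dst={dst} dport={PORTS[app]} app={app} len={size} attach={attach}"


MAIL1, MAIL2 = "198.51.100.1", "198.51.100.2"
# Constructed capture: periods 0-3 are the normal training window, period 4 is a normal
# held-out period, period 5 is a burst of large attachment-bearing mails to six new recipients.
CAPTURE = (
    [_pkt(1, "http", 500), _pkt(2, "http", 700), _pkt(3, "http", 600), _pkt(4, "smtp", 1000, 0, MAIL1)]
    + [_pkt(61, "http", 500), _pkt(62, "http", 600), _pkt(63, "http", 700), _pkt(64, "http", 800),
       _pkt(65, "smtp", 1200, 1, MAIL1)]
    + [_pkt(121, "http", 400), _pkt(122, "http", 600), _pkt(123, "http", 800),
       _pkt(124, "smtp", 1000, 0, MAIL1), _pkt(125, "smtp", 1500, 1, MAIL2)]
    + [_pkt(181, "http", 500), _pkt(182, "http", 500), _pkt(183, "http", 700), _pkt(184, "http", 900),
       _pkt(185, "smtp", 1100, 0, MAIL2)]
    + [_pkt(241, "http", 500), _pkt(242, "http", 600), _pkt(243, "http", 700), _pkt(244, "smtp", 1000, 0, MAIL1)]
    + [_pkt(301, "http", 600)]
    + [_pkt(302 + i, "smtp", 5000, 1, f"198.51.100.{11 + i}") for i in range(6)]
)


def run_pipeline(capture=CAPTURE, train_periods=(0, 1, 2, 3)):
    """Claims 1, 4 and 10 end to end: train on the given periods, decide on the rest."""
    stats = period_statistics([parse_packet(line) for line in capture])
    model = ScenarioBaseline().fit([stats[i] for i in train_periods])
    return {i: detect(model, stats[i]) for i in sorted(stats) if i not in train_periods}


if __name__ == "__main__":
    for period, r in run_pipeline().items():
        print(f"period {period}: {'ABNORMAL' if r['abnormal'] else 'normal'} {r['flagged']}")
```

Running it scores period 4 as normal in every scenario and flags period 5 in all four, with the email and attachment scenarios far above the critical value because the recipient count and attachment volume have no precedent in the training window. Replacing the stand-in with the claimed RNN autoencoder means swapping `ScenarioBaseline.fit` and `ScenarioBaseline.loss` for training on sequences of period vectors and returning the reconstruction error per scenario; the statistics, scenario extraction and the claim 7 decision rule are unchanged. The per-scenario split is what limits the over-generalization the description attributes to a single user-wide model: a quiet change in one scenario is not averaged away by normal traffic in the others.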

Description

This application relates to a method for detecting abnormal behavior by analyzing network activity from multiple perspectives, and to an electronic device for carrying out this method. Existing systems have largely relied on IDS (Intrusion Detection System) network security equipment to detect abnormal user behavior. Among these, the Snort detection pattern grammar has become widely used by CERT (Computer Emergency Response Team) breach response teams worldwide. However, this pattern-based detection method has a problem: while it can detect the patterns of known attacks, it cannot detect zero-day attacks aimed at specific targets, or attacks that use unknown methods. Once an attack technique becomes widely known and its detection method is published as a pattern, a variety of derivative techniques emerge that circumvent the existing pattern or use different strings to avoid detection. Therefore, in addition to pattern-based detection, statistical approaches have also been studied as a way to detect unknown attacks. Methods for detecting insider threats based on machine learning exist, such as the previously published "Machine Learning-Based Insider Threat Detection Technique: Anomaly Detection Using RNN Autoencoder," but these methods suffer from the problem of over-generalizing user behavior. Because user behavior is not always clear-cut, further procedures are needed to verify the results detected by such a method, which results in a high false positive rate. Consequently, there is a need for methods that can detect abnormal behavior through a multifaceted analysis of user actions.
[Prior art document] [Non-patent literature] Machine Learning-Based Insider Threat Detection Techniques: Anomaly Detection Using RNN AutoEncoder (https://doi.org/10.13089/JKIISC.2017.27.4.763)

The drawings are described as follows:

  • A simplified block diagram illustrating the configuration of an electronic device according to one embodiment of this application.
  • A simplified block diagram illustrating the configuration of a processor according to one embodiment of this application.
  • A drawing illustrating a method for generating packet information according to one embodiment of this application.
  • A diagram illustrating a method for generating statistical information according to one embodiment of this application.
  • A diagram illustrating a method for training a neural network corresponding to each of multiple behavioral analysis scenarios according to one embodiment of this application.
  • A diagram illustrating a method for detecting abnormal user behavior according to one embodiment of this application.
  • A flowchart illustrating a method for detecting abnormal behavior by multifaceted analysis of network activity according to one embodiment of this application.

The aforementioned objectives, features, and advantages of this application will become clearer through the following detailed description in relation to the attached drawings. However, since this application can be modified in various ways and has many different embodiments, specific embodiments will be illustrated and described in detail below. Throughout the specification, the same reference numerals generally indicate the same components. Furthermore, components with the same function within the same conceptual scope shown in the drawings of each embodiment will be described using the same reference numerals, and redundant explanations will be omitted.
Where a specific description of a known function or configuration related to this application is deemed likely to unnecessarily obscure the gist of this application, such detailed description will be omitted. Furthermore, the numbers used in the course of this specification (e.g., 1st, 2nd, etc.) are merely identification symbols to distinguish one component from another. Furthermore, the suffixes "module" and "part" used for the components in the following embodiments are added or mixed solely for the sake of ease of specification drafting, and do not inherently possess any distinguishing meaning or role from each other. In the following examples, singular expressions include plural expressions unless the context clearly indicates otherwise. In the following embodiments, terms such as "includes" or "has" mean that the features or components described in the specification are present, and do not preclude the possibility of the addition of one or more other features or components. The dimensions of components may be exaggerated or reduced in the drawings for illustrative purposes. For example, the dimensions and thicknesses of each component shown in the drawings are arbitrary and provided for illustrative purposes only; the present invention is not necessarily limited to those shown. Where a different embodiment can be realized, the order of a particular process may differ from the order described. For example, two processes described consecutively may be performed substantially simultaneously, or they may proceed in the reverse o