KR-20260067767-A - METHOD AND SYSTEM FOR LLM-BASED CONTEXT-AWARE DETECTION OF ABNORMAL BEHAVIOR IN CORPORATE INFORMATION SYSTEMS
Abstract
The present disclosure relates to an LLM-based context-aware method and system for detecting abnormal behavior in enterprise information systems. A learning engine trains a large-scale language model to extract abnormal behavior patterns from log data of an enterprise information system. A detection engine uses the large-scale language model to detect abnormal behavior in the log stream of the enterprise information system as it arrives in real time. A hybrid analysis engine integrates the detection results from the detection engine with detection results obtained from the log stream on the basis of predefined rules, and determines the final abnormal behavior. An update system may be configured to update at least one of the large-scale language model or a catalog based on at least one of the log stream, the final abnormal behavior, or feedback or verification data regarding the final abnormal behavior.
Inventors
- 양진홍
Assignees
- 인제대학교 산학협력단
Dates
- Publication Date: 2026-05-13
- Application Date: 2024-11-06
Claims (15)
- A computing system for detecting abnormal behavior in an enterprise information system based on Large Language Model (LLM) context awareness, the computing system comprising: a learning engine configured to train a large-scale language model to extract abnormal behavior patterns from log data of the enterprise information system; and a detection engine configured to use the large-scale language model to detect abnormal behavior from a log stream of the enterprise information system arriving in real time.
- The computing system of claim 1, further comprising a hybrid analysis engine configured to determine the final abnormal behavior by integrating the detection results from the detection engine with detection results of abnormal behavior obtained from the log stream on the basis of predefined rules.
- The computing system of claim 2, further comprising a catalog generator configured to generate a catalog of the abnormal behavior patterns, wherein the detection engine is configured to detect the abnormal behavior from the log stream based on the catalog using the large-scale language model.
- The computing system of claim 3, further comprising an update system configured to update at least one of the large-scale language model or the catalog based on at least one of the log stream, the final abnormal behavior, or feedback or verification data regarding the final abnormal behavior.
- The computing system of claim 2, further comprising at least one of: a data collection and preprocessing module configured to collect the log data from the enterprise information system, preprocess the log data into a form suited to the large-scale language model, and provide the log data to the learning engine; or a user interface and notification system capable of interacting with a user and configured to transmit the final abnormal behavior to the user.
- The computing system of claim 1, further comprising at least one of: a cloud-based infrastructure configured to manage computing resources and to establish, using those resources, the computing environment in which the computing system operates; a data privacy and security module configured to implement data processing and analysis processes in the computing system that comply with predefined regulations; or an API and integration interface configured to support interoperability between the computing system and external systems.
- The computing system of claim 2, wherein the hybrid analysis engine comprises: a rule-based analysis submodule configured to detect abnormal behavior from the log stream based on the predefined rules; a result integration submodule configured to integrate the detection result from the detection engine and the detection result from the rule-based analysis submodule into an integrated detection result; and a decision submodule configured to determine the final abnormal behavior based on the integrated detection result.
- The computing system of claim 7, wherein the result integration submodule is configured to integrate the detection result from the detection engine and the detection result from the rule-based analysis submodule by applying at least one of: a method that uses ensemble learning techniques to maximize the strengths and compensate for the weaknesses of each of the large-scale language model and the predefined-rule-based method; or a method that dynamically assigns weights to each of the large-scale language model and the predefined-rule-based method based on confidence and historical performance.
- The computing system of claim 1, wherein the detection engine comprises: a stream processing submodule configured to process the log stream in parallel; a context analysis submodule configured to interpret the meaning and context of each log event within the log stream using the large-scale language model; and an anomaly score calculation submodule configured to compute an anomaly score for the log event using a scoring method over at least one element, based on that meaning and context, and to determine whether the log event exhibits abnormal behavior by comparing the anomaly score with a preset threshold.
- A method of operating a computing system for detecting abnormal behavior in an enterprise information system based on large-scale language model context awareness, the method comprising: a step in which a learning engine trains a large-scale language model to extract abnormal behavior patterns from log data of the enterprise information system; and a step in which a detection engine uses the large-scale language model to detect abnormal behavior from a log stream of the enterprise information system arriving in real time.
- The method of claim 10, further comprising a step in which a hybrid analysis engine determines the final abnormal behavior by integrating the detection results from the detection engine with detection results of abnormal behavior obtained from the log stream on the basis of predefined rules.
- The method of claim 11, further comprising a step in which a catalog generator generates a catalog of the abnormal behavior patterns, wherein the step of detecting the abnormal behavior from the log stream comprises detecting the abnormal behavior from the log stream based on the catalog using the large-scale language model.
- The method of claim 12, further comprising a step in which an update system updates at least one of the large-scale language model or the catalog based on at least one of the log stream, the final abnormal behavior, or feedback or verification data regarding the final abnormal behavior.
- The method of claim 10, further comprising: a step in which a data collection and preprocessing module collects the log data from the enterprise information system; a step in which the data collection and preprocessing module preprocesses the log data into a form suited to the large-scale language model; and a step in which the data collection and preprocessing module provides the log data to the learning engine.
- The method of claim 11, further comprising a step in which a user interface and notification system capable of interacting with a user transmits the final abnormal behavior to the user.
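As an added worked example (not code from the patent or its applicant), the following Python sketches the integration described in claims 7 to 9 together with the feedback-driven update of claim 4: the LLM context-analysis score is stood in for by a constructed per-event number, the predefined rules are assumed examples, and the dynamic weights are each detector's normalised historical precision.

```python
from dataclasses import dataclass, field
import re
# Constructed sample log stream (not from the patent). The float stands in for
# the anomaly score the LLM context-analysis submodule would assign to the event.
SAMPLE_STREAM = [
    ("02:13 user=alice action=export table=payroll rows=120000", 0.92),
    ("09:02 user=bob action=login src=10.0.0.12 result=ok", 0.05),
    ("09:05 user=bob action=login src=10.0.0.12 result=fail", 0.35),
    ("23:41 user=carol action=privilege_change role=admin", 0.70),
]

# Predefined rules (assumed examples): a rule fires when its regex matches.
RULES = {
    "bulk_export": re.compile(r"action=export .*rows=\d{6,}"),
    "admin_grant": re.compile(r"action=privilege_change role=admin"),
}

def rule_detect(event: str) -> list:
    """Rule-based analysis submodule: names of the predefined rules that fire."""
    return [name for name, rx in RULES.items() if rx.search(event)]

@dataclass
class HybridAnalyzer:
    """Result integration and decision submodules with history-based weighting."""
    threshold: float = 0.5
    # (correct, total) decisions per detector, updated from analyst feedback;
    # starts at (1, 2) as a prior so neither detector dominates initially.
    history: dict = field(default_factory=lambda: {"llm": [1, 2], "rule": [1, 2]})

    def weights(self) -> dict:
        """Normalised historical precision of each detector (dynamic weights)."""
        prec = {k: c / t for k, (c, t) in self.history.items()}
        total = sum(prec.values())
        return {k: v / total for k, v in prec.items()}

    def decide(self, llm_score: float, rules_fired: list) -> tuple:
        """Weighted integration of both results, then threshold comparison."""
        w = self.weights()
        combined = w["llm"] * llm_score + w["rule"] * (1.0 if rules_fired else 0.0)
        return combined >= self.threshold, round(combined, 3)

    def feedback(self, detector: str, correct: bool) -> None:
        """Update system: verification data adjusts a detector's historical weight."""
        self.history[detector][0] += int(correct)
        self.history[detector][1] += 1

def run(stream=SAMPLE_STREAM, analyzer=None) -> list:
    # Score each event of the stream; returns (event, (is_abnormal, score)).
    analyzer = analyzer or HybridAnalyzer()
    return [(ev, analyzer.decide(s, rule_detect(ev))) for ev, s in stream]
```

Feeding verified outcomes back through `feedback()` shifts the weights, so a detector whose hits keep being rejected by analysts gradually loses influence over the final decision.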
Description
Method and System for LLM-Based Context-Aware Abnormal Behavior Detection in Corporate Information Systems

The present disclosure relates to a Large Language Model (LLM)-based context-aware method for detecting abnormal behavior in enterprise information systems and a system thereof.

The use of enterprise information systems is increasing. However, there are various technical limitations to the use of these systems.

The first factor is the increasing complexity of enterprise information systems. Enterprise information systems are becoming more complex day by day, and consequently detecting abnormal behavior within them is becoming more difficult. Therefore, there is a growing need for advanced anomaly detection technologies that operate effectively even in complex system environments.

The second point is the increasing threat from insiders. Cases of information leakage and system exploitation by insiders are on the rise. Existing security solutions, which focus on external threats, are insufficient to counter these insider threats effectively. Therefore, a new approach is required that can accurately analyze insider behavior patterns and detect abnormal behavior.

The third point is that existing rule-based detection systems have limitations. Traditional rule-based anomaly detection systems are showing limitations in responding to new types of threats. Because these systems rely solely on predefined rules, they struggle to detect changing attack patterns. Therefore, the development of more flexible and adaptive detection technologies is necessary.

The fourth factor is the advancement of Large Language Models (LLMs). LLM technology has recently been developing rapidly, and LLMs are demonstrating the ability to deeply understand the context and meaning of complex text data. Therefore, applying this technology to anomaly detection is expected to enable more sophisticated and accurate analysis.

The fifth point is the increasing importance of real-time response. As the speed and complexity of cyber attacks grow, so does the importance of real-time detection and response. Existing systems have limitations in analyzing large volumes of log data in real time and responding immediately. Therefore, there is a need for high-performance systems capable of rapidly processing large-scale data and detecting abnormal behavior in real time.

- FIG. 1 is a block diagram schematically illustrating a computing system for detecting abnormal behavior in an LLM-based enterprise information system according to the present disclosure.
- FIG. 2 is a block diagram illustrating in detail the LLM-based abnormal behavior pattern learning engine of FIG. 1.
- FIG. 3 is a block diagram illustrating in detail the automated anomaly detection catalog generator of FIG. 1.
- FIG. 4 is a block diagram illustrating in detail the context-based real-time anomaly detection engine of FIG. 1.
- FIG. 5 is a block diagram illustrating in detail the hybrid analysis engine of FIG. 1.
- FIG. 6 is a block diagram illustrating in detail the continuous learning and model update system of FIG. 1.
- FIG. 7 is a flowchart illustrating the operation method of a computing system for detecting abnormal behavior in an LLM-based context-aware enterprise information system according to the present disclosure.
- FIG. 8 is a flowchart illustrating the operation method of a computing system for detecting abnormal behavior in an LLM-based enterprise information system according to the present disclosure.
- FIG. 9 is a structural diagram illustrating the system architecture of a computing system according to the present disclosure.
- FIG. 10 is a structural diagram illustrating a cloud architecture for a computing system according to the present disclosure.
- FIG. 11 is a structural diagram illustrating a hybrid cloud architecture for a computing system according to the present disclosure.
In the following, the present disclosure provides an LLM-based context-aware method for detecting abnormal behavior in enterprise information systems and a system thereof. The purpose of the present disclosure is to develop a system that uses an LLM to detect abnormal behavior in enterprise information systems with high accuracy and adapts rapidly to new threats through self-learning, thereby defending effectively against insider threats, significantly enhancing the ability to respond to complex cyber attacks, and safely protecting the information assets of an enterprise. Specifically, the present disclosure may be implemented to achieve various objectives. The first is advanced context-based anomaly detection. This disclosure aims to achieve a deep contextual understanding of log data from enterprise information systems by using an LLM. Through this, it seeks to implement sophisticated anomaly detection that considers the intent and context of user behavior, going beyond simple pattern matching. Consequently, it aims to dramatically improve det