KR20210142443A - Method and system for providing continuous adaptive learning over time for real time attack detection in cyberspace - Google Patents

Abstract

According to one embodiment of the present invention, provided is a method of detecting a real-time attack in a cyberspace performed by a detection system. The method may include the steps of: labeling unclassified data continuously flowing in from cyberspace; evaluating an attribute score of training data obtained through the labeled unclassified data and classified data; and evaluating performance of a learning model learned using attribute information derived based on the attribute score of the evaluated training data. Accordingly, sophisticated models, which can be analyzed on past and present data, can be completed.

Description

METHOD AND SYSTEM FOR PROVIDING CONTINUOUS ADAPTIVE LEARNING OVER TIME FOR REAL TIME ATTACK DETECTION IN CYBERSPACE

The present invention relates to a method and system for providing adaptive learning. More particularly, it relates to a method and system for providing continuous adaptive learning over time for real-time attack detection in cyberspace.

Recently, a variety of cyberattacks have occurred around the world regardless of individuals, companies, and countries, and they are suffering not only financial damage but also significant damage due to the theft of important information. The military, which used conventional weapons in the past, is currently using high-performance weapons based on advanced technology. integrated management. Accordingly, the modern warfare area has been changed to five areas other than land, sea, and air, with space and cyberspace added.

Virtual cyberspace, rather than a physically distinguishable space, acts as a medium that connects activities in each domain while guaranteeing freedom for activities in other domains. As such cyberspace becomes an important area, reality is also largely dependent on computer systems.

According to the non-patent document Cisco, VNI "Cisco Visual Networking Index: Forecast and Trends, 2017-2022" White Paper, 2018>, by 2022, the number of network devices per capita will be 3.6 and the number of devices connected to the IP network will be all It is expected that it will triple the world's population, and global Internet traffic will reach more than 4.8 ZB (Zetta Byte) per year. As a large amount of cyberspace information that is difficult to process like this is generated in real time, continuous research and development are being made on numerous threats, but there is a problem in that absolute stability cannot be obtained for security. In addition, threats occurring in cyberspace require an operating system that can analyze them because the distinction between public and private organizations, government and commercial military and non-military is ambiguous.

The present invention is to solve the technical problems of the prior art as described above, and an object of the present invention is to provide a method and system for providing continuous adaptive learning over time for real-time attack detection in cyberspace.

In addition, an object of the present invention is a system and method for operating CALOT (Continuous Adaptive Learning Over Time) using a feature selection and continuous learning algorithm to analyze data continuously flowing in from cyberspace. is to provide

A method of detecting a real-time attack in cyberspace performed by a detection system according to an embodiment for solving the above problems is provided. The method includes labeling unclassified data continuously flowing in from cyberspace; evaluating an attribute score of training data obtained through the labeled unclassified data and classified data; and evaluating the performance of the learned learning model using attribute information derived based on the attribute score of the evaluated training data.

According to an embodiment, the step of labeling the unclassified data continuously flowing in from cyberspace may include performing pre-processing on the labeled unclassified data and the classified data.

According to an embodiment, the step of labeling the unclassified data continuously flowing in from cyberspace includes performing unsupervised pre-training for generating parameters only with the unclassified data, and the classification data The learning parameters can be tuned by performing supervised fine-tuning in which a classifier is generated using , and backpropagation is performed.

According to an embodiment, the step of labeling the unclassified data continuously introduced from cyberspace includes a DCAE (Dilated Convolution Auto Encoder) algorithm that combines self-taught learning and representation learning. Transforming the original data by using the learning parameters generated from the unclassified data based on , and performing re-learning on the transformed original data.

According to an embodiment, the step of labeling the unclassified data continuously flowing in from cyberspace includes applying a normalization process to the classified data, extracting features from the unclassified data, and adding a label to the extracted features. The method may include applying a normalization process to unclassified data generated by labeling.

According to an embodiment, the step of evaluating the attribute score of the training data obtained through the labeled unclassified data and the classified data includes evaluating a weight for each attribute for evaluating the attribute score of the acquired training data, , may include arranging the attribute scores of the acquired training data in descending order based on the evaluated weight for each attribute.

According to an embodiment, the step of evaluating the performance of the learned learning model using the attribute information derived based on the attribute score of the evaluated training data includes the attribute derived based on the attribute score of the evaluated training data. It may include training a learning model using the information, and searching for a combination of attributes through performance evaluation of the learned learning model. In the step of searching for the attribute combination, the attribute combination is searched by removing unnecessary attributes from the original data through performance evaluation of the learned learning model.

A detection system according to another embodiment is disclosed. The detection system includes: an automatic labeling module for labeling unclassified data continuously introduced from cyberspace; a feature weight calculation module for evaluating attribute scores of training data obtained through the labeled unclassified data and classified data; and an evaluation model module for evaluating the performance of the learned learning model using attribute information derived based on the attribute score of the evaluated training data.

According to an embodiment, the automatic labeling module may perform pre-processing on the labeled unclassified data and classified data.

According to one embodiment, the automatic labeling module is based on a DCAE (Dilated Convolution Auto encoder) algorithm that combines self-taught learning and representation learning learning parameters generated from unclassified data. to transform the original data, and re-learning for the transformed original data may be performed.

According to an embodiment, the automatic labeling module applies a normalization process to the classification data, extracts a feature from the unclassified data, and applies a label to the extracted feature. can be applied.

According to an embodiment, the feature weight calculation module evaluates a weight for each attribute for evaluating the attribute score of the acquired training data, and calculates the attribute score of the acquired training data based on the evaluated weight for each attribute. You can sort in descending order.

According to an embodiment, the evaluation model module trains a learning model using attribute information derived based on attribute scores of the evaluated training data, and searches for attribute combinations through performance evaluation of the learned learning model. can do. The search for the attribute combination may be performed by removing unnecessary attributes from the original data through performance evaluation of the learned learning model.

A detection method and system providing continuous adaptive learning over time for real-time attack detection in cyberspace according to an embodiment has the following effects.

The detection system according to an embodiment presents optimized properties, and reduces the amount of data used for real-time attack sign detection because only optimal properties are left for classifying attack signs from the initial incoming data, and the model is trained. In the process, cost reduction and overfitting problems can be solved.

The detection system according to an embodiment remembers a representative pattern learned through continuous learning and learns only a new incoming pattern, learns only the added data without learning the whole each time, and analyzes the past and present data You can complete a sophisticated model that you can do.

The features and effects of the present invention described above will become more apparent through the following detailed description in relation to the accompanying drawings, and accordingly, those of ordinary skill in the art to which the present invention pertains can easily implement the technical idea of the present invention. will be able

1 is a diagram for explaining a pre-processing process in a detection system according to an embodiment.
2 is a diagram for explaining a structure for detecting a real-time attack in cyberspace in a detection system according to an embodiment.
3 is a diagram for explaining an automatic labeling operation in a detection system according to an embodiment.
4 is a diagram for explaining a structure of a feature weight calculation module in a detection system according to an embodiment.
5 is a diagram for explaining a structure of an evaluation model module in a detection system according to an embodiment.
6 is a flowchart illustrating a method of detecting a real-time attack in cyberspace in a detection system according to an embodiment.

The features and effects of the present invention described above will become more apparent through the following detailed description in relation to the accompanying drawings, and accordingly, those of ordinary skill in the art to which the present invention pertains can easily implement the technical idea of the present invention. will be able Since the present invention can have various changes and can have various forms, specific embodiments are illustrated in the drawings and described in detail in the text. However, this is not intended to limit the present invention to a specific disclosed form, it should be understood to include all modifications, equivalents and substitutes included in the spirit and scope of the present invention. The terms used herein are used only to describe specific embodiments, and are not intended to limit the present invention.

Since the present invention can have various changes and can have various embodiments, specific embodiments are illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to a specific embodiment, it should be understood to include all modifications, equivalents and substitutes included in the spirit and scope of the present invention.

In describing each figure, like reference numerals are used for like elements.

Terms such as first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

For example, without departing from the scope of the present invention, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component. The term “and/or” includes a combination of a plurality of related listed items or any of a plurality of related listed items.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.

Terms such as those defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related art, and should not be interpreted in an ideal or excessively formal meaning unless explicitly defined in the present application. shouldn't

The suffixes “module,” “block,” and “part” for the components used in the following description are given or mixed in consideration of the ease of writing the specification only, and do not have a meaning or role distinct from each other by themselves. .

Hereinafter, a preferred embodiment of the present invention will be described with reference to the accompanying drawings so that a person skilled in the art can easily implement it. In the following description of embodiments of the present invention, if it is determined that a detailed description of a related known function or a known configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted.

Hereinafter, a heterogeneous test equipment interface method and apparatus for a weapon system environment/reliability test according to the present specification will be described.

In this specification, a continuous adaptive learning over time (CALOT) operating system that uses a feature selection and continuous learning algorithm, rather than the conventional general machine learning, to analyze data continuously flowing in from cyberspace, and A method will be described. In a real-time cyberspace continuous and repetitively operated model, when new data enters the trained model, incremental learning that enables continuous learning can be used to continue learning the existing learning model. Progressive learning is a method of remembering the already learned representative pattern and learning only the new incoming pattern. This is a learning method suitable for real-time cyberspace intrusion detection because it can learn even in a situation where time and resources are limited, and when abundant resources are provided, the learning is divided into batch units.

In this regard, FIG. 1 is a diagram for explaining a pre-processing process in a detection system according to an exemplary embodiment.

The detection system may perform a preprocessing process on the data set used for the CALOT test. CSE-CIC-IDS2018 is available as a data set. Regarding the CSE-CIC-IDS 2018 data set, Non-Patent Document 2 <Sharafaldin, Iman, et al. "Towards a reliable intrusion detection benchmark dataset." Software Networking 2018.1 (2018): 177-200.> can be referred to. As an example, the CSE-CIC-IDS 2018 data set may be associated with a data set created by this intrusion detection benchmark dataset. According to Non-Patent Document 2, the reliability of existing data sets, such as DARPA98, KDD99, ISC2012, and ADFA13, which were used by many people in the past, were verified. For reasons such as unreasonable packet information, payload anonymization, and lack of feature sets and metadata, all tested data sets may result in unreliable results. As a result, a joint project between Communications Security Establishment (CSE) and the Canadian Cyber Security Research Institute created a reliable data set containing seven common attack network flows that satisfy the various criteria above. The data set is organized on a daily basis, and raw data including network traffic (Pcap) per computer and event logs were recorded. In order to extract features from raw data, features were conventionally created using a tool called NetMate, but in the CSE-CIC-IDS2018 data set, multiple (e.g., 80) or more traffic characteristics can be extracted. As a result, a comprehensive set of network traffic feature sets and a dataset representing the best feature set for detecting specific attack categories by evaluating the performance of machine learning algorithms were completed. The detection system according to an embodiment may use the CSE-CIC-IDS2018 data set.

The detection system may perform preprocessing to learn data through CALOT. At this time, since more than 80% of the time is used for data collection and pre-processing, it is a very important process. Referring to Figure 1, the overall structure of the pre-processing process is shown.

According to an embodiment, a hybrid feature approach in which a filter approach and a wrapper approach are mixed may be used in the preprocessing process.

The filter approach is generally used in preprocessing and can be applied independently of machine learning algorithms. This means that the results of the filter approach are not the best feature subsets in machine learning, but various statistical scores are derived based on the result variables and correlations to give rankings to attributes. Through this, a machine learning user can configure a feature subset with information about how much influence each feature has through a feature-rank before learning.

The wrapper approach trains the model using feature subsets and determines whether to add or subtract features from the previous model based on inference. However, comparing models based on inference can be computationally expensive. Compared to the filter approach, which extracts the feature rank independently of the model's performance in the preprocessing process of machine learning, it is directly related to the machine learning algorithm because it adds or subtracts features that show high performance while performing machine learning using a feature subset. It has a much better effect in terms of performance.

The detection system can divide the preprocessing process into two types according to the data. First, it is the CSE-CIC-IDS2018 data set as the classified data (Labeled Data) 101 . The CSE-CIC-IDS2018 data set has a CSV file format with Data Construction that can directly apply machine learning because it is already processed data that has been processed and labeled by the user. The detection system may apply the normalization process 130 to the classification data without another prior process.

The data disclosed herein may include unlabeled data in addition to the classified data 101 . In this regard, the unlabeled data may be data 111 input through a Raw Network Packet (pcap). The data 111 input through the Raw Network Packet (pcap) may be converted to the Raw Network Packet data 111 . In general, data collected in cyberspace is in the form of unclassified data that is not labeled. This is true not only in cyberspace, but in other fields as well, raw data is usually unlabeled. Accordingly, it is necessary to give a label to the unclassified data.

The detection system may use the CICFlowMeter 112 to extract features from raw network data collected in cyberspace. At this time, the data extracted by using the CICFlowMeter 112 becomes unlabeled data 113 composed of features without labels. The detection system may label the unclassified data 113 through automatic labeling 114 using a CALOT automatic labeling module. A description of the automatic labeling module will be described in detail with reference to FIG. 2 . Data that has been successfully labeled through automatic labeling will have the data construction 120 shown in Table 1 as the classification data. The data structure is a data structure with multiple (eg, 79) features including labels. Although it is a learnable form, it is not normalized, so it takes a lot of time and inaccurate results when learning. It is very likely to come out

The detection system may perform normalization 130 on each of the classified data and the unclassified data for more accurate learning results and faster learning. Normalization can consist of four steps. Null Value Delete in normalization removes null values from each feature in data construction, and it is possible to prevent inaccurate learning through null values. Incorrect Value Delete removes an abnormal value, and removes or replaces values such as 'Infinity' and 'NaN'. There are several methods for substituting, but the most commonly used methods are 'zero padding', 'the most frequent data', 'highest value', 'lowest value', and 'average value'. Min-max normalization is to scale the values of data to a distribution within a certain range because a lot of load occurs in learning when the difference in the distribution of data is greater than (eg, large) a preset criterion, In general, a value between 0 and 1 is often used, and Equation 1 is as follows.

Feature selection is to generate a feature subset with the best performance for learning from all features. In the case of feature selection, only correct information can be collected if there is prior knowledge about the problem to be solved through machine learning, but in most cases, unnecessary information is included because there is no prior knowledge. Accordingly, feature selection refers to a method of generating an efficient attribute set by using a subset of all attributes collected without prior knowledge. In other words, it is a process of generating an optimal model by removing unnecessary attributes from the original data by removing the attributes that are judged not to affect the results among various attributes.

Feature selection is performed through a feature weight operation module, and a detailed description thereof will be described with reference to FIG. 2 . An example of the final training data (training data) 140 generated as the detection system performs four steps of normalization may be shown in Table 2. In this regard, Table 2 shows a normalization data structure.

2 is a diagram for explaining a structure for detecting a real-time attack in cyberspace in a detection system according to an embodiment. Meanwhile, FIG. 3 is a diagram for explaining an automatic labeling operation in a detection system according to an embodiment. 4 is a diagram for explaining a structure of a feature weight calculation module in a detection system according to an embodiment. 5 is a diagram for explaining the structure of an evaluation model module in a detection system according to an embodiment.

Referring to FIG. 2 , the detection system may include an automatic labeling module 210 , a feature weight calculation module 220 , and an evaluation model module 230 .

The detection system may analyze data continuously flowing in from cyberspace using an automatic labeling module 210 , a feature weight calculation module 220 , and an evaluation model module 230 .

The automatic labeling module 210 may automatically assign a label to the unlabeled data. The automatic labeling module 210 may proceed at the very beginning of the detection system. In order to automatically assign a label in the automatic labeling module 210, a DCAE (Dilated Convolution Auto encoder) algorithm that combines the concepts of self-taught learning and representation learning can be used. DCAE is a form of unsupervised learning that transforms original data using learning parameters generated from unclassified data, such as autonomous learning, and re-learns on the transformed original data. It is also called unsupervised feature learning because of the feature of learning parameters using only features without labels. Referring to FIG. 3 , after performing unsupervised pre training 310 that generates parameters only with unclassified data, a classifier is generated using a small number of classification data to perform backpropagation. It has a structure in which more sophisticated parameters are completed by performing supervised fine-tuning 320 to tune the existing parameters.

As shown in FIG. 3 , a Stack Dilated Convolution Auto Encoder Structure is shown. When configuring the autoencoder in DCAE, dilated convolution is used instead of general convolution. For that reason, through a structure that does not pool layers, it shows a fast learning speed using fewer parameters than conventional convolution, and by adding zero padding inside the filter, forcibly a receptive field. Since the (receptive field) is increased, the loss of the spatial dimension is small, and the calculation efficiency is good because most of the weights are 0.

The feature weight calculation module 220 may be configured to evaluate a score for each attribute and measure initial performance of a model using all data. That is, a method of evaluating the score for each attribute through the feature weight calculation module 220 and measuring the initial performance of a model using all data may be performed. Referring to FIG. 4 , it relates to a diagram for explaining the structure of a feature weight operation module, and a feature weight operation 410 and a feature evaluation pool 420 are illustrated. Through the feature weight calculation 410 , a feature selection algorithm, cross validation, and feature evaluation may be performed. Also, estimate accuracy may be performed through the feature weight calculation 410 . In addition, a high accuracy feature may be selected through the feature weight operation 410 and an optimal feature may be selected. With respect to the feature evaluation pool 420 , distance, information ( information), dependency, consistency, and feature importance may be taken into consideration to evaluate the selected feature.

On the other hand, the feature weight calculation module 220 evaluates the score for each attribute and measures the initial performance of the model using all data, associated with the feature weight calculation 410 and the feature evaluation pool 420 of FIG. 4 . A function or action may be performed. However, the feature weight calculation module 220 is not limited to the functions or operations associated with the feature weight calculation 410 and the feature evaluation pool 420 shown in FIG. 4 , and uses various types of feature selection as follows. You can evaluate the score for each attribute of

The feature weight calculation module 220 may evaluate a score for each attribute of data by using feature selection. The feature weight calculation module 220 evaluates the weight for each attribute, and sorts the scores for each attribute in descending order based on the evaluated weight for each attribute. The feature weight calculation module 220 determines whether to sort in descending order based on the score for each property according to the property (List of Features) or/and the property set (List of Feature sets), or in descending order based on the score according to the property set You can choose to sort by . When sorting based on the score for each attribute, sorting is performed based on the score evaluated for each attribute.

Also, in the case of sorting based on a score according to a property set, a method of assigning a score to each permuted feature set may be applied. At this time, the value used uses the number of attributes (Length, n) and evaluation score (Value, v), and makes each value a value of 0 to 1 through normalization. As shown in Equation 2, the smaller the number of attributes, the higher the evaluation, and the higher the score of the set, the higher the evaluation. Additionally, in order to compare performance in the evaluation model module 230 thereafter, performance evaluation of the learned model may be performed using all attributes. In this case, the performance can be derived using the 10-fold cross validation method.

The evaluation model module 230 may find an optimal attribute combination through performance evaluation after learning by applying the attribute to the actual learning model by using the attribute derived through the feature weight calculating unit 220 . Referring to FIG. 5 , it is a diagram for explaining the structure of the evaluation model 510 . The evaluation model 510 of FIG. 5 may correspond to the evaluation model module 230 of FIG. 2 . The evaluation model module 230 of FIG. 2 may perform performance evaluation in conjunction with the evaluation model 510 of FIG. 5 . 2 and 5 , the evaluation model module 230 predicts a threshold value (Estimate Threshold), selects an optimal threshold value (Best Threshold), and selects an evaluation model accordingly (Select Model). .

Referring to FIG. 5 , the evaluation model module 230 may derive a threshold value 520 using Equation 3 . Through the derived threshold, the agent can select a learning model with appropriate time, memory and performance. Thereafter, the performance index for the combination is derived through 10-fold cross validation.

As a result, attributes optimized for the model are presented through the feature weight calculation module 220 and the evaluation model module 230, and only the optimal attributes are left for classifying the attack signs from the initially incoming data, so it is used for real-time attack sign detection. The amount of data used is reduced, and the problem of overfitting and cost reduction can be solved in the process of training the model. By memorizing the representative pattern learned through continuous learning and learning only the new incoming pattern, it learns only the added data without learning the whole each time, so that a sophisticated model that can analyze past and present data will be completed. can

6 is a flowchart illustrating a method of detecting a real-time attack in cyberspace in a detection system according to an embodiment.

In step 610, the detection system may label unclassified data continuously flowing in from cyberspace. The detection system may perform pre-processing on labeled unclassified data and classified data. The detection system transforms the original data using the learning parameters generated from the unclassified data based on the DCAE (Dilated Convolution Auto Encoder) algorithm, which combines self-taught learning and representation learning. It is possible to proceed with re-learning on the original data. The detection system may apply a normalization process to the unclassified data generated by applying a normalization process to the classified data, extracting features from the unclassified data, and labeling the extracted features.

In step 620, the detection system may evaluate the attribute score of the training data obtained through the labeled unclassified data and the classified data. The detection system may evaluate a weight for each attribute for evaluating the attribute score of the acquired training data, and arrange the attribute scores of the acquired training data in descending order based on the evaluated weight for each attribute.

In operation 630, the detection system may evaluate the performance of the learned learning model using attribute information derived based on the attribute score of the evaluated training data. The detection system may train a learning model using attribute information derived based on attribute scores of the evaluated training data, and may search for attribute combinations through performance evaluation of the learned learning model.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. may be embodied in The software may be distributed over networked computer systems, and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and carry out program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

In the above, a method and apparatus for interfacing heterogeneous test equipment for a weapon system environment/reliability test according to an embodiment have been described. The heterogeneous test equipment interface method and apparatus for a weapon system environment/reliability test according to an embodiment has the following effects.

A detection method and system providing continuous adaptive learning over time for real-time attack detection in cyberspace according to an embodiment has the following effects.

The detection system according to an embodiment presents optimized properties, and reduces the amount of data used for real-time attack sign detection because only optimal properties are left for classifying attack signs from the initial incoming data, and the model is trained. In the process, cost reduction and overfitting problems can be solved.

The detection system according to an embodiment remembers a representative pattern learned through continuous learning and learns only a new incoming pattern, learns only the added data without learning the whole each time, and analyzes the past and present data You can complete a sophisticated model that you can do.

The features and effects of the present invention described above will become more apparent through the following detailed description in relation to the accompanying drawings, and accordingly, those of ordinary skill in the art to which the present invention pertains can easily implement the technical idea of the present invention. will be able

Since the present invention can have various changes and can have various embodiments, specific embodiments are illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to a specific embodiment, it should be understood to include all modifications, equivalents and substitutes included in the spirit and scope of the present invention.

According to the software implementation, not only the procedures and functions described in this specification but also the design and parameter optimization for each component may be implemented as a separate software module. The software code may be implemented as a software application written in a suitable programming language. The software code may be stored in a memory and executed by a controller or a processor.

Claims (13)

A method for detecting a real-time attack in cyberspace performed by a detection system, the method comprising:
labeling unclassified data continuously flowing in from cyberspace;
evaluating an attribute score of training data obtained through the labeled unclassified data and classified data; and
and evaluating the performance of the learned learning model using attribute information derived based on attribute scores of the evaluated training data. According to claim 1,
The step of labeling unclassified data continuously flowing in from the cyberspace comprises:
and performing pre-processing on the labeled unclassified data and classified data. 3. The method of claim 2,
The step of labeling unclassified data continuously flowing in from the cyberspace comprises:
Perform unsupervised pre training to generate parameters only with the unclassified data,
A real-time attack detection method in cyberspace, characterized in that a classifier is generated using the classification data and a learning parameter is tuned by performing supervised fine-tuning to perform backpropagation . 4. The method of claim 3,
The step of labeling unclassified data continuously flowing in from the cyberspace comprises:
Based on a DCAE (Dilated Convolution Auto Encoder) algorithm that combines self-taught learning and representation learning, the original data is transformed using the learning parameters generated from unclassified data, and the transformed original A real-time attack detection method in cyberspace, comprising the step of relearning data. 3. The method of claim 2,
The step of labeling unclassified data continuously flowing in from the cyberspace comprises:
Real-time in cyberspace comprising applying a normalization process to the classified data, extracting features from the unclassified data, and applying a normalization process to unclassified data generated by labeling the extracted features. How to detect attacks. According to claim 1,
Evaluating the attribute score of the training data obtained through the labeled unclassified data and classified data,
Evaluating a weight for each attribute for evaluating the attribute score of the acquired training data, and arranging the attribute score of the acquired training data in descending order based on the evaluated weight for each attribute. How to detect an attack. According to claim 1,
Evaluating the performance of the learned learning model by using the attribute information derived based on the attribute score of the evaluated training data,
Learning a learning model using attribute information derived based on attribute scores of the evaluated training data, and searching for attribute combinations through performance evaluation of the learned learning model,
In the step of searching for the attribute combination, the attribute combination is searched for by removing unnecessary attributes from the original data through performance evaluation of the learned learning model. A detection system comprising:
an automatic labeling module that labels unclassified data continuously flowing in from cyberspace;
a feature weight calculation module for evaluating attribute scores of training data obtained through the labeled unclassified data and classified data; and
and an evaluation model module for evaluating the performance of the learned learning model by using attribute information derived based on the attribute score of the evaluated training data. 9. The method of claim 8,
The automatic labeling module,
and performing pre-processing on the labeled unclassified data and classified data. 10. The method of claim 9,
The automatic labeling module,
Based on the Dilated Convolution Auto Encoder (DCAE) algorithm that combines self-taught learning and representation learning, the original data is transformed using learning parameters generated from unclassified data, and the transformed original A detection system, characterized in that re-learning on the data is performed. 10. The method of claim 9,
The automatic labeling module,
A detection system, characterized in that applying a normalization process to the classified data, extracting features from the unclassified data, and applying a normalization process to unclassified data generated by labeling the extracted features. 9. The method of claim 8,
The feature weight calculation module includes:
Evaluating a weight for each attribute for evaluating the attribute score of the acquired training data, and arranging the attribute score of the acquired training data in descending order based on the evaluated weight for each attribute. 9. The method of claim 8,
The evaluation model module,
Learning a learning model using attribute information derived based on attribute scores of the evaluated training data, and searching for attribute combinations through performance evaluation of the learned learning model,
The search for the attribute combination is performed by removing unnecessary attributes from the original data through performance evaluation of the learned learning model.

Images