KR20240072682A - Method for detecting cpu anomaly tand apparatus for same - Google Patents

Abstract

According to an embodiment of the present invention, a method for detecting an abnormality of a CPU by a device including a processor and a memory comprises the steps of: (a) training an artificial intelligence classification model; (b) setting a CPU monitoring condition including a CPU execution port number setting of a CPU to be monitored; (c) monitoring a port output value of the CPU execution port having a number set as the CPU monitoring condition; (d) making a dataset of the port output value of the CPU execution port according to the monitored result; (e) preprocessing the dataset; and (f) inputting the preprocessed dataset into the artificial intelligence classification model to output an abnormality detection result. The port output value of the CPU execution port is a performance monitoring counter (PMC) value of the CPU execution port.

Description

Method for detecting abnormalities in CPU and device therefor {METHOD FOR DETECTING CPU ANOMALY TAND APPARATUS FOR SAME}

The present invention relates to a method for detecting CPU abnormalities and a device therefor. In more detail, it relates to a method and device for detecting CPU abnormalities through monitoring the port output value of the CPU Execution Port.

CPU is an abbreviation for Central Processing Unit. It controls processing such as interpretation of instructions, calculation of data, and comparison. It is a core component of the computer system that is essential for all electronic devices, and its importance cannot be emphasized enough. Since an abnormality in the CPU can have a fatal impact on the operation of the entire electronic device, active research and development is being conducted on monitoring technology to detect abnormalities in the CPU.

Meanwhile, conventionally developed monitoring technology to detect abnormalities in CPUs had no choice but to limit monitoring to abnormal behavior for specific types of attacks, and accordingly, an abnormality detection program must be provided for each type of attack, so the system It had no choice but to become heavier overall, and there was a problem that it was too difficult to realistically provide an abnormality detection program for each type of attack.

In addition, user convenience was not sufficiently considered, and the CPU CORE to be monitored among multiple CPU COREs could not be individually set, so it was not possible to specifically confirm which CPU CORE the abnormal behavior occurred, and only at the level of the entire CPU. There was even a problem that there was no choice but to check whether abnormal behavior had occurred.

Nevertheless, as CPU performance improves through technology development, the number of CPU COREs is gradually increasing, and the types of attacks are also becoming more diverse day by day, so new and advanced technologies that can solve the problems of the conventional technology at once are required. The present invention relates to this.

Republic of Korea Patent Publication No. 10-2012-0105049 (2012.09.24)

The technical problem to be solved by the present invention is to provide a method and device for detecting CPU abnormalities that can quickly detect whether CPU abnormalities occur against all types of attacks, regardless of the type of attack.

Another technical problem that the present invention aims to solve is to enable monitoring by individually setting the CPU CORE to be monitored, thereby improving user convenience by accurately identifying the CPU CORE in which abnormal behavior occurred among a plurality of CPU COREs. A method for detecting CPU abnormalities and a device for this purpose are provided.

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

A method of detecting an abnormality in a CPU by a device including a processor and memory according to an embodiment of the present invention to achieve the above technical problem includes (a) learning an artificial intelligence classification model, (b) the steps of: Setting CPU monitoring conditions including setting the CPU Execution Port number, (c) monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition, (d) CPU Execution according to the monitoring results Converting port output values of Port into a data set (e) preprocessing the data set; and (f) inputting the preprocessed dataset into the artificial intelligence classification model to output an abnormality detection result, wherein the port output value of the CPU Execution Port is the PMC (Performance Monitoring Counter) value of the CPU Execution Port. am.

According to one embodiment, step (a) includes (a-1) setting CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored, (a-2) step (a-1) A step of monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition in (a-3), and the port output value of the CPU Execution Port according to the monitoring results in step (a-2) above is set as a DataSet. (a-4) preprocessing the data set in step (a-3), and (a-5) separating the data set preprocessed in step (a-4) into a predetermined ratio. , inputting the separated part into the artificial intelligence classification model to learn anomaly detection results, and (a-6) of the dataset preprocessed in step (a-4), the remaining separated part is input into the artificial intelligence classification model. It may include a step of testing the anomaly detection result by inputting it into .

According to one embodiment, the predetermined ratio in step (a-5) may be either 7:3 or 8:2 for the part:the remaining part.

According to one embodiment, the CPU monitoring condition may further include any one or more of setting the CPU CORE to be monitored, setting the number of CPU COREs to be monitored, setting the monitoring speed, and setting the monitoring time.

According to one embodiment, the CPU Execution Port number may be set individually for each CPU CORE to be monitored.

According to one embodiment, the data setting in step (d) may be saving the port output value of the CPU Execution Port according to the monitoring result as a CSV (Comma Separated Value) file.

According to one embodiment, step (e) includes (e-1) extracting a predetermined number of CPU Execution Port numbers with high importance from the data set, and (e-2) extracting the numbers. A step of normalizing the port output values of a predetermined number of CPU Execution Ports of high importance may be included to converge within a predetermined range.

According to one embodiment, the predetermined number in step (e-1) may be any one of 10 to 20, and the predetermined number in step (e-2) may be -2 to 2.

According to one embodiment, the artificial intelligence classification model includes a Long Short Term Memory (LSTM) network structure, which is a short-term memory, and the LSTM network structure is,

It may be a Bi-LSTM network structure capable of bidirectional learning.

An apparatus for detecting an abnormality in a CPU according to another embodiment of the present invention for achieving the above technical problem includes one or more processors, a network interface, a memory for loading a computer program executed by the processor, and a large amount of network data. And storage for storing the computer program, wherein the computer program includes (A) an operation for learning an artificial intelligence classification model, (B) setting the CPU Execution Port number of the CPU to be monitored by the one or more processors. An operation to set CPU monitoring conditions, (C) an operation to monitor the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition, (D) a data set (D) port output value of the CPU Execution Port according to the above monitoring results DataSet), (E) an operation to pre-process the data set, and (F) an operation to input the pre-processed data set into the artificial intelligence classification model and output an abnormality detection result, and the CPU The port output value of the Execution Port is the PMC (Performance Monitoring Counter) value of the CPU Execution Port.

A computer program stored in a medium according to another embodiment of the present invention for achieving the above technical problem is combined with a computing device, (AA) learning an artificial intelligence classification model, (BB) CPU Execution Port of the CPU to be monitored Setting CPU monitoring conditions including number setting, (CC) Monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition, (DD) Port of the CPU Execution Port according to the monitoring results A step of converting the output value into a DataSet, (EE) preprocessing the dataset, and (FF) inputting the preprocessed dataset into the artificial intelligence classification model to output an anomaly detection result. During execution, the port output value of the CPU Execution Port is the PMC (Performance Monitoring Counter) value of the CPU Execution Port.

According to the present invention as described above, the port output value of the CPU Execution Port, which is independent of the type of attack, is monitored to detect whether abnormal behavior has occurred, and it is possible to quickly detect whether the CPU abnormality has occurred for all types of attacks. It works.

In addition, the user can freely set the CPU CORE to be monitored and even the CPU Execution Port for the CPU CORE to proceed with the monitoring, which has the effect of accurately detecting the source of abnormal behavior.

In addition, not only the CPU CORE to be monitored and the corresponding CPU Execution Port settings, but also the abnormality detection results can be selected and output in the desired way, which has the effect of dramatically improving user convenience.

In addition, the more repeatedly anomaly detection is performed, the more the learning accuracy of the artificial intelligence classification model improves, which has the effect of providing more accurate anomaly detection results.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

Figure 1 is a diagram illustrating the overall configuration included in an apparatus for detecting abnormalities in a CPU according to a first embodiment of the present invention.
Figure 2 is a flowchart showing representative steps of a method for detecting abnormalities in a CPU according to a second embodiment of the present invention.
Figure 3 is a flow chart specifying step S210 of learning an artificial intelligence classification model in the method for detecting an abnormality in the CPU according to the second embodiment of the present invention.
Figure 4 is a diagram illustrating the internal structure of a CPU by way of example.
Figure 5 is an example of the port output value of the monitored CPU Execution Port.
Figure 6 is an example of a dataset saved as a CSV file.
Figure 7 is a flowchart specifying step S210-4 of preprocessing the dataset in the method for detecting an abnormality in the CPU according to the second embodiment of the present invention.
Figure 8 is a diagram showing the LSTM network structure.
Figure 9 is a diagram illustrating the configuration of an artificial intelligence classification model including an LSTM network structure in the method for detecting a CPU abnormality according to the second embodiment of the present invention.
Figure 10 is a table of exemplary detailed specifications of an artificial intelligence classification model.
Figure 11 is an example of an abnormality detection result when CPU CORE 0 is in a normal state output through a two-dimensional visual means through an artificial intelligence classification model with the specifications attached to Figure 10.
Figure 12 is an example of an abnormality detection result when CPU CORE 0 is in an abnormal state output through a two-dimensional visual means through an artificial intelligence classification model with the specifications attached to Figure 10.
Figure 13 is an example of an abnormality detection result when CPU CORE 0 is in an abnormal state output through a three-dimensional visual means through an artificial intelligence classification model with the specifications attached to Figure 10.
Figure 14 shows the results of accuracy simulation (confusion matrix) of the abnormality detection results in the method for detecting abnormalities in the CPU according to the second embodiment of the present invention.

Details regarding the purpose and technical configuration of the present invention and its operational effects will be more clearly understood by the following detailed description based on the drawings attached to the specification of the present invention. Embodiments according to the present invention will be described in detail with reference to the attached drawings.

The embodiments disclosed in this specification should not be construed or used as limiting the scope of the present invention. It is obvious to those skilled in the art that the description, including embodiments, of this specification has various applications. Accordingly, any embodiments described in the detailed description of the present invention are illustrative to better explain the present invention and are not intended to limit the scope of the present invention to the embodiments.

The functional blocks shown in the drawings and described below are only examples of possible implementations. Other functional blocks may be used in other implementations without departing from the spirit and scope of the detailed description. Additionally, although one or more functional blocks of the present invention are shown as individual blocks, one or more of the functional blocks of the present invention may be a combination of various hardware and software components that perform the same function.

In addition, the expression including certain components is an “open” expression and simply refers to the presence of the corresponding components, and should not be understood as excluding additional components.

Furthermore, when a component is referred to as being “connected” or “connected” to another component, it should be understood that although it may be directly connected or connected to the other component, other components may exist in between. do.

Hereinafter, detailed embodiments of the present invention will be looked at with reference to the drawings.

Figure 1 is a diagram illustrating the overall configuration included in the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention.

However, this is only a preferred embodiment for achieving the purpose of the present invention, and some components may be added or deleted as needed, and of course, the role played by one component may be performed by another component.

The device 100 for detecting a CPU abnormality according to the first embodiment of the present invention includes a processor 10, a network interface 20, a memory 30, a storage 40, and a data bus 50 connecting them. Of course, it may be included, and other additional components required to achieve the purpose of the present invention may be further included.

The processor 10 controls the overall operation of each component. The processor 10 may be one of a central processing unit (CPU), a micro processor unit (MPU), a micro controller unit (MCU), or a type of processor widely known in the technical field to which the present invention pertains. In addition, the processor 10 may perform operations on at least one application or program to perform the method for detecting an abnormality in the CPU according to the second embodiment of the present invention.

The network interface 20 supports wired and wireless Internet communication of the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention, and may also support other known communication methods. Accordingly, the network interface 20 may be configured to include a corresponding communication module.

The memory 30 stores various information, commands and/or information, and executes one or more computer programs 41 from the storage 40 to perform the method for detecting abnormalities in the CPU according to the second embodiment of the present invention. It can be loaded. In FIG. 1, RAM is shown as one of the memories 30, but of course, various storage media can also be used as the memory 30.

Storage 40 may non-temporarily store one or more computer programs 41 and large-capacity network information 42. This storage 40 includes non-volatile memory such as Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, hard disk (HDD), secondary storage match (SSD), and removable memory. It may be a disk or any type of computer-readable recording medium widely known in the technical field to which the present invention pertains.

The computer program 41 is loaded into the memory 30 and, by one or more processors 10, includes (A) an operation for learning an artificial intelligence classification model, and (B) setting the CPU Execution Port number of the CPU to be monitored. An operation to set CPU monitoring conditions, (C) an operation to monitor the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition, (D) a data set (D) port output value of the CPU Execution Port according to the above monitoring results An operation to convert the data set into a data set, (E) an operation to pre-process the data set, and (F) an operation to input the pre-processed data set into the artificial intelligence classification model and output an abnormality detection result can be executed.

The operation performed by the computer program 41 simply mentioned above can be viewed as a function of the computer program 41, and a more detailed description is provided regarding the method for detecting an abnormality in the CPU according to the second embodiment of the present invention. This will be explained later in the explanation.

The data bus 50 serves as a path for moving instructions and/or information between the processor 10, network interface 20, memory 30, and storage 40 described above.

The device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention described above may be in the form of an independent device, for example, an electronic device or a server (including a cloud), and in the former case, a user terminal ( (not shown) is directly connected to the user terminal (not shown) through a wired/wireless network to detect abnormalities in the CPU installed in the user terminal (not shown), and in the latter case, it is installed and driven in the form of a dedicated application on the user terminal (not shown), etc. Abnormalities may be detected.

Meanwhile, here, electronic devices include not only devices such as desktop PCs and server devices that are fixedly installed and used in one place, but also portable devices that are easy to carry, such as smartphones, tablet PCs, laptop PCs, PDAs, and PMPs. , any electronic device can be used as long as the CPU is installed and has network functions.

Hereinafter, on the premise that the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention is in the form of a server among electronic devices that are independent devices, the present invention is applied through a dedicated application installed on a user terminal (not shown). A method for detecting abnormalities in the CPU according to the second embodiment will be described with reference to FIGS. 2 to 14.

Figure 2 is a flowchart showing representative steps of a method for detecting abnormalities in a CPU according to a second embodiment of the present invention.

However, this is only a preferred embodiment in achieving the purpose of the present invention, and some steps may be added or deleted as needed, and one step may be performed by being included in another step.

Meanwhile, it is assumed that each step is performed through the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention, and the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention ) is assumed to be in the form of a server, so the dedicated application installed on the user terminal (not shown) will be viewed in the same sense as the device 100 for detecting an abnormality in the CPU according to the first embodiment of the present invention, and for convenience of explanation For this purpose, all of these will be named “device 100”.

First, the device 100 learns an artificial intelligence classification model (S210).

Model learning is an essential prerequisite for all technologies that use artificial intelligence models, and the method for detecting CPU abnormalities according to the second embodiment of the present invention is not much different from this. Hereinafter, it will be described in detail with reference to FIG. 3.

Figure 3 is a flow chart specifying step S210 of learning an artificial intelligence classification model in the method for detecting an abnormality in the CPU according to the second embodiment of the present invention.

However, this is only a preferred embodiment in achieving the purpose of the present invention, and some steps may be added or deleted as needed, and one step may be performed by being included in another step.

First, the device 100 sets CPU monitoring conditions including setting the CPU Execution Port number of the CPU (S210-1).

Here, the CPU Execution Port can be confirmed by referring to Figure 4, which shows the internal structure of the CPU. The internal structure and operation of the CPU will be explained first.

A typical CPU consists of a front end, execution engine, and memory subsystem, and the execution engine is usually called the back end.

Here, the front end is responsible for fetching instructions from memory and decoding them into a series of micro-operations (μops), and the execution engine's Reorder Buffer stores μops in order until they are discarded, register allocation and It is responsible for changing register names.

If the reorder buffer has stored μops, the μops are passed to the Scheduler, which queues the μops until all source operands are ready. Once the μop's operands are ready, the μops are passed through the execute port, where the execution port is It is a CPU Execution Port, and the number of CPU Execution Ports can be determined depending on the number of CPU Execution Ports.

The Intel Core microarchitecture, which is widely known among CPUs, may include any of 6, 8, and 10 CPU Execution Ports, but this may not necessarily be the case, and due to out-of-order execution, μops are necessarily dependent on the program order. Rather than being dispatched randomly, each CPU Execution Port can be connected to a different set of functional devices and can accommodate at most one μop in every cycle.

In the method for detecting CPU abnormalities according to the second embodiment of the present invention, the port output value of the CPU Execution Port, which is an execution port that transmits μop from the scheduler on the execution engine of the CPU, is used as a monitoring target for detecting CPU abnormalities. Now, this will be explained in more detail later.

The CPU monitoring conditions set in step S210-1 include setting the CPU Execution Port number, where the CPU Execution Port number setting refers to the number of the CPU Execution Port to be monitored. For example, referring to FIG. 4, Port 0 to Port This is to set which port number out of 5 to monitor, and since it is common to have multiple CPU Execution Ports on one CPU, it goes without saying that you can also set multiple CPU Execution Port numbers to monitor.

Meanwhile, CPU monitoring conditions may include not only setting the CPU Execution Port number to be monitored, but also setting the CPU CORE to be monitored, setting the number of CPU COREs to be monitored, setting the monitoring speed, and setting the monitoring time, which can be set by the user. This is to improve convenience.

Regardless of the CPU Execution Port number corresponding to the number of CPU Execution Ports, as CPU performance improves day by day, it is common for one CPU to contain multiple COREs. By allowing users to individually set or even set the number of CPU COREs they want to monitor, unlike the prior art, it is possible to go one step further than checking whether abnormal behavior occurred only at the level of the entire CPU, and to specifically check which CPU CORE it occurred in. By doing so, it is possible to take appropriate follow-up measures only for the relevant CPU CORE, thereby promoting stable operation at the level of the entire system.

Let me explain with an example. The CPU contains 12 CPU COREs, which are named CORE 0, CORE 1, CORE 2, CORE 3, CORE 4, CORE 5, CORE 6, CORE 7, CORE 8, CORE 9, CORE 10, and CORE 11, respectively. If so, you can set only CORE 0, CORE 5, and CORE 10 as CPU COREs to be monitored by setting the CPU CORE to be monitored. If you want to monitor only 6 COREs by setting the number of CPU COREs to be monitored, CORE 0, CORE 1, CORE 2, CORE 3, CORE 4, and CORE 5 can be set as the CPU CORE to be monitored.

On the other hand, since setting the number of CPU COREs to be monitored is a setting for the number of COREs, not the number of COREs, the CPU COREs to be monitored may be different depending on the conditions for COREs corresponding to the number. For example, the number of CPU COREs to be monitored may be different. If the conditions of the CORE corresponding to the You can set it to CPU CORE. In addition, in addition to descending and ascending order, the condition for CORE corresponding to the number may be the memory usage ratio for each CORE, so the user can freely set the condition for CORE corresponding to the number.

Continuing the explanation of CPU CORE in relation to CPU monitoring conditions, the preceding CPU Execution Port number setting may be possible individually for each CPU CORE to be monitored, so each of the preceding 12 CPU COREs may be individually configured. If the CPU CORE includes 8 CPU Execution Ports, one CPU can be viewed as including 96 CPU Execution Ports (12 * 8 in total), and the method for detecting CPU abnormalities according to the second embodiment of the present invention is User convenience can be further improved by individually setting the Execution Port number for each CPU CORE to be monitored.

For example, out of the 12 CPU COREs: CORE 0, CORE 1, CORE 2, CORE 3, CORE 4, CORE 5, CORE 6, CORE 7, CORE 8, CORE 9, CORE 10, CORE 11, CORE 2, Not only can only CORE 6 and CORE 11 be set as the CPU CORE to be monitored, but for CORE 2, all of CPU Execution Port 0 to CPU Execution Port 7, and for CORE 6, CPU Execution Port 1, CPU Execution Port 4, and CORE. For 11, CPU Execution Port 2, CPU Execution Port 3, and CPU Execution Port 7 can be individually set as monitoring targets.

Meanwhile, individual settings for each CPU CORE are not only possible for the CPU Execution Port number, but also for the number of CPU Execution Ports, similar to the setting of the number of CPU COREs described above, and the conditions of the CORE corresponding to the number are also for the CPU Execution Port. Since they can be applied equally, detailed explanations will be omitted to prevent redundant description.

As such, the method of detecting a CPU abnormality according to the second embodiment of the present invention monitors only the desired CPU CORE and only the CPU Execution Port for the desired CPU CORE by providing the user with various choices in relation to setting CPU monitoring conditions. This can improve user convenience, but except in special situations, such as when it is clearly known in advance that abnormal behavior occurs in a specific CPU CORE or a specific CPU Execution Port, it is necessary to trace the source of abnormal behavior. In this case, setting all CPU COREs and all CPU Execution Ports for them as CPU monitoring conditions is a shortcut to achieving the purpose as well as meeting the purpose of the present invention.

Independent of the above conditions, the user can also set the monitoring speed and monitoring time. Here, the monitoring speed setting refers to the speed at which the port output value of the CPU Execution Port, which will be described later, is converted into data by recording or detecting the port output value at a certain interval. Monitoring time refers to the entire time for monitoring port output values, and the set monitoring speed and monitoring time can be viewed as a monitoring timeline setting.

Afterwards, the device 100 monitors the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition in step S210-1 (S210-2).

Here, the port output value of the CPU Execution Port, the explanation of which was withheld earlier, may be the PMC (Performance Monitoring Counter) value of the CPU Execution Port, and an example of the monitored port output value of the CPU Execution Port is attached to Figure 5.

If the port output value of the CPU Execution Port has been monitored, the device 100 converts the port output value of the CPU Execution Port according to the monitoring result in step S210-2 into a DataSet (S210-3).

Here, data setting means saving the port output value of the CPU Execution Port according to the monitoring results as a CSV (Comma Separated Value) file. Before explaining saving as a CSV file, the monitoring results will be explained first.

Figure 5 is an example of the port output value of the monitored CPU Execution Port. Prior to explanation, the example is an example of the port output value after only one timeline for the monitoring speed and monitoring time corresponding to the timeline setting among the CPU monitoring conditions set. Please specify that it is.

Referring to Figure 5, it can be seen that a plurality of numbers are written horizontally and vertically. Each number represents the port output value of the CPU Execution Port, and more specifically, the PMC value of the CPU Execution Port.

Additionally, each row corresponds to a CPU CORE number, and each column corresponds to the CPU's Execution Port number. For example, the first row represents the PMC value for CPU CORE 0, 104 is the PMC value for CPU Execution Port 0 for CPU CORE 0, and 93 is the PMC value for CPU Execution Port 1 for CPU CORE 0. , 6 is the PMC value of CPU Execution Port 2 for CPU CORE 0, 15 is the PMC value of CPU Execution Port 3 for CPU CORE 0, 13 is the PMC value of CPU Execution Port 4 for CPU CORE 0, 108 represents the PMC value of CPU Execution Port 5 for CPU CORE 0, 171 represents the PMC value of CPU Execution Port 6 for CPU CORE 0, and 4 represents the PMC value of CPU Execution Port 7 for CPU CORE 0. Through this analysis, it can be seen that the second row is the PMC value for CPU CORE 1 and the last row is the PMC value for CPU CORE 11. Accordingly, the CPU monitoring conditions set for the CPU to be monitored are 12 CPU CORE. It can also be inferred that there are 8 CPU Execution Ports for each CPU CORE.

Since these monitoring results are only based on the CPU monitoring conditions set in step S210-1, it cannot be concluded from the monitoring results alone that the CPU consists of only 12 CPU COREs and 8 CPU Execution Ports for each CPU CORE. It should be noted that there is no such thing, and this can only apply when monitoring conditions are set for all CPU COREs that make up the CPU and all CPU Execution Ports for the CPU CORE.

Figure 6 is an example of a data set saved as a CSV file, and it can be seen that the port output value (Value) of the CPU Execution Port monitored in each timeline is listed for each CPU CORE and the port number of the CPU Execution Port for it. In the end, this can be viewed as a dataset built by the number of CPU COREs (X) set by the user as CPU monitoring conditions and the monitoring time (y) set by the user.

Let us return to the description of FIG. 3 again.

If the port output value of the CPU Execution Port is data set, the device 100 preprocesses the data set data set in step S210-3 (S210-4).

Here, preprocessing can be seen as a preprocessing process performed before inputting data into the artificial intelligence classification model. It is intended to make the artificial intelligence classification model lightweight by extracting only data with high importance from a large amount of data, and through normalization. The intention is to build an artificial intelligence classification model with high accuracy.

Accordingly, step S210-4 is a step (S210-4-1) of extracting a predetermined number of CPU Execution Port numbers of high importance within the data set made by the device 100 as shown in FIG. A step (S210-4-2) of normalizing the extracted port output values of a predetermined number of CPU Execution Ports with high importance to converge within a predetermined range may be included.

Here, the predetermined number in step S210-4-1 may be any one of 10 to 20, and the predetermined number in step S210-4-2 may be -2 to 2, but are not necessarily limited thereto. It goes without saying that the predetermined number to be extracted and the predetermined range to be normalized can be freely set according to the settings of the administrator of the device 100.

Furthermore, the predetermined number and range here may be freely set by the user of the device 100, but since it is related to learning of an artificial intelligence classification model, it may be directly related to the performance of the device 100 itself, so it is recommended that the user set the predetermined number and range freely. It would be desirable to allow only settings.

Meanwhile, when the device 100 implements step S210-4-1, it will be able to utilize scikit-learn's Random forest Classifer API, which is one of the Python Packages. Likewise, when implementing step S210-4-2, the device 100 can utilize the Random forest Classifer API of scikit-learn, which is one of the Python Packages. You can use scikit-learn's RobustScaler API, but it is not necessarily limited to this.

If the data set has been pre-processed, the device 100 separates the pre-processed data set into a predetermined ratio, inputs the separated part into an artificial intelligence classification model to learn anomaly detection results (S210-5), and separates the remaining part. is input into the artificial intelligence classification model to test the abnormality detection results (S210-6).

Here, the predetermined ratio may be either 7:3 or 8:2 for part:remaining part, and is not necessarily limited thereto, and may be freely set by the administrator of the device 100, but at least the data input for testing One way to increase the learning efficiency of an artificial intelligence classification model is to have a smaller ratio than the data set input for learning.

Meanwhile, the artificial intelligence classification model that inputs the data set includes a Long Short Term Memory (LSTM) network structure, where the LSTM network structure may be a Bi-LSTM network structure capable of bidirectional learning, Figure 8 The LSTM network structure is shown as an example.

When explaining the LSTM network structure with reference to FIG. 8, the preprocessed dataset is input to x ^t , and σ and h mean the hidden layer where the sigmoid and hyperbolic tangent of the LSTM network are hidden as activation functions. In addition, c ^t is data for long-term memory of the previous state, and o ^t is the result of the operation. In this way, the LSTM network is easy to analyze time series data because it simultaneously accepts current input and previous output. The port output value of the monitored CPU execution port, and more specifically, the data set that data sets it, is time series data sorted according to the timeline. Therefore, it can be seen as the most optimized network structure for the method of detecting CPU abnormalities according to the second embodiment of the present invention.

Figure 9 is a diagram illustrating the configuration of an artificial intelligence classification model including an LSTM network structure in the method for detecting a CPU abnormality according to the second embodiment of the present invention. To explain this, learning is performed using the Bi-LSTM network structure that can learn the input data set in both directions (forward - forward, backward - backward), and the results are output using the ReLU Activation Function. Additionally, the Dropout Layer is utilized to solve the overfitting problem for the output result values, and the Weight for specific output is increased by adding the Attention Layer to increase the performance (accuracy) of the model. Finally, in order to classify the data set based on time series data, the Activation Function of Dense is set to Softmax to perform classification for a specific current state, and Bi-LSTM, Dropout Layer, Attention Layer, and Dense are used to minimize outliers. After the result of the layer, it passes through the BatchNormalization Layer, through which overall normalization can proceed.

In the method of detecting an abnormality in the CPU according to the second embodiment of the present invention, the artificial intelligence classification model can go further than this configuration and utilize the EarlyStop Method to dynamically change the learning rate during the learning process, If the accuracy does not increase when the intelligence classification model is trained using the learning dataset (i.e., after one epoch has passed), the learning rate is dynamically changed according to the set Learning Decay to model the overall artificial intelligence classification model. can help improve learning performance.

Learning of the artificial intelligence classification model can proceed through steps S210-1 to S210-6 described above, and the more this is repeated, the more complete the learning can be improved. Let us return to the description of FIG. 2 again.

If the artificial intelligence classification model has been learned, the device 100 sets CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored (S220), and outputs the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition. Monitor (S230), and convert the port output value of the CPU Execution Port according to the monitoring results into a data set (S240). Afterwards, the data set is pre-processed (S250), and finally, the pre-processed data set is input into an artificial intelligence classification model and anomaly detection results are output (S260).

Among the above steps, steps S220 to S250 are the same as the descriptions of steps S210-1 to S210-4 previously related to learning of the artificial intelligence classification model, so detailed descriptions are omitted to prevent redundant description, and S210 In the description of the steps, steps S210-5 and S210-6 were performed after preprocessing the dataset, separating the dataset into a predetermined ratio, learning part and testing part, but in the case of Figure 2, learning of the artificial intelligence classification model Since it is not about , but rather about the performance of a method for detecting actual CPU abnormalities, there is a difference in that all preprocessed datasets are input into an artificial intelligence classification model and the abnormality detection results are output.

Meanwhile, in relation to the S260 stage, the abnormality detection results can be output by distinguishing whether they are in a normal or abnormal state for each CPU CORE, and whether they are in a normal or abnormal state for each CPU Execution Port for the CPU CORE, similar to the previously set CPU monitoring conditions. And, if any one of the plurality of CPU Execution Ports exists in an abnormal state, the CPU CORE for it may be output in an abnormal state.

Meanwhile, the output for normal and abnormal states is numerical. For example, the closer the value to 1 is, the closer it is to the normal state. The closer the value to 0 is, the closer it is to the abnormal state. It is a visual display that can be identified at a glance. It can also be output through any means.

Figure 10 is a table of exemplary detailed specifications of the artificial intelligence classification model, and Figure 11 is a two-dimensional table showing the abnormality detection results when CPU CORE 0 is in a normal state through the artificial intelligence classification model with the specifications attached to Figure 10. This is an example of output through visual means, and Figure 12 is an example of the abnormality detection result in an abnormal state output through two-dimensional visual means.

Referring to Figure 11, it can be seen that for CPU CORE 0, the port output values of both CPU Execution Ports 0 to 8 are output consistently without significant change. In the case of values outside of some ranges, they are not maintained continuously and are therefore considered noise. You can see that it does. However, referring to FIG. 12, since the port output value continues to change rapidly starting from timeline 4000, it will be easy to identify that an abnormal state has occurred.

Meanwhile, the method for detecting an abnormality in the CPU according to the second embodiment of the present invention can output the abnormality detection result not only through a two-dimensional visual means, but also through a three-dimensional visual means as exemplarily shown in FIG. 13, Users can freely select the anomaly detection result output method they want, which can improve user convenience.

Figure 14 is a simulation result of the accuracy of the abnormality detection result (Confusion Matrix) in the method for detecting an abnormality in the CPU according to the second embodiment of the present invention, that is, a simulation result of the performance, when in the actual normal state (init), In 83.22% of cases, the abnormality detection result was output in a normal state, when it was actually in an abnormal state (attack), in 99.41% of cases, the abnormality detection result was output in an abnormal state, in a normal state while watching YouTube (youtube), The abnormality detection results were output in a normal state of watching YouTube in 82.84% of cases, and it can be seen that the abnormality detection results were very accurate, close to 100%.

So far, the method for detecting CPU abnormalities according to the second embodiment of the present invention has been described. According to the present invention, the occurrence of abnormal behavior is detected by monitoring the port output value of the CPU Execution Port regardless of the type of attack, and it is possible to quickly detect whether the CPU abnormality occurs for all types of attacks. In addition, the user can freely set the CPU CORE to be monitored and even the CPU Execution Port for the CPU CORE, allowing the user to accurately detect the source of abnormal behavior. Furthermore, user convenience can be dramatically improved because not only the settings of the CPU CORE and CPU Execution Port to be monitored, but also the abnormality detection results can be selected and output in the desired manner. In addition, the more repeatedly anomaly detection is performed using the device 100, the more the learning accuracy of the artificial intelligence classification model improves, thereby providing more accurate anomaly detection results.

Meanwhile, the device 100 for detecting a CPU abnormality according to the first embodiment of the present invention and the method for detecting a CPU abnormality according to the second embodiment of the present invention are used with a computer according to the third embodiment of the present invention. It can also be implemented as a computer program stored in a readable medium, in which case CPU monitoring conditions including (AA) learning an artificial intelligence classification model in combination with a computing device and (BB) setting the CPU Execution Port number of the CPU to be monitored. A step of setting, (CC) a step of monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition, (DD) forming a data set of the port output value of the CPU Execution Port according to the monitoring results. The steps of (EE) preprocessing the data set and (FF) inputting the preprocessed data set into the artificial intelligence classification model and outputting anomaly detection results may be performed, and duplicate descriptions may be performed. Although not described in detail, all technical features applied to the device 100 for detecting a CPU abnormality according to the first embodiment of the present invention and the method for detecting a CPU abnormality according to the second embodiment of the present invention are included in the present invention. Of course, it can be equally applied to all computer programs stored in a computer-readable medium according to the fourth embodiment.

Although embodiments of the present invention have been described above with reference to the attached drawings, those skilled in the art will understand that the present invention can be implemented in other specific forms without changing its technical idea or essential features. You will be able to understand it. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive.

10: processor
20: network interface
30: memory
40: storage
41: computer program
50: Information Bus
100: Device that detects CPU abnormalities

Claims (11)

In a method for a device including a processor and memory to detect an abnormality in a CPU (Central Processing Unit),
(a) learning an artificial intelligence classification model;
(b) setting CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored;
(c) monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition;
(d) converting the port output value of the CPU Execution Port according to the monitoring results into a DataSet;
(e) preprocessing the data set; and
(f) inputting the preprocessed dataset into the artificial intelligence classification model and outputting an anomaly detection result;
In a method for detecting an abnormality in a CPU, including:
The port output value of the CPU Execution Port is,
The PMC (Performance Monitoring Counter) value of the CPU Execution Port,
How to detect CPU abnormalities. According to paragraph 1,
In step (a),
(a-1) setting CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored;
(a-2) monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition in step (a-1);
(a-3) converting the port output value of the CPU Execution Port according to the monitoring results in step (a-2) into a data set;
(a-4) preprocessing the dataset converted into a dataset in step (a-3); and
(a-5) separating the dataset preprocessed in step (a-4) into a predetermined ratio and inputting the separated portion into the artificial intelligence classification model to learn anomaly detection results; and
(a-6) inputting the separated remaining part of the dataset preprocessed in step (a-4) into the artificial intelligence classification model to test anomaly detection results;
Method for detecting abnormalities in CPU including. According to paragraph 2,
The predetermined ratio in step (a-5) is,
The above part: either 7:3 or 8:2 with respect to the remaining part,
How to detect CPU abnormalities. According to paragraph 1,
The CPU monitoring conditions are:
Further comprising any one or more of the CPU CORE setting to be monitored, the number setting of the CPU CORE to be monitored, the monitoring speed setting, and the monitoring time setting,
How to detect CPU abnormalities. According to clause 4,
The above CPU Execution Port number setting is,
It is possible to individually set the Execution Port number for each CPU CORE to be monitored as set above.
How to detect CPU abnormalities. According to paragraph 1,
Data setting in step (d) above,
Saving the port output value of the CPU Execution Port according to the monitoring results as a CSV (Comma Separated Value) file,
How to detect CPU abnormalities. According to paragraph 1,
In step (e),
(e-1) extracting a predetermined number of CPU Execution Port numbers with high importance from the data set; and
(e-2) normalizing the port output values of a predetermined number of CPU Execution Ports of high importance from which the numbers are extracted to converge within a predetermined range;
Method for detecting abnormalities in CPU including. In clause 7,
The predetermined number in step (e-1) is,
Any one of 10 to 20,
The predetermined range in step (e-2) is,
-2 to 2 people,
How to detect CPU abnormalities. According to paragraph 1,
The artificial intelligence classification model is,
Includes LSTM (Long Short Term Memory) network structure, which is short-term memory,
The LSTM network structure is,
Bi-LSTM network structure capable of bidirectional learning,
How to detect CPU abnormalities. One or more processors;
network interface;
a memory that loads a computer program executed by the processor; and
Including storage for storing large-capacity network data and the computer program,
The computer program is operated by the one or more processors,
(A) Operation to learn artificial intelligence classification model;
(B) An operation to set CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored;
(C) An operation to monitor the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition;
(D) An operation to convert the port output value of the CPU Execution Port according to the monitoring results into a DataSet;
(E) an operation to preprocess the data set; and
(F) an operation to input the preprocessed dataset into the artificial intelligence classification model and output an abnormality detection result;
In a device that detects an abnormality in a CPU running,
The port output value of the CPU Execution Port is,
The PMC (Performance Monitoring Counter) value of the CPU Execution Port,
A device that detects CPU abnormalities. In combination with a computing device,
(AA) learning an artificial intelligence classification model;
(BB) setting CPU monitoring conditions including setting the CPU Execution Port number of the CPU to be monitored;
(CC) monitoring the port output value of the CPU Execution Port whose number is set as the CPU monitoring condition;
(DD) converting the port output value of the CPU Execution Port according to the monitoring results into a DataSet;
(EE) preprocessing the data set; and
(FF) inputting the preprocessed dataset into the artificial intelligence classification model and outputting an anomaly detection result;
In a device that detects an abnormality in a CPU running,
The port output value of the CPU Execution Port is,
The PMC (Performance Monitoring Counter) value of the CPU Execution Port,
A computer program stored on a medium readable by a computer running a computer program.

Images