• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    A computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising: monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems; monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems; comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behaviour of the target system in the subsequent time period compared to the baseline time period, characterised in that a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.
    公开号:EP3681124A1
    申请号:EP19217369.8
    申请日:2019-12-18
    公开日:2020-07-15
    发明作者:Michael Gibson
    申请人:British Telecommunications PLC;
    IPC主号:H04L63-00
    专利说明:
    [0001] The present invention relates to the detection of anomalous behaviour of a computer system.
    [0002] Network connected computer systems, whether physical and/or virtual computer systems connected via one or more physical and/or virtual network communication mechanisms, can be susceptible to malicious attack. For example, one or more computer systems can become infected with malicious software such as botnet agents or the like, and such infected systems can instigate malicious communication with other systems such as communications intended to propagate such infections and/or communications intended to affect the operation of target computer systems (e.g. denial of service attacks, hijacking or the like).
    [0003] It is a longstanding desire to detect such malicious communication occurring in a network of computer systems in order that mitigation measures can be implemented.
    [0004] The present invention accordingly provides, in a first aspect, a computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising: monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems; monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems; comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behaviour of the target system in the subsequent time period compared to the baseline time period, characterised in that a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.
    [0005] Preferably, the deterministic walk is a walk of the graph commencing at a node corresponding to the target system and continuing along edges of the graph based on a deterministic edge selection function at each node of the graph.
    [0006] Preferably, the edge selection function includes a determination of which edge to traverse for a current node in the graph based on a weight of the edge in comparison to weights of other edges for the current node.
    [0007] Preferably, multiple edges having identical edge weights are differentiated deterministically based on a characteristic of a node to which the edge leads in the graph such that the determination of which edge to traverse is based on the deterministic differentiation.
    [0008] Preferably, the deterministic walk of the path is bounded to a maximum walk length.
    [0009] Preferably, the deterministic walk is one of a set of deterministic walks of the graph, and the walks in the set are conducted in an order determined at least partly by a degree nodes in the graph, and wherein a traversal of an edge between nodes for a walk of the graph triggers a decreasing of a weight of the traversed edge so as to progressively deemphasise traversed edges for subsequent walks of the graph.
    [0010] Preferably, where two or more nodes have identical degree, the order of walks in the set for the two or more nodes is further determined based on an deterministic ordering of a characteristic of each node.
    [0011] Preferably, the set of deterministic walks includes sufficient walks of the graph such that each node in the graph is visited at least once across all walks in the set.
    [0012] Preferably, the vector similarity function is a cosine similarity function.
    [0013] Preferably, the characteristic of communication includes one or more of: a flow of network traffic from a source computer system to a target computer system; and a volume of data communicated from a source computer system to a target computer system.
    [0014] Preferably, a direction of an edge in the graph corresponds to a net direction of flow of network traffic between a source and target computer systems in a communication.
    [0015] Preferably, a weight of an edge in a graph corresponds to a volume of data communicated.
    [0016] Preferably, the method further comprises, responsive to the identification of anomalous behaviour, implementing protective measures for one or more computer systems in the set to protect against malicious communication involving the computer system exhibiting anomalous behaviour.
    [0017] Preferably, the protective measures include one or more of: preventing network communication to and/or from a particular computer system; performing an antimalware task on one or more of the computer systems; disconnecting one or more of the computer systems; and increasing a level of monitoring of network communication with one or more computer systems.
    [0018] Preferably, the predetermined baseline time period corresponds to at least part of a time period when the set of intercommunicating computer systems are separated from influence by malicious agents.
    [0019] The present invention accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
    [0020] The present invention accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of the method set out above.
    [0021] Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:Figure 1 is a block diagram a computer system suitable for the operation of embodiments of the present invention; Figure 2 is a component diagram of an arrangement for identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems in accordance with embodiments of the present invention; Figure 3 is a flowchart of a method for identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems in accordance with embodiments of the present invention; Figures 4a, 4b and 4c depict exemplary graph data structures representing intercommunicating computer systems in accordance with embodiments of the present invention; Figures 5a and 5b depict exemplary graph data structures of representing intercommunicating computer systems in accordance with embodiments of the present invention; Figure 6 is a flowchart of a method for generating vector representations for computer systems based on deterministic walks of a graph representation of communications between computer systems in accordance with embodiments of the present invention.
    [0022] Networks of computer systems can be represented as graphs of interconnected nodes. Physical or virtual computer systems can be physically or virtually connected to other such systems by way of, for example, a physical or virtual communications network. Computer systems can be represented as nodes with communications therebetween represented as edges in a graph representation. Nodes can have associated characteristics corresponding to characteristics of represented computer systems such as unique identifiers, technical, functional or locational characteristics. Edges between nodes correspond to communications between computer systems corresponding to the nodes such as a volume, frequency, type, speed (e.g. throughput) of data, an effectiveness of communication (e.g. a degree of error in the communication), a level of security of the communication (e.g. presence, absence or a degree of encryption) or other communication characteristics. Notably, such edges relate to communication between nodes (representing computer systems), not the very existence of means for achieving such communication (e.g. network connections). Thus, a graph representation of such communicating computer systems represents communications at a point in time or over a period of time between computer systems represented in the graph.
    [0023] Embodiments of the present invention provide for a comparison between graph representations of communicating computer systems such that anomalous behaviour of a computer system can be detected. Detection of such anomalous behaviour can lead to the implementation of mitigation measures to protect computer systems from potentially malicious communications. In particular, embodiments of the present invention determine a baseline graph representation of a set of communicating computer systems including nodes corresponding to computer systems and edges corresponding to communications therebetween. The baseline graph is determined for a time when the communicating computer systems are determined to be free from malicious intervention, such as when the computer systems are operating in a protected environment such as a network not being accessible to, or susceptible to, external communications from untrusted systems. For example, a pre-production operation of the communicating computer systems. Further, embodiments of the present invention determine a graph representation of the computer system corresponding to the computer system in production operation during which the detection of anomalous system behaviour is sought. Embodiments of the present invention are directed to providing techniques for the effective comparison of graphs corresponding to each of the baseline operation and production operation of the communicating computer systems so as to detect anomalous computer system behaviour in the production operation.
    [0024] Embodiments of the present invention allow subgraphs (graphs with the same set of nodes and, potentially, edges as each other) to be compared with each other. By looking at how nodes are connected to other nodes (edges) and utilising an attribute between pairs of nodes, a measurement of how edges and attributes change from one subgraph to another can be made. Before a measurement can be made, edges and attributes of a subgraph must be converted into a format which will allow comparisons with other subgraphs. This conversion technique is called "embedding" and will be used for each subgraph to be compared. Each subgraph can be a representation of how all nodes of the subgraph are connected to each other at a particular point in time, or over a particular period of time, so that changes to a node's connections correspond to a change of behaviour of the node. This behaviour change of a node is a measurement performed when comparing two subgraphs.
    [0025] Graph comparison techniques rely on a node's "degree" within a graph. A degree is the number of edges belonging to a node. Depending on where is located within a graph its "centrality" may change as well. A determination of centrality identifies most influential nodes and can be influenced by node positions and degrees. A problem with centrality is there are multiple differing mechanisms for determining such a characteristic and it is difficult to know which type of centrality measure should be employed in dependence on a particular subgraph. Another technique is "PageRank" ("The PageRank Citation Ranking: Bringing Order to the Web" (Page et al., 1999)) which scores nodes depending on a number of references (directed edges) from other nodes. PageRank sums all scores in a graph to one, which means it is infeasible to compare multiple graphs with this technique.
    [0026] Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
    [0027] Machine learning is a form of artificial intelligence which allows a machine to learn a model of a process by applying statistical techniques on observed data. This means a machine can predict an outcome when given new, previously unseen data. An example of how machine learning has benefited people is language translation. By having a machine learn several translations from one language to another, the machine can "learn" how words are associated with each other. When a new phrase is entered, the machine can refer to previously seen examples and predict what the translation should be. Machine learning attempts to mimic how humans learn; observe experiences and recall on these when presented something new. Many machine learning techniques have been developed: from utilising basic mathematical models like linear regression to emulating how a brain works through the use of "neural networks".
    [0028] One machine learning technique which can be employed in embodiments of the present invention is known as "word embedding". Word embedding transforms words in a vocabulary into a set of vectors consisting of real numbers. The reason for this process is to allow a machine to represent a meaning of a word in relation to other words. Unlike a human, a machine does not know the meaning of a word but it can work with vector representations of words to represent the meaning of a word. One method of converting words into vectors is known as "Word2Vec" ("Efficient Estimation of Word Representations in Vector Space", Mikolov et al., 2013). Word2Vec is a collection of models for representing words in a corpus of text as a collection of vectors denoting how similar they are to each other depending on sentence context. It involves training a neural network to associate words with each other depending on where they lie within a context. The neural network itself (specifically its weight matrix) is the word embedding and it can be used to predict the context of a given word which appeared in the corpus.
    [0029] Embodiments of the present invention identify anomalous behaviour of a computer system in a set of intercommunicating computer systems such as physical or virtual computer systems communicating via one or more physical or virtual computer networks in which each computer system is uniquely identifiable (such as by way of an identifier, name, address or other suitable identification). Figure 2 is a component diagram of an arrangement for identifying anomalous behaviour of a computer system in a set 200 of intercommunicating computer systems in accordance with embodiments of the present invention. The set 200 of computer systems are arranged for intercommunication by way of, for example, one or more wired or wireless communications networks. As illustrated in Figure 2, such networks can be disparate in technology, topology and/or architecture such as a linear, hierarchical, star, wireless, cellular or any other suitable intercommunication means for computer systems. In the exemplary set 200 of computer systems of Figure 2, eleven computer systems labelled "A" through "J" are depicted, each being communicatively connected to one or more other of the computer systems in the set. Embodiments of the present invention are operable to monitor communications between the computer systems in the set 200 so as to generate graph representation of communications between the computer systems. Notably, such graph representations of communications do not necessarily correspond to the architecture, topology or arrangement of computer networks interconnecting the computer systems. Rather, such graph representations model actual communications between systems in the set 200.
    [0030] Graph representations are generated in two phases of operation of embodiments of the present invention. In a first phase, one or more baseline graphs are generated to represent communications between computer systems in the set 200 occurring to at least part of a time period when the set 200 of intercommunicating computer systems are determined to be unaffected by potentially or actually malicious agents such as malicious software, viruses, botnets or other malicious activity. For example, the set 200 of systems can be separated from influence by potentially or actually malicious agents. In such first phase of operation, the set 200 of computer systems can operate in a pre-production environment, secured environment or environment confirmed to be clean of malicious infection. Subsequently, embodiments of the present invention operate in a second phase of operation in which one or more subsequent graphs are generated to represent communications between computer systems in the set 200. In the second phase of operation the set 200 of computer systems operate in, for example, a production mode of operation in which there is a possibility of influence of malicious agents such as the introduction of malware, the activity of botnets or other malicious occurrences potentially affecting one or more of the computer systems in the set 200.
    [0031] In each phase of operation, embodiments of the present invention generate vector representations of network communication derived from the generated graphs such that a set of baseline vectors is generated derived from the baseline graph(s) with a baseline vector generated for each node in the baseline graph corresponding to a computer system in the set 200. Further, a set of subsequent vectors is generated derived from the subsequent graph(s) such that a subsequent vector is generated for each node in the subsequent graph corresponding to a computer system in the set 200. The baseline and subsequent vectors for each computer system are comparable using a vector similarity function to identify anomalous behaviour of a computer system operating in the production mode of operation vis-à-vis its operation in the pre-production (baseline) mode of operation. Such anomalies correspond to a behavioural change of one or more computer systems in the set 200 and can trigger the implementation of protective measures for one or more of the computer systems or the entire set 200.
    [0032] Protective measures can include, for example, the deployment of firewalls, new security measures, additional authentication or authorisation checks, execution or updating of antimalware services, preventing communication with one or more computer systems or the whole set 200, increasing a level of monitoring, tracing or logging and other protective measures as will be apparent to those skilled in the art.
    [0033] Thus, in the arrangement of Figure 2, a baseline graph generator as a hardware, software, firmware or combination component, generates a baseline graph data structure 204 representing communication between computer systems in the set 200 of intercommunicating computer systems. Each of at least a subset of the computer systems in the set 200 is provided as a node in the graph 204 with communications therebetween represented as weighted directed edges in the graph 200. As depicted in Figure 2, edges are directed to indicate a net flow of traffic and are weighted (indicated by thickness of an edge) to indicate a volume of traffic. A "net" flow of traffic is a predominant direction of transfer of communicated data such as payload data in network communication, recognising that network communication can be bidirectional including at least the negotiation, setup and/or configuration of a communication by way of protocol messages to achieve the delivery of a payload or portion of data as the substantive subject of the communication. For example, network communication corresponding to a request for a web-page by a web-browser being communicated to a web-server will involve communication of the request from the browser to the server with the substantive data transfer being realised as the communication of the web-page content from the server to the browser. Thus, the net flow is from the server to the browser and can be determined, in this example, based on the volume of data transferred. Other mechanisms to determine the net flow of data can be employed including mechanisms that infer the direction of net flow of data based on an analysis, inspection or other identification of the data to determine the substantive part of a communication between computer systems.
    [0034] Figure 2 further includes a baseline vector generator 206 as a hardware, software, firmware or combination component arranged to generate a vector representation 208 of communication for each node in the baseline graph 204. In one embodiment, the baseline vector generator 206 uses Word2Vec or, preferably, Node2Vec which uses node identifiers as words and paths through the baseline graph 204 as sentences into a typical Word2Vec model ("On Generalizing Neural Node Embedding Methods to Multi-Network Problems", Heimann and Koutra, 2017). The paths can be generated by random walks (traversals of the graph) for a node in the baseline graph 204, as will be described in more detail later. Due to the non-deterministic nature of Node2Vec (arising because it employs random walks to generate a corpus for Word2Vec) it is preferably to combine a plurality of such random walks to generate a representative vector for a node, the representative vector being defined based on a combination of the plurality of walks of the graph for a node (the node representing a computer system). Combining multiple vector representations into a single representation can be achieved using a simple average vector. Alternatively, an orthogonal transformation vector for each of a plurality of pairs of vector representations for the node can be generated such that the orthogonal transformation vector transforms a first vector in each pair to a second vector in the pair. A linear optimisation process operating on the orthogonal vectors by, for example, linear regression, can be used to define a combination vector representation for a node in the graph 204.
    [0035] Thus, in this way, embodiments of the present invention generate baseline vector representations 208 for each node in the baseline graph 204. Such baseline vector representation 208 and the baseline graph 204 are generated during a time period when the intercommunicating computer systems 200 are not susceptible to malicious attack such as malware, botnets or the like. In this way the baseline vectors 208 constitute a baseline for comparison to identify anomalies during production operation of the computer systems when the set 200 of systems may be subject or susceptible to attack or intrusion. Accordingly, during production operation of the set 200 of intercommunicating computer systems a subsequent graph generator 210 as a hardware, software, firmware or combination component is operable to generate subsequent graph 212. The subsequent graph generator 210 can be operationally identical to the baseline graph generator 202 except that the subsequent graph generator 210 is operable during execution of the computer systems in a production mode of operation, when potentially subject or susceptible to attack. In some embodiments, the baseline graph generator 202 and the subsequent graph generator 210 are one and the same. The subsequent graph 212 is comparable with the baseline graph 204 by way of vector representations. Thus, a subsequent vector generator 214 (which is operationally identical to the baseline vector generator 206 and can be one and the same) is operable to generate a vector representation of the subsequent graph 212 as a subsequent vector 216 for each node in the subsequent graph 212.
    [0036] The subsequent vector representations 216 can be generated periodically each corresponding to a particular period of time such that the subsequent vectors 216 can be compared with the baseline vectors 208 to identify anomalies in the subsequent vectors with respect to the baseline vectors. The comparison is made by a vector similarity function 218 such as a cosine similarity function for comparing vectors as is known in the art. Where a subsequent vector for a node in the subsequent graph 212 corresponding to a computer system in the set 200 is sufficiently dissimilar to a baseline vector for a node in the baseline graph 204 corresponding to the same computer system, then an anomaly is identified. Sufficiency of dissimilarity (or similarity) can be predetermined in terms of a degree of difference characterised in dependence on the particular vector similarity function 218 employed - such as an angular difference, an extent of vectoral magnitude difference or a combination or other such characterisations of difference as will be apparent to those skilled in the art. Protective measures 220 can be implemented to protect one or more of the computer systems in the set 200 of intercommunicating computer systems in dependence on the detection of an anomaly by the vector similarity function 218.
    [0037] Figure 3 is a flowchart of a method for identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems in accordance with embodiments of the present invention. Initially, at step 302, communication between computer systems in the set 200 for a predetermined baseline time period is monitored and at step 304 a baseline graph representation of the systems is generated in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set 200. At steps 306 to 310 a baseline vector representation is generated for each node in the baseline graph based on a combination of a plurality of walks of the graph for the node. At step 312 communication between computer systems in the set 200 for a subsequent time period is monitored. The subsequent time period is a predetermined period of time during which the computer systems operate in a production mode of operation. At step 314 a subsequent graph representation of the systems is generated in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set 200. At steps 316 to 320 a subsquent vector representation is generated for each node in the subsequent graph based on a combination of a plurality of walks of the graph for the node. At steps 322 to 330 baseline and subsequent vectors for nodes corresponding to each of a plurality of computer systems in at least a subset of the set 200 of computer systems are compared using a vector similarity function 218. Where anomalous behaviour of a computer system is detected at step 326, protective measures are implemented at step 328.
    [0038] Thus, embodiments of the present invention seek to identify a computer system in the set 200 exhibiting a behaviour change relative to a baseline representation of its behaviour. Figures 4a, 4b and 4c depict exemplary graph data structures representing intercommunicating computer systems in accordance with embodiments of the present invention. Specifically, Figures 4a, 4b and 4c depict graph representations of network traffic for a set of computer systems at different time points. In Figures 4a and 4b, computer "A" is showing "normal" behaviour (that is, typical behaviour for itself), whereas in Figure 4c, computer "A" is "attacking" several computers, so exhibiting anomalous behaviour.
    [0039] Each edge (arrowed) in Figures 4a to 4c is a flow of traffic between a source and a destination computer and the weight (thickness) represents an attribute of the flow. This attribute can be the number of connections/flows between two computers, the number of bytes or packets sent or an aggregation of these. In the example of Figure 4c the number of simultaneous flows between computer "A" and others has increased (hence the thicker arrows). As this behaviour was not observed before it is likely that an attack (for example a denial of service attack) is occurring.
    [0040] To identify this anomalous behaviour embodiments of the present invention employ machine learning techniques such as Node2Vec to convert each graph into an embedding so that differences in a node can be measured between embeddings. Node2Vec is a version of Word2Vec which uses node identifiers as words and paths through a graph as sentences in a Word2Vec model. The paths are generated by random walks from each node in a graph. These random walks can be configured to walk close to neighbouring nodes (akin to breadth-first search) or walk across the structure of the graph (akin to depth-first search). A next step to take in a walk can be determined by edge probabilities. These probabilities can be calculated by an attribute of an edge (for example, an attribute of flow), such as by normalising the attribute among all edges and applying the breadth/depth-first search configurations. In the context of monitoring computer behaviour, attacks may be more likely to occur in respect of neighbouring computer systems rather than systems on the other side of a network. Therefore, a larger breadth-first search parameter can be employed, for example.
    [0041] The net flows of network traffic is directed (as previously described). This direction is carried forward during a random walk which can have an effect on which nodes appear in a path. Figures 5a and 5b depict exemplary graph data structures of representing intercommunicating computer systems in accordance with embodiments of the present invention. In the graph of Figure 5a, node "B" has relatively heavy weighted edges directed to each of nodes "A", "J", "H" and "E" indicating that computer corresponding to node "B" is sending lots of packets to those target computers. During walks of the graph of Figure 5a as part of the Node2Vec process, only node "C" can result in a traversal to node "B" because only node "C" has an edge directed to node "B". This means the set of paths (corpus) for training Node2Vec will for all nodes other than node "C" will not involve node "B", despite node "B" representing the most communicative computer system in the set. To remedy this, all edges and their weights are reversed prior to the walking process of Node2Vec, as illustrated in Figure 5b. In the exemplary graph of Figure 5b many more nodes now lead to node "B". During the random walks of the Node2Vec process there is an increased chance of walks involving node "B" meaning the path corpus has a higher chance of mentioning node "B" and thus highlighting the impact node "B" has on the graph.
    [0042] Word2Vec is used to determine the similarity of words within an embedding. In this process, a similarity score is used on vectors within the embedding. For example, the cosine between two vectors can be calculated which is used to determine how similar (i.e. how parallel) they are. In embodiments of the present invention, however, each node is to be compared across a set of graph embeddings.
    [0043] A problem in using Node2Vec is it is a non-deterministic algorithm because it uses random walks to generate the corpus for Word2Vec. This means that every time Node2Vec is used on the same graph with the same parameters, different embeddings can be generated. For effective comparison of vectors to determine anomalies, Node2Vec would preferably operate deterministically producing consistent embeddings no matter how many executions are performed. This would also mean performing a similarity score for the same node among all embeddings should reveal an identical or, at least, much more similar score, for example, using cosine similarity should yield a score tending towards one.
    [0044] One possible solutions to this challenge is to use a different walking strategy known as graph kernelling. Alternatively, a sample average can be calculated from a set of embeddings.
    [0045] Random walking is integral to Node2Vec and for its intended purpose of producing one embedding for a graph, it suits most needs. However, for larger graphs where there are many possible paths, this strategy may be unsuitable. Even increasing a number of iterations during an execution (i.e. the number of walks performed from each node) may not improve the embedding as the training phase is built on previous walks. Another walking strategy could be used, especially if it can be built on hidden Markov models as this is how the graph is constructed as an input to Node2Vec ("What is a Hidden Markov Model ", Sean R Eddy, Nature Biotechnology volume 22, pages 1315-1316, 2004).
    [0046] Combining of embeddings is considered in "Linear Ensembles of Word Embedding Models" (Muromagi et al, 2017) where an ensemble is created for performing Word2Vec tasks on a small corpus. The technique in Muromagi of combining embeddings (matrices) through a process called "orthogonal Procrustes" leads to more accurate representations of combined embeddings compared to least squares regression. Orthogonal Procrustes produces an orthogonal matrix, given matrices A and B, so that A can be transformed to (closely match) B. As there are multiple matrices to be combined and one matrix is to represent all of them, this process can be adapted into a linear optimisation problem so that the process can be run iteratively to produce a matrix as an embedding rather than an orthogonal matrix. Thus, in the above described exemplary embodiments, combining vector representations into a single vector representation for a node can be performed by generating an orthogonal transformation vector for each of a plurality of pairs of vector representations for the node such that the orthogonal transformation vector transforms a first vector in the pair to a second vector in the pair. Linear optimisation is then performed on the orthogonal transformation vectors by linear regression. Thus, the different embeddings from each Node2Vec iteration on the same graph and parameters can be combined to produce a representative embedding of the graph.
    [0047] To evaluate the model, a baseline is required to compare an embedding with, as previously described. This baseline graph (and resulting vector embedding) should represent the normal state of the environment. The baseline graph can also be an aggregation of graphs which is especially advantageous if time windows are to be used to observe changes. As previously described, a baseline graph and embedding are generated for a period of time where traffic behaviour is expected to be normal (nothing malicious occurring). Since traffic can change over time (and may have temporal, seasonal or other effects, such as peak and off-peak work hours), time windows can be used to observe traffic during different periods of time. When constructing a baseline graph multiple constant observations are aggregated to form the baseline graph.
    [0048] During observations of live data at a production time of operation of computer systems, new (subsequent) graphs are generated which have the same nodes as the baseline graph (but not necessarily the same edges and edge properties which depend on the intercommunications between the computer systems). Before the subsequent graph can be used it is preferably aggregated with the baseline graph to smooth out any noise. Once the observed graph has been aggregated and smoothed, it goes through the Node2Vec and Procrustes mechanisms to produce another representative embedding to be used for comparing with the baseline embedding.
    [0049] The two representative embeddings, baseline and subsequent observation, can be compared to show how a node has changed behaviour (how the edges have changed) between baseline and subsequent observation. Since an embedding is a collection of vectors, the vectors of the same word (i.e. node having a node identifier) from each embedding are compared against each other using the vector similarity function. For example, cosine similarity can be used to show how parallel two vectors are - parallel vectors have a score of 1, perpendicular vectors have a score of 0 and opposite-facing vectors have a score of -1. Other similarity scores can be used as will be apparent to those skilled in the art.
    [0050] For example, network traffic can be collected to generate a baseline representational embedding and production (subsequent) representational embeddings. A time window of one hour can be used per observation and a full day's worth of traffic is to be used to generate the baseline. The 24 hours of data can be divided into 24 observations and each one of them can be converted into a graph in which each node represents a computer system in the set 200 and each edge represents a property of a connection between two systems. Some properties can include the number of connections made, number of packets or bytes sent or some other suitable observable property. The 24 network graphs are then aggregated into one graph by, for example, taking a mean of each edge property. The resulting aggregate graph is processed iteratively through Node2Vec with the resulting vectors merged by the Procrustes mechanism to produce a representative embedding of the baseline graph.
    [0051] During observation of live data from the set 200 of computer systems operating in a production mode of operation, new one-hour network graphs are generated as subsequent graphs with the same edge property used in the baseline graph. Each subsequent network graph is aggregated (and averaged) with the baseline to smooth out any noise (consequently resulting in a 25-hour averaged subsequent network graph). The process of Node2Vec and Procrustes is applied iteratively to the averaged subsequent graph to create a new representative embedding which can be used for comparison.
    [0052] Each generated embedding arising from a subsequent graph is compared with the baseline embedding using a similarity function as previously described. For each node in the embeddings a similarity score will show how much a computer system represented by the node has changed behaviour. If cosine similarity is used, a score close to 1 means the node did not change behaviour (constant connections maintained), whereas a score closer to -1 means the node dramatically changed behaviour, possibly meaning it was performing an attack. Where an attack is indicated, reactive measures can be employed such as the protective measures previously described.
    [0053] The generation of a vector representation for a node in the graph by generating a statistically representative vector based on, for example, multiple node2vec executions, has disadvantages. For example, multiple vectors are generated for consolidation into a single vector representation and a particular number of vectors required to arrive at a statistically representative combined vector can be difficult to determine (similar to a difficulty in determining a depth of a deep learning network or a number of training examples for a machine learning algorithm to arrive at a suitably trained machine). Furthermore, the use of random walking of the graph results in a lack of certainty that independently generated vector embeddings will be comparable due to the non-determinative nature of the walking process. While the non-determinative nature of the walking process can be suitably mitigated by consolidating a multiplicity of walks, the selection and number of such walks is itself challenging to determine. Accordingly, it would be advantageous to overcome this challenge for embodiments of the present invention.
    [0054] Figure 6 is a flowchart of a method for generating vector representations for computer systems based on deterministic walks of a graph representation of communications between computer systems in accordance with embodiments of the present invention. In accordance with embodiments of the present invention, the flowchart of Figure 6 is applicable to the generation of the baseline vector 308 and the generation of the subsequent vector 318 steps in Figure 3. The use of a reproducible deterministic walk of a graph as a basis for the generation of a vector representation removes a need to combine a plurality of walks of the graph to generate a representative vector representation. Accordingly, the selection of an appropriate number of such walks for combination is also avoided.
    [0055] Firstly, at step 602, the nodes in at least a subset of the graph (and preferably all nodes in the graph) are ordered using a deterministic ordering function. Preferably, the nodes are ordered based on a degree of each node (i.e. a number of edges for each node). Where multiple nodes share the same degree, an ordered differentiation of the nodes can be made based on a characteristic of each node sharing the same degree. For example, a unique identifier of each node can be used to order the nodes, such as by ordering the nodes in order of their identifier using a suitable means (e.g. an alphabetic, alphanumeric or numeric identifier can be readily ordered). Thus, in such embodiments, the degree of each node constitutes at least part of the basis for determining an order of the nodes.
    [0056] Subsequently, at step 604, the method proceeds to iterate through nodes in the ordered set of nodes starting with a first node in the ordered set. At step 606, for a current node, a walk of the graph commencing with the current node is undertaken. Thus, the walk is performed for the current node which constitutes the start node of the walk. Such current node is therefore referred to herein as the current start node.
    [0057] The walk is constituted by the method steps 608 to 612 in which, initially at step 608, determines if a stopping condition for the walk is met. A walk for a start node preferably stops after a predetermined number of edge traversals (or node visits) in order to limit the maximum length of the walk. Such a limit thus constitutes a stopping condition. Another stopping condition can include a condition that a total weight of all edges from the node exceeds a particular value, such as a total weight must be greater than zero. Other suitable stopping conditions will be apparent to those skilled in the art.
    [0058] Where the stopping condition is not satisfied the method proceeds to step 610 where an edge to traverse next in the walk is determined based on a deterministic edge selection function. The edge selection function is a function that determines which edge, from a particular node, the walk should take next and is deterministic such that the function always determines the same edge in the same circumstances. Preferably, the edge selection function selects an edge based on weights of edges for a node. For example, the edge selection function identifies the edge having the greatest weight by, e.g., comparing the weights of the edges for the node. In such an embodiment, multiple edges sharing the same weight can be differentiated in an ordered manner by, for example, ordering the nodes to which each edge leads using a characteristic of such nodes. Such a characteristic can be a unique identifier of the nodes so that the nodes can be ordered in a deterministic way so that the edge selection function can identify deterministically which edge should be walked next. Subsequently, at step 612, the determined edge is walked and the method iterates to step 608 until the stopping condition is met.
    [0059] In a preferred embodiment, the selection of an edge by the edge selection function at step 610 for traversal of the edge at step 612 further comprises decreasing a weight of the edge so that the weight of the edge when it is traversed reduces. In this way, frequently traversed edges are progressively deemphasised deterministically in terms of the edge selection function for subsequent walks of the graph.
    [0060] When the stopping condition for a walk of the graph for a current start node is met, the walk for the current start node is stored, recorded or otherwise remembered in association with the current start node at step 614. The method then determines, at step 616, whether each node in the graph has been visited and iterates to step 604 accordingly. Notably, the determination at step 616 could be to determine if all nodes have been used as start nodes. Alternatively, and in a preferred embodiment, the determination at step 616 is whether all nodes have been visited, such visit being constituted as either a start node or as part of a walk of another node as start node.
    [0061] Thus the method of Figure 6 generates, for each node in a set of nodes of the graph (start nodes), a single deterministic walk of the graph for the node on which basis a vector representation can be generated using, for example, node2vec or word2vec as previously described.
    [0062] Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
    [0063] Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
    [0064] It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
    [0065] The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
    权利要求:
    Claims (17)
    [0001] A computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising:
    monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems;
    monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems;
    comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behaviour of the target system in the subsequent time period compared to the baseline time period,
    characterised in that a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.
    [0002] The method of claim 1 in which the deterministic walk is a walk of the graph commencing at a node corresponding to the target system and continuing along edges of the graph based on a deterministic edge selection function at each node of the graph.
    [0003] The method of claim 2 wherein the edge selection function includes a determination of which edge to traverse for a current node in the graph based on a weight of the edge in comparison to weights of other edges for the current node.
    [0004] The method of claim 3 in which multiple edges having identical edge weights are differentiated deterministically based on a characteristic of a node to which the edge leads in the graph such that the determination of which edge to traverse is based on the deterministic differentiation.
    [0005] The method of any of claims 3 or 4 in which the deterministic walk of the path is bounded to a maximum walk length.
    [0006] The method of any of claims 3 to 5 in which the deterministic walk is one of a set of deterministic walks of the graph, and the walks in the set are conducted in an order determined at least partly by a degree nodes in the graph, andwherein a traversal of an edge between nodes for a walk of the graph triggers a decreasing of a weight of the traversed edge so as to progressively deemphasise traversed edges for subsequent walks of the graph.
    [0007] The method of claim 6 in which, where two or more nodes have identical degree, the order of walks in the set for the two or more nodes is further determined based on an deterministic ordering of a characteristic of each node.
    [0008] The method of any of claims 6 or 7 wherein the set of deterministic walks includes sufficient walks of the graph such that each node in the graph is visited at least once across all walks in the set.
    [0009] The method of any preceding claim wherein the vector similarity function is a cosine similarity function.
    [0010] The method of any preceding claim wherein the characteristic of communication includes one or more of: a flow of network traffic from a source computer system to a target computer system; and a volume of data communicated from a source computer system to a target computer system.
    [0011] The method of any preceding claim wherein a direction of an edge in the graph corresponds to a net direction of flow of network traffic between a source and target computer systems in a communication.
    [0012] The method of any preceding claim wherein a weight of an edge in a graph corresponds to a volume of data communicated.
    [0013] The method of any preceding claim further comprising, responsive to the identification of anomalous behaviour, implementing protective measures for one or more computer systems in the set to protect against malicious communication involving the computer system exhibiting anomalous behaviour.
    [0014] The method of claim 13 wherein the protective measures include one or more of:preventing network communication to and/or from a particular computer system; performing an antimalware task on one or more of the computer systems; disconnecting one or more of the computer systems; and increasing a level of monitoring of network communication with one or more computer systems.
    [0015] The method of any preceding claim wherein the predetermined baseline time period corresponds to at least part of a time period when the set of intercommunicating computer systems are separated from influence by malicious agents.
    [0016] A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.
    [0017] A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 15.
    类似技术:
    公开号 | 公开日 | 专利标题
    US9832213B2|2017-11-28|System and method for network intrusion detection of covert channels based on off-line network traffic
    US9910980B2|2018-03-06|Cyber security
    Acar et al.2020|Peek-a-Boo: I see your smart home activities, even encrypted!
    US10205735B2|2019-02-12|Graph-based network security threat detection across time and entities
    US20180103052A1|2018-04-12|System and methods for automated detection, reasoning and recommendations for resilient cyber systems
    Singhal et al.2017|Security risk analysis of enterprise networks using probabilistic attack graphs
    JP6378395B2|2018-08-22|Use of DNS requests and host agents for path exploration and anomaly / change detection and network status recognition for anomaly subgraph detection
    Wang et al.2012|A semantics aware approach to automated reverse engineering unknown protocols
    CN103748853B|2017-03-08|For the method and system that the protocol message in data communication network is classified
    US20190034631A1|2019-01-31|System and method for malware detection
    US8997236B2|2015-03-31|System, method and computer readable medium for evaluating a security characteristic
    JP6530786B2|2019-06-12|System and method for detecting malicious elements of web pages
    EP2566130B1|2016-02-24|Automatic analysis of security related incidents in computer networks
    US10791141B2|2020-09-29|Anonymized network data collection and network threat assessment and monitoring systems and methods
    US9081961B2|2015-07-14|System and method for analyzing malicious code using a static analyzer
    Kaur et al.2014|A survey on zero-day polymorphic worm detection techniques
    US7624448B2|2009-11-24|Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data
    Razzaq et al.2014|Ontology for attack detection: An intelligent approach to web application security
    US20160352685A1|2016-12-01|Apparatus and method for providing controlling service for iot security
    CN106663169B|2021-03-09|System and method for high speed threat intelligence management using unsupervised machine learning and priority algorithms
    US10958672B2|2021-03-23|Cognitive offense analysis using contextual data and knowledge graphs
    EP2725512A1|2014-04-30|System and method for malware detection using multi-dimensional feature clustering
    US20170288974A1|2017-10-05|Graph-based fusing of heterogeneous alerts
    Wang et al.2013|k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities
    US8595176B2|2013-11-26|System and method for network security event modeling and prediction
    同族专利:
    公开号 | 公开日
    US20200220892A1|2020-07-09|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    法律状态:
    2020-06-12| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
    2020-06-12| PUAI| Public reference made under article 153(3) epc to a published international application that has entered the european phase|Free format text: ORIGINAL CODE: 0009012 |
    2020-07-15| AX| Request for extension of the european patent|Extension state: BA ME |
    2020-07-15| AK| Designated contracting states|Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
    2021-01-22| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
    2021-02-24| RBV| Designated contracting states (corrected)|Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
    2021-02-24| 17P| Request for examination filed|Effective date: 20210114 |
    2021-08-11| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: GRANT OF PATENT IS INTENDED |
    2021-08-11| GRAP| Despatch of communication of intention to grant a patent|Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
    2021-09-08| INTG| Intention to grant announced|Effective date: 20210812 |
    2021-12-08| GRAS| Grant fee paid|Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
    2021-12-10| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
    2021-12-10| GRAA| (expected) grant|Free format text: ORIGINAL CODE: 0009210 |
    2022-01-12| AK| Designated contracting states|Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
    2022-01-12| REG| Reference to a national code|Ref country code: GB Ref legal event code: FG4D |
    2022-01-14| REG| Reference to a national code|Ref country code: CH Ref legal event code: EP |
    2022-01-27| REG| Reference to a national code|Ref country code: DE Ref legal event code: R096 Ref document number: 602019010856 Country of ref document: DE |
    2022-01-31| REG| Reference to a national code|Ref country code: CH Ref legal event code: PK Free format text: BERICHTIGUNG B8 |
    2022-02-02| REG| Reference to a national code|Ref country code: IE Ref legal event code: FG4D |
    2022-02-15| REG| Reference to a national code|Ref country code: AT Ref legal event code: REF Ref document number: 1463122 Country of ref document: AT Kind code of ref document: T Effective date: 20220215 |
    2022-02-16| RAP4| Party data changed (patent owner data changed or rights of a patent transferred)|Owner name: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY |
    优先权:
    申请号 | 申请日 | 专利标题
    [返回顶部]