1. (WO2018224670) ANOMALY DETECTION IN COMPUTER NETWORKS
Note: This text was generated by an automatic optical character recognition (OCR) process. For legal matters, refer to the PDF version.

CLAIMS

1. A method of anomaly detection for network traffic communicated by devices via a computer network, the method comprising:

clustering a set of time series, each time series including a plurality of time windows of data corresponding to network communication characteristics for a device;

training an autoencoder for each cluster based on time series in the cluster;

generating a set of reconstruction errors for each autoencoder based on testing the autoencoder with data from time windows of at least a subset of the time series;

generating a probabilistic model of reconstruction errors for each autoencoder; and

generating an aggregation of the probabilistic models for, in use, detecting reconstruction errors for a time series of data corresponding to network communication characteristics for a device as anomalous.

2. The method of claim 1 wherein the clusters are defined based on an autoencoder for converting each time series to a vector of features for the time series and a clustering algorithm clusters the vectors.

3. The method of any preceding claim wherein the set of reconstruction errors for an autoencoder are generated based on the autoencoder processing each time series in a corresponding cluster of time series.

4. The method of claim 1 wherein the clusters are defined based on a random subdivision of the set of time series.

5. The method of claim 4 wherein the set of reconstruction errors for an autoencoder are generated based on the autoencoder processing each of the time series.

6. The method of any preceding claim wherein each probabilistic model is a Gaussian model of reconstruction errors for an autoencoder.

7. The method of claim 6 wherein the aggregation of the probabilistic models is a Gaussian mixture model.

8. The method of any of claims 1 to 5 wherein the aggregation of the probabilistic models is a hidden Markov model.

9. A computer system including a processor and memory storing computer program code for performing the steps of any preceding claim.

10. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 8.
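
The following sketch is an added example, not code from the patent or its applicant. It walks through the variant of claims 4 to 7: random subdivision, one autoencoder per cluster, errors taken over every time series, a Gaussian per autoencoder, and a mixture. Assumptions: a one-unit tied-weight linear autoencoder stands in for the autoencoder, the scoring rule and threshold are choices made here, and the feature names and data are constructed.

```python
import math, random, statistics

def train_autoencoder(windows, epochs=40, lr=0.02):
    """One-unit tied-weight linear autoencoder: code = w.x, reconstruction = code*w."""
    w = [0.1] * len(windows[0])
    for _ in range(epochs):
        for x in windows:
            h = sum(a * b for a, b in zip(w, x))
            r = [a - h * b for a, b in zip(x, w)]      # residual x - x_hat
            rw = sum(a * b for a, b in zip(r, w))
            # gradient step on the squared reconstruction error
            w = [wi + 2 * lr * (rw * xi + h * ri) for wi, xi, ri in zip(w, x, r)]
    return w

def recon_error(w, x):
    h = sum(a * b for a, b in zip(w, x))
    return sum((a - h * b) ** 2 for a, b in zip(x, w)) / len(x)

def density(model, x):
    """Assumed scoring rule: weighted sum of each Gaussian at its autoencoder's error."""
    total = 0.0
    for weight, w, mu, sigma in model["parts"]:
        z = (recon_error(w, x) - mu) / sigma
        total += weight * math.exp(-0.5 * z * z) / (sigma * math.sqrt(2 * math.pi))
    return total

def fit(series, k=3, seed=7):
    """Random subdivision, one autoencoder and Gaussian per cluster, then a mixture."""
    shuffled = series[:]
    random.Random(seed).shuffle(shuffled)
    every_window = [x for s in series for x in s]
    parts = []
    for c in (shuffled[i::k] for i in range(k)):
        w = train_autoencoder([x for s in c for x in s])
        errs = [recon_error(w, x) for x in every_window]   # claim 5: all series
        parts.append((len(c) / len(series), w, statistics.mean(errs), statistics.stdev(errs)))
    model = {"parts": parts}
    # Assumed threshold: the lowest mixture density seen on the training windows.
    model["threshold"] = min(density(model, x) for x in every_window)
    return model

def is_anomalous(model, x):
    return density(model, x) < model["threshold"]

# Constructed sample: 12 devices, 20 windows each, features rising and falling together.
RNG = random.Random(1)
BASE = [1.0, 0.5, 0.2]   # hypothetical features: bytes out, bytes in, new connections
def make_window():
    t = RNG.uniform(0.5, 1.5)
    return [t * b + RNG.gauss(0, 0.02) for b in BASE]
SERIES = [[make_window() for _ in range(20)] for _ in range(12)]
MODEL = fit(SERIES)
ODD = [0.2, 0.1, 1.5]    # constructed window: connection count far out of proportion
```

Because the Gaussian is fitted to the error values themselves, an unusually low reconstruction error also reduces the density, so a deployment may prefer a one-sided test on the error.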