US 12,309,183 B2
Attack detection apparatus and method based on measurement of networking behavior abnormalities in symbolic spaces
Byung-Ho Chung, Daejeon (KR); and Hyeok-Chan Kwon, Daejeon (KR)
Assigned to ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE, Daejeon (KR)
Filed by ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE, Daejeon (KR)
Filed on Nov. 18, 2022, as Appl. No. 18/057,056.
Claims priority of application No. 10-2021-0190598 (KR), filed on Dec. 29, 2021.
Prior Publication US 2023/0208866 A1, Jun. 29, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); G06F 2221/033 (2013.01)]
18 Claims
1. An attack detection apparatus based on measurement of networking behavior abnormalities in symbolic spaces, comprising:
a memory configured to store at least one program and an abnormal behavior prediction model; and
a processor configured to execute the program,
wherein the program is configured to perform:
creating profiles based on a transmission address of a flow received from a network,
measuring a behavior abnormality of a device corresponding to the transmission address of the flow on the network, and mapping the measured behavior abnormality to behavior symbols in symbolic spaces,
generating a behavior symbol sequence pattern, in which the behavior symbols are sequentially connected, for each profile, and
detecting presence or non-presence of an attack and a device associated with the attack based on an output of the abnormal behavior prediction model that receives the behavior symbol sequence pattern as input,
wherein the program is configured to perform, in mapping,
generating a behavior period symbol and a behavior frequency symbol based on a flow size, a flow duration, and an inter-flow arrival time difference (IFTD), and
generating a behavior periodicity symbol by combining the behavior period symbol with the behavior frequency symbol.
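
The mapping and sequencing steps of claim 1, sketched as an added example that is not taken from the patent or from the assignee's implementation. The claim does not state how the symbols are derived, so the order-of-magnitude binning, the two alphabets, and the choice of IFTD for the period symbol and bytes per second for the frequency symbol are all assumptions; the abnormal behavior prediction model that consumes the sequences is left out.

```python
import math
from collections import defaultdict

# Constructed sample flows: (source address, start time s, duration s, bytes).
FLOWS = [
    ("10.0.0.5", 0.0, 0.2, 300),
    ("10.0.0.5", 60.0, 0.2, 310),
    ("10.0.0.5", 120.0, 0.2, 305),
    ("10.0.0.5", 180.0, 0.2, 298),
    ("10.0.0.9", 3.0, 12.0, 480_000),
    ("10.0.0.9", 4.5, 0.4, 2_000),
    ("10.0.0.9", 400.0, 30.0, 9_000_000),
]

def bucket(value, letters):
    """Quantize a positive value by order of magnitude onto a small alphabet."""
    idx = int(math.floor(math.log10(max(value, 1e-3)))) + 3  # 1e-3 maps to 0
    return letters[min(max(idx, 0), len(letters) - 1)]

def period_symbol(iftd):
    # Assumed rule: the period symbol encodes the gap since the previous flow.
    return bucket(iftd, "abcdefg")

def frequency_symbol(size, duration):
    # Assumed rule: the frequency symbol encodes the flow's bytes per second.
    return bucket(size / max(duration, 1e-3), "0123456789")

def symbol_sequences(flows):
    """Return {source address: behavior symbol sequence} in arrival order."""
    profiles = defaultdict(list)  # one profile per transmission address
    for src, start, duration, size in flows:
        profiles[src].append((start, duration, size))
    sequences = {}
    for src, items in profiles.items():
        items.sort()
        symbols = []
        # The first flow of a profile has no predecessor, hence no IFTD.
        for (prev_start, _, _), (start, duration, size) in zip(items, items[1:]):
            iftd = start - prev_start
            # Periodicity symbol = period symbol combined with frequency symbol.
            symbols.append(period_symbol(iftd) + frequency_symbol(size, duration))
        sequences[src] = "-".join(symbols)
    return sequences

if __name__ == "__main__":
    for src, seq in symbol_sequences(FLOWS).items():
        print(src, seq)
```

With the constructed flows, the host that sends a small flow every 60 seconds collapses to one repeated symbol, while the host with irregular traffic yields a varied sequence.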