| CPC H04L 63/1416 (2013.01) | 13 Claims |

|
1. A computer implemented method for anomaly detection in a network, comprising operations, wherein the operations are performed by components, and wherein the components are software components executed by one or more processors and/or hardware components, the method comprising:
representing, by a temporal knowledge graph stored in a graph database, a network including interactions between network modules with a set of entities, a set of relations, and a set of timestamps,
with each entity representing data about the network as a node in the temporal knowledge graph,
with at least some entities representing network modules consisting of hardware and/or software,
with at least some of the relations representing a type of interaction between network modules, and
with at least some edges between nodes representing interactions between entities that have been observed as events, with each of these edges having a timestamp, encoding when the interaction occurred, and being an instance of one of the relations;
sampling, by a temporal random walks component in a first step, temporal random walks from the temporal knowledge graph for each relation in the temporal knowledge graph, wherein each temporal random walk is a sequence of edges with decreasing timestamps starting with an edge for the respective relation;
transforming, in a second step, the temporal random walks into temporal logical rules;
observing, by a monitoring component, an event in the network or a different network; and
classifying, in a third step, the observed event with regard to an anomaly, using the temporal logical rules;
wherein the second step is performed by a rule learning component, wherein:
each temporal logical rule consists of a rule body and a rule head, with each rule head specifying one of the relations,
each temporal random walk is stored as a rule grounding of the respective temporal logical rule, and
a confidence value is computed for each temporal logical rule, indicating a probability for the correctness of the respective rule.
|
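The three steps of claim 1 as a minimal Python sketch, added here for illustration and not taken from the patent: walks are sampled per relation with decreasing timestamps, each walk is kept as a grounding of the rule it yields, and an observed event is scored against the learned rules. Assumptions: the module names, relation names and events are constructed, rule bodies are limited to one earlier edge between the same two entities, and the confidence estimate and the 0.5 threshold are choices made for this sketch.

```python
import random
from collections import defaultdict

# Constructed events (assumption): (subject, relation, object, timestamp)
EVENTS = [
    ("hmi1", "auth", "plc1", 1), ("hmi1", "read", "plc1", 2),
    ("hmi2", "auth", "plc1", 3), ("hmi2", "read", "plc1", 4),
    ("hmi1", "auth", "plc2", 5), ("hmi1", "read", "plc2", 6),
    ("hmi3", "auth", "plc2", 7),   # body grounding never followed by a read
]

def sample_walk(events, relation, rng):
    """Step 1: start at an edge of `relation`, then step to an earlier edge."""
    heads = [e for e in events if e[1] == relation]
    head = rng.choice(heads)
    # Sketch restriction (assumption): stay on the same subject/object pair.
    earlier = [e for e in events
               if e[0] == head[0] and e[2] == head[2] and e[3] < head[3]]
    return [head, rng.choice(earlier)] if earlier else None

def learn_rules(events, walks_per_relation=20, seed=0):
    """Step 2: walks become rules body(X,Y,T1) -> head(X,Y,T2) with T1 < T2."""
    rng = random.Random(seed)
    groundings = defaultdict(list)   # (body_rel, head_rel) -> sampled walks
    for relation in sorted({e[1] for e in events}):
        for _ in range(walks_per_relation):
            walk = sample_walk(events, relation, rng)
            if walk:
                groundings[(walk[1][1], relation)].append(walk)
    rules = {}
    for (body, head), walks in groundings.items():
        bodies = [e for e in events if e[1] == body]
        # Confidence (assumed estimator): share of body edges later followed
        # by a head edge between the same two entities.
        hits = sum(any(h[1] == head and h[0] == b[0] and h[2] == b[2]
                       and h[3] > b[3] for h in events) for b in bodies)
        rules[(body, head)] = {"confidence": hits / len(bodies),
                               "groundings": walks}
    return rules

def classify(event, history, rules, threshold=0.5):
    """Step 3: score = 1 - best confidence among rules whose body is grounded."""
    s, r, o, t = event
    seen = {e[1] for e in history if e[0] == s and e[2] == o and e[3] < t}
    fired = [v["confidence"] for (body, head), v in rules.items()
             if head == r and body in seen]
    score = 1.0 - max(fired, default=0.0)
    return score, score > threshold   # threshold is an assumption
```

A read that follows an earlier auth between the same two modules scores low, while a read with no grounded rule body scores 1.0 and is flagged.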