CPC G06F 21/566 (2013.01) [G06N 3/045 (2023.01); G06N 3/08 (2013.01); G06F 2221/034 (2013.01)]
14 Claims
1. A computer implemented method for detecting anomalies in an information system (IS), comprising several computer entities, said computer implemented method comprising:
at least one iteration of a detection phase for at least one entity of said several computer entities of said IS and at least one time window,
wherein said at least one time window comprises a current unitary window,
wherein said detection phase comprises
collecting data related to an activity of said at least one entity during said current unitary window;
constructing a data set associated with said current unitary window based on the data collected during a window comprising said current unitary window,
wherein said data set comprises an observation and said window is an observation window,
generating a unitary digital signature representative of a behavior of said at least one entity during said current unitary window based on said observation; and,
calculating an anomaly score, associated with said at least one entity for said current unitary window based on
said unitary digital signature, and
a reference digital signature, wherein said reference digital signature is previously calculated for said at least one entity and is representative of the activity of said at least one entity over a period preceding said current unitary window,
wherein said period is a reference period,
wherein said unitary digital signature and said reference digital signature are generated using a generator based on deep learning Siamese neural networks and
wherein, for the unitary digital signature, the anomaly score is calculated using
Z0=(d0−MEAN)/STD
where
d0 is a distance between the reference digital signature and the unitary digital signature;
MEAN is an average of distances between the reference digital signature and each unitary digital signature associated with said each unitary window of said reference period, and
STD is a standard deviation of the distances between the reference digital signature and said each unitary digital signature associated with said each unitary window of said reference period.
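The scoring step of the claim, Z0=(d0−MEAN)/STD, as an added example that is not part of the patent text or the applicant's implementation. It assumes Euclidean distance, a reference digital signature formed as the component-wise mean of the reference period's unitary signatures, population standard deviation, and small constructed vectors standing in for the Siamese-network output; the claim fixes none of these choices.

```python
import math
import statistics

def distance(a, b):
    """Euclidean distance (assumed; the claim does not name a metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(signatures):
    """Assumed way to form a reference signature: component-wise mean."""
    return [statistics.fmean(col) for col in zip(*signatures)]

def reference_stats(reference_sig, unitary_sigs):
    """MEAN and STD of the distances between the reference signature and
    each unitary signature of the reference period."""
    dists = [distance(reference_sig, s) for s in unitary_sigs]
    if not dists:
        raise ValueError("reference period has no unitary windows")
    # Population standard deviation is an assumption; the claim only
    # says "standard deviation".
    return statistics.fmean(dists), statistics.pstdev(dists)

def anomaly_score(reference_sig, unitary_sig, mean, std):
    """Z0 = (d0 - MEAN) / STD for the current unitary window."""
    d0 = distance(reference_sig, unitary_sig)
    if std == 0.0:
        # Degenerate baseline: every reference window was equidistant.
        # Assumed handling: any deviation yields an infinite score.
        return 0.0 if d0 == mean else math.copysign(math.inf, d0 - mean)
    return (d0 - mean) / std

# Constructed 2-D signatures for one entity over a reference period.
REFERENCE_PERIOD = [(1, 0), (0, 1), (-1, 0), (0, -1),
                    (2, 0), (0, 2), (-2, 0), (0, -2)]
REFERENCE_SIG = centroid(REFERENCE_PERIOD)
MEAN, STD = reference_stats(REFERENCE_SIG, REFERENCE_PERIOD)

if __name__ == "__main__":
    # Two constructed current-window signatures: one typical, one far off.
    for label, sig in [("typical", (0, 1.5)), ("unusual", (3, 4))]:
        print(label, anomaly_score(REFERENCE_SIG, sig, MEAN, STD))
```

A baseline whose distances barely vary makes STD small and inflates every score, so the length and representativeness of the reference period determine how noisy the resulting scores are.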