Method and device for detecting intrusion in a computer system
The use of a large language model trained by unsupervised or semi-supervised learning to segment and analyze network traffic data for intrusion detection addresses the limitations of existing systems, improving accuracy and reducing false positives.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
- Filing Date
- 2024-12-13
- Publication Date
- 2026-06-19
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: Method and device for detecting intrusion in a computer system
[0001] The present invention relates to a method for detecting intrusion in a computer system comprising at least one communication interface via a communication network.
[0002] The invention also relates to an intrusion detection device in an associated computer system and an associated computer program.
[0003] The invention relates to the field of computer system security, and more particularly to the field of intrusion detection. This field is critical for securing computer systems in response to potential attacks by malicious third parties.
[0004] Intrusion detection is based more specifically on the detection of abnormal traffic in communications within the communication network (or network communications) destined for the computer system in question. Denial-of-service attacks are a well-known example, in which the malicious third-party system executes commands to disrupt the normal operation of the communication network.
[0005] A potentially malicious intrusion can also be detected from operating history data (or "logs") of the computer system concerned, by detecting anomalies in the operating history data compared to the normal operating history data.
[0006] Traditionally, to prevent potential malicious intrusions into a computer system, a "firewall" is implemented, which is programmed using predetermined rules, for example, by rejecting network communication packets originating from certain previously identified systems. It is clear that such strategies have limitations, insofar as the rules are predefined.
[0007] More recently, machine learning-trained models have been used to distinguish between normal and abnormal network traffic. Such models are, for example, neural network models parameterized for the task of classifying representative network communication data, also known as network traffic data, into normal and abnormal traffic. Machine learning is performed on training data and is used to calculate the values of the parameters characterizing the model in order to optimize the task to be performed.
[0008] In general, it has been proposed to develop such models by supervised learning, that is, on previously collected training data of network traffic. One drawback of the supervised approach is that it requires a representative sample of labeled traffic, i.e., examples of regular (i.e., normal) and malicious (i.e., abnormal) traffic. This is often done in pre-prepared testbeds, which are considerably different from the communication network in which the intrusion detection system will ultimately be deployed.
[0009] Unsupervised learning has also been considered. In this case, the model parameters are trained solely on data representative of a normal state of network communications and data representative of normal traffic. A known drawback of this type of method is that any deviation from the learned normal traffic cases risks being labeled as due to an intrusion, leading to an excessively high false positive rate.
[0010] The present invention aims to remedy the disadvantages of the aforementioned prior art, by proposing a method and device for intrusion detection using a large language model previously trained by unsupervised or semi-supervised learning, providing better intrusion detection accuracy.
[0011] To this end, the invention relates to a method for detecting intrusions in a computer system 2) comprising at least one communication interface (4) via a communication network (6), comprising a collection (40) of formatted data representative of network communications or the operation of said computer system, the method implementing a large language model (35), previously trained by machine learning on training data comprising at least training data representative of a normal state of network communications or the operation of said computer system. This method comprises steps, implemented by a computing processor, of: - segmentation of at least a subset of said formatted data collected into a sequence of elementary fragments, said elementary fragments belonging to a predetermined dictionary of elementary fragments, - application of said large-scale language model to the sequence of elementary fragments, providing as output, for each elementary fragment, a likelihood value of said elementary fragment as a function of a context comprising at least some of the other elementary fragments of said sequence of elementary fragments,
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021] - calculation of a perplexity value for said sequence of elementary fragments as a function of said likelihood values, - comparison of the calculated perplexity value to a normality threshold, and in case of exceeding the normality threshold, detection of potential intrusion and issuance of an intrusion alert in said computer system. Advantageously, the use of the perplexity value makes it possible to better distinguish between formatted data representative of a normal state of network communications or of the operation of the computer system and formatted data representative of an abnormal state, or state of anomaly, of the computer system, such an abnormal state being an indicator of a potential intrusion. According to other advantageous aspects of the invention, the method for detecting intrusion into a computer system comprises one or more of the following features, taken individually or in all technically possible combinations. The large-size language model is a masking language model, and in which the application of said large-size masking language model involves successive masking of each elementary fragment of said sequence, and for each masked elementary fragment, an application of the large-size masking language model enabling the obtaining of a likelihood value of the masked elementary fragment as a function of the context formed by the unmasked elementary fragments. The perplexity value of said sequence is calculated using the following formula: u(X) = exp^S^Jog^x^t)) ) Where X is the sequence of elementary fragments, p' is the likelihood of the elementary fragment with index t and n(X) the perplexity value of the sequence of elementary fragments. The large-size language model is an autoregressive language model, in which, for each elementary fragment, a likelihood value of said elementary fragment is calculated based on a context containing the preceding elementary fragments in said sequence of elementary fragments, and the perplexity value is calculated by the formula: n(X) = exp^^log^xjx^) ) Where X is the sequence of elementary fragments, p (% the likelihood of the elementary fragment of index t and n{X) the perplexity value of the sequence of elementary fragments.
[0022] The method further comprises, in a preparatory phase, a step of calibrating the normality threshold from threshold training data, distinct from the training data used for training said large language model.
[0023] The large language model is previously trained by unsupervised learning, in said preparatory phase, only on training data representative of a normal state of network communications or of the operation of said computer system.
[0024] In the calibration step, the normality threshold is set to a predetermined percentile of the perplexity values calculated for the elementary fragment sequences of the threshold training data.
[0025] The large language model is previously trained by semi-supervised learning, in the preparatory phase, on first training data representative of a normal state of network communications or of the operation of said computer system and on second formatted training data representative of a state of anomaly of network communications or of the operation of said computer system.
[0026] During the calibration step, the normality threshold is set to the minimum perplexity value calculated for second threshold training data representative of an anomaly state.
[0027] During the calibration step, the normality threshold is set at a predetermined percentile of the perplexity values calculated for the elementary fragment sequences of second threshold training data representative of an anomaly state.
[0028] During the calibration step, the normality threshold is calculated based on a combined error metric calculated from first threshold training data representative of a normal state and second threshold training data representative of an abnormal state.
[0029] The invention also relates to an intrusion detection device for a computer system comprising at least one communication interface via a communication network, comprising a module for collecting formatted data representative of network communications or the operation of said computer system, the device being configured to implement a large language model, previously trained by machine learning on training data representative of a normal state of network communications or the operation of said computer system, the device being characterized in that it comprises a computing processor, configured to implement: - a module for slicing at least a subset of said formatted data collected into a sequence of elementary fragments, said elementary fragments belonging to a predetermined dictionary of elementary fragments, - an application module for said large-scale language model on the sequence of elementary fragments, providing as output, for each elementary fragment, a likelihood value for said elementary fragment as a function of a context comprising at least some of the other elementary fragments of said sequence of elementary fragments, - a calculation module for determining the perplexity value of said sequence of elementary fragments as a function of said likelihood values, - a module for comparing the calculated perplexity value to a normality threshold, and in the event of exceeding the normality threshold, for detecting potential intrusion and issuing an intrusion alert in said computer system.
[0030] The invention also relates to a computer program comprising software instructions which, when executed by a computer, implement a method for detecting intrusion into a computer system as defined above.
[0031] The invention will become clearer upon reading the following description, given solely by way of non-limiting example, and made with reference to the drawings in which:
[0032] [Fig-1] [Fig.1] is a block diagram of the main modules of a device Intrusion detection in a computer system in one embodiment;
[0033] [Fig.2] [Fig.2] is a flowchart of a method for detecting intrusion in a computer system according to a first embodiment;
[0034] [Fig.3] [Fig.3] is a flowchart of a method for detecting intrusion in a computer system according to a second embodiment;
[0035] [Fig.4] [Fig.4] is a flowchart of the main steps of a preparatory phase of the intrusion detection process;
[0036] [Fig.5] [Fig.5] is a flowchart of the main steps of an embodiment of the calibration of the normality threshold.
[0037] Fig. 1 schematically illustrates a computer system 2, comprising at least one communication interface 4 configured to carry out communications via a communication network 6, according to a given communication standard.
[0038] The communication interface is wired or wireless.
[0039] For example, the communication interface 4 is configured to communicate via a WiFi communication protocol or via Ethernet.
[0040] The computer system 2 further comprises a set of processors 8 and a set of electronic memories 10, configured to communicate via internal communication links 12, for example communication buses.
[0041] The computer system 2 is represented here schematically; in practice, the invention applies to any type of computer system with complex architectures, comprising various interconnected programmable electronic devices configured to communicate with each other, for example, using a local communication network not shown.
[0042] Thanks to the communication interface 4, the computer system 2 is able to communicate, in transmission and reception, with remote computer systems 14A, 14B, also connected to the communication network 6.
[0043] Of course, only two remote computer systems are represented, but in practice computer system 2 is capable of communicating with any number of remote computer systems.
[0044] Communication takes place via communication packets, according to the chosen communication protocol. Information relating to incoming and outgoing communication packets is stored and forms data 15 representative of the communications (or network traffic data) of the computer system 2.
[0045] The data 15 representative of network communications are formatted according to a predetermined format and stored in an electronic memory 10 of the computer system 2.
[0046] The data 15 representative of network communications are stored for example in a common text format, for example the CSV format (for "Comma-Separated Values") in which the data are separated by given types, the separation being carried out by commas.
[0047] According to one variant, the 15 representative network communications data are formatted in the JSON (JavaScript Object Notation) text data format.
[0048] As an optional complement, data 25 representative of the operation of the computer system 2 are also stored in an electronic memory 10 of the computer system 2.
[0049] The data 25 representative of the operation of the computer system 2 are, for example, historical operating data stored in structures called "logs" or system operating reports.
[0050] Just as the data 15 representing network communications, the data 25 representing the operation of the system are formatted in a common text format, for example CSV or JSON.
[0051] Subsequently, reference is made to data 15 representing network communications and 25 representing the operation of the computer system by "formatted data".
[0052] The computer system 2 comprises or is connected to an intrusion detection device 20, consisting of one or a plurality of interconnected programmable electronic devices, configured to implement the intrusion detection method described below.
[0053] In [Fig.1], in a simplified manner, an intrusion detection device 20 is schematically represented, this device comprising in particular one or more computing processors 22 and an electronic memory unit 24, a communication unit 26 and a human-machine interface 28.
[0054] Elements 22, 24, 26 and 28 are connected to a communication bus 27.
[0055] The intrusion detection device 20 is configured to detect an intrusion, and in particular to issue an alert, via the human-machine interface 28, to an operator and / or to transmit the alert to a remote security system (not shown).
[0056] The computing processor 22 is configured to execute: - a module 30 for collecting formatted data representative of network communications 15 and / or formatted data 25 representative of the operation of the computer system; - a module 32 for splitting at least a subset of the collected formatted data into a sequence of elementary fragments, the elementary fragments belonging to a predetermined dictionary of elementary fragments; - a module 34 for applying a large language model 35, also called an LLM model 35 (acronym for the English "Large Language Model") on the sequence of elementary fragments, providing as output, for each elementary fragment, a likelihood value of the elementary fragment as a function of a context including at least some of the other elementary fragments of the sequence of elementary fragments; - a module 36 for calculating a perplexity value of the sequence of elementary fragments as a function of the likelihood values, - a module 38 for comparing the perplexity value to a normality threshold and detecting potential intrusion and issuing an intrusion alert in computer system 2.
[0057] The LLM 35 model is a parameterized model, trained by machine learning, that is to say, whose parameters are calculated during a preliminary machine learning phase on training data, also formatted according to the predetermined format, including at least data representative of a normal state of network communications or of the operation of the computer system.
[0058] The LLM 35 model is for example a deep neural network (in English “deep learning”).
[0059] Large language models (LLMs) are primarily based on a key mechanism called "attention", and more particularly on multi-head attention, which allows models to process the relationships between the components or fragments (in English "tokens") of a text, regardless of their distance in the sequence.
[0060] Multi-head attention allows the model to focus on different parts of a sequence in parallel, grasping the various relationships between the elements of the text. The fundamental idea is to create several "heads" of attention, each performing its own attention calculation on the input sequence, in order to allow the model to extract additional information.
[0061] Each attention head associates the input with three linear projections: queries, keys, and values. These vectors are obtained by multiplying a numerical representation of the input by specific weight matrices learned during training. The head then calculates a weighting (i.e., weights) based on the dot product of queries and keys, normalized by the square root of the key dimension. These weights, which determine the relative importance of each token compared to the others, are applied to the values, producing a weighted representation that reflects the relevant context for each token.
[0062] The outputs from the heads are then concatenated and transformed again by a linear layer to produce a final combined representation.
[0063] In natural language, multi-headed attention allows us to grasp different contextual relationships. Consider a simple sentence like "The cat is on the table." In this sequence, a first head might focus on grammatical relationships, for example, linking "cat" to "is," to identify that the cat is the subject of the action. A second head might link "cat" and "table" to grasp the general idea that the object of the state (the cat) is related to the location (the table).
[0064] Multi-head attention has also proven effective in analyzing many other types of sequential data, including formatted data and code written in different programming languages.
[0065] In one embodiment, the LLM 35 model is a large language model trained by unsupervised learning, on training data representative of network communications or of the operation of the computer system in a normal state of the computer system, i.e. a state without intrusion.
[0066] Alternatively, the LLM 35 model is a large-scale language model trained by semi-supervised learning, on training data representative of network communications or of the operation of the computer system in a normal state of the computer system, but incorporating a fitting method using training data representative of network communications or of the operation of the computer system in an abnormal state, representative of an intrusion.
[0067] In one embodiment, modules 30, 32, 34, 36, 38 are implemented in the form of software instructions forming a computer program, which, when executed by a programmable electronic device, implements a method for detecting intrusion into a computer system as described.
[0068] In an alternative not shown, modules 30, 32, 34, 36, 38 are each implemented as programmable logic components, such as FPGAs (Field Programmable Gate Arrays), microprocessors, GPGPUs (General-purpose processing on graphics processing), or dedicated integrated circuits, such as ASICs (Application-Specific Integrated Circuits).
[0069] The computer program comprising software instructions is further capable of being stored on a non-transient, computer-readable information storage medium. This computer-readable medium is, for example, a medium capable of storing electronic instructions and being connected to a bus of a computer system. By way of example, this medium is an optical disc, a magneto-optical disc, a ROM, a RAM, any type of non-volatile memory (e.g., EPROM, EEPROM, FLASH, NVRAM), a magnetic card, or an optical card.
[0070] Fig. 2 is a flowchart of the main steps of an intrusion detection process in a computer system according to a first embodiment, implemented by the computing processor 22 of an intrusion detection device in a computer system as described above.
[0071] In this first embodiment, the LLM model used is an autoregressive type model, such as for example the GPT model (from “Generative Pretrained Transformer”).
[0072] The process includes a step 40 of collecting formatted data representative of the network communications of the computer system 2.
[0073] By way of non-exhaustive example, the formatted data collected includes information relating to network traffic, in particular to communication packets received and sent, the IP addresses of the source and / or the recipient, and the ports used by the recipient and the source. Depending on the application, the formatted data collected includes other information relating to network traffic, depending for example on the communication protocol.
[0074] Alternatively, the formatted data collected are representative of the operation of the computer system, for example data stored in operating history reports (or logs).
[0075] In the following, the case of formatted data representing network communications of computer system 2 will be described in more detail, it being understood that the intrusion detection method applies, in an analogous way, to the case of data representing the operation of the computer system.
[0076] The data is formatted in a predetermined format, for example CSV format or JSON format.
[0077] According to one embodiment, when the data from the computer system 2 are not formatted according to the recommended data format, a reformatting of the data to put them in the recommended format is implemented during step 40 of collecting formatted data.
[0078] The formatted data collected is provided in text form.
[0079] The process then includes a step 42 of slicing by the slicing module 32, also called "tokenizer" in English, which slices at least a subset of formatted data into a sequence of elementary fragments (or tokens from the English "tokens"), in a predetermined number T, T being a natural number.
[0080] The elementary fragments belong to a predetermined dictionary of elementary fragments.
[0081] The elementary fragments are of variable size.
[0082] The training of an LLM uses an associated slicing module.
[0083] For example, the slicing or "tokenizer" module used by BERT (for "Bidirectional Encoder Representations from Transformers") splits the string {src_ip: 10.0.0.1 ...} into the following sequence of elementary fragments:
[0084] ['{','s','##rc','_','i','##p',':','10','.','0','.','0','.','l',...}']
[0085] At the end of the cutting step 42, sequences of fragments are obtained: [00861 X = {*1- --«t}'
[0087] Each sequence of fragments is provided as input to the LLM 35 model, which is an autoregressive type model in this embodiment, previously trained to provide, on input data X, likelihood values of the elementary fragments as a function of a context.
[0088] The LLM 35 model is mathematically equivalent to applying a function fg, where 0 denotes the set of model parameters, the values of which have been previously learned by machine learning. The notation fg is a generic notation, It is understood that the function differs depending on the type of LLM. The LLM 35 model is applied in step 44 of the application of LLM 35 to the sequence of elementary fragments.
[0089] In this embodiment, the LLM model is of the autoregressive type and the context is formed from the previously processed elementary fragments.
[0090] The likelihood associated with an elementary fragment is the probability of the elementary fragment in a normal operating state:
[0091] [Math.l] f e (X, txj=p t (xjx <t )
[0092] Where X <t désigne l’ensemble des valeurs de fragments élémentaires de la séquence X d’indice strictement inférieur à l’indice t.
[0093] The process then involves a perplexity calculation 46, based on the likelihood values of each elementary fragment, and more specifically based on the log likelihood values of each elementary fragment, by applying the following formula:
[0094] [Math.2] n(X) = )
[0095] Perplexity is a known metric in the case of large autoregressive language models but is used in the training phase of the LLM model parameters. Indeed, in large autoregressive language models, log perplexity is used as a loss function during training.
[0096] In other words, perplexity is the inverse of the likelihood of the sequence of elementary fragments. The higher the perplexity, the less likely the sequence of elementary fragments is.
[0097] The proposed method for detecting intrusion into a computer system uses the perplexity value calculated by the formula [MATH 2] above as a metric representing the normality or abnormality of the collected formatted data.
[0098] The perplexity value is compared at comparison step 48 to a normality threshold Th, previously calculated and stored.
[0099] If the perplexity value is less than the normality threshold Th, intrusion detection continues on a subsequent sequence of elementary fragments.
[0100] If the perplexity value is greater than the normality threshold Th (response "yes" at comparison step 48), a potential intrusion is detected and an alert is issued (step 50) to the computer system operators.
[0101] For example, in the case where the data collected are representative of network communications, an alert is displayed by means of a graphical interface linked for example with a display of details relating to the communication packets detected as being abnormal.
[0102] In one embodiment, an additional analysis is carried out during step 50 in which elementary fragments or groups of elementary fragments responsible for the detected anomaly are highlighted, for example the elementary fragments with the lowest likelihood values.
[0103] As a concrete example, let us assume that during the learning and calibration phases, no traffic data includes a connection with the destination port 445.
[0104] If during intrusion detection the collected data includes: “{... src_port: 80, dst_port: 445 ...}”, this data will induce a perplexity value greater than the normality threshold Th.
[0105] Moreover, the perplexity value is calculated according to formula [MATH 2] (as well as [MATH 5] below in a second embodiment) as the sum of the contributions of the elementary fragments, it is possible to detect the highest contributions to the perplexity value.
[0106] In this example, the highest contributions in the calculation of the perplexity value are:
[0107] -log pt('44'lcontext) and / or -log pt('##5'lcontext)
[0108] This information is then provided to the user, for example via the graphical interface.
[0109] The [Fig.3] is a flowchart of the main steps of an intrusion detection process in a computer system according to a second embodiment, implemented by the computing processor 22 of an intrusion detection device in a computer system as described above.
[0110] In this second embodiment, the LLM model used is a masking language model, such as for example the BERT model (English acronym for "Bidirectional Encoder Representations from Transformers").
[0111] Certain steps of the method for detecting intrusion into a computer system in this second embodiment are analogous to the steps of the method for detecting intrusion into a computer system in the first embodiment, in which case the same references are retained.
[0112] The method for detecting intrusion into a computer system includes, in the second embodiment, steps of collecting 40 formatted data and cutting 42 at least one subset of formatted data into a sequence of elementary fragments in a predetermined number T, T being a natural number.
[0113] At the end of the cutting step 42, sequences of fragments are obtained
[0114] Each sequence of fragments is provided as input to the LLM 35 model, which is a masking language model in this embodiment, previously trained to provide, on input data X, likelihood values of elementary fragments as a function of a context including unmasked elementary fragments.
[0115] The LLM 35 model is mathematically equivalent to applying a function fq, where 0 denotes the set of parameters of the model, whose values have been previously learned by machine learning.
[0116] In order to calculate a perplexity value associated with the application of the LLM model in this second embodiment, it is proposed to iteratively mask each elementary fragment, using as context the Tl unmasked elementary fragments.
[0117] In this second embodiment, the process includes, after the cutting step 42, an initialization 52 of a fragment index, t, to the value 1.
[0118] The process then includes a masking 54, in the sequence of elementary fragments, of the elementary fragment with index t, the other elementary fragments being unchanged:
[0119] [Math.3] Mask^X, t) = {xp Xf.pm t , x t+1 .... x r}
[0120] The LLM model is applied (step 56) to the masked fragment sequence:
[0121] [Math.4] f ^Mask(X), t,x t )= P t
[0122] The likelihood value Pt of the elementary fragment X t as a function of the context composed of the elementary fragments is obtained by applying the model LLM, this likelihood value of the elementary fragment with index t is memorized at memorization step 58.
[0123] It is then checked whether the index t is equal to T, the number of elementary fragments of the sequence, at the comparison step 60.
[0124] In case of a negative response in step 60, therefore if t <T, cette étape est suivie d’une étape 62 à laquelle l’indice t est incrémenté de 1, et les étapes 54 à 60 sont répétées.
[0125] Thus, masking 54 is applied successively to each elementary fragment of the sequence of elementary fragments.
[0126] In case of a positive response in step 60, i.e. if all the elementary fragments have been processed, step 60 is followed by a perplexity calculation step 64.
[0127] In this embodiment, perplexity is calculated using the formula:
[0128] [Math.5] n(X) = exp[j^ =1 lo^p t (x& k * t ) ) = exp(4^ =1 log(P t ))
[0129] The process continues with step 48 of comparison to a normality threshold Th, previously calculated and stored.
[0130] As in the first embodiment, if the perplexity value is less than the normality threshold Th, intrusion detection continues on a subsequent sequence of elementary fragments.
[0131] If the perplexity value is greater than the normality threshold Th (response "yes" in comparison step 48), a potential intrusion is detected and an alert is issued (step 50) to the computer system operators.
[0132] Each of the embodiments described above applies to an LLM model trained by unsupervised learning or by semi-supervised learning.
[0133] The process includes, in addition to the anomaly detection phases described, a preparatory phase of training the LLM model and calibrating the normality threshold Th, described with reference to [Fig.4].
[0134] The LLM model training (step 70) is done at least on formatted DB-A training data representative of a normal traffic state, in the absence of anomaly due to an intrusion.
[0135] In one embodiment, the learning 70 of the LLM model is of the unsupervised type, and is carried out only on formatted DB-A training data representative of a normal state of the computer system 2.
[0136] In another embodiment, the learning 70 of the LLM model is semi-supervised and includes an additional step of fitting the model to formatted training data representative of an anomaly state. A distinction is then made between first training data representative of the normal state and second training data representative of an anomaly state.
[0137] Preferably, for semi-supervised learning, training data representative of the actual operation of the computer system under consideration are used to illustrate the state of anomaly rather than external training data from public databases.
[0138] After learning the parameters of the LLM model, denoted fq, the preparatory phase includes a calibration 72 of the normality threshold Th, carried out on DB-C threshold training data, also formatted according to the predetermined format.
[0139] Advantageously, the DB-C threshold training data used for threshold calibration are distinct from the DB-A training data used for LLM model training.
[0140] In one embodiment, in the case of unsupervised learning, calibration 72 is performed from DB-C training data representative of a normal network traffic state in the computer system 2.
[0141] In this embodiment, at calibration step 72, the normality threshold is defined as a percentile of the perplexity values calculated for the elementary fragment sequences of the DB-C threshold training data. For example, the percentile is between 95% and 100%, which guarantees a false positive rate of less than 5%.
[0142] In another embodiment, in which the machine learning of the LLM model is of the semi-supervised type, the DB-C threshold learning data includes first threshold learning data representative of a normal state of network traffic and second threshold learning data representative of a state of network traffic anomaly.
[0143] In the semi-supervised mode, at calibration step 72, the normality threshold Th is set to the minimum perplexity value calculated for the second threshold training data representative of an anomaly state.
[0144] According to one variant, in the case of semi-supervised learning, the normality threshold Th is defined as a predetermined percentile of the perplexity values calculated for the second threshold learning data representative of an anomaly network traffic state.
[0145] According to another variant, in the case of machine learning of the semi-supervised type LLM model, at calibration step 72 the normality threshold is calculated as a function of a combined error metric, calculated from a combination of first threshold learning data representative of a normal state and second threshold learning data representative of an anomaly state.
[0146] The [Fig.5] is a synoptic diagram of an embodiment of the calibration step 72 of the normality threshold implementing a combined error calculation metric.
[0147] Input is provided perplexity values calculated on a number N of sequences of elementary fragments X-, ordered in ascending order: {u(XJ, n(XN)}, where n^X^ < rr(Xi+1).
[0148] Each sequence of elementary fragments Xj is also associated with a label yi5 equal to 0 if the sequence of elementary fragments belongs to data representative of normal network traffic and equal to 1 if the sequence of elementary fragments belongs to data representative of network traffic in anomaly.
[0149] Calibration step 72 includes a step 78 of counting the number No of labels equal to 0 and the number Ni of labels equal to 1:
[0150] [Math.6] 101511 N l =^lay i
[0152] Next, a step 80 initializes first error variables FPR, second error variables FNR, minimum error variables E* and an associated sequence index. At initialization, the sequence index is set to 1: j* = | .
[0153] [Math.7] iy, FPR^l-^ [° 154 1 FNR^
[0155] E* = 0.5xFPR1+0.5*FNR1
[0156] At initialization, the minimum error is equal to a sum of the first error and the second error for the index i=l of the sequence of elementary fragments in increasing order of perplexities.
[0157] Next, the calibration of the normality threshold Th involves an iteration for each index i between 2 and N (iteration 82) of the following steps:
[0158] - update 84 of the combined error for the sequence of elementary fragments index i,
[0159] -comparison 86 of the combined error E; to the minimum error E*, and if the combined error E; is less than E*,
[0160] -update 88 of the minimum error E* and the associated index i*.
[0161] During update step 84 of the combined error for the fragment sequence elementary operations of index i, calculating the first error, second error, and combined error, are performed: - if yi=l, [Math. 8]
[0162] Ej= 0.5xFNRj + 0.5xFPR^
[0163] The combined error E; is a weighted sum of the first error and second error for the index i.
[0164] During the minimum error update step 88, the calculated combined error value Ei is stored as the minimum error, and i*=i:
[0165] [Math.9] E^Ei^i
[0166] When the index i reaches the value N, the previously calculated perplexity value for the sequence of fragments with index i* is assigned at the assignment step 90 to the normality threshold Th:
[0167] [Math. 10] Th = n(X^)
[0168] In other words, the normality threshold value is a perplexity value that corresponds to the minimum of the combined error over the set of N fragment sequences.
[0169] Advantageously, it is proposed to use the calculation of perplexity values to detect a potential intrusion into a computer system.
[0170] A formula for calculating perplexity value for masking LLM models is proposed.
[0171] Advantageously, several methods for calibrating the normality threshold are proposed, ensuring good accuracy in detecting potential intrusions into a computer system, and making it possible to avoid too many false positives, i.e., alerts of potential intrusion when the data collected are in fact representative of communications or normal operation.
[0172]
Claims
Demands
1. A method for detecting intrusion into a computer system (2) comprising at least one communication interface (4) via a communication network (6), comprising a collection (40) of formatted data representative of network communications or of the operation of said computer system, the method implementing a large language model (35), previously trained by machine learning on training data comprising at least training data representative of a normal state of network communications or of the operation of said computer system, the method being characterized in that it comprises steps, implemented by a computing processor, of: - slicing (42) at least a subset of said collected formatted data into a sequence of elementary fragments, said elementary fragments belonging to a predetermined dictionary of elementary fragments, - application (44;56) said large language model on the sequence of elementary fragments, providing as output, for each elementary fragment, a likelihood value of said elementary fragment as a function of a context comprising at least some of the other elementary fragments of said sequence of elementary fragments, - calculation (46, 64) of a perplexity value of said sequence of elementary fragments as a function of said likelihood values, - comparison (48) of the calculated perplexity value to a normality threshold, and - in case of exceeding the normality threshold, detection (50) of potential intrusion and issuing of an intrusion alert in said computer system.;
2. A method according to claim 1, wherein the large language model is a masking language model, and wherein the application of said large masking language model involves successive masking (54) of each fragment elementary of said sequence, and for each masked elementary fragment, an application (56) of the large-size masking language model allowing to obtain a likelihood value of the masked elementary fragment as a function of the context formed by the unmasked elementary fragments.
3. Method according to claim 2, wherein the perplexity value of said sequence is calculated (64) by the following formula: n(X) = exp[^=1log[pt(x^ ) Where X is the sequence of elementary fragments, p 'a likelihood of the elementary fragment of index t and n(X) the perplexity value of the sequence of elementary fragments.
4. A method according to claim 1, wherein the large-size language model is an autoregressive language model, and wherein, for each elementary fragment, a likelihood value of said elementary fragment is calculated as a function of a context comprising the preceding elementary fragments in said sequence of elementary fragments and the perplexity value is calculated (46) by the formula: n(X) = ) Where X is the sequence of elementary fragments, p ( x Jx^)) 'the likelihood of the elementary fragment of index t and u(X) the perplexity value of the sequence of elementary fragments.
5. A method according to any one of claims 1 to 4, further comprising, in a preparatory phase, a calibration step (72) of the normality threshold from threshold training data, separate from the training data used for training said large language model.
6. A method according to any one of claims 1 to 5, wherein said large language model (35) is pre-trained by unsupervised learning, in said preparatory phase, only on training data (DB-A) representative of a normal state of network communications or of the operation of said computer system.
7. A method according to claim 6 dependent on claim 5, wherein in the calibration step (72), the normality threshold is set at a predetermined percentile of the perplexity values calculated for the elementary fragment sequences of the threshold training data.
8. A method according to claim 5, wherein said large language model (35) is pre-trained by semi-supervised learning, in the preparatory phase, on first training data representative of a normal state of network communications or of the operation of said computer system and on second formatted training data representative of a state of anomaly of network communications or of the operation of said computer system.
9. A method according to claim 8, wherein during the calibration step (72), the normality threshold is set to the minimum perplexity value calculated for second threshold training data (DB-C) representative of an anomaly state.
10. A method according to claim 8, wherein during the calibration step (72), the normality threshold is set at a predetermined percentile of the perplexity values calculated for elementary fragment sequences of second threshold training data (DB-C) representative of an anomaly state.
11. A method according to claim 8, wherein during the calibration step (72), the normality threshold is calculated (80-90) as a function of a combined error metric calculated from first threshold training data representative of a normal state and second threshold training data representative of an anomaly state.
12. A computer program comprising software instructions which, when implemented by a programmable electronic device, implement a method for detecting intrusion into a computer system in accordance with claims 1 to 11.
13. An intrusion detection device (20) in a computer system (2) comprising at least one communication interface (4) via a communication network (6), comprising a module (30) for collecting formatted data representative of network communications or the operation of said computer system, the device (20) being configured to implement a language model of large size (35), previously trained by machine learning on training data representative of a normal state of network communications or of the operation of said computer system (2), the device (20) being characterized in that it comprises a computing processor, configured to implement: - a slicing module (32) of at least a subset of said formatted data collected into a sequence of elementary fragments, said elementary fragments belonging to a predetermined dictionary of elementary fragments, - an application module (34) of said large language model on the sequence of elementary fragments, providing as output, for each elementary fragment, a likelihood value of said elementary fragment as a function of a context comprising at least a part of the other elementary fragments of said sequence of elementary fragments, - a calculation module (36) for a perplexity value of said sequence of elementary fragments as a function of said likelihood values, - a module (38) for comparing the calculated perplexity value to a normality threshold, and in the event of exceeding the normality threshold, for detecting potential intrusion and issuing an intrusion alert in said computer system.