system
The system addresses inefficiencies in network security by standardizing and analyzing network data in real time, allowing for immediate threat detection and automated responses, thereby strengthening network security.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- SOFTBANK GROUP CORP
- Filing Date
- 2024-12-05
- Publication Date
- 2026-06-17
AI Technical Summary
Conventional methods for detecting network security threats are inefficient in processing large amounts of data in real time, leading to delayed responses and insufficient risk management, making networks vulnerable to security breaches.
A system that collects network traffic data, preprocesses it for standardization, and uses machine learning algorithms to detect anomalies in real time, providing immediate alerts and automated responses to high-priority incidents while predicting future threats and securing the AI system.
Enables rapid threat detection and response, minimizing network disruptions and enhancing overall security by automating initial actions and proactive threat management.
Smart Images

Figure 2026098796000001_ABST
Abstract
Description
Technical Field
[0001] The technology of the present disclosure relates to a system.
Background Art
[0002] Patent Document 1 discloses a method for controlling a persona chatbot, which is performed by at least one processor and includes steps of receiving a user utterance, adding the user utterance to a prompt including an instruction sentence related to an explanation of a chatbot character, encoding the prompt, and inputting the encoded prompt into a language model to generate a chatbot utterance in response to the user utterance.
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] While it is required to detect various and complex security threats occurring on the network in real time and respond quickly and effectively, the conventional methods have problems such as the load of analyzing a large amount of data and the delay in immediate response. Furthermore, if the predictive analysis of threats and the security management of the AI system itself are not properly performed, there is a problem that risk management becomes insufficient and the security situation of the organization becomes vulnerable.
Means for Solving the Problems
[0005] This invention provides a system that efficiently collects network traffic data, preprocesses it to standardize its format, and then uses machine learning algorithms to detect anomalous patterns in real time. This allows for immediate identification of threats by comparing them with existing threat data and prompt notification to relevant users. Furthermore, it automatically performs initial responses to high-priority incidents, enabling the isolation of network segments and the cessation of malicious processes. In addition, it strengthens overall security management by predicting future threats based on past incident data and evaluating and protecting the security of the AI system itself.
[0006] "Network traffic data" refers to a collection of data packets sent and received over a network, and is used to monitor and analyze the flow and operation of communications.
[0007] "Preprocessing" refers to the process of converting raw data into an analyzable format, and includes processes such as data cleansing and standardization.
[0008] An "abnormal pattern" is a data characteristic that indicates a deviation from normal network operation and has properties that serve as an indicator of a security threat.
[0009] An "AI algorithm" is a series of computational procedures designed to analyze data using artificial intelligence and achieve a specific objective.
[0010] A "threat" is a factor that poses a potential or actual danger to a system, and includes things like data breaches and unauthorized access.
[0011] A "user" is an individual or organization that uses the system and is the entity that receives security alerts and notifications.
[0012] An "incident" refers to an event or condition that disrupts the normal operation of a system and threatens security, and is an event that requires action.
[0013] A "network segment" is a logical or physical division of the entire network, enabling the management of data according to specific groups or functions.
[0014] "Prediction" is an estimation method that analyzes past data and current conditions to foresee future trends and events.
[0015] An "AI system" refers to an entire system that uses artificial intelligence technology to perform specific tasks and has the function of repeatedly learning and improving. [Brief explanation of the drawing]
[0016] [Figure 1] This is a conceptual diagram showing an example of the configuration of a data processing system according to the first embodiment. [Figure 2] This is a conceptual diagram showing an example of the essential functions of a data processing device and a smart device according to the first embodiment. [Figure 3] This is a conceptual diagram showing an example of the configuration of a data processing system according to the second embodiment. [Figure 4] This is a conceptual diagram showing an example of the main functions of a data processing device and smart glasses according to the second embodiment. [Figure 5] This is a conceptual diagram showing an example of the configuration of a data processing system according to the third embodiment. [Figure 6] This is a conceptual diagram showing an example of the main functions of a data processing device and a headset-type terminal according to the third embodiment. [Figure 7] This is a conceptual diagram showing an example of the configuration of a data processing system according to the fourth embodiment. [Figure 8] This is a conceptual diagram showing an example of the main functions of a data processing device and a robot according to the fourth embodiment. [Figure 9] This shows an emotion map where multiple emotions are mapped. [Figure 10] This shows an emotion map where multiple emotions are mapped. [Figure 11]It is a sequence diagram showing the processing flow of the data processing system in Embodiment 1. [Figure 12] It is a sequence diagram showing the processing flow of the data processing system in Application Example 1. [Figure 13] It is a sequence diagram showing the processing flow of the data processing system in Embodiment 2 when the emotion engine is combined. [Figure 14] It is a sequence diagram showing the processing flow of the data processing system in Application Example 2 when the emotion engine is combined.
Modes for Carrying Out the Invention
[0017] Hereinafter, an example of an embodiment of a system according to the technology of the present disclosure will be described with reference to the accompanying drawings.
[0018] First, the terms used in the following description will be explained.
[0019] In the following embodiments, a processor with a reference numeral (hereinafter simply referred to as "processor") may be a single arithmetic unit or a combination of multiple arithmetic units. Also, the processor may be a single type of arithmetic unit or a combination of multiple types of arithmetic units. Examples of arithmetic units include a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), a GPGPU (General-Purpose computing on Graphics Processing Units), an APU (Accelerated Processing Unit), and the like.
[0020] In the following embodiments, a RAM (Random Access Memory) with a reference numeral is a memory in which information is temporarily stored and is used as a work memory by the processor.
[0021] In the following embodiments, the signed storage is one or more non-volatile storage devices that store various programs and various parameters. Examples of non-volatile storage devices include flash memory (SSD (Solid State Drive)), magnetic disks (e.g., hard disks), or magnetic tapes.
[0022] In the following embodiments, the signed communication interface (I / F) is an interface that includes a communication processor and an antenna, etc. The communication interface manages communication between multiple computers. Examples of communication standards applicable to the communication interface include wireless communication standards such as 5G (5th Generation Mobile Communication System), Wi-Fi (registered trademark), or Bluetooth (registered trademark).
[0023] In the following embodiments, "A and / or B" is synonymous with "at least one of A and B." That is, "A and / or B" means that it may be A alone, or B alone, or a combination of A and B. Furthermore, in this specification, the same concept as "A and / or B" applies when expressing three or more things linked by "and / or."
[0024] [First Embodiment]
[0025] Figure 1 shows an example of the configuration of the data processing system 10 according to the first embodiment.
[0026] As shown in Figure 1, the data processing system 10 includes a data processing device 12 and a smart device 14. An example of the data processing device 12 is a server.
[0027] The data processing device 12 comprises a computer 22, a database 24, and a communication interface 26. The computer 22 is an example of a "computer" related to the technology of this disclosure. The computer 22 comprises a processor 28, RAM 30, and storage 32. The processor 28, RAM 30, and storage 32 are connected to a bus 34. The database 24 and the communication interface 26 are also connected to the bus 34. The communication interface 26 is connected to a network 54. An example of the network 54 is a WAN (Wide Area Network) and / or a LAN (Local Area Network).
[0028] The smart device 14 comprises a computer 36, a reception device 38, an output device 40, a camera 42, and a communication interface 44. The computer 36 comprises a processor 46, RAM 48, and storage 50. The processor 46, RAM 48, and storage 50 are connected to a bus 52. The reception device 38, output device 40, and camera 42 are also connected to the bus 52.
[0029] The reception device 38 is equipped with a touch panel 38A and a microphone 38B, etc., and receives user input. The touch panel 38A receives user input by detecting contact with an object (e.g., a pen or finger). The microphone 38B receives user input by detecting the user's voice. The control unit 46A transmits data indicating the user input received by the touch panel 38A and microphone 38B to the data processing device 12. In the data processing device 12, the specific processing unit 290 acquires the data indicating the user input.
[0030] The output device 40 includes a display 40A and a speaker 40B, and presents data to the user 20 by outputting the data in a form perceptible to the user 20 (e.g., audio and / or text). The display 40A displays visible information such as text and images according to instructions from the processor 46. The speaker 40B outputs audio according to instructions from the processor 46. The camera 42 is a small digital camera equipped with an optical system such as a lens, aperture, and shutter, and an image sensor such as a CMOS (Complementary Metal-Oxide-Semiconductor) image sensor or a CCD (Charge Coupled Device) image sensor.
[0031] Communication interface 44 is connected to network 54. Communication interfaces 44 and 26 are responsible for the exchange of various types of information between processor 46 and processor 28 via network 54.
[0032] Figure 2 shows an example of the main functions of the data processing device 12 and the smart device 14.
[0033] As shown in Figure 2, in the data processing device 12, a specific processing is performed by the processor 28. A specific processing program 56 is stored in the storage 32. The specific processing program 56 is an example of a "program" related to the technology of this disclosure. The processor 28 reads the specific processing program 56 from the storage 32 and executes the read specific processing program 56 on the RAM 30. The specific processing is realized by the processor 28 operating as a specific processing unit 290 according to the specific processing program 56 executed on the RAM 30.
[0034] The storage 32 stores the data generation model 58 and the emotion identification model 59. The data generation model 58 and the emotion identification model 59 are used by the identification processing unit 290.
[0035] In the smart device 14, the processor 46 performs the reception output processing. The storage 50 stores the reception output program 60. The reception output program 60 is used in conjunction with a specific processing program 56 by the data processing system 10. The processor 46 reads the reception output program 60 from the storage 50 and executes the read reception output program 60 on the RAM 48. The reception output processing is realized by the processor 46 operating as a control unit 46A according to the reception output program 60 executed on the RAM 48.
[0036] Next, the specific processing performed by the specific processing unit 290 of the data processing device 12 will be described. In the following description, the data processing device 12 will be referred to as the "server" and the smart device 14 as the "terminal".
[0037] The present invention is implemented by a software platform that is installed on devices and servers that access a network. This platform enables a rapid response to security threats by leveraging AI technology to monitor network traffic in real time and to detect and report anomalies.
[0038] One primary embodiment of this system involves continuously collecting network traffic data and analyzing it immediately using AI algorithms. Specifically, a server captures every data packet transmitted over the network and standardizes its characteristics. This standardized data is then fed into a trained machine learning model to detect patterns of abnormal behavior.
[0039] The server then evaluates whether the detected anomaly matches any known attack profile. If it does, or if an unidentified threat pattern is found, it immediately sends an alert to users and security personnel. For example, if there is communication that deviates from normal traffic volume or access time, it will be notified as a possible sign of unauthorized access.
[0040] When an incident occurs, the terminal automatically performs actions to minimize the impact on the network according to predefined protocols. For example, if malware activity is detected, it automatically isolates the relevant network segment and stops suspicious processes.
[0041] In addition, the server analyzes past incident data, identifies statistical trends and unusual increases, and predicts future threats, which are then incorporated into the organization's security strategy. Users can use this predictive information to proactively take defensive measures against potential attacks.
[0042] Ultimately, the server periodically evaluates the security of the AI system itself and strengthens defensive measures as needed to prevent potential threats to the system. This process is carried out through regular updates of the AI model and patching of vulnerabilities. In this way, the present invention provides consistent security protection in a network environment.
[0043] The following describes the processing flow.
[0044] Step 1:
[0045] The server continuously monitors network traffic and collects all incoming and outgoing data packets, thereby forming a comprehensive dataset of communications within the network.
[0046] Step 2:
[0047] The server preprocesses the collected data, preparing it for analysis. This preprocessing includes standardizing the data format and removing noise and redundant data.
[0048] Step 3:
[0049] The server inputs pre-processed data into an AI algorithm to detect anomalous patterns in real time. The AI algorithm has learned normal traffic patterns and can instantly identify abnormal behavior.
[0050] Step 4:
[0051] The server compares detected anomalies with a database of known threats to identify the threat. This comparison allows for the rapid recognition of known attack methods and their variations.
[0052] Step 5:
[0053] The server notifies the user of the details of the identified threat. The notification includes the type of threat, the network segment in which it occurred, and recommended countermeasures.
[0054] Step 6:
[0055] The terminal automatically takes initial action in response to incidents deemed to be of high urgency. Specifically, it isolates the network segment and stops the malicious process.
[0056] Step 7:
[0057] The server performs predictive analysis based on past incident data. This analysis predicts the emergence of future threats and provides information for taking preventative measures.
[0058] Step 8:
[0059] The server performs regular security assessments of the AI system itself, and updates the system and retrains the models as needed. This maintains the security and accuracy of the AI system.
[0060] (Example 1)
[0061] Next, we will describe Example 1. In the following description, the data processing device 12 will be referred to as the "server," and the smart device 14 will be referred to as the "terminal."
[0062] In today's information and communication environment, which utilizes networks, the increasing volume and complexity of communication data necessitates early detection and rapid response to unauthorized access and security threats. However, existing methods have limitations in the accuracy and real-time capabilities of detecting abnormal phenomena, and there is also the risk of information leaks and business disruption due to delayed responses. Therefore, innovative technologies are needed to solve these problems.
[0063] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 1 is realized by the following means.
[0064] In this invention, the server includes means for aggregating communication information, means for pre-processing the aggregated information and standardizing its format, and means for executing an artificial intelligence method for detecting abnormal phenomena using the pre-processed information. This makes it possible to detect unauthorized access and potential security threats with high accuracy and in real time, and to deal with them automatically.
[0065] "Communication information" refers to all data packets and their metadata transmitted and received over a network.
[0066] "Preprocessing" refers to the process of standardizing collected raw data and preparing it into an analyzable format.
[0067] "Standardizing a format" refers to the process of transforming data into a unified structure to ensure compatibility with heterogeneous data sources.
[0068] An "abnormal phenomenon" refers to an event that deviates from normal communication patterns or indicates signs of unauthorized access.
[0069] "Artificial intelligence methods" refer to techniques that use computer algorithms, such as machine learning, to process information and solve specific problems.
[0070] "Existing threat intelligence" refers to data on security incidents that have been detected and recorded in the past.
[0071] "Reporting" refers to the act of notifying relevant parties of detected threat information, including any necessary details.
[0072] "Initial corrective action through self-operation" refers to a system autonomously executing a series of actions to correct an anomaly.
[0073] "Isolating a network" refers to the operation of physically or logically separating a specific network segment.
[0074] "Communication rules to stop unauthorized processing" refers to a set of rules designed to block unauthorized data processing and ensure network security.
[0075] This invention is implemented by a platform that is installed on a server connected to a network. The server first collects data in real time using a dedicated tool for aggregating network communication information. In this platform, a "packet capture tool" is typically used to capture communication data.
[0076] The server then preprocesses the aggregated communication data and standardizes the data format. This standardization ensures compatibility between different data sources. Data preprocessing tools are used for this preprocessing; for example, data processing using the Python Pandas library is one possibility.
[0077] Next, the server runs a machine learning model to detect anomalies. Anomalies are those that deviate from the normal communication patterns within the network, and an "anomaly detection algorithm" is used for this purpose. In this platform environment, artificial intelligence libraries such as "TENSORFLOW®" and "PyTorch" are common.
[0078] As a specific example, if a server detects a sudden surge in traffic during a particular time period, it identifies this as an anomaly and compares it with a database of past threat intelligence. If the identified threat matches a known threat profile, a notification is immediately sent to the user or security personnel. A "communication API" is used to send these notifications.
[0079] Furthermore, the server analyzes multiple past incident data to predict future threats. This allows users to take proactive measures based on the predicted risks.
[0080] An example of a prompt message would be, "Please tell me how to detect network traffic anomalies using AI. Please also provide specific library and algorithm names."
[0081] The flow of the specific processing in Example 1 will be explained using Figure 11.
[0082] Step 1:
[0083] The server aggregates network communication information in real time. To do this, the server uses a packet capture tool to obtain header information and payload data packets. It receives raw data from the network as input and saves this data as output to a structured log file. Specifically, the server extracts the necessary metadata (IP address, port number, data size, etc.) from each captured packet and records it in log format.
[0084] Step 2:
[0085] The server preprocesses the aggregated communication data and converts it into a standardized format. This process uses the Python Pandas library to clean and normalize the data. Log files are provided as input, and each data field is organized into a common format. The output is a unified dataset. Specifically, it performs operations such as imputing missing values and filtering outliers to create a data format suitable for analysis.
[0086] Step 3:
[0087] The server runs a machine learning model to detect anomalies using standardized data. This model, built with TensorFlow or PyTorch, outputs deviations from normal communication patterns as scores. The input is a pre-processed dataset, and the output is a list of anomaly scores. Specifically, it performs predictive modeling based on past normal data to determine whether new communication data exceeds the normal range.
[0088] Step 4:
[0089] The server evaluates whether the detected anomaly matches an existing threat database. This evaluation compares anomaly scores using known attack profiles. The inputs are the anomaly scores and the threat database, and the output is the threat identification result. Specifically, a similarity scoring algorithm is used to calculate the degree of match between the anomaly and the threat profile.
[0090] Step 5:
[0091] The server sends alerts to users and security personnel when a threat is identified. It uses a communication API to send notifications via email or SMS. The input is the threat identification result, and the output is an alert message. Specifically, it generates notification messages and logs the transmission history.
[0092] Step 6:
[0093] The terminal performs automated initial response to high-priority incidents. This response includes network isolation and cessation of malicious processes. The input is the result of identifying threats and abnormal behavior, and the output is the system state after the response. Specific actions include updating firewall rules using scripts and forcibly terminating malicious processes.
[0094] Step 7:
[0095] The server analyzes past incident information to predict future threats. Regression analysis and time series analysis are used in this analysis. The input is historical incident data, and the output is a threat prediction report. Specifically, it analyzes the frequency and trends of each incident and visualizes the potential risks.
[0096] (Application Example 1)
[0097] Next, we will explain Application Example 1. In the following explanation, the data processing device 12 will be referred to as the "server," and the smart device 14 will be referred to as the "terminal."
[0098] Smart device networks are vulnerable to external threats and attacks, posing a high risk to individual users' privacy and data security. Furthermore, existing security systems require specialized knowledge and are not easily accessible to the average user. Additionally, identifying abnormal network activity in real time and providing immediate support to users is difficult, creating a need for simpler and more effective security solutions.
[0099] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 1 is realized by the following means.
[0100] In this invention, the server includes means for monitoring network activity, means for preprocessing and standardizing the format of the monitored data, and means for executing an AI algorithm that detects unique communication patterns using the preprocessed data. This enables users to detect abnormal network activity in real time on their smart devices and take quick and appropriate action.
[0101] "Means of monitoring network activity" refers to functions that analyze communications on a network in real time and identify suspicious activity that deviates from normal activity patterns.
[0102] "Means of standardizing format" refers to a function that standardizes the format and protocol of monitoring data, thereby enabling consistent subsequent analysis processes.
[0103] "A means of executing an AI algorithm to detect unusual communication patterns" refers to a function that utilizes machine learning techniques to identify unusual communication behavior based on standardized data.
[0104] "Means for identifying potential risks" refers to a function that identifies potential risks and issues warnings by comparing detected unique patterns with existing threat intelligence.
[0105] "Means of sending warnings to users" refers to a notification function that immediately informs users that a danger has been detected and prompts them to take appropriate action.
[0106] "Means of automatically executing emergency response" refers to a function that minimizes damage by allowing the system to automatically take initial action immediately in response to detected dangers.
[0107] "Means of performing personal network monitoring" refers to features that monitor network activity on individual users' devices and identify abnormal behavior.
[0108] "Means for notifying the detection of abnormal activity" refers to a function that quickly communicates information to users when unusual network activity is detected.
[0109] "Means for managing excessive data traffic" refers to a function that identifies excessive data traffic when it occurs and warns the user.
[0110] The system implementing this invention is primarily composed of a software application installed on a mobile device such as a smartphone. The server has a data collection module for monitoring network activity in real time and standardizes this data through a format unification module. The standardized data is analyzed through an AI algorithm that detects unique communication patterns, and anomalies are identified using machine learning techniques. This process is realized using platforms such as TensorFlow and PyTorch.
[0111] The device is equipped with a notification system that immediately sends a warning to the user if abnormal activity is detected. This notification is triggered when excessive data traffic is detected or when suspicious background communication occurs. Furthermore, the system has the ability to automatically take initial action based on the identified threat, such as controlling the network segment or stopping processes.
[0112] For example, if a user's smartphone suddenly starts a large amount of data communication at night, this system will detect this as an anomaly and immediately notify the user. At this point, the user will be given the choice of continuing or stopping the communication. Furthermore, based on the user's past communication patterns, it is possible to proactively strengthen vigilance against predicted future threats.
[0113] An example of a prompt message is: "Immediately detect any activity on the user's smartphone that deviates from the normal network traffic pattern and display a warning to the user."
[0114] The flow of a specific process in Application Example 1 will be explained using Figure 12.
[0115] Step 1:
[0116] The server collects network traffic data from terminals in real time through a network monitoring module. The input to this process is raw packet data sent from terminals, and the output is an unstructured traffic dataset.
[0117] Step 2:
[0118] The server preprocesses and standardizes the collected traffic data using a format unification module. The input is raw traffic data, and the output is a standardized dataset. During this process, the data is filtered and converted into the necessary protocol information.
[0119] Step 3:
[0120] The server feeds pre-processed data to an AI algorithm for analysis to detect unique communication patterns. The input for this step is standardized data, and the output is the items identified as unique communication patterns. Machine learning models (TensorFlow or PyTorch) are used here.
[0121] Step 4:
[0122] The server compares detected unusual communication patterns with a database of known threats to identify potential dangers. Input is data on the unusual patterns, and output is information about potential threats. This information is compared and evaluated in real time.
[0123] Step 5:
[0124] The terminal receives potential threat information sent from the server and sends a warning to the user. The input is the potential threat information, and the output is the notification message to the user. The notification system immediately displays this message on the user's display.
[0125] Step 6:
[0126] The user receives a warning through a notification on their device and decides whether to continue or stop network communication based on that information. The input is the notification message, and the output is the user's selected action. This action determines whether the device continues or interrupts communication.
[0127] Furthermore, an emotion engine that estimates the user's emotions may be incorporated. That is, the identification processing unit 290 may use the emotion identification model 59 to estimate the user's emotions and perform identification processing using the user's emotions.
[0128] This invention integrates an emotion engine into a network security system to enable threat detection and incident response based on the user's emotional state. In addition to its basic functions of monitoring network traffic in real time and detecting anomalies with AI algorithms, the system aims to automate appropriate responses by analyzing the user's emotions.
[0129] This system first has a server collect and preprocess network traffic data, and then uses a machine learning model to identify anomalous patterns. When an anomaly is detected, the server compares it with known threat data and identifies the detected pattern as a threat. After this identification, the server uses an emotion engine to analyze the user's emotional state. For example, it recognizes emotions such as stress and anxiety based on historical data and real-time user activity logs.
[0130] Based on recognized emotions, the server optimizes the content and method of threat notifications. For example, if a user is experiencing high stress, the notification content is simplified, and a message encouraging a calm response is sent. The emotion engine can also adjust the notification frequency based on user responses, customizing the system to reduce stress.
[0131] Furthermore, the device automatically takes initial action in the event of an incident deemed to be of high urgency. In this process, the device considers the output of the emotion engine and proceeds with the response in a way that minimizes the burden on the user. For example, it can switch the notification method from visual display to voice guidance.
[0132] Finally, to ensure the security of the AI system itself, the server undergoes regular evaluation and updates, aiming to improve the accuracy of the emotion engine while strengthening security. In this way, an intelligent network security system that takes into account the user's emotional state is realized.
[0133] The following describes the processing flow.
[0134] Step 1:
[0135] The server continuously collects network traffic data and performs extensive analysis of each packet's details to gain a complete understanding of the data.
[0136] Step 2:
[0137] The server performs preprocessing to optimize the collected traffic data and convert it into a well-organized format. This includes noise reduction and supplementing incomplete data.
[0138] Step 3:
[0139] The server supplies pre-processed data to an AI algorithm to detect anomalies. The algorithm identifies deviant patterns in real time by comparing them to a model of normal operation.
[0140] Step 4:
[0141] The server compares detected anomaly patterns with a threat database to identify threats. This process enables the identification of both existing and new threats.
[0142] Step 5:
[0143] The server activates the sentiment engine in response to identified threats and evaluates the user's emotional state. Sentiment analysis is performed based on user activity logs and past interaction data.
[0144] Step 6:
[0145] The server adjusts the content and method of threat notifications based on the output of the emotion engine. If the user is under stress, it simplifies the information and creates messages that reduce mental burden.
[0146] Step 7:
[0147] The terminal automatically responds to high-priority incidents, implementing protocols to isolate the network segment on the terminal or halt malicious processes. The user's emotional state is taken into consideration when selecting these protocols.
[0148] Step 8:
[0149] The server performs regular security assessments and updates on its AI system. This continuously improves the accuracy and security of the AI system, and strengthens the overall system, including the emotion engine.
[0150] (Example 2)
[0151] Next, we will describe Example 2. In the following description, the data processing device 12 will be referred to as the "server" and the smart device 14 as the "terminal".
[0152] Conventional network security systems have lacked sufficient real-time responsiveness in detecting network anomalies and responding to incidents, as well as consideration for the psychological stress experienced by users. In particular, while rapid anomaly identification, appropriate warning provision, and advanced automated initial response are required, responses that take into account the emotional state of users are also necessary. This invention aims to solve these problems and realize advanced security measures without burdening users.
[0153] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 2 is realized by the following means.
[0154] In this invention, the server includes means for monitoring data communication, means for formatting and standardizing the monitored data, and means for running an algorithm for identifying anomalies. This enables immediate detection of anomalies and automatic, user-friendly responses.
[0155] "Data communication" refers to electrical or optical processes used to send and receive information.
[0156] "Monitoring" is the act of observing something over a set period of time to confirm the occurrence of anomalies or specific events.
[0157] "Formatting" refers to the process of converting raw data into a specific format or structure.
[0158] "Standardizing the format" means unifying the way data is represented and its structure.
[0159] "Abnormal" refers to an action or state that deviates from normal operation or condition.
[0160] An "algorithm" is a set of computational steps designed to solve a specific problem.
[0161] "To be operational" refers to a state in which a system or process is running.
[0162] A "server" is a computer system that provides data and services over a network.
[0163] This invention relates to a system that improves anomaly detection and incident response in network security systems. The system includes data communication monitoring, data formatting, operation of anomaly identification algorithms, real-time notification, notification optimization through sentiment analysis, and an automatic initial response function.
[0164] The server sends and receives information over the network. Specifically, it runs on a general-purpose computer system and intercepts network traffic using monitoring tools. The hardware requires a suitable processor and storage to manage network communications. For software, commonly used communication protocol analysis tools, such as Wireshark, are used for monitoring. Learning frameworks such as TensorFlow and PyTorch are utilized for data shaping and anomaly detection.
[0165] After detecting an anomaly, the server uses an emotion analysis engine to analyze the user's emotional state and optimize the content and method of notifications. This emotion analysis engine operates based on past user operation logs and real-time user interaction data. The engine uses the data to train an emotion model and infer the user's stress and anxiety.
[0166] The device notifies the user of an incident and, if necessary, provides voice guidance and performs automated recovery operations. The device is designed to minimize the burden on the user according to their situation and has features that simplify the interface format.
[0167] As a concrete example, let's consider a scenario where an unauthorized access attempt is made to a company's network. The server immediately detects the anomaly and, through a sentiment analysis engine, notifies the user of a message such as, "A network problem has been detected. We are automatically handling it, so please rest assured." in order to minimize the stress the user may experience.
[0168] The following prompt statements can be used as example inputs to a generative AI model:
[0169] "Please provide a detailed explanation of how anomalies in network traffic data are detected."
[0170] "Please explain the mechanism of the AI algorithm that analyzes user emotions."
[0171] "Please tell me what to do if the emotional engine detects a high-stress state."
[0172] The flow of the specific processing in Example 2 will be explained using Figure 13.
[0173] Step 1:
[0174] The server monitors network traffic. It receives real-time data communication information as input and captures each communication packet using monitoring tools. This data includes destination IP address, communication protocol, and packet size. The server formats this data and converts it into a format suitable for anomaly detection algorithms. It then generates formatted network traffic data as output.
[0175] Step 2:
[0176] The server inputs formatted network traffic data into a machine learning model to detect anomalous patterns. The input is the formatted data obtained in step 1, and the server uses TensorFlow to identify anomalies in real time. The model identifies behaviors that are considered anomalous compared to normal communication patterns. The output is the identified results showing the anomalous patterns.
[0177] Step 3:
[0178] When an anomaly is detected, the server uses an emotion analysis engine to analyze the user's emotional state. Input includes the user's past operation log data and current real-time activity data. The server uses a trained model to estimate the user's stress and anxiety levels. This analysis generates output data indicating the user's emotional state.
[0179] Step 4:
[0180] The server optimizes the content and method of incident notifications based on the identified anomalies and emotional states. The inputs used are the anomaly data obtained in step 2 and the emotional state data from step 3. The server adjusts the notification content, for example, to create a simple message such as "Please remain calm." The output is the optimized notification message.
[0181] Step 5:
[0182] If the anomaly is deemed to be of high urgency, the terminal automatically takes initial action. The input is emergency incident information sent from the server. The terminal takes measures such as modifying firewall rules, stopping malicious processes, or notifying the user with voice guidance. The output is the result of the initial action taken.
[0183] Step 6:
[0184] Periodically, the server performs a system-wide security assessment and updates the model. The input is the current system state and the latest security patch information. The server reassessss security based on the assessment criteria and retrains the generated AI model as needed. The output is an enhanced security configuration and an updated model.
[0185] (Application Example 2)
[0186] Next, we will explain application example 2. In the following explanation, the data processing device 12 will be referred to as a "server" and the smart device 14 as a "terminal".
[0187] In recent years, with the advancement of information technology, information processing via networks has become more diverse, but at the same time, unauthorized access and threats using networks have increased. In particular, as the need for immediate response to cyberattacks increases, conventional network security systems have been insufficient in terms of notifications and responses that take into account the emotional state of users, which has led to increased mental burden on users. The present invention aims to solve this problem.
[0188] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 2 is realized by the following means.
[0189] In this invention, the server includes means for collecting network traffic data, means for preprocessing and standardizing the format of the collected data, means for executing an algorithm for detecting abnormal patterns using the preprocessed data, means for comparing the abnormal patterns with existing threat data to identify threats, means for notifying related information processing devices based on the identified threats, means for automatically performing initial responses to high-priority events, means for analyzing past event data to predict future threats, means for analyzing the emotional state of system users and optimizing notification content and methods, means for reducing emotional burden by adjusting notifications based on user operation logs, means for switching notifications from visual displays to voice guidance in the event of anomaly detection according to the emotional state of system users, and means for evaluating and protecting the security of the AI system itself. As a result, anomaly detection and incident response are optimized to the user's emotional state, enabling more effective and less burdensome security responses.
[0190] "Network traffic data" refers to the flow of data communicated between information processing devices, and this data is collected for analysis and monitoring purposes.
[0191] "Preprocessing" refers to the initial data processing steps performed to convert raw data into a format that is easy to analyze, and includes standardizing data formats and removing noise.
[0192] An "anomalous pattern" refers to unusual behavior or data characteristics that deviate from normal data or operations, suggesting potential threats or problems.
[0193] An "algorithm" refers to a series of computational steps or rules, and is a processing method designed to solve a specific problem.
[0194] A "threat" refers to any factor that could potentially or actually cause harm to a network or information system, including unauthorized access to or tampering with data.
[0195] An "information processing device" refers to an electronic device used for acquiring, processing, storing, and transmitting data, and usually includes a computer system.
[0196] An "incident" refers to an unexpected event in an information system that may disrupt the operation of the system.
[0197] "Emotional state" refers to the mental or psychological condition of a user of an information processing device, and includes the user's emotional responses, such as stress and anxiety.
[0198] "Voice guidance" refers to a means of transmitting information by voice, providing instructions and notifications to users as an alternative to visual information.
[0199] A "learning model" refers to a mathematical or statistical model that learns regularities and patterns from large amounts of data and uses them to make predictions and judgments about new data.
[0200] The system that realizes this invention consists of a server and an information processing device. The server is responsible for collecting network traffic data and preprocessing the collected data to standardize its format. The server also executes an algorithm to detect anomalous patterns using the preprocessed data and identifies threats by comparing the anomalous patterns with existing threat data. The identified threats are notified to the information processing device, and in the case of high-priority events, the server automatically takes initial action.
[0201] Furthermore, the server analyzes past event data to predict future threats. This process utilizes a data analysis learning model. The server also analyzes the emotional state of system users to optimize notification content and methods. By adjusting notifications based on user operation logs, care is taken to reduce the emotional burden on users. Specifically, if a user is determined to be in a high-stress state, it is possible to switch the notification of anomaly detection from a visual display to an audio guidance.
[0202] In this embodiment, anomaly detection and incident response are optimized based on the user's emotional state. The server is designed to periodically evaluate the security of the AI system itself, improving the accuracy of emotional state analysis while protecting security.
[0203] As a concrete example, consider an application for securely managing email communication within a company. This application monitors abnormal traffic both inside and outside the corporate network in real time and provides appropriate guidance tailored to the user's emotional state when an employee is subjected to a phishing attack or similar threat. For example, if the application determines that a user is in a high-stress state, it would notify them via voice with a concise message such as, "Warning: There are security concerns. Do not click on the link."
[0204] The following prompt statements can be used as examples of input to the generative AI model.
[0205] "I want to detect abnormal network activity and analyze the associated sentiment in order to tailor security notifications based on the user's emotional state. Please provide detailed instructions on the best way to implement this."
[0206] The flow of a specific process in Application Example 2 will be explained using Figure 14.
[0207] Step 1:
[0208] The server collects network traffic data in real time. This data includes user communication information and access logs. The server receives this raw data and preprocesses it to standardize its format. Specifically, it converts the data's format and removes unnecessary noise to make it easier to process later.
[0209] Step 2:
[0210] The server runs an algorithm to detect anomalous patterns using pre-processed data. By providing the pre-processed data as input to the anomaly detection model, the server identifies unique patterns and deviant traffic. Machine learning models are then used to extract potentially anomalous data. Simultaneously, known threats are quickly identified by comparing them with existing threat data.
[0211] Step 3:
[0212] The server notifies the information processing device, i.e., the user's terminal, based on the identified threat. The server uses detailed threat information as input to determine the most appropriate notification content and method. If the emotion engine determines that the user is in a high-stress state, the notification is simplified and voice guidance is provided to reduce the user's stress.
[0213] Step 4:
[0214] The server analyzes past incident data to predict potential future threats. Here, accumulated historical data is used as input, and predictive models perform data calculations to analyze trends in new threats. This enables proactive security responses.
[0215] Step 5:
[0216] Users take specific actions based on notifications from the server. In this case, users are provided with direct voice and visual guidance to support them in taking quick and appropriate action. If necessary, the system may automatically take additional protective measures.
[0217] Step 6:
[0218] The server periodically evaluates the security of the AI system itself and maintains protection. The server uses monitoring results and system logs as input to determine updates and patches that can be applied to improve security, and continuously ensures the health of the system.
[0219] The specific processing unit 290 transmits the result of the specific processing to the smart device 14. In the smart device 14, the control unit 46A causes the output device 40 to output the result of the specific processing. The microphone 38B acquires audio indicating user input for the result of the specific processing. The control unit 46A transmits the audio data indicating user input acquired by the microphone 38B to the data processing device 12. In the data processing device 12, the specific processing unit 290 acquires the audio data.
[0220] Data generation model 58 is a so-called generative AI (Artificial Intelligence). An example of data generation model 58 is ChatGPT (registered trademark) (Internet search).<URL: https: / / openai.com / blog / chatgpt> ), Gemini (registered trademark) (Internet search) <url: https: gemini.google.com ?hl="ja">Examples of generative AI include the following. The data generation model 58 is obtained by performing deep learning on a neural network. The data generation model 58 is input with prompts containing instructions, and with inference data such as audio data representing speech, text data representing text, and image data representing images. The data generation model 58 infers from the input inference data according to the instructions indicated by the prompts, and outputs the inference results in data formats such as audio data and text data. Here, inference refers to, for example, analysis, classification, prediction, and / or summarization.
[0221] In the above embodiment, an example was given in which specific processing is performed by the data processing device 12, but the technology of this disclosure is not limited thereto, and the specific processing may also be performed by the smart device 14.
[0222] [Second Embodiment]
[0223] Figure 3 shows an example of the configuration of the data processing system 210 according to the second embodiment.
[0224] As shown in Figure 3, the data processing system 210 includes a data processing device 12 and smart glasses 214. An example of the data processing device 12 is a server.
[0225] The data processing device 12 comprises a computer 22, a database 24, and a communication interface 26. The computer 22 is an example of a "computer" related to the technology of this disclosure. The computer 22 comprises a processor 28, RAM 30, and storage 32. The processor 28, RAM 30, and storage 32 are connected to a bus 34. The database 24 and the communication interface 26 are also connected to the bus 34. The communication interface 26 is connected to a network 54. An example of the network 54 is a WAN (Wide Area Network) and / or a LAN (Local Area Network).
[0226] The smart glasses 214 include a computer 36, a microphone 238, a speaker 240, a camera 42, and a communication interface 44. The computer 36 includes a processor 46, RAM 48, and storage 50. The processor 46, RAM 48, and storage 50 are connected to a bus 52. The microphone 238, speaker 240, and camera 42 are also connected to the bus 52.
[0227] The microphone 238 receives voice signals from the user 20 and receives instructions from the user 20. The microphone 238 captures the voice signals from the user 20, converts the captured voice into audio data, and outputs it to the processor 46. The speaker 240 outputs audio according to the instructions from the processor 46.
[0228] Camera 42 is a small digital camera equipped with an optical system including a lens, aperture, and shutter, and an image sensor such as a CMOS (Complementary Metal-Oxide-Semiconductor) image sensor or a CCD (Charge Coupled Device) image sensor, and captures images of the area around the user 20 (for example, an imaging range defined by a field of view equivalent to the width of a typical healthy person's field of vision).
[0229] Communication interface 44 is connected to network 54. Communication interfaces 44 and 26 are responsible for the exchange of various information between processor 46 and processor 28 via network 54. The exchange of various information between processor 46 and processor 28 using communication interfaces 44 and 26 is performed in a secure manner.
[0230] Figure 4 shows an example of the main functions of the data processing device 12 and the smart glasses 214. As shown in Figure 4, the data processing device 12 performs specific processing using the processor 28. The storage 32 stores the specific processing program 56.
[0231] The specific processing program 56 is an example of a "program" relating to the technology of this disclosure. The processor 28 reads the specific processing program 56 from the storage 32 and executes the read specific processing program 56 on the RAM 30. The specific processing is realized by the processor 28 operating as a specific processing unit 290 in accordance with the specific processing program 56 executed on the RAM 30.
[0232] The storage 32 stores the data generation model 58 and the emotion identification model 59. The data generation model 58 and the emotion identification model 59 are used by the identification processing unit 290.
[0233] In the smart glasses 214, the processor 46 performs the reception output processing. The storage 50 stores the reception output program 60. The processor 46 reads the reception output program 60 from the storage 50 and executes the read reception output program 60 on the RAM 48. The reception output processing is realized by the processor 46 operating as a control unit 46A according to the reception output program 60 executed on the RAM 48.
[0234] Next, the identification processing performed by the identification processing unit 290 of the data processing device 12 will be described. In the following description, the data processing device 12 will be referred to as the "server" and the smart glasses 214 will be referred to as the "terminal".
[0235] The present invention is implemented by a software platform that is installed on devices and servers that access a network. This platform enables a rapid response to security threats by leveraging AI technology to monitor network traffic in real time and to detect and report anomalies.
[0236] One primary embodiment of this system involves continuously collecting network traffic data and analyzing it immediately using AI algorithms. Specifically, a server captures every data packet transmitted over the network and standardizes its characteristics. This standardized data is then fed into a trained machine learning model to detect patterns of abnormal behavior.
[0237] The server then evaluates whether the detected anomaly matches any known attack profile. If it does, or if an unidentified threat pattern is found, it immediately sends an alert to users and security personnel. For example, if there is communication that deviates from normal traffic volume or access time, it will be notified as a possible sign of unauthorized access.
[0238] When an incident occurs, the terminal automatically performs actions to minimize the impact on the network according to predefined protocols. For example, if malware activity is detected, it automatically isolates the relevant network segment and stops suspicious processes.
[0239] In addition, the server analyzes past incident data, identifies statistical trends and unusual increases, and predicts future threats, which are then incorporated into the organization's security strategy. Users can use this predictive information to proactively take defensive measures against potential attacks.
[0240] Ultimately, the server periodically evaluates the security of the AI system itself and strengthens defensive measures as needed to prevent potential threats to the system. This process is carried out through regular updates of the AI model and patching of vulnerabilities. In this way, the present invention provides consistent security protection in a network environment.
[0241] The following describes the processing flow.
[0242] Step 1:
[0243] The server continuously monitors network traffic and collects all incoming and outgoing data packets, thereby forming a comprehensive dataset of communications within the network.
[0244] Step 2:
[0245] The server preprocesses the collected data, preparing it for analysis. This preprocessing includes standardizing the data format and removing noise and redundant data.
[0246] Step 3:
[0247] The server inputs pre-processed data into an AI algorithm to detect anomalous patterns in real time. The AI algorithm has learned normal traffic patterns and can instantly identify abnormal behavior.
[0248] Step 4:
[0249] The server compares detected anomalies with a database of known threats to identify the threat. This comparison allows for the rapid recognition of known attack methods and their variations.
[0250] Step 5:
[0251] The server notifies the user of the details of the identified threat. The notification includes the type of threat, the network segment in which it occurred, and recommended countermeasures.
[0252] Step 6:
[0253] The terminal automatically takes initial action in response to incidents deemed to be of high urgency. Specifically, it isolates the network segment and stops the malicious process.
[0254] Step 7:
[0255] The server performs predictive analysis based on past incident data. This analysis predicts the emergence of future threats and provides information for taking preventative measures.
[0256] Step 8:
[0257] The server performs regular security assessments of the AI system itself, and updates the system and retrains the models as needed. This maintains the security and accuracy of the AI system.
[0258] (Example 1)
[0259] Next, we will describe Example 1. In the following description, the data processing device 12 will be referred to as the "server," and the smart glasses 214 will be referred to as the "terminal."
[0260] In today's information and communication environment, which utilizes networks, the increasing volume and complexity of communication data necessitates early detection and rapid response to unauthorized access and security threats. However, existing methods have limitations in the accuracy and real-time capabilities of detecting abnormal phenomena, and there is also the risk of information leaks and business disruption due to delayed responses. Therefore, innovative technologies are needed to solve these problems.
[0261] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 1 is realized by the following means.
[0262] In this invention, the server includes means for aggregating communication information, means for pre-processing the aggregated information and standardizing its format, and means for executing an artificial intelligence method for detecting abnormal phenomena using the pre-processed information. This makes it possible to detect unauthorized access and potential security threats with high accuracy and in real time, and to deal with them automatically.
[0263] "Communication information" refers to all data packets and their metadata transmitted and received over a network.
[0264] "Preprocessing" refers to the process of standardizing collected raw data and preparing it into an analyzable format.
[0265] "Standardizing a format" refers to the process of transforming data into a unified structure to ensure compatibility with heterogeneous data sources.
[0266] An "abnormal phenomenon" refers to an event that deviates from normal communication patterns or indicates signs of unauthorized access.
[0267] "Artificial intelligence methods" refer to techniques that use computer algorithms, such as machine learning, to process information and solve specific problems.
[0268] "Existing threat intelligence" refers to data on security incidents that have been detected and recorded in the past.
[0269] "Reporting" refers to the act of notifying relevant parties of detected threat information, including any necessary details.
[0270] "Initial corrective action through self-operation" refers to a system autonomously executing a series of actions to correct an anomaly.
[0271] "Isolating a network" refers to the operation of physically or logically separating a specific network segment.
[0272] "Communication rules to stop unauthorized processing" refers to a set of rules designed to block unauthorized data processing and ensure network security.
[0273] This invention is implemented by a platform that is installed on a server connected to a network. The server first collects data in real time using a dedicated tool for aggregating network communication information. In this platform, a "packet capture tool" is typically used to capture communication data.
[0274] The server then preprocesses the aggregated communication data and standardizes the data format. This standardization ensures compatibility between different data sources. Data preprocessing tools are used for this preprocessing; for example, data processing using the Python Pandas library is one possibility.
[0275] Next, the server runs a machine learning model to detect anomalies. Anomalies are those that deviate from the normal communication patterns within the network, and an "anomaly detection algorithm" is used for this purpose. In this platform environment, artificial intelligence libraries such as "TensorFlow" and "PyTorch" are common.
[0276] As a specific example, if a server detects a sudden surge in traffic during a particular time period, it identifies this as an anomaly and compares it with a database of past threat intelligence. If the identified threat matches a known threat profile, a notification is immediately sent to the user or security personnel. A "communication API" is used to send these notifications.
[0277] Furthermore, the server analyzes multiple past incident data to predict future threats. This allows users to take proactive measures based on the predicted risks.
[0278] An example of a prompt message would be, "Please tell me how to detect network traffic anomalies using AI. Please also provide specific library and algorithm names."
[0279] The flow of the specific processing in Example 1 will be explained using Figure 11.
[0280] Step 1:
[0281] The server aggregates network communication information in real time. For this purpose, the server uses a packet capture tool to obtain the header information and payload of data packets. It receives raw data from the network as input and saves this data in a structured log file as output. As a specific operation, the server extracts the necessary metadata (such as IP address, port number, data size, etc.) from each packet captured and records it in log format.
[0282] Step 2:
[0283] The server preprocesses the aggregated communication data and converts it into a standardized format. For this process, the Pandas library in Python is used to perform data cleaning and normalization. The data in the log file is provided as input, and each data field is organized into a common format. The output is a dataset in a unified format. As specific operations, it performs imputation of missing values and filtering of outliers to create a data format suitable for analysis.
[0284] Step 3:
[0285] The server runs a machine learning model for detecting anomalies using the standardized data. This model is built with TensorFlow or PyTorch and outputs the deviation from the normal communication pattern as a score. The preprocessed dataset is provided as input, and the output is a list of anomaly scores. As a specific operation, it performs predictive modeling based on past normal data to determine whether new communication data exceeds the normal range.
[0286] Step 4:
[0287] The server evaluates whether the detected anomaly matches an existing threat database. This evaluation compares anomaly scores using known attack profiles. The inputs are the anomaly scores and the threat database, and the output is the threat identification result. Specifically, a similarity scoring algorithm is used to calculate the degree of match between the anomaly and the threat profile.
[0288] Step 5:
[0289] The server sends alerts to users and security personnel when a threat is identified. It uses a communication API to send notifications via email or SMS. The input is the threat identification result, and the output is an alert message. Specifically, it generates notification messages and logs the transmission history.
[0290] Step 6:
[0291] The terminal performs automated initial response to high-priority incidents. This response includes network isolation and cessation of malicious processes. The input is the result of identifying threats and abnormal behavior, and the output is the system state after the response. Specific actions include updating firewall rules using scripts and forcibly terminating malicious processes.
[0292] Step 7:
[0293] The server analyzes past incident information to predict future threats. Regression analysis and time series analysis are used in this analysis. The input is historical incident data, and the output is a threat prediction report. Specifically, it analyzes the frequency and trends of each incident and visualizes the potential risks.
[0294] (Application Example 1)
[0295] Next, we will explain Application Example 1. In the following explanation, the data processing device 12 will be referred to as the "server," and the smart glasses 214 will be referred to as the "terminal."
[0296] Smart device networks are vulnerable to external threats and attacks, posing a high risk to individual users' privacy and data security. Furthermore, existing security systems require specialized knowledge and are not easily accessible to the average user. Additionally, identifying abnormal network activity in real time and providing immediate support to users is difficult, creating a need for simpler and more effective security solutions.
[0297] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 1 is realized by the following means.
[0298] In this invention, the server includes means for monitoring network activity, means for preprocessing and standardizing the format of the monitored data, and means for executing an AI algorithm that detects unique communication patterns using the preprocessed data. This enables users to detect abnormal network activity in real time on their smart devices and take quick and appropriate action.
[0299] "Means of monitoring network activity" refers to functions that analyze communications on a network in real time and identify suspicious activity that deviates from normal activity patterns.
[0300] "Means of standardizing format" refers to a function that standardizes the format and protocol of monitoring data, thereby enabling consistent subsequent analysis processes.
[0301] "A means of executing an AI algorithm to detect unusual communication patterns" refers to a function that utilizes machine learning techniques to identify unusual communication behavior based on standardized data.
[0302] "Means for identifying potential risks" refers to a function that identifies potential risks and issues warnings by comparing detected unique patterns with existing threat intelligence.
[0303] The "means for sending a warning to the user" is a notification function that immediately informs the user that a danger has been detected and prompts appropriate action.
[0304] The "means for automatically executing an emergency response" is a function that minimizes damage by having the system automatically perform an initial response immediately to the detected danger.
[0305] The "means for performing personal network monitoring" is a feature that monitors network activity on the devices of individual users and identifies abnormal behavior.
[0306] The "means for notifying the detection of abnormal activities" is a function that quickly transmits such information to the user when network activities different from normal are found.
[0307] The "means for managing excessive communication" is a function that identifies excessive data communication when it occurs and warns the user.
[0308] The system for implementing this invention is mainly composed of a software application installed on a mobile terminal such as a smartphone. The server has a data collection module for monitoring network activities in real time, and standardizes the data through a format unification module. The standardized data is analyzed through an AI algorithm that detects specific communication patterns, and anomalies are identified using machine learning techniques. This process is realized by using platforms such as TensorFlow and PyTorch.
[0309] The terminal is equipped with a notification system for immediately sending a warning to the user when abnormal activities are detected. This notification is triggered when excessive data communication is recognized or when suspicious background communication occurs. Furthermore, the system has a function of automatically performing an initial response based on the identified danger, and takes actions such as controlling network segments and stopping processes.
[0310] For example, if a user's smartphone suddenly starts a large amount of data communication at night, this system will detect this as an anomaly and immediately notify the user. At this point, the user will be given the choice of continuing or stopping the communication. Furthermore, based on the user's past communication patterns, it is possible to proactively strengthen vigilance against predicted future threats.
[0311] An example of a prompt message is: "Immediately detect any activity on the user's smartphone that deviates from the normal network traffic pattern and display a warning to the user."
[0312] The flow of a specific process in Application Example 1 will be explained using Figure 12.
[0313] Step 1:
[0314] The server collects network traffic data from terminals in real time through a network monitoring module. The input to this process is raw packet data sent from terminals, and the output is an unstructured traffic dataset.
[0315] Step 2:
[0316] The server preprocesses and standardizes the collected traffic data using a format unification module. The input is raw traffic data, and the output is a standardized dataset. During this process, the data is filtered and converted into the necessary protocol information.
[0317] Step 3:
[0318] The server feeds pre-processed data to an AI algorithm for analysis to detect unique communication patterns. The input for this step is standardized data, and the output is the items identified as unique communication patterns. Machine learning models (TensorFlow or PyTorch) are used here.
[0319] Step 4:
[0320] The server compares detected unusual communication patterns with a database of known threats to identify potential dangers. Input is data on the unusual patterns, and output is information about potential threats. This information is compared and evaluated in real time.
[0321] Step 5:
[0322] The terminal receives potential threat information sent from the server and sends a warning to the user. The input is the potential threat information, and the output is the notification message to the user. The notification system immediately displays this message on the user's display.
[0323] Step 6:
[0324] The user receives a warning through a notification on their device and decides whether to continue or stop network communication based on that information. The input is the notification message, and the output is the user's selected action. This action determines whether the device continues or interrupts communication.
[0325] Furthermore, an emotion engine that estimates the user's emotions may be incorporated. That is, the identification processing unit 290 may use the emotion identification model 59 to estimate the user's emotions and perform identification processing using the user's emotions.
[0326] This invention integrates an emotion engine into a network security system to enable threat detection and incident response based on the user's emotional state. In addition to its basic functions of monitoring network traffic in real time and detecting anomalies with AI algorithms, the system aims to automate appropriate responses by analyzing the user's emotions.
[0327] This system first has a server collect and preprocess network traffic data, and then uses a machine learning model to identify anomalous patterns. When an anomaly is detected, the server compares it with known threat data and identifies the detected pattern as a threat. After this identification, the server uses an emotion engine to analyze the user's emotional state. For example, it recognizes emotions such as stress and anxiety based on historical data and real-time user activity logs.
[0328] Based on recognized emotions, the server optimizes the content and method of threat notifications. For example, if a user is experiencing high stress, the notification content is simplified, and a message encouraging a calm response is sent. The emotion engine can also adjust the notification frequency based on user responses, customizing the system to reduce stress.
[0329] Furthermore, the device automatically takes initial action in the event of an incident deemed to be of high urgency. In this process, the device considers the output of the emotion engine and proceeds with the response in a way that minimizes the burden on the user. For example, it can switch the notification method from visual display to voice guidance.
[0330] Finally, to ensure the security of the AI system itself, the server undergoes regular evaluation and updates, aiming to improve the accuracy of the emotion engine while strengthening security. In this way, an intelligent network security system that takes into account the user's emotional state is realized.
[0331] The following describes the processing flow.
[0332] Step 1:
[0333] The server continuously collects network traffic data and performs extensive analysis of each packet's details to gain a complete understanding of the data.
[0334] Step 2:
[0335] The server performs preprocessing to optimize the collected traffic data and convert it into a well-organized format. This includes noise reduction and supplementing incomplete data.
[0336] Step 3:
[0337] The server supplies pre-processed data to an AI algorithm to detect anomalies. The algorithm identifies deviant patterns in real time by comparing them to a model of normal operation.
[0338] Step 4:
[0339] The server compares detected anomaly patterns with a threat database to identify threats. This process enables the identification of both existing and new threats.
[0340] Step 5:
[0341] The server activates the sentiment engine in response to identified threats and evaluates the user's emotional state. Sentiment analysis is performed based on user activity logs and past interaction data.
[0342] Step 6:
[0343] The server adjusts the content and method of threat notifications based on the output of the emotion engine. If the user is under stress, it simplifies the information and creates messages that reduce mental burden.
[0344] Step 7:
[0345] The terminal automatically responds to high-priority incidents, implementing protocols to isolate the network segment on the terminal or halt malicious processes. The user's emotional state is taken into consideration when selecting these protocols.
[0346] Step 8:
[0347] The server performs regular security assessments and updates on its AI system. This continuously improves the accuracy and security of the AI system, and strengthens the overall system, including the emotion engine.
[0348] (Example 2)
[0349] Next, we will describe Example 2. In the following description, the data processing device 12 will be referred to as the "server" and the smart glasses 214 will be referred to as the "terminal".
[0350] Conventional network security systems have lacked sufficient real-time responsiveness in detecting network anomalies and responding to incidents, as well as consideration for the psychological stress experienced by users. In particular, while rapid anomaly identification, appropriate warning provision, and advanced automated initial response are required, responses that take into account the emotional state of users are also necessary. This invention aims to solve these problems and realize advanced security measures without burdening users.
[0351] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 2 is realized by the following means.
[0352] In this invention, the server includes means for monitoring data communication, means for formatting and standardizing the monitored data, and means for running an algorithm for identifying anomalies. This enables immediate detection of anomalies and automatic, user-friendly responses.
[0353] "Data communication" refers to electrical or optical processes used to send and receive information.
[0354] "Monitoring" is the act of observing something over a set period of time to confirm the occurrence of anomalies or specific events.
[0355] "Formatting" refers to the process of converting raw data into a specific format or structure.
[0356] "Standardizing the format" means unifying the way data is represented and its structure.
[0357] "Abnormal" refers to an action or state that deviates from normal operation or condition.
[0358] An "algorithm" is a set of computational steps designed to solve a specific problem.
[0359] "To be operational" refers to a state in which a system or process is running.
[0360] A "server" is a computer system that provides data and services over a network.
[0361] This invention relates to a system that improves anomaly detection and incident response in network security systems. The system includes data communication monitoring, data formatting, operation of anomaly identification algorithms, real-time notification, notification optimization through sentiment analysis, and an automatic initial response function.
[0362] The server sends and receives information over the network. Specifically, it runs on a general-purpose computer system and intercepts network traffic using monitoring tools. The hardware requires a suitable processor and storage to manage network communications. For software, commonly used communication protocol analysis tools, such as Wireshark, are used for monitoring. Learning frameworks such as TensorFlow and PyTorch are utilized for data shaping and anomaly detection.
[0363] After detecting an anomaly, the server uses an emotion analysis engine to analyze the user's emotional state and optimize the content and method of notifications. This emotion analysis engine operates based on past user operation logs and real-time user interaction data. The engine uses the data to train an emotion model and infer the user's stress and anxiety.
[0364] The device notifies the user of an incident and, if necessary, provides voice guidance and performs automated recovery operations. The device is designed to minimize the burden on the user according to their situation and has features that simplify the interface format.
[0365] As a concrete example, let's consider a scenario where an unauthorized access attempt is made to a company's network. The server immediately detects the anomaly and, through a sentiment analysis engine, notifies the user of a message such as, "A network problem has been detected. We are automatically handling it, so please rest assured." in order to minimize the stress the user may experience.
[0366] The following prompt statements can be used as example inputs to a generative AI model:
[0367] "Please provide a detailed explanation of how anomalies in network traffic data are detected."
[0368] "Please explain the mechanism of the AI algorithm that analyzes user emotions."
[0369] "Please tell me what to do if the emotional engine detects a high-stress state."
[0370] The flow of the specific processing in Example 2 will be explained using Figure 13.
[0371] Step 1:
[0372] The server monitors network traffic. It receives real-time data communication information as input and captures each communication packet using monitoring tools. This data includes destination IP address, communication protocol, and packet size. The server formats this data and converts it into a format suitable for anomaly detection algorithms. It then generates formatted network traffic data as output.
[0373] Step 2:
[0374] The server inputs formatted network traffic data into a machine learning model to detect anomalous patterns. The input is the formatted data obtained in step 1, and the server uses TensorFlow to identify anomalies in real time. The model identifies behaviors that are considered anomalous compared to normal communication patterns. The output is the identified results showing the anomalous patterns.
[0375] Step 3:
[0376] When an anomaly is detected, the server uses an emotion analysis engine to analyze the user's emotional state. Input includes the user's past operation log data and current real-time activity data. The server uses a trained model to estimate the user's stress and anxiety levels. This analysis generates output data indicating the user's emotional state.
[0377] Step 4:
[0378] The server optimizes the content and method of incident notifications based on the identified anomalies and emotional states. The inputs used are the anomaly data obtained in step 2 and the emotional state data from step 3. The server adjusts the notification content, for example, to create a simple message such as "Please remain calm." The output is the optimized notification message.
[0379] Step 5:
[0380] If the anomaly is deemed to be of high urgency, the terminal automatically takes initial action. The input is emergency incident information sent from the server. The terminal takes measures such as modifying firewall rules, stopping malicious processes, or notifying the user with voice guidance. The output is the result of the initial action taken.
[0381] Step 6:
[0382] Periodically, the server performs a system-wide security assessment and updates the model. The input is the current system state and the latest security patch information. The server reassessss security based on the assessment criteria and retrains the generated AI model as needed. The output is an enhanced security configuration and an updated model.
[0383] (Application Example 2)
[0384] Next, we will explain application example 2. In the following explanation, the data processing device 12 will be referred to as the "server," and the smart glasses 214 will be referred to as the "terminal."
[0385] In recent years, with the advancement of information technology, information processing via networks has become more diverse, but at the same time, unauthorized access and threats using networks have increased. In particular, as the need for immediate response to cyberattacks increases, conventional network security systems have been insufficient in terms of notifications and responses that take into account the emotional state of users, which has led to increased mental burden on users. The present invention aims to solve this problem.
[0386] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 2 is realized by the following means.
[0387] In this invention, the server includes means for collecting network traffic data, means for preprocessing and standardizing the format of the collected data, means for executing an algorithm for detecting abnormal patterns using the preprocessed data, means for comparing the abnormal patterns with existing threat data to identify threats, means for notifying related information processing devices based on the identified threats, means for automatically performing initial responses to high-priority events, means for analyzing past event data to predict future threats, means for analyzing the emotional state of system users and optimizing notification content and methods, means for reducing emotional burden by adjusting notifications based on user operation logs, means for switching notifications from visual displays to voice guidance in the event of anomaly detection according to the emotional state of system users, and means for evaluating and protecting the security of the AI system itself. As a result, anomaly detection and incident response are optimized to the user's emotional state, enabling more effective and less burdensome security responses.
[0388] "Network traffic data" refers to the flow of data communicated between information processing devices, and this data is collected for analysis and monitoring purposes.
[0389] "Preprocessing" refers to the initial data processing steps performed to convert raw data into a format that is easy to analyze, and includes standardizing data formats and removing noise.
[0390] An "anomalous pattern" refers to unusual behavior or data characteristics that deviate from normal data or operations, suggesting potential threats or problems.
[0391] An "algorithm" refers to a series of computational steps or rules, and is a processing method designed to solve a specific problem.
[0392] A "threat" refers to any factor that could potentially or actually cause harm to a network or information system, including unauthorized access to or tampering with data.
[0393] An "information processing device" refers to an electronic device used for acquiring, processing, storing, and transmitting data, and usually includes a computer system.
[0394] An "incident" refers to an unexpected event in an information system that may disrupt the operation of the system.
[0395] "Emotional state" refers to the mental or psychological condition of a user of an information processing device, and includes the user's emotional responses, such as stress and anxiety.
[0396] "Voice guidance" refers to a means of transmitting information by voice, providing instructions and notifications to users as an alternative to visual information.
[0397] A "learning model" refers to a mathematical or statistical model that learns regularities and patterns from large amounts of data and uses them to make predictions and judgments about new data.
[0398] The system that realizes this invention consists of a server and an information processing device. The server is responsible for collecting network traffic data and preprocessing the collected data to standardize its format. The server also executes an algorithm to detect anomalous patterns using the preprocessed data and identifies threats by comparing the anomalous patterns with existing threat data. The identified threats are notified to the information processing device, and in the case of high-priority events, the server automatically takes initial action.
[0399] Furthermore, the server analyzes past event data to predict future threats. This process utilizes a data analysis learning model. The server also analyzes the emotional state of system users to optimize notification content and methods. By adjusting notifications based on user operation logs, care is taken to reduce the emotional burden on users. Specifically, if a user is determined to be in a high-stress state, it is possible to switch the notification of anomaly detection from a visual display to an audio guidance.
[0400] In this embodiment, anomaly detection and incident response are optimized based on the user's emotional state. The server is designed to periodically evaluate the security of the AI system itself, improving the accuracy of emotional state analysis while protecting security.
[0401] As a concrete example, consider an application for securely managing email communication within a company. This application monitors abnormal traffic both inside and outside the corporate network in real time and provides appropriate guidance tailored to the user's emotional state when an employee is subjected to a phishing attack or similar threat. For example, if the application determines that a user is in a high-stress state, it would notify them via voice with a concise message such as, "Warning: There are security concerns. Do not click on the link."
[0402] The following prompt statements can be used as examples of input to the generative AI model.
[0403] "I want to detect abnormal network activity and analyze the associated sentiment in order to tailor security notifications based on the user's emotional state. Please provide detailed instructions on the best way to implement this."
[0404] The flow of a specific process in Application Example 2 will be explained using Figure 14.
[0405] Step 1:
[0406] The server collects network traffic data in real time. This data includes user communication information and access logs. The server receives this raw data and preprocesses it to standardize its format. Specifically, it converts the data's format and removes unnecessary noise to make it easier to process later.
[0407] Step 2:
[0408] The server runs an algorithm to detect anomalous patterns using pre-processed data. By providing the pre-processed data as input to the anomaly detection model, the server identifies unique patterns and deviant traffic. Machine learning models are then used to extract potentially anomalous data. Simultaneously, known threats are quickly identified by comparing them with existing threat data.
[0409] Step 3:
[0410] The server notifies the information processing device, i.e., the user's terminal, based on the identified threat. The server uses detailed threat information as input to determine the most appropriate notification content and method. If the emotion engine determines that the user is in a high-stress state, the notification is simplified and voice guidance is provided to reduce the user's stress.
[0411] Step 4:
[0412] The server analyzes past incident data to predict potential future threats. Here, accumulated historical data is used as input, and predictive models perform data calculations to analyze trends in new threats. This enables proactive security responses.
[0413] Step 5:
[0414] Users take specific actions based on notifications from the server. In this case, users are provided with direct voice and visual guidance to support them in taking quick and appropriate action. If necessary, the system may automatically take additional protective measures.
[0415] Step 6:
[0416] The server periodically evaluates the security of the AI system itself and maintains protection. The server uses monitoring results and system logs as input to determine updates and patches that can be applied to improve security, and continuously ensures the health of the system.
[0417] The specific processing unit 290 transmits the result of the specific processing to the smart glasses 214. In the smart glasses 214, the control unit 46A causes the speaker 240 to output the result of the specific processing. The microphone 238 acquires audio indicating user input for the result of the specific processing. The control unit 46A transmits the audio data indicating user input acquired by the microphone 238 to the data processing unit 12. In the data processing unit 12, the specific processing unit 290 acquires the audio data.
[0418] Data generation model 58 is a type of so-called generative AI (Artificial Intelligence). One example of data generation model 58 is ChatGPT (Internet search<URL: https: / / openai.com / blog / chatgpt> ), Gemini (Internet search) <url: https: gemini.google.com ?hl="ja">Examples of generative AI include the following. The data generation model 58 is obtained by performing deep learning on a neural network. The data generation model 58 is input with prompts containing instructions, and with inference data such as audio data representing speech, text data representing text, and image data representing images. The data generation model 58 infers from the input inference data according to the instructions indicated by the prompts, and outputs the inference results in data formats such as audio data and text data. Here, inference refers to, for example, analysis, classification, prediction, and / or summarization.
[0419] In the above embodiment, an example was given in which specific processing is performed by the data processing device 12, but the technology of this disclosure is not limited thereto, and the specific processing may also be performed by the smart glasses 214.
[0420] [Third Embodiment]
[0421] Figure 5 shows an example of the configuration of the data processing system 310 according to the third embodiment.
[0422] As shown in Figure 5, the data processing system 310 includes a data processing device 12 and a headset terminal 314. An example of the data processing device 12 is a server.
[0423] The data processing device 12 comprises a computer 22, a database 24, and a communication interface 26. The computer 22 is an example of a "computer" related to the technology of this disclosure. The computer 22 comprises a processor 28, RAM 30, and storage 32. The processor 28, RAM 30, and storage 32 are connected to a bus 34. The database 24 and the communication interface 26 are also connected to the bus 34. The communication interface 26 is connected to a network 54. An example of the network 54 is a WAN (Wide Area Network) and / or a LAN (Local Area Network).
[0424] The headset terminal 314 includes a computer 36, a microphone 238, a speaker 240, a camera 42, a communication interface 44, and a display 343. The computer 36 includes a processor 46, RAM 48, and storage 50. The processor 46, RAM 48, and storage 50 are connected to a bus 52. The microphone 238, speaker 240, camera 42, and display 343 are also connected to the bus 52.
[0425] The microphone 238 receives voice signals from the user 20 and receives instructions from the user 20. The microphone 238 captures the voice signals from the user 20, converts the captured voice into audio data, and outputs it to the processor 46. The speaker 240 outputs audio according to the instructions from the processor 46.
[0426] Camera 42 is a small digital camera equipped with an optical system including a lens, aperture, and shutter, and an image sensor such as a CMOS (Complementary Metal-Oxide-Semiconductor) image sensor or a CCD (Charge Coupled Device) image sensor, and captures images of the area around the user 20 (for example, an imaging range defined by a field of view equivalent to the width of a typical healthy person's field of vision).
[0427] Communication interface 44 is connected to network 54. Communication interfaces 44 and 26 are responsible for the exchange of various information between processor 46 and processor 28 via network 54. The exchange of various information between processor 46 and processor 28 using communication interfaces 44 and 26 is performed in a secure manner.
[0428] Figure 6 shows an example of the main functions of the data processing device 12 and the headset terminal 314. As shown in Figure 6, the data processing device 12 performs specific processing using the processor 28. The storage 32 stores the specific processing program 56.
[0429] The specific processing program 56 is an example of a "program" relating to the technology of this disclosure. The processor 28 reads the specific processing program 56 from the storage 32 and executes the read specific processing program 56 on the RAM 30. The specific processing is realized by the processor 28 operating as a specific processing unit 290 in accordance with the specific processing program 56 executed on the RAM 30.
[0430] The storage 32 stores the data generation model 58 and the emotion identification model 59. The data generation model 58 and the emotion identification model 59 are used by the identification processing unit 290.
[0431] In the headset terminal 314, the processor 46 performs the reception output processing. The storage 50 stores the reception output program 60. The processor 46 reads the reception output program 60 from the storage 50 and executes the read reception output program 60 on the RAM 48. The reception output processing is realized by the processor 46 operating as a control unit 46A according to the reception output program 60 executed on the RAM 48.
[0432] Next, the specific processing performed by the specific processing unit 290 of the data processing device 12 will be described. In the following description, the data processing device 12 will be referred to as the "server" and the headset terminal 314 will be referred to as the "terminal".
[0433] The present invention is implemented by a software platform that is installed on devices and servers that access a network. This platform enables a rapid response to security threats by leveraging AI technology to monitor network traffic in real time and to detect and report anomalies.
[0434] One primary embodiment of this system involves continuously collecting network traffic data and analyzing it immediately using AI algorithms. Specifically, a server captures every data packet transmitted over the network and standardizes its characteristics. This standardized data is then fed into a trained machine learning model to detect patterns of abnormal behavior.
[0435] The server then evaluates whether the detected anomaly matches any known attack profile. If it does, or if an unidentified threat pattern is found, it immediately sends an alert to users and security personnel. For example, if there is communication that deviates from normal traffic volume or access time, it will be notified as a possible sign of unauthorized access.
[0436] When an incident occurs, the terminal automatically performs actions to minimize the impact on the network according to predefined protocols. For example, if malware activity is detected, it automatically isolates the relevant network segment and stops suspicious processes.
[0437] In addition, the server analyzes past incident data, identifies statistical trends and unusual increases, and predicts future threats, which are then incorporated into the organization's security strategy. Users can use this predictive information to proactively take defensive measures against potential attacks.
[0438] Ultimately, the server periodically evaluates the security of the AI system itself and strengthens defensive measures as needed to prevent potential threats to the system. This process is carried out through regular updates of the AI model and patching of vulnerabilities. In this way, the present invention provides consistent security protection in a network environment.
[0439] The following describes the processing flow.
[0440] Step 1:
[0441] The server continuously monitors network traffic and collects all incoming and outgoing data packets, thereby forming a comprehensive dataset of communications within the network.
[0442] Step 2:
[0443] The server preprocesses the collected data, preparing it for analysis. This preprocessing includes standardizing the data format and removing noise and redundant data.
[0444] Step 3:
[0445] The server inputs pre-processed data into an AI algorithm to detect anomalous patterns in real time. The AI algorithm has learned normal traffic patterns and can instantly identify abnormal behavior.
[0446] Step 4:
[0447] The server compares detected anomalies with a database of known threats to identify the threat. This comparison allows for the rapid recognition of known attack methods and their variations.
[0448] Step 5:
[0449] The server notifies the user of the details of the identified threat. The notification includes the type of threat, the network segment in which it occurred, and recommended countermeasures.
[0450] Step 6:
[0451] The terminal automatically takes initial action in response to incidents deemed to be of high urgency. Specifically, it isolates the network segment and stops the malicious process.
[0452] Step 7:
[0453] The server performs predictive analysis based on past incident data. This analysis predicts the emergence of future threats and provides information for taking preventative measures.
[0454] Step 8:
[0455] The server performs regular security assessments of the AI system itself, and updates the system and retrains the models as needed. This maintains the security and accuracy of the AI system.
[0456] (Example 1)
[0457] Next, we will describe Example 1. In the following description, the data processing device 12 will be referred to as the "server," and the headset-type terminal 314 will be referred to as the "terminal."
[0458] In today's information and communication environment, which utilizes networks, the increasing volume and complexity of communication data necessitates early detection and rapid response to unauthorized access and security threats. However, existing methods have limitations in the accuracy and real-time capabilities of detecting abnormal phenomena, and there is also the risk of information leaks and business disruption due to delayed responses. Therefore, innovative technologies are needed to solve these problems.
[0459] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 1 is realized by the following means.
[0460] In this invention, the server includes means for aggregating communication information, means for pre-processing the aggregated information and standardizing its format, and means for executing an artificial intelligence method for detecting abnormal phenomena using the pre-processed information. This makes it possible to detect unauthorized access and potential security threats with high accuracy and in real time, and to deal with them automatically.
[0461] "Communication information" refers to all data packets and their metadata transmitted and received over a network.
[0462] "Preprocessing" refers to the process of standardizing collected raw data and preparing it into an analyzable format.
[0463] "Standardizing a format" refers to the process of transforming data into a unified structure to ensure compatibility with heterogeneous data sources.
[0464] An "abnormal phenomenon" refers to an event that deviates from normal communication patterns or indicates signs of unauthorized access.
[0465] "Artificial intelligence methods" refer to techniques that use computer algorithms, such as machine learning, to process information and solve specific problems.
[0466] "Existing threat intelligence" refers to data on security incidents that have been detected and recorded in the past.
[0467] "Reporting" refers to the act of notifying relevant parties of detected threat information, including any necessary details.
[0468] "Initial corrective action through self-operation" refers to a system autonomously executing a series of actions to correct an anomaly.
[0469] "Isolating a network" refers to the operation of physically or logically separating a specific network segment.
[0470] "Communication rules to stop unauthorized processing" refers to a set of rules designed to block unauthorized data processing and ensure network security.
[0471] This invention is implemented by a platform that is installed on a server connected to a network. The server first collects data in real time using a dedicated tool for aggregating network communication information. In this platform, a "packet capture tool" is typically used to capture communication data.
[0472] The server then preprocesses the aggregated communication data and standardizes the data format. This standardization ensures compatibility between different data sources. Data preprocessing tools are used for this preprocessing; for example, data processing using the Python Pandas library is one possibility.
[0473] Next, the server runs a machine learning model to detect anomalies. Anomalies are those that deviate from the normal communication patterns within the network, and an "anomaly detection algorithm" is used for this purpose. In this platform environment, artificial intelligence libraries such as "TensorFlow" and "PyTorch" are common.
[0474] As a specific example, if a server detects a sudden surge in traffic during a particular time period, it identifies this as an anomaly and compares it with a database of past threat intelligence. If the identified threat matches a known threat profile, a notification is immediately sent to the user or security personnel. A "communication API" is used to send these notifications.
[0475] Furthermore, the server analyzes multiple past incident data to predict future threats. This allows users to take proactive measures based on the predicted risks.
[0476] An example of a prompt message would be, "Please tell me how to detect network traffic anomalies using AI. Please also provide specific library and algorithm names."
[0477] The flow of the specific processing in Example 1 will be explained using Figure 11.
[0478] Step 1:
[0479] The server aggregates network communication information in real time. To do this, the server uses a packet capture tool to obtain header information and payload data packets. It receives raw data from the network as input and saves this data as output to a structured log file. Specifically, the server extracts the necessary metadata (IP address, port number, data size, etc.) from each captured packet and records it in log format.
[0480] Step 2:
[0481] The server preprocesses the aggregated communication data and converts it into a standardized format. This process uses the Python Pandas library to clean and normalize the data. Log files are provided as input, and each data field is organized into a common format. The output is a unified dataset. Specifically, it performs operations such as imputing missing values and filtering outliers to create a data format suitable for analysis.
[0482] Step 3:
[0483] The server runs a machine learning model to detect anomalies using standardized data. This model, built with TensorFlow or PyTorch, outputs deviations from normal communication patterns as scores. The input is a pre-processed dataset, and the output is a list of anomaly scores. Specifically, it performs predictive modeling based on past normal data to determine whether new communication data exceeds the normal range.
[0484] Step 4:
[0485] The server evaluates whether the detected anomaly matches an existing threat database. This evaluation compares anomaly scores using known attack profiles. The inputs are the anomaly scores and the threat database, and the output is the threat identification result. Specifically, a similarity scoring algorithm is used to calculate the degree of match between the anomaly and the threat profile.
[0486] Step 5:
[0487] The server sends alerts to users and security personnel when a threat is identified. It uses a communication API to send notifications via email or SMS. The input is the threat identification result, and the output is an alert message. Specifically, it generates notification messages and logs the transmission history.
[0488] Step 6:
[0489] The terminal performs automated initial response to high-priority incidents. This response includes network isolation and cessation of malicious processes. The input is the result of identifying threats and abnormal behavior, and the output is the system state after the response. Specific actions include updating firewall rules using scripts and forcibly terminating malicious processes.
[0490] Step 7:
[0491] The server analyzes past incident information to predict future threats. Regression analysis and time series analysis are used in this analysis. The input is historical incident data, and the output is a threat prediction report. Specifically, it analyzes the frequency and trends of each incident and visualizes the potential risks.
[0492] (Application Example 1)
[0493] Next, we will explain Application Example 1. In the following explanation, the data processing device 12 will be referred to as the "server," and the headset-type terminal 314 will be referred to as the "terminal."
[0494] Smart device networks are vulnerable to external threats and attacks, posing a high risk to individual users' privacy and data security. Furthermore, existing security systems require specialized knowledge and are not easily accessible to the average user. Additionally, identifying abnormal network activity in real time and providing immediate support to users is difficult, creating a need for simpler and more effective security solutions.
[0495] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 1 is realized by the following means.
[0496] In this invention, the server includes means for monitoring network activity, means for preprocessing and standardizing the format of the monitored data, and means for executing an AI algorithm that detects unique communication patterns using the preprocessed data. This enables users to detect abnormal network activity in real time on their smart devices and take quick and appropriate action.
[0497] "Means of monitoring network activity" refers to functions that analyze communications on a network in real time and identify suspicious activity that deviates from normal activity patterns.
[0498] "Means of standardizing format" refers to a function that standardizes the format and protocol of monitoring data, thereby enabling consistent subsequent analysis processes.
[0499] "A means of executing an AI algorithm to detect unusual communication patterns" refers to a function that utilizes machine learning techniques to identify unusual communication behavior based on standardized data.
[0500] "Means for identifying potential risks" refers to a function that identifies potential risks and issues warnings by comparing detected unique patterns with existing threat intelligence.
[0501] "Means of sending warnings to users" refers to a notification function that immediately informs users that a danger has been detected and prompts them to take appropriate action.
[0502] "Means of automatically executing emergency response" refers to a function that minimizes damage by allowing the system to automatically take initial action immediately in response to detected dangers.
[0503] "Means of performing personal network monitoring" refers to features that monitor network activity on individual users' devices and identify abnormal behavior.
[0504] "Means for notifying the detection of abnormal activity" refers to a function that quickly communicates information to users when unusual network activity is detected.
[0505] "Means for managing excessive data traffic" refers to a function that identifies excessive data traffic when it occurs and warns the user.
[0506] The system implementing this invention is primarily composed of a software application installed on a mobile device such as a smartphone. The server has a data collection module for monitoring network activity in real time and standardizes this data through a format unification module. The standardized data is analyzed through an AI algorithm that detects unique communication patterns, and anomalies are identified using machine learning techniques. This process is realized using platforms such as TensorFlow and PyTorch.
[0507] The device is equipped with a notification system that immediately sends a warning to the user if abnormal activity is detected. This notification is triggered when excessive data traffic is detected or when suspicious background communication occurs. Furthermore, the system has the ability to automatically take initial action based on the identified threat, such as controlling the network segment or stopping processes.
[0508] For example, if a user's smartphone suddenly starts a large amount of data communication at night, this system will detect this as an anomaly and immediately notify the user. At this point, the user will be given the choice of continuing or stopping the communication. Furthermore, based on the user's past communication patterns, it is possible to proactively strengthen vigilance against predicted future threats.
[0509] An example of a prompt message is: "Immediately detect any activity on the user's smartphone that deviates from the normal network traffic pattern and display a warning to the user."
[0510] The flow of a specific process in Application Example 1 will be explained using Figure 12.
[0511] Step 1:
[0512] The server collects network traffic data from terminals in real time through a network monitoring module. The input to this process is raw packet data sent from terminals, and the output is an unstructured traffic dataset.
[0513] Step 2:
[0514] The server preprocesses and standardizes the collected traffic data using a format unification module. The input is raw traffic data, and the output is a standardized dataset. During this process, the data is filtered and converted into the necessary protocol information.
[0515] Step 3:
[0516] The server feeds pre-processed data to an AI algorithm for analysis to detect unique communication patterns. The input for this step is standardized data, and the output is the items identified as unique communication patterns. Machine learning models (TensorFlow or PyTorch) are used here.
[0517] Step 4:
[0518] The server compares detected unusual communication patterns with a database of known threats to identify potential dangers. Input is data on the unusual patterns, and output is information about potential threats. This information is compared and evaluated in real time.
[0519] Step 5:
[0520] The terminal receives potential threat information sent from the server and sends a warning to the user. The input is the potential threat information, and the output is the notification message to the user. The notification system immediately displays this message on the user's display.
[0521] Step 6:
[0522] The user receives a warning through a notification on their device and decides whether to continue or stop network communication based on that information. The input is the notification message, and the output is the user's selected action. This action determines whether the device continues or interrupts communication.
[0523] Furthermore, an emotion engine that estimates the user's emotions may be incorporated. That is, the identification processing unit 290 may use the emotion identification model 59 to estimate the user's emotions and perform identification processing using the user's emotions.
[0524] This invention integrates an emotion engine into a network security system to enable threat detection and incident response based on the user's emotional state. In addition to its basic functions of monitoring network traffic in real time and detecting anomalies with AI algorithms, the system aims to automate appropriate responses by analyzing the user's emotions.
[0525] This system first has a server collect and preprocess network traffic data, and then uses a machine learning model to identify anomalous patterns. When an anomaly is detected, the server compares it with known threat data and identifies the detected pattern as a threat. After this identification, the server uses an emotion engine to analyze the user's emotional state. For example, it recognizes emotions such as stress and anxiety based on historical data and real-time user activity logs.
[0526] Based on recognized emotions, the server optimizes the content and method of threat notifications. For example, if a user is experiencing high stress, the notification content is simplified, and a message encouraging a calm response is sent. The emotion engine can also adjust the notification frequency based on user responses, customizing the system to reduce stress.
[0527] Furthermore, the device automatically takes initial action in the event of an incident deemed to be of high urgency. In this process, the device considers the output of the emotion engine and proceeds with the response in a way that minimizes the burden on the user. For example, it can switch the notification method from visual display to voice guidance.
[0528] Finally, to ensure the security of the AI system itself, the server undergoes regular evaluation and updates, aiming to improve the accuracy of the emotion engine while strengthening security. In this way, an intelligent network security system that takes into account the user's emotional state is realized.
[0529] The following describes the processing flow.
[0530] Step 1:
[0531] The server continuously collects network traffic data and performs extensive analysis of each packet's details to gain a complete understanding of the data.
[0532] Step 2:
[0533] The server performs preprocessing to optimize the collected traffic data and convert it into a well-organized format. This includes noise reduction and supplementing incomplete data.
[0534] Step 3:
[0535] The server supplies pre-processed data to an AI algorithm to detect anomalies. The algorithm identifies deviant patterns in real time by comparing them to a model of normal operation.
[0536] Step 4:
[0537] The server compares detected anomaly patterns with a threat database to identify threats. This process enables the identification of both existing and new threats.
[0538] Step 5:
[0539] The server activates the sentiment engine in response to identified threats and evaluates the user's emotional state. Sentiment analysis is performed based on user activity logs and past interaction data.
[0540] Step 6:
[0541] The server adjusts the content and method of threat notifications based on the output of the emotion engine. If the user is under stress, it simplifies the information and creates messages that reduce mental burden.
[0542] Step 7:
[0543] The terminal automatically responds to high-priority incidents, implementing protocols to isolate the network segment on the terminal or halt malicious processes. The user's emotional state is taken into consideration when selecting these protocols.
[0544] Step 8:
[0545] The server performs regular security assessments and updates on its AI system. This continuously improves the accuracy and security of the AI system, and strengthens the overall system, including the emotion engine.
[0546] (Example 2)
[0547] Next, we will describe Example 2. In the following description, the data processing device 12 will be referred to as the "server," and the headset-type terminal 314 will be referred to as the "terminal."
[0548] Conventional network security systems have lacked sufficient real-time responsiveness in detecting network anomalies and responding to incidents, as well as consideration for the psychological stress experienced by users. In particular, while rapid anomaly identification, appropriate warning provision, and advanced automated initial response are required, responses that take into account the emotional state of users are also necessary. This invention aims to solve these problems and realize advanced security measures without burdening users.
[0549] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 2 is realized by the following means.
[0550] In this invention, the server includes means for monitoring data communication, means for formatting and standardizing the monitored data, and means for running an algorithm for identifying anomalies. This enables immediate detection of anomalies and automatic, user-friendly responses.
[0551] "Data communication" refers to electrical or optical processes used to send and receive information.
[0552] "Monitoring" is the act of observing something over a set period of time to confirm the occurrence of anomalies or specific events.
[0553] "Formatting" refers to the process of converting raw data into a specific format or structure.
[0554] "Standardizing the format" means unifying the way data is represented and its structure.
[0555] "Abnormal" refers to an action or state that deviates from normal operation or condition.
[0556] An "algorithm" is a set of computational steps designed to solve a specific problem.
[0557] "To be operational" refers to a state in which a system or process is running.
[0558] A "server" is a computer system that provides data and services over a network.
[0559] This invention relates to a system that improves anomaly detection and incident response in network security systems. The system includes data communication monitoring, data formatting, operation of anomaly identification algorithms, real-time notification, notification optimization through sentiment analysis, and an automatic initial response function.
[0560] The server sends and receives information over the network. Specifically, it runs on a general-purpose computer system and intercepts network traffic using monitoring tools. The hardware requires a suitable processor and storage to manage network communications. For software, commonly used communication protocol analysis tools, such as Wireshark, are used for monitoring. Learning frameworks such as TensorFlow and PyTorch are utilized for data shaping and anomaly detection.
[0561] After detecting an anomaly, the server uses an emotion analysis engine to analyze the user's emotional state and optimize the content and method of notifications. This emotion analysis engine operates based on past user operation logs and real-time user interaction data. The engine uses the data to train an emotion model and infer the user's stress and anxiety.
[0562] The device notifies the user of an incident and, if necessary, provides voice guidance and performs automated recovery operations. The device is designed to minimize the burden on the user according to their situation and has features that simplify the interface format.
[0563] As a concrete example, let's consider a scenario where an unauthorized access attempt is made to a company's network. The server immediately detects the anomaly and, through a sentiment analysis engine, notifies the user of a message such as, "A network problem has been detected. We are automatically handling it, so please rest assured." in order to minimize the stress the user may experience.
[0564] The following prompt statements can be used as example inputs to a generative AI model:
[0565] "Please provide a detailed explanation of how anomalies in network traffic data are detected."
[0566] "Please explain the mechanism of the AI algorithm that analyzes user emotions."
[0567] "Please tell me what to do if the emotional engine detects a high-stress state."
[0568] The flow of the specific processing in Example 2 will be explained using Figure 13.
[0569] Step 1:
[0570] The server monitors network traffic. It receives real-time data communication information as input and captures each communication packet using monitoring tools. This data includes destination IP address, communication protocol, and packet size. The server formats this data and converts it into a format suitable for anomaly detection algorithms. It then generates formatted network traffic data as output.
[0571] Step 2:
[0572] The server inputs formatted network traffic data into a machine learning model to detect anomalous patterns. The input is the formatted data obtained in step 1, and the server uses TensorFlow to identify anomalies in real time. The model identifies behaviors that are considered anomalous compared to normal communication patterns. The output is the identified results showing the anomalous patterns.
[0573] Step 3:
[0574] When an anomaly is detected, the server uses an emotion analysis engine to analyze the user's emotional state. Input includes the user's past operation log data and current real-time activity data. The server uses a trained model to estimate the user's stress and anxiety levels. This analysis generates output data indicating the user's emotional state.
[0575] Step 4:
[0576] The server optimizes the content and method of incident notifications based on the identified anomalies and emotional states. The inputs used are the anomaly data obtained in step 2 and the emotional state data from step 3. The server adjusts the notification content, for example, to create a simple message such as "Please remain calm." The output is the optimized notification message.
[0577] Step 5:
[0578] If the anomaly is deemed to be of high urgency, the terminal automatically takes initial action. The input is emergency incident information sent from the server. The terminal takes measures such as modifying firewall rules, stopping malicious processes, or notifying the user with voice guidance. The output is the result of the initial action taken.
[0579] Step 6:
[0580] Periodically, the server performs a system-wide security assessment and updates the model. The input is the current system state and the latest security patch information. The server reassessss security based on the assessment criteria and retrains the generated AI model as needed. The output is an enhanced security configuration and an updated model.
[0581] (Application Example 2)
[0582] Next, we will explain application example 2. In the following explanation, the data processing device 12 will be referred to as the "server," and the headset-type terminal 314 will be referred to as the "terminal."
[0583] In recent years, with the advancement of information technology, information processing via networks has become more diverse, but at the same time, unauthorized access and threats using networks have increased. In particular, as the need for immediate response to cyberattacks increases, conventional network security systems have been insufficient in terms of notifications and responses that take into account the emotional state of users, which has led to increased mental burden on users. The present invention aims to solve this problem.
[0584] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 2 is realized by the following means.
[0585] In this invention, the server includes means for collecting network traffic data, means for preprocessing and standardizing the format of the collected data, means for executing an algorithm for detecting abnormal patterns using the preprocessed data, means for comparing the abnormal patterns with existing threat data to identify threats, means for notifying related information processing devices based on the identified threats, means for automatically performing initial responses to high-priority events, means for analyzing past event data to predict future threats, means for analyzing the emotional state of system users and optimizing notification content and methods, means for reducing emotional burden by adjusting notifications based on user operation logs, means for switching notifications from visual displays to voice guidance in the event of anomaly detection according to the emotional state of system users, and means for evaluating and protecting the security of the AI system itself. As a result, anomaly detection and incident response are optimized to the user's emotional state, enabling more effective and less burdensome security responses.
[0586] "Network traffic data" refers to the flow of data communicated between information processing devices, and this data is collected for analysis and monitoring purposes.
[0587] "Preprocessing" refers to the initial data processing steps performed to convert raw data into a format that is easy to analyze, and includes standardizing data formats and removing noise.
[0588] An "anomalous pattern" refers to unusual behavior or data characteristics that deviate from normal data or operations, suggesting potential threats or problems.
[0589] An "algorithm" refers to a series of computational steps or rules, and is a processing method designed to solve a specific problem.
[0590] A "threat" refers to any factor that could potentially or actually cause harm to a network or information system, including unauthorized access to or tampering with data.
[0591] An "information processing device" refers to an electronic device used for acquiring, processing, storing, and transmitting data, and usually includes a computer system.
[0592] An "incident" refers to an unexpected event in an information system that may disrupt the operation of the system.
[0593] "Emotional state" refers to the mental or psychological condition of a user of an information processing device, and includes the user's emotional responses, such as stress and anxiety.
[0594] "Voice guidance" refers to a means of transmitting information by voice, providing instructions and notifications to users as an alternative to visual information.
[0595] A "learning model" refers to a mathematical or statistical model that learns regularities and patterns from large amounts of data and uses them to make predictions and judgments about new data.
[0596] The system that realizes this invention consists of a server and an information processing device. The server is responsible for collecting network traffic data and preprocessing the collected data to standardize its format. The server also executes an algorithm to detect anomalous patterns using the preprocessed data and identifies threats by comparing the anomalous patterns with existing threat data. The identified threats are notified to the information processing device, and in the case of high-priority events, the server automatically takes initial action.
[0597] Furthermore, the server analyzes past event data to predict future threats. This process utilizes a data analysis learning model. The server also analyzes the emotional state of system users to optimize notification content and methods. By adjusting notifications based on user operation logs, care is taken to reduce the emotional burden on users. Specifically, if a user is determined to be in a high-stress state, it is possible to switch the notification of anomaly detection from a visual display to an audio guidance.
[0598] In this embodiment, anomaly detection and incident response are optimized based on the user's emotional state. The server is designed to periodically evaluate the security of the AI system itself, improving the accuracy of emotional state analysis while protecting security.
[0599] As a concrete example, consider an application for securely managing email communication within a company. This application monitors abnormal traffic both inside and outside the corporate network in real time and provides appropriate guidance tailored to the user's emotional state when an employee is subjected to a phishing attack or similar threat. For example, if the application determines that a user is in a high-stress state, it would notify them via voice with a concise message such as, "Warning: There are security concerns. Do not click on the link."
[0600] The following prompt statements can be used as examples of input to the generative AI model.
[0601] "I want to detect abnormal network activity and analyze the associated sentiment in order to tailor security notifications based on the user's emotional state. Please provide detailed instructions on the best way to implement this."
[0602] The flow of a specific process in Application Example 2 will be explained using Figure 14.
[0603] Step 1:
[0604] The server collects network traffic data in real time. This data includes user communication information and access logs. The server receives this raw data and preprocesses it to standardize its format. Specifically, it converts the data's format and removes unnecessary noise to make it easier to process later.
[0605] Step 2:
[0606] The server runs an algorithm to detect anomalous patterns using pre-processed data. By providing the pre-processed data as input to the anomaly detection model, the server identifies unique patterns and deviant traffic. Machine learning models are then used to extract potentially anomalous data. Simultaneously, known threats are quickly identified by comparing them with existing threat data.
[0607] Step 3:
[0608] The server notifies the information processing device, i.e., the user's terminal, based on the identified threat. The server uses detailed threat information as input to determine the most appropriate notification content and method. If the emotion engine determines that the user is in a high-stress state, the notification is simplified and voice guidance is provided to reduce the user's stress.
[0609] Step 4:
[0610] The server analyzes past incident data to predict potential future threats. Here, accumulated historical data is used as input, and predictive models perform data calculations to analyze trends in new threats. This enables proactive security responses.
[0611] Step 5:
[0612] Users take specific actions based on notifications from the server. In this case, users are provided with direct voice and visual guidance to support them in taking quick and appropriate action. If necessary, the system may automatically take additional protective measures.
[0613] Step 6:
[0614] The server periodically evaluates the security of the AI system itself and maintains protection. The server uses monitoring results and system logs as input to determine updates and patches that can be applied to improve security, and continuously ensures the health of the system.
[0615] The specific processing unit 290 transmits the result of the specific processing to the headset terminal 314. In the headset terminal 314, the control unit 46A causes the speaker 240 and display 343 to output the result of the specific processing. The microphone 238 acquires audio indicating user input for the result of the specific processing. The control unit 46A transmits the audio data indicating user input acquired by the microphone 238 to the data processing unit 12. In the data processing unit 12, the specific processing unit 290 acquires the audio data.
[0616] Data generation model 58 is a type of so-called generative AI (Artificial Intelligence). One example of data generation model 58 is ChatGPT (Internet search<URL: https: / / openai.com / blog / chatgpt> ), Gemini (Internet search) <url: https: gemini.google.com ?hl="ja">Examples of generative AI include the following. The data generation model 58 is obtained by performing deep learning on a neural network. The data generation model 58 is input with prompts containing instructions, and with inference data such as audio data representing speech, text data representing text, and image data representing images. The data generation model 58 infers from the input inference data according to the instructions indicated by the prompts, and outputs the inference results in data formats such as audio data and text data. Here, inference refers to, for example, analysis, classification, prediction, and / or summarization.
[0617] In the above embodiment, an example was given in which specific processing is performed by the data processing device 12, but the technology of this disclosure is not limited thereto, and specific processing may also be performed by the headset terminal 314.
[0618] [Fourth Embodiment]
[0619] Figure 7 shows an example of the configuration of the data processing system 410 according to the fourth embodiment.
[0620] As shown in Figure 7, the data processing system 410 includes a data processing device 12 and a robot 414. An example of the data processing device 12 is a server.
[0621] The data processing device 12 comprises a computer 22, a database 24, and a communication interface 26. The computer 22 is an example of a "computer" related to the technology of this disclosure. The computer 22 comprises a processor 28, RAM 30, and storage 32. The processor 28, RAM 30, and storage 32 are connected to a bus 34. The database 24 and the communication interface 26 are also connected to the bus 34. The communication interface 26 is connected to a network 54. An example of the network 54 is a WAN (Wide Area Network) and / or a LAN (Local Area Network).
[0622] The robot 414 includes a computer 36, a microphone 238, a speaker 240, a camera 42, a communication interface 44, and a controlled object 443. The computer 36 includes a processor 46, RAM 48, and storage 50. The processor 46, RAM 48, and storage 50 are connected to a bus 52. The microphone 238, speaker 240, camera 42, and controlled object 443 are also connected to the bus 52.
[0623] The microphone 238 receives voice signals from the user 20 and receives instructions from the user 20. The microphone 238 captures the voice signals from the user 20, converts the captured voice into audio data, and outputs it to the processor 46. The speaker 240 outputs audio according to the instructions from the processor 46.
[0624] Camera 42 is a small digital camera equipped with an optical system including a lens, aperture, and shutter, and an image sensor such as a CMOS (Complementary Metal-Oxide-Semiconductor) image sensor or a CCD (Charge Coupled Device) image sensor, and captures images of the area around the user 20 (for example, an imaging range defined by a field of view equivalent to the width of a typical healthy person's field of vision).
[0625] Communication interface 44 is connected to network 54. Communication interfaces 44 and 26 are responsible for the exchange of various information between processor 46 and processor 28 via network 54. The exchange of various information between processor 46 and processor 28 using communication interfaces 44 and 26 is performed in a secure manner.
[0626] The controlled object 443 includes a display device, LEDs in the eyes, and motors that drive the arms, hands, and feet. The posture and gestures of the robot 414 are controlled by controlling the motors of the arms, hands, and feet. Some of the robot 414's emotions can be expressed by controlling these motors. Furthermore, the robot 414's facial expressions can also be expressed by controlling the illumination state of the LEDs in its eyes.
[0627] Figure 8 shows an example of the main functions of the data processing device 12 and the robot 414. As shown in Figure 8, the data processing device 12 performs specific processing using the processor 28. The storage 32 stores the specific processing program 56.
[0628] The specific processing program 56 is an example of a "program" relating to the technology of this disclosure. The processor 28 reads the specific processing program 56 from the storage 32 and executes the read specific processing program 56 on the RAM 30. The specific processing is realized by the processor 28 operating as a specific processing unit 290 in accordance with the specific processing program 56 executed on the RAM 30.
[0629] The storage 32 stores the data generation model 58 and the emotion identification model 59. The data generation model 58 and the emotion identification model 59 are used by the identification processing unit 290.
[0630] In robot 414, the processor 46 performs the reception output processing. The storage 50 stores the reception output program 60. The processor 46 reads the reception output program 60 from the storage 50 and executes the read reception output program 60 on the RAM 48. The reception output processing is realized by the processor 46 operating as a control unit 46A according to the reception output program 60 executed on the RAM 48.
[0631] Next, the specific processing performed by the specific processing unit 290 of the data processing device 12 will be described. In the following description, the data processing device 12 will be referred to as the "server" and the robot 414 as the "terminal".
[0632] The present invention is implemented by a software platform that is installed on devices and servers that access a network. This platform enables a rapid response to security threats by leveraging AI technology to monitor network traffic in real time and to detect and report anomalies.
[0633] One primary embodiment of this system involves continuously collecting network traffic data and analyzing it immediately using AI algorithms. Specifically, a server captures every data packet transmitted over the network and standardizes its characteristics. This standardized data is then fed into a trained machine learning model to detect patterns of abnormal behavior.
[0634] The server then evaluates whether the detected anomaly matches any known attack profile. If it does, or if an unidentified threat pattern is found, it immediately sends an alert to users and security personnel. For example, if there is communication that deviates from normal traffic volume or access time, it will be notified as a possible sign of unauthorized access.
[0635] When an incident occurs, the terminal automatically performs actions to minimize the impact on the network according to predefined protocols. For example, if malware activity is detected, it automatically isolates the relevant network segment and stops suspicious processes.
[0636] In addition, the server analyzes past incident data, identifies statistical trends and unusual increases, and predicts future threats, which are then incorporated into the organization's security strategy. Users can use this predictive information to proactively take defensive measures against potential attacks.
[0637] Ultimately, the server periodically evaluates the security of the AI system itself and strengthens defensive measures as needed to prevent potential threats to the system. This process is carried out through regular updates of the AI model and patching of vulnerabilities. In this way, the present invention provides consistent security protection in a network environment.
[0638] The following describes the processing flow.
[0639] Step 1:
[0640] The server continuously monitors network traffic and collects all incoming and outgoing data packets, thereby forming a comprehensive dataset of communications within the network.
[0641] Step 2:
[0642] The server preprocesses the collected data, preparing it for analysis. This preprocessing includes standardizing the data format and removing noise and redundant data.
[0643] Step 3:
[0644] The server inputs pre-processed data into an AI algorithm to detect anomalous patterns in real time. The AI algorithm has learned normal traffic patterns and can instantly identify abnormal behavior.
[0645] Step 4:
[0646] The server compares detected anomalies with a database of known threats to identify the threat. This comparison allows for the rapid recognition of known attack methods and their variations.
[0647] Step 5:
[0648] The server notifies the user of the details of the identified threat. The notification includes the type of threat, the network segment in which it occurred, and recommended countermeasures.
[0649] Step 6:
[0650] The terminal automatically takes initial action in response to incidents deemed to be of high urgency. Specifically, it isolates the network segment and stops the malicious process.
[0651] Step 7:
[0652] The server performs predictive analysis based on past incident data. This analysis predicts the emergence of future threats and provides information for taking preventative measures.
[0653] Step 8:
[0654] The server performs regular security assessments of the AI system itself, and updates the system and retrains the models as needed. This maintains the security and accuracy of the AI system.
[0655] (Example 1)
[0656] Next, we will describe Example 1. In the following description, the data processing device 12 will be referred to as the "server" and the robot 414 as the "terminal".
[0657] In today's information and communication environment, which utilizes networks, the increasing volume and complexity of communication data necessitates early detection and rapid response to unauthorized access and security threats. However, existing methods have limitations in the accuracy and real-time capabilities of detecting abnormal phenomena, and there is also the risk of information leaks and business disruption due to delayed responses. Therefore, innovative technologies are needed to solve these problems.
[0658] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 1 is realized by the following means.
[0659] In this invention, the server includes means for aggregating communication information, means for pre-processing the aggregated information and standardizing its format, and means for executing an artificial intelligence method for detecting abnormal phenomena using the pre-processed information. This makes it possible to detect unauthorized access and potential security threats with high accuracy and in real time, and to deal with them automatically.
[0660] "Communication information" refers to all data packets and their metadata transmitted and received over a network.
[0661] "Preprocessing" refers to the process of standardizing collected raw data and preparing it into an analyzable format.
[0662] "Standardizing a format" refers to the process of transforming data into a unified structure to ensure compatibility with heterogeneous data sources.
[0663] An "abnormal phenomenon" refers to an event that deviates from normal communication patterns or indicates signs of unauthorized access.
[0664] "Artificial intelligence methods" refer to techniques that use computer algorithms, such as machine learning, to process information and solve specific problems.
[0665] "Existing threat intelligence" refers to data on security incidents that have been detected and recorded in the past.
[0666] "Reporting" refers to the act of notifying relevant parties of detected threat information, including any necessary details.
[0667] "Initial corrective action through self-operation" refers to a system autonomously executing a series of actions to correct an anomaly.
[0668] "Isolating a network" refers to the operation of physically or logically separating a specific network segment.
[0669] "Communication rules to stop unauthorized processing" refers to a set of rules designed to block unauthorized data processing and ensure network security.
[0670] This invention is implemented by a platform that is installed on a server connected to a network. The server first collects data in real time using a dedicated tool for aggregating network communication information. In this platform, a "packet capture tool" is typically used to capture communication data.
[0671] The server then preprocesses the aggregated communication data and standardizes the data format. This standardization ensures compatibility between different data sources. Data preprocessing tools are used for this preprocessing; for example, data processing using the Python Pandas library is one possibility.
[0672] Next, the server runs a machine learning model to detect anomalies. Anomalies are those that deviate from the normal communication patterns within the network, and an "anomaly detection algorithm" is used for this purpose. In this platform environment, artificial intelligence libraries such as "TensorFlow" and "PyTorch" are common.
[0673] As a specific example, if a server detects a sudden surge in traffic during a particular time period, it identifies this as an anomaly and compares it with a database of past threat intelligence. If the identified threat matches a known threat profile, a notification is immediately sent to the user or security personnel. A "communication API" is used to send these notifications.
[0674] Furthermore, the server analyzes multiple past incident data to predict future threats. This allows users to take proactive measures based on the predicted risks.
[0675] An example of a prompt message would be, "Please tell me how to detect network traffic anomalies using AI. Please also provide specific library and algorithm names."
[0676] The flow of the specific processing in Example 1 will be explained using Figure 11.
[0677] Step 1:
[0678] The server aggregates network communication information in real time. To do this, the server uses a packet capture tool to obtain header information and payload data packets. It receives raw data from the network as input and saves this data as output to a structured log file. Specifically, the server extracts the necessary metadata (IP address, port number, data size, etc.) from each captured packet and records it in log format.
[0679] Step 2:
[0680] The server preprocesses the aggregated communication data and converts it into a standardized format. This process uses the Python Pandas library to clean and normalize the data. Log files are provided as input, and each data field is organized into a common format. The output is a unified dataset. Specifically, it performs operations such as imputing missing values and filtering outliers to create a data format suitable for analysis.
[0681] Step 3:
[0682] The server runs a machine learning model to detect anomalies using standardized data. This model, built with TensorFlow or PyTorch, outputs deviations from normal communication patterns as scores. The input is a pre-processed dataset, and the output is a list of anomaly scores. Specifically, it performs predictive modeling based on past normal data to determine whether new communication data exceeds the normal range.
[0683] Step 4:
[0684] The server evaluates whether the detected anomaly matches an existing threat database. This evaluation compares anomaly scores using known attack profiles. The inputs are the anomaly scores and the threat database, and the output is the threat identification result. Specifically, a similarity scoring algorithm is used to calculate the degree of match between the anomaly and the threat profile.
[0685] Step 5:
[0686] The server sends alerts to users and security personnel when a threat is identified. It uses a communication API to send notifications via email or SMS. The input is the threat identification result, and the output is an alert message. Specifically, it generates notification messages and logs the transmission history.
[0687] Step 6:
[0688] The terminal performs automated initial response to high-priority incidents. This response includes network isolation and cessation of malicious processes. The input is the result of identifying threats and abnormal behavior, and the output is the system state after the response. Specific actions include updating firewall rules using scripts and forcibly terminating malicious processes.
[0689] Step 7:
[0690] The server analyzes past incident information to predict future threats. Regression analysis and time series analysis are used in this analysis. The input is historical incident data, and the output is a threat prediction report. Specifically, it analyzes the frequency and trends of each incident and visualizes the potential risks.
[0691] (Application Example 1)
[0692] Next, we will explain Application Example 1. In the following explanation, the data processing device 12 will be referred to as the "server" and the robot 414 as the "terminal".
[0693] Smart device networks are vulnerable to external threats and attacks, posing a high risk to individual users' privacy and data security. Furthermore, existing security systems require specialized knowledge and are not easily accessible to the average user. Additionally, identifying abnormal network activity in real time and providing immediate support to users is difficult, creating a need for simpler and more effective security solutions.
[0694] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 1 is realized by the following means.
[0695] In this invention, the server includes means for monitoring network activity, means for preprocessing and standardizing the format of the monitored data, and means for executing an AI algorithm that detects unique communication patterns using the preprocessed data. This enables users to detect abnormal network activity in real time on their smart devices and take quick and appropriate action.
[0696] "Means of monitoring network activity" refers to functions that analyze communications on a network in real time and identify suspicious activity that deviates from normal activity patterns.
[0697] "Means of standardizing format" refers to a function that standardizes the format and protocol of monitoring data, thereby enabling consistent subsequent analysis processes.
[0698] "A means of executing an AI algorithm to detect unusual communication patterns" refers to a function that utilizes machine learning techniques to identify unusual communication behavior based on standardized data.
[0699] "Means for identifying potential risks" refers to a function that identifies potential risks and issues warnings by comparing detected unique patterns with existing threat intelligence.
[0700] "Means of sending warnings to users" refers to a notification function that immediately informs users that a danger has been detected and prompts them to take appropriate action.
[0701] "Means of automatically executing emergency response" refers to a function that minimizes damage by allowing the system to automatically take initial action immediately in response to detected dangers.
[0702] "Means of performing personal network monitoring" refers to features that monitor network activity on individual users' devices and identify abnormal behavior.
[0703] "Means for notifying the detection of abnormal activity" refers to a function that quickly communicates information to users when unusual network activity is detected.
[0704] "Means for managing excessive data traffic" refers to a function that identifies excessive data traffic when it occurs and warns the user.
[0705] The system implementing this invention is primarily composed of a software application installed on a mobile device such as a smartphone. The server has a data collection module for monitoring network activity in real time and standardizes this data through a format unification module. The standardized data is analyzed through an AI algorithm that detects unique communication patterns, and anomalies are identified using machine learning techniques. This process is realized using platforms such as TensorFlow and PyTorch.
[0706] The device is equipped with a notification system that immediately sends a warning to the user if abnormal activity is detected. This notification is triggered when excessive data traffic is detected or when suspicious background communication occurs. Furthermore, the system has the ability to automatically take initial action based on the identified threat, such as controlling the network segment or stopping processes.
[0707] For example, if a user's smartphone suddenly starts a large amount of data communication at night, this system will detect this as an anomaly and immediately notify the user. At this point, the user will be given the choice of continuing or stopping the communication. Furthermore, based on the user's past communication patterns, it is possible to proactively strengthen vigilance against predicted future threats.
[0708] An example of a prompt message is: "Immediately detect any activity on the user's smartphone that deviates from the normal network traffic pattern and display a warning to the user."
[0709] The flow of a specific process in Application Example 1 will be explained using Figure 12.
[0710] Step 1:
[0711] The server collects network traffic data from terminals in real time through a network monitoring module. The input to this process is raw packet data sent from terminals, and the output is an unstructured traffic dataset.
[0712] Step 2:
[0713] The server preprocesses and standardizes the collected traffic data using a format unification module. The input is raw traffic data, and the output is a standardized dataset. During this process, the data is filtered and converted into the necessary protocol information.
[0714] Step 3:
[0715] The server feeds pre-processed data to an AI algorithm for analysis to detect unique communication patterns. The input for this step is standardized data, and the output is the items identified as unique communication patterns. Machine learning models (TensorFlow or PyTorch) are used here.
[0716] Step 4:
[0717] The server compares detected unusual communication patterns with a database of known threats to identify potential dangers. Input is data on the unusual patterns, and output is information about potential threats. This information is compared and evaluated in real time.
[0718] Step 5:
[0719] The terminal receives potential threat information sent from the server and sends a warning to the user. The input is the potential threat information, and the output is the notification message to the user. The notification system immediately displays this message on the user's display.
[0720] Step 6:
[0721] The user receives a warning through a notification on their device and decides whether to continue or stop network communication based on that information. The input is the notification message, and the output is the user's selected action. This action determines whether the device continues or interrupts communication.
[0722] Furthermore, an emotion engine that estimates the user's emotions may be incorporated. That is, the identification processing unit 290 may use the emotion identification model 59 to estimate the user's emotions and perform identification processing using the user's emotions.
[0723] This invention integrates an emotion engine into a network security system to enable threat detection and incident response based on the user's emotional state. In addition to its basic functions of monitoring network traffic in real time and detecting anomalies with AI algorithms, the system aims to automate appropriate responses by analyzing the user's emotions.
[0724] This system first has a server collect and preprocess network traffic data, and then uses a machine learning model to identify anomalous patterns. When an anomaly is detected, the server compares it with known threat data and identifies the detected pattern as a threat. After this identification, the server uses an emotion engine to analyze the user's emotional state. For example, it recognizes emotions such as stress and anxiety based on historical data and real-time user activity logs.
[0725] Based on recognized emotions, the server optimizes the content and method of threat notifications. For example, if a user is experiencing high stress, the notification content is simplified, and a message encouraging a calm response is sent. The emotion engine can also adjust the notification frequency based on user responses, customizing the system to reduce stress.
[0726] Furthermore, the device automatically takes initial action in the event of an incident deemed to be of high urgency. In this process, the device considers the output of the emotion engine and proceeds with the response in a way that minimizes the burden on the user. For example, it can switch the notification method from visual display to voice guidance.
[0727] Finally, to ensure the security of the AI system itself, the server undergoes regular evaluation and updates, aiming to improve the accuracy of the emotion engine while strengthening security. In this way, an intelligent network security system that takes into account the user's emotional state is realized.
[0728] The following describes the processing flow.
[0729] Step 1:
[0730] The server continuously collects network traffic data and performs extensive analysis of each packet's details to gain a complete understanding of the data.
[0731] Step 2:
[0732] The server performs preprocessing to optimize the collected traffic data and convert it into a well-organized format. This includes noise reduction and supplementing incomplete data.
[0733] Step 3:
[0734] The server supplies pre-processed data to an AI algorithm to detect anomalies. The algorithm identifies deviant patterns in real time by comparing them to a model of normal operation.
[0735] Step 4:
[0736] The server compares detected anomaly patterns with a threat database to identify threats. This process enables the identification of both existing and new threats.
[0737] Step 5:
[0738] The server activates the sentiment engine in response to identified threats and evaluates the user's emotional state. Sentiment analysis is performed based on user activity logs and past interaction data.
[0739] Step 6:
[0740] The server adjusts the content and method of threat notifications based on the output of the emotion engine. If the user is under stress, it simplifies the information and creates messages that reduce mental burden.
[0741] Step 7:
[0742] The terminal automatically responds to high-priority incidents, implementing protocols to isolate the network segment on the terminal or halt malicious processes. The user's emotional state is taken into consideration when selecting these protocols.
[0743] Step 8:
[0744] The server performs regular security assessments and updates on its AI system. This continuously improves the accuracy and security of the AI system, and strengthens the overall system, including the emotion engine.
[0745] (Example 2)
[0746] Next, we will describe Example 2. In the following description, the data processing device 12 will be referred to as the "server" and the robot 414 as the "terminal".
[0747] Conventional network security systems have lacked sufficient real-time responsiveness in detecting network anomalies and responding to incidents, as well as consideration for the psychological stress experienced by users. In particular, while rapid anomaly identification, appropriate warning provision, and advanced automated initial response are required, responses that take into account the emotional state of users are also necessary. This invention aims to solve these problems and realize advanced security measures without burdening users.
[0748] The identification process performed by the identification processing unit 290 of the data processing device 12 in Example 2 is realized by the following means.
[0749] In this invention, the server includes means for monitoring data communication, means for formatting and standardizing the monitored data, and means for running an algorithm for identifying anomalies. This enables immediate detection of anomalies and automatic, user-friendly responses.
[0750] "Data communication" refers to electrical or optical processes used to send and receive information.
[0751] "Monitoring" is the act of observing something over a set period of time to confirm the occurrence of anomalies or specific events.
[0752] "Formatting" refers to the process of converting raw data into a specific format or structure.
[0753] "Standardizing the format" means unifying the way data is represented and its structure.
[0754] "Abnormal" refers to an action or state that deviates from normal operation or condition.
[0755] An "algorithm" is a set of computational steps designed to solve a specific problem.
[0756] "To be operational" refers to a state in which a system or process is running.
[0757] A "server" is a computer system that provides data and services over a network.
[0758] This invention relates to a system that improves anomaly detection and incident response in network security systems. The system includes data communication monitoring, data formatting, operation of anomaly identification algorithms, real-time notification, notification optimization through sentiment analysis, and an automatic initial response function.
[0759] The server sends and receives information over the network. Specifically, it runs on a general-purpose computer system and intercepts network traffic using monitoring tools. The hardware requires a suitable processor and storage to manage network communications. For software, commonly used communication protocol analysis tools, such as Wireshark, are used for monitoring. Learning frameworks such as TensorFlow and PyTorch are utilized for data shaping and anomaly detection.
[0760] After detecting an anomaly, the server uses an emotion analysis engine to analyze the user's emotional state and optimize the content and method of notifications. This emotion analysis engine operates based on past user operation logs and real-time user interaction data. The engine uses the data to train an emotion model and infer the user's stress and anxiety.
[0761] The device notifies the user of an incident and, if necessary, provides voice guidance and performs automated recovery operations. The device is designed to minimize the burden on the user according to their situation and has features that simplify the interface format.
[0762] As a concrete example, let's consider a scenario where an unauthorized access attempt is made to a company's network. The server immediately detects the anomaly and, through a sentiment analysis engine, notifies the user of a message such as, "A network problem has been detected. We are automatically handling it, so please rest assured." in order to minimize the stress the user may experience.
[0763] The following prompt statements can be used as example inputs to a generative AI model:
[0764] "Please provide a detailed explanation of how anomalies in network traffic data are detected."
[0765] "Please explain the mechanism of the AI algorithm that analyzes user emotions."
[0766] "Please tell me what to do if the emotional engine detects a high-stress state."
[0767] The flow of the specific processing in Example 2 will be explained using Figure 13.
[0768] Step 1:
[0769] The server monitors network traffic. It receives real-time data communication information as input and captures each communication packet using monitoring tools. This data includes destination IP address, communication protocol, and packet size. The server formats this data and converts it into a format suitable for anomaly detection algorithms. It then generates formatted network traffic data as output.
[0770] Step 2:
[0771] The server inputs formatted network traffic data into a machine learning model to detect anomalous patterns. The input is the formatted data obtained in step 1, and the server uses TensorFlow to identify anomalies in real time. The model identifies behaviors that are considered anomalous compared to normal communication patterns. The output is the identified results showing the anomalous patterns.
[0772] Step 3:
[0773] When an anomaly is detected, the server uses an emotion analysis engine to analyze the user's emotional state. Input includes the user's past operation log data and current real-time activity data. The server uses a trained model to estimate the user's stress and anxiety levels. This analysis generates output data indicating the user's emotional state.
[0774] Step 4:
[0775] The server optimizes the content and method of incident notifications based on the identified anomalies and emotional states. The inputs used are the anomaly data obtained in step 2 and the emotional state data from step 3. The server adjusts the notification content, for example, to create a simple message such as "Please remain calm." The output is the optimized notification message.
[0776] Step 5:
[0777] If the anomaly is deemed to be of high urgency, the terminal automatically takes initial action. The input is emergency incident information sent from the server. The terminal takes measures such as modifying firewall rules, stopping malicious processes, or notifying the user with voice guidance. The output is the result of the initial action taken.
[0778] Step 6:
[0779] Periodically, the server performs a system-wide security assessment and updates the model. The input is the current system state and the latest security patch information. The server reassessss security based on the assessment criteria and retrains the generated AI model as needed. The output is an enhanced security configuration and an updated model.
[0780] (Application Example 2)
[0781] Next, we will explain application example 2. In the following explanation, the data processing device 12 will be referred to as the "server" and the robot 414 as the "terminal".
[0782] In recent years, with the advancement of information technology, information processing via networks has become more diverse, but at the same time, unauthorized access and threats using networks have increased. In particular, as the need for immediate response to cyberattacks increases, conventional network security systems have been insufficient in terms of notifications and responses that take into account the emotional state of users, which has led to increased mental burden on users. The present invention aims to solve this problem.
[0783] The specific processing performed by the specific processing unit 290 of the data processing device 12 in Application Example 2 is realized by the following means.
[0784] In this invention, the server includes means for collecting network traffic data, means for preprocessing and standardizing the format of the collected data, means for executing an algorithm for detecting abnormal patterns using the preprocessed data, means for comparing the abnormal patterns with existing threat data to identify threats, means for notifying related information processing devices based on the identified threats, means for automatically performing initial responses to high-priority events, means for analyzing past event data to predict future threats, means for analyzing the emotional state of system users and optimizing notification content and methods, means for reducing emotional burden by adjusting notifications based on user operation logs, means for switching notifications from visual displays to voice guidance in the event of anomaly detection according to the emotional state of system users, and means for evaluating and protecting the security of the AI system itself. As a result, anomaly detection and incident response are optimized to the user's emotional state, enabling more effective and less burdensome security responses.
[0785] "Network traffic data" refers to the flow of data communicated between information processing devices, and this data is collected for analysis and monitoring purposes.
[0786] "Preprocessing" refers to the initial data processing steps performed to convert raw data into a format that is easy to analyze, and includes standardizing data formats and removing noise.
[0787] An "anomalous pattern" refers to unusual behavior or data characteristics that deviate from normal data or operations, suggesting potential threats or problems.
[0788] An "algorithm" refers to a series of computational steps or rules, and is a processing method designed to solve a specific problem.
[0789] A "threat" refers to any factor that could potentially or actually cause harm to a network or information system, including unauthorized access to or tampering with data.
[0790] An "information processing device" refers to an electronic device used for acquiring, processing, storing, and transmitting data, and usually includes a computer system.
[0791] An "incident" refers to an unexpected event in an information system that may disrupt the operation of the system.
[0792] "Emotional state" refers to the mental or psychological condition of a user of an information processing device, and includes the user's emotional responses, such as stress and anxiety.
[0793] "Voice guidance" refers to a means of transmitting information by voice, providing instructions and notifications to users as an alternative to visual information.
[0794] A "learning model" refers to a mathematical or statistical model that learns regularities and patterns from large amounts of data and uses them to make predictions and judgments about new data.
[0795] The system that realizes this invention consists of a server and an information processing device. The server is responsible for collecting network traffic data and preprocessing the collected data to standardize its format. The server also executes an algorithm to detect anomalous patterns using the preprocessed data and identifies threats by comparing the anomalous patterns with existing threat data. The identified threats are notified to the information processing device, and in the case of high-priority events, the server automatically takes initial action.
[0796] Furthermore, the server analyzes past event data to predict future threats. This process utilizes a data analysis learning model. The server also analyzes the emotional state of system users to optimize notification content and methods. By adjusting notifications based on user operation logs, care is taken to reduce the emotional burden on users. Specifically, if a user is determined to be in a high-stress state, it is possible to switch the notification of anomaly detection from a visual display to an audio guidance.
[0797] In this embodiment, anomaly detection and incident response are optimized based on the user's emotional state. The server is designed to periodically evaluate the security of the AI system itself, improving the accuracy of emotional state analysis while protecting security.
[0798] As a concrete example, consider an application for securely managing email communication within a company. This application monitors abnormal traffic both inside and outside the corporate network in real time and provides appropriate guidance tailored to the user's emotional state when an employee is subjected to a phishing attack or similar threat. For example, if the application determines that a user is in a high-stress state, it would notify them via voice with a concise message such as, "Warning: There are security concerns. Do not click on the link."
[0799] The following prompt statements can be used as examples of input to the generative AI model.
[0800] "I want to detect abnormal network activity and analyze the associated sentiment in order to tailor security notifications based on the user's emotional state. Please provide detailed instructions on the best way to implement this."
[0801] The flow of a specific process in Application Example 2 will be explained using Figure 14.
[0802] Step 1:
[0803] The server collects network traffic data in real time. This data includes user communication information and access logs. The server receives this raw data and preprocesses it to standardize its format. Specifically, it converts the data's format and removes unnecessary noise to make it easier to process later.
[0804] Step 2:
[0805] The server runs an algorithm to detect anomalous patterns using pre-processed data. By providing the pre-processed data as input to the anomaly detection model, the server identifies unique patterns and deviant traffic. Machine learning models are then used to extract potentially anomalous data. Simultaneously, known threats are quickly identified by comparing them with existing threat data.
[0806] Step 3:
[0807] The server notifies the information processing device, i.e., the user's terminal, based on the identified threat. The server uses detailed threat information as input to determine the most appropriate notification content and method. If the emotion engine determines that the user is in a high-stress state, the notification is simplified and voice guidance is provided to reduce the user's stress.
[0808] Step 4:
[0809] The server analyzes past incident data to predict potential future threats. Here, accumulated historical data is used as input, and predictive models perform data calculations to analyze trends in new threats. This enables proactive security responses.
[0810] Step 5:
[0811] Users take specific actions based on notifications from the server. In this case, users are provided with direct voice and visual guidance to support them in taking quick and appropriate action. If necessary, the system may automatically take additional protective measures.
[0812] Step 6:
[0813] The server periodically evaluates the security of the AI system itself and maintains protection. The server uses monitoring results and system logs as input to determine updates and patches that can be applied to improve security, and continuously ensures the health of the system.
[0814] The specific processing unit 290 transmits the result of the specific processing to the robot 414. In the robot 414, the control unit 46A causes the speaker 240 and the controlled object 443 to output the result of the specific processing. The microphone 238 acquires audio indicating user input for the result of the specific processing. The control unit 46A transmits the audio data indicating user input acquired by the microphone 238 to the data processing unit 12. In the data processing unit 12, the specific processing unit 290 acquires the audio data.
[0815] Data generation model 58 is a type of so-called generative AI (Artificial Intelligence). One example of data generation model 58 is ChatGPT (Internet search<URL: https: / / openai.com / blog / chatgpt> ), Gemini (Internet search) <url: https: gemini.google.com ?hl="ja">Examples of generative AI include the following. The data generation model 58 is obtained by performing deep learning on a neural network. The data generation model 58 is input with prompts containing instructions, and with inference data such as audio data representing speech, text data representing text, and image data representing images. The data generation model 58 infers from the input inference data according to the instructions indicated by the prompts, and outputs the inference results in data formats such as audio data and text data. Here, inference refers to, for example, analysis, classification, prediction, and / or summarization.
[0816] In the above embodiment, an example was given in which the specific processing is performed by the data processing device 12, but the technology of this disclosure is not limited thereto, and the specific processing may also be performed by the robot 414.
[0817] Furthermore, the emotion identification model 59, acting as an emotion engine, may determine the user's emotion according to a specific mapping. Specifically, the emotion identification model 59 may determine the user's emotion according to a specific mapping, which is an emotion map (see Figure 9). Similarly, the emotion identification model 59 may also determine the robot's emotion, and the identification processing unit 290 may perform identification processing using the robot's emotion.
[0818] Figure 9 shows an emotion map 400 in which multiple emotions are mapped. In the emotion map 400, emotions are arranged in concentric circles radiating from the center. The closer to the center of the concentric circles, the more primitive the emotions are located. Further out of the concentric circles, emotions representing states and actions arising from mental states are located. Emotion is a concept that includes feelings and mental states. On the left side of the concentric circles, emotions that are generally generated from reactions occurring in the brain are located. On the right side of the concentric circles, emotions that are generally induced by situational judgment are located. Above and below the concentric circles, emotions that are generally generated from reactions occurring in the brain and induced by situational judgment are located. In addition, the emotion of "pleasure" is located on the upper side of the concentric circles, and the emotion of "displeasure" is located on the lower side. Thus, in the emotion map 400, multiple emotions are mapped based on the structure in which emotions arise, and emotions that are likely to occur simultaneously are mapped close together.
[0819] These emotions are distributed at the 3 o'clock position on the Emotion Map 400, and usually fluctuate between feelings of security and anxiety. In the right half of the Emotion Map 400, situational awareness takes precedence over internal feelings, resulting in a calm impression.
[0820] The inside of the Emotion Map 400 represents inner thoughts, while the outside represents actions. Therefore, the further you go from the outside of the Emotion Map 400, the more visible (expressed in actions) your emotions become.
[0821] Here, human emotions are based on various balances, such as posture and blood sugar levels. When these balances deviate from the ideal, it results in discomfort, and when they approach the ideal, it results in pleasure. Similarly, in robots, cars, motorcycles, etc., emotions can be created based on various balances, such as posture and battery level. When these balances deviate from the ideal, it results in discomfort, and when they approach the ideal, it results in pleasure. The emotion map can be generated, for example, based on Dr. Mitsuyoshi's emotion map (Research on a system for analyzing brain physiological signals of speech emotion recognition and emotion, Tokushima University, doctoral dissertation: https: / / ci.nii.ac.jp / naid / 500000375379). The left half of the emotion map contains emotions belonging to a region called "response," where sensation is dominant. The right half of the emotion map contains emotions belonging to a region called "situation," where situational awareness is dominant.
[0822] The emotion map defines two emotions that promote learning. One is the emotion around the middle of the negative "repentance" and "reflection" on the situation side. In other words, it is when the robot experiences negative emotions such as "I never want to feel this way again" or "I don't want to be scolded again." The other is the emotion around the positive "desire" on the reaction side. In other words, it is when the robot has positive feelings such as "I want more" or "I want to know more."
[0823] The emotion identification model 59 inputs user input into a pre-trained neural network, obtains emotion values representing each emotion shown in the emotion map 400, and determines the user's emotion. This neural network is pre-trained based on multiple training data sets, which are combinations of user input and emotion values representing each emotion shown in the emotion map 400. Furthermore, this neural network is trained so that emotions located close together have similar values, as shown in the emotion map 900 in Figure 10. Figure 10 shows an example where multiple emotions such as "reassured," "calm," and "confident" have similar emotion values.
[0824] The above description primarily focuses on the functions of the data processing device 12 in relation to this disclosure. However, the system related to this disclosure is not necessarily implemented on a server. The system related to this disclosure may be implemented as a general information processing system. This disclosure may be implemented, for example, as a software program that runs on a personal computer or as an application that runs on a smartphone. The method related to this disclosure may be provided to users in SaaS (Software as a Service) format.
[0825] In the above embodiment, an example was given in which a specific process is performed by a single computer 22. However, the technology of this disclosure is not limited thereto, and a distributed processing of the specific process may be performed by multiple computers, including computer 22. For example, a data generation model 58 may be provided in an external device of the data processing device 12, and the external device may generate data according to the input data.
[0826] In the above embodiment, an example was given in which the specific processing program 56 is stored in the storage 32, but the technology of this disclosure is not limited thereto. For example, the specific processing program 56 may be stored in a portable, computer-readable, non-temporary storage medium such as a USB (Universal Serial Bus) memory. The specific processing program 56 stored in the non-temporary storage medium is installed in the computer 22 of the data processing device 12. The processor 28 executes specific processing according to the specific processing program 56.
[0827] Alternatively, the specific processing program 56 may be stored in a storage device such as a server connected to the data processing device 12 via the network 54, and the specific processing program 56 may be downloaded and installed on the computer 22 in response to a request from the data processing device 12.
[0828] Furthermore, it is not necessary to store the entirety of the specific processing program 56 in a storage device such as a server connected to the data processing device 12 via the network 54, or to store the entirety of the specific processing program 56 in the storage 32; it is acceptable to store only a portion of the specific processing program 56.
[0829] The following types of processors can be used as hardware resources to perform specific processing. Examples of processors include a CPU, a general-purpose processor that functions as a hardware resource to perform specific processing by executing software, i.e., a program. Other examples of processors include dedicated electrical circuits, such as FPGAs (Field-Programmable Gate Arrays), PLDs (Programmable Logic Devices), or ASICs (Application Specific Integrated Circuits), which have circuit configurations specifically designed to perform specific processing. All of these processors have built-in or connected memory, and all of them perform specific processing by using memory.
[0830] The hardware resource that performs a specific process may consist of one of these various processors, or it may consist of a combination of two or more processors of the same or different types (for example, a combination of multiple FPGAs, or a combination of a CPU and an FPGA). Alternatively, the hardware resource that performs a specific process may consist of a single processor.
[0831] Examples of configurations using a single processor include, firstly, a configuration in which one or more CPUs and software are combined to form a single processor, and this processor functions as a hardware resource that performs a specific process. Secondly, there is a configuration using a processor that realizes the functions of the entire system, including multiple hardware resources that perform a specific process, on a single IC chip, as exemplified by SoCs (System-on-a-chip). In this way, a specific process is realized using one or more of the above types of processors as hardware resources.
[0832] Furthermore, the hardware structure of these various processors can more specifically utilize electrical circuits that combine circuit elements such as semiconductor devices. Also, the specific processing described above is merely an example. Therefore, it goes without saying that unnecessary steps can be deleted, new steps added, or the processing order rearranged, as long as it does not deviate from the main purpose.
[0833] The descriptions and illustrations presented above are detailed explanations of the technical aspects of this disclosure and are merely examples of the technical aspects. For example, the above descriptions of the structure, function, operation, and effect are examples of the structure, function, operation, and effect of the technical aspects of this disclosure. Therefore, it goes without saying that you may delete unnecessary parts, add new elements, or replace elements in the descriptions and illustrations presented above, as long as you do not deviate from the essence of the technical aspects of this disclosure. Furthermore, in order to avoid confusion and facilitate understanding of the technical aspects of this disclosure, explanations of common technical knowledge and the like that do not require special explanation to enable the implementation of the technical aspects of this disclosure have been omitted from the descriptions and illustrations presented above.
[0834] All documents, patent applications, and technical standards described herein are incorporated by reference to the same extent as if each individual document, patent application, and technical standard were specifically and individually noted to be incorporated by reference.
[0835] The following is further disclosed regarding the embodiments described above.
[0836] (Claim 1)
[0837] Means for collecting network traffic data,
[0838] A means for preprocessing the collected data and standardizing its format,
[0839] A means for executing an AI algorithm that detects abnormal patterns using the aforementioned preprocessed data,
[0840] A means for comparing the abnormal pattern with existing threat data and identifying a threat,
[0841] A means of notifying relevant users based on identified threats,
[0842] A means of automatically performing initial response in high-priority incidents,
[0843] A means of analyzing past incident data to predict future threats,
[0844] Means for evaluating and protecting the security of the AI system itself,
[0845] A system that includes this.
[0846] (Claim 2)
[0847] The system according to claim 1, characterized in that the AI algorithm for detecting the abnormal pattern is executed in real time using a machine learning model.
[0848] (Claim 3)
[0849] The system according to claim 1, characterized in that the means for automatically performing initial response includes a protocol for isolating a network segment and stopping the associated malicious process.
[0850] "Example 1"
[0851] (Claim 1)
[0852] A means of aggregating communication information,
[0853] A means for pre-processing the aggregated information and standardizing its format,
[0854] Means for executing an artificial intelligence method for detecting abnormal phenomena using the aforementioned pre-processed information,
[0855] A means for comparing the abnormal phenomenon with existing threat information and identifying the threat,
[0856] A means of reporting to relevant users based on identified threats,
[0857] A means of performing initial response through self-operation in high-priority events,
[0858] A means of analyzing past event information to predict future threats,
[0859] Means for evaluating and maintaining the safety of the artificial intelligence system itself,
[0860] A means of presenting data using characteristic information obtained from communication information,
[0861] A means to block communication commands in the event of potential unauthorized access,
[0862] A system that includes this.
[0863] (Claim 2)
[0864] The system according to claim 1, characterized in that the artificial intelligence method for detecting the abnormal phenomenon is executed immediately using a machine learning method.
[0865] (Claim 3)
[0866] The system according to claim 1, characterized in that the means for performing initial countermeasures by self-operation includes communication rules for isolating the communication network and stopping the relevant malicious processing.
[0867] "Application Example 1"
[0868] (Claim 1)
[0869] Means for monitoring network activity,
[0870] A means for preprocessing the monitored data and standardizing its format,
[0871] A means for executing an AI algorithm that detects unique communication patterns using the pre-processed data,
[0872] A means of identifying potential risks by comparing detected patterns with existing threat intelligence,
[0873] A means of sending warnings to relevant users based on identified risks,
[0874] A means of automatically executing emergency responses as needed,
[0875] Methods for analyzing and predicting past events,
[0876] Means for evaluating and enhancing the security of AI platforms,
[0877] A means of performing personal network monitoring using smart devices,
[0878] A means of notifying the detection of abnormal activity,
[0879] Means for managing excessive communication,
[0880] A system that includes this.
[0881] (Claim 2)
[0882] The system according to claim 1, characterized in that it executes the aforementioned unique communication pattern in real time.
[0883] (Claim 3)
[0884] The system according to claim 1, characterized in that the means for automatically performing emergency response includes a protocol for managing data communications and stopping malicious activity.
[0885] "Example 2 of combining an emotion engine"
[0886] (Claim 1)
[0887] A means of monitoring data communications,
[0888] A means for formatting and standardizing the monitored data,
[0889] A means for operating an algorithm that identifies anomalies based on the aforementioned formatted data,
[0890] A means for comparing the anomaly with reference information and determining the risk,
[0891] A means of notifying relevant users based on the identified risks,
[0892] A means for analyzing the user's emotional state and adjusting the content and frequency of notifications,
[0893] A means of automatically providing an initial response in urgent situations,
[0894] Means for evaluating and maintaining the security of the data processing system itself,
[0895] A system that includes this.
[0896] (Claim 2)
[0897] The system according to claim 1, characterized in that the algorithm for identifying the anomaly is immediately put into operation using a learning model.
[0898] (Claim 3)
[0899] The system according to claim 1, characterized in that the means for automatically providing an initial response includes a mechanism for isolating a data communication section and halting related unauthorized activity.
[0900] "Application example 2 when combining with an emotional engine"
[0901] (Claim 1)
[0902] Means for collecting network traffic data,
[0903] A means for preprocessing the collected data and standardizing its format,
[0904] Means for executing an algorithm that detects abnormal patterns using the pre-processed data,
[0905] A means for comparing the abnormal pattern with existing threat data and identifying a threat,
[0906] Means for notifying relevant information processing devices based on identified threats,
[0907] A means of automatically performing initial response in high-priority events,
[0908] A means of analyzing past event data to predict future threats,
[0909] A means for analyzing the emotional state of system users and optimizing notification content and methods,
[0910] By adjusting notifications based on user activity logs, this can be a means of reducing emotional burden.
[0911] A means to switch the notification of anomaly detection from a visual display to an audio guidance depending on the emotional state of the system user,
[0912] Means to evaluate and protect the security of the AI system itself,
[0913] A system that includes this.
[0914] (Claim 2)
[0915] The system according to claim 1, characterized in that the algorithm for detecting the abnormal pattern is executed in real time using a learning model.
[0916] (Claim 3)
[0917] The system according to claim 1, characterized in that the means for automatically performing initial response includes a protocol for separating the communication path and stopping related fraudulent processing. [Explanation of Symbols]
[0918] 10, 210, 310, 410 Data Processing Systems 12 Data Processing Devices 14 Smart Devices 214 Smart Glasses 314 Headset-type terminal 414 Robots< / url:> < / url:> < / url:> < / url:>
Claims
1. Means for collecting network traffic data, A means for preprocessing the collected data and standardizing its format, A means for executing an AI algorithm that detects abnormal patterns using the aforementioned preprocessed data, A means for comparing the abnormal pattern with existing threat data and identifying a threat, A means of notifying relevant users based on identified threats, A means of automatically performing initial response in high-priority incidents, A means of analyzing past incident data to predict future threats, Means for evaluating and protecting the security of the AI system itself, A system that includes this.
2. The system according to claim 1, characterized in that the AI algorithm for detecting the abnormal pattern is executed in real time using a machine learning model.
3. The system according to claim 1, characterized in that the means for automatically performing initial response includes a protocol for isolating a network segment and stopping the associated malicious process.