Anomaly detection apparatus based on outlier score in EDR
Abstract
The present invention relates to an apparatus and method for detecting anomalies in EDR based on an outlier score. In particular, a distance is calculated for a network traffic log or event using the Euclidean distance, Minkowski distance, and cosine distance calculation methods, and that distance is then used as an outlier score, which enables detection of outliers in the network traffic log or event. The invention provides an apparatus and method for detecting anomalies in EDR based on an outlier score, comprising: a feature extraction unit that extracts features of network traffic data; a distance calculator that calculates the distance of the data using the extracted features; and an analysis unit that extracts statistics using the number of data points within a specific range of the data's distance and then determines the top n% of the analyzed data to be outliers.
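The pipeline in the abstract (features, then distance, then a count of records within a range, then a top n% cut) can be sketched as follows. This is an added example, not code from the patent. Assumptions: the feature columns, the z-score scaling step, the ranking rule (fewest neighbours within `radius` first, then largest mean distance) and the sample rows are all constructed for illustration.

```python
import math

def minkowski(a, b, p=2.0):
    """Minkowski distance; p=2 gives Euclidean, p=1 Manhattan."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)

def cosine_distance(a, b):
    """1 - cosine similarity; a zero vector is treated as maximally distant."""
    na, nb = math.hypot(*a), math.hypot(*b)
    if na == 0 or nb == 0:
        return 1.0
    return 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb)

def zscale(rows):
    """Standardise each feature column so no single unit dominates the distance
    (assumed preprocessing, not stated in the abstract)."""
    cols = list(zip(*rows))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
           for c, m in zip(cols, mean)]
    return [tuple((v - m) / s for v, m, s in zip(r, mean, std)) for r in rows]

def flag_outliers(rows, dist=minkowski, radius=1.0, top_pct=10.0):
    """Return (flagged row indices, per-row stats).
    stats[i] = (neighbours within radius, mean distance to the other rows)."""
    n = len(rows)
    stats = []
    for i, a in enumerate(rows):
        d = [dist(a, b) for j, b in enumerate(rows) if j != i]
        stats.append((sum(x <= radius for x in d), sum(d) / len(d)))
    # Assumed ranking: isolated rows first, ties broken by larger mean distance.
    ranked = sorted(range(n), key=lambda i: (stats[i][0], -stats[i][1]))
    k = max(1, math.ceil(n * top_pct / 100.0))  # size of the top n% cut
    return sorted(ranked[:k]), stats

# Constructed sample: (kilobytes sent, session seconds, distinct destination ports)
SAMPLE = [(12, 3, 1), (14, 4, 1), (11, 3, 2), (13, 5, 1), (15, 4, 2),
          (12, 4, 1), (10, 3, 1), (14, 3, 2), (13, 4, 1), (900, 60, 45)]

if __name__ == "__main__":
    scaled = zscale(SAMPLE)
    print("euclidean:", flag_outliers(scaled, radius=1.5, top_pct=10)[0])
    print("cosine:   ", flag_outliers(scaled, cosine_distance, 0.5, 10)[0])
```

A fixed top n% cut always flags some rows, even on clean data, so the flagged set is a triage queue rather than a verdict.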