METHOD FOR ADJUSTING A BOOSTED CLASSIFIER, BOOSTED CLASSIFIER AND DEVICE OR SYSTEM FOR PERFORMING THE METHOD

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of European patent application 23382926.6, filed 12 Sep. 2023, the disclosure of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present disclosure is encompassed within the field of detection of intrusion.

BACKGROUND

Intrusion detection systems monitor computing entities (for example, computing devices, computing systems or networks of computing devices) for detecting intrusion into the monitored resource (e.g., violation of security of the monitored resource, malicious activity within the monitored resource and/or misuse of the monitored resource).

There are two primary types of intrusion detection: network-based intrusion detection and host-based intrusion detection. Network-based intrusion detection monitors traffic of the network for detecting malicious activity within the network. Host-based intrusion detection monitors individual hosts or servers for detecting unauthorized access to the respective host or server and/or unauthorized activity within the respective host or server.

There are already a variety of techniques for detecting intrusion. For example, signature-based detection, which looks for known patterns of malicious activity; and behavior-based detection, which looks for unusual or suspicious activity. It is also known that intrusion detection may benefit from artificial intelligence algorithms (e.g., machine learning) to detect new or evolving types of intrusion.

Although several techniques of detection of intrusion already known in the art perform relatively well, it is desirable to further improve performance of detection of intrusion.

SUMMARY

A first aspect of the disclosure relates to a method comprising:

- adjusting weight values of a boosted classifier for reducing a value of a cost function of the boosted classifier, the boosted classifier being a classifier for calculating whether data is indicative of an intrusion into a computing entity;
- the boosted classifier comprising the weight values and a plurality of classifiers, each classifier of the plurality of classifiers being associated with a weight value of the weight values;
- the step of adjusting the weight values comprising executing, by at least one digital computing device, a quantum-inspired algorithm.

The performance of classification by the boosted classifier, as measured with the cost function, is enhanced by carrying out the method of the first aspect of the disclosure compared to methods wherein the weight values are adjusted by digitally executing algorithms which are not quantum-inspired. It has been shown that training boosted classifiers by adjusting the weight values thereof by executing, by at least one digital computing device, a quantum-inspired algorithm allows increasing performance of detection of intrusion by the boosted classifier trained in this manner. For example, it has been shown that training a boosted classifier in this manner allows obtaining a trained boosted classifier capable of detecting a higher proportion of intrusions than state-of-the-art techniques relying merely on classical machine learning. An example in which the boosted classifier of the first aspect of the disclosure has higher performance of classification than known state-of-the-art techniques is in classification of the Intrusion Detection Evaluation Dataset (CIC-IDS2017).

By adjusting weight values of the boosted classifier, it can be obtained a boosted classifier having better performance of classification than any individual classifier of the plurality of classifiers.

In addition, the first aspect of the disclosure allows enhancing classification performance without requiring a quantum computing device, since the quantum-inspired algorithm may be performed merely by classical (i.e. digital) computing.

The quantum-inspired algorithm is an algorithm which classically (i.e. digitally) emulates quantum phenomena.

The use of the quantum-inspired algorithm allows decreasing a size of data storage (e.g., a size of a memory of a digital computing device) required to perform the adjustment of the weight values. Since the required memory size is relatively low, it is enabled, for example, performing the adjustment of the weight values in premises (without requiring a relatively high investment in processing equipment) instead of remotely (e.g., in the cloud). In particular cases in which the required size of the data storage is particularly low, the method may be executed by a smart phone or similar. In addition, since the required memory size is lower, execution of the quantum-inspired algorithm consumes little energy and is quicker. This may be advantageous for particular applications having low memory size, such as, a watch or a satellite.

An example of the quantum-inspired algorithm is an algorithm of optimization based on a tensor network. An example of the algorithm of optimization based on a tensor network is: an algorithm of tensor networks of variational optimization, an algorithm of tensor networks of temporal evolution, an algorithm of tensor networks of evolution in imaginary time.

Algorithms based on a tensor network allow enhancing mimicking in a quantum-inspired way, by a digital computing device, quantum processing of information and correlations; the quantum processing being performed by a quantum computing device. Moreover, algorithms based on a tensor network may be tailored directly to correlations in data structure, without requiring emulating quantum processing by a quantum computing device, thereby allowing faster and more efficient computation.

In some embodiments, the method comprises: training each classifier of the plurality of classifiers before performing the step of adjusting the weight values.

Training each classifier of the plurality of classifiers allows increasing individual performance of each classifier of the plurality of classifiers, thereby allowing increasing performance of the boosted classifier.

In some embodiments, at least one classifier of the plurality of classifiers is trained separately from the rest of classifiers of the plurality of classifiers. Training a classifier separately from the rest of classifiers allows relatively simpler and quicker training (compared to training a classifier of the plurality of classifiers considering at least another classifier of the plurality of classifiers), while allowing obtaining a boosted classifier having a relatively high performance of classification (i.e., detecting a higher proportion of intrusions).

In some embodiments, for allowing further simplicity and quickness of training (while allowing obtaining a boosted classifier having a relatively high performance of classification), all the classifiers of the plurality of classifiers are trained separately from the rest of classifiers of the plurality of classifiers.

In some embodiments, each classifier of the plurality of classifiers is a classifier for calculating whether data is indicative of an intrusion into a computing entity.

In some embodiments, the adjustment of the weight values is based on training data, the training data comprising sets of input data; each set of input data of the sets of input data being associated with output data indicative of whether the respective set of input data is indicative of an intrusion into a computing entity; each set of the sets of input data comprising at least one of: data indicative of a standard deviation of lengths of packets, data indicative of a total length of backward packets (i.e., packets in backward direction; in other words, packets that go from the receiver to the sender), data indicative of bytes of a backward subflow (i.e., data indicative of bytes received in a particular time range, the bytes going from the receiver to the sender), data indicative of a destination port of packets and data indicative of a variance of lengths of packets. It has been shown that using these features for adjusting the weight values allows achieving a boosted classifier having particularly high performance of classification. Preferably, for allowing achieving a relatively higher performance each set of the sets of input data comprises: data indicative of a standard deviation of lengths of packets, data indicative of a total length of backward packets, data indicative of bytes of a backward subflow, data indicative of a destination port of packets and data indicative of a variance of lengths of packets.

In some embodiments, the adjustment of the weight values is based on training data, the training data comprising sets of input data; each set of input data of the sets of input data being associated with output data indicative of whether the respective set of input data is indicative of an intrusion into a computing entity; each set of the sets of input data comprising at least one of: data indicative of an identification of a subentity within the computing entity, data indicative of an identification of a category of an event, data indicative of an identification of a campaign (i.e., data indicative of a context of the set of input data, such as, media or marketing), data indicative of a name of a campaign, data indicative of a name of a host, data indicative of an ip address of a host, data indicative of an event, data indicative of a path of a process, data indicative of a name of a working directory of a process and data indicative of a name of a user running a process. It has been shown that using these features for adjusting the weight values allows achieving a boosted classifier having particularly high performance. Preferably, for allowing achieving a relatively higher performance each set of the sets of input data comprises: data indicative of an identification of a subentity within the computing entity, data indicative of an identification of a category of an event, data indicative of an identification of a campaign, data indicative of a name of a campaign, data indicative of a name of a host, data indicative of an ip address of a host, data indicative of an event, data indicative of a path of a process, data indicative of a name of a working directory of a process and data indicative of a name of a user running a process.

In some embodiments, the cost function at least comprises an error function with the error of A relative to B, where:

- A is F({right arrow over (x_J)})=Σ_iα_if_i({right arrow over (x_J)}), where {right arrow over (x_J)} is a j-th set of data of a plurality of sets of input data; f_i({right arrow over (x_J)}) is a classification, performed by the i-th classifier of the plurality of classifiers, of the j-th set of data of the plurality of sets of input data; and a; is the weight value associated with the i-th classifier;
- B is an actual class of the j-th set of data of the plurality of sets of input data; and
- the error function being for all sets of data of the plurality of sets of input data or some sets of data of the plurality of sets of input data.

In some embodiments, the method comprises:

- computing a value of the cost function for the adjusted weight values,
- determining whether the computed value of the cost function fulfills a criterion of convergence of the cost function, and
- if the computed value of the cost function does not fulfill the criterion of convergence of the cost function, further performing the steps of:
  - adjusting the weight values for reducing a value of the cost function by executing, by at least one digital computing device, a quantum-inspired algorithm, thereby obtaining further adjusted weight values;
  - computing a value of the cost function for the further adjusted weight values, thereby obtaining a further computed value of the cost function; and
  - determining whether the further computed value of the cost function fulfills the criterion of convergence of the cost function;
- if the computed value of the cost function fulfills the criterion of convergence of the cost function, not performing the step of adjusting the weight values.

Thereby, the adjustment of the weight values may be iteratively performed until a value of the cost function for adjusted weight values fulfills the criterion of convergence. The criterion of convergence may comprise comparing a value of a cost function for adjusted weight values with a value of a cost function for adjusted weight values previously obtained. For example, the criterion of convergence may comprise calculating whether an absolute value of a difference between the value of a cost function for adjusted weight values and the value of a cost function for adjusted weight values previously obtained is lower than a threshold, and determining that the convergence criterion has been met upon calculating that the absolute value is lower than the threshold.

In some embodiments, the method comprises:

- computing a parameter related to the value of the cost function for the adjusted weight values,
- determining whether the computed parameter related to the value of the cost function fulfills a criterion of convergence of the cost function, and
- if the computed parameter does not fulfill the criterion of convergence of the cost function, further performing the steps of:
  - adjusting the weight values for reducing a value of the cost function by executing, by at least one digital computing device, a quantum-inspired algorithm, thereby obtaining further adjusted weight values;
  - computing a parameter related to the value of the cost function for the further adjusted weight values, thereby obtaining a further computed parameter related to the value of the cost function; and
  - determining whether the further computed parameter related to the value of the cost function fulfills the criterion of convergence of the cost function;
- if the computed parameter related to the value of the cost function fulfills the criterion of convergence of the cost function, not performing the step of adjusting the weight values.

Thereby, the adjustment of the weight values may be iteratively performed until a parameter related to the value of the cost function for adjusted weight values fulfills the criterion of convergence. The criterion of convergence may comprise comparing a parameter related to the value of the cost function for adjusted weight values with a parameter related to the value of the cost function for adjusted weight values previously obtained.

In some embodiments, the computation of a value of the cost function (or the computation of a parameter related to the value of the cost function) is performed digitally. Performing the computation digitally allows not using a quantum computing device for performing said computation, thereby enabling the use of an optional quantum computing device in a task in which quantum computing may be relatively more advantageous.

In some embodiments, the boosted classifier is a classifier for calculating whether data is indicative of an intrusion into a network of computing devices; and the adjustment of the weight values is based on training data, the training data comprising sets of input data; each set of input data of the sets of input data being associated with output data indicative of whether the respective set of input data is indicative of an intrusion into a network of computing devices; the sets of input data comprising data of a network of computing devices. The boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first network of computing devices, and the sets of input data may comprise data of a second network of computing devices.

In some embodiments, the boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first network of computing devices, and the sets of input data may comprise data of the first network of computing devices. Thereby, the adjustment of the weight coefficients may be enhanced since the boosted classifier is trained with data from the network in which the boosted classifier detects intrusions.

In some embodiments, the boosted classifier is a classifier for calculating whether data is indicative of an intrusion into a computing device; and the adjustment of the weight values is based on training data, the training data comprising sets of input data; each set of input data of the sets of input data being associated with output data indicative of whether the respective set of input data is indicative of an intrusion into a computing device; the sets of input data comprising data of a computing device. The boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first computing device, and the sets of input data may comprise data of a second computing device.

In some embodiments, the boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first computing device, and the sets of input data may comprise data of the first computing device. Thereby, the adjustment of the weight coefficients may be enhanced since the boosted classifier is trained with data of the computing device in which the boosted classifier detects intrusions.

In some embodiments, the boosted classifier is a classifier for calculating whether data is indicative of an intrusion into a computing system; and the adjustment of the weight values is based on training data, the training data comprising sets of input data; each set of input data of the sets of input data being associated with output data indicative of whether the respective set of input data is indicative of an intrusion into a computing system; the sets of input data comprising data of a computing system. The boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first computing system, and the sets of input data may comprise data of a second computing system.

In some embodiments, the boosted classifier may be a classifier for calculating whether data is indicative of an intrusion into a first computing system, and the sets of input data may comprise data of the first computing system. Thereby, the adjustment of the weight coefficients may be enhanced since the boosted classifier is trained with data of the computing system in which the boosted classifier detects intrusions.

A second aspect of the disclosure relates to a boosted classifier comprising weight values and a plurality of classifiers, each classifier of the plurality of classifiers being associated with a weight value of the weight values, wherein the weight values have been adjusted by performing the method of the first aspect of the disclosure.

In some embodiments, the boosted classifier is a classifier for calculating whether data is indicative of an intrusion into at least one of: a network of computing devices, a computing device and a computing system.

In some embodiments, the boosted classifier is a classifier for calculating whether data is indicative of an intrusion, wherein the intrusion involves at least one of:

- unauthorized access to at least one of a network of computing devices, a computing device and a computing system, and
- misuse of at least one of a network of computing devices, a computing device and a computing system.

In some embodiments, the misuse of the network of computing devices may comprise modifying a configuration of the network of computing devices, for example, modifying the network so that the network transmits packets to an unauthorized destination or modifying the network so that the network receives packets from an unauthorized sender.

A third aspect of the disclosure relates to calculating whether data is indicative of an intrusion into a computing entity by digitally executing the boosted classifier of the second aspect of the disclosure.

In some embodiments, the adjustment of the weight values additionally comprises executing digital computations by first at least one computing device, and the boosted classifier is executed by second at least one computing device. Thereby, it is not required to stop execution of the boosted classifier by the second at least one computing device to adjust weight values of the boosted classifier. In other words, the boosted classifier may be executed by the second at least one computing device at the same time as the first at least one computing device adjusts weight values wherein the latest adjusted weight values may be subsequently sent to the second at least one computing device to update the boosted classifier to be executed by the second at least one computing device.

In some embodiments, the boosted classifier is digitally executed for calculating whether data of a network of computing devices (e.g., at least one of: data transmitted within the network, data received by a computing device of the network, data transmitted by a computing device of the network and data of configuration of the network) is indicative of an intrusion into the network of computing devices.

In some embodiments, the step of calculating whether data of a network of computing devices is indicative of an intrusion into the network of computing devices comprises classifying by the boosted classifier the data of the network so that the boosted classifier provides an output indicative of intrusion or non-intrusion.

In some embodiments, the step of calculating whether data of a network of computing devices is indicative of an intrusion into the network of computing devices comprises processing (e.g., by at least one digital computing device) the data of the network of computing devices to modify format of the data of the network and/or obtain aggregate parameters of the data of the network; the step of calculating whether data of the network of computing devices is indicative of an intrusion into the network of computing devices comprises classifying by the boosted classifier the processed data so that the boosted classifier provides an output indicative of intrusion or non-intrusion (i.e., of whether the data of the network of computing devices is indicative of an intrusion into the network of computing devices).

In some embodiments, the boosted classifier is digitally executed for calculating whether data of a computing device (e.g., at least one of: data processed by the computing device, data stored in the computing device, data received by the computing device, data sent by the computing device and data of configuration of the computing device) is indicative of an intrusion into the computing device.

In some embodiments, the step of calculating whether data of a computing device is indicative of an intrusion into the computing device comprises classifying by the boosted classifier the data of the computing device so that the boosted classifier provides an output indicative of intrusion or non-intrusion (i.e., indicative of whether the data of the computing device is indicative of an intrusion into the computing device).

In some embodiments, the step of calculating whether data of a computing device is indicative of an intrusion into the computing device comprises processing (e.g., by at least one digital computing device) the data of the computing device to modify format of the data of the computing device and/or obtain aggregate parameters of the data of the computing device; the step of calculating whether data of the computing device is indicative of an intrusion into the computing device comprises classifying by the boosted classifier the processed data so that the boosted classifier provides an output indicative of intrusion or non-intrusion (i.e., indicative of whether the data of the computing device is indicative of an intrusion into the computing device).

In some embodiments, the boosted classifier is digitally executed for calculating whether data of a computing system (e.g., at least one of: data processed by the computing system, data stored in the computing system, data received by the computing system, data sent by the computing system and data of configuration of the computing system) is indicative of an intrusion into the computing system.

In some embodiments, the step of calculating whether data of a computing system is indicative of an intrusion into the computing system comprises classifying by the boosted classifier the data of the computing system so that the boosted classifier provides an output indicative of intrusion or non-intrusion (i.e., indicative of whether the data of the computing system is indicative of an intrusion into the computing system).

In some embodiments, the step of calculating whether data of a computing system is indicative of an intrusion into the computing system comprises processing (e.g., by at least one digital computing device) the data of the computing system to modify format of the data of the computing system and/or obtain aggregate parameters of the data of the computing system; the step of calculating whether data of the computing system is indicative of an intrusion into the computing system comprises classifying by the boosted classifier the processed data so that the boosted classifier provides an output indicative of intrusion or non-intrusion (i.e., indicative of whether the data of the computing system is indicative of an intrusion into the computing system).

In some embodiments, upon calculating that data is indicative of an intrusion into a computing entity (e.g., at least one of: a network of computing devices, a computing device and a computing system), at least one of the following is performed:

- generating a signal indicative of an intrusion,
- blocking traffic of a network of computing devices, the network being associated with the data classified as indicative of an intrusion by the boosted classifier (e.g., the data is data of the network of computing devices), and
- disconnecting a computing device from a network to prevent propagation of an intrusion through the network, the computing device being associated with the data classified as indicative of an intrusion by the boosted classifier (e.g., the data is data of the computing device).

The step of generating a signal indicative of an intrusion may comprise generating a signal indicative of an intrusion into a particular computing entity (e.g., an intrusion into a particular computing device, into a particular computing network or into a particular computing system). In this way, the particular computing entity subjected to the intrusion can be identified in a relatively quick manner, thereby allowing relatively quick response to the intrusion as detected by the boosted classifier.

In some embodiments, the signal indicative of an intrusion is a signal perceivable by at least one person (e.g., an alert perceivable by at least one person), the signal enabling that the at least one person perceives that the boosted classifier has classified data as indicative of an intrusion. The at least one person may respond to the signal indicative of an intrusion, for example, by checking whether the alert is a false positive and/or by actuating the computing entity subjected to the intrusion for minimizing a negative impact that may be caused (in at least one of: a direct and an indirect manner) by the intrusion as detected by the boosted classifier in the computing entity subjected to the detected intrusion.

In some embodiments, the signal indicative of an intrusion may be received by at least one computing device, the at least one computing device being configured to respond to the signal by executing (by the at least one computing device) instructions, particularly, instructions for minimizing a negative impact that may be caused (in at least one of: a direct and an indirect manner) by the intrusion as detected by the boosted classifier in the computing entity subjected to the detected intrusion. For example, the instructions may be for: disconnecting a computing device subjected to the intrusion from a network to prevent that the intrusion propagates through the network, blocking packets sent from the computing entity subjected to the detected intrusion to a particular computing entity (e.g., to a particular IP address), blocking packets sent from a particular computing entity (e.g., a particular IP address) and received by the computing entity subjected to the detected intrusion.

By blocking traffic of a network, a negative impact of an intrusion into the network may be minimized. For example, intrusion into several nodes of the network of computing devices may be detected, and transmission of data to and/or reception of data from said nodes may be blocked to make it more difficult intruding into other nodes of the network.

By isolating a computing device from a network it is prevented that an intrusion to which the computing device is subjected propagates through the network.

A fourth aspect of the disclosure relates to:

- a computing system comprising means for carrying out the steps of the method of the first aspect of the disclosure, or
- to at least one computing device comprising means for carrying out the steps of the method of the first aspect of the disclosure.

Additional advantages and features of the disclosure will become apparent from the detailed description that follows and will be particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

To complete the description and to provide for a better understanding of the disclosure, a set of drawings is provided. Said drawings form an integral part of the description and illustrate embodiments of the disclosure, which should not be interpreted as restricting the scope of the disclosure, but just as examples of how the disclosure can be carried out. The drawings comprise the following figures:

FIG. 1 diagrammatically shows a method in accordance with embodiments.

FIG. 2 diagrammatically shows a system in accordance with embodiments.

FIG. 3 diagrammatically shows a method.

DETAILED DESCRIPTION OF THE DRAWINGS

The following description is not to be taken in a limiting sense but is given solely for the purpose of describing the broad principles of the disclosure. Embodiments of the disclosure will be described by way of example, with reference to the above-mentioned drawings.

FIG. 1 shows a method 100 according to the present disclosure. FIG. 2 shows a computing system 20. Methods according to the present disclosure may be carried out, for example, by the system 20.

The system 20 may comprise at least one digital computing device 21. The at least one digital computing device 21 may be, for example, a CPU, a GPU, an FPGA, an ASIC, a personal computer, a laptop, etc. The system 20 optionally comprises at least one quantum computing device 22. The system 20 comprises at least one memory 23, the at least one memory 23 may be part of the at least one digital computing device 21.

The method 100 is an example of a method comprising adjusting weight values of a boosted classifier by adjusting, by at least one digital computing device, the weight values by using a quantum-inspired algorithm.

The boosted classifier is a classifier for calculating whether data is indicative of an intrusion, in particular, whether data is indicative of an intrusion into a computing entity, for example, into at least one of: a network of computing devices, a computing device and a computing system. Thereby the boosted classifier is a classifier for classifying data in at least two classes: data indicative of an intrusion and data which is not indicative of an intrusion.

The boosted classifier may be, for example, the following weighed combination of the plurality of classifiers:

$F (\vec{x_{j}}) = \sum_{i} α_{i} f_{i} (\vec{x_{j}})$

- wherein:
- {right arrow over (x_J)} is a vector containing input data (e.g., data associated with at least one of: a network of computing devices, a computing device and a computing system),
- F({right arrow over (x_J)}) is a classification, calculated by the boosted classifier, of {right arrow over (x_J)},
- α_iis a weight value associated with the i-th classifier of the plurality of classifiers, and
- f_i({right arrow over (x_J)}) is a classification, calculated with the i-th classifier of the plurality of classifiers, of {right arrow over (x_J)}.

Each classifier of the plurality of classifiers may be a classifier for calculating whether data is indicative of an intrusion.

In a first step of the method 100 (the first step being optional), the plurality of classifiers may be trained 101. Thereby, a plurality of trained classifiers is obtained.

At least one classifier of the plurality of classifiers may be trained separately from the remaining classifier(s) of the plurality of classifiers, so that the training of the at least one classifier of the plurality of classifiers is not affected by any other classifier of the plurality of classifiers.

At least one classifier of the plurality of classifiers may be trained, for example, by digital computing (for example, by the at least one digital computing device 21). At least one classifier of the plurality of classifiers may be trained, for example, by quantum computing (for example, by the at least one quantum computing device 22).

Each classifier of the plurality of classifiers may be, for example, a model of supervised machine learning based on a decision tree. Each classifier of the plurality of classifiers may be, for example, one of: a random forest classifier, an adaboost classifier and an xgbclassifier. For example, at least one classifier of the plurality of classifiers is a random forest classifier, at least one classifier of the plurality of classifiers is an adaboost classifier and at least one classifier of the plurality of classifiers is an xgbclassifier.

The training data used for training the plurality of classifiers may comprise a plurality of sets of input data and a plurality of sets of output data, wherein:

- each set of the plurality of sets of input data comprises, for example: data indicative of a standard deviation of lengths of packets, data indicative of a total length of backward packets, data indicative of bytes of a backward subflow, data indicative of a destination port of packets and data indicative of a variance of lengths of packets;
- each set of the plurality of sets of output data is associated with a set of the plurality of sets of input data; and
- each set of output data of the plurality of sets of output data comprises data indicative of whether the set of the plurality of sets of input data associated with the respective set of output data is indicative of an intrusion.

In some embodiments, at least one classifier of the plurality of classifiers may be trained by using less categories of data of the plurality of sets of input data than the total number of categories of data of the plurality of sets of input data. For example, each set of the plurality of sets of input data may comprise a first category of data indicative of a standard deviation of length of packets, a second category of data indicative of a total length of backward packets and a third category of data indicative of bytes of a backward subflow; a first classifier of the plurality of classifiers may be trained by using data of the first category of the plurality of sets of input data and not using data of the second category nor data of the third category of the plurality of sets of input data, and a second classifier of the plurality of classifiers may be trained by using data of the second category of the plurality of sets of input data and not using data of the first category nor data of the third category of the plurality of sets of input data.

In a second step of the method 100 (the second step being optional), a cost function of the boosted classifier may be generated 102. The cost function may comprise, for example, an error function with the error of A relative to B, where:

- A is F({right arrow over (x_J)})=Σ_iα_if_i({right arrow over (x_J)}), where {right arrow over (x_J)} is a j-th set of data of a plurality of sets of input data, f_i({right arrow over (x_J)}) is a classification of the j-th set of data of the plurality of sets of input data by the i-th classifier of the plurality of classifiers, and α_iis the weight value associated with the i-th classifier;

B is an actual class of the j-th set of data of the plurality of sets of input data; and

- the error function being for all sets of data of the plurality of sets of input data or some sets of data of the plurality of sets of input data.

In a third step of the method 100, weight values of a boosted classifier are adjusted 103 for reducing a value of a cost function. By reducing the value of the cost function, an error among classifications of data calculated by the boosted classifiers and respective actual classifications of the data is reduced.

The third step of the method 100 comprises adjusting, by at least one digital computing device (for example, the at least one digital computing device 21), the weight values by executing a quantum-inspired algorithm for reducing a value of the cost function. Next, an example of a quantum-inspired algorithm of optimization is explained in reference to FIG. 3, the example uses a Tensor Network—i.e. TN—for solving an Unconstrained Optimization—i.e. UO-problem. This example is non-limiting in the sense that the at least one digital computing device 21 may implement other quantum-inspired algorithms.

By way of example, when the cost function may relate to a QUBO (Quadratic Unconstrained Binary Optimization), the equation might be of the form:

$H = \sum_{〈 i, j 〉} Q_{ij} x_{i} x_{j} + \sum_{i} q_{i} x_{i}$

- where x_iand x_jare the weight values, and Q_ijand q_iare classifications by classifiers of the plurality of classifiers.

The method 300 comprises a step whereby the at least one digital computing device 21 converts 310 the cost function equation, with the plurality of weight values, into an UO problem.

The method 300 comprises a step whereby the at least one digital computing device 21 provides 320 a TN with tensors. The TN is configured in such a way that it covers all possible configurations of weight values of the UO problem provided in the converting step 310.

The method 300 comprises a step whereby the at least one digital computing device 21 provides 325 a set of parameters with at least one parameter being for modifying the TN (e.g. a bond dimension of the TN, a unit cell of the TN, etc.), and/or with at least one parameter for influencing the subsequent step of modifying 330 coefficients (e.g. a Trotter-step in imaginary-time evolution, an error tolerance in algebra functions used for modifying the coefficients, a number of times that each tensor must have its coefficients modified, etc.).

The method 300 comprises a step whereby the at least one digital computing device 21 modifies 330, one or more times, coefficients of each tensor of the TN provided 320 for the set of parameters provided 325. The coefficients of the tensors are modified 330 such that the cost function of the UO problem decreases each time in order to minimize the cost function.

In a fourth step of the method 100 (the fourth step being optional), a value of the cost function for the adjusted weight values may be computed by the at least one digital computing device 21. In the fourth step of the method 100 a value of a parameter related to the value of the cost function for the adjusted weight values may be computed by the at least one digital computing device 21.

The value of the cost function for particular adjusted weight values is the value of the cost function of the boosted classifier wherein the weight values of the boosted classifier are the particular adjusted weight values.

In a fifth step of the method 100 (the fifth step being optional), the method 100 comprises determining 105 whether the computed value of the cost function (or the computed parameter related to the value of the cost function) fulfills a criterion of convergence of the cost function, and

- if the computed value of the cost function (or the computed parameter related to the value of the cost function) does not fulfill the criterion of convergence of the cost function, the following steps are repeated until it is determined that the computed value of the cost function (or the computed parameter related to the value of the cost function) fulfills the criterion of convergence:
  - adjusting 103 the weight values by executing, by at least one digital computing device, the quantum-inspired algorithm (e.g., by repeating the step of modifying 340 the coefficients), thereby obtaining later adjusted weight values,
  - computing a later value of the cost function (or a later parameter related to the value of the cost function) for the later adjusted weight values, and
  - determining 105 whether the computed later value of the cost function (or the computed later parameter related to the value of the cost function) fulfills the criterion of convergence of the cost function;
- if the computed value of the cost function (or the computed parameter related to the value of the cost function) fulfills the criterion of convergence of the cost function, the step of adjusting 103 the weight values is not performed. In addition, if the computed value of the cost function (or the computed parameter related to the value of the cost function) fulfills the criterion of convergence of the cost function, a boosted classifier comprising the adjusted weight values (i.e., the adjusted weight values for which the criterion of convergence is fulfilled by the computed value of the cost function or by the computed parameter related to the value of the cost function) may be set 106.

Thereby, the step of adjusting 103 the weight values may be repeated (i.e., repeated one or more times) for further reducing the value of the cost function. For example, the step of adjusting 103 the weight values may be repeated until one or more parameters related to the value of the cost function have attained a predetermined level of convergence. By way of example, said one or more parameters can be at least one of: the value of the cost function itself, a derivative of the value of the cost function, an analytic function of the value of the cost function and a derivative of an analytic function of the value of the cost function.

Thereby, the method 100 comprises adjusting the weight values several times so that the value of the cost function can be further reduced. The resulting value of the cost function for the adjusted weight values obtained in each iteration may be stored. In this way it may be assessed whether sufficient optimization has been achieved. In this sense, when at least two values have been stored, the method comprises checking whether the value of the cost function for the adjusted weight values meets a predetermined criterion which is indicative of the degree of convergence attained by the cost function so far, i.e., whether the value of the cost function has converged to a sufficient extent according to a predetermined threshold or set of thresholds. Based on this assessment, the weight values are to be adjusted once again or, alternatively, it is deemed that the adjusted weight values optimize the cost function sufficiently.

The convergence can be established, for example, by computing a difference between the value (or a parameter thereof) of the cost function for adjusted weight values and the value (or a parameter thereof) of the cost function for previously adjusted weight values and comparing said difference with a predetermined threshold, or by computing a difference between the value (or the parameter thereof) of the cost function for adjusted weight values and the value (or the parameter thereof) of the cost function for weight values adjusted before having effected the N (with N equal to e.g. 50, 100, 500, etc.) most recent adjustment of weight values and comparing said difference with a predetermined threshold; when the difference does not exceed the predetermined threshold it is deemed that the value of the cost function (or the parameter thereof) has converged sufficiently.

Steps 103, 104 and 105 may be repeated until it is determined in step 105 that the computed value of the cost function (or the computed parameter related to the value of the cost function) fulfills the criterion of convergence of the cost function.

Data indicative of the weight values for which the criterion of convergence is fulfilled, may be stored in a memory and/or sent to at least one computing device (e.g., at least one digital computing device) for allowing execution of the boosted classifier by the at least one digital computing device.

In some embodiments, the boosted classifier is sent to at least one computing device (for example, to at least one digital computing device) for allowing execution of the boosted classifier by the at least one computing device.

In some embodiments, merely the adjusted weight values are sent to at least one computing device (for example, to at least one digital computing device), the at least one computing device having stored therein the plurality of classifiers. In this way, the amount of data sent to the at least one computing device is relatively lower since the plurality of classifiers are not sent to the at least one computing device. For example, the plurality of classifiers may have been sent in a previous version of the boosted classifier and, since a newer version of the boosted classifier does not require updating the plurality of classifiers, the plurality of classifiers of the previous version of the boosted classifier may be reused.

In a seventh step of the method 100 (the seventh step being optional), the boosted classifier may be executed 107 by at least one digital computing device for classifying input data associated with at least one of: a network of computing devices, a computing device and a computing system; thereby respectively calculating whether:

- the data associated with a network of computing devices is indicative of an intrusion into the network of computing devices,
- the data associated with a computing device is indicative of an intrusion into the computing device, and
- the data associated with a computing system is indicative of an intrusion into the computing system.

Some examples of data indicative of an intrusion are:

- data indicative of an unauthorized access to at least one of the network of computing devices, the computing device and the computing system, and
- data indicative of a misuse of at least one of the network of computing devices, the computing device and the computing system.

In an eighth step of the method 100 (the eighth step being optional), upon calculating that data is indicative of an intrusion, at least one of the following is performed 108:

- generating a signal indicative of an intrusion,
- blocking traffic of a network of computing devices, the network being associated with the input data classified by the boosted classifier (for example, the input data being data transmitted through the network of computing devices), and
- disconnecting a computing device from a network to prevent that the intrusion into the computing device propagates through the network, the computing device being associated with the input data classified by the boosted classifier (for example, the input data being at least one of: data received by the computing device, transmitted by the computing device and processed by the computing device).

In this text, the term “comprises” and its derivations (such as “comprising”, etc.) should not be understood in an excluding sense, that is, these terms should not be interpreted as excluding the possibility that what is described and defined may include further elements, steps, etc.

On the other hand, the disclosure is obviously not limited to the specific embodiment(s) described herein, but also encompasses any variations that may be considered by any person skilled in the art (for example, as regards the choice of materials, dimensions, components, configuration, etc.), within the general scope of the disclosure as defined in the claims.

METHOD FOR ADJUSTING A BOOSTED CLASSIFIER, BOOSTED CLASSIFIER AND DEVICE OR SYSTEM FOR PERFORMING THE METHOD

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

Priority Claims (1)