WO2016190841A1 - Distribution marginale dans un modèle graphique - Google Patents

Distribution marginale dans un modèle graphique Download PDF

Info

Publication number
WO2016190841A1
WO2016190841A1 PCT/US2015/032212 US2015032212W WO2016190841A1 WO 2016190841 A1 WO2016190841 A1 WO 2016190841A1 US 2015032212 W US2015032212 W US 2015032212W WO 2016190841 A1 WO2016190841 A1 WO 2016190841A1
Authority
WO
WIPO (PCT)
Prior art keywords
nodes
time period
graphical model
subgraph
impacted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2015/032212
Other languages
English (en)
Inventor
Fei Chen
Krishnamurthy Viswanathan
Maria Teresa Gonzalez Diaz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Enterprise Development LP
Original Assignee
Hewlett Packard Enterprise Development LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Enterprise Development LP filed Critical Hewlett Packard Enterprise Development LP
Priority to PCT/US2015/032212 priority Critical patent/WO2016190841A1/fr
Publication of WO2016190841A1 publication Critical patent/WO2016190841A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00Computing arrangements based on specific mathematical models
    • G06N7/01Probabilistic graphical models, e.g. probabilistic networks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/40Extraction of image or video features
    • G06V10/42Global feature extraction by analysis of the whole pattern, e.g. using frequency domain transformations or autocorrelation
    • G06V10/422Global feature extraction by analysis of the whole pattern, e.g. using frequency domain transformations or autocorrelation for representing the structure of the pattern or shape of an object therefor
    • G06V10/426Graphical representations

Definitions

  • Graphical models are graphs which compactly represent the joint distributions of many random variables. Graphical models have been widely used in various applications, such as malware detection, detecting malicious domains, topic modeling, information extraction, and many others.
  • Figure 1 is a schematic illustration of an example system for maintaining inference results on evolving graphical models in accordance with an implementation of the present disclosure.
  • Figure 2 illustrates a flowchart showing an example of a method for computing an approximation of a marginal distribution of all nodes in a graphical model in accordance with an implementation of the present disclosure.
  • Figure 3 is illustrates a flowchart showing an example of a method for identifying independent subgraphs in the graphical model in accordance with an implementation of the present disclosure.
  • Figure 4 illustrates a flowchart showing an example of a method for computing an approximation of the marginal distribution of all impacted nodes for each independent subgraph in accordance with an implementation of the present disclosure.
  • Figure 5 is an example block diagram illustrating a computer- readable medium in accordance with an implementation of the present disclosure.
  • Graphical models are widely used in many different applications. Graphical models may include a plurality of nodes or vertices connected by edges. In many of these applications, graphical models are constantly evolving. For example, in malware detection, the graphical model may be a bipartite graph where each node is a random binary variable which represents if a machine or a file is infected. There may be an edge between a file node and a machine node if the file is found on that machine. Such a graphical model changes when new files are installed on the machines, files are deleted and machines are added/deleted from system.
  • Such evolving scenarios as well as many non-evolving cases may generally create a graph inference problem: given a graphical model that encodes a joint probability distribution, it may be difficult and time consuming to determine the marginal probability distribution of a particular node in the graph conditioned on the known value of some other nodes in the graph.
  • the term graph inference result refers to the marginal distribution of each node in the graph.
  • changes in the graphical model may be identified between snapshots of the model in two different time periods.
  • the proposed techniques efficiently identify relatively small subgraphs in the changed large graphical models.
  • the techniques run an inference algorithm on these subgraphs to compute an approximation of marginal distribution of all impacted nodes in the subgraphs as fast as possible.
  • the techniques described herein perform graph inference incrementally (e.g., on a small neighborhood of impacted nodes), and not on the entire graphical model.
  • the changes for the second node may be approximately calculated because the changed first node would not have much effect over the second node. Therefore, when the changes between a graphical model in two different times are small, the proposed techniques offer a faster way to re-run an inference algorithm on the entire graph from scratch.
  • the techniques described herein propose to first identify impacted subgraphs of the original graph that are likely to contain nodes whose marginal distribution may change significantly based on the changes in the graph between the two different time periods. Then, the techniques propose to only run the inference algorithm on those subgraphs before combining data for the subgraphs with the data for the rest of the graph.
  • a processor may identify nodes and edges in a graphical model at a first time period and at a second time period that is later than the first time period.
  • the processor may further: determine changes between the graphical model at the first time period and the second time period, identify impacted nodes in the graphical model at the second time period, and identify independent subgraphs in the graphical model at the second time period.
  • the processor may compute an approximation of a marginal distribution of all impacted nodes for each independent subgraph, and may compute an approximation of a marginal distribution of all nodes in the graphical model at the second time period.
  • the proposed techniques may consider any type of change in a graphical model (e.g., deleted nodes, inserted nodes, nodes with changed edges, and nodes whose previously unknown values are revealed, etc.) and may apply any inference algorithm to the determined subgraphs. Further, the described techniques may efficiently compute inference results on evolving power-law graphs that include high-degree nodes.
  • FIG. 1 is a schematic illustration of an example system 10 for maintaining inference results on evolving graphical models.
  • the term "inference result" refers to an approximation of a marginal distribution of all nodes in the graphical model.
  • the illustrated system 10 is capable of carrying out the techniques described below.
  • the system 10 is depicted as including at least one a computing device 100.
  • computing device 100 includes a processor 102, an interface 106, and a machine-readable storage medium 110.
  • computing device 100 is described in details below, the techniques described herein may be performed with several computing devices or by engines distributed on different devices.
  • the computing device 100 may be any type of a computing device and may include at least engines 120-160. Engines 120-150 may or may not be part of the machine-readable storage medium 110. In one example, the computing device 100 may be an independent computing device. In another alternative example, engines 120-160 may be distributed between the computing device 100 and others computing devices.
  • the computing device 100 may include additional components and some of the components depicted therein may be removed and/or modified without departing from a scope of the system that allows for carrying out the functionality described herein.
  • Processor 102 may be central processing unit(s) (CPUs), microprocessors ), and/or other hardware device(s) suitable for retrieval and execution of instructions (not shown) stored in machine-readable storage medium 110.
  • Processor 102 may fetch, decode, and execute instructions to identify different groups in a dataset.
  • processor 102 may include electronic circuits comprising a number of electronic components for performing the functionality of instructions.
  • Interface 106 may include a number of electronic components for communicating with various devices.
  • interface 106 may be an Ethernet interface, a Universal Serial Bus (USB) interface, an IEEE 1394 (Firewire) interface, an external Serial Advanced Technology Attachment (eSATA) interface, or any other physical connection interface suitable for communication with the computing device.
  • interface 106 may be a wireless interface, such as a wireless local area network (WLAN) interface or a near-field communication (NFC) interface that is used to connect with other devices/systems and/or to a network.
  • the network may be a mesh sensor network (not shown).
  • the network may include any suitable type or configuration of network to allow for communication between the computing device 100, and any other devices/systems (e.g., other computing devices, displays, etc.), for example, to send and receive data to and from a corresponding interface of another device.
  • Each of the engines 120-160 may include, for example, at least one hardware device including electronic circuitry for implementing the functionality described below, such as control logic and/or memory.
  • the engines 120-160 may be implemented as any combination of hardware and software to implement the functionalities of the engines.
  • the hardware may be a processor and the software may be a series of instructions or microcode encoded on a machine-readable storage medium and executable by the processor. Therefore, as used herein, an engine may include program code, (e.g., computer executable instructions), hardware, firmware, and/or logic, or combination thereof to perform particular actions, tasks, and functions described in more detail herein in reference to Figures 2-5.
  • the identification engine 120 may identify nodes and edges in a graphical model at a first time period and at a second time period that is later than the first time period.
  • the graphical model may be represented as a first snapshot of the graphical model at the first time period and a second snapshot of the graphical model at the second time period.
  • the analysis engine 130 may determine changes between the graphical model at the first time period and the second time period, and may identify impacted nodes in the graphical model at the second time period.
  • the changes between the graphical model at the first time period and the second time period include at least one of: deleted nodes, inserted nodes, nodes with changed edges, and nodes whose previously unknown values are revealed. It may also include changes to factors on the edges and cliques (these factors encode the joint probability distribution of the nodes in the graphical model). In other examples, other types of changes may be detected.
  • each of the impacted nodes may have a topology change from the first time period to the second time period. The topology change may include adding or deleting an edge of the node, having a brand new node, etc.
  • the subgraphs engine 140 may identify independent subgraphs in the graphical model at the second time period.
  • the subgraphs engine 130 may: identify evidence nodes that have changed between the first time period and the second time period, identify high-degree nodes, identify active nodes, remove all edges that are not connected to active nodes, and determine a plurality of independent subgraphs.
  • active node refers to a node that has at least one active edge or has no inactive edges.
  • the term “evidence node” refers to a node in the graphical model that has a known value.
  • the term “high-degree node” refers to a node that is connected to a very large number of other nodes and the factors on the edges are such that a change in its neighbor nodes will not dramatically change its distribution.
  • the inference engine 150 may compute an approximation of a marginal distribution of all impacted nodes in each of the independent subgraphs. Thus, the inference engine 150 may apply an inference algorithm to each independent subgraph that was affected by the change in the graphical model.
  • the graphical model engine 160 may compute an approximation of a marginal distribution of all nodes in the graphical model at the second time period. Thus, the graphical model engine 160 may maintain the inference results of an evolving graphical model at a much faster rate.
  • Figure 2 illustrates a flowchart showing an example of a method 200 for computing an approximation of a marginal distribution of all nodes in a graphical model (i.e., for maintaining inference results on evolving graphical models).
  • execution of the method 200 is described below with reference to the system 10, the components for executing the method 200 may be spread among multiple devices/systems.
  • the method 200 may be implemented in the form of executable instructions stored on a machine-readable storage medium, and/or in the form of electronic circuitry.
  • the method 200 can be executed by at least one processor of a computing device (e.g., processor 102 of device 100). In other examples, the method may be executed by another processor in communication with the system 10.
  • a computing device e.g., processor 102 of device 100
  • the method may be executed by another processor in communication with the system 10.
  • Various elements or blocks described herein with respect to the method 200 are capable of being executed simultaneously, in parallel, or in an order that differs from the illustrated serial manner of execution.
  • the method 200 is also capable of being executed using additional or fewer elements than are shown in the illustrated examples.
  • the method 200 begins at 210, where at least one processor may identify nodes and edges in a graphical model at a first time period.
  • the graphical model may be represented as a first snapshot of the graphical model at the first time period.
  • the processor may identify nodes and edges in the graphical model at a second time period that is later than the first time period.
  • the graphical model may be represented as a second snapshot of the graphical model at the second time period.
  • the processor may receive and/or identify the following information: a first graph snapshot Gtfor the first time period t, its set of nodes or vertices V/and edges E t , a second graph snapshot GM for the first time period t+1, its set of nodes or vertices Vt+i, and edges Et+i.
  • a change or evolution in the graphical model is examined by the processor.
  • the processor may use different techniques to identify nodes and edges in the graphical model at the different time periods.
  • the processor may determine changes between the graphical model at the first time period t and the second time period t+1.
  • the changes between the graphical model at the first time period and the second time period include at least one of: deleted nodes, inserted nodes, nodes with changed edges, and nodes whose previously unknown values are revealed.
  • other changes in the graphical model may also be identified.
  • the processor may use various techniques to determine the changes in the graphical model.
  • the processor may identify impacted nodes / in the graphical model at the second time period (at 240). For example, the processor may use the changes in the graphical model determined in block 230 to identity the impacted nodes / in the graph.
  • each of the impacted nodes has a topology change from the first time period to the second time period.
  • the topology change may include adding or deleting an edge of the node, having a brand new node, etc.
  • the values of the impacted nodes may be recomputed using an inference to calculate an approximation of the marginal distribution of all nodes.
  • the processor may identify independent subgraphs CM in the graphical model at the second time period.
  • the processor may first identify the impacted regions (i.e., subgraphs) within the original large graph that are likely to contain nodes whose marginal distribution may change significantly based on the changes in the graph between the two different time periods.
  • the processor may compute, for each independent subgraph, an approximation of the marginal distribution of all impacted nodes (at 260).
  • the process for computing an approximation of the marginal distribution of all impacted nodes for each independent subgraph is described in below in relation to Figure 4.
  • the processor applies an inference algorithm A to each subgraph to compute an approximation of the marginal distribution of all impacted nodes in each of the subgraphs. Therefore, the processor applies the inference algorithm only to the identified impacted subgraphs and not to the entire graphical model. Considering the size of many graphical models, this selective process speeds up the generation of inference results.
  • the processor may compute an approximation - (G T+1 ) of the marginal distribution of all nodes in the graphical model A(Gt+i) at the second time period.
  • the processor returns the approximated marginal distribution i4(G t+1 ) for the entire graphical model at the second period of time t+1 in order to maintain the inference results on the evolving graphical model in an expedited paste.
  • the processor may merge the calculated approximation of the marginal distribution for all subgraphs A(l) with the unchanged nodes at time t+1 in the graphical model
  • a method 300 for identifying independent subgraphs in the graphical model at the second time period is described in more details in relation to Figure 3.
  • the method 300 can be executed by at least one processor of a computing device (e.g., processor 102 of device 100). In other examples, the method may be executed by another processor in communication with the system 10.
  • the trained model may be generated by using a training dataset.
  • the method 300 begins at 310, where the processor may identify evidence nodes Ethat have changed between the first time period and the second time period.
  • evidence node refers to a node in the graphical model that has a known value and, therefore, there is no randomness in that respect. Thus, their distribution is unaffected by the value of any other nodes. For an evidence node, changes in its few neighbors will not dramatically change the distribution of the node.
  • the processor may identify evidence nodes E that have not changed between the first time period t and the second time period f+1 in the group of all nodes VM n Vt.
  • Various techniques may be used to identify evidence nodes that have changed between the two time periods.
  • the processor may identify high-degree nodes in the graphical model.
  • a high-degree node is a node that is connected to a very large number of other nodes such that a change in its neighbor nodes will not dramatically change its distribution.
  • the graphical models include power law graphs. In such graphs, some high-degree nodes have thousands of neighbors.
  • the processor may use a predetermined threshold d of high- degree nodes to identify the high-degree nodes in the group of all nodes
  • High-degree nodes also block the changes or dependencies to other neighbors.
  • high-degree nodes and the evidence nodes may block the dependency among nodes in the graph. Any path that contains either an evidence node or a high-degree node may be identified as an inactive path.
  • the processor may identify the union H of high-degree nodes and relevance nodes.
  • the processor may identify active nodes in the graphical user interface.
  • an “active node” refers to a node that has at least one active edge or has no inactive edges.
  • the processor may identify active nodes in all nodes at the second time
  • two nodes X and Y are conditionally independent given Z if knowledge about X gives no extra information about Y once there is knowledge of Z. In other words, once there is knowledge of Z, X adds nothing to the knowledge about Y. Thus, a path between two nodes is active if it carries information or dependence. Two nodes X and Y might be connected by many paths in a graph, where all, some, or none of the paths are active. Therefore, X and Y are dependent-separated if all the paths that connect them are inactive, or, equivalently, if no path between them is active.
  • the processor may remove all edges that are not
  • the processor may find all active paths, and that information may be used to identify the active nodes and to break the graph into several smaller independent subgraphs if there is no active path connecting them.
  • a first subgraph and a second subgraph of the graphical model are independent when there are no active paths connecting the subgraphs, and where changes in the first independent subgraph do not affect the marginal distribution of any nodes in the second independent subgraph.
  • Figure 4 illustrates a flowchart showing an example of a method 400 for computing an approximation of the marginal distribution of all impacted nodes for each independent subgraph.
  • the method 400 can be executed by at least one processor of a computing device (e.g., processor 102 of device 100). In other examples, the method may be executed by another processor in communication with the system 10.
  • the method 400 begins at 410 where the processor may identify each impacted node in the subgraph. Then, at 420, the processor may identify all k-neighborhood nodes for each impacted node in the subgraph.
  • k-neighborhood nodes refers to nodes that are reachable from a node and are within a predetermine distance k. The size of the k-neighborhood may vary and may be fixed or flexible.
  • the processor may use the length of a path between two nodes (i.e., the number of other nodes it needs to go through to get from one node to the other) to identify all k-neighborhood nodes for each impacted node in the subgraph. For example, even if nodes X and Y are connected via some active paths, if all these active paths are very long, the dependence between X and Y is very weak. Therefore, changes in X's distribution only impact Y's distribution slightly. The processor, therefore, identifies the k-neighborhood of nodes to be considered for a subgraph. For instance, a threshold (e.g., Z number of nodes to get from node X to node Y) that would identify long paths may be used.
  • a threshold e.g., Z number of nodes to get from node X to node Y
  • the processor may add the identified k-neighborhood nodes for each impacted node to the set of impacted nodes.
  • the processor "grows" the set of impacted nodes in the subgraph by adding non-impacted nodes to identify the right size subgraph to which to apply an inference algorithm.
  • the right size subgraph is a subgraph where changes in the nodes would strongly impact the marginal distribution of adjacent nodes.
  • the processor may apply an inference algorithm A to each independent subgraph.
  • the inference algorithm is applied to the entire independent subgraph - including impacted and non-impacted nodes. That way, the processor may receive inference results for all nodes within the independent subgraph.
  • Figure 5 illustrates a computer 501 and a non-transitory machine- readable medium 505 according to an example.
  • the computer 501 maybe similar to the computing device 100 of the system 10 or may include a plurality of computers.
  • the computer may be a server computes, a workstation computer, a desktop computer, a laptop, a mobile device, or the like, and may be part of a distributed system.
  • the computer may include one or more processors and one or more machine-readable storage media.
  • the computer may include a user interface (e.g., touch interface, mouse, keyboard, gesture input device, etc.).
  • Computer 501 may perform methods 200-400 and variations thereof. Additionally, the functionality implemented by computer 501 may be part of a larger software platform, system, application, or the like. Computer 501 may be connected to a database (not shown) via a network.
  • the network may be any type of communications network, including, but not limited to, wire-based networks (e.g., cable), wireless networks (e.g., cellular, satellite), cellular telecommunications network(s), and IP-based telecommunications network(s) (e.g., Voice over Internet Protocol networks).
  • the network may also include traditional landline or a public switched telephone network (PSTN), or combinations of the foregoing.
  • PSTN public switched telephone network
  • the computer 501 may include a processor 503 and non-transitory machine-readable storage medium 505.
  • the processor 503 e.g., a central processing unit, a group of distributed processors, a microprocessor, a microcontroller, an application-specific integrated circuit (ASIC), a graphics processor, a multiprocessor, a virtual processor, a cloud processing system, or another suitable controller or programmable device
  • ASIC application-specific integrated circuit
  • the storage medium 505 may include any suitable type, number, and configuration of volatile or non- volatile machine-readable storage media to store instructions and data.
  • machine-readable storage media in include read-only memory (“ROM”), random access memory (“RAM”) (e.g., dynamic RAM ["DRAM”], synchronous DRAM ["SDRAM”], etc.), electrically erasable programmable read-only memory (“EEPROM”), magnetoresistive random access memory (MRAM), memristor, flash memory, SD card, floppy disk, compact disc read only memory (CD-ROM), digital video disc read only memory (DVD-ROM), and other suitable magnetic, optical, physical, or electronic memory on which software may be stored.
  • ROM read-only memory
  • RAM random access memory
  • EEPROM electrically erasable programmable read-only memory
  • MRAM magnetoresistive random access memory
  • CD-ROM compact disc read only memory
  • DVD-ROM digital video disc read only memory
  • Software stored on the non-transitory machine-readable storage media 505 and executed by the processor 503 includes, for example, firmware, applications, program data, filters, rules, program modules, and other executable instructions.
  • the processor 503 retrieves from the machine-readable storage media 505 and executes, among other things, instructions related to the control processes and methods described herein.
  • the processor 503 may fetch, decode, and execute instructions 307- 311 among others, to implement various processing.
  • processor 503 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 507-515. Accordingly, processor 503 may be implemented across multiple processing units and instructions 507-515 may be implemented by different processing units in different areas of computer 501.
  • IC integrated circuit
  • the instructions 507-515 when executed by processor 503 can cause processor 503 to perform processes, for example, methods 200-400, and/or variations and portions thereof. In other examples, the execution of these and other methods may be distributed between the processor 503 and other processors in communication with the processors 603.
  • data identification instructions 507 may cause processor 503 to identify nodes and edges in a graphical model at a first time period and at a second time period that is later than the first time period.
  • the graphical model may be represented as a first snapshot of the graphical model at the first time period and a second snapshot of the graphical model at the second time period.
  • Analysis instructions 509 may cause the processor 503 to determine changes between the graphical model at the first time period and the second time period, and to identify impacted nodes in each of the independent subgraphs in the graphical model at the second time period.
  • Each of the impacted nodes may have a topology change from the first time period to the second time period.
  • each of the impacted nodes has a value in the second time period that is different from the value of the node in the first time period.
  • These instructions may function similarly to the techniques described in blocks 230-240 of method 200.
  • the changes between the graphical model at the first time period and the second time period include at least one of: deleted nodes, inserted nodes, nodes with changed edges, and nodes whose previously unknown values are revealed. In other example, other types of changes may be detected.
  • Subgraphs instructions 511 may cause the processor 503 to identify independent subgraphs in the graphical model at the second time period. These instructions may function similarly to the techniques described in block 250 of method 200 and to the techniques described in method 300. For example, the subgraphs instructions 511 may cause the processor 503 to: identify evidence nodes that have changed between the first time period and the second time period, identify high-degree nodes, identify active nodes, remove all edges that are not connected to active nodes, and determine a plurality of independent subgraphs.
  • Inference instructions 513 may cause the processor 503 to compute an approximation of a marginal distribution of all impacted nodes in each of the independent subgraphs. These instructions may function similarly to the techniques described blocks 260 of method 200 and to the techniques described in method 400. Thus, inference instructions 513 may cause the processor 503 to apply an inference algorithm to each independent subgraph that was affected by the change in the graphical model.
  • Graphical model instructions 515 may cause the processor 503 to compute an approximation of a marginal distribution of all nodes in the graphical model at the second time period. These instructions may function similarly to the techniques described blocks 270 of method 200. Thus, graphical model instructions 515 may cause the processor 503 to maintain the inference results of an evolving graphical model at a very fast paste.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Multimedia (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Algebra (AREA)
  • Medical Informatics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

La présente invention concerne, dans une mise en œuvre, un exemple de procédé. Le procédé comprend d'identifier des nœuds et des bords dans un modèle graphique à une première période temporelle, d'identifier des nœuds et des bords dans le modèle graphique à une seconde période temporelle qui est postérieure à la première période temporelle, de déterminer des changements entre le modèle graphique à la première période temporelle et à la seconde période temporelle, et d'identifier des nœuds affectés dans le modèle graphique à la seconde période temporelle. Le procédé comprend en outre d'identifier des sous-graphes indépendants dans le modèle graphique à la seconde période temporelle, de calculer, pour chaque sous-graphe indépendant, une approximation d'une distribution marginale de tous les nœuds affectés, et de calculer une approximation d'une distribution marginale de tous les nœuds dans le modèle graphique à la seconde période temporelle.
PCT/US2015/032212 2015-05-22 2015-05-22 Distribution marginale dans un modèle graphique Ceased WO2016190841A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/032212 WO2016190841A1 (fr) 2015-05-22 2015-05-22 Distribution marginale dans un modèle graphique

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/032212 WO2016190841A1 (fr) 2015-05-22 2015-05-22 Distribution marginale dans un modèle graphique

Publications (1)

Publication Number Publication Date
WO2016190841A1 true WO2016190841A1 (fr) 2016-12-01

Family

ID=57393565

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/032212 Ceased WO2016190841A1 (fr) 2015-05-22 2015-05-22 Distribution marginale dans un modèle graphique

Country Status (1)

Country Link
WO (1) WO2016190841A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016898A1 (en) * 2005-07-13 2007-01-18 International Business Machines Corporation Method and system for finding evolving regions in graphs without persistent node identity
WO2007117567A2 (fr) * 2006-04-06 2007-10-18 Smobile Systems Inc. Système et procédé de détection de maliciels pour des plates-formes mobiles à accès limité
US20130179974A1 (en) * 2012-01-11 2013-07-11 Pratyusa Kumar Manadhata Inferring a state of behavior through marginal probability estimation
US20140181819A1 (en) * 2012-12-21 2014-06-26 Microsoft Corporation Virtualization detection
US9021260B1 (en) * 2014-07-03 2015-04-28 Palantir Technologies Inc. Malware data item analysis

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016898A1 (en) * 2005-07-13 2007-01-18 International Business Machines Corporation Method and system for finding evolving regions in graphs without persistent node identity
WO2007117567A2 (fr) * 2006-04-06 2007-10-18 Smobile Systems Inc. Système et procédé de détection de maliciels pour des plates-formes mobiles à accès limité
US20130179974A1 (en) * 2012-01-11 2013-07-11 Pratyusa Kumar Manadhata Inferring a state of behavior through marginal probability estimation
US20140181819A1 (en) * 2012-12-21 2014-06-26 Microsoft Corporation Virtualization detection
US9021260B1 (en) * 2014-07-03 2015-04-28 Palantir Technologies Inc. Malware data item analysis

Similar Documents

Publication Publication Date Title
US9836603B2 (en) Systems and methods for automated generation of generic signatures used to detect polymorphic malware
US10917415B2 (en) Machine learning-based determination of program code characteristics
US10679055B2 (en) Anomaly detection using non-target clustering
CN110378413A (zh) 神经网络模型处理方法、装置以及电子设备
US20110055123A1 (en) Systems and Methods for Using Multiple In-line Heuristics to Reduce False Positives
CN108229156A (zh) Url攻击检测方法、装置以及电子设备
CN108604239A (zh) 用于有效分类数据对象的系统和方法
US20180247226A1 (en) Classifier
CN111859093A (zh) 敏感词处理方法、装置及可读存储介质
CN113890821A (zh) 一种日志关联的方法、装置及电子设备
CN110334262B (zh) 一种模型训练方法、装置及电子设备
CN109213972B (zh) 确定文档相似度的方法、装置、设备和计算机存储介质
US8978001B1 (en) Enhanced case-splitting based property checking
JP7063274B2 (ja) 情報処理装置、ニューラルネットワークの設計方法及びプログラム
CN111860554A (zh) 风险监控方法、装置、存储介质及电子设备
WO2016195639A1 (fr) Commande d'accès de mémoire distante dans un moteur d'inférence de graphe à nœuds de traitement multiples
WO2025139642A1 (fr) Procédé et appareil d'identification d'utilisateur cible, et dispositif électronique
CN116150746B (zh) 一种攻击检测方法、装置、电子设备及存储介质
WO2016190841A1 (fr) Distribution marginale dans un modèle graphique
CN109800775B (zh) 文件聚类方法、装置、设备及可读介质
CN114139711B (zh) 分布式推断方法、数据处理方法、装置、终端及计算设备
US11169964B2 (en) Hash suppression
AU2019446476A1 (en) Information processing device, creation method, and creation program
CN113377796B (zh) 自动更新埋点事件及其字段的方法、装置及存储介质
CN116361153A (zh) 固件代码的测试方法、装置、电子设备、存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15893486

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15893486

Country of ref document: EP

Kind code of ref document: A1