JP6712944B2 - Communication prediction device, communication prediction method, and communication prediction program - Google Patents

Description

The present invention relates to an apparatus, method and program for predicting future communication.

Conventionally, as a method of monitoring unauthorized communication and predicting whether a cyber attack will occur against a certain host in the future, preparatory actions taken by the attacker before executing the attack, such as port scan or introduction of malware, etc. Has been proposed, and a method of predicting the target of an actual attack and the presence/absence of the actual attack based on this preparatory action has been proposed (see Non-Patent Document 1, for example).

Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, Junji Nakazato, Junpei Shimamura, Daisuke Inoue, Correlation analysis of DNS honeypot and darknet for proactive measures against DNS amp attack, IPSJ Journal, Vol. 56, No. 3, p921-931, 2015

However, since the conventional prediction method is targeted at an attack method that performs a preparatory action, the occurrence of an attack cannot be predicted when the preparatory action is not performed or cannot be detected. Therefore, the types of predictable attacks were limited.

An object of the present invention is to provide a communication prediction device, a communication prediction method, and a communication prediction program that can predict the occurrence of a wide range of communication types.

A communication prediction apparatus according to the present invention includes a collection unit that collects a reception history of a packet group having a predetermined characteristic for each host based on flow information in a network, and a reception of the collected packet group for each host. A calculation unit that aggregates the number of times and calculates the proportion of hosts that have received n+1 or more times among the hosts that have received n times or more as the probability of occurrence of communication at the (n+1)th time, and the prediction target host has previously used the packet A determination unit that determines the communication occurrence probability based on the number of times the group is received and outputs the communication probability as a predicted value.

The calculation unit clusters the packet group based on at least one of communication volume scale, host type, communication occurrence interval, presence/absence of communication with a neighboring host within a predetermined range, packet type, and source region. However, the communication occurrence probability may be calculated for each cluster.

The determination unit may calculate an occurrence probability of the packet group in a router having a host group as a subordinate based on the communication occurrence probability determined for each host included in the host group.

A communication prediction method according to the present invention includes a collecting step of collecting a reception history of a packet group having a predetermined characteristic for each host based on flow information in a network, and receiving the collected packet group for each host. A calculation step of totaling the number of times, and calculating a ratio of the hosts receiving the number of receptions n+1 or more among the hosts receiving the number of receptions n times or more as the communication occurrence probability of the n+1th time, The computer executes a determination step of determining the communication occurrence probability based on the number of times the group has been received and outputting the communication probability as a predicted value.

A communication prediction program according to the present invention includes a collecting step of collecting a reception history of a packet group having a predetermined characteristic for each host based on flow information in a network, and receiving the collected packet group for each host. A calculation step of totaling the number of times, and calculating a ratio of the hosts receiving the number of receptions n+1 or more among the hosts receiving the number of receptions n times or more as the communication occurrence probability of the n+1th time, The computer is made to perform a determination step of determining the communication occurrence probability based on the number of times the group is received, and outputting the communication probability as a predicted value.

According to the present invention, occurrence can be predicted for a wide range of communication types.

It is a block diagram which shows the functional structure of the communication prediction apparatus which concerns on embodiment. It is a schematic diagram which shows the inclusion relation of the host set which makes the number of attacks the condition which concerns on embodiment. It is a schematic diagram which illustrates the attack occurrence probability for every cluster which concerns on embodiment. 9 is a flowchart showing a process of generating attack occurrence probability data for each cluster according to the embodiment. 5 is a flowchart showing an attack occurrence probability acquisition process in the prediction target host according to the embodiment.

Hereinafter, an example of the embodiment of the present invention will be described.
FIG. 1 is a block diagram showing a functional configuration of the communication prediction device 1 according to this embodiment.
The communication prediction device 1 is an information processing device (computer) such as a server device or a personal computer. The communication prediction device 1 predicts the possibility that a packet group having a predetermined characteristic will be transmitted to the prediction target host.
Here, the packet group having a predetermined characteristic is, for example, a packet group that is transmitted in large quantities to the same host, and is a packet group having a large communication volume generated by a DoS (Denial of Service) attack. This is the case. In the present embodiment, the packet group is an attack having a certain amount of communication volume that may affect the network device or the host, and the communication predicting apparatus 1 allows the same host to receive the same attack again. Sex should be predicted.

The communication prediction device 1 includes an input/output device for various data, a communication device, and the like in addition to the control unit 10 and the storage unit 20.
The control unit 10 is a unit that controls the entire communication prediction device 1, and implements various functions in the present embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for storing various programs and various data for causing the hardware group to function as the communication prediction device 1, and may be a ROM, a RAM, a flash memory, a hard disk (HDD), or the like. Specifically, the storage unit 20 stores a communication prediction program that causes the control unit 10 to execute each function of the present embodiment, and attack occurrence probability data obtained by the process described below that is executed by the program.

The control unit 10 includes a collection unit 11, a calculation unit 12, and a determination unit 13.
The collection unit 11 acquires the flow information of the network to be observed from the router (core router) of the upper layer in the network, and based on the acquired flow information of the predetermined period (for example, the past one year), the communication destination The reception history of a packet group having a predetermined characteristic for each host is collected as attack information. The attack information includes a destination IP address, an attack occurrence time, an attack scale, and the like.
The observation target network may be different from the network in which the prediction target host exists.

The calculating unit 12 totals the number of times of reception of the packet group for each host collected by the collecting unit 11, that is, the number of attacks, and the ratio of the hosts having the number of attacks n+1 or more to the hosts having the number of attacks n or more. Is calculated as the attack occurrence probability of the (n+1)th time (communication occurrence probability).
At this time, the calculation unit 12 clusters the packet group for at least one of the following multiple attributes (a) to (f) in addition to the number of attacks, and calculates the following equation for each cluster. The attack probability is calculated as follows.
Probability of an attack occurring on a host with n past attacks = number of hosts with n+1 attacks or more / number of hosts with cluster (n or more attacks)

(A) Scale of communication volume For example, the types of attacks are classified according to the scale of communication volume, such as 100 to 500 Mbps, 500 to 1 Gbps, and 1 Gbps or more.

(B) Host type For example, the destination host may be a server (Web, DNS, NTP, etc.) that provides a service accessed by an unspecified number of users, or an individual terminal that does not provide such a service. The types are classified.

(C) Attack occurrence interval or frequency For example, the attack occurrence interval is less than one day, less than one week, etc., or, as another expression, the frequency of occurrence is one or more times a day, one or more times a week, etc. , The types of attacks are classified.

(D) Presence/absence of attack against a neighboring host within a predetermined range For example, an attack may occur also to a host having a close IP address (for example, different only in the fourth octet) or a host having a close network topological position. The types of attacks are classified according to whether or not they are present.

(E) Type of Packet The type of attack is classified according to what kind of method is used such as SYN flood and UDP reflection as an attack method.

(F) Source area The type of attack is classified according to which area the source IP address belongs to, such as the country.

With the above attributes, the hosts in the network are, for example, cluster A “attack count: 1 or more & scale: 100 Mbps & type: individual”, cluster B “attack count: 2 or more & scale: 500 Mbps & type: server” Etc. are classified into a plurality of clusters.

The determination unit 13 further classifies the past attack information for the prediction target host into one of the clusters generated by the calculation unit 12 to determine the attack occurrence probability of further attack, and outputs it as a predicted value.
Here, the attack information is information on the above attributes extracted from the communication log, and the determination unit determines the cluster based on these attributes including the number of attacks.
The attack information may be input from the outside or the determination unit 13 may extract the attack information from the communication log.

Further, the determination unit 13 may calculate the probability of occurrence of an attack packet group in an upper router having a host group under its control by integrating the attack probability determined for each host included in the host group.

FIG. 2 is a schematic diagram showing the inclusion relationship of host sets subject to the number of attacks according to this embodiment.
A set to which all hosts belong to 0 or more attacks includes a set to which one or more attacks belong. Further, a set having one or more attacks includes a set having two or more attacks.
In this way, as the number of attacks increases, the set becomes smaller in the form of being included in the set having a smaller number of attacks.
The communication prediction device 1 calculates the ratio of the size of the included set as the attack occurrence probability.

FIG. 3 is a schematic diagram illustrating an attack occurrence probability for each cluster according to this embodiment.
The probability that a host classified into cluster A0 (the number of attacks is 0 or more) will be attacked next by the same kind is the ratio of the number of hosts in cluster A1 to cluster A0, and is represented by the size of the area in the figure. There is. The attack occurrence probability in each cluster may be different for each cluster, that is, for each attack count and other attributes.

For example, the ratio of cluster A1 (the number of attacks is 1 or more) to cluster A0, the ratio of cluster A2 to cluster A1 (the number of attacks is 2 or more), and the ratio of cluster A3 to cluster A2 (the number of attacks is 3 or more). The percentages are different.
Further, clusters A0 and B0, A1 and B1, and A2 and B2, which have the same number of attacks but different attributes, have different attack probabilities.

FIG. 4 is a flowchart showing a process of generating attack probability data for each cluster according to this embodiment.
In step S1, the collection unit 11 collects attack information for each host from the network to be observed.

In step S2, the calculation unit 12 clusters hosts based on the attack information collected in step S1 according to an attribute including the number of attacks.
In step S3, the calculation unit 12 calculates the attack occurrence probability for each cluster generated in step S2 and stores it in the storage unit 20 in association with the cluster information.

In step S4, the calculation unit 12 determines whether the attack occurrence probabilities have been calculated for all the clusters. If the determination is YES, the process ends, and if the determination is NO, the process proceeds to step S3.

FIG. 5 is a flowchart showing an attack occurrence probability acquisition process in the prediction target host according to the present embodiment.
In step S11, the determination unit 13 receives an input from, for example, the administrator of the operation target network, and specifies the prediction target host.

In step S12, the determination unit 13 acquires attack information from the communication log related to the prediction target host specified in step S11.
In step S13, the determination unit 13 determines which of the clusters stored in the storage unit 20 the prediction target host corresponds to, based on the attack information acquired in step S12.
In step S14, the determination unit 13 acquires the attack occurrence probability of the cluster determined in step S13 and outputs it as a predicted value.

According to the present embodiment, the communication prediction device 1 collects the history of attack information for each host to determine the ratio of the hosts that have been attacked n+1 times or more to the hosts that have been attacked n or more times. , And the probability that a host that has been attacked n times will be attacked n+1 times. The communication prediction device 1 acquires the probability of the next attack based on the number of attacks on the prediction target host.
Therefore, the communication prediction device 1 predicts the occurrence of a future attack on an arbitrary prediction target host by using the statistical event of the attack that occurred in the past, without using the information of the pre-action before the attack. , Predictable against a wide range of attack types.

Further, the communication prediction device 1 clusters hosts by at least one of the scale of communication volume, the type of host, the communication occurrence interval, the presence or absence of communication with a neighboring host within a predetermined range, the packet type, and the source region. Then, the attack occurrence probability is calculated for each cluster.
Therefore, the communication prediction device 1 can accurately output the attack occurrence probability that varies according to the attack attribute.

Further, the communication prediction device 1 calculates the probability of occurrence of a packet group related to an attack in a router having a plurality of host groups under its control, by integrating the attack occurrence probabilities determined for each of these hosts.
Therefore, the communication prediction device 1 can predict a communication abnormality according to the occurrence of an attack, such as an increase in the amount of communication in the router serving as the communication path, and thus can help the efficient operation of the network equipment.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. In addition, the effects described in the present embodiment are merely enumeration of the most suitable effects resulting from the present invention, and the effects according to the present invention are not limited to those described in the present embodiment.

The communication prediction method by the communication prediction device 1 is realized by software. When implemented by software, a program forming the software is installed in an information processing device (computer). Further, these programs may be recorded on a removable medium such as a CD-ROM and distributed to users, or may be distributed by being downloaded to a user's computer via a network. Further, these programs may be provided to the user's computer as a Web service via the network without being downloaded.

1 Communication Prediction Device 10 Control Section 11 Collection Section 12 Calculation Section 13 Judgment Section 20 Storage Section

Claims (5)

A collection unit that collects a reception history of a packet group having a predetermined characteristic for each host based on the flow information in the network,
The number of times the collected packet groups are received for each host is collected, and the ratio of the hosts having the number of reception times of n+1 or more to the hosts having the number of reception times of n+1 or more is received n times in the past of the packet groups. A calculation unit that calculates the probability of occurrence of the ( n+1)th communication in the cluster of hosts
Determining the clusters corresponding to the number of times the prediction target host receives the packets in the past, the communication predicting apparatus comprising: a determination unit that the communication probability of the cluster outputs as predictors, the. The calculation unit clusters the packet group based on at least one of communication volume scale, host type, communication occurrence interval, presence/absence of communication with a neighboring host within a predetermined range, packet type, and source region. The communication prediction device according to claim 1, wherein the communication occurrence probability is calculated for each cluster. 3. The determination unit calculates the probability of occurrence of the packet group in a router having a host group as a subordinate based on the communication occurrence probability determined for each host included in the host group. The communication prediction device described in 1. A collection step of collecting a reception history of a packet group having a predetermined characteristic for each host based on the flow information in the network,
The number of times the collected packet groups are received for each host is collected, and the ratio of the hosts having the number of reception times of n+1 or more to the hosts having the number of reception times of n+1 or more is received n times in the past of the packet groups. A calculation step for calculating the probability of occurrence of the ( n+1)th communication in the cluster of hosts
Communication prediction method prediction target host to determine the cluster corresponding to the number of times of receiving the packets in the past, and the determination step of outputting the communication probability of the cluster as predictors, the computer executes. A collection step of collecting a reception history of a packet group having a predetermined characteristic for each host based on the flow information in the network,
The number of times the collected packet groups are received for each host is collected, and the ratio of the hosts having the number of reception times of n+1 or more to the hosts having the number of reception times of n+1 or more is received n times in the past of the packet groups. A calculation step for calculating the probability of occurrence of the ( n+1)th communication in the cluster of hosts
The clusters prediction target host corresponds to the number of times received the packets in the past to determine, communication prediction program for the communication probability of the cluster to execute a determination step of outputting as predictors, to the computer ..

Images