JP7033560B2 - Analytical equipment and analytical method - Google Patents

Description

The present invention relates to an analyzer and an analysis method for analyzing data.

In cyberspace, the attacker has a structural advantage, and the attacks are becoming more sophisticated, increasing, and changing every day. Under such circumstances, the targets of attacks are expanding from conventional financial businesses and IT (Information Technology) service businesses to infrastructure businesses. The cost of countermeasures required for countermeasures is rising, but the current situation is that investment cannot keep up with it. The number of security experts is also insufficient, and securing human resources for the future is an issue. Since a sufficient number of security experts are not secured, there is a concern that it will hinder the operation of SOC (Security Operation Center). In particular, social infrastructure operators monitor the entire system. Therefore, a significant improvement in SOC operation performance is required as compared with the past.

The most man-hours required in SOC operation work is the work of determining the importance of security alerts notified from FW (Firewall) / IPS (Intrusion Prevention System) (work of manually determining whether an incident or false positive is detected). .. Conventionally, when an alert occurs, an SOC expert refers to each device log in the system and external threat information (for example, URL (Uniform Experience Locator) and malware risk assessment), and the importance of the alert. Was judged based on experience and intuition. In order to realize sustainable SOC operation in the future against the ever-increasing number of cyber attacks and the scale-up of monitored systems, it is essential to automate the above-mentioned alert importance judgment. However, it is difficult in terms of cost to define all the judgment logic rules. Therefore, by machine learning, a technique for creating an alert importance judgment logic from the accumulated data of the alert importance by an expert is required.

Further, Patent Document 1 discloses a teacher data collecting device that collects data relating to a specific field for use as teacher data for machine learning. This teacher data collecting device is a feature calculation unit that calculates a first feature vector that is a feature vector of data related to a specific field registered in advance, and data related to the specific field from the first feature vector. A generation unit that generates search conditions used for collecting data, a collection unit that collects data related to the specific field based on the generated search conditions, and a second feature that is a feature vector of the collected data. When the feature calculation unit calculates the vector, the similarity calculation unit calculates the similarity between the second feature vector and the first feature vector, and the collected data in which the similarity is within a predetermined range. Is provided with an extraction unit for extracting the teacher data.

Japanese Unexamined Patent Publication No. 2018-124617

Cyber attacks change over time. Continuous additional learning is essential to keep up with change. Therefore, it is necessary to have a security analyst who is an expert enter a new judgment (called a label) for an alert that cannot be judged mechanically and has a low accuracy of judgment. However, as the number of inputs increases, the burden on the expert increases.

The purpose of this disclosure technology is to reduce the analysis burden of security analysts due to the increase in alerts to be analyzed.

An analyzer and an analysis method according to one aspect of the present disclosure technique are an analyzer and an analysis method including a processor for executing a program and a storage device for storing the program, wherein the processor is a behavior history information. The behavior classification information and the behavior sequence information can be accessed, and the behavior history information is information that stores the past behavior history executed by the communication partner with the monitoring target for the monitoring target, and the behavior classification information. Is information in which the communication partner and the classified action group of the communication partner are associated with each other, and the action sequence information includes an action sequence which is a time-series action of the communication partner and the action sequence. The information is associated with the included information indicating whether or not it is a part of another action sequence longer than the action sequence, and the processor is an alert of each alert group generated in the monitoring target. The acquisition process for acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence, and the monitoring within the first predetermined period before the occurrence of a specific alert in the alert group. The first determination process for determining whether or not a specific communication partner with the target exists in the behavior classification information and the first determination processing determine that the specific communication partner does not exist in the behavior classification information. In this case, it is a time-series action of the specific communication partner based on the classification result of the action of the specific communication partner and the past action history of the specific communication partner stored in the action history information. By the second determination process of generating a specific action sequence and using the action sequence information to determine whether or not the specific action sequence is a part of the other action sequence, and the second determination process. When it is determined that the specific action sequence is a part of the other action sequence, a selection process for selecting the classification result of the action of the specific communication partner and the specific communication selected by the selection process. It is characterized by executing an output process that outputs the classification result of the behavior of the other party.

An analyzer and an analysis method according to another aspect of the present disclosure technique are an analyzer and an analysis method having a processor for executing a program and a storage device for storing the program, wherein the processor is a behavior history information. And the action classification information and the action sequence information can be accessed, and the action history information is information that stores the past action history executed by the communication partner with the monitoring target for the monitoring target, and the action classification. The information is information in which the communication partner and the classified action group of the communication partner are associated with each other, and the action sequence information is an action sequence which is a time-series action of the communication partner and the action sequence. It is information corresponding to the appearance frequency of the above, and the processor classifies the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target. The acquisition process for acquiring the result and determination of whether or not a specific communication partner with the monitoring target exists in the behavior classification information within the first predetermined period before the occurrence of the specific alert in the alert group. When it is determined by the first determination process and the first determination process that the specific communication partner does not exist in the action classification information, the action classification result of the specific communication partner and the action history information are stored. Based on the past action history of the specific communication partner, a specific action sequence which is a time-series action of the specific communication partner is generated, and the action sequence information is used to generate the specific action. When the second determination process for determining whether or not the appearance frequency of the sequence is less than or equal to the predetermined frequency and the second determination process determine that the appearance frequency of the specific action sequence is less than or equal to the predetermined frequency, the said It is characterized by executing a selection process for selecting a classification result of the behavior of a specific communication partner and an output process for outputting the classification result of the behavior of the specific communication partner selected by the selection process.

According to a typical embodiment of the present invention, it is possible to automate the narrowing down of alerts that are highly related to the change in technique. Issues, configurations and effects other than those described above will be clarified by the description of the following examples.

FIG. 1 is an explanatory diagram showing an analysis example of a cyber attack. FIG. 2 is a block diagram showing a system configuration example of the monitoring system. FIG. 3 is a block diagram showing a hardware configuration example of various computers shown in FIG. FIG. 4 is an explanatory diagram showing an example of a feature amount table. FIG. 5 is an explanatory diagram showing an example of a label table. FIG. 6 is an explanatory diagram showing an example of a behavior classification table. FIG. 7 is an explanatory diagram showing an example of an action sequence table. FIG. 8 is an explanatory diagram showing an example of a ratio table. FIG. 9 is a block diagram showing a functional configuration example of the analyzer. FIG. 10 is a sequence diagram showing the operation of the analyzer. FIG. 11 is an explanatory diagram showing an output screen display example of the analyst terminal. FIG. 12 is a flowchart showing a detailed processing procedure example of the behavior classification prediction (step S1005) shown in FIG. FIG. 13 is a flowchart showing a detailed processing procedure example of the abnormal behavior determination (step S1007) for each communication partner shown in FIG. FIG. 14 is a flowchart showing a detailed processing procedure example of the behavior-specific abnormal behavior determination (step S1009) shown in FIG. FIG. 15 is a flowchart showing a detailed processing procedure example of the feedback processing (step S1012) shown in FIG. FIG. 16 is a flowchart showing a detailed processing procedure example of the additional learning process (step S1013) shown in FIG.

<Analysis example of cyber attack>
FIG. 1 is an explanatory diagram showing an analysis example of a cyber attack. In FIG. 1, a case where the monitored system 110 receives a cyber attack from a communication terminal 120 (sometimes simply referred to as an attacker) performing a cyber attack will be described as an example. When the monitoring target system 110 receives a cyber attack from the communication terminal 120, the monitoring target system 110 sends an alert to the SOC 100. The alert includes, for example, an alert identifier that uniquely identifies the alert, the date and time when the alert occurred, and a communication partner (communication terminal 120 in this example).

The SOC 100 includes an alert management device 101, a log collection device 102, and an analysis device 103. The alert management device 101 receives the alert from the monitored system 110 and forwards it to the log collecting device 102. The log collecting device 102 acquires a log (for example, the number of cache misses and the number of abnormal responses) indicating the behavior of the monitored system 110 from the monitored system 110 and transmits it to the analyzer 103.

The analysis device 103 has a DB 130, acquires a log within a predetermined period before an alert is generated from the log collection device 102, assigns an alert identifier of an alert generated within the predetermined period to the log, and stores the log in the DB 130. .. The log to which the alert identifier is attached is called "alert feature data". Even if the same alert identifier is assigned to different logs, each will be alert feature data.

The analyzer 103 executes machine learning processing 131 to generate a classifier for classifying alert feature data. The classifier is, for example, a learning parameter. In the machine learning process 131, two types of learning data are applied. One is unsupervised alert feature data and the other is supervised alert feature data.

The unsupervised alert feature data is a log relating to the behavior of the monitored system 110 or its communication partner before the occurrence of past alerts. The supervised alert feature data is a combination of a log relating to the behavior of the monitored system 110 or its communication partner before the occurrence of a past alert, and a classification label assigned to the log by security analyst 141. By clustering the unsupervised alert feature data group in the machine learning process 131, the unsupervised alert feature data group is classified into a plurality of clusters. Each cluster is labeled by security analyst 141 to indicate the classification of cyber attacks. As a result, the unsupervised alert feature data becomes the supervised alert feature data. The analyzer 103 generates a classifier by executing the machine learning process 131 using the supervised alert feature data.

When the predicted target alert feature data group within the predetermined period before the occurrence of the predicted target alert of the cyber attack is newly obtained from the log collecting device 102, the analyzer 103 uses the generated classifier by the alert classification process 132. The prediction target alert feature data group is classified, and the classification result is stored in the DB 130.

The analyzer 103 samples the labels that are strongly related to the tactical change from the labels that are the classification results obtained from the classifier by the sampling process 133 from the following viewpoints (1) and (2).

(1) Whether or not the label or the time-series sequence of the label given to the communication partner that causes the prediction target alert to occur is the first appearance or the frequency of the time series sequence of the label by the communication partner-specific abnormal behavior determination process 134. To judge. If the labeled label or the time-series sequence of labels appears for the first time or is infrequent, the analyzer 103 samples the predicted target alert corresponding to the predicted target alert feature data to which the label is assigned as a selection alert.

(2) By the behavior-specific abnormal behavior determination process 135, the analyzer 103 has a track record of whether the given label or the time-series behavior sequence of the label has been a part of a long-term attack in the past for the communication partner group. Is determined. If the given label or action sequence has a track record of being part of a long-term attack in the past, the analyzer 103 samples the predicted alert corresponding to the predicted alert feature data to which the label is given as a selection alert. do.

From the viewpoints (1) and (2), the analyzer 103 can automatically narrow down the prediction target alert group having a high relevance of the technique change to the selection alert. As a result, the analysis burden of the security analyst 141 can be reduced.

The analyst terminal 140 receives the selection alert sampled by the sampling process 133, and the security analyst 141 analyzes the selection alert displayed on the analyst terminal 140. For example, security analyst 141 changes the label of a selection alert. Then, the analyst terminal 140 transmits the feedback information created by the security analyst 141 to the analyzer 103. The feedback information includes, for example, the modified label of the selection alert. The analyzer 103 updates the label of the selection alert in the DB 130 based on the feedback information. Note that the security analyst 141 may analyze the selection alert displayed on the analyzer 103 or operate the analyzer 103 to create feedback information.

Further, the analyzer 103 suppresses the bias of the distribution of the additional learning data given to the classifier by the adjustment process 137 when the classifier is relearned. The additional learning data is, for example, a combination of the predicted target alert feature data that has been sampled 133 and a label indicating the classification newly assigned by the security analyst 141 to the predicted target alert feature data. Specifically, for example, the analyzer 103 adjusts the number of selection alerts for each label from the following viewpoint (3) by the adjustment process 137 so that the labels of the additional learning data group do not concentrate on a specific label.

(3) The analyzer 103 replenishes the label having a small number of selected alerts with unselected alerts not sampled by the sampling process 133 so that the number of selected alerts for each label is the same.

From the viewpoint (3), the bias of the distribution of the additional learning data is suppressed. Therefore, the analyzer 103 can minimize the number of inquiries to the security analyst 141 regarding the bias adjustment of the distribution of the additional learning data when re-learning with the additional learning data. In addition, by suppressing the bias of the distribution of the additional learning data, overfitting due to concentration on a specific label is suppressed. Therefore, it is possible to respond to cyber attacks whose methods change over time.

<System configuration example>
FIG. 2 is a block diagram showing a system configuration example of the monitoring system. The monitoring system 200 includes a monitoring target system 110 and an SOC 100. The monitored system 110 and the SOC 100 are communicably connected.

The monitored system 110 is a system monitored by the SOC 100. The monitoring target system 110 includes, for example, a first network 210, one or more client terminals 211, a business server 212, a network monitoring device 213, a first FW / IPS 214, and a proxy server 216.

The first network 210 is, for example, a bus, and connects one or more client terminals 211, a business server 212, a network monitoring device 213, a first FW / IPS 214, a proxy server 216, a second FW / IPS 223, and an SOC 100 communicably. .. The first FW / IPS 214 is communicably connected to the external network 202. The external network 202 is, for example, a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet.

Further, the monitored system 110 includes, for example, a second network 220, a control device 221, a controller 222, and a second FW / IPS223. The second network 220 is, for example, a bus and communicably connects the second network 220, the control device 221, the controller 222, and the second FW / IPS223.

The SOC 100 has, for example, an alert management device 101, a log collection device 102, an analysis device 103, an analyst terminal 140, and a third network 203. The third network 203 is, for example, a bus, and connects the alert management device 101, the log collection device 102, the analysis device 103, the analyst terminal 140, and the external threat information database 201 so as to be communicable.

As an example of an event, the alert management device 101 acquires and stores alerts such as virus detection, abnormal behavior detection, and connection detection with an unregistered device from the monitored system 110. The alert includes, for example, the date and time when the alert occurred, the alert target (the computer in the monitored system 110 that is the source of the alert), and the communication partner (for example, the IP address that identifies the communication terminal 120) that is the alert target. Information included. The alert management device 101 notifies the analysis device 103 of the acquired alert.

The log collecting device 102 acquires and stores the log from the monitored system 110. The log is historical information indicating when, which computer 300 in the monitored system 110 sends and receives what data to which communication partner.

The analysis device 103 analyzes the alert using the alert managed by the alert management device 101, the log managed by the log collection device 102, and the threat information registered in the external threat information database 201. The external threat information database 201 is, for example, a database that discloses threat information on the Internet. Threat information includes, for example, malware, program vulnerabilities, spam, and malicious URLs. The analyst terminal 140 is a terminal operated by the security analyst 141.

<Computer hardware configuration example>
FIG. 3 shows various computers (client terminal 211, business server 212, network monitoring device 213, first FW / IPS 214, proxy server 216, control device 221, controller 222, second FW / IPS 223, alert management device 101) shown in FIG. , Log collection device 102, analysis device 103, analyst terminal 140) is a block diagram showing a hardware configuration example.

The computer 300 has a processor 301, a storage device 302, an input device 303, an output device 304, and a communication interface (communication IF) 305. The processor 301, the storage device 302, the input device 303, the output device 304, and the communication IF 305 are connected by the bus 306. The processor 301 controls the computer 300.

The storage device 302 serves as a work area for the processor 301. Further, the storage device 302 is a non-temporary or temporary recording medium for storing various programs and data. Examples of the storage device 302 include a ROM (Read Only Memory), a RAM (Random Access Memory), an HDD (Hard Disk Drive), and a flash memory. The input device 303 inputs data. The input device 303 includes, for example, a keyboard, a mouse, a touch panel, a numeric keypad, and a scanner. The output device 304 outputs data. Examples of the output device 304 include a display and a printer. Communication IF305 connects to a network and sends and receives data.

<Feature table 400>
FIG. 4 is an explanatory diagram showing an example of the feature amount table 400. The feature amount table 400 is a table that stores an alert feature amount indicating the feature amount of the alert, is collected from the log collecting device 102 by the analysis device 103, and is stored in the storage device 302 of the analysis device 103, for example. The feature amount table 400 may be stored in the log collecting device 102.

The feature amount table 400 has an alert identifier 401, an aggregation date and time 402, a proxy server log 403, a business server log 404, and external threat information 405 as fields. The combination of the values of each field in a row is the entry that makes up the alert feature data.

In addition to the proxy server log 403, business server log 404, and external threat information 405, there are logs for other computers in the monitored system 110 (client terminal 211, FW / IPS214,223, network monitoring device 213, etc.). It may be, but it is omitted in FIG.

The alert identifier 401 is identification information that uniquely identifies the alert. The alert from the alert management device 101 includes the alert identifier 401, the date and time of occurrence, the alert target, and the communication partner. The date and time of occurrence is the date and time when the alert occurred. The alert target is the source of the alert, in this case, the computer in the monitored system 110. The communication partner is the destination of the data sent by the alert target or the sender of the data sent to the alert target. In addition, the analyzer 103 assigns the alert identifier 401 of the alert to the entry including the aggregated date and time 402 in the time zone from the date and time retroactive to the occurrence date and time to the occurrence date and time from before the occurrence date and time of the alert.

The aggregation date and time 402 is a date and time when the log collection device 102 aggregates the logs from the date and time retroactive to the occurrence date and time of the alert specified by the alert identifier 401 to the occurrence date and time at regular time intervals. In this example, the predetermined time is 1 hour and the fixed time interval is 10 minutes. The aggregation date and time 402 indicates the end date and time at a fixed time interval. For example, an entry with an aggregation date and time 402 of "10/10 12:57" indicates alert feature data identified in a log aggregated in 10 minutes from 12:48 to 12:57 on 10/10.

For example, if the alert occurrence date and time when the alert identifier 401 is "Alert_005" is "10/10 13:57", the aggregated date and time 402 of the alert whose alert identifier 401 is "Alert_005" is the occurrence date and time "10 /". "10/10 12:57" one hour back from "10 13:57" and "10/10 13:07" and "10/10 13:17" in 10-minute increments from "10/10 13:57" , "10/10 13:27", "10/10 13:37", "10/10 13:47", and "10/10 13:57". In this way, the collection timing of alert feature data when an alert occurs is set.

The proxy server log 403 has a cache miss count 431 and an abnormal response count 432 as subfields. The number of cache misses 431 is the number of times the proxy server 116 has made a cache miss at the aggregation date and time 402. The number of abnormal responses 432 is the number of times that the proxy server 116 received the abnormal response at the aggregation date and time 402. The subfield of the proxy server log 403 may be other than the number of cache misses 431 and the number of abnormal responses 432 (for example, the number of communication bytes), but it is omitted in FIG.

The business server log 404 has an abnormal response number 441 and an access number 442 as subfields. The number of abnormal responses 441 is the number of times that the business server 112 received the abnormal response at the aggregation date and time 402. The number of accesses 442 is the number of times that the business server 112 is accessed by the other computer 300 during the aggregation period specified by the aggregation date and time 402. The subfield of the business server log 404 may be other than the number of abnormal responses 441 and the number of accesses 442 (for example, the number of authentication failures), but it is omitted in FIG.

The external threat information 405 has an IP address risk level 451 and a URL risk level 452 as subfields. The IP address risk level 451 is an index value indicating stepwise the risk level of the IP address in the external threat information database 201 when the communication partner to be alerted at the aggregation date and time 402 is specified by the IP address. In this example, there are 6 levels from 0 to 5, and 5 indicates the highest risk.

The URL risk level 452 is an index value indicating the risk level of the URL in the external threat information database 201 stepwise when the communication partner to be alerted at the aggregation date and time 402 is specified by the URL. In this example, there are 6 levels from 0 to 5, and 5 indicates the highest risk. The subfield of the external threat information 405 may be other than the IP address risk level 451 and the URL risk level 452, but it is omitted in FIG.

<Label table 500>
FIG. 5 is an explanatory diagram showing an example of the label table 500. The label table 500 is a table for storing classification labels, and is stored in, for example, the storage device 302 of the analyzer 103. The label table 500 may be stored in the log collecting device 102.

In the label table 500, the alert identifier 401, the aggregation date and time 402, the communication partner classification information 503, the action classification (label) 504, the accuracy 505, the action classification (old label) 506, the sampling 507, and additional learning have been completed. 508 and as a field. The combination of the values of each field in a row is the entry that makes up the label data.

The communication partner classification information 503 is information for classifying the communication partner, and is the communication partner of the monitoring target system 110 included in the alert. The behavior classification (label) 504 is the latest label that classifies the behavior of the communication partner, in other words, the cyber attack from the communication terminal 120, and is threat information such as malware, program vulnerability, spam, and malicious URL. Is. In this embodiment, for convenience, the individual values of the behavior classification (label) 504 are shown in uppercase letters.

The accuracy 505 is a numerical value indicating the certainty of the value of the behavior classification (label) 504, and the larger the value, the more likely the behavior classification (label) 504 is. The value of the accuracy 505 takes a range of 0.0 or more and 1.0 or less. The value of the accuracy 505 is the learning result by the machine learning process 131. The closer to the center of the cluster specified by the value of the behavior classification (label) 504, the larger the value of the accuracy 505.

The behavior classification (old label) 506 indicates the past label. When a new label is recorded in the action classification (label) 504, the label before recording is stored in the action classification (old label) 506 as an old label.

The sampling 507 is a flag indicating whether or not the alert has been sampled for analysis, and the initial value is "N" indicating that the alert has not been sampled. When it is sampled, it is updated to "Y" indicating that it has been sampled.

The additional learning 508 is a flag indicating whether or not the alert identifier and the action classification (label) of the alert are selected as the additional learning data when the bias of the additional learning data is suppressed by the adjustment process 137. The initial value is "N" indicating that the data is not additional learning data, and is updated to "Y" when added as additional learning data. The additional learning data will be described later.

<Behavior classification table 600>
FIG. 6 is an explanatory diagram showing an example of the behavior classification table 600. The behavior classification table 600 is a table that stores the behavior of the attacker, and is stored in, for example, the storage device 302 of the analyzer 103. The action classification table 600 may be stored in the log collecting device 102.

The action classification table 600 has communication partner classification information 503 and action classification 601 as fields. The combination of the values of each field in a row is the entry that constitutes the behavior classification data.

The behavior classification 601 has a label as a subfield. Therefore, for each label of the communication partner specified in the communication partner classification information 503, the appearance frequency and normal / abnormal of the label are specified. The frequency of appearance of the label is defined by the number of accesses n from the communication partner corresponding to the label from the attacker specified in the communication partner classification information 503. In this embodiment, the frequency of appearance is defined in four stages of "H" (more), "M" (normal), "L" (less), and blank.

The blank indicates that the number of accesses n of the communication partner is 0 (n = 0) even once. “L” indicates that the number of times n of access by the communication partner in the action of the label is one or more na-1 times (1 ≦ n <na-1). “M” indicates that the number of accesses n by the communication partner in the action of the label is na times or more and nb-1 times (na ≦ n <nb-1). “H” indicates that the number of accesses n by the communication partner in the action of the label is nb times or more (nb ≦ n). na and nb are preset values.

When it is detected from the communication partner classification information 503 that there is a behavior such as a cyber attack corresponding to a certain label in the behavior classification 601 the access count n corresponding to the label is added once. When the number of accesses n after addition is na, the frequency of appearance of the label is updated from "L" to "M", and when the number of times n after addition is changed from n to nb, "M" is updated to "H". In addition, security analyst 141 determines whether the label is normal or abnormal. Specifically, for example, the feedback information from the analyst terminal 140 includes information indicating whether the label is normal or abnormal, and is updated by the feedback process 136 shown in FIG.

<Action sequence table 700>
FIG. 7 is an explanatory diagram showing an example of the action sequence table 700. The action sequence table 700 is a table that stores the abnormal behavior of the communication partner, and is stored in, for example, the storage device 302 of the analyzer 103. The action sequence table 700 may be stored in the log collection device 102.

The action sequence table 700 has an action sequence 701, a frequency 702, and a part of a long-term attack 703 as fields. The combination of the values of each field in a row is the entry that constitutes the action sequence data. The action sequence table 700 may have at least one of the frequency 702 and the part 703 of the long-term attack.

The action sequence 701 is a time series of one or more labels. If two or more of the same label are consecutive, the label is reduced to one. For example, when the time series of the label is "A-> B-> B-> B-> C", the action sequence 701 becomes "A-> B-> C" because "B" appears three times in a row. ..

The frequency 702 is the appearance frequency of the behavior sequence 701 defined by four stages of "H" (more), "M" (normal), "L" (less), and blank, as in the case shown in the behavior classification 601. be.

The part 703 of the long-term attack is included information indicating whether or not the action sequence 701 is a part of the long-term attack. The initial value of the part 703 of the long-term attack is "N" indicating that it is not the part 703 of the long-term attack, and if it is included in the part 703 of the long-term attack, it is updated to "Y". The long-term attack is an action sequence that has appeared in the past, and has one or more labels than the action sequence 701.

For example, if "A-> B-> C-> D" is defined as a long-term attack as a past action sequence, "A", "B", "C", "D", "A-> B", "B" Each action sequence 701 of "-> C", "C-> D", "A-> B-> C", and "B-> C-> D" corresponds to a part 703 of a long-term attack. Therefore, some 703 of these long-term attacks in the action sequence 701 are updated to "Y". Further, the number of labels of the part 703 of the long-term attack may be two or more. For example, when the number of labels of a part 703 of a long-term attack is 3 or more, in the above example, each action sequence 701 of "A-> B-> C" and "B-> C-> D" is one of the long-term attacks. Corresponds to part 703.

The security analyst 141 determines which action sequence 701 is part of the long-term attack 703. Specifically, for example, the feedback information from the analyst terminal 140 includes information indicating which action sequence 701 is part of the long-term attack 703. In this case, if there is an action sequence 701 corresponding to the part 703 of the long-term attack by the feedback process 136 shown in FIG. 1, the part 703 of the long-term attack is updated to "Y".

<Ratio table 800>
FIG. 8 is an explanatory diagram showing an example of the ratio table 800. The ratio table 800 is a table that stores the ratio of the number of alerts for each label, and is stored in, for example, the storage device 302 of the analyzer 103. The ratio table 800 may be stored in the log collecting device 102.

The ratio table 800 has an action classification (label) 504 and an alert number ratio 801 as fields. The ratio of the number of alerts 801 indicates the ratio of the number of alerts (that is, the number of labels) added as additional learning data. The alert added as additional learning data is an alert labeled with a sampling 507 of "Y". In FIG. 8, the labels whose sampling 507 is “Y” are “A”, “B”, and “C”. As the ratio 801 of the number of alerts for each label approaches evenly, it is possible to suppress a learning bias in the additional learning in the machine learning process 131, that is, a decrease in classification accuracy.

<Example of functional configuration of analyzer 103>
FIG. 9 is a block diagram showing a functional configuration example of the analyzer 103. The analyzer 103 includes a feature amount table 400, a label table 500, an action classification table 600, an action sequence table 700, a ratio table 800, a learning unit 901, a prediction unit 902, and a first determination unit 903. It has a second determination unit 904, a communication unit 905, a sampling candidate list 911, and an additional learning alert list 912.

Specifically, the learning unit 901, the prediction unit 902, the first determination unit 903, the second determination unit 904, and the communication unit 905 transfer the program stored in the storage device 302 shown in FIG. 3 to the processor 301. It is realized by executing it. Further, the sampling candidate list 911 and the alert list 912 for additional learning are specifically realized by, for example, the storage device 302 shown in FIG.

The learning unit 901 executes the machine learning process shown in FIG. The prediction unit 902 executes the alert classification process 132 shown in FIG. The first determination unit 903 executes the communication partner-specific abnormal behavior determination process 134 shown in FIG. The second determination unit 904 executes the behavior-specific abnormal behavior determination processing 135 and the feedback processing 136 shown in FIG. The communication unit 905 transmits / receives data to / from the analyst terminal 140 by the communication IF 305.

<Operation sequence of analyzer 103>
FIG. 10 is a sequence diagram showing the operation of the analyzer 103. The learning unit 901 acquires the log stored in the feature amount table 400 from the log collecting device 102 (step S1001). The learning unit 901 inputs the acquired log as an unsupervised alert feature data group, and executes machine learning (step S1002). As a result, the unsupervised alert feature data group is classified into a plurality of clusters. Each cluster is labeled with a classification by security analyst 141. As a result, the classifier 900 is generated.

The learning unit 901 may relearn using the supervised alert feature data group to which the unsupervised alert feature data group is labeled, and update the classifier 900. The classifier 900 may be created by the security analyst 141.

Next, the prediction unit 902 acquires the prediction target alert generated in the monitoring target system 110 from the alert management device 101, and predicts the log before the prediction target alert generated stored in the feature amount table 400 from the log collection device 102. Acquired as alert feature data (step S1003). The prediction unit 902 acquires the classifier 900 (step S1004).

The prediction unit 902 executes the behavior classification prediction by giving each of the prediction target alert feature data groups to the classifier 900 (step S1005), and classifies the classification result (the label on which the prediction target alert feature data is classified and its accuracy). The combination) is output to the first determination unit 903 (step S1006). The details of the behavior classification prediction (step S1005) will be described later in FIG. Note that the security analyst 141 may create a classification result by referring to the prediction target alert feature data on the analyst terminal 140 without executing the behavior classification prediction (step S1005).

Next, the first determination unit 903 executes the abnormal behavior determination for each communication partner using the classification result (step S1007), and outputs the first appearance or low frequency classification result to the second determination unit 904 (step S1008). ). The details of the abnormal behavior determination for each communication partner (step S1007) will be described later with reference to FIG.

Next, the second determination unit 904 executes an abnormal behavior determination by behavior using the first appearance or low frequency classification result (step S1009), and alerts to be sampled from the prediction target alert group (hereinafter, selection). Alert) is decided. The selection alert is, for example, a combination of an alert identifier 401 that identifies the selection alert and a classification result of the selection alert. The selection alert may include the behavior classification (old label) 506 of the selection alert. The second determination unit 904 transmits the selection alert to the analyst terminal 140 via the communication unit 905 (step S1010). The details of the behavior-specific abnormal behavior determination (step S1010) will be described later with reference to FIG.

The analyst terminal 140 receives a selection alert from the communication unit 905 and displays it on the display. An output screen display example will be described later with reference to FIG. The security analyst 141 inputs information such as a label of a selection alert and an action attribute (normal / abnormal) from the output screen. As a result, the analyst terminal 140 generates feedback information and transmits it to the analyzer 103 (step S1011).

Upon receiving the feedback information, the analyzer 103 executes the feedback process (step S1012). Specifically, for example, the second determination unit 904 updates the label table 500 according to the feedback information (step S1021). Further, the first determination unit 903 also updates the action classification table 600 according to the feedback information (step S1022).

Further, the learning unit 901 executes the additional learning process (step S1013). Specifically, for example, the learning unit 901 selects additional learning data (step S1031) and executes ratio adjustment (step S1032). As a result, the bias of the additional learning data is suppressed. After adjusting the ratio, the learning unit 901 relearns and updates the classifier 900 based on the additional learning data (step S1033). As a result, when a new log is acquired after that (step S1003), the prediction unit 902 can execute the action classification of the input alert group with the latest classifier 900.

<Example of output screen display of analyst terminal 140>
FIG. 11 is an explanatory diagram showing an output screen display example of the analyst terminal 140. The output screen 1100 displays the analysis alert list 1101. The analysis alert list includes an alert identifier 401, an occurrence date and time 1102, a sampling result 1103, and an analysis priority 1104. An entry for each list number in the analysis alert list 1101 defines a selection alert.

The occurrence date and time 1102 is the date and time when the selection alert specified by the alert identifier 401 occurs in the alert management device 101. The sampling result 1103 is a character string indicating how the selection alert specified by the alert identifier 401 was sampled as the selection alert. The sampling result 1103 includes, for example, the behavior classification (label) 504 of the selection alert, the behavior classification (old label) 506, and the appearance probability of the label with the highest appearance frequency specified by the behavior classification (old label) 506. It is created by the first determination unit 903. For example, in the case of the sampling result 1103 of the selection alert whose list number is "1", the behavior classification (label) 504 includes "A" and the behavior classification (old label) 506 includes the label "B" having the highest frequency of appearance. The appearance probability of "B" is "0.7".

The analysis priority 1104 is a character string indicating the priority when the security analyst 141 analyzes the selection alert specified by the alert identifier 401. The analysis priority 1104 uses, for example, the behavior classification 601 of the selection alert, the percentage of attackers for the alert corresponding to the behavior classification 601 and the partial long-term attack 703 for the corresponding behavior sequence 701. , Created by the second determination unit 904.

For example, in the case of the analysis priority 1103 of the selection alert whose list number is "1", the action classification 601 is "A" ("normal / abnormal" has not yet been assigned by the security analyst 141). Further, the percentage of attackers for the alert corresponding to the behavior classification 601 is the total number of entries of the communication partner classification information 503, and the frequency of "A" in the behavior classification 601 is "H", "M", "L". It is the value obtained by dividing the number of entries corresponding to any of them. Also, part of the long-term attack 703 for the corresponding action sequence 701 is "Y".

The security analyst 141 refers to the analysis alert list 1101 and selects by operating the input device 303 in a tab (not shown) different from the tab (labeling request alert) for displaying the analysis alert list 1101. Label the alert, label the selected alert either normal or abnormal, or flag it as part of a long-term attack 703 (Y or N). The added information becomes feedback information. Then, the analyst terminal 140 transmits the feedback information to the analyzer 103 (step S1011).

<Behavior classification prediction (step S1005)>
FIG. 12 is a flowchart showing a detailed processing procedure example of the behavior classification prediction (step S1005) shown in FIG. The behavior classification prediction (step S1005) is executed for each prediction target alert feature data which is an entry in the feature amount table 400, for example. The prediction unit 902 acquires the prediction target alert feature data which is an entry of the feature amount table 400 (step S1201). The prediction unit 902 acquires the classifier 900 from the learning unit 901 (step S1202). The prediction unit 902 inputs the prediction target alert feature data to the classifier 900 (step S1203).

The prediction unit 902 inputs the prediction target alert feature data into the classifier 900 and classifies the behavior of the communication partner (step S1204). The prediction unit 902 acquires the label and the accuracy as the classification result from the classifier 900 (step S1205). The prediction unit 902 stores the label and the accuracy 505 in the action classification (label) 504 and the accuracy 505 of the label table 500, respectively (step S1206). The label stored in the action classification (label) 504 before the storage is stored at the end of the action classification (old label) 506. As a result, the behavior classification prediction (step S1005) for the prediction target alert feature data is completed.

<Abnormal behavior determination by communication partner (step S1007)>
FIG. 13 is a flowchart showing a detailed processing procedure example of the abnormal behavior determination (step S1007) for each communication partner shown in FIG. The communication partner-specific abnormal behavior determination (step S1007) is executed for each label data of the label table 500 to which the classification result is newly added in the behavior classification prediction (step S1005), for example.

The first determination unit 903 acquires label data from the label table 500 (step S1301). The first determination unit 903 identifies the action classification 601 corresponding to the alert acquired in step S1301 from the action classification table 600 (step S1302). The first determination unit 903 determines whether or not there is a value of the behavior classification 601 (step S1303).

For example, when the communication partner classification information 503 belonging to the acquired label data is "www.aaaaa.bb" and the action classification (label) 504 is "A", the communication partner classification information 503 in the action classification table 600 is "www. In the entry of "aaaa.bb", there is a value "L / abnormality" when the behavior classification 601 is "A". On the other hand, when the communication partner classification information 503 belonging to the acquired alert is "123.45.6.7" and the action classification (label) 504 is "A", the communication partner classification information 503 in the action classification table 600 is "123". In the entry of ".45.6.7", there is no value when the action classification 601 is "A" (blank).

When there is no value of the specified action classification 601 (step S1303: No), the first determination unit 903 adds the label data (which may be a pointer to the label data) acquired in step S1301 to the sampling candidate list 911 (may be a pointer to the label data). Step S1304). Further, in this case, the first determination unit 903 newly registers the communication partner classification information 503 and the action classification (label) 504 in the action classification table 600. As a result, the abnormal behavior determination for each communication partner (step S1007) for the label data acquired in step S1301 is completed.

Further, when there is a value of the specified action classification 601 (step S1303: Yes), the first determination unit 903 determines whether or not the action attribute in the entry is "abnormal" (step S1305). At this time, the number of accesses n is also added once, and the appearance frequency may be updated. If it is abnormal (step S1305: Yes), the first determination unit 903 transmits the label data acquired in step S1301 to the analyst terminal 140 via the communication unit 905 (step S1306). Instead of the label data, the label data and the alert feature data having the same alert identifier 401 and aggregation date and time 402 may be transmitted. As a result, the abnormal behavior determination for each communication partner (step S1007) for the acquired label data is completed.

On the other hand, if it is not abnormal (step S1305: No), the first determination unit 903 determines whether or not the frequency included in the value of the specified behavior classification 601 is “L” (step S1307). When the frequency is "L" (step S1304: Yes), the first determination unit 903 adds the label data (which may be a pointer to the label data) acquired in step S1301 to the sampling candidate list 911 (step S1304). ). As a result, the abnormal behavior determination for each communication partner (step S1007) for the acquired label data is completed. On the other hand, when the frequency is not "L" (step S1307: No), the frequency is "M" or "H" higher than "L". Therefore, the abnormal behavior determination for each communication partner (step S1007) for the acquired label data ends.

<Abnormal behavior determination by behavior (step S1009)>
FIG. 14 is a flowchart showing a detailed processing procedure example of the behavior-specific abnormal behavior determination (step S1009) shown in FIG. The behavior-specific abnormal behavior determination (step S1009) is executed for each label data registered in the sampling candidate list 911 in the communication partner-specific abnormal behavior determination (step S1007), for example.

The second determination unit 904 acquires label data from the sampling candidate list 911 (step S1401). The second determination unit 904 generates an action sequence 701 from the action classification (label) 504 and the action classification (old label) 506 included in the label data acquired in step S1401 (step S1402).

The second determination unit 904 identifies the entry of the action sequence 701 generated in step S1402 with reference to the action sequence table 700 (step S1403). If the entry is not specified (step S1404: No), that is, if the entry does not exist, the second determination unit 904 creates a new entry in the action sequence table 700, and samples the label data acquired in step S1401 as sampling candidates. It is deleted from the list 911 (step S1405). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data is completed.

On the other hand, when the entry of the action sequence 701 generated in step S1402 is specified (step S1404: Yes), the second determination unit 904 determines that a part of the long-term attack 703 of the entry of the specified action sequence 701 is “Y”. (Step S1406). When it is "Y" (step S1406: Yes), the second determination unit 904 updates the sampling 507 of the label data acquired in step S1401 to "Y" (step S1407). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data is completed.

On the other hand, when a part 703 of the long-term attack of the entry of the specified action sequence 701 is not "Y" (step S1406: No), the second determination unit 904 determines the frequency in the entry of the specified action sequence 701. It is determined whether or not it is "L" (step S1408). When the frequency is "L" (step S1408: Yes), the process proceeds to step S1407. That is, even if the specified action sequence 701 is not a part of the long-term attack 703, if the frequency is "L", the action classification (label) 504 in the specified action sequence 701 is a sampling target.

On the other hand, when the frequency is not "L" (step S1408: No), the second determination unit 904 deletes the label data acquired in step S1401 from the sampling candidates (step S1409). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data is completed. After that, when the communication partner-specific abnormal behavior determination (step S1007) for all the label data registered in the sampling candidate list 911 is completed, the communication unit 905 analyzes the label data group in the sampling candidate list 911 as a selection alert group. Send to the list terminal 140. As a result, as shown in FIG. 11, the analyst terminal 140 analyzes each alert in the sampling candidate list 911 and displays the analysis alert list 1101.

<Feedback processing (step S1012)>
FIG. 15 is a flowchart showing a detailed processing procedure example of the feedback processing (step S1012) shown in FIG. The feedback process (step S1012) is executed for each selection alert included in the feedback information. The analyzer 103 acquires feedback information from the analyst terminal 140 (step S1501). The analyzer 103 determines whether or not there is a label update for the selection alert in the feedback information (step S1502). If there is no label update (step S1502: No), the feedback process ends for the selection alert.

On the other hand, when there is a label update (step S1502: Yes), the analyzer 103 includes the behavior classification (label) 504 of the label data of the label table 500, which is a selection alert, in the feedback information by the second determination unit 904. The label is updated to the changed label of the same selection alert, and the label recorded in the behavior classification (label) 504 is stored at the end of the behavior classification (old label) 506 (step S1503).

Then, the analyzer 103 updates the behavior classification table 600 by the first determination unit 903 (step S1504). Specifically, for example, the analyzer 103 creates a new entry in the behavior classification table 600 when the communication partner classification information 503 of the selection alert is not in the behavior classification table 600.

When the communication partner classification information 503 of the selection alert is in the action classification table 600, the analyzer 103 updates the frequency of the value of the action classification 601. Further, when the behavior attribute (normal / abnormal) registered in the value of the behavior classification 601 is different from the behavior attribute (normal / abnormal) of the selection alert included in the feedback information, the analyzer 103 uses the behavior classification 601. Update the behavior attribute of the value of to the behavior attribute (normal / abnormal) of the selection alert included in the feedback information.

The analyzer 103 refers to the action sequence table 700 to determine whether the action sequence 701 obtained from the updated selection alert in step S1503 is part of the long-term attack 703 (step S1505). If it is not part of the long-term attack 703 (step S1505: No), the feedback process ends for the selection alert.

On the other hand, when it is a part 703 of the long-term attack (step S1505: Yes), the analyzer 103 updates the part 703 of the long-term attack of the action sequence 701 of the action sequence table 700 to "Y". Then, the feedback process ends for the selection alert.

<Additional learning process (step S1012)>
FIG. 16 is a flowchart showing a detailed processing procedure example of the additional learning process (step S1013) shown in FIG. The additional learning process (step S1012) is executed at regular intervals. The fixed period may be a period from the date and time retroactive to the forecast target alert occurrence date and time to the forecast target alert occurrence date and time, or may be a period from the preset scheduled date and time to the predetermined period retroactive date and time to the scheduled date and time. ..

In FIG. 16, as an example, labels A to E are registered in the label table 500, and the number of label data for a certain period is 1000. Further, out of the 1000 label data, 30 selection alerts have a sampling 507 of "Y" and an additional learning 508 of "N". The breakdown of these 30 is that the value "A" of the behavior classification (label) 504 is 15, "B" is 10, "C" is 5, and "D" and "E" are 0, respectively.

The learning unit 901 acquires label data (1000 in this example) for a certain period from the label table 500 (step S1601). The learning unit 901 acquires selection alerts (30 in this example) whose sampling 507 is "Y" from the label data for a certain period, updates the additional learning 508 to "Y", and alerts for additional learning. Add to list 912 (step S1602).

The learning unit 901 aggregates the selection alerts in the additional learning alert list 912 by action classification (label) 504 and calculates the ratio (step S1603). The ratio is the ratio occupied by the selection alert for each action classification (label) 504 of the selection alert. For example, there are 30 selection alerts. Of these, 15 selection alerts have an action classification (label) 504 of "A". Therefore, the ratio of the label A is 15/30 = 1/2. Similarly, the ratio of the behavior classification (label) 504 to "B" is 10/30 = 1/3, and the ratio of the behavior classification (label) 504 to "C" is 5/30 = 1/6. The ratio of the action classification (label) 504 to "D" and "E" is 0 because the selection alert is 0.

In the learning unit 901, whether or not all the action classifications (labels) 504 included in the alert for a certain period satisfy the following equation (1), that is, the absolute value of the value subtracted from the target ratio in step S1603 is equal to or less than the threshold value. It is determined whether or not it is (step S1604).

| Target ratio-Ratio | ≤ Threshold ... (1)

Here, the target ratio is the reciprocal of the number of types of the action classification (label) 504 of the selection alert. In this example, since the number of types of the action classification (label) 504 of the selection alert is 5 from A to E, the target ratio is 1/5. Further, the threshold value is set to 0.15. If there is an action classification (label) 504 that does not satisfy even one of the equations (1) (step S1604: No), the process proceeds to step S1605. When all the labels satisfy the equation (1) (step S1604: Yes), the process proceeds to step S1608.

In the case of label A, the ratio is 1/2, so the left side of the equation (1) is 0.30, which does not satisfy the equation (1). In the case of label B, the ratio is 1/3, so the left side of the equation (1) is 0.13, which satisfies the equation (1). In the case of label C, the ratio is 1/6, so the left side of the equation (1) is 0.03, which satisfies the equation (1).

In the case of labels D and E, the ratio is 0, so the left side of the equation (1) is 0.20, which does not satisfy the equation (1). In this example, the process proceeds to step S1605.

In step S1605, the learning unit 901 selects one label that exceeds the threshold value in step S1604 (step S1605). For example, it is assumed that A is selected from labels A, D, and E that exceed the threshold value. The selected label is referred to as the "selection label".

The learning unit 901 selects one selection alert in which the action classification (label) 504 is the selection label and the sampling 507 is "N" from the label data for a certain period acquired in step S1601 (step S1606). That is, one of 1000 label data for a certain period is selected from 970 label data excluding 30 selection alerts in which sampling 507 is "Y". The learning unit 901 adds the selection alert (which may be a pointer to the selection alert) in step S1606 to the additional learning alert list 912 (step S1607). Then, the process returns to step S1603, the ratio is recalculated, and it is determined whether or not all the labels included in the label data for a certain period satisfy the equation (1).

When all the action classifications (labels) 504 included in the label data for a certain period satisfy the equation (1), the ratio of the labels A to E is evenly compared with the initial start of the additional learning process (step S1013). It is approaching. At this point, the selection alert existing in the additional learning alert list 912 becomes the source of the additional learning data. Then, the learning unit 901 updates the additional learning 508 of the selection alert in the additional learning alert list 912 to "Y" (step S1608).

Then, the learning unit 901 acquires the alert identifier 401, the aggregation date / time 402, and the action classification (label) 504 from the selection alert in the additional learning alert list 912, and the alert that matches the acquired alert identifier 401 and the aggregation date / time 402. The feature data is acquired from the feature amount table 400, and additional learning data is generated. Then, the learning unit 901 gives the additional learning data to the classifier 900 and relearns (step S1609). As a result, the classifier 900 is updated to suppress overfitting and to suppress deterioration of classification accuracy.

(1) As described above, the analyzer 103 according to the present embodiment can access the label table 500, the action classification table 600, and the action sequence table 700. The label table 500 is information that stores the action classification (old label) 506 executed by the communication partner classification information 503 with the monitoring target system 110 for the monitoring target system 110. The action classification table 600 is information in which the communication partner classification information 503 and the action classification 601 of the classified communication partner classification information 503 are associated with each other. The action sequence table 700 is a long-term attack indicating whether or not the action sequence 701, which is a time-series action of the communication partner classification information 503, and the action sequence 701 are part of another action sequence longer than the action sequence 701. This is information associated with a part of 703.

The processor 301 acquires the classification result of the action of the communication partner classification information 503 with the monitored system 110 within the first predetermined period before the occurrence of each alert of the alert group generated in the monitored system 110 (step S1003). ..

The processor 301 determines whether or not the specific communication partner classification information 503 with the monitored system 110 within the first predetermined period before the occurrence of the specific alert in the alert group exists in the behavior classification table 600 (. Step S1007).

When the processor 301 determines that the specific communication partner classification information 503 does not exist in the action classification table 600, the processor 301 sets the behavior classification result of the specific communication partner classification information 503 and the specific communication partner stored in the label table 500. Based on the action classification (old label) 506 of the classification information 503, a specific action sequence 701 which is a time-series action of the specific communication partner classification information 503 is generated, and a specific action sequence table 700 is used to generate a specific action sequence. It is determined whether or not the action sequence 701 is a part 703 of the long-term attack (step S1009).

When it is determined that the specific action sequence 701 is a part of the long-term attack 703, the processor 301 selects the action classification result of the specific communication partner classification information 503 (steps S1405, S1407, S1409).

The processor 301 outputs the classification result of the action of the selected specific communication partner classification information 503 (step S1010).

The classification result of the action of the selected specific communication partner classification information 503 is the first action for the communication partner, and is a part of the long-term attack in the past in the past action of the communication partner group including the communication partner. Therefore, it belongs to an alert that is highly related to the change in technique. Therefore, the analyzer 103 can automatically narrow down the alerts with high relevance of the technique change from the alert group. As described above, since it is not necessary for the security analyst 141 to determine which alert is highly relevant to the method change, the burden on the security analyst 141 can be reduced.

(2) Further, in the analyzer 103 according to the present embodiment, when the processor 301 determines that the specific communication partner classification information 503 does not exist in the action classification table 600, the processor 301 performs the action of the specific communication partner classification information 503. Based on the classification result and the action classification (old label) 506 of the specific communication partner classification information 503 stored in the label table 500, a specific action sequence which is a time-series action of the specific communication partner classification information 503. 701 is generated, and the action sequence table 700 is used to determine whether or not the frequency 702 of the specific action sequence 701 is less than or equal to the predetermined frequency (step S1408).

When it is determined that the frequency 702 of the specific action sequence 701 is less than or equal to the predetermined frequency, the processor 301 selects the action classification result of the specific communication partner classification information 503 (steps S1407 and S1409).

The processor 301 outputs the classification result of the action of the selected specific communication partner classification information 503 (step S1010).

Because the classification result of the action of the selected specific communication partner classification information 503 is the first action for the communication partner and the low frequency action sequence in the past actions of the communication partner group including the communication partner. , Belongs to alerts with high relevance of tactical changes. Therefore, the analyzer 103 can automatically narrow down the alerts with high relevance of the technique change from the alert group. As described above, since it is not necessary for the security analyst 141 to determine which alert is highly relevant to the method change, the burden on the security analyst 141 can be reduced.

(3) Further, in the analysis device 103 of the above (1), the action classification table 600 has an action attribute indicating whether the action is a normal action or an abnormal action in the action of the communication partner classification information 503. , Is the information associated with the appearance frequency of the action of the communication partner classification information 503.

When the processor 301 determines that the action attribute of the specific communication partner classification information 503 is normal and the appearance frequency of the action of the specific communication partner classification information 503 is less than or equal to a predetermined frequency, the processor 301 determines the specific action sequence 701. Determines if is part of a long-term attack 703.

(4) Further, in the analysis device 103 of the above (1), the action sequence table 700 is information in which the action sequence 701 is associated with the frequency 702 of the action sequence 701 and a part of the long-term attack 703. ..

When it is determined that the specific action sequence 701 is not a part of the long-term attack 703, the processor 301 determines whether or not the frequency 702 of the specific action sequence 701 is less than or equal to the predetermined frequency (step S1408).

When it is determined that the frequency 702 of the specific action sequence 701 is equal to or lower than the predetermined frequency, the processor 301 selects the action classification result of the specific communication partner classification information 503.

The classification result of the action of the selected specific communication partner classification information 503 is a low frequency action for the communication partner, and is a part of a long-term attack in the past in the past action of the communication partner group including the communication partner. Therefore, it belongs to an alert that is highly relevant to the change in technique. Therefore, the analyzer 103 can automatically narrow down the alerts with high relevance of the technique change from the alert group. As described above, since it is not necessary for the security analyst 141 to determine which alert is highly relevant to the method change, the burden on the security analyst 141 can be reduced.

(5) Further, in the analyzer 103 of the above (1), when it is determined that the specific communication partner classification information 503 does not exist in the behavior classification table 600, the processor 301 identifies the specific communication partner classification information 503 as the specific communication partner classification information 503. The behavior classification result of the communication partner classification information 503 of the above is associated with and registered in the behavior classification table 600.

As a result, the behavior classification table 600 can be automatically updated, and the burden on the administrator of the analyzer 103 (may be security analyst 141) can be reduced.

(6) Further, in the analyzer 103 of the above (1), when the specific action sequence 701 does not exist in the action sequence table 700, the processor 301 registers the specific action sequence 701 in the action sequence table 700.

As a result, the action sequence table 700 can be automatically updated, and the burden on the administrator of the analyzer 103 (may be security analyst 141) can be reduced.

(7) Further, in the analyzer 103 of the above (1), the processor 301 can access the feature amount table 400 that stores the feature amount indicating the behavior of the monitored system 110.

The processor 301 is based on the combination of the feature amount in the second predetermined period before the first predetermined period and the classification result of the behavior of the communication partner classification information 503 within the second predetermined period, and the communication partner classification information 503. Generate a classifier 900 that predicts the behavior classification result (step S1002).

The processor 301 acquires a feature amount indicating the behavior of the monitored system 110 within the first predetermined period from the feature amount table 400, and gives the acquired feature amount to the classifier 900, whereby the action of the communication partner classification information 503 is performed. Get the classification result of.

(8) Further, in the analyzer 103 of the above (7), the processor 301 corresponds to the classification result of the action of the selected specific communication partner classification information 503 and the classification result, and is within the first predetermined period. The classifier 900 is relearned based on the feature amount showing the behavior of the monitored system 110 in the above (step S1013).

As a result, the classification accuracy of the classifier 900 can be improved.

(9) Further, in the analyzer 103 of the above (8), the processor 301 aggregates the classification results of the actions of the specific communication partner classification information 503 as additional target classification results for each classification result, and relatives to the total number of additional target classification results. A ratio indicating a number for each classification result is calculated (step S1603).

The processor 301 determines whether or not the difference between each ratio and the predetermined target ratio is within the allowable range (step S1604).

When the difference between each ratio and the predetermined target ratio is within the permissible range (step S1604: Yes), the processor 301 corresponds to the additional target classification result and the additional target classification result, and is within the first predetermined period. The classification result is relearned based on the feature amount showing the behavior of the monitored system 110 in the above (step S1609).

When the difference between any ratio and the predetermined target ratio is within the permissible range (step S1604: No), the processor 301 adds the classification result of the action of the specific communication partner classification information 503 that was not selected. Each ratio is recalculated in addition to the classification result (steps S1605 to S1607, S1603).

As a result, the circumference coefficient for each classification result is adjusted so that the additional target classification result is not concentrated on a specific classification result. Therefore, the analyzer 103 can respond to a cyber attack whose method changes over time while minimizing the number of inquiries to the security analyst 141 when re-learning the classifier 900 based on the additional target classification result.

It should be noted that the present invention is not limited to the above-mentioned examples, but includes various modifications and equivalent configurations within the scope of the attached claims. For example, the above-described examples have been described in detail in order to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to those having all the described configurations. Further, a part of the configuration of one embodiment may be replaced with the configuration of another embodiment. Further, the configuration of another embodiment may be added to the configuration of one embodiment. In addition, other configurations may be added, deleted, or replaced with respect to a part of the configurations of each embodiment.

Further, each configuration, function, processing unit, processing means, etc. described above may be realized by hardware by designing a part or all of them by, for example, an integrated circuit, and the processor 301 performs each function. It may be realized by software by interpreting and executing the program to be realized.

Information such as programs, tables, and files that realize each function is recorded in a storage device such as a memory, a hard disk, an SSD (Solid State Drive), or an IC (Integrated Circuit) card, an SD card, or a DVD (Digital Versail Disc). It can be stored in a medium.

In addition, the control lines and information lines show what is considered necessary for explanation, and do not necessarily show all the control lines and information lines necessary for mounting. In practice, it can be considered that almost all configurations are interconnected.

101 Alert management device 102 Log collection device 103 Analytical device 110 Monitoring target system 120 Communication terminal 131 Machine learning processing 132 Alert classification processing 133 Sampling processing 134 Communication partner-specific abnormal behavior judgment processing 135 Behavior-specific abnormal behavior judgment processing 136 Feedback processing 137 Adjustment processing 140 Analyst terminal 141 Security analyst 201 External threat information database 300 Computer 301 Processor 302 Storage device 400 Feature table 401 Alert identifier 500 Label table 503 Communication partner classification information 600 Action classification table 700 Action sequence table 701 Action sequence 702 Frequency 703 Long-term Part of the attack 800 Ratio table 900 Classifier 901 Learning unit 902 Prediction unit 903 First judgment unit 904 Second judgment unit 911 Sampling candidate list 912 Alert list for additional learning

Claims (10)

An analyzer having a processor for executing a program and a storage device for storing the program.
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores the past action history executed by the communication partner with the monitoring target for the monitoring target. The action classification information is information in which the communication partner and the classified action group of the communication partner are associated with each other, and the action sequence information is a time-series action of the communication partner. Information in which an action sequence is associated with inclusive information indicating whether or not the action sequence is a part of another action sequence longer than the action sequence.
The processor
Acquisition processing for acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target, and
The first determination process for determining whether or not a specific communication partner with the monitoring target exists in the behavior classification information within the first predetermined period before the occurrence of the specific alert in the alert group.
When it is determined by the first determination process that the specific communication partner does not exist in the action classification information, the action classification result of the specific communication partner and the specific communication partner stored in the action history information are stored. A specific action sequence, which is a time-series action of the specific communication partner, is generated based on the past action history of the above, and the specific action sequence is the other action sequence using the action sequence information. The second judgment process to determine whether or not it is a part of
When the specific action sequence is determined to be a part of the other action sequence by the second determination process, the selection process for selecting the classification result of the action of the specific communication partner, and the selection process.
Output processing that outputs the classification result of the behavior of the specific communication partner selected by the selection processing, and
An analyzer characterized by performing. An analyzer having a processor for executing a program and a storage device for storing the program.
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores the past action history executed by the communication partner with the monitoring target for the monitoring target. The action classification information is information in which the communication partner and the classified action group of the communication partner are associated with each other, and the action sequence information is a time-series action of the communication partner. Information that associates an action sequence with the frequency of appearance of the action sequence.
The processor
Acquisition processing for acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target, and
The first determination process for determining whether or not a specific communication partner with the monitoring target exists in the behavior classification information within the first predetermined period before the occurrence of the specific alert in the alert group.
When it is determined by the first determination process that the specific communication partner does not exist in the action classification information, the action classification result of the specific communication partner and the specific communication partner stored in the action history information are stored. Based on the past action history of the above, a specific action sequence which is a time-series action of the specific communication partner is generated, and the appearance frequency of the specific action sequence is a predetermined frequency using the action sequence information. The second determination process to determine whether or not it is as follows,
When it is determined by the second determination process that the appearance frequency of the specific action sequence is less than or equal to the predetermined frequency, the selection process for selecting the classification result of the action of the specific communication partner, and the selection process.
Output processing that outputs the classification result of the behavior of the specific communication partner selected by the selection processing, and
An analyzer characterized by performing. The analyzer according to claim 1.
The behavior classification information is information in which an action attribute indicating whether the behavior is a normal behavior or an abnormal behavior and an appearance frequency of the behavior of the communication partner are associated with the behavior of the communication partner. And
In the second determination process, the processor determines that the behavior attribute of the specific communication partner is normal and the appearance frequency of the behavior of the specific communication partner is a predetermined frequency or less by the first determination process. If so, it is determined whether the particular action sequence is part of the other action sequence.
An analyzer characterized by that. The analyzer according to claim 1.
The action sequence information is information in which the appearance frequency of the action sequence and the included information are associated with the action sequence.
In the second determination process, when the processor determines that the specific action sequence is not a part of the other action sequence, the processor determines whether or not the appearance frequency of the specific action sequence is less than or equal to the predetermined frequency. Judgment,
In the selection process, when the second determination process determines that the appearance frequency of the specific action sequence is less than or equal to the predetermined frequency, the processor selects the classification result of the action of the specific communication partner.
An analyzer characterized by that. The analyzer according to claim 1.
In the first determination process, when it is determined that the specific communication partner does not exist in the behavior classification information, the processor determines the specific communication partner and the behavior classification result of the specific communication partner. Register in the behavior classification information in association with each other,
An analyzer characterized by that. The analyzer according to claim 1.
In the second determination process, when the specific action sequence does not exist in the action sequence information, the processor registers the specific action sequence in the action sequence information.
An analyzer characterized by that. The analyzer according to claim 1.
The processor can access the feature amount information that stores the feature amount indicating the behavior of the monitored object.
The processor
Based on the combination of the feature amount within the second predetermined period before the first predetermined period and the classification result of the behavior of the communication partner within the second predetermined period, the classification result of the behavior of the communication partner is obtained. Perform a learning process to generate a predictive classifier,
In the acquisition process, the processor acquires a feature amount indicating the behavior of the monitored object from the feature amount information within the first predetermined period, and transfers the acquired feature amount to the classifier generated by the learning process. By giving, the classification result of the behavior of the communication partner is acquired.
An analyzer characterized by that. The analyzer according to claim 7.
In the learning process, the processor responds to the classification result of the behavior of the specific communication partner selected by the selection process and the behavior of the monitoring target within the first predetermined period. Relearn the classifier based on the features shown.
An analyzer characterized by that. The analyzer according to claim 8.
In the learning process, the processor
A calculation process in which the classification results of the behaviors of the specific communication partner are aggregated as additional target classification results for each classification result, and the ratio indicating the number of each additional target classification result to the total number of the additional target classification results is calculated.
Judgment processing for determining whether or not the difference between each ratio and a predetermined target ratio is within the permissible range, and
When the difference between each ratio and the predetermined target ratio is within the permissible range, the additional target classification result and the additional target classification result correspond to the additional target classification result, and the monitoring target within the first predetermined period. A re-learning process for re-learning the classification result based on the feature amount showing the behavior, and
When the difference between any of the above ratios and the predetermined target ratio is within the permissible range, the classification result of the behavior of the specific communication partner not selected by the selection process is added to the addition target classification result. Then, the recalculation process for recalculating each ratio and
An analyzer characterized by performing. An analysis method executed by an analyzer having a processor that executes a program and a storage device that stores the program.
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores the past action history executed by the communication partner with the monitoring target for the monitoring target. The action classification information is information in which the communication partner and the classified action group of the communication partner are associated with each other, and the action sequence information is a time-series action of the communication partner. Information in which an action sequence is associated with inclusive information indicating whether or not the action sequence is a part of another action sequence longer than the action sequence.
The processor
Acquisition processing for acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target, and
The first determination process for determining whether or not a specific communication partner with the monitoring target exists in the behavior classification information within the first predetermined period before the occurrence of the specific alert in the alert group.
When it is determined by the first determination process that the specific communication partner does not exist in the action classification information, the action classification result of the specific communication partner and the specific communication partner stored in the action history information are stored. A specific action sequence, which is a time-series action of the specific communication partner, is generated based on the past action history of the above, and the specific action sequence is the other action sequence using the action sequence information. The second judgment process to determine whether or not it is a part of
When the specific action sequence is determined to be a part of the other action sequence by the second determination process, the selection process for selecting the classification result of the action of the specific communication partner, and the selection process.
Output processing that outputs the classification result of the behavior of the specific communication partner selected by the selection processing, and
An analysis method characterized by performing.

Images