JP7125317B2 - UNAUTHORIZED ACCESS MONITORING DEVICE AND METHOD - Google Patents

Description

The present invention relates to unauthorized access monitoring technology for monitoring unauthorized access to equipment.

In facilities such as office buildings and tenant buildings, various equipment such as air conditioning, heat sources, lighting, access control, power receiving and transforming, disaster prevention, security, elevators, etc., are connected to multiple devices connected to communication lines. (For example, refer to Patent Literature 1, etc.).
In recent years, news about unauthorized access called cracking targeting facility management systems such as building systems is increasing year by year. If the facility management system is subjected to cyberattacks such as system destruction, information theft, and Web page alteration due to such unauthorized access, the impact spreads to the entire facility, and it is expected that the facility will suffer enormous damage.

Japanese Patent Application Laid-Open No. 2007-199798

However, in many cases, such a facility management system gives top priority to stable operation. Therefore, in existing facility management systems, it is very often difficult to update the OS, install security software, and introduce new security devices to each device. In addition, since each device of the facility management system is created with a wide variety of OS/platforms/software, it is difficult to ensure security by installing agents in all the devices. Therefore, it is difficult to detect unauthorized access.

In general, conventional techniques related to fraud detection in such facility management systems include fraud detection techniques such as firewalls, blacklist methods, and whitelist methods. However, these prior arts have the problem that if the equipment of the facility management system is hijacked by cracking, it is difficult to detect unauthorized access using the equipment.

SUMMARY OF THE INVENTION The present invention is intended to solve such problems, and an object thereof is to provide an unauthorized access monitoring technique capable of monitoring unauthorized access to equipment.

In order to achieve these objects, the unauthorized access monitoring device according to the present invention is used in a facility management system that manages various facilities installed in a facility using a plurality of devices connected to communication lines. an unauthorized access monitoring device for monitoring unauthorized access to said plurality of devices by detecting packets to be monitored exchanged between said plurality of devices via said communication line, wherein said device is in a normal state without unauthorized access. a storage unit configured to store an estimation model indicating the detection status of the monitored packet detected from the communication line in each time period in the above, and exchanged between the plurality of devices via the communication line a packet detection unit configured to detect a packet to be monitored, and a detection state of the packet to be monitored detected during a specified time period in the normal state based on the estimation model; a normal value identification unit configured to identify a detection state as a normal value; a detection state of the monitored packet detected by the packet detection unit during a target time period; and the detection state identified by the normal value identification unit and an unauthorized access determination unit configured to compare the value with a normal value in the target time period and determine whether or not the unauthorized access has occurred based on the obtained comparison result.

Further, one configuration example of the unauthorized access monitoring apparatus according to the present invention further includes a block number acquisition unit for acquiring the number of people in a specific block provided in the facility, and the storage unit stores the estimation model , an estimate showing the relationship between the detection status of the monitoring target packet detected from the communication line in each time period in the normal state and the number of people in the specific section of the facility in each time period. The normal value identification unit stores the model, and the normal value identification unit detects the number of people detected in the specified time period in the normal state based on the estimated model and the number of people in the specified time period acquired by the number of people in the compartment acquisition unit. The detection state of the packet to be monitored is estimated, and the obtained detection state is specified as the normal value.

In one configuration example of the unauthorized access monitoring apparatus according to the present invention, when the normal value identifying unit identifies the normal value, the monitoring object detected during the specified time period in the estimated normal state A value obtained by adding a fluctuation range related to the packet detection status to the packet detection status is specified as the normal value.

In one configuration example of the unauthorized access monitoring apparatus according to the present invention, the monitoring target packet newly detected by the packet detection unit during the period when the unauthorized access judgment unit judges that there is no unauthorized access. and an estimation model updater configured to update the estimation model based on the detection status of the.

In one configuration example of the unauthorized access monitoring apparatus according to the present invention, the monitoring target packet newly detected by the packet detection unit during the period when the unauthorized access judgment unit judges that there is no unauthorized access. and the number of persons in the section in the time period acquired by the number of persons in section acquiring section, the estimation model updating section configured to update the estimation model.

Further, in one configuration example of the unauthorized access monitoring apparatus according to the present invention, the packet detection unit detects identification information registered in the exclusion list of the storage unit among the monitoring target packets detected from the communication line. It excludes packets that contain

In one configuration example of the unauthorized access monitoring apparatus according to the present invention, the number of transmissions or receptions of the monitoring target packets in the target time zone in which the unauthorized access determination unit determines that the unauthorized access has occurred in the device A specified number of devices are identified as candidates for devices that have made unauthorized access in descending order of the number.

In one configuration example of the unauthorized access monitoring apparatus according to the present invention, the number of transmissions or receptions of the monitoring target packets in the target time zone in which the unauthorized access determination unit determines that the unauthorized access has occurred in the device In ascending order of the number, a specified number of devices are identified as candidates for devices that have been subject to unauthorized access.

Further, an unauthorized access monitoring method according to the present invention is an unauthorized access monitoring device used in a facility management system for managing various equipment installed in a facility using a plurality of devices connected to a communication line. An unauthorized access monitoring method for monitoring unauthorized access to the plurality of devices by detecting monitored packets exchanged between the plurality of devices via a line, wherein a storage unit is configured to prevent unauthorized access. a storage step of storing an estimation model indicating the detection status of the monitored packet detected from the communication line in each time zone in a normal state; a packet detection step of detecting exchanged monitoring target packets; and a normal value identifying unit estimating the detection status of the monitoring target packets detected during a specified time period in the normal state based on the estimation model, a normal value identifying step of identifying the obtained detection status as a normal value; and an unauthorized access determination step of comparing the specified value with a normal value in the target time period, and determining presence or absence of the unauthorized access based on the obtained comparison result.

According to the present invention, in an existing facility management system, unauthorized access can be monitored without updating the OS for each device, installing security software, or introducing new security devices. It becomes possible. In addition, it is possible to monitor unauthorized access from devices hijacked by cracking, which was difficult with fraud detection technologies such as firewalls, blacklist methods, and whitelist methods.

1 is a block diagram showing the configuration of an unauthorized access monitoring device; FIG. It is a configuration example of an estimation model. FIG. 10 is an explanatory diagram showing an example of unauthorized access determination; 10 is a flowchart showing unauthorized access monitoring processing; 9 is a flowchart showing estimation model update processing;

[Principle of Invention]
First, the principle of the present invention will be explained.
In general, the first action taken in cracking is a preliminary investigation. For example, in a facility management system that manages various equipment installed in a facility using multiple devices connected to a communication line, if one of the devices is hijacked to gain unauthorized access to other devices, a preliminary investigation will be conducted. Investigate what kind of equipment is connected to the communication line.

A hijacked unauthorized device transmits an investigation packet for existence confirmation or the like to a communication line by, for example, a communication method such as broadcast, multicast, or round-robin. When other devices connected to the communication line receive the investigation packet from the unauthorized device, they return a response packet containing their own control information to the unauthorized device.

For example, in a building system such as a BACnet (Building Automation and Control Networking protocol) system, as a mechanism for determining whether the equipment in the system is normal or abnormal, each equipment checks that it is operating normally at a certain interval. A notification packet (i-am packet) for notifying is transmitted, and when the notification packet cannot be received within a certain period of time, it is determined that there is an abnormality.

Using such a mechanism, a cracker sends a search packet (a who-is packet in which a BACnet device returns an i-am response) to inquire whether each device is normal by broadcasting from a hijacked unauthorized device. Then, by detecting a notification packet (i-am packet) for the search packet, the source is specified as the BACnet device to be attacked. Therefore, when an unauthorized device transmits a search packet, each device returns a response packet, resulting in more packets than usual being exchanged on the communication line.

Therefore, if an unauthorized device conducts such a preliminary investigation, the detection status of packets exchanged via communication lines, such as the number of packets or statistical values related to the number of packets, will temporarily increase compared to normal conditions without fraud. It will be done. On the other hand, when communication interruption or equipment failure occurs due to cracking, the detection status of packets exchanged via communication lines decreases compared to normal times without fraud. In particular, in a large-scale environment in which many devices are connected, such as in a facility management system, the detection status significantly increases or decreases according to the number of devices. The same is true for DOS attacks.

The present invention focuses on the relationship between the presence or absence of unauthorized access by a hijacked unauthorized device and the change in the detection status of monitored packets exchanged between devices via a communication line. An estimation model is created in advance to show the detection status in each time zone of the state, and the reference value that shows the detection status in the specified time zone in the normal state obtained from this estimation model and the detection from the communication line during the specified time zone The presence or absence of unauthorized access is determined by comparing with the detection status thus obtained. In the following description, the number of packets to be monitored is used as the detection status of packets to be monitored, but the number of packets to be monitored is not limited to this. For example, a general statistical value such as an average value, maximum value, minimum value, or median value regarding the number of monitored packets detected within a certain detection period may be used as the detection status.

Next, one embodiment of the present invention will be described with reference to the drawings.
[Unauthorized access monitoring device]
First, referring to FIG. 1, an unauthorized access monitoring device 10 according to this embodiment will be described. FIG. 1 is a block diagram showing the configuration of an unauthorized access monitoring device.

This unauthorized access monitoring device 10 is generally composed of information processing devices such as a server device and an industrial controller, and manages various facilities installed in a facility using a plurality of devices 20 connected to a communication line L. It is used in the facility management system 1 and has a function of monitoring unauthorized access to the equipment 20 by detecting monitored packets exchanged between the equipment 20 via the communication line L. FIG.

As shown in FIG. 1, the unauthorized access monitoring device 10 includes, as main functional units, a communication I/F unit 11, a storage unit 12, a packet detection unit 13, a section number acquisition unit 14, a normal value identification unit 15, an unauthorized access It has a determination unit 16 and an estimation model update unit 17, and is connected via an internal bus B so that data can be exchanged. Among these functional units, the packet detection unit 13, the number of persons in the compartment acquisition unit 14, the normal value identification unit 15, the unauthorized access determination unit 16, and the estimation model update unit 17 are realized by cooperation between the CPU and the program. there is

The communication I/F unit 11 has a function of transmitting/receiving packets to/from the equipment 20 and the entrance/exit management system 30 via the communication line L. FIG.

The storage unit 12 is composed of a storage device such as a hard disk or a semiconductor memory, and has a function of storing various data and programs used for unauthorized access monitoring processing. Main processing data stored in the storage unit 12 include an exclusion list and an estimation model.

The exclusion list is a so-called white list in which identification information for specifying packets to be excluded from the monitoring target packets is registered. Packets that are not affected by unauthorized access need not be detected as monitored packets. Therefore, identification information for identifying such packets may be registered in the exclusion list in advance. Specific examples of identification information include an IP address included in a packet, a port number, a packet ID indicating a specific service packet used in the device control protocol, and the like.

The estimation model is an estimation model for estimating the number of monitoring target packets detected from the communication line L in each time zone in a normal state without unauthorized access. This estimation model may be constructed using a function, or may be constructed using other general techniques such as a database. FIG. 2 is a configuration example of an estimation model. The estimation model shown in FIG. 2 is a three-dimensional estimation model having three variables, namely, the number of people in a specific compartment, the time slot, and the number of packets to be monitored.

In general, the number of people using a building changes depending on the section and time period, so the control of the building system also changes, and the number of packets exchanged between devices also changes. Therefore, by using such an estimation model, it is possible to estimate the number of monitoring target packets detected under the specified conditions of the number of people in the block and the time slot.

In the present embodiment, an example of estimating the number of packets in a specified time period using an estimation model having three variables consisting of the number of people in a section, the time period, and the number of packets, as shown in FIG. However, it is not limited to this. A two-dimensional estimation model having at least two variables, ie, the time slot and the number of packets, should be used to estimate the number of packets in the specified time slot.
In addition, since the number of people using the building changes depending on the type of day, such as weekdays, holidays, and holidays, such types of days may be included in the time period. Alternatively, the type of day may be added as a variable of the estimation model, or an estimation model may be created for each type of day and used by switching.

In addition, the number of people in a section used as a variable in the estimation model is not limited to that related to one specific section, and the number of people in a section related to a plurality of specific sections may be used as variables. As a result, the number of packets can be estimated with high accuracy.
Alternatively, the estimation model itself may be individually created for each specific section. At this time, each estimation model may be created based on the relationship between the specific section and the device 20, such as using the number of packets of the device 20 arranged in the specific section as a variable. This makes it possible to estimate the number of packets with high accuracy.

The packet detection unit 13 has a function of detecting (capturing), via the communication I/F unit 11, a monitoring target packet exchanged between the devices 20 via the communication line L, and a monitoring target packet obtained during the target time period. It has a function of acquiring the number of packets, and a function of excluding packets containing identification information registered in the exclusion list of the storage unit 12 among the packets to be monitored detected from the communication line L from the packets to be monitored. ing.

The section number acquisition unit 14 has a function of acquiring the section number of people existing in a specific section provided in the facility. Regarding a specific method of obtaining the number of people in a specific section, for example, from the entrance/exit management system 30 that manages the entry and exit of people in each section of the facility, A method of acquiring the number of people in a section to be used is conceivable. Also, in place of the entry/exit management system 30, the number of people in a specific section is acquired from a human detection system that detects people existing in a specific section based on a thermal image detected by a pyroelectric infrared sensor placed on the ceiling. good too. Known systems may be used for the entrance/exit management system 30 and the human detection system.

The normal value identification unit 15 detects monitoring targets detected during a specified time period in a normal state based on the estimation model stored in the storage unit 12 and the number of people in a block during a specified time period acquired by the number of people in a block acquisition unit 14. It has a function of estimating the number of packets and specifying the obtained number of packets as a normal value. It should be noted that, as described above, when using an estimation model having two variables, namely, the time period and the number of packets, the number of packets may be estimated based on the estimation model stored in the storage unit 12 .

Further, when identifying the normal value, the normal value identifying unit 15 determines the value obtained by adding the fluctuation range regarding the number of packets to the number of monitoring target packets detected in the specified time period in the estimated normal state. It has a function to specify as a value. In general, the number of monitored packets detected from the communication line L has a certain degree of error fluctuation. By adding such a fluctuation range, it is possible to more accurately determine the presence or absence of unauthorized access.

The unauthorized access determination unit 16 has a function of comparing the detected packet number Y of the monitored packets detected by the packet detection unit 13 in the target time period with the normal value in the target time period identified by the normal value identification unit 15. , and has a function of judging the presence or absence of unauthorized access based on the obtained comparison result.

FIG. 3 is an explanatory diagram showing an example of unauthorized access determination. FIG. 3 shows an estimation model M(t) in the case where the number of people in the specific section A is X among the estimation models in FIG. Above and below the estimated model M(t), a normal range E(t) consisting of an upper limit normal value EU(t) and a lower limit normal value EL(t) having a variation range obtained by the normal value identifying unit 15 is provided. there is EU(t) and EL(t) may be calculated based on the estimated error of E(t), but are calculated by adding or subtracting a preset fluctuation range to E(t). You may Only one of EU(t) and EL(t), for example, only EU(t) may be specified as the normal value.

The unauthorized access judging unit 16 judges the presence or absence of unauthorized access by comparing the number of detected packets Y(t) detected in the target time period t to be judged with the normal value, ie, the normal range E(t).
For example, since the number of detected packets Y(t1) in the target time period t1 is included between the upper limit normal value EU(t1) and the lower limit normal value EL(t) at t1, it is determined to be normal, ie, no unauthorized access. be done.

On the other hand, Y(t2) in the target time period t2 exceeds EU(t2), and search packets and confirmation packets are exchanged between the devices 20 via the communication line L due to cracking, and the number of packets increases from the normal state. Since there is a possibility that it has increased, it is determined that there is an abnormality, ie, that there is unauthorized access.
In addition, Y(t3) in the target time period t3 is lower than EU(t3), and the number of packets is reduced from the normal state due to the occurrence of communication interruption and failure of the device 20 due to cracking. Therefore, it is determined that there is an abnormality, that is, that there is unauthorized access.

In addition, the unauthorized access determination unit 16 selects, among the devices 20, the specified number of devices 20 that have been illegally accessed, in descending order of the number of transmissions or receptions of monitored packets in the target time period in which it is determined that there has been unauthorized access. 20 candidates, and a specified number of devices 20 that have been subjected to unauthorized access in descending order of the number of transmissions or receptions of monitored packets during the target time period when it is determined that there is unauthorized access. 20 candidates, and a function of storing, in the storage unit 12, monitoring target packets detected in the target time period and the period before and after the target time period as the packets for unauthorized access analysis.

The estimated model updating unit 17 detects the number of packets to be monitored by the packet detecting unit 13 during the period when the unauthorized access determining unit 16 determines that there is no unauthorized access, and It has a function to update the estimation model based on the number of people in the block in the time period. It should be noted that, as described above, when using an estimation model having two variables, namely, the time period and the number of packets, the estimation model may be updated based on the number of packets detected in the time period.

[Operation of this embodiment]
Next, the operation of the unauthorized access monitoring device 10 according to this embodiment will be described.

[Unauthorized access monitoring operation]
First, referring to FIG. 4, the unauthorized access monitoring operation of the unauthorized access monitoring device 10 will be described. FIG. 4 is a flowchart showing unauthorized access monitoring processing.
The unauthorized access monitoring device 10 executes the unauthorized access monitoring process of FIG. 4 in response to the arrival of the preset target time period t. It is assumed that an estimation model is stored in advance in the storage unit 12 when executing the unauthorized access monitoring process.

First, the packet detection unit 13 detects, via the communication I/F unit 11, a monitored packet exchanged between the devices 20 via the communication line L (step S100), The number Y(t) of packets to be monitored is obtained (step S101). At this time, packets containing identification information registered in the exclusion list of the storage unit 12 may be excluded from the monitoring target packets.

Further, the block number acquisition unit 14 acquires the block number X(t) in the target time zone t of the specific block A provided in the facility (step S102).
Subsequently, the normal value identifying unit 15 determines the normal Estimate the number of monitoring target packets Y(t) detected in the target time period t in the state, and add the fluctuation range for the number of packets Y(t), that is, the upper limit normal value EU(t) and the lower limit A normal range E(t) consisting of normal values EL(t) is specified (step S103).

Thereafter, the unauthorized access determination unit 16 determines the number of detected packets Y(t) of the monitored packets detected by the packet detection unit 13 in the target time period t and It is compared with the normal range E(t) (step S104).
Here, if the number of detected packets Y(t) is within the normal range E(t) (step S104: YES), it is determined that there is no unauthorized access (step S105), and a series of unauthorized access determination processing ends.

On the other hand, if the number of detected packets Y(t) is outside the normal range E(t) (step S104: NO), it is determined that there is unauthorized access (step S106), and the series of unauthorized access determination processing ends.
The determination result obtained is stored in the storage unit 12, but may be displayed on the display unit (not shown) of the unauthorized access monitoring device 10. A device (not shown) may be notified.

[Estimated model update operation]
Next, the estimated model update operation of the unauthorized access monitoring device 10 will be described with reference to FIG. FIG. 5 is a flowchart showing estimation model update processing.
The unauthorized access monitoring apparatus 10 executes the estimation model update process of FIG. 5 in response to the arrival of a preset update process timing. The timing of the update process is suitable, for example, once a day at 0:00 of the next day, when the number of detected packets Y(t) and the number of people in the block X(t) in each new time period of the previous day are all the same.

It is assumed that the storage unit 12 stores the number of people X(t) and the number of detected packets Y(t) for each time slot t for several days when executing the estimation model update process. The number of detected packets Y(t) is the number of monitored packets detected by the packet detection unit 13 during the target time period t when the unauthorized access determination unit 16 determines that there is no unauthorized access.

First, the estimation model updating unit 17 acquires from the storage unit 12 the number of people X(t) in the specific section A for each time slot t for several days (step S110), and , the detected packet number Y(t) of the monitored packets detected by the packet detector 13 is obtained (step S111).

After that, the estimation model updating unit 17 creates a new estimation model for the specific block A as shown in FIG. M is created (step S112). As a result, the number of detected packets Y(t) and the number of persons X(t) in the section for several days are calculated in consideration of the new number of detected packets Y(t) and the number of persons X(t) in the section in each new time zone of the previous day. A new representative estimation model M is created.
Subsequently, the estimation model updating unit 17 updates the estimation model stored in the storage unit 12 with the new estimation model M (step S113), and ends the series of estimation model updating processes.

[Effects of this embodiment]
Thus, in this embodiment, the storage unit 12 stores the number Y(t) (detection status) of monitored packets detected from the communication line L in each time slot t in a normal state without unauthorized access. The estimated model M shown in FIG. It compares with the normal value E(t) in the target time period t, and determines the presence or absence of unauthorized access based on the obtained comparison result.

As a result, in the existing facility management system 1, unauthorized access can be monitored without the need to update the OS, install security software, or install new security equipment for each device 20. becomes. It is also possible to monitor unauthorized access from the device 20 hijacked by cracking, which has been difficult with fraud detection techniques such as firewall, blacklist method, and whitelist method fraud detection.

In addition, in the present embodiment, the block number acquisition unit 14 acquires the number of people in a block existing in a specific block provided in the facility, and the storage unit 12, as an estimation model, performs communication at each time zone in a normal state. Stores an estimation model showing the relationship between the number of monitored packets detected from the line L and the number of people in a specific section of the facility in each time zone, and the normal value identification unit 15 stores the number of people in the section Based on the number of people in the designated time zone and the estimation model acquired by the acquisition unit 14, the number of monitored packets detected during the specified time zone in a normal state is estimated, and the obtained number of packets is taken as a normal value. You may make it specify.
As a result, it is possible to cope with an increase or decrease in the number of packets due to an increase or decrease in the number of people in a section, and to accurately determine whether or not unauthorized access has occurred.

Further, in the present embodiment, when the normal value identifying unit 15 identifies the normal value, a value obtained by adding a fluctuation range regarding the number of packets to the estimated number of packets detected in a specified time period in the normal state is , may be identified as normal values.
As a result, errors in the estimation model can be dealt with, and the presence or absence of unauthorized access can be accurately determined.

In the present embodiment, the estimation model updating unit 17 detects the number of packets to be monitored newly detected by the packet detecting unit 13 during the period when the unauthorized access determining unit 16 determines that there is no unauthorized access. You may make it update an estimation model based on.
In particular, in building systems, with the progress of IoT (Internet of Things), various devices are added, so the number of detected packets changes, and the same estimation model cannot be used for a long period of time. By updating the estimation model in this way, it is possible to cope with an increase or decrease in the number of packets due to the addition or removal of the device 20, and it is possible to accurately determine the presence or absence of unauthorized access.

In the present embodiment, the estimation model updating unit 17 detects the number of packets to be monitored newly detected by the packet detecting unit 13 during the period when the unauthorized access determining unit 16 determines that there is no unauthorized access. , and the number of people in the compartment in the time period newly acquired by the number of people in the compartment acquiring unit 14, the estimation model may be updated.
As a result, it is possible to cope with an increase or decrease in the number of packets due to the addition or removal of the device 20, and it is also possible to respond to an increase or decrease in the number of packets due to an increase or decrease in the number of people in the section, and it is possible to determine the presence or absence of unauthorized access with higher accuracy. can be done.

Further, in the present embodiment, the packet detection unit 13 may exclude packets containing identification information registered in the exclusion list of the storage unit 12 from the monitoring target packets detected from the communication line L. .
As a result, it is possible to exclude legitimate packets that do not exist in a normal state, such as maintenance packets exchanged with the device 20 during system maintenance, and to accurately determine the presence or absence of unauthorized access.

In addition, in the present embodiment, the unauthorized access determination unit 16 selects a specified number of devices 20 in descending order of the number of transmissions or receptions of monitored packets in the target time period when it is determined that there is unauthorized access. It may be specified as a candidate for the device 20 that has made unauthorized access.
As a result, in addition to the presence or absence of unauthorized access, it is possible to specify a candidate for the device 20 that has made unauthorized access, and to promptly respond to unauthorized access.

Further, in the present embodiment, the unauthorized access determination unit 16 selects a specified number of the devices 20 in descending order of the number of transmissions or receptions of monitored packets during the target time period when it is determined that there is unauthorized access. It may be specified as a candidate for the device 20 that has suffered unauthorized access.
As a result, in addition to the presence or absence of unauthorized access, it is possible to specify a candidate for the device 20 that has been subjected to unauthorized access, and it is possible to quickly respond to unauthorized access.

[Expansion of Embodiment]
Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

DESCRIPTION OF SYMBOLS 1... Facility management system 10... Unauthorized access monitoring apparatus 11... Communication I/F part 12... Storage part 13... Packet detection part 14... Section number acquisition part 15... Normal value identification part 16... Unauthorized access Judgment unit 17 Estimation model update unit 20 Equipment 30 Entering/leaving management system L Communication line.

Claims (8)

Packets to be monitored that are used in a facility management system that manages various equipment installed in a facility using a plurality of devices connected to a communication line, and that are exchanged between the plurality of devices via the communication line. An unauthorized access monitoring device that monitors unauthorized access to the plurality of devices by detecting
a section number acquisition unit that acquires the section number of people existing in a specific section provided in the facility;
Shows the relationship between the detection status of the monitoring target packet detected from the communication line in each time zone in a normal state without unauthorized access and the number of people in the specific zone in the facility during each time zone. a storage unit configured to store an estimation model;
a packet detection unit configured to detect monitored packets exchanged between the plurality of devices via the communication line;
Based on the number of persons in the designated time period acquired by the number of persons in the designated time period and the estimation model , the detection status of the monitoring target packet detected during the designated time period in the normal state is estimated and obtained. a normal value identifying unit configured to identify the detection status as a normal value;
The detection status of the monitored packet detected by the packet detection unit during the target time period is compared with the normal value in the target time period identified by the normal value identification unit, and based on the obtained comparison result An unauthorized access monitoring device comprising: an unauthorized access judgment unit configured to judge whether or not there is unauthorized access. The unauthorized access monitoring device according to claim 1 ,
Detection status of the monitoring target packet newly detected by the packet detection unit during the time period when the unauthorized access determination unit determines that there is no unauthorized access, and in the time period acquired by the section number of people acquisition unit An unauthorized access monitoring device, further comprising an estimation model updating unit configured to update the estimation model based on the number of people in the block. In the unauthorized access monitoring device according to any one of claims 1 and 2 ,
The unauthorized access determination unit selects, among the devices, a specified number of devices that have been illegally accessed in descending order of the number of transmissions or receptions of the monitoring target packets during the target time period in which the unauthorized access is determined. An unauthorized access monitoring device characterized by specifying as a candidate for In the unauthorized access monitoring device according to any one of claims 1 to 3 ,
The unauthorized access determination unit selects, among the devices, a specified number of devices subjected to the unauthorized access in descending order of the number of transmissions or receptions of the packets to be monitored in the target time period determined to be the occurrence of the unauthorized access. An unauthorized access monitoring device characterized by specifying as a candidate for An unauthorized access monitoring device used in a facility management system that manages various equipment installed in a facility using a plurality of devices connected to a communication line, and exchanges between the plurality of devices via the communication line. An unauthorized access monitoring method for monitoring unauthorized access to the plurality of devices by detecting a packet to be monitored, comprising:
a compartment number acquisition step of acquiring the compartment number of people existing in a specific compartment provided in the facility;
The storage unit stores the detection status of the monitoring target packet detected from the communication line in each time period in a normal state without unauthorized access, and the number of people in the specific section of the facility in each time period. a storage step of storing an estimated model showing the relationship of
a packet detection step in which a packet detection unit detects monitored packets exchanged between the plurality of devices via the communication line;
A normal value specifying unit determines the detection status of the monitoring target packet detected during the specified time period in the normal state based on the number of people in the specified time period acquired in the step of acquiring the number of people in the compartment and the estimation model. a normal value identification step of estimating and identifying the obtained detection status as a normal value;
An unauthorized access determination unit compares the detection status of the monitored packet detected by the packet detection unit in the target time period with the normal value in the target time period identified by the normal value identification unit, and obtains and an unauthorized access determination step of determining whether or not the unauthorized access has occurred based on the comparison result. In the unauthorized access monitoring method according to claim 5,
Detection status of the monitoring target packet newly detected in the packet detection step during the time period when it is determined that there is no unauthorized access in the unauthorized access determination step, and in the time period acquired in the section number of people acquisition step An unauthorized access monitoring method, further comprising an estimated model update step configured to update the estimated model based on the number of people in the parcel. In the unauthorized access monitoring method according to any one of claims 5 and 6,
In the unauthorized access determination step, among the devices, a specified number of devices that have been illegally accessed are selected in descending order of the number of transmissions or receptions of the monitored packets during the target time period in which the unauthorized access is determined. An unauthorized access monitoring method characterized by specifying as a candidate for In the unauthorized access monitoring method according to any one of claims 5 to 7,
In the unauthorized access determination step, among the devices, a specified number of devices are subjected to unauthorized access in descending order of the number of transmissions or receptions of the monitoring target packets during the target time period in which the unauthorized access is determined. An unauthorized access monitoring method characterized by specifying as a candidate for

Images