JP7325557B2 - Abnormality diagnosis method and abnormality diagnosis device - Google Patents

Description

The present invention relates to an anomaly diagnosis method and an anomaly diagnosis apparatus for identifying variables that contribute to anomalies in multidimensional information.

Conventionally, as disclosed in Patent Documents 1 to 4 and Non-Patent Document 1, it is known to detect an abnormality by diagnosing whether there is an abnormality in observed values of a plurality of variables.

Japanese Patent No. 6076751 Japanese Patent No. 5858839 Japanese Patent No. 5811683 Japanese Patent No. 5108116

Sommer, Robin, and Vern Paxson. "Outside the closed world: On using machine learning for network intrusion detection." Security and Privacy (SP), 2010 IEEE Symposium on. IEEE, 2010. M. Tavallaee, E.; Bagheri, W.; Lu, and A.L. Gorbani, "A Detailed Analysis of the KDD CUP 99 Data Set," Submitted to Second IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), 2009. Mikolov, Tomas, et al. "Distributed representations of words and phrases and their compositionality." Advances in neural information processing systems. 2013. Yang, Sen, et al. "Feature grouping and selection over an undirected graph." Graph Embedding for Pattern Analysis. Springer New York, 2013. 27-43. Song, Jingping, Zhiliang Zhu, and Chris Price. "Feature grouping for intrusion detection system based on hierarchical clustering." International Conference on Availability, Reliability, and Security. Springer International Publishing, 2014.

The present disclosure provides an abnormality diagnosis method and an abnormality diagnosis device that can effectively identify the cause of an abnormality.

An abnormality diagnosis method according to an aspect of the present disclosure uses an observed value obtained by observing the state of a monitoring target and configured by values of a plurality of variables indicating the state, and determines whether the observed value is abnormal. An abnormality diagnosis method executed by an abnormality diagnosis device for diagnosing whether or not there is an abnormality, the abnormality diagnosis device comprising a processor and a memory, wherein the memory detects an abnormality generated by learning using a plurality of the observed values A detection model is stored, and the processor obtains group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables, and calculates the observation value. read the anomaly detection model from the memory, calculate a score by inputting the observed value into the anomaly detection model, and use the score to determine whether the observed value is anomalous , when the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more of the observed value Identify the group that is the cause of the anomaly among the groups.

An abnormality diagnosing device according to an aspect of the present disclosure uses an observed value obtained by observing the state of a monitoring target and configured by the values of a plurality of variables indicating the state, and determines whether the observed value is abnormal. An anomaly diagnosis device for diagnosing whether or not there is a Acquiring group information indicating one or more groups each formed by a combination of at least two mutually related variables among the plurality of variables, acquiring the observed value, and reading the anomaly detection model from the memory and calculating a score by inputting the observed value to the anomaly detection model, determining whether the observed value is abnormal using the score, and determining that the observed value is abnormal , using a loss function defined based on the score and the one or more groups indicated by the acquired group information, among the one or more groups of the observed values, identifying the group that is the cause of the abnormality do.

An abnormality diagnosis method according to an aspect of the present disclosure uses an observed value obtained by observing the state of a monitoring target and configured by values of a plurality of variables indicating the state, and determines whether the observed value is abnormal. An abnormality diagnosis method executed by an abnormality diagnosis device for diagnosing whether or not there is an abnormality, the abnormality diagnosis device comprising a processor and a memory, wherein the memory detects an abnormality generated by learning using a plurality of the observed values A detection model is stored, and the processor obtains group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables, and calculates the observation value. read the anomaly detection model from the memory, determine whether the observed value is abnormal using the read anomaly detection model, and if it is determined that the observed value is abnormal, Based on the observed value and the one or more groups indicated by the acquired group information, the group that is the cause of the abnormality is specified among the one or more groups of the observed value.

An abnormality diagnosing device according to an aspect of the present disclosure uses an observed value obtained by observing the state of a monitoring target and configured by the values of a plurality of variables indicating the state, and determines whether the observed value is abnormal. An anomaly diagnosis device for diagnosing whether or not there is a Acquiring group information indicating one or more groups each formed by a combination of at least two mutually related variables among the plurality of variables, acquiring the observed value, and reading the anomaly detection model from the memory Then, it is determined whether the observed value is abnormal using the read anomaly detection model, and if it is determined that the observed value is abnormal, it is indicated by the acquired observed value and the acquired group information. A group that is the cause of the abnormality is identified among the one or more groups of the observed values, based on the one or more groups that are obtained.

It should be noted that these general or specific aspects may be realized by a system, device, integrated circuit, computer program, or a recording medium such as a computer-readable CD-ROM. and any combination of recording media.

The abnormality diagnosis method and abnormality diagnosis device according to the present disclosure can effectively identify the cause of abnormality.

FIG. 1 is a schematic diagram of an abnormality diagnosis system according to an embodiment. FIG. 2 is a block diagram showing an example of the hardware configuration of the abnormality diagnosis device according to the embodiment. FIG. 3 is a diagram showing an example of a monitoring target in the abnormality diagnosis system according to this embodiment. FIG. 4 is a block diagram showing an example of the functional configuration of the abnormality diagnosis device according to this embodiment. FIG. 5 is a diagram showing an example of observation data acquired from a monitoring target. FIG. 6A is a diagram showing an example of a UI displayed on the display for setting groups of abnormality diagnosis devices according to the present embodiment. FIG. 6B is a diagram showing an example of a UI displayed on the display for setting groups of abnormality diagnosis devices according to the present embodiment. FIG. 7 is a diagram showing an autoencoder according to the embodiment. FIG. 8 is a flowchart illustrating an example of processing for generating an anomaly detection model according to the embodiment. FIG. 9 is a flowchart illustrating an example of determination processing using an anomaly detection model according to the embodiment. FIG. 10 is a flow chart showing an example of identification processing for identifying a group that is the cause of an abnormality.

(Knowledge on which the present invention is based)
2. Description of the Related Art In recent years, the use of IT and automation have advanced to a high degree in facilities such as factories. Accurate sensing and appropriate feedback are essential for efficient and safe automation of equipment. For this reason, anomaly detection, which detects anomalies due to failures, cyberattacks, etc., is an extremely important technology for avoiding major damage in advance due to equipment defects.

On the other hand, even if the anomaly can be detected appropriately, it is fraught with another difficulty to investigate the cause of the anomaly. General anomaly detection methods in machine learning only detect events that are unlikely to occur under normal conditions, and do not provide information about the cause of the anomaly. Therefore, the current situation is that anomaly detection is not very effectively used, especially in the field of networks and the like, in which there are various possibilities for an abnormal state (Non-Patent Document 1).

In order to identify the cause of an anomaly, it is useful to identify which variables in the observed values contribute significantly to the anomaly. For example, if a sensor fails, only the failed sensor's observations should show an abnormal value. Therefore, when an observed value is identified as abnormal, it is possible to quickly find the cause of the failure of the sensor from which the observed value was obtained (Patent Documents 1 and 2).

However, in actual abnormality diagnosis, the purpose is not always to identify the failed sensor as described above. In practice, it is often the case that a single underlying phenomenon or cause affects observations from multiple sensors or the like. For example, mathematics test scores and physics test scores are both influenced by the fundamental factor of mathematical thinking. Therefore, it can be said that both scores are highly correlated. Thus, an anomalous phenomenon that affects the root cause will affect multiple variables at the same time.

Further, in the technique of Patent Document 3, when it is determined that a certain variable may be abnormal, a plurality of variables having a strong correlation with that variable are extracted. Variables with strong correlations are likely to be influenced by common factors. Therefore, this method is also useful for abnormality diagnosis. The method of Patent Document 4 also summarizes variables with strong correlation as collinear data items.

However, the aforementioned methods were intended for physical systems such as failure diagnosis of equipment or sensors in chemical plants and the like. For this reason, if the anomaly diagnosis model is more complicated, such as for the purpose of detecting invalid parameters in packets flowing through the network, or if the parameters are manipulated maliciously, it is necessary to effectively detect anomalous variables. It may not be possible to specify.

Specifically, as cyber attacks and malware continue to evolve, by introducing an intrusion detection system (IDS: Intrusion Prevention System) or an intrusion prevention system (IPS: Intrusion Prevention System), attacks, etc. It has become essential to prevent An intrusion detection system or intrusion prevention system is a system that detects or prevents unauthorized activity on a computer or network.

However, with the recent diversification of attacks, it is no longer possible to catch unauthorized communications with the signature-type detection system that has been used in the past. For this reason, an anomaly detection system called an anomaly type has become necessary. While the signature type can only be applied to known patterns, the anomaly type may be able to detect unknown attack patterns as well. However, even if an anomaly is detected, there is a problem that the specific anomaly cannot be identified, and a large number of anomaly detection alerts are issued, which causes the user to be forced to deal with the problem.

In order to solve such a problem, an abnormality diagnosis method according to an embodiment of the present disclosure obtains an observed value composed of values of a plurality of variables indicating the state of a monitoring target, obtained by observing the state. An abnormality diagnosis method executed by an abnormality diagnosis device for diagnosing whether or not an observed value is abnormal using The processor stores an anomaly detection model generated by learning using Obtaining information, obtaining the observed value, reading the anomaly detection model from the memory, determining whether the observed value is abnormal using the read anomaly detection model, and determining whether the observed value is abnormal If it is determined to be abnormal, the group that is the cause of the abnormality is specified among the one or more groups of the observed value based on the observed value and the one or more groups indicated by the acquired group information. do.

This makes it possible to identify a group that causes anomalies with high precision for a wide range of problems.

In addition, the anomaly detection model is a model generated by at least one of an autoencoder for learning, a variational autoencoder, and a one-class support vector machine using the plurality of observed values. good too.

This allows anomaly detection, which is already known to perform well, to be used to determine if an observed value is anomalous. Moreover, it is possible to easily perform abnormality diagnosis using a natural loss function by using the score output by the abnormality detection.

Further, in determining whether or not the observed value is abnormal, a score is calculated by inputting the observed value into the anomaly detection model, and if the calculated score is equal to or greater than a predetermined first threshold , it may be determined that the acquired observation value is abnormal, and if the calculated score is less than the first threshold, it may be determined that the plurality of acquired observation values are not abnormal.

Therefore, it is possible to effectively detect abnormalities in observed values.

Further, the anomaly detection model is a model generated based on the probability density ratio of the plurality of normal observation values for learning and the plurality of observation values for diagnosis. Obtaining a plurality of the observed values, and in determining whether the observed values are abnormal, calculating a score using the anomaly detection model read from the memory and the obtained plurality of observed values, When the calculated score is equal to or greater than a predetermined first threshold, the obtained plurality of observed values are determined to be abnormal, and when the calculated score is less than the first threshold, the obtained plurality of observed values are determined to be abnormal. It may be determined that the observed value of is not abnormal.

As a result, when modeling is difficult due to reasons such as a small amount of data during the learning period, it becomes possible to judge whether the diagnosis target data is abnormal as a set, and if so, which variable group is abnormal. can be specified.

Further, in identifying the group, a loss function composed of the sum of the calculated score and a group regularization term obtained by regularizing each of the one or more groups indicated by the group information is a minimum value. may be calculated, and among the calculated displacement vectors, a group including a variable equal to or greater than a second threshold value less than 1 may be specified as the group causing the abnormality.

This makes it possible to effectively identify the group that is the cause of the anomaly.

Also, the group regularization term may satisfy Lp regularization with 0<p≦1 between groups and p>1 within groups.

This makes it possible to effectively identify the group that is the cause of the anomaly.

It should be noted that these general or specific aspects may be realized by a system, device, integrated circuit, computer program, or a recording medium such as a computer-readable CD-ROM. and any combination of recording media.

All of the embodiments described below represent specific examples of the present invention. Numerical values, shapes, components, steps, order of steps, and the like shown in the following embodiments are examples and are not intended to limit the present invention. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in independent claims representing the highest concept will be described as optional constituent elements. Moreover, in all the embodiments, each content can be combined.

(Embodiment)
[1. Configuration of anomaly diagnosis system]
First, a schematic configuration of the abnormality diagnosis system according to the present embodiment will be described.

FIG. 1 is a schematic diagram of an abnormality diagnosis system according to an embodiment.

Specifically, in FIG. 1 , the abnormality diagnosis system 1 includes an abnormality diagnosis device 100 , a server 200 and a monitored object 300 . In the abnormality diagnosis system 1 , observation data, which is data obtained by observing the state of the monitored object 300 , is transmitted from the monitored object 300 to the server 200 . The observation data received by the server 200 are accumulated in the server 200 . The abnormality diagnosis device 100 acquires observation data accumulated in the server 200 . For example, the abnormality diagnosis device 100 may acquire observation data accumulated in the server 200 periodically, or may acquire observation data accumulated in the server 200 in real time.

The abnormality diagnosis apparatus 100 uses the obtained observation data to determine whether or not the observation data includes an abnormal observation value. Thereby, the abnormality diagnosis device 100 diagnoses the abnormality of the monitoring target.

A monitoring target 300 is a system targeted for abnormality diagnosis. The monitored object 300 is, for example, a chemical plant, a control system, an in-vehicle network system, or the like. Observation data can be obtained from the monitoring target 300 through observation. Observation data is data indicating observation values composed of values of a plurality of variables indicating the state of the monitoring target 300 . Observation data are multiple types of data strings indicating observation values acquired from the monitoring target 300 . A data string of observed values is represented by, for example, a time-series vector, and each dimension is a value obtained from a sensor or the like included in the monitored object 300 . In other words, an observed value is a value obtained at each of a plurality of different timings. An observed value is, for example, a value obtained by observation during a predetermined unit of processing, and is a value obtained at the timing when the processing ends.

In the abnormality diagnosis system 1, the abnormality diagnosis device 100, the server 200, and the monitored object 300 are connected so as to be able to communicate with each other. For example, in the abnormality diagnosis system 1, the abnormality diagnosis device 100 and the server 200 may be connected via a general-purpose network such as the Internet, or may be connected via a dedicated network. In the abnormality diagnosis system 1, the server 200 and the monitored object 300 may be connected via a general-purpose network such as the Internet, or may be connected via a dedicated network.

Note that the abnormality diagnosis system 1 does not have to include the server 200 . In other words, the abnormality diagnosis system may be configured to include the abnormality diagnosis device 100 and the monitored object 300 . In the abnormality diagnosis system 1 in this case, observation data obtained by observing the state of the monitored object 300 is directly transmitted from the monitored object 300 to the abnormality diagnosis device 100 . Further, in an abnormality diagnosis system that does not include the server 200, the abnormality diagnosis device 100 and the monitored object 300 are connected so as to be able to communicate with each other. It may be connected via a dedicated network.

[2. Hardware configuration]
[2-1. Configuration of abnormality diagnosis device]
Next, the hardware configuration of the abnormality diagnosis device 100 will be explained using FIG.

FIG. 2 is a block diagram showing an example of the hardware configuration of the abnormality diagnosis device according to the embodiment.

As shown in FIG. 2, the abnormality diagnosis apparatus 100 has a hardware configuration including a CPU 101 (Central Processing Unit), a main memory 102, a storage 103, a communication IF (Interface) 104, and an input IF (Interface) 105. , and a display 106 .

The CPU 101 is an example of a processor that executes control programs stored in the storage 103 or the like.

The main memory 102 is an example of a volatile storage area, that is, a memory used as a work area used when the CPU 101 executes the control program.

The storage 103 is an example of a non-volatile storage area that holds control programs, content, etc., that is, a memory.

Communication IF 104 is a communication interface that communicates with server 200 via a communication network. Communication IF 104 is, for example, a wired LAN interface. Note that the communication IF 104 may be a wireless LAN interface. Further, the communication IF 104 is not limited to a LAN interface, and may be any communication interface as long as it can establish a communication connection with a communication network.

The input IF 105 is, for example, an input device such as a numeric keypad, keyboard, or mouse.

A display 106 is a display device that displays the processing results of the CPU 101 . The display 106 is, for example, a liquid crystal display or an organic EL display.

[2-2. Monitoring target configuration]
Next, a case of obtaining observation data from the control system 310 as an example of the monitoring target 300 in the abnormality diagnosis system 1 will be described.

FIG. 3 is a diagram showing an example of a monitoring target in the abnormality diagnosis system according to this embodiment. In FIG. 3, in the abnormality diagnosis system 1, the monitored object 300 is, for example, the control system 310. As shown in FIG. Observation data obtained by observing in the control system 310 is transmitted to the server 200 . Observation data accumulated by being transmitted to the server 200 is transmitted to the abnormality diagnosis device 100 and used for abnormality diagnosis of the observation value in the abnormality diagnosis device 100 .

The control system 310 includes a router 311, a switching hub 312, a management terminal 313, a server 314, a PLC (Programmable Logic Controller) 315, and a sensor 31.
6.

The router 311 is a communication device that relays data transmission/reception between the control system 310 and other networks. The router 311 analyzes the received data and performs data transfer control such as selecting a data transfer route based on the analysis result.

The switching hub 312 is connected for communication with the router 311, the management terminal 313, the server 314, the PLC 315, and the sensor 316, and transfers the received data to one of the connected devices based on the destination information included in the received data. . The switching hub 312 has, for example, a mirror port that outputs data obtained by copying the received data. The switching hub 312 is connected to the server 200 at the mirror port. Observation data is extracted via the mirror port of the switching hub 312 and sent to the server 200 .

The management terminal 313 is, for example, a PC (Personal Computer), a tablet terminal, a smart phone, or the like.

The server 314 is a computer, and provides predetermined functions, data, etc. to the management terminal 313, for example.

The PLC 315 is a control device for controlling various machines.

The sensor 316 includes various sensors, and is, for example, a device that converts various physical quantities into electrical signals.

[3. Functional Configuration of Abnormality Diagnosis System]
Next, the functional configuration of the abnormality diagnosis system 1 will be explained using FIG.

FIG. 4 is a block diagram showing an example of the functional configuration of the abnormality diagnosis device according to this embodiment.

Observation data 210 stored in server 200 includes learning data 211 and diagnosis data 212 .

The learning data 211 is data for generating an anomaly detection model by machine learning among the acquired observation data 210 . Diagnosis data 212 is data to be subjected to abnormality diagnosis for determining whether or not observation data 210 obtained from monitored object 300 is abnormal using a generated abnormality detection model, among acquired observation data 210. is. Note that the acquired observation data 210 including not only normal data but also abnormal data can be used as the learning data 211 . For example, the learning data 211 is data acquired in a predetermined period at the beginning of the observation data 210, and the diagnostic data 212 is data acquired in a period after the predetermined period in which the learning data 211 is acquired. good.

The abnormality diagnosis device 100 includes a first acquisition unit 110, a group information DB (Database) 120, a second acquisition unit 130, a generation unit 140, an abnormality detection model DB (Database) 150, a determination unit 160, and a determination unit 160. and a section 170 .

The first acquisition unit 110 acquires group information indicating one or more groups each configured by a combination of at least two mutually related variables among a plurality of variables indicating the state of the monitoring target 300 . The first acquisition unit 110 acquires group information, for example, by accepting an input indicating a group from a user. The first acquisition unit 110 is realized by, for example, the input IF 105, the display 106, and the like.

The group information DB 120 stores group information acquired by the first acquisition unit 110 . The group information DB 120 is implemented by, for example, the storage 103 or the like.

The second acquisition unit 130 acquires observation values included in the observation data 210 by acquiring the observation data 210 from the server 200 . The second acquisition unit 130 is implemented by, for example, the communication IF 104 or the like.

The generation unit 140 generates an anomaly detection model by machine learning using the learning data 211 of the observation data 210 acquired by the second acquisition unit 130 . Generating anomaly detection models by machine learning is usually formulated as an unsupervised learning problem. The generation unit 140 generates an anomaly detection model, which is a model for anomaly detection, by estimating the probability density distribution of data using the learning data 211, for example. The learning data 211 includes, for example, a large amount of unlabeled data obtained by observing the monitored object 300 for a predetermined period. A specific example of the generation processing of the anomaly detection model by the generation unit 140 will be described later. The generation unit 140 is implemented by, for example, the CPU 101, the main memory 102, the storage 103, and the like.

The anomaly detection model DB 150 stores the anomaly detection model generated by the generation unit 140 . The anomaly detection model DB 150 is implemented by, for example, storage.

The determination unit 160 reads the anomaly detection model stored in the anomaly detection model DB 150 . The determination unit 160 determines whether or not the diagnostic data 212 of the observation data 210 acquired by the second acquisition unit 130 is abnormal using the read anomaly detection model. For example, the determination unit 160 may perform the above determination for each of the plurality of observed values included in the diagnostic data 212, or may perform the above determination for the plurality of observed values. The determination unit 160 determines whether or not the diagnostic data 212 is abnormal depending on whether the probability density of the diagnostic data 212 with respect to the abnormality detection model exceeds a predetermined threshold. For example, when the obtained probability density is a negative logarithm, the determination unit 160 determines that the diagnostic data 212 from which the probability density is obtained contains an abnormality. The abnormality determination method of the determination unit 160 is not limited to this. A specific example of determination processing by the determination unit 160 will be described later. The determination unit 160 is implemented by, for example, the CPU 101, the main memory 102, the storage 103, and the like.

When the determining unit 160 determines that the diagnostic data 212 is abnormal, the specifying unit 170 determines that the diagnostic data 212 determined to be abnormal and one or more information indicated by the group information stored in the group information DB 120 , the group that is the cause of the abnormality is specified among the one or more groups of the diagnostic data 212 . The identification unit 170 performs abnormality diagnosis using the diagnostic data 212 determined to be abnormal and the group information. The abnormality diagnosis referred to here means diagnosing which variable group of the diagnostic data 212 that is determined to be abnormal by the determination unit 160 is abnormal. A specific example of abnormality diagnosis by the identifying unit 170 will be described later.

The identification unit 170 extracts which variable group is abnormal using the abnormality detection model of the abnormality detection model DB 150 and the group information of the group information DB 120, thereby generating an abnormality diagnosis model for abnormality diagnosis in advance. You may have In this case, the identification unit 170 performs abnormality diagnosis on the diagnostic data 212 determined to be abnormal by the determination unit 160 by using a previously generated abnormality diagnosis model.

The identification unit 170 is implemented by the CPU 101, the main memory 102, the storage 103, and the like.

Although the abnormality diagnosis apparatus 100 is configured to include the generation unit 140 that generates an abnormality detection model, the generation unit 140 may not be provided. In other words, the device that generates the anomaly detection model using the learning data may be realized by a device other than the anomaly diagnosis device 100, and the anomaly diagnosis device 100 acquires the anomaly detection model from the other device. may

Note that the abnormality diagnosis system 1 does not have to include the monitoring target 300 as long as the abnormality diagnosis device 100 can acquire the observation data 210 .

[4. An example of observation data]
Next, details of the observation data 210 will be described with reference to FIG.

FIG. 5 is a diagram showing an example of observation data acquired from a monitoring target.

In FIG. 5, the observation data 210 includes session duration time, protocol type, service name, flag, server transmission data amount, server reception data amount, server most recent communication count, server most recent error rate, login The items of each state of the monitored object 300 indicated by status, root shell flag, and number of instructions executed by the root are composed of observed values 1 to 7 observed for each of a plurality of sessions. In other words, the multiple items shown in FIG. 5 represent multiple variables indicating the state of the monitored object, and the observed values 1 to 7 represent observed values obtained at multiple different timings. For example, each of observed values 1 to 7 is a value obtained by observing the state indicated by each of the plurality of items of the monitoring target 300 in one session. Thus, the value observed in observation n (where n is a natural number) is the value observed during processing for session n (where n is a natural number).

The item of observation value of the observation data 210 in FIG. 5 is an example of the feature amount obtained by observing the network. These features are part of the features provided in the NSL-KDD dataset in Non-Patent Document 2. These feature quantities are obtained by observing various types of variables, with information on packets flowing through the network being monitored.

Observation data 210 in FIG. 5 are observed values of session duration, amount of data sent to server, amount of data received by server, number of most recent server communications, most recent server error rate, and number of instructions executed by the route. Contains a real number and a raw value including protocol type, service name, category information observed in flags, login status and flag information observed in root shell flags, and so on. It is difficult for the abnormality diagnosis apparatus 100 to use, for example, category information among these observed values as raw values in each process such as abnormality detection and abnormality diagnosis. Therefore, observed values such as category information are converted into vector values using 1-of-N encoding. The conversion into vector values may be performed in the server 200 or in the abnormality diagnosis device 100 .

Here, 1-of-N encoding refers to assigning one dimension to each of the N types of observed values, and determining a numerical value by assigning 1 to only the dimension to which the observed value corresponds and 0 to the other dimensions. is an encoding for converting observed values such as category information into vector values.

For example, if 1-of-N encoding is used for three types of observations, sunny/rainy/cloudy, N=3, so for example, clear is (1,0,0) and rain is (0,1 , 0), and (0, 0, 1) for cloudy, a vector value can be obtained from the observed values of fine/rainy/cloudy.

Further, the observation value of a binary flag such as ON/OFF may be digitized by performing a conversion that expresses ON as 1 and OFF as 0 as a feature quantity.

[5. Example of group settings]
Next, a group setting method will be described in detail with reference to FIGS. 6A and 6B.

6A and 6B are diagrams showing examples of UIs displayed on the display for setting groups of abnormality diagnosis devices according to the embodiment.

In FIG. 6A, the display 106 displays a UI 111 for setting groups composed of combinations of at least two variables. The UI 111 is composed of items 112 , a group addition button 113 and a group deletion button 114 . Items 112 display a plurality of items included in the observation data 210 acquired from the monitored object 300 . Specifically, the items 112 are session duration time, protocol type, service name, flag, server transmission data amount, server reception data amount, server most recent communication count, server most recent error rate, login Contains status, root shell flags, and number of instructions executed by root. The user sets groups for these items 112 by inputting to the UI 111 using the input IF 105 .

FIG. 6A shows the initial state of the UI 111, and a check box for setting no group 115 indicating that the item 112 does not belong to a group is displayed.

When grouping is performed, the user can add a group by pressing the add group button 113, and can set items belonging to the added group.

FIG. 6B shows the UI 111a displayed when the group addition button 113 is pressed to add "group 1" and "group 2" as groups.

In the UI 111a, "session duration", "server transmission data amount", and "server reception data amount" are set as "group 1". Since the "duration of session" increases when the amount of transmitted and received data is large, "duration of session", "amount of data transmitted by server", and "amount of data received by server" are related to each other. Therefore, "session duration", "server transmission data amount", and "server reception data amount" are grouped.

In addition, in the UI 111a, "root shell flag" and "number of instructions executed by root" are set as "group 2". When the "root shell flag" is ON, the "number of instructions executed by the root" is 1 or more, so the "root shell flag" and the "number of instructions executed by the root" are related to each other. Therefore, "root shell flag" and "number of instructions executed by root" are grouped.

In setting the group of the item 112 using the UIs 111 and 111a, each of the plurality of items is set to be included in one group including "no group", and no item belongs to two or more groups.

In item 112, "protocol type" is an observed value, but instead, three types of observed values, "tcp", "udp", and "icmp" are used. Alternatively, if there are three items of "tcp", "udp", and "icmp", these three items may be set as the same group.

When deleting the set group, the selected group can be deleted by selecting the group to be deleted and pressing the delete group button 114 . In the UIs 111 and 111a, selecting a group means that, for example, when an input to select one of "group 1", "group 2" and "no group" is received, the group indicated by the input is It may be indicated by being highlighted.

[6. Generation process]
Next, generation processing of an anomaly detection model by the generation unit 140 will be described in detail.

As an example of generating an anomaly detection model, a case where an autoencoder is used will be described with reference to FIG.

FIG. 7 is a diagram showing an autoencoder according to the embodiment.

As shown in FIG. 7, an autoencoder is a kind of neural network, and extracts the information amount of features representing an input by dimensional compression. An autoencoder is machine learning that determines weights so that an input feature vector and an output vector have the same value in a neural network with three or more layers having an intermediate layer of smaller dimension than the input and output layers.

FIG. 8 is a flowchart illustrating an example of processing for generating an anomaly detection model according to the embodiment.

The generation unit 140 acquires the hyperparameters of the autoencoder (S11). The hyperparameters are the number of nodes in the middle layer of the autoencoder, the learning rate, parameters of the dropout function, and so on. Dropout is a technique that randomly sets intermediate node values to 0 when training an autoencoder. The generation unit 140 may acquire hyperparameters by accepting input to the input IF 105 from the user, may acquire hyperparameters stored in advance in the storage 103 from the storage 103, or acquire hyperparameters from an external device. hyperparameters may be obtained using the communication IF 104 from .

The generation unit 140 acquires the learning data 211 to be learned by the autoencoder from the second acquisition unit 130 (S12).

The generation unit 140 performs learning using an autoencoder and adjusts the weighting parameter in the autoencoder, thereby obtaining a weighting parameter that can appropriately compress and restore the learning data 211 (S13). The generation unit 140 generates an anomaly detection model by applying the acquired weight parameter to the autoencoder set with the hyperparameter acquired in step S11.

[7. Determination process]
Next, determination processing by the determination unit 160 using the generated anomaly detection model will be described in detail.

FIG. 9 is a flowchart illustrating an example of determination processing using an anomaly detection model according to the embodiment. Abnormalities are determined using an autoencoder.

The determination unit 160 reads an anomaly detection model from the anomaly detection model DB 150 (S21). The determination unit 160 reads a learned autoencoder from the anomaly detection model DB 150, for example.

The determination unit 160 acquires a first threshold for determining that the score is abnormal (S22). The determination unit 160 may acquire the first threshold by calculating the first threshold using, for example, a cross-validation method. In the cross-validation method, for example, a plurality of learning data 211 are divided into 4:1, a part (4:1 of 4) of the division is used for learning, and the rest (1 of 4:1) is used for verification. An autoencoder is learned using data used for learning out of the divided learning data 211, and an abnormality is determined by the autoencoder obtained by the learning using data used for verification out of the divided learning data 211. and the determination unit 160 may calculate the first threshold so that the probability of being determined to be abnormal is about 0.01%. The determination unit 160 may acquire the first threshold value by accepting the user's input to the input IF 105, or may acquire the first threshold value stored in the storage 103 in advance from the storage 103. Alternatively, the first threshold may be obtained from an external device using the communication IF 104 .

The determination unit 160 acquires the diagnostic data 212 acquired by the second acquisition unit 130 (S23).

The determination unit 160 calculates a score by inputting the diagnostic data 212 acquired by the second acquisition unit 130 to the learned autoencoder (S24). The determination unit 160 calculates the score using Equation 1, for example.

In Equation 1, x indicates the input vector to the autoencoder, i indicates the i-th dimension of x, and i indicates the i-th dimension of the output vector of the autoencoder. Also, in Equation 1, m indicates the number of dimensions of the input vector and the output vector. Also, in Equation 1, the score J(x) indicates the mean square error between the diagnostic data input to the autoencoder and the output vector.

The determination unit 160 determines whether or not the calculated score is greater than or equal to the first threshold (S25).

If the score is greater than or equal to the first threshold (Yes in S25), the determination unit 160 determines that the input diagnostic data is abnormal (S26), and notifies the identification unit 170 of the determination result.

If the score is less than the first threshold (No in S25), the determination unit 160 determines that the input diagnostic data is normal (S27).

The identification unit 170 performs identification processing for identifying the group that is the cause of the abnormality using the calculated score and group information (S28). Details of the specific processing will be described later.

[8. Specific processing]
Next, the identification processing for identifying the group that is the cause of the abnormality will be described in detail.

FIG. 10 is a flowchart illustrating an example of identifying processing for identifying a group that is the cause of an abnormality according to the embodiment.

The identifying unit 170 uses the score of the diagnostic data 212 determined to be abnormal by the determining unit 160 to perform identification processing for identifying the group that is the cause of the abnormality. Equation 2 is the loss function used to identify the group responsible for the anomaly.

In Equation 2, δ indicates a displacement vector with the same number of dimensions as the input vector, λ indicates a regularization parameter, n _g indicates the number of variable groups, and d _i indicates the number of variables belonging to variable group g _i . show. J(x) indicates the score.

The loss function is defined as the sum of the score and the groupwise summed score of the L2 norm of the displacement δ from the original input value due to group regularization, as shown in Equation 2.

The group regularization term in Equation 2 is a formula that satisfies Lp regularization with p=1 between groups and p=2 within groups. Note that the group regularization term is not limited to Equation 2, and may satisfy Lp regularization where 0<p≦1 between groups and p>1 within a group.

Also, in Equation 2, the group regularization is weighted by multiplying by the parameter λ.

The identifying unit 170 acquires the parameter λ (S31). The specifying unit 170 may acquire an arbitrary value as the parameter λ, or may acquire it by performing calculation using a cross-validation method. Further, the specifying unit 170 may acquire the parameter λ by accepting an input to the input IF 105 from the user, acquire the parameter λ stored in advance in the storage 103 from the storage 103, or acquire the parameter λ stored in the storage 103 in advance. parameter λ may be acquired from the device using the communication IF 104 .

The specifying unit 170 searches and calculates the displacement vector δ that minimizes the value of the loss function of Equation 2 by using the gradient method as the initial value 0 (S32). That is, the identifying unit 170 adds the score determined by the determining unit 160 to be equal to or greater than the first threshold and the group regularization term obtained by regularizing each of the one or more groups indicated by the group information. Calculate the displacement vector δ at which the loss function composed of is the minimum value.

The identification unit 170 selects a group including a variable whose absolute value is equal to or greater than the second threshold ε for a non-zero variable or a very small positive number ε (second threshold) among the plurality of variables of the observation value. (S33). The second threshold is a value greater than 0 and less than 1.

[9. effects, etc.]
According to the abnormality diagnosis method according to the present embodiment, in the observed values composed of observed values of a plurality of variables, a group of variables is determined in advance. group can be specified.

Further, according to the abnormality diagnosis method, it is possible to determine whether or not an observed value is abnormal using abnormality detection such as an autoencoder, which is already known to exhibit good performance. Moreover, it is possible to easily perform abnormality diagnosis using a natural loss function by using the score output by the abnormality detection.

In addition, according to the abnormality diagnosis method, among the displacement vectors in which the loss function has a local minimum value, a group including a variable equal to or greater than the second threshold is specified as a group that is the cause of the abnormality. can identify groups that are

In addition, according to the abnormality diagnosis method, the group regularization term satisfies Lp regularization that 0 < p ≤ 1 between groups and p > 1 within the group, so it is effectively a cause of abnormality. A group can be identified.

[10. Other Modifications]
Although the present invention has been described based on the above embodiments, the present invention is of course not limited to the above embodiments. The following cases are also included in the present invention.

(1)
In the above embodiment, the configuration of the control system has been described as an object to be monitored. And although it demonstrated as what implements abnormality determination using the observation data obtained from a switching hub, it is not restricted only to it. For example, observation values obtained from various sensors in a chemical plant may be obtained as observation data, and abnormality determination may be performed using the observation data.

(2)
In the abnormality diagnosis apparatus 100 according to the above embodiment, 1-of-N encoding is used as a means of conversion into vector values for digitization, but the encoding method is not limited to this. For example, a method using embedding as described in Non-Patent Document 3, a method of encoding using random numbers, or a method of converting to a real-valued vector with a specific number of dimensions can be considered. As a result, an abnormality detection model can be generated and abnormality determination can be performed with higher accuracy. Furthermore, even if new categories arise, they can be vectorized without increasing the dimensionality of the variables.

(3)
In the abnormality diagnosis device 100 according to the above embodiment, the grouping of variables is set based on the input to the input IF 105 from the user, but it is not limited to this. The UIs 111 and 111a may further include a display showing mutual information between variables. Also, when an input indicating the number of groups to be grouped is received by the input IF 105 from the user, grouping is automatically performed by the method described in Non-Patent Document 4 or Non-Patent Document 5 according to the number of groups indicated by the input. may

In addition, as a grouping of variables, a function with an arbitrary variable as an argument, for example, when the identity function is another variable, or when sin θ and cos θ, which are trigonometric functions of an arbitrary angle θ, are different variables, These variables may be grouped according to the degree of association between them.

(4)
In the above embodiment, abnormality determination is performed using an autoencoder, but abnormality determination may be performed using other methods. For example, a method of estimating the probability density function by kernel density estimation and determining that it is abnormal when it is below a predetermined threshold may be used, or a one-class support vector machine or a variational autoencoder may be used instead of the autoencoder. Abnormality determination may be performed.

When a one-class support vector machine is used, the kernel method is used to map the input vector to the feature space, and the boundary plane that distinguishes between normal and abnormal is determined on the feature space to perform abnormality determination.

When using a variational autoencoder, the loss function used to identify groups of variables responsible for anomalies is the negative log-likelihood, rather than the mean squared error, to calculate the likelihood that the input data will be generated. etc. can be used.

Alternatively, an abnormality may be determined using density ratio estimation, which estimates the ratio of probability densities between a group of samples that can be assumed to be normal and a group of samples that are subject to abnormality determination. In this case, in the abnormality diagnosis apparatus 100, the generation unit 140 generates an abnormality based on the probability density ratio between the learning data and the diagnosis data based on the plurality of normal observation data for learning and the plurality of observation data for diagnosis. Generate a detection model. That is, in the above embodiment, the generation unit 140 uses the observation data 210 including abnormal data as the learning data 211. However, when generating an abnormality detection model based on the probability density ratio, the abnormal data is removed. The difference is that learning data 211 containing only normal data is used, and diagnostic data 212 is used. Further, the determination unit 160 calculates a score for a plurality of observation data for diagnosis using an anomaly detection model based on the probability density ratio generated by the generation unit 140 . Then, when the calculated score is equal to or greater than a predetermined first threshold, the determination unit 160 determines that the acquired plurality of observation values are abnormal, and when the calculated score is less than the first threshold, the acquired It is judged that the observed values are not abnormal.

(5)
In the above embodiments, group regularization is used as a method of identifying variable groups that cause anomalies, but various other methods are conceivable. For example, a variable group in which the mean square error of the output value of the autoencoder exceeds a predetermined value may be identified as the variable group that causes the abnormality, or variables other than the specific variable group may be fixed and identified. may be regarded as variables, the value that minimizes the score may be obtained by the gradient method, and the variable group with the smallest score may be regarded as the variable group causing the abnormality.

In each of the above-described embodiments, each component may be configured by dedicated hardware, or realized by executing a software program suitable for each component. Each component may be realized by reading and executing a software program recorded in a recording medium such as a hard disk or a semiconductor memory by a program execution unit such as a CPU or processor. Here, the software that implements the abnormality diagnosis method and the like of each of the above embodiments is the following program.

That is, this program uses an observed value obtained by observing the state of a monitoring target, which is composed of the values of a plurality of variables indicating the state, to determine whether the observed value is abnormal. An abnormality diagnosis method executed by an abnormality diagnosis device for diagnosing a storing, the processor acquires group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables, acquires the observed value, reading the anomaly detection model from the memory, determining whether the observed value is abnormal using the read anomaly detection model, and determining that the observed value is abnormal, the observed value and Based on the one or more groups indicated by the acquired group information, an abnormality diagnosis method is executed to identify the group that is the cause of the abnormality among the one or more groups of the observed values.

Although the abnormality diagnosis method and the abnormality diagnosis device according to one or more aspects of the present invention have been described above based on the embodiments, the present invention is not limited to these embodiments. As long as it does not depart from the gist of the present invention, one or more modifications of the present embodiment that can be considered by those skilled in the art, or a form constructed by combining the components of different embodiments may be included within the scope of the embodiments.

The present disclosure is useful in identifying variables that contribute to anomalies in multidimensional information.

1 abnormality diagnosis system 100 abnormality diagnosis device 101 CPU
102 Main memory 103 Storage 104 Communication IF
105 input interface
106 display 110 first acquisition unit 111, 111a UI
112 Item 113 Group add button 114 Group delete button 115 No group 120 Group information DB
130 Second acquisition unit 140 Generation unit 150 Anomaly detection model DB
160 determination unit 170 identification unit 200 server 210 observation data 211 learning data 212 diagnostic data 300 monitoring target 310 control system 311 router 312 switching hub 313 management terminal 314 server 315 PLC
316 sensor

Claims (9)

An abnormality diagnosis device for diagnosing whether or not an observed value is abnormal using an observed value composed of values of a plurality of variables indicating the state obtained by observing the state of a monitoring target. An abnormality diagnosis method for
The abnormality diagnosis device includes a processor and a memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
The anomaly detection model is a model generated by at least one of an autoencoder as learning, a variational autoencoder, and a one-class support vector machine using the plurality of observations.
Anomaly diagnosis method. An abnormality diagnosis device for diagnosing whether or not an observed value is abnormal using an observed value composed of values of a plurality of variables indicating the state obtained by observing the state of a monitoring target. An abnormality diagnosis method for
The abnormality diagnosis device includes a processor and a memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
If the anomaly detection model is a model generated by an autoencoder as the learning using the plurality of observations, the score is the mean squared error between the input and output vectors to the autoencoder. calculated by
Abnormal diagnosis method. An abnormality diagnosis device for diagnosing whether or not an observed value is abnormal using an observed value composed of values of a plurality of variables indicating the state obtained by observing the state of a monitoring target. An abnormality diagnosis method for
The abnormality diagnosis device includes a processor and a memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
If the anomaly detection model is a model generated by a variational autoencoder as the learning using the plurality of observations, the loss function is defined using negative log-likelihood.
Abnormal diagnosis method. An abnormality diagnosis device for diagnosing whether or not an observed value is abnormal using an observed value composed of values of a plurality of variables indicating the state obtained by observing the state of a monitoring target. An abnormality diagnosis method for
The abnormality diagnosis device includes a processor and a memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
In identifying the group responsible for the anomaly,
Obtaining a displacement vector that reduces the value of the loss function using the observed value as an initial value,
Identify a group containing non-zero variables in the displacement vector as the cause of the anomaly
Abnormal diagnosis method. In determining whether the observed value is abnormal,
If the calculated score is equal to or greater than a predetermined first threshold, determine that the acquired observation value is abnormal,
The abnormality diagnosis method according to any one of claims 1 to 4 , wherein if the calculated score is less than the first threshold, it is determined that the plurality of acquired observation values are not abnormal. An anomaly diagnosis apparatus for diagnosing whether or not an observed value is anomalous, using an observed value composed of a plurality of variable values indicating the state obtained by observing the state of a monitoring target. hand,
with processor and memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
The anomaly detection model is a model generated by at least one of an autoencoder as learning, a variational autoencoder, and a one-class support vector machine using the plurality of observations.
Abnormal diagnosis device. Consists of multiple variable values that indicate the state of a monitoring target, obtained by observing the state of the monitoring target
An abnormality diagnosis device for diagnosing whether the observed value is abnormal using the observed value obtained,
with processor and memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
If the anomaly detection model is a model generated by an autoencoder as the learning using the plurality of observations, the score is the mean squared error between the input and output vectors to the autoencoder. calculated by
Abnormal diagnosis device. Consists of multiple variable values that indicate the state of a monitoring target, obtained by observing the state of the monitoring target
An abnormality diagnosis device for diagnosing whether the observed value is abnormal using the observed value obtained,
with processor and memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
If the anomaly detection model is a model generated by a variational autoencoder as the learning using the plurality of observations, the loss function is defined using negative log-likelihood.
Abnormal diagnosis device. Consists of multiple variable values that indicate the state of a monitoring target, obtained by observing the state of the monitoring target
An abnormality diagnosis device for diagnosing whether the observed value is abnormal using the observed value obtained,
with processor and memory,
The memory stores an anomaly detection model generated by learning using the plurality of observed values,
The processor
Acquiring group information indicating one or more groups each composed of a combination of at least two mutually related variables among the plurality of variables;
obtaining said observations;
reading the anomaly detection model from the memory and calculating a score by inputting the observed value into the anomaly detection model;
Determining whether the observed value is abnormal using the score,
When the observed value is determined to be abnormal, using a loss function defined based on the score and the one or more groups indicated by the acquired group information, the one or more groups of the observed value Identify the group responsible for the anomaly among
In identifying the group responsible for the anomaly,
Obtaining a displacement vector that reduces the value of the loss function using the observed value as an initial value,
Identify a group containing non-zero variables in the displacement vector as the cause of the anomaly
Abnormal diagnosis device.

Images