JP2005128946A - Log analysis device, method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a log analysis device and a log analysis method for reducing work man-hours required for a log analysis and grasping an outline of a network as a whole against any attack. <P>SOLUTION: A log collection 101 gathers logs output from respective apparatuses in networks 20-22 and outputs them to a log storage part 102. The log storage part 102 extracts a parameter used for analysis from the log and stores it in a storage part 103. The storage part 103 stores a table associating a key about vulnerability of an Attack Signature with a group, and by a request for an analysis on a specific parameter from an operator, a log analysis part 104 reads the table from the storage part 103 for reference and associates an event to be grouped with a predetermined group. The log analysis part 104 calculates an abnormal value about a parameter to be analyzed and outputs an analysis result to a Web browser 301 via an interface part 105. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a log analysis apparatus, a log analysis method, and a log analysis program for analyzing logs output from network devices such as IDS (Intrusion Detection System), Router, and Firewall.

  In recent years, more and more sites have introduced IDS for monitoring attacks on network systems. In general, the IDS simply compares a packet flowing on the network with an attack pattern file called Attack Signature, and outputs a log if there is a match.

Conventionally, it reduces the time required for analyzing log information indicating the operating status of the computer, integrates log information having various data formats and uneven distribution on the file system, and detects abnormalities that are not known abnormalities. A log information analysis device has been devised for the purpose of extracting the log information shown. In this log information analysis apparatus, a system administrator displays an enormous amount of log information in characters like a bar graph so as to quickly grasp information to be noted. (For example, see Patent Document 1)
JP 2001-356939 A

  However, the log output from the conventional IDS outputs a large amount of redundant logs such as false detection, multiple detection, and attack detection for a system with security countermeasures. Since such a log is output every time the same attack is repeated, it becomes more redundant. A large amount of logs is suitable for grasping the trend, but it tends to overlook logs with low frequency of appearance, making it difficult to accurately extract new attack signs. In addition, it is possible to grasp the details of the network by analyzing each parameter included in the log, but the amount of data necessary for the analysis becomes enormous, and it takes man-hours to grasp the overview of the entire network. There was a problem that it took.

  The present invention has been made in view of the above-described problems, and provides a log analysis device and a log analysis method capable of reducing the work man-hour required for log analysis and grasping the outline of the entire network against an attack. For the purpose.

The present invention has been made to solve the above problems, and the invention according to claim 1 is characterized in that a collecting means for collecting a log output from a network device, and a log in the log collected by the collecting means. Grouping means for performing grouping to divide events belonging to parameters into a plurality of groups, and calculation means for calculating a value related to the degree of abnormality of the network based on the amount of the events grouped by the grouping means. A log analyzer characterized by comprising:
Examples of the parameters in the previous period include Attack Signature, Source / Destination Port, and Source / Destination IP recorded in logs output from network devices such as IDS, Router, and Firewall. The first-term calculation means performs a ratio analysis or a rare rate analysis based on the amount of events in each group after grouping, and calculates a value related to the degree of abnormality of the network to be analyzed. As the value related to the degree of abnormality of the network to be analyzed, the ratio between the event amount of the short-term profile and the average value of the event amount of the long-term profile per unit time, the event amount of the own network profile and the event amount of the other network profile Examples include the ratio to the average per network, the upper rare rate, the lower rare rate, and the like.

According to a second aspect of the present invention, in the log analysis apparatus according to the first aspect, the grouping unit includes an event belonging to the signature for each semantic content indicated by the signature in the log collected by the collecting unit. It is characterized by grouping.
Examples of the signature include Attack Signature recorded in a log output from IDS. The Attack Signature is composed of events such as Ping Sweep and HTTP port probe, and the first grouping means groups each event according to the meaning content of these events.

According to a third aspect of the present invention, in the log analysis apparatus according to the first aspect, the grouping unit groups the IP addresses for each country indicated by the IP address in the log collected by the collecting unit. It is characterized by doing.
Examples of the first term IP address include Source / Destination IP output from IDS, Router, Firewall, and the like.

According to a fourth aspect of the present invention, in the log analysis device according to the first aspect, the grouping unit stores in advance a table in which the event and a group to which the event belongs are associated with each other, and the collecting unit The events belonging to the collected parameters in the log are grouped into a predetermined group based on the table.
In the previous term table, there are a table in which each event of Attack Signature and a group grouped for each semantic content indicated by those events are associated, a table in which Source / Destination IP is associated with a country name or domain, and the like. is there.

  According to a fifth aspect of the present invention, in the log analysis device according to the first aspect, the grouping unit sets the amount of the event to an event belonging to the parameter in the log collected by the collecting unit. Priorities are assigned based on the events, and the events are grouped in an order based on the priorities so that the total amount of the events in each group approaches equally.

According to a sixth aspect of the present invention, in the log analysis device according to the first aspect, the grouping unit is included in the event that belongs to the parameter in the log collected by the collecting unit. Priorities are assigned based on identification information, and the events are grouped in an order based on the priorities so that the total amount of the events in each group approaches evenly.
The identification information is, for example, an Attack Signature number determined for each product in the case of Attack Signature, a Port number in the case of Source / Destination Port, and an IP address order in the case of Source / Destination IP.

  According to a seventh aspect of the present invention, in the log analysis device according to the first aspect, the grouping means is based on the value of the IP address with respect to the IP address in the log collected by the collecting means. The priority is set so that the IP addresses having the same n bits (n is a positive integer) from the beginning are in the same group so that the total amount of the events in each group approaches evenly. The IP addresses are grouped in a sequence based on the order.

  The invention according to claim 8 includes a step of collecting logs output from network devices, a step of performing grouping to divide events belonging to parameters in the collected logs into a plurality of groups, and Calculating a value related to the degree of abnormality of the network based on the amount of the event.

  According to a ninth aspect of the present invention, in the log analysis method according to the eighth aspect, in the step of grouping the events belonging to the parameters in the collected logs, each meaning content indicated by the signature in the collected logs is included. In addition, events belonging to the signature are grouped.

  According to a tenth aspect of the present invention, in the log analysis method according to the eighth aspect, in the step of grouping the events belonging to the parameters in the collected log, for each country indicated by the IP address in the collected log The IP addresses are grouped together.

  The invention according to claim 11 is the log analysis method according to claim 8, wherein in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs are The event is grouped into a predetermined group based on a table in which the event and a group to which the event belongs are associated with each other.

  According to a twelfth aspect of the present invention, in the log analysis method according to the eighth aspect, in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs Then, a priority is assigned based on the amount of the event, and the events are grouped in an order based on the priority so that the total amount of the events in each group approaches equally.

  According to a thirteenth aspect of the present invention, in the log analysis method according to the eighth aspect, in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs And assigning priorities based on the identification information included in the events, and grouping the events in an order based on the priorities so that the total amount of the events in each group approaches equally To do.

  According to a fourteenth aspect of the present invention, in the log analysis method according to the eighth aspect, in the step of grouping the events belonging to the parameters in the collected log, for the IP addresses in the collected log, Priorities are assigned based on the value of the IP address, and the IP addresses having the same n bits (n is a positive integer) from the beginning are in the same group so that the total amount of the events in each group approaches equally. As described above, the IP addresses are grouped in an order based on the priority.

  The invention according to claim 15 includes a step of collecting logs output from a network device, a step of performing grouping to divide events belonging to parameters in the collected logs into a plurality of groups, and A log analysis program for causing a computer to execute a step of calculating a value relating to a degree of network abnormality based on the amount of the event.

  According to a sixteenth aspect of the present invention, in the log analysis program according to the fifteenth aspect, in the step of grouping the events belonging to the parameters in the collected log, each meaning content indicated by the signature in the collected log is included. In addition, events belonging to the signature are grouped.

  According to a seventeenth aspect of the present invention, in the log analysis program according to the fifteenth aspect, in the step of grouping the events belonging to the parameters in the collected log, for each country indicated by the IP address in the collected log The IP addresses are grouped together.

  The invention according to claim 18 is the log analysis program according to claim 15, wherein in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs are The event is grouped into a predetermined group based on a table in which the event and a group to which the event belongs are associated with each other.

  According to a nineteenth aspect of the present invention, in the log analysis program according to the fifteenth aspect, in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs Then, a priority is assigned based on the amount of the event, and the events are grouped in an order based on the priority so that the total amount of the events in each group approaches equally.

  According to a twentieth aspect of the present invention, in the log analysis program according to the fifteenth aspect, in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the parameters in the collected logs And assigning priorities based on the identification information included in the events, and grouping the events in an order based on the priorities so that the total amount of the events in each group approaches equally To do.

  According to a twenty-first aspect of the present invention, in the log analysis program according to the fifteenth aspect, in the step of grouping the events belonging to the parameters in the collected logs, the events belonging to the IP addresses in the collected logs are included. On the other hand, priorities are assigned based on the IP address included in the event, and the event has the same n bits (n is a positive integer) from the beginning so that the total amount of the events in each group approaches equally. The events are grouped in an order based on the priority so as to be in the same group.

  The invention described in claim 22 is a computer-readable recording medium on which the log analysis program according to any one of claims 15 to 21 is recorded.

  According to the present invention, the events included in the parameters to be analyzed are grouped, and an abnormal value related to the network to be analyzed is calculated for each group. It is possible to obtain an overview of the entire network for. In particular, grouping can significantly reduce the number of variables used to calculate outliers, greatly reducing the time required to calculate outliers and detecting attacks in real time. be able to. In addition, by performing grouping, it is possible to capture a large tendency of logs, and it is possible to obtain an effect of reducing false detection of abnormality and improving analysis reliability.

  The best mode for carrying out the present invention will be described below with reference to the drawings. FIG. 1 is a configuration diagram showing the configuration of a network including a log analysis device according to an embodiment of the present invention. In the figure, 10 is a log analyzer. The log analysis device 10 collects and analyzes logs output from the analysis target networks 20 to 22 and outputs the analysis results to the security operation center 30. The routers, firewalls, and IDSs of the networks 20 to 22 generate logs, and output the logs to the log analysis device 10 using functions such as syslog. The security operation center 30 has a web browser 301, and the operator can determine the degree of abnormality of the networks 20 to 22 based on the analysis result displayed on the web browser 301.

  In the log analysis device 10, reference numeral 101 denotes a log collection unit that periodically collects logs output from devices in the networks 20 to 22 and outputs the logs to the log storage unit 102. The log storage unit 102 extracts parameters used for analysis from the log output by the log collection unit 101 and stores them in the storage unit 103. When the operator requests a parameter desired for analysis via the Web browser 301, instruction information for instructing analysis is input to the log analysis unit 104 via the interface unit 105.

  The log analysis unit 104 reads the analysis parameters from the storage unit 103 according to the instruction information, calculates an abnormal value related to the network to be analyzed, and outputs it to the interface unit 105. The interface unit 105 outputs the abnormal value output from the log analysis unit 104 to the Web browser 301 via the communication line. Based on this abnormal value, the operator determines whether an attack is being performed on the networks 20 to 22.

  FIG. 2 shows parameters to be analyzed in the log in this embodiment. In the present embodiment, events belonging to parameters of Attack Signature, Source / Destination Port, and Source / Destination IP are grouped, and a statistical anomaly value of each parameter group is calculated. Source / Destination Port indicates a port number of a transmission source / destination device. Source / Destination IP indicates the IP address of the source / destination device. Note that the Source / Destination Port indicates one of the two parameters of the Source Port and the Destination Port, and the same applies to the Source / Destination IP.

  The Attack Signature is a parameter included in the log output from the IDS. By analyzing the Attack Signature, it is possible to specify the type of attack being performed on the analysis target network. All network type IDSs and some host type IDSs can output an attack signature. Source / Destination Port and Source / Destination IP are parameters included in logs output from IDS, Router, and Firewall. By analyzing the Source / Destination Port, the port number of the attack source / attack target can be specified. Further, by analyzing the Source / Destination IP, the IP address of the attack source / attack target can be specified. The above parameters consist of a plurality of events as shown in FIG. When a plurality of the same events are recorded in the log, the total number is defined as the event amount of the event.

  Next, the operation of the log analysis apparatus 10 in this embodiment will be described. FIG. 3 is a flowchart showing the operation of the log analysis apparatus 10. The log collection unit 101 collects logs output from the devices of the networks 20 to 22 and outputs them to the log storage unit 102 (step S30). The log storage unit 102 extracts parameters used for analysis from the log output by the log collection unit 101 and stores them in the storage unit 103 (step S31). When an analysis request regarding a specific parameter is made from the operator via the Web browser 301, the instruction information output from the Web browser 301 is input to the log analysis unit 104 via the interface unit 105. Then, the log analysis unit 104 reads parameters from the storage unit 103 based on the instruction information (step S32).

  Subsequently, the log analysis unit 104 groups events included in the read parameters according to a predetermined method as described later (step S33). Then, the log analysis unit 104 calculates an abnormal value related to the parameter to be analyzed (step S34). Subsequently, the log analysis unit 104 outputs the abnormal value as an analysis result to the web browser 301 via the interface 105 (step S35). The analysis result is displayed on the Web browser 301, and the operator determines whether an attack is being performed on the networks 20 to 22 based on the analysis result.

  Next, the analysis process performed by the log analysis unit 104 in step S34 will be described. Here, a ratio analysis and a rare rate analysis are given as examples. In the ratio analysis, when the short period of interest is a unit time (for example, one day), the amount of events included in a short period (defined as a short-term profile) and the amount of events included in a plurality of past unit times The ratio with the average (defined as long-term profile) is evaluated as an abnormal value. FIG. 4 shows an example of the ratio analysis model when the unit time is one day.

In the figure, _El represents the average per unit time of the event amount in the long-term profile. When the event the amount of short-term profile and E _s, the ratio D of long-term profile for short-term profile is expressed as [Equation 1]. The short-term profile is stored in the storage unit 103, and the log analysis unit 104 reads a plurality of past short-term profiles from the storage unit 103 and creates a long-term profile. Alternatively, a plurality of past logs may be stored in the storage unit 103, and a long-term profile may be created from these logs.

On the other hand, in the rare rate analysis, anomalies of events in which the number of outputs fluctuates variously are evaluated using the average and standard deviation of statistical values. In the statistical analysis, an index of 95% confidence interval is often used. The rare rate analysis here is to calculate a complement of this confidence interval. FIG. 5 shows an example of a rare rate analysis model when the unit time is one day. _El is the average of the event amount of the long-term profile per unit time, and SD is the standard deviation. The horizontal axis represents the distance from the average value _El , with the standard deviation SD as a unit, and the vertical axis represents the number of unit times (number of days) in which the event amount becomes the value indicated on the horizontal axis. The standard deviation SD is obtained from [Equation 2]. The upper rare rate R _u when the event amount of the short-term profile is larger than the average E _{l of the} long-term profile is defined as [Equation 3], and the lower rare rate R _l when the event amount is smaller is defined as [Equation 4]. E ₁ , E ₂ ,... E _k are event amounts for each unit time in the long-term profile.

  In [Equation 3] and [Equation 4], f (E) is a density function of a normal distribution and is expressed by the following [Equation 5]. In the above example, it is assumed that the attack distribution for calculating the rare rate is a normal distribution, but a function such as an exponential distribution or a gamma distribution may be appropriately selected as f (E).

The determination regarding the abnormal values D, R _u , and R _l calculated by the ratio analysis and the rare rate analysis described above can be made as follows. First, when D> 1.0 or R _u ≈0.0%, when a new attack starts to appear on the Internet, when an internal host is infected with a worm, a DDoS (Destroyed Denial of Service) attack (attack) An attacker enters multiple websites that are vulnerable to security on the Internet and uses them as attack bases. The programs prepared at the multiple attack bases operate simultaneously to send a large number of packets to the attack target server. This shows that the amount of short-term events has increased rapidly, such as when an attack that stops. The attack is at an active stage and you need to be vigilant. Through the ratio analysis, it is possible to quickly and accurately detect that the internal host has been infected with a worm or received a DDoS attack.

In addition, when D≈0.0 or R ₁ ≈0.0%, it indicates that the alarms that have been continuously output have suddenly decreased or disappeared. This is the stage where the attack is converging, or the system is stopped. By analyzing the ratio, it is possible to quickly and accurately detect anomalies related to network and host outages.

Further, when D≈1.0 or R _u , R _l ≈50.0%, it is possible to distinguish a log that has been continuously detected. This is an attack for which countermeasures have already been taken, or an event that is easily misdetected, and does not require special attention. The network operator may perform the above-described evaluation based on values such as D, R _u , and R _l output from the log analysis device 10.

  In the analysis process described above, a technique for fixing the network to be analyzed and evaluating how abnormal the short-term profile is with respect to the long-term profile has been shown, but the following analysis process can also be performed. When the period of analysis target is fixed, the event amount (defined as own network profile) for a specific parameter detected in the analysis target network is detected in other networks. This is a method for evaluating how much abnormality is defined with respect to a network profile.

For example, the ratio analysis, the detection event amount in analyte network and E _m, when the average per network detection event amount in each of the other networks that do not have this network as E _o, the ratio D the following [ It is expressed as [Equation 6]. Similarly, in the rare rate analysis, the upper rare rate when the event amount of the own network profile is larger than the average and the lower rare rate when the event amount is smaller than the average can be calculated.

  Next, event grouping in the present embodiment will be described. In this embodiment, rather than grasping the details of the network based on individual events included in the parameters to be analyzed, events in the parameters to be analyzed are grouped into appropriate units, and based on those groups. Perform ratio analysis and rare rate analysis to get an overview of the entire network. The parameters to be grouped are the parameters shown in FIG.

Static grouping 1
Attack Signatures are grouped according to semantic content in consideration of the communication layer, attack purpose, and service. FIG. 6 and FIG. 7 are examples in which Attack Signatures in the log output from Snort IDS are grouped into 10 semantic units (classes). The number is the number of Attack Signatures included in each group. The Snort rule file is a file in which Attack Signatures are collected in a certain semantic unit. Each Attack Signature is originally assigned a key relating to vulnerability, and grouping is performed for each semantic content based on this key. The storage unit 103 stores in advance a table in which the key and the group are associated with each other, and the log analysis unit 104 performs event grouping with reference to the table.

  FIG. 8 is a flowchart showing the event grouping operation in step S33 of FIG. 3 in this case. Assume that the storage unit 103 stores the above-described table. The log analysis unit 104 reads the table from the storage unit 103 and refers to the table (step S330), and associates the event with a predetermined group based on the key related to the vulnerability of the event to be grouped (step S331). The grouping results are stored in the storage unit 103 in the form of a table shown as an example in FIGS. In this case, the long-term profile (or other network profile) and the short-term profile (or own network profile) are grouped based on the table in the storage unit 103, and the ratio analysis is performed based on the event amount in each group after grouping. And rare rate analysis.

Static grouping 2
Source / Destination IP is grouped by country or domain. FIG. 9 shows a conversion table for converting an IP address to a country name to which the IP address belongs. In the figure, for example, IP addresses of 0.0.0.0 to 0.255.255.255 belong to the US (United States), and 24.42.0.0 to 24.43.255.255 belong to the CA (Canada). I understand that

  This conversion table can be created from an IP address and a domain table managed by the IANA (The Internet Assigned Numbers Authority) or the like. A conversion table indicating conversion from an IP address to a domain can be created in the same manner. Also in this case, the long-term profile (or other network profile) and the short-term profile (or own network profile) are grouped based on the table in the storage unit 103, and each group after grouping is regarded as one event as described above. Perform ratio analysis and rare rate analysis.

Dynamic grouping 1
With respect to the parameters to be analyzed, the events are rearranged in order of the event amount, and grouping is performed so that the total event amount in each group is substantially equal based on the total amount of events. FIG. 10 shows the grouping in this case. In the figure, each bar graph represents an event (HTTP Port Probe, Smurf Attack...). In the figure, as an example, events are arranged from the left in descending order of event volume, and G1, G2,... Are grouped from the left so that the total event volume in each group is almost equal. ing.

  Based on the total amount of events, the specific method of grouping so that the total amount of events within each group is almost equal is as follows. For example, the event is divided into 10 groups, and the event amount in each group is grouped so that it is about 1/10 of the total event amount. In FIG. 10, the event amount is added from the event on the left, and when the amount becomes 1/10 or more of the total event amount, a group is formed. At this time, for example, the lowest digit of the event amount is rounded off.

  Alternatively, the event amount is added from the left event, and a group is formed when the amount exceeds one-tenth of the total event amount. By the above method, the first grouping is performed, and for the next group, the second grouping is performed in the same manner as described above so that the event amount is about 1/9 of the remaining event amount. Do. Further, for the next group, similarly, the third grouping is performed so that the event amount is about one-eighth of the remaining event amount. By repeating this, the event is divided into 10 groups. Note that the above-described method is an example, and any method can be used as long as it can be grouped so that the amount of events in each group is substantially equal.

  FIG. 11 is a flowchart showing the event grouping operation in step S33 of FIG. 3 in this case. The log analysis unit 104 orders the events in the parameters read from the storage unit 103 based on the event amount (orders each event in the order of the event amount) (step S332). Then, the log analysis unit 104 groups the ordered events so that the event amounts in the groups are substantially equal, and generates a predetermined number of groups (step S333).

  The log analysis unit 104 performs the above grouping every time a long-term profile (or other network profile) statistic is calculated. Thereby, each group of the long-term profile has almost the same total event amount in the group. Subsequently, using the same group as the group of the long-term profile, the events of the short-term profile (or the own network profile) are grouped.

  In steady state, the amount of events in each group in the short-term profile is almost the same, but when an attack is being performed, the total amount of events between each group is lost, and the event amount of a specific group Significantly more than other groups. By applying ratio analysis to the long-term profile (or other network profile) and the short-term profile (or own network profile) grouped as described above, it becomes easier to detect anomalies. This method is preferably applied to the analysis of Attack Signature and Source / Destination Port.

Dynamic grouping 2
The parameters to be analyzed are rearranged in the order of event IDs, and grouping is performed so that the total amount of events in each group is substantially equal based on the total amount of events. Here, the ID is an Attack Signature number determined for each product in the case of Attack Signature, a Port number in the case of Source / Destination Port, and an IP address order in the case of Source / Destination IP. FIG. 12 shows the state of grouping in this case. The grouping method so that the total event amount in each group is almost equal is the same as that of the dynamic grouping 1.

  In the figure, each bar graph represents a parameter (HTTP Port Probe, Smurf Attack...). In the figure, as an example, events are arranged from the left in descending order of event volume, and G1, G2,... Are grouped from the left so that the total event volume in each group is almost equal. ing. The operation of the log analysis apparatus 10 in this case is the same as that of the dynamic grouping 1. This method is suitable for application to analysis of Attack Signature, Source / Destination Port, and Source / Destination IP.

Dynamic grouping 3
It is desirable to analyze Source / Destination IP in units of countries and domains. The country and domain are divided into power-of-two units, and it is desirable to consider this point when applying the grouping method described in Dynamic Grouping 2 to the analysis of IP addresses. Therefore, when the grouping method based on dynamic grouping 2 is applied to the analysis of IP addresses, the IP addresses are grouped in units of powers of 2 so that the number of IP addresses in each group is almost equal.

  For example, when IP addresses 192.168.0.1 and 202.2555.44.1 are expressed in binary numbers, they are “11000000 10101000 00000000 00000001” and “11001010 11111111 00101100 00000001”, and the first 4 bits have the same prefix. . In this way, when binary numbers are displayed, grouping is performed so that the first n bits (n is a positive integer) bits form one group, and the total event amount in each group is substantially equal. .

  The ratio analysis and the rare rate analysis described above are applied to the events grouped as described above. In this case, a ratio analysis and a rare rate analysis are performed for each group. Therefore, the number of times the ratio analysis and the rare rate analysis are performed is reduced as compared with the case where the ratio analysis and the rare rate analysis are performed for each event type. In addition, since the unit of analysis is increased by grouping, it is possible to grasp an outline of a wider range of abnormalities.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings, but the specific configuration is not limited to these embodiments, and includes design changes and the like within a scope not departing from the gist of the present invention. It is. For example, the log analysis device in the above-described embodiment records a program for realizing the operation and function on a computer-readable recording medium, and causes the computer to read and execute the program recorded on the recording medium. May be realized.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The log analysis program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the log analysis program described above may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the network provided with the log analyzer 10 by one Embodiment of this invention. 5 is a reference diagram showing parameters to be analyzed in the embodiment. FIG. It is a flowchart which shows operation | movement of the log analyzer 10 in the same embodiment. It is a figure which shows the ratio analysis model in the same embodiment. It is a figure which shows the rare rate analysis model in the embodiment. It is a reference figure for demonstrating the grouping of the event of Attack Signature in the embodiment. It is a reference figure for demonstrating the grouping of the event of Attack Signature in the embodiment. It is a flowchart which shows operation | movement of the log analyzer 10 in the same embodiment. It is a reference figure which shows the content of the conversion table for converting into the country name from Source / Destination IP in the embodiment. It is a figure which shows the method of the dynamic grouping 1 of the event in the embodiment. It is a flowchart which shows operation | movement of the log analyzer 10 in the same embodiment. It is a figure which shows the method of the dynamic grouping 2 of the event in the embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Log analyzer, 20, 21, 22 ... Network, 30 ... Security operation center, 101 ... Log collection part, 102 ... Log storage part, 103 ... Storage part, 104 ... Log analysis part, 105 ... Interface part, 301 ... Web browser.

Claims (22)

A collection means for collecting logs output from network devices;
Grouping means for performing grouping to divide events belonging to the parameters in the log collected by the collecting means into a plurality of groups;
Calculation means for calculating a value relating to the degree of abnormality of the network based on the amount of the events grouped by the grouping means;
A log analyzer characterized by comprising:   2. The log analysis apparatus according to claim 1, wherein the grouping unit groups events belonging to the signature for each semantic content indicated by the signature in the log collected by the collecting unit.   The log analysis apparatus according to claim 1, wherein the grouping unit groups the IP addresses for each country indicated by the IP address in the log collected by the collecting unit.   The grouping means stores in advance a table in which the event and a group to which the event belongs are stored in advance, and events belonging to the parameters in the log collected by the collecting means are determined based on the table. The log analysis apparatus according to claim 1, wherein the log analysis apparatus is grouped into groups.   The grouping unit assigns priorities to the events belonging to the parameters in the log collected by the collecting unit based on the amount of the events so that the total amount of the events in each group approaches equally. The log analysis apparatus according to claim 1, wherein the events are grouped in an order based on the priority.   The grouping means assigns priorities to the events belonging to the parameters in the log collected by the collecting means based on the identification information included in the events, and the total amount of the events in each group is equal. The log analysis apparatus according to claim 1, wherein the events are grouped in an order based on the priority so as to be closer to.   The grouping unit assigns a priority to the IP addresses in the log collected by the collecting unit based on the value of the IP address, so that the total amount of the events in each group approaches equally. 2. The IP addresses are grouped in an order based on the priority so that the IP addresses having the same n bits (n is a positive integer) from the beginning are in the same group. Log analysis device described in 1. Collecting logs output from network devices;
Performing a grouping to divide events belonging to the parameters in the collected logs into a plurality of groups;
Calculating a value related to the degree of abnormality of the network based on the amount of the grouped events;
A log analysis method comprising:   9. The step of grouping events belonging to a parameter in the collected log includes grouping events belonging to the signature for each semantic content indicated by the signature in the collected log. The log analysis method described.   9. The log according to claim 8, wherein, in the step of grouping the events belonging to the parameters in the collected log, the IP addresses are grouped for each country indicated by the IP address in the collected log. Analysis method.   In the step of grouping the events belonging to the collected parameters in the log, the events belonging to the collected parameters in the log are determined based on a table in which the event and the group to which the event belongs are associated with each other. The log analysis method according to claim 8, wherein the log analysis method is grouped into groups.   In the step of grouping the events belonging to the parameters in the collected logs, priorities are given to the events belonging to the parameters in the collected logs based on the amount of the events, and the events in each group The log analysis method according to claim 8, wherein the events are grouped in an order based on the priority so that the total amount approaches the same.   In the step of grouping events belonging to the parameters in the collected logs, priorities are assigned to the events belonging to the parameters in the collected logs based on the identification information included in the events, and The log analysis method according to claim 8, wherein the events are grouped in an order based on the priority so that a total amount of the events approaches the same.   In the step of grouping the events belonging to the parameters in the collected logs, priorities are assigned to the IP addresses in the collected logs based on the values of the IP addresses, and the events in each group Grouping the IP addresses in the order based on the priority so that the total amount approaches the same and the IP addresses having the same n bits (n is a positive integer) from the beginning are in the same group. The log analysis method according to claim 8. Collecting logs output from network devices;
Performing a grouping to divide events belonging to the parameters in the collected logs into a plurality of groups;
Calculating a value related to the degree of abnormality of the network based on the amount of the grouped events;
Log analysis program to make a computer execute.   16. The step of grouping events belonging to a parameter in the collected log includes grouping events belonging to the signature for each semantic content indicated by the signature in the collected log. The log analysis program described.   16. The log according to claim 15, wherein, in the step of grouping the events belonging to the parameters in the collected log, the IP addresses are grouped for each country indicated by the IP address in the collected log. Analysis program.   In the step of grouping the events belonging to the collected parameters in the log, the events belonging to the collected parameters in the log are determined based on a table in which the event and the group to which the event belongs are associated with each other. The log analysis program according to claim 15, wherein the log analysis program is grouped into groups.   In the step of grouping the events belonging to the parameters in the collected logs, priorities are given to the events belonging to the parameters in the collected logs based on the amount of the events, and the events in each group 16. The log analysis program according to claim 15, wherein the events are grouped in an order based on the priority so that the total amount approaches the same.   In the step of grouping events belonging to the parameters in the collected logs, priorities are assigned to the events belonging to the parameters in the collected logs based on the identification information included in the events, and 16. The log analysis program according to claim 15, wherein the events are grouped in an order based on the priority so that the total amount of the events approaches equally.   In the step of grouping the events belonging to the parameters in the collected logs, priorities are assigned to the events belonging to the IP addresses in the collected logs based on the IP addresses included in the events. The events are grouped in the order based on the priority so that the total amount of the events in the group approaches the same amount, and the events having the same n bits (n is a positive integer) from the beginning are in the same group. The log analysis program according to claim 15, characterized by: A computer-readable recording medium in which the log analysis program according to any one of claims 15 to 21 is recorded.

Images