JP2011166476A - Log analyzing apparatus and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow even an operator who has no technical knowledge, etc., to easily comprehend the behavior of a communication apparatus from a large amount of communication logs generated by the communication apparatus. <P>SOLUTION: A feature amount group comprised of M kinds (M is an integer being ≥4) of feature amounts is extracted from an inputted communication log for each of communications included in the communication log, and a general-purpose log based on a predetermined format is generated for a plurality of feature amount groups. A plurality of general-purpose logs are classified based on a specific feature amount among the M kinds of feature amounts included in the extracted feature amount groups, and N-dimensional display (N is an integer being 3≤N<M) is performed on the plurality of feature amount groups extracted from the communication log for each specific feature amount obtained by classifying the general-purpose logs based on the classified general-purpose logs. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a log analysis device, a log analysis method, and a log analysis program for analyzing a communication log.

Conventionally, communication history (hereinafter referred to as “communication log”) output by a communication device is used for management and operation of the communication device. This communication log describes the history of communication exchanged between the communication device and other devices, and includes the communication source, communication destination, communication service name, communication start time, and communication volume in each communication. Information that characterizes the contents of each communication is described.
The communication device manager grasps the state of the communication device by periodically analyzing such a communication log. In addition, the communication device manager plans and implements the setting change of the communication device based on such a communication log, and realizes effective communication with the communication device. Further, when a failure occurs in the communication device, the communication device administrator analyzes the communication log and identifies the cause of the failure.

However, when the types of communication devices increase, the types of output communication logs increase (the problem of increased log types).
Further, the increase in the number of communication devices or the increase in the functions of the communication devices increases the amount of communication logs output from the communication devices (problem of increasing log size).
FIG. 11 is a diagram illustrating an example of a communication log. The communication log shown in FIG. 11 is a firewall communication log that controls data communication between computer networks and suppresses unnecessary data communication. The firewall communication log is output in text format. For example, in the communication log 900 illustrated in FIG. 11, one line represents the content of one communication, and information that characterizes the content of each communication is described. More specifically, one line of the communication log 900 includes a communication source, a communication destination, a communication service name, a communication start time, and a communication amount. The communication device manager opens a communication log as shown in FIG. 11 with an editor and analyzes whether the communication state is normal.

  However, the number of communications exchanged per day can range from hundreds of thousands to over millions. Accordingly, the number of lines output to the communication log can be several hundred thousand to several million lines. Therefore, there is a problem that it is very difficult to manually analyze the communication log. Furthermore, since the communication log is normally output in text format, when the communication device administrator performs analysis, there is a problem that the visibility of the communication log is low and the analysis is very difficult (the problem of analysis difficulty). ).

  To solve the above-mentioned problem of increasing log types, a method for converting an output communication log into a predetermined format prepared in advance has been proposed. For example, the log information analysis method described in Patent Document 1 extracts time and other desired data from the input log information, and forms the input log information according to a general-purpose log format prepared in advance. A general-purpose log is created, and analysis processing of unified log information can be executed.

Also, with respect to the above-mentioned problem of difficulty in analysis, Patent Document 1 proposes a method of displaying log information in text format in a diagram format and displaying a bird's-eye view in time series in a two-dimensional display.
In Patent Document 1, time information is extracted from a general-purpose log created from log information, and a histogram of the number of log information items is displayed in a bird's-eye view in time series based on the time information. By confirming the display of the histogram of the number of cases, it is possible to easily grasp the periodic movement of the log information for each day of the week and for each hour.

Patent Document 1 proposes an outline display method using a diagram corresponding to the length of a character string of log information. Specifically, in Patent Document 1, a part of the selected log information is displayed as an outline of the log information using an abstract graphic corresponding to the length of the character string of the log information, and specified by the user. The readability is improved by highlighting the selected word and tag information in different colors according to the appearance frequency.
Also, in Patent Document 1, a log message with a low appearance frequency is likely to indicate unauthorized intrusion, etc., and a method of measuring the appearance frequency of words from log information using text mining technology to determine unauthorized intrusion etc. Has been proposed.

JP 2001-356939 A

  Patent Document 1 proposes a method of displaying a communication log in a text format in a diagram format and displaying it in a time series, and attempts to solve the above-mentioned difficulty of analysis. However, the length of the character string of the communication log does not directly display the content of the communication log. Although the trend of the entire communication can be grasped from the illustration of the length of the character string of the communication log, the behavior reflecting the content of the communication cannot be understood.

Moreover, in patent document 1, since the communication log is displayed in two dimensions, it is difficult to analyze from a multifaceted viewpoint.
Patent Document 1 proposes a histogram display method for the number of communication logs, but it is possible to understand the transition of the number of cases using the histogram display method, but it fully reflects the contents of important communications in the analysis of communication logs. Not what you want. In order to effectively analyze the communication log, it is effective to display attributes reflecting the contents of communication described in the communication log in time series, but Patent Document 1 does not mention this point.

For communication device managers, analysis of communication permission / non-permission according to the communication contents, whether the communication described in the communication log is communication that should be permitted or not. And the display of the result is important, but such a reference is not made in Patent Document 1.
Further, in Patent Document 1, although the user-designated word and tag information are color-coded and displayed according to the appearance frequency, the fact that the appearance frequency is low is characteristic in comparison with other communications. This suggests that it is not likely to indicate unauthorized intrusion. If the frequency of unauthorized intrusion is high, the frequency of normal operation is relatively low, and the operation may be the opposite of the expected operation. In addition, if characteristic communication is extracted, it is necessary to identify communication having a high appearance frequency.

  Therefore, the present invention has been made by paying attention to the above-mentioned conventional unsolved problems, and even if the operator does not have specialized knowledge, the communication device performs communication from a large amount of communication logs generated by the communication device. It is an object of the present invention to provide a log analysis device, a log analysis method, and a log analysis program that make it possible to easily understand the behavior.

  In order to solve the above problem, the present invention is characterized by communication log input means for receiving input of a communication log including a plurality of communications, and M types (M is an integer of 4 or more) for each communication of the communication log. Feature quantity extraction means for extracting a feature quantity group consisting of quantities, and communication status display means for performing N-dimensional display (N is an integer satisfying 3 ≦ N <M) for the plurality of feature quantity groups, Proposed a log analysis device characterized in that at least one of the feature quantities included in the feature quantity group relates to time, and the communication status display means relates to time in at least one of the N dimensions. To do.

According to this configuration, since the communication status is displayed based on the feature amount that specifically represents the content of communication, it is possible to easily understand the behavior reflecting the content of communication at a glance. Further, by displaying N-dimensionally the contents of communication, it is possible to grasp the state of communication from a multifaceted viewpoint.
In addition, the log analysis device includes a general-purpose log generation unit that generates a general-purpose log based on a predetermined format for the plurality of feature amount groups, and a specific feature amount among M types of feature amounts included in the feature amount group. A general-purpose log classifying unit that classifies the plurality of general-purpose logs based on the N-dimensional display for each of the specific feature values based on the classified general-purpose log. You may come to do.

In addition, the log analysis device permits determination model holding means for holding a determination model for determining whether communication should be permitted, and communication included in the communication log is permitted based on the determination model. Determination means for determining whether or not it should be, and the communication status display means may perform the N-dimensional display based on a determination result in the determination means.
According to this configuration, it is possible to easily understand at a glance whether the communication described in the communication log is communication that should be permitted or not. Effective communication log analysis can be performed.

In addition, the log analysis device permits determination model holding means for holding a determination model for determining whether communication should be permitted, and communication included in the communication log is permitted based on the determination model. The general-purpose log classified by the determination means for determining whether it should be and the general-purpose log classification means is classified based on a feature quantity different from the specific feature quantity among the M kinds of feature quantities And a general-purpose log time-series classification unit for further classifying in a predetermined time unit, and the determination unit performs the determination for each general-purpose log classified in a predetermined time unit by the general-purpose log time-series classification unit. The communication status display means may perform the N-dimensional display based on the determination result.
According to this configuration, in a predetermined time unit, it is N-dimensionally displayed whether the communication is originally permitted communication or not. Thereby, it is possible to grasp at a glance an overall tendency as to whether the communication should be permitted originally or not.

Further, the communication status display means may further perform the N-dimensional display based on a communication amount in a predetermined time unit of each communication included in the communication log.
It may be.
According to this configuration, it is also possible to easily understand the transition of the number of communications, and to grasp over time the locations of characteristic communications where the number of communications is conspicuous in the overall communications. Becomes easy.
The feature quantities included in the feature quantity group are a communication source IP address, a communication destination IP address, a communication destination port number, and a communication start time, and the communication status display means performs communication for each communication source IP address. Three-dimensional display may be performed for the destination IP address, the destination port number, and the communication start time.

In addition, the present invention provides a communication log input step (for example, step S102 in FIG. 2) for receiving input of a communication log including a plurality of communications, and a feature amount including M types of feature amounts for each communication of the communication log. A feature amount extracting step for extracting groups (for example, step S104 in FIG. 2), and a communication status display step for performing N-dimensional display for the plurality of feature amount groups (for example, step S110 in FIG. 2). A log analysis method characterized in that at least one of the feature values included in the feature value group relates to time, and the communication status display step includes at least one of the N dimensions related to time. suggest.
According to this configuration, since the communication status is displayed based on the feature amount that specifically represents the content of communication, it is possible to easily understand the behavior reflecting the content of communication at a glance. Further, by displaying N-dimensionally the contents of communication, it is possible to grasp the state of communication from a multifaceted viewpoint.

In addition, the present invention provides a communication log input step (for example, step S102 in FIG. 2) for accepting input of a communication log including a plurality of communications to a computer, and M types of feature amounts for each communication of the communication log. A feature amount extraction step (for example, step S104 in FIG. 2) for extracting a feature amount group, a communication status display step for performing N-dimensional display for the plurality of feature amount groups (for example, step S110 in FIG. 2), Log analysis program for executing at least one of the feature quantities included in the feature quantity group relates to time, and the communication status display step relates to time in at least one of the N dimensions. We propose a log analysis program characterized by
According to this configuration, since the communication status is displayed based on the feature amount that specifically represents the content of communication, it is possible to easily understand the behavior reflecting the content of communication at a glance. Further, by displaying N-dimensionally the contents of communication, it is possible to grasp the state of communication from a multifaceted viewpoint.

  According to the present invention, the behavior of communication can be grasped at a glance, and the behavior of communication performed by the communication device can be determined from a large amount of communication logs generated by the communication device, even for an operator who does not have specialized knowledge. It can be easily understood.

It is a figure which shows the structural example of the log analyzer concerning Embodiment 1. FIG. It is a flowchart which shows the flow of a process of the log analyzer concerning Embodiment 1. It is a figure which shows the specific example of the display in the communication condition display part 110 of Embodiment 1. FIG. It is a figure which shows the structural example of the log analyzer concerning Embodiment 2. FIG. 10 is a diagram illustrating a specific example of display in a communication status display unit 110 of Embodiment 2. FIG. It is a figure which shows the structural example of the log analyzer concerning Embodiment 3. FIG. FIG. 10 is a flowchart illustrating a processing flow of the log analysis apparatus according to the third embodiment. It is a figure which shows the specific example of the display in the communication condition display part 110 of Embodiment 3. FIG. It is a figure which shows the structural example of the apparatus which produces | generates the communication permission non-permission determination model. It is a figure showing the performance of the communication permission non-permission flag output in the communication permission non-permission determination part 122. It is a figure which shows an example of a communication log.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the drawings referred to in the following description, the same parts as those in the other drawings are denoted by the same reference numerals.
(Embodiment 1)
(Configuration of log analyzer)
FIG. 1 is a diagram illustrating a configuration example of a log analysis apparatus according to the present embodiment. As illustrated in FIG. 1, the log analysis apparatus 1 includes a communication log input unit 102, a feature amount extraction unit 104, a general log generation unit 106, a general log classification unit 108, and a communication status display unit 110.
The functions of the components described below are such that a CPU (Central Processing Unit) (not shown) included in the log analysis device 1 executes a program stored in a storage device such as a hard disk or a ROM (Read Only Memory). This is a function realized by. (The same applies hereinafter throughout the specification.)

  The communication log input unit 102 receives input of a communication log including a plurality of communications. As a method for inputting the communication log, the communication log may be received from an external device via a network, or may be input via a recording medium. In the present embodiment, the communication log that receives input in the communication log input unit 102 is a communication log of Syslog, which is a log message transfer protocol. Specifically, the communication log input unit 102 stores, for example, a communication log received via a network interface (not shown) in a storage device such as a hard disk in a database format or the like.

  The feature amount extraction unit 104 extracts a feature amount group including M types of feature amounts for each communication included in the communication log received by the communication log input unit 102. At least one of the feature values is related to time. Specific examples of the feature amount include a communication source IP address, a communication destination IP address, a communication destination port number, a communication start time, and the like of each communication. Specifically, the feature amount extraction unit 104 executes a process for extracting M types of feature amounts for each communication from a communication log stored in a storage device in a format such as a database. The extraction result is stored in a storage device such as a hard disk.

  The general-purpose log generation unit 106 generates a general-purpose log based on a predetermined format for a plurality of feature amount groups extracted by the feature amount extraction unit 104. Specifically, the “general-purpose log” is, for example, a list of a plurality of extracted feature quantities. Specifically, the general-purpose log generation unit 106 generates, for example, a general-purpose log from the extraction result of the feature amount extraction unit 104 stored in the storage device, and stores the generated general-purpose log in a storage device such as a hard disk. .

  The general-purpose log classification unit 108 classifies the plurality of general-purpose logs generated by the general-purpose log generation unit 106 based on specific feature amounts among the M types of feature amounts included in the feature amount group. Specifically, the general-purpose log classification unit 108 reads, for example, the general-purpose log stored in the storage device, executes a process for classifying the general-purpose log for each specific feature amount, and uses the classification result as a hard disk or the like. Stored in the storage device.

  The communication status display unit 110 performs N-dimensional display for the plurality of feature amount groups extracted by the feature amount extraction unit 104. Further, the communication status display unit 110 regards at least one of the N dimensions related to time. Further, the communication status display unit 110 performs N-dimensional display for each feature amount in which the general-purpose log is classified by the general-purpose log classification unit 108 based on the general-purpose log classified by the general-purpose log classification unit 108. Specifically, for example, the communication status display unit 110 reads out the classification result in the general log classification unit 108 from the storage device, and displays the display image data for N-dimensional display output according to the contents of the classification result. After executing processing such as generation, display is output to a display device such as a display.

In the first to third embodiments, a case where M = 4 and N = 3 will be described.
(Operation of log analyzer)
The operation of the log analysis apparatus 1 according to the present embodiment will be described with reference to FIG. FIG. 2 is a flowchart showing a processing flow of the log analysis apparatus according to the present embodiment.
Syslog 100, which is a communication log output from a communication device such as a firewall, is input to the log analysis device 1 via the communication log input unit 102 (step S102). The Syslog 100 received by the communication log input unit 102 is, in the feature amount extraction unit 104, as a feature amount group in each communication, for each communication, a communication source IP address, a communication destination IP address, a communication destination port number, and a communication A combination of start times is extracted (step S104).

  The general-purpose log generation unit 106 generates one general-purpose log for each communication according to a predetermined format using the plurality of feature amount groups extracted by the feature amount extraction unit 104 (step S106). In other words, a plurality of general-purpose logs corresponding to a plurality of communications included in the communication log are generated here. The generated general-purpose logs are classified for each communication source IP address in the general-purpose log classification unit 108, and a set of general-purpose logs for each communication source IP address is generated (step S108).

Finally, the communication status display unit 110 uses the communication start time, the communication destination IP address, and the communication destination port number based on the contents of the general purpose log for each communication source IP address output from the general purpose log classification unit 108. Displayed and output in three dimensions for each source IP address (step S110).
FIG. 3 is a diagram illustrating a specific example of display in the communication status display unit 110. In the three-dimensional graph 200 shown in FIG. 3, the X-axis direction indicates a communication start time, the Y-axis direction indicates a communication destination IP address, and the Z-axis direction indicates a communication destination port number. Then, for each combination of the communication start time, the communication destination IP address, and the communication destination port number included in the general-purpose log for each communication source IP address, a graph 200 of the corresponding communication start time, the communication destination IP address, and the communication destination port number. The intersection on the top is displayed as a single point. A graph 200 in FIG. 3 represents communication from a specific communication source IP address to two communication destination IP addresses, IP address A and IP address B.

Although there is only one graph shown in FIG. 3, actually, a graph as shown in FIG. 3 is displayed for each communication source IP address. In this case, a plurality of graphs for each communication source IP address may be displayed together on one screen, for example, each time the button is pressed by a switching button, the graphs are sequentially displayed on the screen. May be.
According to the graph 200 illustrated in FIG. 3, it is possible to easily understand the behavior of communication in which the communication port number sequentially changes with respect to the same communication destination IP address as the communication start time changes. In other words, by displaying the communication start time, the communication destination port number, and the communication destination IP address in a three-dimensional manner, even for operators who do not have expertise in firewalls or network communication, some regularity is included in the communication behavior. Can be easily understood.

  The act of accessing and scanning various communication port numbers as shown in FIG. 3 is called port scanning. For example, a computer virus that has infected a computer that has been damaged by a computer virus causes it to transfer itself to another computer. This is one of the methods used to search for vulnerabilities in other computers for the purpose of self-diffusion. In other words, by classifying and displaying the general-purpose log by the communication source IP address that is the feature amount included in the communication log, the operator of the log analysis apparatus 1 can quickly perform the unique operation of the computer infected with such a computer virus. I can grasp it.

(Embodiment 2)
The log analysis apparatus according to the second embodiment is characterized in that the display reflects the traffic in a predetermined time unit.
(Configuration of log analyzer)
FIG. 4 is a diagram illustrating a configuration example of the log analysis apparatus 1 according to the present embodiment. The log analysis apparatus 1 according to the present embodiment is different from the log analysis apparatus according to the first embodiment in that it has a weighted communication status display unit 110 ′. It is the same.

  In addition to the function of the communication status display unit 100 of the first embodiment, the weighted communication status display unit 110 ′ further displays an N-dimensional display based on the communication volume in a predetermined time unit of each communication described in the communication log. I do. Specifically, the weighted communication status display unit 110 ′ indicates, for example, a location on the graph specified by the communication start time, the communication destination IP address, and the communication destination port number, the number of communication or the communication size in a predetermined time unit. It displays with the point of the size proportional to etc. This not only facilitates understanding of the communication behavior, but also facilitates understanding of changes in the number of communications and the communication size.

  FIG. 5 is a diagram illustrating a specific example of display on the weighted communication status display unit 110 ′. In the three-dimensional graph 300 shown in FIG. 5, the X-axis direction indicates the communication start time, the Y-axis direction indicates the communication destination IP address, and the Z-axis direction indicates the communication destination port number, as in FIG. The graph 300 shown in FIG. 5 is different from the graph 200 shown in FIG. 3 in that the size of each point displayed on the graph 300 is proportional to the communication amount within a predetermined time unit at the communication start time. Is a point.

  According to the graph 300 illustrated in FIG. 5, not only the communication behavior but also the communication start time, for example, the portion indicated by the range A on the graph 300 indicates that a large amount of communication is being performed. It can be easily grasped. Thereafter, for example, the operator of the log analysis device 1 can analyze quickly and effectively by preferentially analyzing a communication log corresponding to a place where a large amount of communication is performed.

(Embodiment 3)
The log analysis device according to the third embodiment is characterized in that each communication included in the communication log is determined whether or not the communication should be permitted, and a display reflecting the determination result is performed.
(Configuration of log analyzer)
FIG. 6 is a diagram illustrating a configuration example of the log analysis apparatus 1 according to the present embodiment. Compared with the log analysis device of the first embodiment, the log analysis device 1 according to the present embodiment includes a general-purpose log time-series classification unit 120, a communication permission / denial determination unit 122, and a communication permission / non-permission determination model holding unit 124. In other respects, the configuration is the same as that of the log analysis apparatus according to the first embodiment.

The communication permission / non-permission determination model holding unit 124 holds a communication permission / non-permission determination model 130 for determining whether communication should be permitted in a storage device such as a hard disk.
The general-purpose log time-series classification unit 120 is configured to classify the general-purpose log classified by the general-purpose log classification unit 108, which is different from the feature amount of the general-purpose log classification unit 108 among the M types of feature amounts. After the classification based on the feature amount, the classification is further performed in predetermined time units. Specifically, the general-purpose log time-series classification unit 120 reads, for example, the classification result of the general-purpose log classification unit 108 from the storage device, and uses the classification result as the feature amount obtained by classifying the general-purpose log by the general-purpose log classification unit 108. Executes a process for classifying each different feature quantity, and further executes a process for classifying the result of the process in a predetermined time unit. The processing result is stored in a storage device such as a hard disk.

The communication permission / denial determination unit 122 includes a communication log included in the communication log received by the communication log input unit 102 based on the communication permission / non-permission determination model 130 held in the communication permission / non-permission determination model holding unit 124. To determine if it should be allowed. Further, the communication permission / denial determination unit 122 performs this determination for each general-purpose log classified by the general-purpose log time-series classification unit 120 in a predetermined time unit. Specifically, the communication permission / denial determination unit 122 reads the communication permission / non-permission determination model 130 and the processing result of the general-purpose log time series classification unit 120 from a storage device such as a hard disk, for example. The process of determining whether or not the communication should be permitted is executed, and the determination result is stored in a storage device such as a hard disk.
Further, the communication status display unit 110 performs N-dimensional display based on the determination result in the communication permission / denial determination unit 122.

(Operation of log analyzer)
The operation of the log analysis apparatus 1 according to the present embodiment will be described with reference to FIG. FIG. 7 is a flowchart showing a processing flow of the log analysis apparatus according to the present embodiment.
Syslog 100, which is a communication log output from a communication device such as a firewall, is input to log analysis device 1 via communication log input unit 102 (step S202). The Syslog 100 received by the communication log input unit 102 is, in the feature amount extraction unit 104, as a feature amount group in each communication, for each communication, a communication source IP address, a communication destination IP address, a communication destination port number, and a communication A combination of start times is extracted (step S204).

  The general-purpose log generation unit 106 generates one general-purpose log for each communication according to a predetermined format using the feature amount group extracted by the feature amount extraction unit 104 (step S206). In other words, a plurality of general-purpose logs corresponding to a plurality of communications included in the communication log are generated here. The generated general-purpose logs are classified for each communication source IP address in the general-purpose log classification unit 108, and a set of general-purpose logs for each communication source IP address is generated (step S208).

  The general log for each communication source IP address output by the general log classification unit 108 is input to the general log time series classification unit 120. The general-purpose log time-series classification unit 120 classifies the input general-purpose logs for each communication source IP address by communication destination IP address, thereby generating a set of general-purpose logs for each communication source IP address and communication destination IP address. (Step S210). Furthermore, for each set, a plurality of general-purpose logs included in each set are sorted in order of communication start time, classified at intervals of 15 minutes from the beginning, and finally for each source IP address and destination IP address. A set of general-purpose logs by time series collected in units of 15 minutes is generated (step S212).

  The set of general logs generated in this way by time series is input to the communication permission / denial determination unit 122, and for each set of general logs by time series, the entire plurality of communications included in the set are: A determination is made as to whether it should be permitted or not (step S214). Specifically, using a communication permission / denial determination model 130 prepared in advance, a communication permission / denial indicating either permission or non-permission of each communication is performed by SVM (support vector machine) which is one of machine learning methods. A permission flag is output. Here, for a plurality of communications included in each set, one determination is made for a set of general-purpose logs by time series, using the movement of the port number such as how the port number is changing as a determination factor. Made.

Here, in this embodiment, the communication permission / denial determination unit 122 uses the SVM that is one of machine learning methods to perform permission / denial determination processing. However, the determination is not limited to SVM. Any technique is possible as long as it is possible.
For example, even if SVM is not used, the permission / denial determination process may be performed using a communication permission / deny rule prepared in advance. Specifically, the communication permission / denial rules describe how port numbers should be permitted or not permitted, and are included in this condition and the general log collection by time series. Permitted / not-permitted determination processing may be performed by comparing the transition of the communication port number. In this case, the communication permission / denial model 130 is a communication permission / denial rule.

  Returning to FIG. 7, the communication status display unit 110 uses the communication start time, the communication destination IP address, and the communication destination port number based on the contents of the general purpose log for each communication source IP address output from the general purpose log classification unit 108. The communication source IP address is displayed and output in three dimensions (step S216). Further, when displaying on the communication status display unit 110, each of the logs included in the general-purpose log set according to time series based on the communication permission non-permission flag output from the communication permission non-permission determination unit 122 in step S214. By displaying permission and disapproval in different colors and shades for points on the graph corresponding to communication, display is made so that permission and disapproval can be clearly identified.

  In the communication status display unit 110, the communication source IP address and the communication destination generated by the general-purpose log time series classification unit 120 are not the contents of the general-purpose log for each communication source IP address generated by the general-purpose log classification unit 108. Based on the contents of the general-purpose log for each IP address, the communication start time, the communication destination IP address, and the communication destination port number may be used to display and output in three dimensions for each communication source IP address and communication destination IP address. .

  FIG. 8 is a diagram illustrating a specific example of display in the communication status display unit 110. A three-dimensional graph 400 shown in FIG. 8 is a three-dimensional graph in which a three-dimensional display is performed based on the contents of the general-purpose log for each communication source IP address and communication destination IP address generated by the general-purpose log time series classification unit 120. . As in FIG. 3, in the three-dimensional graph 400, the X-axis direction indicates the communication start time, the Y-axis direction indicates the communication destination IP address, and the Z-axis direction indicates the communication destination port number. Then, for each combination of the communication start time and the communication destination port number included in the general log for each communication source IP address and communication destination IP address, a graph 400 of the corresponding communication destination IP address, communication start time, and communication destination port number. The intersection on the top is displayed as a single point. Although there is only one graph shown in FIG. 8, actually, a graph as shown in FIG. 8 is displayed for each communication source IP address and communication destination IP address.

  In addition, the part indicated by the range Y on the graph 400 in FIG. 8 is a part representing communication that should be permitted, and the other part is a part representing communication that should not be permitted. . In this way, enabling or disabling communication can be identified by color, etc., making it easy for operators who do not have expertise in firewalls and network communications to perform the behavior of communications performed by communication devices. This makes it possible to effectively understand the settings of the firewall and the like.

(Method for generating communication permission / denial determination model 130)
The communication permission / denial determination model 130 can be created by the method described below. FIG. 9 is a diagram illustrating a configuration example of an apparatus that generates the communication permission / denial determination model 130.
As illustrated in FIG. 9, the communication permission / denial determination model generation apparatus includes a log input unit 502, a feature amount extraction unit 504 with an action, a general-purpose log generation unit 506 with an action, a general-purpose log classification unit 508 with an action, and a general-purpose log with an action. A time-series classification unit 510 and a communication permission / denial determination model generation unit 512 are provided.
First, the communication log 500 is input to the communication permission / denial determination model generation device via the log input unit 502. The communication log 500 is, for example, a Syslog communication log. In the communication log 500, the feature-value extracting unit 504 extracts the communication source IP address, the communication destination IP address, the communication destination port number, the communication start time, and the action for each communication as the feature value with the action. The

Here, “Action” is a flag indicating whether or not a communication device such as a firewall that has output the communication log 500 has permitted the communication to pass through its own device, and the communication is passed. “Permit” is set when the communication is permitted, and “Deny” is set when the passage of the communication is not permitted.
The extracted feature quantity with the action is input to the general-purpose log generation unit 506 with the action. In the general-purpose log generation unit 506 with an action, one general-purpose log with an action is generated for each communication according to a predetermined format using the feature amount with the action. That is, here, a plurality of general-purpose logs with Actions corresponding to a plurality of communications included in the communication log are generated.

The generated general-purpose logs with an action are classified for each communication source IP address in the general-purpose log classification unit 508 with an action, and a set of general-purpose logs with an action for each communication source IP address is generated.
The general-purpose log with Action for each communication source IP address output from the general-purpose log classification with action 508 is further classified for each communication destination IP address by the general-purpose log time-series classification unit 510 with Action. A set of general logs with an action for each destination IP address is generated. Further, for each set, a plurality of general-purpose logs with actions included in each set are sorted in order of communication start time, and then classified at intervals of 15 minutes from the beginning. Finally, the source IP address and the destination IP address Separately, a set of general-purpose logs with an action by time series collected in units of 15 minutes is generated.

The time-series sets of general logs with actions generated in this way are input to the communication permission / denial determination model generating unit 512 and described in a plurality of communications included in the time-series sets of general logs with actions. The machine action learning is performed with SVM, which is one of machine learning techniques, using the action information of the above as correct answer data, and a communication permission / denial determination model 130 is generated.
FIG. 10 is a diagram illustrating the performance of the communication permission / denial flag output from the communication permission / denial determination unit 122. A table 600 shown in FIG. 10 shows a communication permission / non-permission determination unit using two different models for two different communication logs (Syslog10, Syslog20) that have been identified in advance as to whether or not the communication should be originally permitted. It is a table | surface which compares the correct answer rate at the time of performing the determination process in 122. FIG.

  The two different models differ in the communication destination port number of the feature amount used for learning in the SVM in the communication permission / denial determination model generation unit 512. One generates the communication permission / denial determination model 130 using the communication port number itself (absolute value) as the value of the communication destination port number, and the other changes the communication port number as the value of the communication destination port number. The communication permission / denial determination model 130 is generated using the value (relative value).

The fluctuation value of the communication port number is determined by subdividing the communication port number of communication described at the beginning of the time-series set of the general-purpose log with action generated by the general-purpose log time-series classification unit 510 with action as 0. The communication port number of the subsequent communication described in the general log is replaced with a value indicating a difference from the communication port number of the communication described at the top.
The communication permission / inhibition determination model 130 generated using the communication port number fluctuation value (relative value) is more versatile than the communication permission / inhibition determination model 130 generated using the communication port number itself (absolute value). Is a high model.

Further, the communication port number fluctuation value (relative value) lacks information on the communication port number itself as compared to the communication port number itself (absolute value). Therefore, when the determination process in the communication permission / denial determination unit 122 is performed based on the communication permission / non-permission determination model 130 generated using the variation value (relative value) of the communication port number, the communication port number itself (absolute The correct answer rate is lower than that in the case where the determination process in the communication permission / denial determination unit 122 is performed based on the communication permission / denial determination model 130 generated using the (value). However, it can be seen that even when the determination process is performed using any communication permission / denial determination model 130, a high correct answer rate of 97% or more is shown for both Syslog1 and Syslog2.
According to the log analysis apparatus according to the present embodiment, communication permission / denial is displayed in different colors, so even an operator who does not have expertise in firewalls or network communication can adjust the settings of the firewalls. It becomes possible to carry out effectively.

DESCRIPTION OF SYMBOLS 1 Log analyzer 100 Communication status display part 102 Communication log input part 104 Feature-value extraction part 106 General-purpose log generation part 108 General-purpose log classification part 110 Communication status display part 110 'Weighted communication status display part 120 General-purpose log time series classification part 122 Communication permission / denial determination unit 124 Communication permission / non-permission determination model holding unit 130 Communication permission / non-permission model 200, 300, 400 Three-dimensional graph 500 Communication log 502 Log input unit 504 Feature extraction unit with action 506 General-purpose log generation unit with action 508 General-purpose log classification unit with Action 510 General-purpose log time series classification unit with Action 512 Communication permission / denial determination model generation unit

Claims (8)

A communication log input means for receiving input of a communication log including a plurality of communications;
Feature quantity extraction means for extracting a feature quantity group consisting of M kinds (M is an integer of 4 or more) of feature quantities for each communication of the communication log;
Communication status display means for performing N-dimensional display (N is an integer satisfying 3 ≦ N <M) for the plurality of feature quantity groups;
Have
At least one of the feature quantities included in the feature quantity group relates to time;
The log analysis device according to claim 1, wherein the communication status display means relates to time in at least one of the N dimensions. General log generation means for generating a general log based on a predetermined format for the plurality of feature amount groups;
General-purpose log classification means for classifying the plurality of general-purpose logs based on a specific feature amount among M types of feature amounts included in the feature amount group;
Further comprising
The log analysis apparatus according to claim 1, wherein the communication status display unit performs the N-dimensional display for each specific feature amount based on the classified general-purpose log. Determination model holding means for holding a determination model for determining whether communication should be permitted;
Based on the determination model, a determination unit that determines whether communication included in the communication log is to be permitted;
Further comprising
The log analysis apparatus according to claim 1, wherein the communication status display unit performs the N-dimensional display based on a determination result in the determination unit. Determination model holding means for holding a determination model for determining whether communication should be permitted;
Based on the determination model, a determination unit that determines whether communication included in the communication log is to be permitted;
The general purpose log classified by the general purpose log classification means is classified based on a feature quantity different from the specific feature quantity among the M types of feature quantities, and further classified by a predetermined time unit. Log time series classification means,
Further comprising
The determination means performs the determination for each general-purpose log classified by a predetermined time unit in the general-purpose log time series classification means,
The log analysis apparatus according to claim 2, wherein the communication status display means performs the N-dimensional display based on the determination result.   5. The communication status display unit further performs the N-dimensional display based on a communication amount in a predetermined time unit of each communication included in the communication log. Log analysis device described in 1. The feature amounts included in the feature amount group are a communication source IP address, a communication destination IP address, a communication destination port number, and a communication start time.
The said communication status display means performs a three-dimensional display about a communication destination IP address, a communication destination port number, and a communication start time for every communication origin IP address, It is any one of Claim 1 to 5 characterized by the above-mentioned. The log analysis device described. A communication log input step for receiving input of a communication log including a plurality of communications;
A feature amount extraction step of extracting a feature amount group composed of M types (M is an integer of 4 or more) feature amounts for each communication of the communication log;
A communication status display step for performing N-dimensional display (N is an integer satisfying 3 ≦ N <M) for the plurality of feature quantity groups;
Have
At least one of the feature quantities included in the feature quantity group relates to time;
The log analysis method according to claim 1, wherein in the communication status display step, at least one of the N dimensions is related to time. On the computer,
A communication log input step for receiving input of a communication log including a plurality of communications;
A feature amount extraction step of extracting a feature amount group composed of M types (M is an integer of 4 or more) feature amounts for each communication of the communication log;
A communication status display step for performing N-dimensional display (N is an integer satisfying 3 ≦ N <M) for the plurality of feature quantity groups;
Log analysis program for executing
At least one of the feature quantities included in the feature quantity group relates to time;
In the communication status display step, at least one of the N dimensions is related to time.

Images