JP2015108898A - Abnormality detection system and abnormality detection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To quickly and highly accurately detect abnormality.SOLUTION: In an abnormality detection system 100, a normal model integration device 10 collects a normal model from each of a plurality of terminals 20, and integrates the plurality of collected normal models to generate an integrated normal model. Then, the normal model integration device 10 transmits the integrated normal model to each of the plurality of terminals 20. Also, each of the plurality of terminals 20 acquires an operation performed by a user as a log, and calculates a degree of abnormality indicating a degree of abnormality of the operation by using the acquired log and the integrated normal model received from the normal model integration device 10, and determines whether or not the degree of abnormality is less than a threshold. When it is determined that degree of abnormality is less than the threshold as a result, the terminal 20 outputs information indicating that an abnormal operation is being performed, or forcedly completes the operation.

Description

  The present invention relates to an abnormality detection system and an abnormality detection method.

  Conventionally, terminals such as PCs (Personal Computers), smartphones, tablets, etc. possessed by users have acquired operations on the terminals as logs, and detected abnormalities in the terminals using the corresponding logs and normal models. ing.

  As a technique for detecting such an abnormality, for example, a technique for detecting an abnormal operation of a terminal by comprehensively comparing detection results of each terminal is known. Also, for example, for newly added terminals, since there is little information on the terminals and it is difficult to detect correct abnormality, it is less likely that normal operation is erroneously determined as abnormal by relaxing the abnormality determination threshold. The technology to do is known.

Japanese Patent No. 4940220

  However, such a conventional technique has a problem in that it cannot quickly and accurately detect an abnormality. In other words, for example, in the technology that compares the detection results of each terminal in an integrated manner, all the results of each terminal are compared. Therefore, in an environment with a large number of terminals, there is a problem that it takes a long time to detect an abnormality. It was. In addition, for example, a technique that prevents a normal operation from being erroneously determined to be abnormal by relaxing the threshold of abnormal operation has a problem that it may be difficult to accurately detect an abnormality in a terminal with a small number of logs. .

  Accordingly, an object of the present invention is to quickly and accurately detect an abnormality.

  In order to solve the above-described problems and achieve the object, the disclosed abnormality detection system includes a plurality of terminals and an integrated device, and the integrated device receives a normal model from each of the plurality of terminals. A collecting unit that collects a plurality of normal models collected by the collecting unit to generate an integrated normal model, and an integrated normal model integrated by the integrating unit to each of the plurality of terminals. Each of the plurality of terminals, an acquisition unit that acquires the operation performed by the user as a log, the log acquired by the acquisition unit, and the integration received from the integration device Using a normal model, a degree of abnormality indicating the degree of abnormality of the motion is calculated, and a determination unit that determines whether or not the degree of abnormality is below a predetermined threshold, and the determination unit When the degree of abnormality is determined to be below the threshold, an output indicating that an abnormal operation is being performed, or an output unit that forcibly terminates the operation is provided. And

  Further, the disclosed abnormality detection method is an abnormality detection method executed by an integrated device, and includes a collection step of collecting normal models from each of a plurality of terminals, and a plurality of normal models collected by the collection step. An integration step of integrating and generating an integrated normal model and a transmission step of transmitting the integrated normal model integrated by the integration step to each of the plurality of terminals are included.

  The abnormality detection system and the abnormality detection method disclosed in the present application can quickly and highly accurately detect an abnormality.

FIG. 1 is a diagram illustrating an example of the configuration of the abnormality detection system according to the first embodiment. FIG. 2 is a block diagram illustrating a configuration of the normal model integration device according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the normal model score storage unit according to the first embodiment. FIG. 4 is a diagram for explaining the overall processing flow in the normal model integration device according to the first embodiment. FIG. 5 is a block diagram illustrating a configuration of the terminal according to the first embodiment. FIG. 6 is a diagram illustrating a normal model creation process of the terminal according to the first embodiment. FIG. 7 is a diagram for explaining the abnormality detection process of the terminal according to the first embodiment. FIG. 8 is a diagram for explaining the overall processing of the abnormality detection system according to the first embodiment. FIG. 9 is a flowchart for explaining the flow of normal model integration processing in the normal model integration device according to the first embodiment. FIG. 10 is a flowchart for explaining the flow of the normal model transmission process in the terminal according to the first embodiment. FIG. 11 is a flowchart for explaining the flow of the abnormality detection process in the terminal according to the first embodiment. FIG. 12 is a diagram for explaining a conventional abnormality detection system. FIG. 13 is a diagram for explaining a conventional abnormality detection system. FIG. 14 is a diagram illustrating an overview of the abnormality detection system according to the first embodiment. FIG. 15 is a diagram illustrating an example of a configuration of an abnormality detection system in a case where normal model integration processing is performed on one terminal. FIG. 16 is a diagram illustrating an example of a configuration of an abnormality detection system when each terminal performs normal model integration processing. FIG. 17 is a diagram illustrating a computer that executes a model integration program.

  Hereinafter, embodiments of an abnormality detection system and an abnormality detection method according to the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

[First embodiment]
In the following embodiments, the configuration of the abnormality detection system according to the first embodiment, the configuration of the normal model integration device, the configuration of the terminal, the processing flow in the normal model integration device, and the processing flow in the terminal will be described in order. Next, effects of the first embodiment will be described.

[System configuration]
First, an example of the configuration of the abnormality detection system 100 according to the first embodiment will be described. FIG. 1 is a diagram illustrating an example of the configuration of the abnormality detection system according to the first embodiment. As illustrated in FIG. 1, the abnormality detection system 100 includes a normal model integration device 10 and a plurality of terminals 20A to 20N. The normal model integration device 10 and the plurality of terminals 20 </ b> A to 20 </ b> N are connected via a network 30. Note that the terminals 20A to 20N are described as “terminal 20” when they are not particularly distinguished. Moreover, the installation number of each apparatus illustrated in FIG. 1 is an example to the last, and is not limited to this.

  The normal model integration device 10 collects normal model scores from the terminals 20A to 20N, and integrates the collected normal models of the terminals 20A to 20N. Then, the normal model integration device 10 transmits the integrated normal model to each of the terminals 20A to 20N. Here, the normal model represents a tendency / feature of the normal operation of the user, and the abnormal degree of the operation is output by inputting the operation log into the normal model.

  In this way, the normal model integration device 10 creates a normal model unique to the user by integrating the created normal models for each terminal. As an integration method, for example, a normal model of a terminal having a maximum weighted average / score based on a score indicating reliability of a normal model for each terminal is selected, but is not limited thereto. The normal model integration device 10 transmits the normal models to the terminals 20A to 20N after integrating the normal models. The score is reset at the transmission timing. In addition, as a normal model collection / transmission method for each of the terminals 20A to 20N, sharing within a LAN, use of a cloud service, and via an external storage medium such as a USB memory are conceivable, but are not limited thereto.

  The plurality of terminals 20A to 20N are terminal devices such as PCs, smartphones, and tablets owned by a certain user. Each of the terminals 20 </ b> A to 20 </ b> N acquires the operation performed by the user as a log, and calculates the degree of abnormality of the operation using the acquired log and the normal model received from the normal model integration device 10. Then, each of the terminals 20A to 20N determines whether or not the calculated abnormality degree is below the threshold value, and if it is determined that the abnormality degree is below the threshold value, an abnormal operation is performed. The output or operation is forcibly terminated.

  Further, the terminals 20A to 20N record normal operation as a log, and create a normal model for each terminal based on the log. As a normal model creation method, for example, there is a method of approximating the distribution of feature vectors obtained from the features of the log with a probability distribution such as a normal distribution or a mixed normal distribution, but is not limited thereto. Also, the terminals 20A to 20N calculate and record a score representing the reliability of how correct the normal model is based on the number of logs used for creating the normal model. The normal model score is updated each time a new action log is recorded.

  In addition, when an operation occurs in the terminal, the terminals 20A to 20N calculate the degree of abnormality of the operation by comparing the normal model with the log of the operation. Then, the terminals 20A to 20N detect that the operation is abnormal when the degree of abnormality is below a predetermined threshold.

  As described above, the normal model integration device 10 can effectively perform abnormality detection processing with higher detection accuracy by effectively integrating the normal models of the terminals 20A to 20N. Further, even in an environment with a large number of terminals, it is possible to quickly perform an abnormality detection process without applying a intensive load on a specific device.

[Configuration of normal model integration device]
Next, the configuration of the normal model integration device 10 shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating a configuration of the normal model integration device according to the first embodiment. As shown in FIG. 2, the normal model integration device 10 includes a communication processing unit 11, a control unit 12, and a storage unit 13.

  The communication processing unit 11 controls communication related to various types of information exchanged with the connected terminals 20A to 20N. For example, the communication processing unit 11 receives a normal model and a score indicating the reliability of the normal model from each terminal 20A to 20N, and transmits the integrated normal model to each terminal 20A to 20N.

  As shown in FIG. 2, the storage unit 13 includes a normal model / score storage unit 13a. The storage unit 13 is, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.

  The normal model / score storage unit 13a stores a normal model of each of the terminals 20A to 20N and a score indicating the reliability of each normal model. Here, an example of information stored in the normal model / score storage unit 13a will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of information stored in the normal model score storage unit according to the first embodiment.

As illustrated in FIG. 3, the normal model score storage unit 13 a includes a “terminal ID” that uniquely identifies the terminal 20, a “normal model” that is a normal model set in each terminal 20, and a normal model A “score”, which is a value indicating the reliability, is stored in association with each other. For example, the normal model / score storage unit 13a stores the terminal ID “A”, the normal model “ω ₁ ”, and the score “20” in association with each other.

  Returning to FIG. 2, the control unit 12 includes a collection unit 12a, an integration unit 12b, and a transmission unit 12c. Here, the control unit 12 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

  The collection unit 12a collects normal models from each terminal 20. Further, the collection unit 12a collects a score indicating the reliability of each normal model together with the normal model from each terminal 20. For example, the collection unit 12a collects normal models and scores obtained by each terminal 20 and stores them in the normal model / score storage unit 13a. When the scores of all the terminals 20 are “0”, the process for integrating the normal models described below is not performed.

  The integration unit 12b integrates the normal models of the terminals 20 collected by the collection unit 12a. In addition, the integration unit 12b integrates the normal models of the terminals 20 so that the normal model having a larger score has a larger influence.

For example, the integration unit 12b integrates the collected normal models of the terminals according to the following equation (1). “Ω” is the integrated normal model, “ω _k ” is the normal model of terminal k, “α _k ” is the score of terminal k, and “N” is the terminal owned by the user Is a number. As a method for integrating such normal models, by performing weighted averaging based on the score of the normal model of each terminal 20, the terminal 20 having a higher score has a stronger influence on the integration.

  The transmission unit 12 c transmits the normal model integrated by the integration unit 12 b to each terminal 20. In this way, by transmitting the integrated normal model to each terminal 20, the normal model set in each terminal 20 is replaced. After the transmission unit 12c transmits the normal model to each terminal 20, the scores stored in the normal model / score storage unit 13a are all reset to “0”.

Here, an overall processing flow in the normal model integration device 10 will be described. FIG. 4 is a diagram for explaining the overall processing flow in the normal model integration device according to the first embodiment. As illustrated in FIG. 4, the normal model integration device 10 collects the normal model “ω _k ” / score of each terminal (see (1) in FIG. 4). Then, the normal model integration device 10 creates an integrated normal model (see (2) in FIG. 4).

  Subsequently, the normal model integration device 10 distributes the integrated normal models to the terminals 20 (see (3) in FIG. 4). As a result, the created normal model is distributed to each terminal 20 and is replaced with the existing normal model to function on each terminal 20.

[Terminal configuration]
Next, the configuration of the terminal 20 shown in FIG. 1 will be described with reference to FIG. FIG. 5 is a block diagram illustrating a configuration of the terminal according to the first embodiment. As illustrated in FIG. 5, the terminal 20 includes a communication processing unit 21, a control unit 22, and a storage unit 23.

  The communication processing unit 21 controls communication related to various types of information exchanged with the normal model integration device 10 connected thereto. For example, the communication processing unit 21 transmits a normal model and a score indicating the reliability of the normal model to the normal model integration device 10, and receives the integrated normal model from the normal model integration device 10.

  As shown in FIG. 5, the storage unit 23 includes a normal model / score storage unit 23a. The storage unit 23 is, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.

  The normal model / score storage unit 23a stores a normal model set in the terminal itself and a score indicating the reliability of the normal model. Specifically, the normal model / score storage unit 23a stores a “normal model” that is a normal model set in the terminal itself and a “score” that is a value indicating the reliability of the normal model in association with each other. .

  The control unit 22 includes an acquisition unit 22a, a conversion unit 22b, a calculation unit 22c, a determination unit 22d, and an output unit 22e. Here, the control unit 22 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

  The acquisition unit 22a acquires an operation performed by the user as a log. Specifically, the acquisition unit 22a acquires an operation on the terminal 20 (for example, a user's Web access operation via the terminal 20) as a log.

  The conversion unit 22b converts the log acquired by the acquisition unit 22a into a feature vector. Specifically, the log acquired by the acquisition unit 22a is converted into a feature vector in order to be used for the processing of the calculation unit 22c described later. Here, the feature vector is expressed by a log feature n-dimensional number vector.

  For example, an example of a feature vector when the operation on the terminal is Web access will be described. In the case of a Web access log, the characteristics of the log appear in, for example, “access destination URL character string”, and therefore the conversion unit 22b generates a feature vector from the URL character string. As a method for converting a character string into a feature vector, for example, there is an N-gram method. N-gram is a method of creating a set of n characters while shifting character by character from the beginning of a character string.

  For example, when the URL is “http://www.AAABBBCCC.co.jp” and N = 7, “http: //”, “ttp: // w”, “tp: // “ww”, “p: // www”, and so on. Then, the URL divided into elements is converted into a feature vector. For the conversion, there are a feature vector method in which the number of times each element appears as it is, and a method in which “1” and “0” are associated with each element depending on whether it appears regardless of the number of times.

  The calculation unit 22c creates a normal model based on the feature vector converted by the conversion unit 22b. Specifically, for each terminal owned by the user, the calculation unit 22c collects normal operations (such as web access) performed by the user as a log, and uses the log to perform normal operation of the user on the terminal. Create a “normal model” that represents trends and features of Here, as a method for creating a normal model, there is a method of approximating the distribution of feature vectors with a probability distribution such as a normal distribution or a mixed normal distribution, but it is not limited thereto.

  Here, the normal model creation process will be described with reference to the example of FIG. FIG. 6 is a diagram illustrating a normal model creation process of the terminal according to the first embodiment. As illustrated in FIG. 6, the normal operation logs A to C in the terminal 1 are input to the calculation unit 22 c that generates a normal model, and the normal model “ω” of the terminal 1 is generated. As a normal model, there is a probability distribution or the like indicating normal and ease of operation, but is not limited to this.

  Here, a case where the normal distribution is a normal distribution N (x; m, Σ) will be described. x is a feature vector, m is an average, and Σ is variance. In this normal model, when an operation represented by the feature vector x is input, a probability of how easily the operation occurs is returned as an output. If this probability is smaller than a predetermined threshold, it is determined that the operation is abnormal.

  Each time a feature vector x ′ representing normal operation is given, the average m of the normal distribution and the variance Σ are updated. As a renewal method, a method using Bayes's law can be considered. Bayes' law is defined as “P (A | B) = P (B” where P (A) is the probability that A will occur and P (B | A) is the probability that B will occur when A is known to have occurred. | A) P (A) / P (B) "is satisfied.

  Here, assuming that B is a feature vector x, A is (m, Σ), and P is a normal distribution N, the left side is the average and variance of the normal distribution N when it is known that the feature vector x has occurred from the normal distribution N Represents the probability that is m, Σ. As an update method using Bayes' law, when a feature vector x is given, m and Σ that maximize the left side are selected. Although the updating method based on Bayes' law is described here, the updating method is not limited to this.

  The feature vector used for creating the normal model is used to calculate a score representing the reliability of the normal model. In particular, the score is defined as “score = total number of feature vectors used for creating the normal model”. This utilizes the feature that, as the number of feature vectors used for normal model creation increases, the abnormality detection accuracy using the feature vector generally increases.

  The determination unit 22d uses the log acquired by the acquisition unit 22a and the integrated normal model received from the normal model integration device 10 to calculate an abnormality level indicating the degree of abnormal operation, and the abnormality level falls below a predetermined threshold. It is determined whether or not. Specifically, the determination unit 22d inputs the feature vector converted by the conversion unit 22b to the normal model, calculates the degree of abnormality, and determines whether the degree of abnormality exceeds a predetermined threshold.

  Here, the abnormality detection process of the terminal 20 will be described with reference to FIG. FIG. 7 is a diagram for explaining the abnormality detection process of the terminal according to the first embodiment. When operating on the terminal 20, the operation abnormality level is output by inputting the operation log to the normal model. When the degree of abnormality falls below a preset threshold, it is detected that the operation is abnormal.

  If it demonstrates using the example of FIG. 7, the determination part 22d shall input the operation log D to the normal model (omega), and the abnormality degree 0.1 shall be output. Since the degree of abnormality “0.1” is below the preset threshold value “0.2”, the operation of the operation log D is detected as being abnormal. On the other hand, if the degree of abnormality is greater than or equal to the threshold value and it is determined that the normality is normal, the feature vector is sent to the calculation unit 22c described above and used for creating (updating) a normal model.

  If the determination unit 22d determines that the degree of abnormality is below the threshold, the output unit 22e outputs that the abnormal operation is being performed, or forcibly terminates the operation. For example, the output unit 22e notifies the user or the administrator that an abnormal operation is being performed, a process for notifying that the abnormal operation is being performed as a message, or a process for forcibly stopping the operation. I do.

  Here, the overall processing of the abnormality detection system 100 will be described with reference to FIG. FIG. 8 is a diagram for explaining the overall processing of the abnormality detection system according to the first embodiment. As shown in FIG. 8, the normal model integration device 10 collects normal models and scores from the terminals 20A to 20N, and integrates the collected normal models of the terminals 20A to 20N. Then, the normal model integration device 10 transmits the integrated normal model to each of the terminals 20A to 20N.

  And each terminal 20A-20N acquires operation | movement which the user performed as a log, and calculates the abnormal degree of operation | movement using the acquired log and the normal model received from the normal model integration apparatus 10. FIG. Then, each terminal 20A to 20N determines whether or not the calculated abnormality degree is below the threshold value, and if it is determined that the abnormality degree is below the threshold value, it indicates that an abnormal operation is being performed. Output.

  Thus, in the abnormality detection system 100 according to the first embodiment, the normal model integration device 10 effectively integrates the normal models of the terminals 20A to 20N, thereby performing abnormality detection processing with higher detection accuracy. Can be done. Further, even in an environment with a large number of terminals, it is possible to quickly perform an abnormality detection process without applying a intensive load on a specific device.

[Process by normal model integration device]
Next, processing performed by the normal model integration device 10 according to the first embodiment will be described with reference to FIG. FIG. 9 is a flowchart for explaining the flow of normal model integration processing in the normal model integration device according to the first embodiment.

  As illustrated in FIG. 9, when the collection unit 12a of the normal model integration device 10 receives an instruction to integrate normal models (Yes in Step 101), the normal model score of each terminal 20 is collected (Step 102). . For example, the collection unit 12a collects normal models and scores obtained by each terminal 20 and stores them in the normal model / score storage unit 13a.

  Then, the integration unit 12b integrates the normal models of the terminals 20 (Step 103). For example, the integration unit 12b integrates the collected normal models of each terminal according to the above equation (1). Then, the transmission unit 12c distributes the integrated normal model to each terminal 20 (step 104). In this way, by transmitting the integrated normal model to each terminal 20, the normal model set in each terminal 20 is replaced. After the transmission unit 12c transmits the normal model to each terminal 20, the scores stored in the normal model / score storage unit 13a are all reset to “0”.

[Processing by terminal]
Next, processing by the terminal 20 according to the first embodiment will be described with reference to FIGS. 10 and 11. FIG. 10 is a flowchart for explaining the flow of the normal model transmission process in the terminal according to the first embodiment. FIG. 11 is a flowchart for explaining the flow of the abnormality detection process in the terminal according to the first embodiment.

  First, the flow of normal model transmission processing will be described with reference to FIG. As shown in FIG. 10, when the predetermined time has elapsed (Yes in Step 201), the conversion unit 22b of the terminal 20 converts the log acquired by the acquisition unit 22a into a feature vector (Step 202). For example, the conversion unit 22b performs conversion into a feature vector in order to use the log acquired by the acquisition unit 22a at a predetermined cycle, which is used for processing of the calculation unit 22c described later.

  Then, the calculation unit 22c creates a normal model based on the feature vector (step 203). Specifically, for each terminal owned by the user, the calculation unit 22c collects normal operations (such as web access) performed by the user as a log, and uses the log to perform normal operation of the user on the terminal. Create a “normal model” that represents trends and features of Thereafter, the communication processing unit 21 transmits the created normal model to the normal model integration device 10 when there is a request from the normal model integration device 10 (step 204).

  Next, the flow of the abnormality detection process will be described with reference to FIG. As shown in FIG. 11, when the acquisition unit 22a of the terminal 20 acquires the operation on the terminal as a log (Yes at Step 301), the conversion unit 22b converts the acquired log into a feature vector (Step 302).

Then, the determination unit 22d performs an abnormality determination process using the feature vector (step 303). Specifically, the determination unit 22d inputs the feature vector converted by the conversion unit 22b to the normal model, calculates the degree of abnormality, and determines whether the degree of abnormality exceeds a predetermined threshold.
As a result, the determination unit 22d determines whether or not the degree of abnormality is smaller than a threshold value (step 304).

  As a result, when the determination unit 22d determines that the degree of abnormality is smaller than the threshold value, the output unit 22e warns the user / administrator and forcibly stops the operation (step 305). On the other hand, if the determination unit 22d determines that the degree of abnormality is greater than or equal to the threshold value, the process ends. When an abnormality is detected, it is not always necessary to both warn the user / administrator and forcibly stop the operation. One of the forced stop may be performed.

[Effect of the first embodiment]
As described above, in the abnormality detection system 100 according to the first embodiment, the normal model integration device 10 collects the normal model score from each of the plurality of terminals 20, and uses the collected plurality of normal models. Integrate to generate an integrated normal model. Then, the normal model integration device 10 transmits the integrated integrated normal model to each of the plurality of terminals 20. In addition, each of the plurality of terminals 20 acquires the operation performed by the user as a log, and uses the acquired log and the integrated normal model received from the normal model integration device 10 to indicate the degree of abnormality of the operation. Is calculated, and it is determined whether or not the degree of abnormality is below a predetermined threshold. As a result, when it is determined that the degree of abnormality is below the threshold, the terminal 20 outputs that the abnormal operation is being performed, or forcibly terminates the operation.

  Thereby, in the abnormality detection system 100 according to the first embodiment, it is possible to perform rapid detection by performing abnormality detection on each terminal without comparing the detection results of all terminals, and a terminal with few logs. It is possible to detect anomalies with high accuracy even if it is placed. Here, a conventional abnormality detection system will be described with reference to FIGS. 12 and 13. 12 and 13 are diagrams for explaining a conventional abnormality detection system. That is, as illustrated in FIG. 12, in one of the conventional abnormality detection systems, the degree of abnormality calculated by the abnormality detection system of each terminal is integrated. Then, in order to determine an operation abnormality in a certain terminal, it is necessary to provide an operation log as an input to all abnormality detection systems. Then, the degree of abnormality determined by each abnormality detection system is collected, integrated, and finally determined. For this reason, in an environment where the number of terminals is large, it takes time to detect an abnormality.

  Further, as illustrated in FIG. 13, in one of the conventional abnormality detection systems, the operation log of each terminal is input to one abnormality detection system. And since the operation log of all the terminals is processed in one abnormality detection system, the load on the abnormality detection system increases.

  On the other hand, in the abnormality detection system 100 according to the first embodiment, as shown in FIG. 14, the normal model integration device 10 integrates the normal models of the abnormality detection system of each terminal, and creates a new normal model. create. The created normal model is redistributed to each terminal 20 and used for abnormality detection. As described above, since the abnormality detection is performed on each terminal 20, the load is not concentrated on one device, and the normal model is integrated to quickly and highly accurately all the terminals 20. Anomaly detection can be performed.

  Further, in the abnormality detection system 100 according to the first embodiment, by integrating the normal models in consideration of the score, the influence of the normal model having a low score is reduced and the influence of the normal model having a high score is greatly influenced. Normal models can be created automatically. In addition, since normal models are integrated instead of logs and feature vectors themselves, it is possible to reduce the cost of transferring a huge log and creating a normal model from a huge log. Moreover, since abnormality detection is performed for each terminal 20, the normal model integration device 10 has no cost related to integration of determination results.

[System configuration, etc.]
In the abnormality detection system 100 according to the first embodiment described above, the normal model integration device 10 collects the normal models and scores of the terminals, integrates the normal models, and transmits the integrated normal models to the terminals. As described above, the function of the normal model integration device 10 may be provided in a user-owned terminal. For example, as illustrated in FIG. 15, in the abnormality detection system 100 </ b> A, the collection unit 12 a is integrated as a normal model integration function that is a function of the normal model integration device 10 described above, into one terminal 20 </ b> A among a plurality of terminals. The unit 12b and the transmission unit 12c are provided. Then, the terminal 20A collects the normal models and scores of the terminals 20B to 20N, integrates the normal models, and transmits the normal models integrated to the terminals 20B to 20N.

  Further, as illustrated in FIG. 16, a plurality of terminals 200 </ b> A to 200 </ b> N are provided with a collection unit 12 a, an integration unit 12 b, and a transmission unit 12 c as normal model integration functions that are functions of the normal model integration device 10 described above. Also good. In this case, each of the terminals 200 </ b> A to 200 </ b> N collects normal models and scores from terminals other than the own apparatus, integrates the normal models, and transmits the integrated normal model to terminals other than the own apparatus.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the collection unit 12a and the integration unit 12b may be integrated. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In addition, among the processes described in the present embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
It is also possible to create a program that describes the processing executed by the normal model integration device 10 described in the above embodiment in a language that can be executed by a computer. For example, it is possible to create a model integration program in which the processing executed by the normal model integration device 10 according to the first embodiment is described in a language that can be executed by a computer. In this case, when the computer executes the model integration program, the same effect as in the above embodiment can be obtained. Further, the model integration program is recorded on a computer-readable recording medium, and the processing similar to that of the first embodiment is realized by recording the model integration program on the recording medium and causing the computer to read and execute the model integration program. May be. An example of a computer that executes a model integration program that implements the same function as that of the normal model integration device 10 illustrated in FIG. 2 will be described below.

  FIG. 17 is a diagram illustrating a computer 1000 that executes a model integration program. As illustrated in FIG. 17, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1100 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120 as illustrated in FIG. The video adapter 1060 is connected to a display 1130, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 17, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the model integration program is stored in, for example, the hard disk drive 1090 as a program module in which a command to be executed by the computer 1000 is described.

  In addition, various data described in the above embodiment is stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary, and executes various processing procedures.

  Note that the program module 1093 and the program data 1094 related to the model integration program are not limited to being stored in the hard disk drive 1090, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive or the like. Also good. Alternatively, the program module 1093 and the program data 1094 related to the model integration program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and the network interface 1070 is stored. Via the CPU 1020.

DESCRIPTION OF SYMBOLS 10 Normal model integration apparatus 11, 21 Communication processing part 12, 22 Control part 12a Collection part 12b Integration part 12c Transmission part 13, 23 Storage part 13a, 23a Normal model score storage part 20, 20A-20N, 200A-200N Terminal 22a Acquisition unit 22b Conversion unit 22c Calculation unit 22d Determination unit 22e Output unit 30 Network 100, 100A, 100B Abnormality detection system

Claims (5)

In an anomaly detection system having a plurality of terminals and an integrated device,
The integrated device is
A collection unit that collects normal models from each of the plurality of terminals;
An integration unit that integrates a plurality of normal models collected by the collection unit to generate an integrated normal model;
A transmission unit that transmits an integrated normal model integrated by the integration unit to each of the plurality of terminals;
With
Each of the plurality of terminals is
An acquisition unit for acquiring a user's actions as a log;
Using the log acquired by the acquisition unit and the integrated normal model received from the integration device, an abnormality level indicating the degree of abnormality of the operation is calculated, and whether or not the abnormality level is below a predetermined threshold value. A determination unit for determining;
When it is determined by the determination unit that the degree of abnormality is below a threshold, an output indicating that an abnormal operation is being performed, or an output unit that forcibly terminates the operation;
An anomaly detection system comprising: The collection unit collects a value indicating the reliability of each normal model together with the normal model from each terminal,
The anomaly detection system according to claim 1, wherein the integration unit integrates the normal models of the terminals so that the normal model having a larger value has a larger influence. The terminal further includes a conversion unit that converts the log acquired by the acquisition unit into a feature vector,
The determination unit inputs the feature vector converted by the conversion unit to the normal model, calculates the degree of abnormality, and determines whether or not the degree of abnormality is below a predetermined threshold. The abnormality detection system according to claim 1 or 2. An anomaly detection method executed by an integrated device,
A collection step for collecting normal models from each of a plurality of terminals;
An integration step of generating a unified normal model by integrating a plurality of normal models collected in the collecting step;
A transmitting step of transmitting the integrated normal model integrated by the integrating step to each of the plurality of terminals;
An abnormality detection method characterized by including The collecting step collects a value indicating the reliability of each normal model together with the normal model from each terminal,
The abnormality detection method according to claim 5, wherein in the integration step, the normal models of the terminals are integrated so that the normal model having the larger value has a larger influence.

Images