JP2016054435A - Operation detection device, operation method of the same, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect an operation to a device without installing an application in the device.SOLUTION: An operation pattern extraction section 12 separates feature vectors into a feature vector of time in which there is no possibility of operation and a feature vector of time in which there is possibility of operation. Then, the operation pattern extraction section 12 learns a packet pattern of time in which there is no possibility of operation as a noise pattern and stores it in a noise database 17. Regarding the feature vector similar to the noise pattern, noise is removed from the feature vector by acquiring differences in the vector of the noise pattern from the feature vector. An operation detection section 13, regarding the feature vector similar to the noise pattern, acquires differences in the vector of the noise pattern from the feature vector to remove the noise.SELECTED DRAWING: Figure 9

Description

  The present invention relates to a technique for detecting an operation on a device without installing an application in the device.

  If a failure occurs when connecting a device such as a PC or printer to the network, a person with network expertise often responds, but at that time, the user can know what operation has been performed. If possible, it will be easier to handle.

  However, if the user does not remember the operation, if the device is used by multiple people, or if the failure is caused by an application such as a power failure, know what operation has been performed Is difficult and it takes time to investigate the cause.

  To deal with this problem, Non-Patent Document 1 and Patent Document 1 disclose, for example, a technique of installing an application on a PC and collecting operation information by the application.

  However, application installation is cumbersome and burdens the user. Further, when the application depends on the operating system, setting work is required. In addition, it is necessary to always operate the application, which places a load on the device.

  On the other hand, Patent Document 2 discloses a technique for detecting the type of application being used by analyzing traffic flowing on a network. If this technology is used, no application installation is required.

Japanese Patent No. 5350410 JP 2012-034262 A

Akinori Tanaka et al., “PC Operation History Collection System“ Memory Retriever ””, NTT Technical Journal, Vol.22, No.7, 2010.

  However, this technique can detect only the type of application that performs communication. That is, the operation cannot be detected. For example, it is useful to know that operations such as restarting the PC, changing network settings, and operating system updating are performed, but this is not possible with the technique of Patent Document 2.

  Furthermore, when new software is downloaded and installed via a web browser, the technology of Patent Document 2 can detect that a web browser has been used, but cannot detect that an operation for downloading software has been performed. .

  The present invention has been made in view of the above problems, and an object of the present invention is to provide an operation detection device that can detect an operation on a device without installing an application in the device.

  In order to solve the above-described problem, the first aspect of the present invention is an operation detection device that detects an operation on a device based on a packet used for communication by the device. An operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector, and a center vector generated based on a packet at a time when the user is not likely to perform the operation. A packet corresponding to the predetermined information in the unit time for each of the predetermined information included in the header of the packet for each unit time in the noise database storing the record including A first feature amount calculating means for calculating a feature amount of a plurality of predetermined consecutive times starting from the unit time for a plurality of unit times. First feature vector generation means for generating a feature vector composed of feature amounts calculated for unit time, and an operation that is a feature vector of a time at which the user of the device may operate the plurality of feature vectors Feature vector dividing means for dividing a time feature vector into a noise time feature vector that is a time feature vector that is not likely to be operated by the user, and similarity between the noise time feature vectors from the plurality of noise time feature vectors Noise cluster generating means for generating a plurality of noise clusters based on the characteristics, and for each noise cluster, a center vector of a noise time feature vector in the noise cluster is generated and stored in the noise database Generating means, and for each operation time feature vector, the operation time A first similarity calculating means for calculating a similarity between the characteristic vector and each central vector of the noise database, a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold, and the maximum A first difference feature vector generating means for generating a difference feature vector having a difference from a center vector corresponding to the value as a feature amount; a corresponding operation time feature vector when the maximum value is less than the threshold; and the difference feature An operation cluster generating means for generating a plurality of operation clusters from a plurality of feature vectors consisting of vectors based on similarity between the feature vectors, and for each operation cluster, generating a center vector of the feature vectors in the operation cluster , Search the operation name database for a record including a rule that matches the center vector, and Second center vector generation means for associating the operation name in the record with the predetermined information in the unit time for each of the predetermined information included in the header of the packet for each unit time in the operation detection period Second feature quantity calculating means for calculating the feature quantity of the packet corresponding to the information of the above, second feature vector generating means for generating a feature vector composed of the feature quantity, and for each feature vector, A second similarity calculating means for calculating a similarity with each center vector of the noise database; a corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold; and a center corresponding to the maximum value A second difference feature vector generating means for calculating a difference from the vector and generating a difference feature vector having the difference as a feature amount; and the operation name data For each center vector in the base, the similarity with each of the difference feature vectors and the similarity with each corresponding feature vector when the maximum similarity calculated by the second similarity calculation means is greater than or equal to a threshold value are calculated. A third similarity calculating unit that reads out an operation name associated with a center vector corresponding to the maximum value from the operation name database if the maximum value of the similarity is equal to or greater than a predetermined threshold value. It is characterized by providing.

  The second aspect of the present invention is an operation detection device for detecting an operation on a device based on a packet used for communication by the device, and for a plurality of types of operations, the operation name of the operation and the operation Operation name database in which records including rules and center vectors applied at the time are stored, and a noise database in which records including center vectors generated based on packets at times when there is no possibility of user operation are stored And calculating a feature amount of the packet corresponding to the predetermined information in the unit time for each predetermined information included in the header of the packet for each unit time in a period before detecting the operation. Calculated for a plurality of predetermined unit times starting from the unit time for the feature amount calculation means and a plurality of unit times A first feature vector generating means for generating a feature vector composed of the collected amount; an operation time feature vector which is a feature vector of a time at which a user of the device may operate the plurality of feature vectors; and the user A feature vector dividing unit that divides a noise time feature vector that is a time feature vector that is unlikely to be operated, and a plurality of noise time feature vectors based on the similarity between the noise time feature vectors. Noise cluster generating means for generating a noise cluster; for each noise cluster, a first center vector generating means for generating a center vector of a noise time feature vector in the noise cluster and storing it in the noise database; and For the operation time feature vector, the operation time feature vector and the noise data A first similarity calculating means for calculating a similarity to each base vector of the base, a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold, and a center corresponding to the maximum value A first difference feature vector generating means for generating a difference feature vector having a difference from the vector as a feature quantity; a plurality of operation time feature vectors when the maximum value is less than the threshold; and a plurality of the difference feature vectors Operation cluster generation for determining whether or not there is a rule that matches the feature vector in the operation name database for each feature vector, and generating an operation cluster composed of feature vectors that match the rule for each rule determined to be compatible And for each operation cluster, a center vector of the operation cluster is generated, and the operation name database is generated. A second center vector generating means for searching a record including a rule corresponding to the operation cluster from the source and associating the center vector with an operation name in the record; In addition, for each piece of predetermined information included in the header of the packet, a second feature amount calculating means for calculating a feature amount of the packet corresponding to the predetermined information in the unit time, and a feature vector comprising the feature amount A second feature vector generating means for generating; a second similarity calculating means for calculating a similarity between the feature vector and each center vector of the noise database; and a maximum value of the similarity The difference between the corresponding feature vector when the value is equal to or greater than a predetermined threshold and the center vector corresponding to the maximum value is calculated, and the difference is characterized. Second difference feature vector generation means for generating a difference feature vector, and for each center vector in the operation name database, the similarity to each difference feature vector and the similarity calculated by the second similarity calculation means A third similarity calculating means for calculating a similarity with each corresponding feature vector when the maximum value of the degree is equal to or greater than a threshold; and if the maximum value of the similarity is equal to or greater than a predetermined threshold, the operation name database Operation name reading means for reading an operation name associated with the center vector corresponding to the maximum value is provided.

  3rd this invention is the operation | movement method of the operation detection apparatus which detects operation with respect to the said apparatus based on the packet used for an apparatus to communicate, Comprising: The said operation detection apparatus is about multiple types of operation, An operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector, and a center vector generated based on a packet at a time when the user is not likely to perform the operation. And a noise database in which a record including the information is stored, and the operation method includes a first feature value calculating unit of the operation detecting device in a header of a packet for each unit time in a period before detecting an operation. For each of the predetermined information included, the feature amount of the packet corresponding to the predetermined information in the unit time is calculated, and the first characteristic of the operation detecting device is calculated. For each of the plurality of unit times, the vector generation unit generates a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time, and the feature vector dividing unit of the operation detection device The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by a user of the device and a noise time feature that is a feature vector of a time that is not likely to be operated by the user. And the noise cluster generation means of the operation detection device generates a plurality of noise clusters from the plurality of noise time feature vectors based on the similarity between the noise time feature vectors, and the operation detection device includes: The first center vector generation means is configured to generate, for each noise cluster, a noise time characteristic in the noise cluster. A center vector of the vector is generated and stored in the noise database, and the first similarity calculation unit of the operation detection device is configured to determine, for each operation time feature vector, the operation time feature vector and each center vector of the noise database. The first difference feature vector generation unit of the operation detection device corresponds to the corresponding operation time feature vector and the maximum value when the maximum value of the similarity is equal to or greater than a predetermined threshold value. A difference feature vector having a difference from a center vector to be processed as a feature amount, and the operation cluster generation unit of the operation detection device includes the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value. Generating a plurality of operation clusters from a plurality of feature vectors based on similarity between the feature vectors, A second center vector generation unit for each operation cluster generates a center vector of a feature vector in the operation cluster, and searches the operation name database for a record including a rule that matches the center vector. The center vector is associated with the operation name in the record, and predetermined information included in the header of the packet for each unit time in the period in which the second feature amount calculation unit of the operation detection device detects the operation. , The feature amount of the packet corresponding to the predetermined information in the unit time is calculated, the second feature vector generation means of the operation detection device generates a feature vector composed of the feature amount, and the operation For each feature vector, the second similarity calculation unit of the detection device performs the feature vector and each center of the noise database. The similarity with the kuttle is calculated, and the second difference feature vector generation unit of the operation detection device corresponds to the corresponding feature vector and the maximum value when the maximum value of the similarity is equal to or greater than a predetermined threshold. Calculating a difference from the center vector, generating a difference feature vector having the difference as a feature quantity, and the third similarity calculating means of the operation detecting device, for each center vector in the operation name database, The similarity with the feature vector and the similarity with each corresponding feature vector when the maximum similarity calculated by the second similarity calculation means is greater than or equal to a threshold value are read, and the operation name of the operation detecting device is read The means reads out an operation name associated with a center vector corresponding to the maximum value from the operation name database if the maximum value of the similarity is equal to or greater than a predetermined threshold value. That.

  A fourth aspect of the present invention is an operation method of an operation detection device that detects an operation on the device based on a packet used for communication by the device, and the operation detection device includes a plurality of types of operations. An operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector, and a center vector generated based on a packet at a time when the user is not likely to perform the operation. And a noise database in which a record including the information is stored, and the operation method includes a first feature value calculating unit of the operation detecting device in a header of a packet for each unit time in a period before detecting an operation. For each of the predetermined information included, the feature amount of the packet corresponding to the predetermined information in the unit time is calculated, and the first characteristic of the operation detecting device is calculated. For each of the plurality of unit times, the vector generation unit generates a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time, and the feature vector dividing unit of the operation detection device The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by a user of the device and a noise time feature that is a feature vector of a time that is not likely to be operated by the user. And the noise cluster generation means of the operation detection device generates a plurality of noise clusters from the plurality of noise time feature vectors based on the similarity between the noise time feature vectors, and the operation detection device includes: The first center vector generation means is configured to generate, for each noise cluster, a noise time characteristic in the noise cluster. A center vector of the vector is generated and stored in the noise database, and the first similarity calculation unit of the operation detection device is configured to determine, for each operation time feature vector, the operation time feature vector and each center vector of the noise database. The first difference feature vector generation unit of the operation detection device corresponds to the corresponding operation time feature vector and the maximum value when the maximum value of the similarity is equal to or greater than a predetermined threshold value. A difference feature vector having a difference from a center vector to be processed as a feature amount, and the operation cluster generation unit of the operation detection device includes the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value. For each of a plurality of feature vectors consisting of: a rule that matches the feature vector in the operation name database The presence / absence is determined, and for each rule determined to be compatible, an operation cluster including a feature vector that matches the rule is generated, and the second center vector generation unit of the operation detection device A center vector of the operation cluster is generated, a record including a rule corresponding to the operation cluster is searched from the operation name database, the center vector is associated with the operation name in the record, and the second operation detection device The feature amount calculation means calculates a feature amount of the packet corresponding to the predetermined information in the unit time for each of the predetermined information included in the header of the packet for each unit time in the period for detecting the operation. The second feature vector generation means of the operation detection device generates a feature vector composed of the feature amount, and the operation Second similarity calculation means of the detection device calculates, for each feature vector, the similarity between the feature vector and each center vector of the noise database, and second difference feature vector generation means of the operation detection device Calculates the difference between the corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and the center vector corresponding to the maximum value, and generates a difference feature vector using the difference as a feature amount. The third similarity calculation means of the operation detection device has a maximum similarity between the similarity to each difference feature vector and the similarity calculated by the second similarity calculation means for each center vector in the operation name database. When the value is equal to or greater than a threshold value, the similarity with each corresponding feature vector is calculated, and the operation name reading unit of the operation detection device determines that the maximum value of the similarity is equal to or less than a predetermined threshold value. Nara, wherein the reading out operation name associated with the center vector corresponding to the maximum value from the operation name database.

  The fifth aspect of the present invention is a computer program for causing a computer to function as the operation detection device of the first aspect of the present invention or the second aspect of the present invention.

  According to the present invention, it is possible to detect an operation on a device without installing an application in the device, and it is possible to eliminate the influence of packet data generated even when no operation is performed.

It is a figure which illustrates the communication environment using the operation detection apparatus which concerns on 1st Embodiment. 1 is a block diagram illustrating a schematic configuration of an operation detection device 1. FIG. 3 is a diagram showing a configuration of a port number storage unit 15. FIG. 3 is a diagram showing a configuration of an operation name database 16. FIG. It is a flowchart which shows the flow of the process in the preparatory period before detecting operation. It is a detailed flowchart of step S2 in FIG. It is a figure which illustrates a center vector and a median value. It is a flowchart which shows the flow of a process at the time of detecting operation. It is a block diagram which shows schematic structure of 1 A of operation detection apparatuses. 3 is a diagram illustrating a configuration of a noise database 17. FIG. It is a flowchart which shows the flow of a process in the preparatory period before detecting operation in 6th Embodiment. It is a flowchart which shows the flow of a process at the time of detecting operation in 6th Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[First embodiment]
FIG. 1 is a diagram illustrating a communication environment using the operation detection device according to the first embodiment.

  The operation detection device 1 is a device that detects what operation has been performed on the device 2 based on a packet used for communication by the device 2 (for example, a PC (personal computer)). The operation here means not only an operation by a user (so-called manual operation) but also an operation by an application installed in the device 2 (that is, automatic processing in appearance), an operation by an external factor (for example, a power supply at the time of a power failure, etc. )). The device to be detected is not limited to a PC.

  The device 2 is connected to the Internet 5 via, for example, the switch 3 and the gateway device 4. The operation detection device 1 is connected to a mirroring port of the switch 3, for example. For example, a peripheral device 6 is connected to the switch 3.

  The switch 3 mirrors the packet flowing through the switch 3 and transmits it to the operation detection device 1 from the mirroring port. The switch 3 transmits a packet transmitted from the peripheral device 6 or received by the peripheral device 6 to the operation detection apparatus 1 in addition to a packet transmitted from the device 2 or received by the device 2.

  For example, the input unit 11 of the operation detection device 1 refers to the routing table or ARP table of the gateway device 4 in advance to obtain the IP address and MAC address of the device 2, and the corresponding source IP address and transmission Only packets including the original MAC address, the destination IP address, and the destination MAC address are received.

  FIG. 2 is a block diagram illustrating a schematic configuration of the operation detection device 1.

  The operation detection apparatus 1 generates an input unit 11 that receives a packet, generates a feature vector including a feature amount in the packet in a period before detecting an operation, clusters feature vectors that match a predetermined rule, An operation pattern extraction unit 12 that generates a center vector of the feature vectors as an operation pattern, generates a feature vector in a period for detecting an operation, calculates a similarity with the center vector, and detects an operation based on the similarity An operation detection unit 13, an output unit 14 that outputs a detected operation name, a port number storage unit 15 that stores port numbers in advance, and an operation name database 16 that stores records including rules and operation names in advance.

  FIG. 3 is a diagram showing the configuration of the port number storage unit 15.

  The port number storage unit 15 stores, for example, port numbers from 0 to 1023 called Well-Known ports and protocol names corresponding to the port numbers.

  FIG. 4 is a diagram showing the configuration of the operation name database 16.

  The operation name database 16 stores a record including an operation name of the operation and a rule applied at the time of the operation for a plurality of types of operations. The rule is expressed by, for example, an expression. For the operation name, the center vector generated by the operation pattern extraction unit 12 and the threshold th are stored in association with each other later.

  FIG. 5 is a flowchart showing the flow of processing in the preparation period before detecting an operation. The processing in FIG. 5 is performed before an operation is detected, that is, in advance.

  S1: The input unit 11 receives only packets including a source IP address, a source MAC address, a destination IP address, and a destination MAC address corresponding to the IP address and MAC address of the device 2 acquired in advance over a certain period. Then, it is stored in a storage area (not shown) in association with the reception time. This period is a period during which a single operation is performed on the device 2, and is, for example, one month.

  S2: Next, the operation pattern extraction unit 12 calculates, for each of a plurality of protocols, a feature amount that is a data amount of a packet corresponding to the protocol in the unit time for each predetermined unit time. The unit time is preferably the time of the operation performed in the shortest time, and here is 1 second.

  FIG. 6 is a detailed flowchart of step S2 in FIG.

  S21: The operation pattern extraction unit 12 includes all packets received in one month, a packet group composed of packets received in unit time from the start of packet reception to one second later, and the subsequent one second (unit time). Are grouped as follows: a packet group made up of packets received in the next step, a packet group made up of packets received in the next 1 second (unit time), and so on.

  Next, the operation pattern extraction unit 12 performs S22 to S26 for each packet in one packet group. Further, the operation pattern extraction unit 12 performs the same process for each of the other packet groups.

  S22: The operation pattern extraction unit 12 refers to the header of the target packet and determines whether the packet protocol is TCP or UDP.

  S23: If the protocol is TCP or UDP (S22: YES), the operation pattern extraction unit 12 acquires the destination port number from the header of the packet, and whether or not the same port number is stored in the port number storage unit 15 Determine.

  S24: If the protocol is not TCP and UDP (S22: NO), or if the port number is not stored in the port number storage unit 15 (S23: NO), the operation pattern extraction unit 12 is the highest level of the packet. Get protocol name of. When the port number is not stored in the port number storage unit 15 (S23: NO), TCP or UDP is acquired (S24).

  S25: If the port number is stored in the port number storage unit 15 (S23: YES), the operation pattern extraction unit 12 acquires the protocol name corresponding to the port number. Here, HTTP or the like is acquired.

  S26: When the operation pattern extraction unit 12 acquires the protocol name (S24, S25), the operation pattern extraction unit 12 determines the target data for the total data amount (initially initialized to 0) of all packets of the protocol name in the corresponding packet group. The data amount of the packet is added, and the process ends.

  Hereinafter, the total data amount is referred to as a feature amount.

  Returning to FIG. 5, the description will be continued.

  S3: For a plurality of unit times, the operation pattern extraction unit 12 generates a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time.

  For example, the operation pattern extraction unit 12 first includes a feature vector composed of feature amounts for each protocol name calculated for a packet group corresponding to each unit time included in the first time W (referred to as a time window) in one month. Is generated. Here, the time window W is 1 minute.

  Here, in order to facilitate understanding, the feature quantity of the protocol name i in the unit time j is expressed as f (i, j), and the total number of protocol names is m.

  Specifically, the operation pattern extraction unit 12 includes feature vectors {f (1,1), f (1,2),..., F (1,60), f (2,1), f (2,2 ,..., F (m, 1), f (m, 2),..., F (m, 60)}. That is, the operation pattern extraction unit 12 generates a feature vector including feature amounts calculated for 60 continuous unit times (1 minute).

  Next, the operation pattern extraction unit 12 includes feature values for each protocol name calculated for the packet group corresponding to each unit time included in the first time W of the period excluding the first time S in one month. Generate a feature vector. The time window W is also 1 minute, and S is 30 seconds.

  Specifically, the operation pattern extraction unit 12 includes feature vectors {f (1,31), f (1,32),..., F (1,90), f (2,31), f (2,32 , ..., f (m, 31), f (m, 32), ..., f (m, 90)}.

  In other words, the operation pattern extraction unit 12 slides the time window W for a certain time S, and similarly generates a feature vector composed of feature amounts corresponding to the time window W.

  Similarly, the operation pattern extraction unit 12 slides the time window W by S, generates a feature vector each time, and terminates the process if a part of the time window W exceeds the end point of one month. .

  The time window W and the slide amount S are not limited to 1 minute and 30 seconds.

  S4: Next, the operation pattern extraction unit 12 generates a plurality of clusters from the generated plurality of feature vectors based on the similarity between the feature vectors. Each feature vector is included in one of the clusters.

  Here, the operation pattern extraction unit 12 uses, for example, the k-means method which is one of the non-hierarchical clustering methods. That is, the operation pattern extraction unit 12 first sets the number of clusters to 2 and obtains an intra-group sum of squares that is the sum of the distances between the center vector of the cluster and the feature vector included in the cluster. Next, the operation pattern extraction unit 12 increases the number of clusters by 1, and calculates the in-group square sum and the decrease amount. This is performed up to the number of clusters n. For example, n is x times the number of operations on the device 2 (x is W / S). Next, the operation pattern extraction unit 12 generates clusters so as to be the same as the number of clusters after the increase when the amount of decrease is the largest.

  S5: Next, the operation pattern extraction unit 12 generates, for each cluster, the center vector of the feature vector in the cluster, searches the operation name database 16 for a record including a rule that matches the center vector, and The center vector is associated with the operation name in the record. That is, the operation pattern extraction unit 12 determines what operation each cluster indicates.

  In S5, the operation pattern extraction unit 12 selects the top three elements (features) corresponding to the unit time for each unit time in all the center vectors.

  In S5, next, the operation pattern extraction unit 12 extracts an element (feature amount) corresponding to the protocol name from all the center vectors for each protocol name, and obtains the median value of the extracted feature amounts.

  In S5, next, the operation pattern extraction unit 12 selects a feature quantity for a feature quantity other than the feature quantity selected as the top three if it is 10 times or more the corresponding median value.

  FIG. 7 is a diagram illustrating the center vector and the median value.

  Here, for easy understanding, the total number m of protocol names is 12, the number of unit times corresponding to one central vector is 5, and the central vector is shown in the form of a matrix.

  In the center vector of FIG. 7A, as shown in the background of the dot pattern, the feature quantities of TCP, DNS, and HTTP included in the top three are selected in the unit times 1 and 2, and in the unit time 3, the top level is selected. The feature quantities of TCP and HTTP included in the three are selected. There is no feature amount more than 10 times the median.

  In the center vector of FIG. 7B, as shown by the background of the dot pattern, in the unit time 1, the feature quantities of TCP, HTTP, and IMAP included in the top three are selected. Further, as shown by the background of the diagonal line pattern, a DNS feature amount that is 10 times or more the median value is selected.

  In S5, the operation pattern extraction unit 12 searches the operation name database 16 for a record including a rule that matches the selected feature quantity pattern of the center vector, and associates the center vector with the operation name in the record. .

  In S5, for example, as shown in FIG. 7A, TCP, DNS, and HTTP are selected in the first half frame, and TCP, HTTP, and IMAP are selected in the second half frame, and conform to the mail reception rules in FIG. Therefore, the center vector of FIG. 7A is associated with the operation name “mail reception”.

  S6: Next, the operation pattern extraction unit 12 calculates, for each cluster, an average value of the distances between the feature vectors in the cluster and the center vector of the cluster, for example, the inverse of the average value is calculated as the center vector. At the same time, the threshold value th used in the operation detection described later is stored in the operation name database 16 in association with the center vector, and the process is terminated.

  FIG. 8 is a flowchart showing the flow of processing when detecting an operation.

  The process of FIG. 8 is performed when an operation is detected after the process of FIG. Here, it is assumed that the process of FIG.

  S31: The input unit 11 transmits only packets including the source IP address, the source MAC address, the destination IP address, and the destination MAC address corresponding to the IP address and MAC address of the device 2 over the same one minute as the time window W. Receive.

  S32: The operation detection unit 13 uses the received packet to calculate a feature amount that is a data amount of a packet corresponding to the protocol in the unit time for each protocol for each unit time.

  That is, in S32, the operation detection unit 13 performs the processes of steps S22 to S26 in FIG. 6 on the received packet.

  S33: Next, the operation detection unit 13 generates a feature vector including the feature amount.

  That is, in S33, the operation detection unit 13 generates a feature vector as if the feature vector was generated in step S3 of FIG.

  S <b> 34: Next, the operation detection unit 13 calculates the similarity between the feature vector and the center vector for each center vector in the operation name database 16.

  In S <b> 34, the operation detection unit 13 calculates the distance d between the feature vector and the center vector, for example, using equation (1), for example, calculates the reciprocal of the distance d, and sets this as the similarity. That is, the similarity is increased as the distance is smaller.

ここで、ｘｉは、特徴ベクトルのプロトコル名ｉに対応する特徴量、
ｙｉは、中心ベクトルのプロトコル名ｉに対応する特徴量、
ｍは、プロトコル名の総数である。

Here, xi is a feature quantity corresponding to the protocol name i of the feature vector,
yi is a feature amount corresponding to the protocol name i of the center vector,
m is the total number of protocol names.

  S35: Next, the operation detection unit 13 reads the threshold th stored in association with the center vector corresponding to the maximum value of similarity from the operation name database 16, and determines whether or not the maximum value of similarity is equal to or greater than the threshold. To do.

  If the maximum value of the similarity is less than the threshold value (S35: NO), the operation detection unit 13 ends the process.

  S36: If the maximum value of the similarity is equal to or greater than the threshold (S35: YES), the operation detection unit 13 reads the operation name associated with the center vector corresponding to the maximum value from the operation name database 16.

  S37: Next, the output unit 14 displays the read operation name on, for example, a display device (not shown), and the process ends.

  In the first embodiment, in step S6, the smaller the distance is, the higher the threshold is, and in step S34, the smaller the distance is, the higher the similarity is. In step S35, whether the maximum similarity is greater than or equal to the threshold. If the maximum value of the similarity is greater than or equal to the threshold value, the operation name corresponding to the maximum value is read in step S36. In step S6, for example, the distance is set as the threshold value, and in step S34, the distance is determined as the similarity level. In step S35, it is determined whether or not the minimum value of the similarity is equal to or less than the threshold value. If the minimum value of the similarity is equal to or less than the threshold value, the operation name corresponding to the minimum value may be read in step S36. That is, the former process is substantially the same as the latter process.

  That is, in any case, the process of S36 is a process of reading the operation name associated with the center vector corresponding to the maximum value from the operation name database if the maximum value of the similarity is equal to or greater than a predetermined threshold value.

  In the first embodiment, the feature amount is calculated for each protocol. For example, the feature amount may be calculated for each destination of the packet.

  In the first embodiment, the integrated value of the packet data amount is used as the feature amount. However, for example, the total number of packets may be used as the feature amount.

  Therefore, the operation detection device 1 according to the first embodiment is an operation detection device that detects an operation on the device 2 based on a packet used for the device 2 to perform communication. , The operation name database 16 in which a record including the operation name of the operation and a rule applied at the time of the operation is stored, and included in the header of the packet for each unit time in the period before detecting the operation First feature amount calculation means (step S2) for calculating a feature amount of a packet corresponding to the predetermined information in the unit time for each of the predetermined information, and starting from the unit time for a plurality of unit times in advance First feature vector generation means (step S3) for generating a feature vector composed of feature amounts calculated for a plurality of predetermined continuous unit times; Cluster generation means (step S4) for generating a plurality of clusters from a plurality of feature vectors based on the similarity between the feature vectors, and for each cluster, a center vector of the feature vectors in the cluster is generated, and the operation name A record including a rule that matches the center vector is searched from the database, and a center vector generating means (step S5) for associating the center vector with an operation name in the record, and a unit time in a period for detecting the operation In addition, for each piece of predetermined information included in the header of the packet, second feature amount calculation means (step S32) for calculating the feature amount of the packet corresponding to the predetermined information in the unit time, from the feature amount Second feature vector generation means (step S33) for generating a feature vector For each center vector, the similarity calculation means (step S34) for calculating the similarity between the feature vector and the center vector, and if the maximum value of the similarity is equal to or greater than a predetermined threshold, the operation name database corresponds to the maximum value. Operation name reading means (step S36) for reading the operation name associated with the center vector to be performed, the feature vector and the center vector indicate a plurality of feature amount increase / decrease patterns. An operation on the device 2 can be detected.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. In the second embodiment, the same or similar apparatus and apparatus configuration as those in the first embodiment are used, and the same or similar elements are redundantly described by using the reference numerals used in the first embodiment. For brevity, the description will focus on matters different from the first embodiment.

  In the second embodiment, the processing in step S4 is different from that of the first embodiment as follows, and the others are the same as those in the first embodiment.

  S4: The operation pattern extraction unit 12 determines whether or not there is a rule that matches the feature vector in the operation name database 16 for each of the plurality of feature vectors generated in step S3, and for each rule that is determined to match, A cluster composed of feature vectors matching the rule is generated.

  Here, the presence or absence of a rule that matches the feature vector is determined by pattern matching.

  In S4, first, the operation pattern extraction unit 12 generates, for each rule, a cluster including a plurality of feature vectors indicating the operation of the operation name corresponding to the rule, and the protocol name used in communication at the time of the operation. Associate a set with the cluster.

  In S4, the operation pattern extraction unit 12 next selects the top three elements (features) corresponding to the unit time for each unit time in all feature vectors.

  Next, in S4, the operation pattern extraction unit 12 extracts an element (feature amount) corresponding to the protocol name from all feature vectors for each protocol name, and obtains the median value of the extracted feature amounts.

  In S4, next, the operation pattern extraction unit 12 selects a feature quantity if the feature quantity other than the feature quantity selected as the top three is 10 times or more the corresponding median value.

  In S4, next, the operation pattern extraction unit 12 sets, for each feature vector, a set of protocol names corresponding to the feature quantity selected as the top three or 10 times the median and the protocol name associated with the cluster. Are compared, and if the set matches the set of protocol names corresponding to one of the clusters (that is, if the rule and the feature vector match), the feature vector is included in the cluster. If it does not match the set of protocol names associated with any cluster, there is a possibility that an operation not defined by the rule has been performed. For example, it is included in another operation cluster.

  Therefore, according to the operation detection apparatus 1 according to the second embodiment, for a plurality of types of operations, an operation name database in which records including operation names of the operations and rules applied at the time of the operations are stored. 16 and a feature amount of a packet corresponding to the predetermined information in the unit time is calculated for each predetermined information included in the header of the packet for each unit time in a period before detecting the operation. And a first feature vector for generating a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time, for a plurality of unit times. The generation unit (step S3) and each of the plurality of feature vectors conforms to the feature vector in the operation name database 16 For each rule determined to be suitable, a cluster generation means for generating a cluster of feature vectors that conform to the rule (step S4 in the second embodiment), and for each cluster Generating a center vector of feature vectors in the cluster, searching a record including a rule matching the center vector from the operation name database, and associating the center vector with an operation name in the record (Step S5) and, for each unit time in the period during which the operation is detected, a feature amount of the packet corresponding to the predetermined information in the unit time is calculated for each predetermined information included in the header of the packet. 2 feature quantity calculating means (step S32) and generating a feature vector comprising the feature quantity Second feature vector generation means (step S33), similarity calculation means (step S34) for calculating the similarity between the feature vector and the center vector for each of the center vectors, and a maximum similarity value in advance. If it is equal to or more than the predetermined threshold value, the operation name reading means (step S36) for reading the operation name associated with the center vector corresponding to the maximum value from the operation name database is provided. This indicates an increase / decrease pattern of the amount. Therefore, an operation on the device 2 can be detected by the increase / decrease pattern.

  Also, in the second embodiment, noise data is less mixed and feature vectors that do not conform to the rules can be excluded from the cluster as compared to the method of the first embodiment performed by a non-hierarchical clustering method or the like. Then, the generated center vector becomes more accurate. As a result, the operation can be detected more accurately.

[Third embodiment]
Next, a third embodiment of the present invention will be described. In the third embodiment, the same or similar apparatus and apparatus configuration as those in the first or second embodiment are used, and the same or similar reference numerals used in the first embodiment or the like are used for the same or similar elements. Therefore, the description will be omitted, and the description will focus on matters different from the first embodiment.

  In the third embodiment, the feature values obtained in steps S2 and S32 are standardized with respect to the first embodiment, and the others are the same as those in the first embodiment.

  That is, in S2 (first feature value calculation means), for example, when the feature value for one month is obtained, the operation pattern extraction unit 12 selects a feature value corresponding to the protocol name for each protocol name. The feature amount is converted (standardized) so that the average is 0 and the variance is 1.

  In S32 (second feature amount calculating means), for example, if the operation detection unit 13 calculates a feature amount for one minute, for each protocol name, select a feature amount corresponding to the protocol name, The feature quantity is converted (standardized) so that the average is 0 and the variance is 1.

  According to the third embodiment, since the feature amount is standardized, even an operation using a protocol with a small number of packets can be detected.

[Fourth embodiment]
Next, a fourth embodiment of the present invention will be described. In the fourth embodiment, the same or similar apparatus and apparatus configuration are used in the first, second or third embodiment, and the same or similar elements are used in the first embodiment or the like. The description will be omitted, and the description will focus on matters that are different from the first embodiment.

  In the fourth embodiment, the feature vectors obtained in steps S3 and S33 are normalized with respect to the first embodiment, and the others are the same as in the first embodiment.

  That is, in S3 (first feature vector generation means), when the operation pattern extraction unit 12 obtains a feature vector, the feature vector is calculated so that the size of the feature vector becomes 1 for each feature vector. Convert (normalize).

  In S33 (second feature vector generating means), when the operation detection unit 13 obtains the feature vector, the operation detection unit 13 converts (normalizes) the feature vector so that the size of the feature vector becomes 1.

  According to the fourth embodiment, since the feature vector is normalized, the feature vector indicates the ratio of the data amount of the packet when the corresponding operation is performed, that is, whether the data amount is large or small is irrelevant. Therefore, even an operation using a protocol with a small number of packets can be detected.

[Fifth embodiment]
Next, a fifth embodiment of the present invention will be described. In the fifth embodiment, the same or similar apparatus and apparatus configuration are used in the first, second, third or fourth embodiment, and the same or similar elements are used in the first embodiment or the like. The overlapping description will be omitted by using the reference numerals used, and the description will be focused on matters different from the first embodiment.

  The fifth embodiment differs from the first embodiment in the method for obtaining the threshold value in step S6 and the processing from S34 onward, and is otherwise the same as the first embodiment.

  In S6, the operation pattern extraction unit 12 obtains, for each cluster, the similarity sim (cosine similarity) between each feature vector in the cluster and the center vector of the cluster using Expression (2).

ここで、ｘは、特徴ベクトル、
ｙは、中心ベクトル、
ｘ・ｙは、ｘとｙの積、
｜ｘ｜は、ｘの長さ、
｜ｙ｜は、ｙの長さである。

Where x is a feature vector,
y is the center vector,
x · y is the product of x and y,
| X | is the length of x,
| Y | is the length of y.

  The similarity sim decreases as the angle between the feature vector and the center vector decreases.

  In S6, the operation pattern extraction unit 12 next calculates the average of the similarity sim and sets this as the threshold th corresponding to the central vector.

  In S <b> 34, the operation detection unit 13 calculates, for each center vector in the operation name database 16, the similarity between the feature vector and the center vector using Expression (2).

  In S35, the operation detection unit 13 reads the threshold th stored in association with the center vector corresponding to the minimum value of similarity from the operation name database 16, and determines whether the minimum value of similarity is equal to or less than the threshold.

  In S36, if the minimum value of the similarity is equal to or less than the threshold value (S35: YES), the operation detection unit 13 reads the operation name associated with the center vector corresponding to the minimum value from the operation name database 16.

  In step S6, the reciprocal of the average value of the similarity sim is set as a threshold, that is, the threshold is increased as the angle between the feature vector and the center vector is smaller. In step S34, the reciprocal of the similarity sim is set as the similarity. That is, the smaller the angle between the feature vector and the center vector is, the higher the similarity is. In step S35, it is determined whether or not the maximum value of the similarity is equal to or greater than a threshold value. In step S37, the operation name corresponding to the maximum value may be read. That is, the process of the fifth embodiment is substantially the same as such a process.

  Therefore, in the fifth embodiment, the smaller the angle between the feature vector and the center vector, the higher the similarity, and if the maximum value of the similarity is equal to or greater than a threshold, the center vector corresponding to the maximum value from the operation name database. The operation name associated with is read out.

  By the way, in the first to fifth embodiments, it is determined that the operation is different because the packet pattern is different even in the same operation due to the influence of the packet data generated even when the operation is not performed. Or it may be determined that there is no corresponding operation. In the sixth embodiment, this problem is solved.

[Sixth embodiment]
Next, a sixth embodiment of the present invention will be described. In the sixth embodiment, the same or similar apparatus and apparatus configuration as those in the first, second, third, fourth, or fifth embodiment are used, and the same or similar elements are used in the first embodiment. The duplicated explanation is omitted by using the reference numerals used in the form and the like, and the explanation is focused on matters different from the first embodiment and the like.

  In the sixth embodiment, at the time of operation pattern extraction, a feature vector is separated into a feature vector at a time when the operation is not likely to be performed and a feature vector at a time when the operation is likely to be performed. Then, a packet pattern at a time when there is no possibility of operation is learned as a noise pattern and stored. Further, with respect to a feature vector similar to a noise pattern, noise is removed from the feature vector by obtaining a difference of the noise pattern vector from the feature vector. Similarly, at the time of detecting an operation, for a feature vector similar to the noise pattern, a noise pattern vector difference is obtained from the feature vector, and the noise is removed.

  FIG. 9 is a block diagram illustrating a schematic configuration of the operation detection device 1A. The operation detection device 1 </ b> A replaces the operation detection device 1.

  The operation detection device 1 </ b> A is a device that detects what operation is performed on the device 2 based on a packet used by the device 2 (for example, a PC (personal computer)) to perform communication. The operation here includes not only an operation by a user (so-called manual operation) but also an operation due to an external factor (for example, power interruption at the time of a power failure, etc.). Operation by an application installed in the device 2 (that is, apparently automatic processing) is not included. The device to be detected is not limited to a PC.

  The operation detection apparatus 1A includes an input unit 11, an operation pattern extraction unit 12, an operation detection unit 13, an output unit 14, a port number storage unit 15, an operation name database 16, and a noise database 17.

  FIG. 10 is a diagram showing the configuration of the noise database 17.

  In the noise database 17, a center vector obtained by processing described later by the operation pattern extraction unit 12 and a threshold value th are stored in association with each other.

  FIG. 11 is a flowchart illustrating a process flow in a preparation period before an operation is detected in the sixth embodiment.

  Steps S1 to S3 are the same as the processing in FIG.

  S4: The operation pattern extraction unit 12 converts the feature vector generated in S3 into a feature vector in a time that the user of the device may perform an operation and a feature vector in a time that the user may not perform an operation. To divide.

  For example, a time when there is no possibility that the user will perform an operation is given in advance to the operation detection device by the user. The time when the user is likely to perform the operation is, for example, a time other than the time when the user is not likely to perform the operation.

  Alternatively, the operation pattern extraction unit 12 automatically detects a time when there is no possibility of the user performing an operation. For example, if the time during which the packet flow rate is equal to or less than a predetermined threshold continues for a certain period, the operation pattern extraction unit 12 determines that this is the time when the user is not likely to perform an operation. In this case, the operation pattern extraction unit 12 sets the time when the user may perform an operation other than the time when the user does not perform the operation.

  Here, a feature vector within a time that the user may perform an operation is referred to as an operation time feature vector, and a feature vector within the time that the user is not likely to perform an operation is referred to as a noise time feature vector.

  Note that feature quantities (such as the number of protocols) other than the packet flow rate may be used. Since the number of protocols used in packets generated when the user is not operating is limited (small), there is no possibility that the user will perform an operation depending on whether the number of protocols included in the unit time is less than or equal to the threshold value. It is thought that time can be estimated and time that is not.

  S5: Next, the operation pattern extraction unit 12 generates a plurality of clusters (hereinafter referred to as noise clusters) from the plurality of noise time feature vectors based on the similarity between the noise time feature vectors. Each noise time feature vector is included in one of the clusters.

  Here, the operation pattern extraction unit 12 uses, for example, the k-means method which is one of the non-hierarchical clustering methods. That is, the operation pattern extraction unit 12 first sets the number of clusters to 2 and obtains an intra-group sum of squares that is the sum of the distances between the center vector of the cluster and the feature vector included in the cluster. Next, the operation pattern extraction unit 12 increases the number of clusters by 1, and calculates the in-group square sum and the decrease amount. This is performed up to the number of clusters n. For example, n is 50. Next, the operation pattern extraction unit 12 generates clusters so as to be the same as the number of clusters after the increase when the amount of decrease is the largest.

  S6: Next, the operation pattern extraction unit 12 generates, for each noise cluster, a center vector of the noise time feature vector in the noise cluster, and a distance between each noise time feature vector in the noise cluster and the center vector. For example, the reciprocal number of the average value is stored in the noise database 17 in association with the center vector as a threshold th_n used in later-described operation vector generation and operation detection together with the center vector.

  S7: Next, the operation pattern extraction unit 12 calculates the similarity between the operation time feature vector and each central vector of the noise database 17 for each operation time feature vector.

  In S7, the operation pattern extraction unit 12 calculates the distance d between the operation time feature vector and the center vector by, for example, the expression (1) of the first embodiment, for example, calculates the reciprocal of the distance d, and calculates this. Similarity. That is, the similarity is increased as the distance is smaller.

  In equation (1), xi is a feature amount corresponding to the protocol name i of the operation time feature vector, yi is a feature amount corresponding to the protocol name i of the center vector, and m is the total number of protocol names.

  S8: Next, the operation pattern extraction unit 12 reads the threshold value th_n stored in association with the center vector corresponding to the maximum value of the similarity for each operation time feature vector from the noise database 17, and the maximum value of the similarity is It is determined whether or not the threshold value is exceeded.

  If the maximum value of the similarity is less than the threshold (S8: NO), the operation pattern extraction unit 12 takes the corresponding operation time feature vector as an input in S10.

  S9: If the maximum value of the similarity is greater than or equal to the threshold (S8: YES), the operation pattern extraction unit 12 calculates a difference between the corresponding operation time feature vector and the center vector corresponding to the maximum value, and uses the difference as a feature. A vector as a quantity (referred to as difference feature vector) is generated.

  S10: Next, the operation pattern extraction unit 12 calculates the interval between the feature vectors from the plurality of feature vectors including the corresponding operation time feature vector and the difference feature vector when the maximum value of the similarity is less than the threshold (S8: NO). A plurality of clusters (referred to as operation clusters) are generated on the basis of the similarity. Each feature vector is included in any operation cluster.

Here, the same processing as the clustering processing of S5 is performed.
S11: Next, the operation pattern extraction unit 12 generates a center vector of the feature vector in the operation cluster for each operation cluster, and searches the operation name database 16 for a record including a rule that matches the center vector. The center vector is associated with the operation name in the record. That is, the operation pattern extraction unit 12 determines what operation each operation cluster indicates.

  In S11, the operation pattern extraction unit 12 selects the top three elements (features) corresponding to the unit time for each unit time in all the center vectors.

  Next, in S11, the operation pattern extraction unit 12 extracts an element (feature amount) corresponding to the protocol name from all the center vectors for each protocol name, and obtains the median value of the extracted feature amounts.

  Next, in S11, the operation pattern extraction unit 12 selects a feature quantity for a feature quantity other than the feature quantity selected as the top three if it is 10 times or more the corresponding median value.

  As described with reference to FIG. 7, here, in order to facilitate understanding, the total number m of protocol names is 12, the number of unit times corresponding to one central vector is 5, and the central vector is a matrix format. It shows with.

  In the center vector of FIG. 7A, as shown in the background of the dot pattern, the feature quantities of TCP, DNS, and HTTP included in the top three are selected in the unit times 1 and 2, and in the unit time 3, the top level is selected. The feature quantities of TCP and HTTP included in the three are selected. There is no feature amount more than 10 times the median.

  In the center vector of FIG. 7B, as shown by the background of the dot pattern, in the unit time 1, the feature quantities of TCP, HTTP, and IMAP included in the top three are selected. Further, as shown by the background of the diagonal line pattern, a DNS feature amount that is 10 times or more the median value is selected.

  In S11, the operation pattern extraction unit 12 searches the operation name database 16 for a record including a rule that matches the selected feature amount pattern of the center vector, and associates the center vector with the operation name in the record. .

  In S11, for example, as shown in FIG. 7A, TCP, DNS, and HTTP are selected in the first half frame, and TCP, HTTP, and IMAP are selected in the second half frame, and conform to the mail reception rule in FIG. Therefore, the center vector of FIG. 7A is associated with the operation name “mail reception”.

  S12: Next, the operation pattern extraction unit 12 calculates, for each operation cluster, an average value of the distances between the feature vectors in the operation cluster and the center vector of the operation cluster, and, for example, calculates the reciprocal of the average value. The threshold value th used in operation detection described later together with the center vector is stored in the operation name database 16 in association with the center vector, and the process is terminated.

  FIG. 12 is a flowchart showing the flow of processing when detecting an operation in the sixth embodiment.

  Steps S31 to S33 are the same as the processing in FIG.

  S <b> 34: For each feature vector, the operation detection unit 13 calculates the similarity between the feature vector and each center vector of the noise database 17.

  Here, the same similarity calculation method as in S7 is used.

  S35: Next, for each feature vector, the operation detection unit 13 reads the threshold th_n stored in the noise database 17 in association with the center vector corresponding to the maximum value of the similarity from the noise database 17, and the maximum value of the similarity Is determined to be greater than or equal to a threshold value.

  If the maximum value of the similarity is less than the threshold value (S35: NO), the operation detection unit 13 takes the corresponding feature vector as an input in S37.

  S36: If the maximum value of the similarity is greater than or equal to the threshold (S35: YES), the operation detection unit 13 calculates a difference between the corresponding feature vector and the center vector corresponding to the maximum value, and uses the difference as a feature amount. A vector (difference feature vector) is generated.

  S37: Next, for each center vector in the operation name database 16, the operation detection unit 13 has the similarity to each difference feature vector and the maximum value of the similarity calculated in S34 less than the threshold (S35: NO). The similarity with each feature vector is calculated.

In S37, the same similarity calculation method as in S7 is used.
S38: Next, the operation detection unit 13 reads the threshold th stored in association with the center vector corresponding to the maximum value of similarity from the operation name database 16, and determines whether or not the maximum value of similarity is equal to or greater than the threshold th. judge.

  If the maximum value of the similarity is less than the threshold value (S38: NO), the operation detection unit 13 ends the process.

  S39: If the maximum value of the similarity is equal to or greater than the threshold (S38: YES), the operation detection unit 13 reads the operation name associated with the center vector corresponding to the maximum value from the operation name database 16.

  S40: Next, the output unit 14 displays the read operation name on a display device (not shown), for example, and ends the process.

  Therefore, the operation detection device 1A according to the sixth embodiment is an operation detection device that detects an operation on the device based on a packet used for the device to perform communication. An operation name database 16 storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector, and a center generated based on a packet at a time when the user is not likely to perform the operation Corresponding to the predetermined information in the unit time for each of the predetermined information included in the header of the packet for each unit time in the noise database 17 in which the record including the vector is stored and the period before the operation is detected A first feature amount calculating means (step S2) for calculating a feature amount of a packet to be transmitted, and for a plurality of unit times, First feature vector generation means (step S3) for generating a feature vector composed of feature amounts calculated for a plurality of predetermined continuous unit times starting, and a user of the device operating the plurality of feature vectors A feature vector dividing means (step S4) for dividing an operation time feature vector that is a time feature vector that is likely to be performed into a noise time feature vector that is a time feature vector that is not likely to be operated by the user; Noise cluster generating means (step S5) for generating a plurality of noise clusters from a plurality of the noise time feature vectors based on the similarity between the noise time feature vectors, and for each noise cluster, the noise in the noise cluster Generates the center vector of the time feature vector and stores it in the noise database First center vector generation means (step S6) for generating, and, for each operation time feature vector, first similarity calculation means for calculating the similarity between the operation time feature vector and each center vector of the noise database ( Step S7) and generating a difference feature vector having a feature amount as a difference between a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value. 1 difference feature vector generation means (steps S8 and S9) and similarity between the feature vectors from the plurality of feature vectors including the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value Operation cluster generating means (step S10) for generating a plurality of operation clusters based on the Generating a center vector of feature vectors in the operation cluster, searching the operation name database for a record including a rule matching the center vector, and associating the center vector with an operation name in the record; For each of the predetermined information included in the header of the packet for each unit time in the period during which the center vector generating means (step S11) detects the operation, the feature amount of the packet corresponding to the predetermined information in the unit time Second feature quantity calculating means (step S32) for calculating, second feature vector generating means (step S33) for generating a feature vector composed of the feature quantity, and for each feature vector, the feature vector and the Second similarity calculation means for calculating similarity with each central vector of the noise database (step S34), and calculating a difference between the corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value, and calculating a difference feature vector having the difference as a feature amount. Second difference feature vector generation means (steps S35 and S36) to be generated, and for each center vector in the operation name database, the similarity between each difference feature vector and the similarity calculated by the second similarity calculation means Third similarity calculation means (step S37) for calculating the similarity with each corresponding feature vector when the maximum value of the degree is equal to or greater than a threshold; and if the maximum value of the similarity is equal to or greater than a predetermined threshold, In other words, operation name reading means (step S39) for reading the operation name associated with the center vector corresponding to the maximum value from the operation name database is provided. For example, the operation is performed by learning the packet pattern of the time when the operation is not performed in advance as a noise pattern and removing a similar noise pattern from the feature vector of the operation pattern extraction target and the feature vector of the operation detection target. It is possible to eliminate the influence of packet data generated even when there is not, and to solve the problem.

(Modification)
In S10 of the sixth embodiment, an operation name database is provided for each of the operation time feature vector and the difference feature vector (collectively referred to as feature vector) for which the maximum similarity is less than the threshold (S8: NO). It may be determined whether or not there is a rule that matches the feature vector in 16, and an operation cluster including feature vectors that match the rule may be generated for each rule that is determined to be matched.

  The presence / absence of a rule that matches the feature vector can be determined by pattern matching, as in the second embodiment.

  When the rule is used in S10 as described above, in S11, for each operation cluster, a center vector of the operation cluster is generated, and a record including a rule corresponding to the operation cluster is searched from the operation name database 16, The center vector may be associated with the operation name in the record.

  Therefore, the operation detection device 1A according to the modification of the sixth embodiment is an operation detection device that detects an operation on the device based on a packet used for communication by the device, and includes a plurality of types of operation detection devices. Generated based on the operation name database 16 in which a record including the operation name of the operation, the rule applied at the time of the operation, and the central vector is stored, and a packet of a time when the user is not likely to perform the operation. The noise database 17 in which the record including the center vector is stored and the predetermined information in the unit time for each of the predetermined information included in the header of the packet for each unit time in the period before the operation is detected. A first feature amount calculating means (step S2) for calculating a feature amount of the packet corresponding to the information, and the unit for a plurality of unit times. A first feature vector generating means (step S3) for generating a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from a time; A feature vector dividing means for dividing an operation time feature vector that is a time feature vector that is likely to be operated and a noise time feature vector that is a time feature vector that is not likely to be operated by the user (step S4) ), Noise cluster generation means (step S5) for generating a plurality of noise clusters from a plurality of the noise time feature vectors based on the similarity between the noise time feature vectors, and for each noise cluster, Generating a center vector of the noise time feature vector of the noise database. A first center vector generation unit (step S6) to be stored in a first similarity calculation for calculating a similarity between each operation time feature vector and each center vector of the noise database for each operation time feature vector; Means (step S7) and generating a difference feature vector having a feature amount as a difference between a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value The first difference feature vector generation means (steps S8 and S9), the operation time feature vector when the maximum value is less than the threshold value, and each of the plurality of feature vectors including the difference feature vector. Determine whether there is a rule that matches the feature vector in the name database. , Operation cluster generation means (step S10) for generating an operation cluster composed of feature vectors conforming to the rule, a center vector of the operation cluster is generated for each operation cluster, and the operation cluster is generated from the operation name database. And a second center vector generating means (step S11) for searching for a record including a rule corresponding to, and associating the center vector with an operation name in the record, and a packet for each unit time in the period for detecting the operation. Second feature amount calculation means (step S32) for calculating a feature amount of a packet corresponding to the predetermined information in the unit time for each of the predetermined information included in the header, and a feature vector comprising the feature amount Second feature vector generation means (step S33) for generating Second similarity calculation means (step S34) for calculating the similarity between the feature vector and each central vector of the noise database, and the case where the maximum value of the similarity is equal to or greater than a predetermined threshold Second difference feature vector generation means (steps S35 and S36) for calculating a difference between the feature vector of the first and a center vector corresponding to the maximum value, and generating a difference feature vector having the difference as a feature amount, and the operation For each central vector in the name database, the similarity with each of the difference feature vectors and the similarity with each corresponding feature vector when the maximum similarity calculated by the second similarity calculation means is equal to or greater than a threshold value If the third similarity calculation means (step S37) to be calculated and the maximum value of the similarity is equal to or greater than a predetermined threshold, the operation name database Since operation name reading means (step S39) for reading the operation name associated with the center vector corresponding to the maximum value is provided, in other words, a packet pattern of a time when no operation is performed in advance is learned as a noise pattern. By removing similar noise patterns from the operation pattern extraction target feature vector and the operation detection target feature vector, it is possible to eliminate the influence of packet data that occurs even when no operation is performed. Can be solved.

  The computer program for causing the computer to function as the operation detection device according to each embodiment can be recorded on a computer-readable recording medium such as a semiconductor memory, a magnetic disk, an optical disk, a magneto-optical disk, or a magnetic tape. It can be widely distributed by being transmitted via a communication network such as the Internet.

DESCRIPTION OF SYMBOLS 1, 1A Operation detection apparatus 11 Input part 12 Operation pattern extraction part 13 Operation detection part 14 Output part 15 Port number memory | storage part 16 Operation name database 17 Noise database

Claims (6)

An operation detection device that detects an operation on the device based on a packet used for communication by the device,
For a plurality of types of operations, an operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector;
A noise database in which a record including a center vector generated based on a packet at a time when the user is not likely to perform an operation is stored;
A first feature amount for calculating a feature amount of a packet corresponding to the predetermined information in the unit time for each of predetermined information included in the header of the packet for each unit time in a period before detecting the operation. A calculation means;
First feature vector generation means for generating a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time for a plurality of unit times;
The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by the user of the device and a noise time feature vector that is a time feature vector that is not likely to be operated by the user. Feature vector dividing means for dividing
Noise cluster generating means for generating a plurality of noise clusters based on the similarity between the noise time feature vectors from the plurality of noise time feature vectors;
For each noise cluster, first center vector generation means for generating a center vector of a noise time feature vector in the noise cluster and storing the center vector in the noise database;
First similarity calculation means for calculating a similarity between the operation time feature vector and each central vector of the noise database for each operation time feature vector;
A first difference feature vector that generates a difference feature vector having a difference between a corresponding operation time feature vector and a center vector corresponding to the maximum value when the maximum value of the similarity is equal to or greater than a predetermined threshold. Generating means;
An operation cluster generating means for generating a plurality of operation clusters from a plurality of feature vectors including the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold; ,
For each operation cluster, generate a center vector of the feature vector in the operation cluster, search the operation name database for a record including a rule that matches the center vector, and use the center vector as the operation name in the record Second center vector generating means for associating with
Second feature amount calculation means for calculating, for each unit time, the feature amount of the packet corresponding to the predetermined information in the unit time for each unit time in the period for detecting the operation When,
Second feature vector generation means for generating a feature vector comprising the feature amount;
For each feature vector, second similarity calculation means for calculating the similarity between the feature vector and each central vector of the noise database;
Calculating a difference between a corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value, and generating a difference feature vector having the difference as a feature amount Differential feature vector generation means of
For each center vector in the operation name database, the similarity with each difference feature vector and the similarity with the corresponding feature vector when the maximum value of the similarity calculated by the second similarity calculation means is greater than or equal to a threshold value Third similarity calculation means for calculating the degree;
If the maximum value of the similarity is equal to or greater than a predetermined threshold value, an operation name reading unit is provided that reads an operation name associated with a center vector corresponding to the maximum value from the operation name database. apparatus. An operation detection device that detects an operation on the device based on a packet used for communication by the device,
For a plurality of types of operations, an operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector;
A noise database in which a record including a center vector generated based on a packet at a time when the user is not likely to perform an operation is stored;
A first feature amount for calculating a feature amount of a packet corresponding to the predetermined information in the unit time for each of predetermined information included in the header of the packet for each unit time in a period before detecting the operation. A calculation means;
First feature vector generation means for generating a feature vector composed of feature amounts calculated for a plurality of predetermined unit times starting from the unit time for a plurality of unit times;
The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by the user of the device and a noise time feature vector that is a time feature vector that is not likely to be operated by the user. Feature vector dividing means for dividing
Noise cluster generating means for generating a plurality of noise clusters based on the similarity between the noise time feature vectors from the plurality of noise time feature vectors;
For each noise cluster, first center vector generation means for generating a center vector of a noise time feature vector in the noise cluster and storing the center vector in the noise database;
First similarity calculation means for calculating a similarity between the operation time feature vector and each central vector of the noise database for each operation time feature vector;
A first difference feature vector that generates a difference feature vector having a difference between a corresponding operation time feature vector and a center vector corresponding to the maximum value when the maximum value of the similarity is equal to or greater than a predetermined threshold. Generating means;
For each of a plurality of feature vectors composed of the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value, it is determined whether or not there is a rule that matches the feature vector in the operation name database. Then, for each rule determined, an operation cluster generation means for generating an operation cluster composed of feature vectors that match the rule,
For each operation cluster, a center vector of the operation cluster is generated, a record including a rule corresponding to the operation cluster is searched from the operation name database, and the center vector is associated with the operation name in the record. Two center vector generating means;
Second feature amount calculation means for calculating, for each unit time, the feature amount of the packet corresponding to the predetermined information in the unit time for each unit time in the period for detecting the operation When,
Second feature vector generation means for generating a feature vector comprising the feature amount;
For each feature vector, second similarity calculation means for calculating the similarity between the feature vector and each central vector of the noise database;
Calculating a difference between a corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value, and generating a difference feature vector having the difference as a feature amount Differential feature vector generation means of
For each center vector in the operation name database, the similarity with each difference feature vector and the similarity with the corresponding feature vector when the maximum value of the similarity calculated by the second similarity calculation means is greater than or equal to a threshold value Third similarity calculation means for calculating the degree;
If the maximum value of the similarity is equal to or greater than a predetermined threshold value, an operation name reading unit is provided that reads an operation name associated with a center vector corresponding to the maximum value from the operation name database. apparatus. The feature vector dividing means includes:
The plurality of feature vectors generated by the first feature vector generation unit are divided into an operation time feature vector and a noise time feature vector using the feature amount of the packet and a predetermined threshold value. Item 3. The operation detection device according to Item 1 or 2. An operation method of an operation detection device that detects an operation on the device based on a packet used for communication by the device,
The operation detection device includes:
For a plurality of types of operations, an operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector;
A noise database in which a record including a center vector generated based on a packet of a time at which the user cannot perform an operation is stored;
The operation method is as follows:
A first feature amount calculating means of the operation detecting device;
For each period of time before detecting the operation, for each of the predetermined information included in the header of the packet, calculate the feature amount of the packet corresponding to the predetermined information in the unit time,
A first feature vector generating means of the operation detecting device;
For a plurality of unit times, generate a feature vector composed of feature amounts calculated for a plurality of predetermined continuous unit times starting from the unit time,
The feature vector dividing means of the operation detecting device comprises:
The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by the user of the device and a noise time feature vector that is a time feature vector that is not likely to be operated by the user. Divided into
The noise cluster generating means of the operation detecting device is
Generating a plurality of noise clusters based on the similarity between the noise time feature vectors from the plurality of noise time feature vectors;
A first center vector generating means of the operation detecting device;
For each noise cluster, generate a center vector of the noise time feature vector in the noise cluster, and store it in the noise database;
A first similarity calculating unit of the operation detecting device;
For each operation time feature vector, calculate the similarity between the operation time feature vector and each central vector of the noise database,
A first difference feature vector generating means of the operation detecting device;
A difference feature vector having a feature amount as a difference between a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value;
The operation cluster generation means of the operation detection device comprises:
A plurality of operation clusters are generated based on the similarity between the feature vectors from the plurality of feature vectors including the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value,
A second center vector generating means of the operation detecting device;
For each operation cluster, generate a center vector of the feature vector in the operation cluster, search the operation name database for a record including a rule that matches the center vector, and use the center vector as the operation name in the record To
A second feature amount calculating means of the operation detecting device;
In the period for detecting the operation, for each unit time, for each of the predetermined information included in the header of the packet, the feature amount of the packet corresponding to the predetermined information in the unit time is calculated,
A second feature vector generating means of the operation detecting device;
Generate a feature vector consisting of the feature quantity,
A second similarity calculating means of the operation detecting device;
For each feature vector, calculate the similarity between the feature vector and each central vector of the noise database,
A second difference feature vector generating means of the operation detecting device;
Calculating a difference between the corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value, and generating a difference feature vector having the difference as a feature amount;
A third similarity calculating means of the operation detecting device;
For each center vector in the operation name database, the similarity with each difference feature vector and the similarity with the corresponding feature vector when the maximum value of the similarity calculated by the second similarity calculation means is greater than or equal to a threshold value Calculate the degree,
The operation name reading means of the operation detecting device is
If the maximum value of the similarity is greater than or equal to a predetermined threshold value, the operation name associated with the center vector corresponding to the maximum value is read from the operation name database. An operation method of an operation detection device that detects an operation on the device based on a packet used for communication by the device,
The operation detection device includes:
For a plurality of types of operations, an operation name database storing a record including an operation name of the operation, a rule applied at the time of the operation, and a center vector;
A noise database in which a record including a center vector generated based on a packet of a time at which the user cannot perform an operation is stored;
The operation method is as follows:
A first feature amount calculating means of the operation detecting device;
For each period of time before detecting the operation, for each of the predetermined information included in the header of the packet, calculate the feature amount of the packet corresponding to the predetermined information in the unit time,
A first feature vector generating means of the operation detecting device;
For a plurality of unit times, generate a feature vector composed of feature amounts calculated for a plurality of predetermined continuous unit times starting from the unit time,
The feature vector dividing means of the operation detecting device comprises:
The plurality of feature vectors are an operation time feature vector that is a time feature vector that is likely to be operated by the user of the device and a noise time feature vector that is a time feature vector that is not likely to be operated by the user. Divided into
The noise cluster generating means of the operation detecting device is
Generating a plurality of noise clusters based on the similarity between the noise time feature vectors from the plurality of noise time feature vectors;
A first center vector generating means of the operation detecting device;
For each noise cluster, generate a center vector of the noise time feature vector in the noise cluster, and store it in the noise database;
A first similarity calculating unit of the operation detecting device;
For each operation time feature vector, calculate the similarity between the operation time feature vector and each central vector of the noise database,
A first difference feature vector generating means of the operation detecting device;
A difference feature vector having a feature amount as a difference between a corresponding operation time feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value;
The operation cluster generation means of the operation detection device comprises:
For each of a plurality of feature vectors composed of the corresponding operation time feature vector and the difference feature vector when the maximum value is less than the threshold value, it is determined whether or not there is a rule that matches the feature vector in the operation name database. Then, for each rule determined, an operation cluster composed of feature vectors matching the rule is generated,
A second center vector generating means of the operation detecting device;
For each operation cluster, generate a center vector of the operation cluster, search the operation name database for a record including a rule corresponding to the operation cluster, associate the center vector with the operation name in the record,
A second feature amount calculating means of the operation detecting device;
In the period for detecting the operation, for each unit time, for each of the predetermined information included in the header of the packet, the feature amount of the packet corresponding to the predetermined information in the unit time is calculated,
A second feature vector generating means of the operation detecting device;
Generate a feature vector consisting of the feature quantity,
A second similarity calculating means of the operation detecting device;
For each feature vector, calculate the similarity between the feature vector and each central vector of the noise database,
A second difference feature vector generating means of the operation detecting device;
Calculating a difference between the corresponding feature vector when the maximum value of the similarity is equal to or greater than a predetermined threshold and a center vector corresponding to the maximum value, and generating a difference feature vector having the difference as a feature amount;
A third similarity calculating means of the operation detecting device;
For each center vector in the operation name database, the similarity with each difference feature vector and the similarity with the corresponding feature vector when the maximum value of the similarity calculated by the second similarity calculation means is greater than or equal to a threshold value Calculate the degree,
The operation name reading means of the operation detecting device is
If the maximum value of the similarity is greater than or equal to a predetermined threshold value, the operation name associated with the center vector corresponding to the maximum value is read from the operation name database. A computer program for causing a computer to function as the operation detection device according to claim 1.

Images