JP2017037382A - Abnormal vector detector and abnormal vector detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an abnormal vector detector and an abnormal vector program for detecting an abnormal vector based on a cluster classification of vectors, that can more precisely detect an abnormal vector if there are more than one abnormal clusters.SOLUTION: The abnormal vector detector performs the steps of: classifying a plurality of vectors into the j number of clusters for each of different values of a variable j (j is an integer of 2 or more) (step S4); detecting an abnormal cluster out of the j number of clusters (step S5); executing determination of the degree of abnormality for each vector in the abnormal cluster (step S6); and determining whether each vector is an abnormal vector based on the degree of abnormality of each vector (step S10).SELECTED DRAWING: Figure 3

Description

  The present invention relates to an abnormal vector detection device and an abnormal vector detection program.

  Various methods are known as a method for discriminating between normal data and abnormal data included in a large amount of vector data. For example, Patent Document 1 describes an outlier detection algorithm using a hypersphere.

Satoshi Ando, Hidenobu Suzuki “Detection of outlier clusters by information-theoretic clustering”, [online], October 12, 2008, “5.2 Outlier detection and one-class classification”, [June 2015 Search on the 17th], Internet <URL: http: www.cs.gunma-u.ac.jp/~ando/jsai08_revised.pdf>

  However, the conventional technique has a problem that when there are a plurality of abnormal clusters, the abnormal vector cannot be detected appropriately.

  For example, the algorithm of Non-Patent Document 1 can handle only a single hypersphere.

  The present invention has been made to solve such problems, and provides an abnormal vector detection apparatus and an abnormal vector detection program that can detect an abnormal vector more appropriately when there are a plurality of abnormal clusters. For the purpose.

In order to solve the above-mentioned problems, an abnormal vector detection device according to the present invention is an abnormal vector detection device that detects an abnormal vector from a plurality of vectors,
For different values of variable j (where j is an integer greater than or equal to 2)
-Classifying the plurality of vectors into j clusters;
An abnormal cluster detection step of detecting an abnormal cluster out of the j clusters;
An abnormality degree determining step for determining an abnormality degree for each vector belonging to the abnormal cluster;
An abnormality determination function for executing
And an abnormal vector determination function for determining whether each vector is an abnormal vector based on the degree of abnormality of each vector.

The abnormality degree determination function detects at least one abnormal cluster for a predetermined number of values of j, and the abnormality degree of at least one vector belonging to at least one abnormal cluster is equal to the predetermined number of values. It may be executed until all values of j are the same.
The abnormality determination function is executed for a plurality of different values of the variable i (where i is an integer of 1 or more),
The abnormal cluster detection step may be a step of detecting each cluster as an abnormal cluster when the number of vectors belonging to the cluster is i or less.
The abnormality vector determination function may be executed based on the provisional abnormality degree of each vector calculated for the variables i and j.
In the degree of abnormality determination step, the degree of abnormality of each vector may be calculated based on a distance between the vector and at least one latest support vector belonging to another cluster obtained by SVM.
Each of the vectors represents a value related to communication via a communication network,
The abnormal vector may be a value related to suspicious communication due to the influence of malware or the like.

  The abnormal vector detection program according to the present invention causes a computer to function as the above-described abnormal vector detection device.

  The anomaly vector detection apparatus and the anomaly vector detection program according to the present invention evaluate the anomaly degree while changing the number of clusters for classifying the vector, and therefore more appropriately detect an anomaly vector when there are a plurality of anomaly clusters. be able to.

It is a figure which shows the example of a structure of the abnormal vector detection apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the example of the set of the vector used as the object of abnormal vector detection. It is a flowchart which shows the flow of a process of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG. It is a figure explaining the specific example of operation | movement of the abnormal vector detection apparatus of FIG.

Embodiments of the present invention will be described below based on the accompanying drawings.
Embodiment 1 FIG.
FIG. 1 shows an example of the configuration of an abnormal vector detection apparatus 10 according to Embodiment 1 of the present invention. The abnormal vector detection device 10 is a device that detects an abnormal vector from a plurality of vectors.

  An abnormal vector refers to, for example, one or more vectors having a property different from other vectors among a plurality of vectors. For example, in a set of two-dimensional vectors, when most vectors have large value elements in any dimension, a small number of vectors have small value elements in any dimension. The small number of vectors can be considered anomalous vectors. However, the definition of the abnormal vector is not limited to this, and a well-known definition may be used, or a person skilled in the art may appropriately determine. In addition, the present invention can be implemented even if the mathematical definition of the anomaly vector is not clearly given.

  The abnormal vector detection device 10 includes a configuration as a computer, and includes a calculation unit 20 that performs a calculation and a storage unit 30 that stores information. For example, the computing means 20 includes a CPU (Central Processing Unit), and the storage means 30 includes a storage medium such as a semiconductor memory and an HDD (Hard Disk Drive).

  The storage means 30 stores an abnormal vector detection program. When the computing unit 20 executes this abnormal vector detection program, the computer including the computing unit 20 realizes the function as the abnormal vector detection device 10 described in this specification. That is, the abnormal vector detection program causes the computer to function as the abnormal vector detection device 10.

  Although not particularly illustrated, the abnormal vector detection apparatus 10 includes an input unit (such as a keyboard and / or a mouse) that receives user operations, an output unit (such as a display and / or a printer) that outputs information, and an external device. A network interface for receiving and inputting information to and from the communication network.

  FIG. 2 shows an example of a set of vectors that are targets of abnormal vector detection. The set of vectors includes a plurality of vectors, and in the example of FIG. 2, includes 4229 vectors. In this embodiment, the set of vectors is normalized so that the maximum value is 1 for each dimension. The set of vectors is stored in the storage unit 30, for example.

  In the present embodiment, a vector is data representing a value related to communication by a computer via a communication network (such as the Internet). The value related to communication is represented by, for example, the frequency of communication and the data size. As a specific example, a certain dimension (for example, the vertical axis) is the number of times HTTP requests are issued per hour, and another dimension (for example, the horizontal axis) is the average size of HTTP requests.

  The numerical values constituting each element of the vector are not limited to those relating to communication and network, and can be handled universally if they are vectors of continuous numerical data. In other words, any data that is meaningful for consecutive numbers such as the number of times and size can be handled.

  In the present embodiment, the abnormal vector is a value related to suspicious communication due to the influence of malware or the like, but is not limited thereto. For example, if communication with a frequency or data size that differs greatly from the normal frequency and data size occurs in a certain computer, it can be considered that there is a high possibility that the communication is not normal. The abnormal communication is, for example, suspicious communication or communication by, for example, malware. Here, the malware includes, but is not limited to, computer viruses and other malicious software.

The operation of the abnormal vector detection apparatus 10 configured as described above will be described below.
FIG. 3 is a flowchart illustrating an example of a processing flow of the abnormal vector detection device 10.
First, the computing means 20 of the abnormal vector detection device 10 acquires a set of a plurality of vectors (step S1). Here, each vector may be stored in the storage unit 30 in advance, or may be input via the input unit of the abnormality vector detection apparatus 10, a network interface, or the like.

  Next, the calculation means 20 initializes the variable i (step S2). Here, i is a loop variable for repeatedly executing processing from step S3 to step S7 described later. Further, i is an abnormal cluster detection criterion and represents the number of vectors included in the abnormal cluster. That is, when an abnormal cluster is detected (for example, step S5 described later), a cluster having i or less belonging vectors is determined to be an abnormal cluster.

  The initial value of i (one limit of the loop range) is 1, for example, but this value can be arbitrarily designed as long as it is an integer of 1 or more. The final value of i (the other limit of the loop range) is, for example, 5. However, this value can be arbitrarily designed as long as it is an integer equal to or larger than the initial value.

  Next, the calculation means 20 initializes the variable j (step S3). Here, j is a loop variable for repeatedly executing processes from step S4 to step S7 described later. Further, j represents the number of clusters when performing cluster classification (for example, step S4 described later).

  The initial value of j (one limit of the loop range) is 2, for example, but this value can be arbitrarily designed as long as it is an integer of 2 or more. In the present embodiment, the final value of j (the other limit of the loop range) is not defined. However, the closing price of j may be defined, for example, a value equal to the number of vectors. In the example of FIG. 2, since 4229 vectors are handled, the final value of j may be 4229.

  Next, the computing means 20 classifies all vectors into j clusters (step S4). Here, as a method of classifying a plurality of vectors into a plurality of clusters, for example, the k-means method can be used, but any other method may be used.

  Next, the computing means 20 detects an abnormal cluster from the j clusters obtained in step S4 (step S5, abnormal cluster detection step). For example, for each cluster, when the number of vectors belonging to the cluster is i or less, the cluster is detected as an abnormal cluster. Alternatively, an abnormal cluster may be detected using other known criteria. It can be said that the vector belonging to the abnormal cluster detected here is an abnormal vector candidate (abnormal candidate vector).

  Next, the computing means 20 determines the provisional abnormality degree for each vector belonging to the abnormality cluster (step S6, abnormality degree determination step). Here, the provisional abnormality degree of each vector is calculated based on the distance (for example, Euclidean distance) between the vector and at least one vector belonging to another cluster, for example. This “at least one vector belonging to another cluster” can be selected as a vector closest to the abnormal cluster (or any of the vectors belonging to the abnormal cluster), for example.

  For example, SVM (Support Vector Machine) can be used for the calculation of the distance. When SVM is used, a hyperplane suitable for separating a certain cluster (abnormal cluster) from all other clusters can be obtained. In addition, when SVM is used, a cluster (abnormal cluster) and a vector (support vector) closest to this hyperplane among vectors belonging to another cluster can be obtained for each other cluster. In this case, the degree of abnormality of each vector belonging to the abnormal cluster can be calculated as a distance between the vector and the closest support vector to the vector (recent support vector).

  The calculation cost per vector belonging to the abnormal cluster is the number of clusters −1 [times]. When the SVM is not used, the calculation cost is the total number of vectors −1 [times]. However, the use of the SVM can reduce the number of clusters to −1 [times]. In the present embodiment, for example, calculation of 28-1 = 27 [times] may be sufficient instead of calculation of 4229-1 = 4228 [times] per vector belonging to the abnormal cluster. This effect of reducing the amount of calculation can be obtained even with three-dimensional data or more.

  For vectors that do not belong to an abnormal cluster, the degree of abnormality need not be determined, but may be determined as 0, another constant, or a specific value.

  Next, the calculating means 20 determines whether or not the provisional abnormality degree of the abnormality candidate vector is stable with respect to the change of j (step S7). Here, “stable” may be a state expressed as “converged”.

  Whether or not the provisional abnormality degree of the abnormality candidate vector is stable with respect to the change of j is determined, for example, by detecting at least one abnormality cluster for a predetermined number of values of j and at least one abnormality cluster. It is determined by whether or not at least one vector belonging to and the provisional abnormality degree are the same in all of the predetermined number of j values.

For example, when the predetermined number is “10”, the provisional abnormality degree is stable with respect to a change in j when the provisional abnormality degree of a certain abnormality candidate vector is the same for ten different values of j. It is determined. As a specific example, the provisional abnormality degree of each vector V (p) (where p is a vector index and the value range is an integer from 1 to the number of vectors) is represented as A (p, i, j). In some cases, a certain value p ₁ of p does not belong to an abnormal cluster when vector V (p ₁ ) is 1 ≦ j ≦ 18 (thus not an abnormal candidate vector), and belongs to an abnormal cluster when 19 ≦ j ≦ 28. If it becomes an abnormal candidate vector and A (p ₁ , i, j) = 0.31, it is determined that the temporary abnormal degree of the abnormal candidate vector is stable with respect to the change of j when j = 28. (Note that the determination in step S7 is performed comprehensively in consideration of all vectors. As is clear from the above, it is sufficient that the provisional abnormality degree of at least one abnormality candidate vector is stable, and the unit of vector is sufficient. (Even if there is an abnormality candidate vector whose provisional abnormality degree is not stable when viewed in step S7, the determination in step S7 is not affected.)

In this example, the value of j is continuous, but the value of j may not be continuous. For example, the vector V (p ₁ ) does not belong to the abnormal cluster when 1 ≦ j ≦ 18, and belongs to the abnormal cluster when 19 ≦ j ≦ 23, so that A (p ₁ , i, j) = 0.31, and 24 ≦ j ≦ If it is 26 and does not belong to the abnormal cluster, and 27 ≦ j ≦ 31, it belongs to the abnormal cluster and A (p ₁ , i, j) = 0.31. When the temporary abnormal degree of the abnormal candidate vector is j = 31 Is determined to be stable with respect to changes in j.

  In other words, if the same abnormality candidate vector and its provisional abnormality degree appear intermittently or continuously n times (n = 10 in the above example) while j increases by 1, it is stable or converged. To be judged.

  Alternatively, whether or not the provisional abnormality degree of the abnormality candidate vector is stable with respect to the change of j is determined by detecting at least one abnormality cluster for a predetermined number of “continuous” j values and at least 1 The determination may be made based on whether or not at least one vector belonging to one abnormal cluster and the provisional abnormal degree thereof are the same in all of the predetermined number of consecutive j values.

  When it is determined that the provisional abnormality degree of the abnormality candidate vector is not stable with respect to the change of j, the calculation means 20 changes the value of j to the next value (for example, increases by 1), and performs the processing. Return to step S4. In this way, the calculation means 20 repeatedly executes the processing of steps S4 to S6 (abnormality determination function) for a plurality of values having different j.

  In step S7, when it is determined that the provisional abnormality degree of the abnormality candidate vector is stable with respect to the change of j, the arithmetic unit 20 determines whether or not the loop of i has ended (step S8). For example, if i is equal to a predetermined closing price, it is determined that the loop of i has ended, and otherwise, it is determined that it has not ended.

  If it is determined that the loop of i has not ended, the computing means 20 changes the value of i to the next value (for example, increases it by 1), and returns the process to step S3. In this way, the calculation means 20 repeatedly executes the processes of steps S3 to S7 for a plurality of values having different i. Here, since this loop includes the processing (abnormality determination function) of steps S4 to S6, it can be said that the computing means 20 repeatedly executes the abnormality degree determination function for a plurality of values having different i.

  If it is determined in step S8 that the i loop has been completed, the computing means 20 determines the final abnormality degree of each vector (step S9). The final abnormality degree of each vector is determined based on, for example, the provisional abnormality degree calculated for i and j.

The final abnormality degree of each vector can be calculated as follows, for example. First, for all vectors V (p) that are abnormal candidate vectors and i and j in which the abnormal candidate vectors are detected, provisional abnormality degree A (p, i, j when j is changed ) To obtain the mode value L (p, i). For example, for a given p and i, there are five values of j for which the provisional abnormality degree A (p, i, j) = 0.2, and j values for which the provisional abnormality degree A (p, i, j) = 0.31. If there are ten, the mode L (p, i) = 0.31. When there are a plurality of mode values, the final L (p, i) may be determined based on them, and for example, the smallest one of them may be L (p, i). Next, the value of i that minimizes L (p, i) and the provisional abnormality degree Min _i {L (p, i)} at that time are determined. Next, the value of p that maximizes Min _i {L (p, i)} and the provisional abnormality degree A _m = Max _p [Min _i {L (p, i)}] are determined. Then, the final abnormality degree A _f (p) of each abnormality candidate vector V (p) is calculated as a ratio thereof, that is, A _f (p) = Min _i {L (p, i)} / A _m .

Next, the calculation means 20 determines whether each vector is an abnormal vector based on the final abnormality degree of each vector (step S10, abnormal vector determination function). Here, the final abnormality degree satisfying a predetermined criterion may be determined as an abnormality vector. As the predetermined reference, it may be used whether or not it is a predetermined threshold value or more. For example, based on the above-described final abnormality degree, it is determined that a vector V (p) satisfying A _f (p) ≧ 0.8 is an abnormal vector, and a vector V (p) other than that is determined not to be an abnormal vector. May be.

A specific example of the operation performed by the abnormal vector detection apparatus 10 and the abnormal vector detection program that operate as described above will be described below with reference to the example of FIG.
In the following specific example, the initial value of the variable i is 1 and the final value is 5. The initial value of variable j is 2. The closing price of the variable j is not defined, but may be defined as 4229. The degree of abnormality is calculated as the distance between each vector and the corresponding recent support vector. When at least one abnormality candidate vector has the same provisional abnormality degree for ten different values of j (which may be continuous or discontinuous), the abnormality candidate vector and its provisional abnormality degree Is determined to be stable with respect to changes in j. The criterion for determining an abnormal vector is 0.80. The effective number is two digits.

  In the example of FIG. 2, it is assumed that the vectors X1 to X3 are abnormal vectors that are originally desired to be detected. First, an abnormal cluster is detected with i = 1 (that is, only a cluster including a single vector becomes an abnormal cluster). When j <19 (that is, the number of clusters is less than 19), a plurality of vectors are classified into all clusters, and no abnormal cluster is detected.

  As shown in FIG. 4, when j = 19, cluster C1 including only X1 (0.02, 1.00) appears, and this becomes an abnormal cluster. All other clusters contain two or more vectors and are not anomalous clusters. The latest support vector for X1 (0.02, 1.00) belonging to the abnormal cluster C1 is Y1 (0.03, 0.69), and the temporary abnormality degree of X1, that is, the distance between X1 and Y1 is 0.31. 4 to 7, the cluster that is not an abnormal cluster is not particularly illustrated.

  The same result is obtained when 20 ≦ j ≦ 28. That is, the abnormal cluster is only C1, and the provisional abnormality degree of the vector X1 belonging to this is 0.31. Here, when j = 28, the tentative abnormality degree of the vector X1 is the same for 10 different values of j from 19 to 28 (which are continuous values in this example, but may be intermittent). Then, it is determined that the provisional abnormality degree of the abnormality candidate vector is stable with respect to the change of j. In this way, the i = 1 loop is completed.

  Next, similar processing is executed for i = 2 (that is, a cluster including only two or less vectors becomes an abnormal cluster). When j <14 (that is, the number of clusters is less than 14), three or more vectors are classified into all clusters, and no abnormal cluster is detected.

  As shown in FIG. 5, when j = 14, cluster C2 including only X2 (1.00, 0.00) and X3 (0.98, 0.00) appears, and this becomes an abnormal cluster. All other clusters contain more than two vectors and are not anomalous clusters. The recent support vectors for X2 (1.00, 0.00) and X3 (0.98, 0.00) belonging to the abnormal cluster C2 are both Y5 (0.65, 0.00), and the provisional abnormalities of X2 and X3, that is, the distance from Y5 are each 0.35. And 0.33.

  Similar results are obtained when 15 ≦ j ≦ 18. That is, the abnormal cluster is only C2, and the provisional abnormalities of the vectors X2 and X3 belonging thereto are 0.35 and 0.33, respectively.

  Thereafter, as shown in FIG. 6, when j = 19, a new cluster C1 including only X1 appears, which becomes an abnormal cluster. Further, the cluster C2 including only X2 and X3 still exists and remains an abnormal cluster. All other clusters contain more than two vectors and are not anomalous clusters. The provisional abnormalities of X1, X2, and X3 are 0.31, 0.35, and 0.33, respectively.

Also in the case of 20 ≦ j ≦ 23, the same result as in the case of j = 19 is obtained. When j = 23, the provisional abnormality degree of the abnormal candidate vectors X2 and X3 is the same for 10 different values of j from 14 to 23, so that the provisional abnormality degree of the abnormality candidate vector is stable against the change of j. It is determined that In this way, the i = 2 loop is completed. The provisional abnormality degree of the vector X1 is the same for only five js of 19 ≦ j ≦ 23, but is detected as an abnormality candidate vector here. However, such a vector may not be detected as an abnormal candidate vector.
When i = 3, the same result as when i = 2 is obtained.

  In the case of i = 4, as shown in FIG. 7, the temporary abnormality degree of the abnormality candidate vector is stable at j = 23. In the example of FIG. 7, C1 to C3 are detected as abnormal clusters. C1 includes only X1, C2 includes only X2 and X3, and C3 includes only Y1 to Y4. The recent support vector for X1 (0.02, 1.00) is Y1 (0.03, 0.69). The recent support vector for X2 (1.00, 0.00) and X3 (0.98, 0.00) are both Y5 (0.65, 0.01). The recent support vectors for Y1 (0.03, 0.69), Y2 (0.03, 0.64), Y3 (0.03, 0.62), and Y4 (0.03, 0.60) are all Y6 (0.01, 0.43).

  In the case of i = 5, as shown in FIG. 8, when j = 9, a cluster C4 including only X1 and Y1 to Y4 appears, and this becomes an abnormal cluster. All other clusters contain 6 or more vectors and are not anomalous clusters. The latest support vector for X1 and Y1 to Y4 belonging to the abnormal cluster C4 is Y6. In the case of 1 ≦ i ≦ 4, the recent support vectors of X1 were all Y1, but in the case of i = 5 and j = 9, it becomes Y6 and the provisional abnormality degree is 0.57, which is larger than before. Become.

  Similar results are obtained when 10 ≦ j ≦ 13. That is, the abnormal cluster is only C4, and the provisional abnormalities of the vectors X1 and Y1 to Y4 belonging thereto are 0.57, 0.26, 0.21, 0.19, and 0.17, respectively.

  Thereafter, as shown in FIG. 9, when j = 14, a cluster C4 including only X1 and Y1 to Y4 and a cluster C2 including only X2 and X3 appear, and these become abnormal clusters. All other clusters contain 6 or more vectors and are not anomalous clusters. The provisional abnormalities of X1 to X3 and Y1 to Y4 are 0.57, 0.35, 0.33, 0.26, 0.21, 0.19, and 0.17, respectively.

  In the case of 15 ≦ j ≦ 18, the same result as in the case of j = 14 is obtained. When j = 18, the vectors X1 and Y1 to Y4 and the provisional abnormality degree thereof are the same for 10 different values of j from 9 to 18, so that the provisional abnormality degree of the abnormality candidate vector corresponds to the change of j. Determined to be stable. In this way, the i = 5 loop is completed. Note that the vectors of X2 and X3 and their provisional abnormalities are the same for only five j of 14 ≦ j ≦ 18, but are detected as abnormal candidate vectors here. However, such a vector may not be detected as an abnormal candidate vector.

At this time, organizing by abnormality candidate vector,
-Anomaly candidate vector index p
-Anomaly candidate vector V (p)
-Loop variable i
-Of the recent support vectors w (p, i, j) of V (p), the one that becomes the most frequent when j is changed W (p, i)
Of the provisional abnormality degree A (p, i, j) of −V (p), the mode L (p, i) when j is changed
Are summarized as follows, for example.

p V (p) i W (p, i) L (p, i)
-----------------------------
2064 X1 1 Y1 0.31
2064 X1 2 Y1 0.31
2064 X1 3 Y1 0.31
2064 X1 4 Y1 0.31
2064 X1 5 Y6 0.57
-----------------------------
923 X2 2 Y5 0.35
923 X2 3 Y5 0.35
923 X2 4 Y5 0.35
923 X2 5 Y5 0.35
-----------------------------
899 X3 2 Y5 0.33
899 X3 3 Y5 0.33
899 X3 4 Y5 0.33
899 X3 5 Y5 0.33
-----------------------------
3274 Y1 4 Y6 0.26
3274 Y1 5 Y6 0.26
-----------------------------
3726 Y2 4 Y6 0.21
3726 Y2 5 Y6 0.21
-----------------------------
2317 Y3 4 Y6 0.19
2317 Y3 5 Y6 0.19
-----------------------------
3730 Y4 4 Y6 0.17
3730 Y4 5 Y6 0.17

  In this way, the loop of i ends, and the provisional abnormality degree of each vector is determined. Final abnormalities are calculated only for X1-X3 and Y1-Y4.

In order to calculate the final abnormality level, the same abnormality candidate vectors can be summarized as follows:
-Anomaly candidate vector index p
-Anomaly candidate vector V (p)
-Among the provisional abnormalities A (p, i, j), the mode L (p, i) when j is changed is obtained, and further, the minimum value Min _i {L when i is changed (P, i)}
For example,
p V (p) Min _i {L (p, i)}
2064 X1 0.31
923 X2 0.35
899 X3 0.33
3274 Y1 0.26
3726 Y2 0.21
2317 Y3 0.19
3730 Y4 0.17

The abnormality candidate vector that maximizes Min _i {L (p, i)} is X2, that is, p = 923, and the provisional abnormality degree A _m = Max _p [Min _i {L (p, i)}] = 0.35. From these, the final abnormalities of X1 to X3 and Y1 to Y4 are as follows.
X1 (0.02, 1.00)… 0.31 / 0.35 ≒ 0.89 ≥ 0.80
X2 (1.00, 0.00)… 0.35 / 0.35 ≒ 1.00 ≥ 0.80
X3 (0.98, 0.00)… 0.33 / 0.35 ≒ 0.94 ≥ 0.80
Y1 (0.03, 0.69)… 0.26 / 0.35 ≒ 0.74 <0.80
Y2 (0.03, 0.64)… 0.21 / 0.35 ≒ 0.60 <0.80
Y3 (0.02, 0.62)… 0.19 / 0.35 ≒ 0.54 <0.80
Y4 (0.03, 0.60)… 0.17 / 0.35 ≒ 0.49 <0.80

  From the above, it is determined that X1 to X3 whose final abnormality level is equal to or higher than the abnormality vector determination standard are abnormal vectors (true abnormality vectors), and Y1 to Y4 whose final abnormality level is less than the abnormality vector determination standard are It is determined that the vector is not an abnormal vector (or is a false abnormal vector).

  As described above, the abnormal vector detection device 10 and the abnormal vector detection program according to Embodiment 1 of the present invention detect an abnormal vector from among a plurality of vectors. Here, the abnormal vector detection apparatus 10 and the abnormal vector detection program evaluate the degree of abnormality while changing the number of clusters that classify the vector. Therefore, when there are a plurality of abnormal clusters (when the number of abnormal clusters is unknown). The abnormal vector can be detected more appropriately.

  For example, by detecting an abnormal vector from vectors having the frequency and data size of communication by a computer as values, it becomes easy to find suspicious communication due to the influence of malware or the like.

  Moreover, since the provisional abnormality degree is evaluated by changing the detection criterion of the abnormal cluster based on the variable i, more appropriate detection is possible regardless of the density of the abnormal vector distribution. For example, in the example of FIG. 2, when i = 1, the abnormal cluster C1 is detected first, and when i = 2, the abnormal cluster C2 is detected first. The stable abnormal cluster may be different. According to the first embodiment, the results for different values of i can be comprehensively considered, so that appropriate detection can be performed in such a case.

In the first embodiment, the following modifications can be made.
The loop of variable i may be omitted. That is, the number of vectors serving as a reference for detecting an abnormal cluster may be fixed.

  In the first embodiment, the closing price of the variable j is not defined, but the closing price of the variable j may be defined. In that case, for example, a step for determining whether or not j has reached the closing price may be provided between step S6 and step S7, and if j has reached the closing price, the process may proceed to step S8. Note that the closing price of j may be set as appropriate. The maximum closing price that can be set is the number of vectors.

  In the first embodiment, the provisional abnormality degree is waited for stabilization as in step S7, but the stabilization may not be waited for. For example, j may be looped to the closing price in the same manner as i.

  In the first embodiment, the vectors are two-dimensional as shown in FIG. 2, but an abnormal vector can be similarly detected for a set of vectors of three or more dimensions.

  In Embodiment 1, each vector represents a value related to communication via the communication network, but may represent another value. For example, it may relate to sports, and may represent values such as the number of strikes, the number of strikes, the goal, the defense rate, etc. of a baseball player (for example, a pitcher). If it does in this way, useful information can be obtained when determining appointment of the next year of each player by detecting an abnormal vector. In addition, it is possible to handle various data for general purposes.

  In the first embodiment, the vector set is normalized as shown in FIG. 2, but a non-normalized set may be used. In that case, the abnormal vector detection apparatus 10 may have a function of normalizing a set of vectors. When a set is normalized, the degree of anomaly can be evaluated with equal weight for each dimension. However, it is not normalized when such evaluation is unnecessary or when any dimension is particularly important. A set may be used.

  10. Abnormal vector detection device, X1-X3, Y1-Y6 vectors (X1-X3 abnormal candidate vectors and abnormal vectors, Y1-Y4 abnormal candidate vectors), C1-C4 clusters (abnormal clusters).

Claims (7)

An anomaly vector detection device for detecting an anomaly vector from a plurality of vectors,
For different values of variable j (where j is an integer greater than or equal to 2)
-Classifying the plurality of vectors into j clusters;
An abnormal cluster detection step of detecting an abnormal cluster out of the j clusters;
An abnormality degree determining step for determining an abnormality degree for each vector belonging to the abnormal cluster;
An abnormality determination function for executing
An abnormal vector detection device, comprising: an abnormal vector determination function that determines whether each vector is an abnormal vector based on the degree of abnormality of each vector.   The abnormality degree determination function detects at least one abnormal cluster for a predetermined number of values of j, and the abnormality degree of at least one vector belonging to at least one abnormal cluster is equal to the predetermined number of values. The abnormal vector detection device according to claim 1, which is executed until all values of j are the same. The abnormality determination function is executed for a plurality of different values of the variable i (where i is an integer of 1 or more),
The abnormal vector detection step according to claim 1 or 2, wherein the abnormal cluster detection step is a step of detecting each cluster as an abnormal cluster when the number of vectors belonging to the cluster is i or less. apparatus.   The abnormality vector detection device according to claim 3, wherein the abnormality vector determination function is executed based on a provisional abnormality degree of each vector calculated for variables i and j.   5. The abnormality degree determination step according to claim 1, wherein in the abnormality degree determination step, the abnormality degree of each vector is calculated based on a distance between the vector and at least one recent support vector belonging to another cluster obtained by SVM. The abnormal vector detection device according to any one of the above. Each of the vectors represents a value related to communication via a communication network,
The abnormal vector is a value related to suspicious communication due to the influence of malware, etc.
The anomaly vector detection device according to any one of claims 1 to 5.   An abnormal vector detection program for causing a computer to function as the abnormal vector detection device according to any one of claims 1 to 6.

Images