JP2017219947A - Abnormality detection device, abnormality detection method and abnormality detection program - Google Patents


Publication number
JP2017219947A
Authority
JP
Japan
Prior art keywords
power consumption
heat source
server
space
model
Legal status
Granted
Application number
JP2016112486A
Other languages
Japanese (ja)
Other versions
JP6675608B2 (en)
Inventor
Osamu Akashi
Noboru Mano
Shigeto Matsuoka
Current Assignee
Nippon Telegraph and Telephone Corp
Osaka University NUC
Original Assignee
Nippon Telegraph and Telephone Corp
Osaka University NUC
Application filed by Nippon Telegraph and Telephone Corp, Osaka University NUC
Priority to JP2016112486A
Publication of JP2017219947A
Application granted
Publication of JP6675608B2
Legal status: Active

Landscapes

  • Air Conditioning Control Device (AREA)
  • Power Sources (AREA)

Abstract

PROBLEM TO BE SOLVED: To enable the detection of a parasite attack that cannot be detected by network log management and traffic monitoring.

SOLUTION: An abnormality detection device includes a detection unit 11, an information processing unit 12 and a storage unit 13. The storage unit 13 stores each power model learned by a learning procedure. The information processing unit 12 acquires processing information of a server 83 and an air conditioner 82 and notifies the detection unit 11 of the processing information. The detection unit 11 compares the processing information acquired from the information processing unit 12, power information of a single server 83 acquired from each server 83, and power information of the entire data center 81 acquired from the server 83 and the air conditioner with the power models stored in the storage unit 13 to detect a parasite attack.

SELECTED DRAWING: Figure 11

Description

The present disclosure relates to an abnormality detection device, method, and program.

Attacks on information security, such as DDoS (Distributed Denial of Service) attacks carried out over the network against data centers, communication facilities, and the various servers of companies and the like, have become a major social problem. In a DDoS attack, a large number of computers distributed across multiple networks simultaneously send connection requests to a specific network or computer, overflowing its communication capacity and stopping it from functioning. Because any publicly exposed server can become a target of such attacks, the social loss is enormous. For this reason, various countermeasures are taken, such as detecting and protecting against large-scale traffic and suspiciously behaving communication through external network log management and traffic monitoring, and registering attacker information in advance so that communication from those attackers is not accepted (Non-Patent Document 1).

On the other hand, parasite attacks have become a social problem. Once a server or the like has been infected by some means, for example because no information about the attacker was available in advance and the attacker was let through, or because a user connected a memory device or the like rather than going through the network, the attack generates abnormal processing inside the server without generating any communication on the network, and as a result causes a power-down. Because a parasite attack that causes such a power-down does not involve communication, power consumption has to be monitored. In that case, however, it is impossible to tell, for a given task (legitimate load), which power value is the correct one and which is power drawn under attack, and so it cannot be detected and judged as an abnormality. That is, with the method of Non-Patent Document 1 there is the essential problem that a parasite attack is difficult to detect with ordinary network monitoring and analysis techniques, or cannot be detected even when power is monitored.

An attack that involves communication with communication devices, servers, and the like can be analyzed by detecting the communication directly or by analyzing logs. In contrast, in a parasite attack, in which a virus or the like that has already intruded causes a power-down by abnormally increasing the internal operation of a device without communicating with the outside, there is the problem that the attack cannot be detected by direct monitoring of communication or by log analysis, because no external communication is involved.

Naturally, virus detection has a certain effect, but intrusion may occur by taking advantage of, for example, a migration that spans multiple data centers, and ordinary detection is often difficult. It is therefore necessary to analyze the change in power of each device with high accuracy and thereby detect a state in which more operation than originally expected is being executed inside the device.

Non-Patent Document 1: http://www.cisco.com/web/JP/product/hs/security/tad/prodlit/xt5600_ds.html
Non-Patent Document 2: Kazumasa Kitada, Yasushi Nakamura, Kazuhiro Matsuda, Shigeto Matsuoka, "Construction of a data center power consumption simulator that combines numerical fluid analysis and a power consumption model", IEICE NS/IN Technical Committee, February 25, 2016

An object of the present disclosure is to make it possible to detect a parasite attack that cannot be detected by network log management or traffic monitoring.

In the present disclosure, the presence or absence of a "parasite" is detected by learning the normal power consumption pattern in advance and then monitoring power consumption and comparing it with that pattern.

Specifically, the abnormality detection device according to the present disclosure includes a detection unit that holds a heat source device power consumption model indicating power consumption and temperature change with respect to the operation amount of a heat source device and that, upon acquiring the operation amount of the heat source device and a first power consumption measurement value, obtains the difference between the first power consumption measurement value and a first predicted value of the power consumption of the heat source device after it has operated at that operation amount, derived using the heat source device power consumption model, and detects an abnormality of the heat source device using that difference.

The detection unit may hold a space power consumption model indicating power consumption and temperature change in the space in which the heat source device is placed and, upon acquiring a set temperature and a second power consumption measurement value for the space, obtain the difference between the second power consumption measurement value and a second predicted value of the power consumption of the space when set to that set temperature, derived using the space power consumption model, and detect an abnormality of the space using that difference.

Specifically, the abnormality detection method according to the present disclosure includes a detection procedure that holds a heat source device power consumption model indicating power consumption and temperature change with respect to the operation amount of a heat source device and that, upon acquiring the operation amount of the heat source device and a first power consumption measurement value, obtains the difference between the first power consumption measurement value and a first predicted value of the power consumption of the heat source device after it has operated at that operation amount, derived using the heat source device power consumption model, and detects an abnormality of the heat source device using that difference.

In the detection procedure, a space power consumption model indicating power consumption and temperature change in the space in which the heat source device is placed may be held and, upon acquiring a set temperature and a second power consumption measurement value for the space, the difference between the second power consumption measurement value and a second predicted value of the power consumption of the space when set to that set temperature, derived using the space power consumption model, may be obtained and an abnormality of the space detected using that difference.

Specifically, the abnormality detection program according to the present disclosure is a program for causing a computer to implement each function of the abnormality detection device according to the present disclosure, and a program for causing a computer to execute each procedure of the abnormality detection method according to the present disclosure. The abnormality detection program may be recorded on a computer-readable recording medium.

According to the present disclosure, the presence or absence of a "parasite" can be detected easily by learning the normal power consumption pattern in advance and then monitoring power consumption and comparing it with that pattern.

FIG. 1 is a configuration example of a data center.
FIG. 2 shows an example of the abnormality detection method according to the embodiment.
FIG. 3 shows an example of the power model of a single server.
FIG. 4 shows an example of the power model of a single air conditioner.
FIG. 5 shows an example of the transition of the power consumption of all servers when the task is changed.
FIG. 6 shows an example of the transition of the power consumption of the air conditioner when the task is changed.
FIG. 7 shows an example of the transition of the power consumption of the entire data center and of the servers when the task is not changed.
FIG. 8 shows an example of the power model of the entire data center.
FIG. 9 shows an example of the transition of the power consumption of the entire data center in the normal and abnormal cases.
FIG. 10 shows an example of the transition of the power consumption of a server in the normal and abnormal cases.
FIG. 11 shows a configuration example of the abnormality detection device according to the embodiment.
FIG. 12 shows a specific example of the detection procedure.
FIG. 13 shows an example of another form of the detection procedure.

Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings. The present disclosure is not limited to the embodiments shown below. These embodiments are merely examples, and the present disclosure can be implemented with various modifications and improvements based on the knowledge of those skilled in the art. In this specification and the drawings, components with the same reference numerals denote the same components.

The abnormality detection device according to the embodiment builds an individual power model for each component (server) in advance, predicts the power consumption when a given task is assigned, and, when consumption exceeds that predicted value, determines that abnormal operation such as a parasite attack is occurring inside the device.

Furthermore, if a power model of the entire data center is built in addition to the individual power models, then even when tasks are distributed within the data center, it can be determined that abnormal operation such as a parasite attack is occurring inside the devices when consumption greatly exceeds the predicted value.

FIG. 1 shows a configuration example of a data center. The data center 81 includes ICT (Information and Communication Technology) devices such as servers and routers, which act as heat sources, and an air conditioner 82 that cools them. In the following embodiment, for ease of understanding, the case where the heat source device, such as an ICT device, is the server 83 is described. Accordingly, the heat source device power consumption model is referred to as the server power consumption model.

The power consumption of the entire data center 81 is mainly the sum of the power consumption of all the servers 83 and the power consumption of the air conditioner 82. However, the power consumption of each component depends strongly on its operating conditions: for the server 83, the CPU (Central Processing Unit) utilization, the intake temperature and the air volume (the air-conditioning settings); for the air conditioner 82, the set temperature and air volume, the power consumed by the servers 83 (the amount of heat to be handled), the return temperature, and so on. Therefore, to predict the power consumption of the entire data center 81 accurately for a given task amount (processing amount), these operating conditions have to be made explicit and captured by learning (see, for example, Non-Patent Document 2).

FIG. 2 shows an example of the abnormality detection method according to the embodiment. The detection procedure is as follows.
Learning procedure S101: Using machine learning, the abnormality detection device grasps in advance the space power consumption model of the entire data center 81 for the case where a given task (processing) is assigned normally.
Monitoring procedure S102: The abnormality detection device constantly monitors the transition of power consumption during operation and, when processing is performed, analyzes the difference from the power consumption grasped in advance.
Detection procedure S103: The abnormality detection device determines the presence or absence of a parasite attack using the difference obtained by the analysis.

For the learning in the learning procedure S101, it is preferable to take the following points into account.
  • The power consumption of the server 83 varies greatly with the processing amount of the server 83 and with the temperature and volume of the air supplied by the air conditioning. The processing amount of the server 83 is, for example, the operating status of its CPU and memory.
  • The power consumption of the air conditioner 82 varies greatly with the power consumption of the server 83 (the power the air conditioning has to handle), the return temperature or supply air temperature, and the air volume.
  • Based on these, the server power consumption model of a single server 83, the air conditioning power consumption model of a single air conditioner 82, and the space power consumption model of the entire data center 81 are each grasped individually.

In the learning procedure S101, operation data of the servers 83 and the air conditioner 82 is input to the abnormality detection device in advance. The server operation data is data in which information on the power consumption of the servers 83 placed in the data center 81 has been collected for each server 83. The abnormality detection device creates a power consumption model for each server model type (the server power consumption model) by machine learning using the operation data of the servers 83. The air conditioner operation data is data in which information on the power consumption of the air conditioners 82 placed in the data center 81 has been collected for each air conditioner 82. The abnormality detection device creates an air conditioning power consumption model, which is a power consumption model for each model type of air conditioner 82, by machine learning using the operation data of the air conditioners 82. These models are obtained by operating the equipment in advance under various conditions and measuring the power.

FIG. 3 shows an example of the server power consumption model of a single server 83. It is an example of how the power consumption (W) of a single server 83 changes under various operating conditions (CPU utilization (%), intake air temperature (°C)). The server power consumption model is built by operating a server 83 on its own. It suffices to create one server power consumption model per model type of server 83; the model does not have to be created using the servers 83 actually placed in the data center 81.

FIG. 4 shows an example of the air conditioning power consumption model of a single air conditioner 82. It is an example of how the power consumption (kW) of a single air conditioner 82 changes under various operating conditions (set air volume (%), set temperature (°C)). In FIG. 4, the set air volume of the air conditioner 82 is shown, as one example, as a percentage of the maximum rotation speed of the fan. The temperature is the supply air temperature of the air that the air conditioner 82 supplies to the data center 81. It suffices to create one air conditioning power consumption model per model type of air conditioner 82; the model does not have to be created using the air conditioner 82 actually placed in the data center 81.

FIG. 5 and FIG. 6 show an example of the power consumption of all servers and of the air conditioner when the task (processing) is changed. They compare the measured power consumption (all servers, air conditioner) with the power consumption predicted by machine learning (all servers, air conditioner) when the task (amount of processing) is changed. It can be seen that the power consumption of all the servers is predicted with an accuracy of 5% on average.

FIG. 7 shows an example of the total power consumption of the data center when the task is held constant and the air-conditioning outlet temperature is changed. Unlike FIG. 5 and FIG. 6, it is an example of the transition of the power consumption of the servers 83 and of the entire data center 81 when the task (processing amount) is held constant and the operating conditions (air-conditioning outlet temperature) are changed. It can be seen that the power consumption of the entire data center 81 changes even for the same processing amount.

FIG. 8 shows an example of the power consumption model of the entire data center 81. It is an example of the space power consumption model and shows how the power consumption of the data center 81 changes under various operating conditions. wind-max and wind-min are air volumes of the air conditioner 82. By grasping the power consumption for all operating conditions in advance through learning in this way, the presence or absence of an attack can be detected from the increase in power consumption that occurs under attack.

FIG. 9 and FIG. 10 each show a comparison between the normal power consumption transition LN and the power consumption transition under attack LA. FIG. 9 shows the data center 81 as a whole, and FIG. 10 shows an individual server 83. As shown in the preceding figures, the power consumption LN when a given task (processing amount) is assigned can be predicted accurately (to within 7% for a single server and 5% for the power of the entire data center) on the basis of the power models learned in advance (single server, or total data center power). Power consumption that has risen above that value, such as the transitions LA1 and LA2 shown in FIG. 10 and the transition LA shown in FIG. 9, can therefore be judged to be a parasite attack.

In a typical parasite attack, as the power consumption transitions LA1 and LA2 in FIG. 10 show, a steady load is often applied continuously. Using the power consumption pattern learned in advance, loads that occur in bursts (power increases) can therefore be ignored, and a parasite attack can be detected easily from the steadily increased power consumption value. In the embodiment, a state in which power consumption is steadily increased by 20% or more is judged to be a parasite attack, and the response is to reduce the power consumption of that server and disconnect it from the network.

FIG. 11 shows the configuration of the abnormality detection device of the embodiment. The abnormality detection device includes a detection unit 11, an information processing unit 12, and a storage unit 13. The storage unit 13 stores each power model learned in the learning procedure S101. The information processing unit 12 acquires processing information of the servers 83 and the air conditioner 82 and notifies the detection unit 11 of it. The detection unit 11 compares the processing information obtained from the information processing unit 12, the power information of each single server 83 obtained from each server 83, and the power information of the entire data center 81 obtained from the servers 83 and the air conditioner 82 with the power models stored in the storage unit 13, and detects a parasite attack.

The power information of a single server 83 consists of the parameters of the server power consumption model, for example the CPU utilization and the intake air temperature. The power information of the entire data center 81 consists of the parameters of the space power consumption model, for example the number of servers and the set temperature of the air conditioner 82.

FIG. 12 shows the operation of the abnormality detection device in the detection procedure S103. In the monitoring procedure S102, the detection unit 11 monitors the transition of power consumption during operation and, when computation (a task) is performed on each server 83, analyzes the difference from the power consumption grasped in advance.

The detection unit 11 compares the predicted power consumption of the entire data center 81 with the measured power consumption (S111), and if the difference between the predicted value and the measured value exceeds a set value (Yes in S111), proceeds to step S112.

The detection unit 11 compares the predicted power consumption of each server 83 with the measured power consumption (S112), and if the difference between the predicted value and the measured value exceeds a set value (Yes in S112), proceeds to step S113.

The detection unit 11 compares the transition of the measured power consumption of each server 83 with the server power consumption model and detects a parasite attack (S113). For example, when the power consumption of a server 83 is at or above a set value and that state has continued beyond a set time, the detection unit 11 determines that the server 83 is under a parasite attack. When it detects a parasite attack (Yes in step S113), the detection unit 11 notifies the information processing unit 12 of control information instructing that the power consumption of the server 83 on which the parasite attack was detected be reduced. On receiving this notification, the information processing unit 12 reduces the power consumption of the notified server 83 and disconnects it from the network (S114).

As shown in FIG. 13, step S111 may be omitted from the detection procedure S103. The abnormality detection device according to the embodiment may also be realized by causing a computer to function as the detection unit 11 and the information processing unit 12. In this case, each component is realized by the computer executing a computer program stored in the storage unit 13. The device of the embodiment can thus be realized by a computer and a program, and the program can be recorded on a recording medium or provided over a network.
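The flow from S101 through S113 as an added Python example, not code from the patent: a least-squares linear server model stands in for the unspecified machine-learning model, and the hold time, the S111/S112 set values, the server names and every sample reading are constructed assumptions. Only the 20% steady-increase criterion is taken from the embodiment.

```python
# Added illustration; all readings below are constructed sample data.
STEADY_EXCESS = 0.20  # from the embodiment: steady increase of 20% or more
HOLD_SAMPLES = 5      # assumed "set time", in consecutive samples
DC_SET = 0.05         # assumed set value for S111 (whole data center)
SERVER_SET = 0.07     # assumed set value for S112 (single server)


def fit_power_model(samples):
    """S101: fit watts ~ a + b*cpu + c*intake from (cpu_pct, intake_c, watts)."""
    rows = [((1.0, float(c), float(t)), float(w)) for c, t, w in samples]
    # Normal equations (X^T X | X^T w), solved by Gauss-Jordan with pivoting.
    m = [[sum(x[i] * x[j] for x, _ in rows) for j in range(3)]
         + [sum(x[i] * w for x, w in rows)] for i in range(3)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return tuple(m[i][3] / m[i][i] for i in range(3))


def predict(coef, cpu_pct, intake_c):
    """Expected power for the reported load and intake temperature."""
    return coef[0] + coef[1] * cpu_pct + coef[2] * intake_c


def sustained(excess, level=STEADY_EXCESS, hold=HOLD_SAMPLES):
    """S113: True only if the excess stays >= level for `hold` samples in a row,
    so short bursts of load are ignored."""
    run = 0
    for e in excess:
        run = run + 1 if e >= level else 0
        if run >= hold:
            return True
    return False


def detect(coef, servers, aircon, skip_s111=False):
    """servers: {name: [(cpu_pct, intake_c, measured_w), ...]}
    aircon: [(predicted_w, measured_w), ...] from a separately learned model.
    Returns the servers to hand to the S114 response (not implemented here)."""
    if not skip_s111:  # S111: data-center-wide predicted vs measured
        dc_excess = []
        for i, (ac_pred, ac_meas) in enumerate(aircon):
            pred = ac_pred + sum(predict(coef, s[i][0], s[i][1])
                                 for s in servers.values())
            meas = ac_meas + sum(s[i][2] for s in servers.values())
            dc_excess.append((meas - pred) / pred)
        if max(dc_excess) <= DC_SET:
            return []
    flagged = []
    for name, series in servers.items():
        excess = [(w - predict(coef, c, t)) / predict(coef, c, t)
                  for c, t, w in series]
        if max(excess) <= SERVER_SET:  # S112: within the set value
            continue
        if sustained(excess):          # S113: steady, not a burst
            flagged.append(name)
    return flagged


def constructed_scenario(with_parasite=True):
    """Three servers reporting 40% CPU at 22 C intake for 20 samples."""
    train = [(c, t, 100 + 1.5 * c + 2.0 * t)
             for c in range(0, 101, 10) for t in range(18, 31, 2)]
    coef = fit_power_model(train)
    normal = 100 + 1.5 * 40 + 2.0 * 22  # 204 W expected for the reported load
    burst = [300.0 if i in (3, 4) else normal for i in range(20)]
    hidden = [normal * 1.3 if with_parasite and i >= 8 else normal
              for i in range(20)]

    def series(watts):
        return [(40.0, 22.0, w) for w in watts]

    servers = {"srv-a": series([normal] * 20),
               "srv-b": series(burst),    # two-sample burst, legitimate
               "srv-c": series(hidden)}   # steady +30% with no reported load
    aircon = [(300.0, 300.0)] * 20
    return coef, servers, aircon


if __name__ == "__main__":
    print(detect(*constructed_scenario()))
```

In the constructed data the burst on srv-b passes S111 and S112 but is rejected at S113, which is the behaviour the embodiment describes for burst loads.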

(Effect of embodiment)
In this embodiment, an internal "parasite attack", which cannot be detected by external network log management and traffic monitoring that look for large-scale traffic or suspiciously behaving communication, can be detected easily, provided only that the power consumption pattern of each device, such as the servers of a data center, communication facility or company, has been obtained in advance by learning. Because this technique detects a "parasite" attack by monitoring power consumption alone and requires no detection or analysis involving the details of communications, it also has advantages for operational security and privacy.

The present disclosure can be applied to the information and communication industry.

11: Detection unit
12: Information processing unit
13: Storage unit
81: Data center
82: Air conditioner
83: Server

Claims (5)

An abnormality detection device comprising a detection unit that holds a heat source device power consumption model indicating power consumption and temperature change with respect to an operating amount of a heat source device, and that, upon acquiring the operating amount of the heat source device and a first power consumption measurement value, obtains the difference between a first predicted value of the power consumption of the heat source device after it operates at the operating amount, derived using the heat source device power consumption model, and the first power consumption measurement value, and detects an abnormality of the heat source device using the difference.

The abnormality detection device according to claim 1, wherein the detection unit holds a space power consumption model indicating power consumption and temperature change in a space in which the heat source device is arranged, and, upon acquiring a set temperature and a second power consumption measurement value for the space, obtains the difference between a second predicted value of the power consumption of the space when set to the set temperature, derived using the space power consumption model, and the second power consumption measurement value, and detects an abnormality of the space using the difference.

An abnormality detection method comprising a detection procedure of holding a heat source device power consumption model indicating power consumption and temperature change with respect to an operating amount of a heat source device, and, upon acquiring the operating amount of the heat source device and a first power consumption measurement value, obtaining the difference between a first predicted value of the power consumption of the heat source device after it operates at the operating amount, derived using the heat source device power consumption model, and the first power consumption measurement value, and detecting an abnormality of the heat source device using the difference.

The abnormality detection method according to claim 3, wherein, in the detection procedure, a space power consumption model indicating power consumption and temperature change in a space in which the heat source device is arranged is held, and, upon acquiring a set temperature and a second power consumption measurement value for the space, the difference between a second predicted value of the power consumption of the space when set to the set temperature, derived using the space power consumption model, and the second power consumption measurement value is obtained, and an abnormality of the space is detected using the difference.

An abnormality detection program for causing a computer to execute the procedure according to claim 3 or 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016112486A JP6675608B2 (en) 2016-06-06 2016-06-06 Abnormality detection device, abnormality detection method and abnormality detection program

Publications (2)

Publication Number Publication Date
JP2017219947A (en) 2017-12-14
JP6675608B2 (en) 2020-04-01

Family

ID=60656400

Country Status (1)

Country Link
JP (1) JP6675608B2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010244543A (en) * 2009-04-01 2010-10-28 Accenture Global Services Gmbh System for monitoring energy efficiency of technology component
JP2013143126A (en) * 2012-01-10 2013-07-22 O2 Micro Inc Detecting status of application program running in device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
北田 和将 KAZUMASA KITADA: "数値流体解析と消費電力モデルを連携させたデータセンタの消費電力シミュレータの構築 Dynamic power simu", 電子情報通信学会技術研究報告 VOL.115 NO.483 IEICE TECHNICAL REPORT, vol. 第115巻, JPN6019017978, 25 February 2016 (2016-02-25), JP, pages 291 - 296, ISSN: 0004037437 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109579917A (en) * 2018-12-27 2019-04-05 湖南宸睿通信科技有限公司 A kind of finished product measurement method based on communication apparatus production
JP2022522474A (en) * 2019-03-05 2022-04-19 シーメンス インダストリー ソフトウェア インコーポレイテッド Machine learning-based anomaly detection for embedded software applications
JP7282195B2 (en) 2019-03-05 2023-05-26 シーメンス インダストリー ソフトウェア インコーポレイテッド Machine learning-based anomaly detection for embedded software applications
WO2023282193A1 (en) * 2021-07-08 2023-01-12 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Malware detection method, malware detection device, and program
WO2023282192A1 (en) * 2021-07-08 2023-01-12 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Malware detection method, malware detection device, and program
JP7297860B1 (en) 2021-12-24 2023-06-26 株式会社ラック Information processing device, information processing method and program

Also Published As

Publication number Publication date
JP6675608B2 (en) 2020-04-01

Legal Events

Date Code Title Description
A521 Request for written amendment filed; Free format text: JAPANESE INTERMEDIATE CODE: A821; Effective date: 20160607
A621 Written request for application examination; Free format text: JAPANESE INTERMEDIATE CODE: A621; Effective date: 20180720
A521 Request for written amendment filed; Free format text: JAPANESE INTERMEDIATE CODE: A821; Effective date: 20180720
A977 Report on retrieval; Free format text: JAPANESE INTERMEDIATE CODE: A971007; Effective date: 20190410
A131 Notification of reasons for refusal; Free format text: JAPANESE INTERMEDIATE CODE: A131; Effective date: 20190521
A521 Request for written amendment filed; Free format text: JAPANESE INTERMEDIATE CODE: A523; Effective date: 20190717
A131 Notification of reasons for refusal; Free format text: JAPANESE INTERMEDIATE CODE: A131; Effective date: 20200107
A521 Request for written amendment filed; Free format text: JAPANESE INTERMEDIATE CODE: A523; Effective date: 20200206
TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model); Free format text: JAPANESE INTERMEDIATE CODE: A01; Effective date: 20200225
A61 First payment of annual fees (during grant procedure); Free format text: JAPANESE INTERMEDIATE CODE: A61; Effective date: 20200226
R150 Certificate of patent or registration of utility model; Ref document number: 6675608; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150
R250 Receipt of annual fees; Free format text: JAPANESE INTERMEDIATE CODE: R250
R250 Receipt of annual fees; Free format text: JAPANESE INTERMEDIATE CODE: R250