JP2019110513A - Anomaly detection method, learning method, anomaly detection device, and learning device - Google Patents

Abstract

To provide, for example, an anomaly detection method which allows accurate identification of anomalous packets, or a learning method for learning anomaly detection models for the accurate identification.SOLUTION: An anomaly detection method includes the steps of: extracting, for each of multiple learning packets obtained, all possible combinations of N-grams in a payload included in the learning packet; counting a first number, which is the number of occurrences of each of all the combinations extracted from the packet in the payloads included in the packets obtained; calculating, as anomaly detection models, first probabilities by performing smoothing processing based on the multiple first numbers; and, when a score calculated for each of the multiple packets exceeds a predetermined threshold that is based on the anomaly detection models stored in a memory, outputting an indication that the packet having the score calculated has an anomaly.SELECTED DRAWING: Figure 14

Description

  The present disclosure relates to an abnormality detection method and an abnormality detection device for detecting an abnormality in a plurality of packets using a learning model, and a learning method and a learning device for the learning model.

  Patent Document 1 discloses a method of detecting abnormality of data using N-grams.

Japanese Patent Publication 2009-523270

  The present disclosure provides an anomaly detection method capable of identifying an abnormal packet with high accuracy, or a learning method of learning an anomaly detection model for identifying the packet with high accuracy.

  An abnormality detection method according to an aspect of the present disclosure detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. The abnormality detection method executes the abnormality detection device, the abnormality detection device includes a processor and a memory, and the memory stores an abnormality detection model generated by learning using a plurality of learning packets. In the abnormality detection method, the processor acquires the plurality of learning packets, and for each of the acquired plurality of learning packets, a data string constituting a payload included in the learning packet is A (A Is an integer of 1 or more) N (N is an integer of 2 or more) of a plurality of data units obtained by dividing in units of bits Extracting a first combination of N data units in combination order of consecutive ones in the payload, or in the arrangement order of B (B is an integer of 1 or more) skips of the combination; For each of all the first combinations extracted for the plurality of learning packets, a first number, which is the number of times the first combination appears in the plurality of learning packets, is counted, and all the extracted combinations are extracted For each of the first combinations, the smoothing process is performed based on the plurality of first numbers obtained by counting, and the probability is that the first combination appears in the plurality of learning packets. Calculating a plurality of first probabilities and storing the calculated first probabilities in the memory as the abnormality detection model; If a score is calculated for each of a plurality of acquired packets and the acquired packets exceed a predetermined threshold based on the abnormality detection model stored in the memory, the score is calculated. Output that the packet being sent is above.

  In addition, the learning method according to an aspect of the present disclosure detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. A learning device for learning an abnormality detection model to be executed, the learning device including a processor and a memory, in which the processor acquires and acquires a plurality of learning packets Of each of the plurality of learning packets, a plurality of data units obtained by dividing a data string constituting a payload included in the learning packet into A (A is an integer of 1 or more) bits units All possible first combinations of N (N is an integer of 2 or more) data units, in a sequential order of consecutive in the payload, or B (B is an integer of 1 or more) A first combination of N data units in the order of skipping is extracted, and for each of the first combinations extracted for the plurality of learning packets, A plurality of the first obtained by counting the first number which is the number of times the first combination appears in the plurality of learning packets, and counting each of the extracted first combinations. A plurality of first probabilities, which are probabilities of occurrence of the first combination in the plurality of learning packets, are calculated by performing smoothing processing based on the number of 1, and the plurality of calculated first probabilities Are stored in the memory as the abnormality detection model.

  Note that these general or specific aspects may be realized by a system, a device, an integrated circuit, a computer program, or a recording medium such as a computer readable CD-ROM, and the system, the device, the integrated circuit, the computer program And any combination of recording media.

  By using the abnormality detection method, the learning method, the abnormality detection device, and the learning device according to the present disclosure, an abnormal packet can be identified with high accuracy.

FIG. 1 is a schematic view of an abnormality detection system according to the embodiment. FIG. 2 is a block diagram showing an example of the hardware configuration of the abnormality detection apparatus according to the embodiment. FIG. 3 is a block diagram showing an example of a functional configuration of the abnormality detection device according to the present embodiment. FIG. 4A is a diagram showing the structure of an Ethernet frame. FIG. 4B is a diagram showing an example of a packet structure of the TCP protocol. FIG. 5 is a diagram showing an example of the abnormality detection model held by the abnormality detection model DB. FIG. 6 is a diagram showing an example of the abnormality detection model held by the abnormality detection model DB. FIG. 7 is a diagram showing an example of the abnormality detection model held by the abnormality detection model DB. FIG. 8 is a diagram showing an example of the abnormality detection model held by the abnormality detection model DB. FIG. 9 is a diagram showing correspondence information in which a destination port and an alert threshold are associated. FIG. 10 is a flowchart showing an outline of the operation in the abnormality detection device. FIG. 11 is a flowchart showing an example of the details of the learning process in the abnormality detection device. FIG. 12 is a flowchart illustrating an example of the alert threshold determination process in detail. FIG. 13 is a flowchart illustrating another example of details of the alert threshold determination process. FIG. 14 is a flowchart showing an example of the details of inspection processing in the abnormality detection device. FIG. 15 is a diagram showing an experimental result comparing the abnormality detection method according to the present embodiment and another method when evaluation is performed in the FTP protocol. FIG. 16 is a diagram showing experimental results comparing the anomaly detection method according to the present embodiment and another method when evaluation is performed in the TELNET protocol.

(Findings that formed the basis of the present invention)
[1-1 Background]
In recent years, the threat of cyber attacks on control systems (plants, plants, important infrastructure, etc.) has increased, and the damage by cyber attacks has been on the rise. The following points are pointed out as reasons for the increase in damage to control systems as described above.

  (1) In order to improve the reliability and the convenience of control, the systems including the control system are interconnected. Therefore, the control system is exposed to the outside, which is considered to have increased the threat of cyber security.

  (2) In order to improve system interoperability and versatility, the internal network of the control system has come to communicate using open protocols such as Modbus, EtherCAT, BACnet and the like. Therefore, it is considered that the control system has led to dramatically increasing the possibility of attacks such as malware infection.

  (3) Control systems often do not have security measures in place, and control systems often use one system for many decades. For this reason, in such a control system, there are often found cases where the support of the OS and the like is terminated during the use period and the security patch can not be applied to the PC terminal or cases where anti-virus software can not be introduced.

  With regard to the above (1) and (2), these trends are considered to be further expanded in the future, because the industrial merits are very large. The present disclosure focuses on intrusion detection technology at the network level in order to ensure security of a control system in which the introduction of security measures and the change of equipment are not easy as described in (3) above. A Network Intrusion Detection System (NIDS) is a system that passively monitors a target network, and there is no need to make a direct change to equipment. For this reason, there is an advantage that it is easy to introduce even in a control system where availability is important.

[1-1-1 Type and nature of intrusion detection system]
Intrusion detection systems (IDS) are generally classified into host-based intrusion detection systems (HIDS) and network-based IDS (NIDS). In control systems, it is common to use NIDS. The preferred use of NIDS in the control system is that it avoids direct manipulation of production equipment. If it is NIDS, it can be introduced regardless of OS, resources, etc. of the control device to be monitored. On the other hand, in HIDS such as virus detection software, a large load is placed on the terminal at the time of virus scanning, and there is a possibility that the processing speed of the software relating to production will be reduced to affect production activity.

  The NIDS is further roughly divided into a signature / rule system and an anomaly system, and the anomaly type NIDS is further classified into a flow base and a payload base. The signature / rule NIDS is commonly used and is alerted when it finds a particular byte string pattern contained in the payload, or when the traffic exceeds a predetermined threshold. Emit Flow-based NIDS observes only the packet header, generates a steady-state model for flow information such as traffic size and cycle in the network, and alerts when it detects traffic that deviates from the steady state . Since the flow-based NIDS uses only packet header information, it can detect anomalies even for encrypted communications or communications without payload. On the other hand, payload-based NIDS observes packet payload information and determines whether the payload deviates from normal communication content. The flow-based method may react sensitively to changes in the state that you do not want to detect, such as system maintenance and non-stationary file transfer, but the payload-based method is less likely to It is possible to detect clever attacks that are not reflected in the information.

[1-1-2 Summary and effect of the present disclosure]
This disclosure describes a new payload-based anomaly detection method. The following points can be mentioned as reasons for adopting the payload-based anomaly detection technology in the anomaly detection method of the present disclosure.

  Many operations are automated in environments where control systems are used. However, the control system includes many non-stationary operations during human operation, maintenance, product changes, and the like. In flow-based NIDS, many such non-stationary operations may be detected. On the other hand, payload-based NIDS has the advantage that false detection can be prevented if the contents of the operation itself are universal.

  ・ In the case of highly sophisticated malware, if a clever attack that does not appear in the flow information is launched, the control system may not be able to detect packet anomalies without monitoring the packet payload. .

  In the flow-based NIDS, if the control system is operated by a malicious authorized operator, or if an anomaly parameter is erroneously input by the authorized operator, the anomaly is regarded as a normal flow. It can not be detected because it matches. The payload-based NIDS can also detect such an anomaly.

  The following effects are exhibited by the abnormality detection method of the present disclosure and the like.

  -The abnormality detection method of this indication can implement | achieve high performance (low false alarm rate, high detection rate) by utilizing N-gram information of the payload of a packet.

  The abnormality detection method according to the present disclosure does not have to be tuned according to the deployment environment, and is suitable for automatically configuring an abnormality detection system even in a vast network environment.

  The anomaly detection method of the present disclosure exhibits superior performance in anomaly detection performance of the FTP protocol of the 1999 DARPA IDS Data Set and the TEL-NET protocol than PAYL and ANAGRAM, which are relatively less time-consuming tuning techniques. be able to.

[1-2 Basic technology]
Before describing the anomaly detection method of the present disclosure, the basic technology used in the present disclosure will be described.

[1-2-1 N-gram]
An N-gram is N consecutive sequences for sequential data consisting of elements such as given characters and words. For example, given the sequence of ... AGCTTCGA ... in the base sequence of DNA, the 1-gram appearing in this sequence is ..., A, G, C, T, T, C, G, A, ..., 2-gram is ..., AG, GC, CT, TT, TC, CG, GA, ..., 3-gram is ..., AGC, GCT, CTT, TTC, TCG, CGA,. For example, when a sequence of to be or not to be appears in a sentence, if each element is regarded as a word, 1-gram appearing in this sequence is ..., to, be, or, not, to, be, ..., 2-gram is ..., to be, be or, or not, not to, to be, ..., 3-gram is ..., to be or , Be or not, or not to, not to be,.

For example, using N-grams, feature data of sequence data can be extracted simply by vectorizing the number of occurrences of N-grams. Assuming that the number of possible values of each element is M and the length of the series data is L for a certain series data, there are M ^L possible patterns for this series data. However, if, for example, the number of occurrences of 2-grams is used as a feature, this series data can be treated as an M ² -dimensional vector, which makes the data easy to handle. N-grams are often used in the field of natural language processing or in the field of life sciences, but past studies have shown that they are also effective in payload anomaly detection.

[1-2-2 Sequence generation model using N-gram]
As described above, N-gram is a useful model when dealing with sequence information. Using N-grams, it is possible to construct a very simple series generation model. In a generation model of a series using N-gram, it is treated as Pr (x _i | x _{i − (n−1)} ,..., X _i−1 ). That is, it is assumed that the probability that an element is output is determined only by the immediately preceding N-1 elements. Of course, this assumption is not correct in most cases, but it is convenient in that when given a sequence, it is possible to obtain the likelihood that the sequence will occur. For example, x ₁ , x ₂ ,. . . , When subjected to the series data _{x l,} the probability that the data is generated _{Pr (x 1, x 2,} ..., x l) is represented, in the model that uses 2-gram , Which can be decomposed into products of probabilities as follows:

Pr (x ₁ , x ₂ , ..., x _l ) (Equation 1)
= Pr (x ₁ ) · Pr (x ₂ | x ₁ ) · Pr (x ₃ | x ₁ , x ₂ )
... Pr (xlx ₁ , x ₂ , ..., x _{l -1} ) (Equation 2)
= P (x ₁ | start) · Pr (x ₂ | x ₁ ) · Pr (x ₃ | x ₂ )
... Pr (x _l | x _l-1 ) (Equation 3)

Only the beginning of the element, the top use the probability that x ₁ appears in, the probability of subsequent characters appear calculates the probability by using the property that depends only on the probability that the element of the immediately preceding appears. In the simplest method, assuming that the number of possible elements is M, and the number of occurrences of 2-gram x _i , x _j is k _xi, x _j , the probability of each term is determined by the following equation 4.

  The anomaly detection method of the present disclosure is a method of performing modeling using N-grams of byte sequences included in the payload to detect an abnormal payload sequence, which is superior to the prior art in terms of high detection performance and ease of tuning. Advantage.

[1-3 Existing method]
Introduce existing payload-based anomaly detection methods. The abnormality detection method mentioned here performs abnormality detection using, for example, a payload of a Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) layer (a TCP / UDP payload portion of a packet having a structure of FIG. 4A). However, as a matter of course, the detection target is not limited to the protocol on TCP / UDP, and even if payloads of other protocols are used, abnormality detection can be similarly performed. Also, each method does not require prior knowledge. That is, the parser dedicated to the protocol is not used to perform an operation such as extracting a specific element of the payload. The following PAYL, POSEIDON, and ANAGRAM exist as a typical precedent example using N-gram as a payload-based anomaly detection method. PAYL and POSEIDON are both examples of identification using a unigram. ANAGRAM is an example of performing identification using N-gram (N = 3, 5, 7, etc.). Hereinafter, three methods will be described in order.

[1-3-1 PAYL]
PAYL is a method using unigram information of a payload sequence, and was proposed by Ke Wang et al. In PAYL, an anomaly detection model is learned separately by the packet destination IP, packet destination port, and packet payload length (1 byte unit). In the learning phase, all the payload sequences for learning are converted into 256-dimensional unigram vectors, and the information of the average and standard deviation of each dimension is accumulated. Also in the detection phase, the payload to be inspected is converted into a 256-dimensional (1 byte) unigram vector, and the simplified Mahalanobis distance between the converted vector and the average vector accumulated at learning is calculated as an abnormality score. The following equation 5 is used to calculate the abnormality score.

  In the naive PAYL implementation, the hyperparameters (parameters that need to be determined by humans at the pre-learning stage) are only α in the above equation, so there is less need for tuning. Also, additional learning of data is easily possible. PAYL is a simple and excellent discriminator, but the nature of using unigram results in the loss of any information about the alignment, which is considered to lead to the deterioration of accuracy. Then, in order to overcome the weak point by using unigram, various methods using N-gram (N> = 2) are devised.

  In other words, the problem with PAYL is that the discrimination accuracy is somewhat lower than the various proposed methods since unigrams are used.

[1-3-2 POSEIDON]
In PAYL, the intention was to divide the anomaly detection model according to the role of the packet, so the model was divided according to the payload length of the packet. However, it is POSEIDON proposed by Damiano Bolzoni et al. In 2006 that attempted to divide the model using different information, thinking that the payload length may not be able to separate the model for each role of the packet. In POSE IDON, a distance measure between payloads is defined, near packets are clustered under the distance measure, and the cluster information is used as information for dividing the model instead of the payload length. A self-organizing map is used as a clustering method. POSEIDON is the same anomaly detection method as PAYL except that this cluster information is used instead of the payload length. POSEIDON demonstrates high identification accuracy if it can learn an appropriate self-organizing map. However, self-organizing maps have a very large number of hyperparameters. For this reason, in POSEIDON, in order to divide packets into desirable clusters, it is necessary to perform tuning by many trials and cross verification methods, so the practicality is poor.

  In other words, there are two problems with POSEIDON: The first point is that tuning is very difficult because there are many hyperparameters in the self-organizing map. The second point is that learning a self-organizing map requires a lot of time and computational resources, and is unsuitable for use in a real environment.

[1-3-3 ANAGRAM]
ANAGRAM is a method proposed by Ke Wang et al. In 2006 to improve PAYL. PAYL has been pointed out that it is vulnerable to Mimicry Attack (an attack that tries to evade detection by a model), but in order to avoid this problem, NAG gram modeling for larger N is performed in ANAGRAM. There is. In the paper, a frequency-based method that uses the number of occurrences of each N-gram and a binary-based method that uses only whether each N-gram has appeared are introduced. Of these two methods, the accuracy of the binary-based ANAGRAM is considered to be better because the learning data is highly sparse (it will be pointed to the binary-based ANAGRAM when it is simply described as the ANAGRAM) ). As N-gram information increases in an exponential manner with respect to the size of N, in ANAGRAM, the Bloom filter is used to efficiently hold the N-gram information that appears in the payload to be learned. . The Bloom filter operates at high speed, and the memory usage does not become enormous. However, it is necessary to determine the filter size in advance according to the target data. If the filter size is too small, it may be mistaken if it is an observed N-gram that has not been observed so far, and if the filter size is large, a large amount of memory will be occupied. Also, by its nature, NAGRAM interprets the N-gram contained in the packet as a normal one if it observes a packet containing an invalid N-gram even once. Will deteriorate. This is a problem, for example, when the learning data includes an encrypted character string or a highly random byte string such as a binary string of data. The abnormality score in ANAGRAM (binary-based) is calculated by the following equation 6.

  On the other hand, the abnormality score in AnaGRAM (frequency-based) is calculated by the following equation 7.

As can be understood from these formulas, both the binary-based version and the frequency-based version are very simple methods, and since there are almost no hyperparameters, ANAGRAM is easy to handle.

  In other words, the problems with NAGRAM (frequency-based, binary-based) are the following three points. The first point is that since the information on frequency is dropped in ANAGRAM, when the N-gram of an incorrect packet is observed due to the influence of an incorrect packet or a highly random packet, the accuracy is extremely high. It is a point that leads to deterioration. The second point is that when using an ANAGRAM for a large N such as N ≧ 4, the use of the Bloom filter is essential, so it is necessary to design the Bloom filter size. The third point is that the function of calculating NAGRAM (frequency-based) scores is empirical and there is no probabilistic relevance.

  From the above, the inventors of the present invention have found out an abnormality detection method, a learning method, an abnormality detection device, and a learning device capable of identifying an abnormal packet with high accuracy, after intensive investigation.

  An abnormality detection method according to an aspect of the present disclosure detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. The abnormality detection method executes the abnormality detection device, the abnormality detection device includes a processor and a memory, and the memory stores an abnormality detection model generated by learning using a plurality of learning packets. In the abnormality detection method, the processor acquires the plurality of learning packets, and for each of the acquired plurality of learning packets, a data string constituting a payload included in the learning packet is A (A Is an integer of 1 or more) N (N is an integer of 2 or more) of a plurality of data units obtained by dividing in units of bits Extracting a first combination of N data units in combination order of consecutive ones in the payload, or in the arrangement order of B (B is an integer of 1 or more) skips of the combination; For each of all the first combinations extracted for the plurality of learning packets, a first number, which is the number of times the first combination appears in the plurality of learning packets, is counted, and all the extracted combinations are extracted For each of the first combinations, the smoothing process is performed based on the plurality of first numbers obtained by counting, and the probability is that the first combination appears in the plurality of learning packets. Calculating a plurality of first probabilities and storing the calculated first probabilities in the memory as the abnormality detection model; If a score is calculated for each of a plurality of acquired packets and the acquired packets exceed a predetermined threshold based on the abnormality detection model stored in the memory, the score is calculated. Output that the packet being sent is above.

  According to this, since the anomaly detection model is learned in consideration of the alignment information of the data unit in the payload, the anomaly packet can be identified with high accuracy.

  Further, in learning, since the first probability calculated by performing the smoothing process is used, the robustness to noise can be improved.

  Further, in the calculation of the first probability, as the smoothing processing, a plurality of second numbers are calculated by adding a positive number to all of the first numbers, and all the extracted first numbers are calculated. The first probability may be calculated based on the plurality of second numbers calculated for each of the combinations of.

  In addition, since the first probability based on the plurality of second numbers calculated by adding a positive number to all the plurality of first numbers is used in learning, the robustness to noise is improved. Can.

  In the extraction, the first combination of the N data units may be extracted by using an N-gram.

  Also, the N may be 2 or 3.

  Further, in the output, for each of the plurality of acquired packets, (1) a plurality of pieces obtained by dividing a data string constituting a payload included in the packet in A (A is an integer of 1 or more) bits All possible second combinations of N (N is an integer of 2 or more) data units of the data units in the order in which the payloads are consecutive in the payload, or B (B is 1 Extract the second combination of N data units in the order of the above integer) piece-by-piece, and (2) for each of the second combinations extracted from the packet, the second combination , Counting a third number which is the number of times of appearance in the payload of the acquired packet, (3) all the second combinations in the packet Based on a plurality of the third numbers obtained by counting each of the set, a plurality of second probabilities that are probabilities of the occurrence of the second combination in the packet are calculated, (4) The score is calculated by dividing the sum of logarithms of the plurality of second probabilities calculated for the packet by the specified value defined by the payload length of the payload, and (5) the calculated for the packet When the score exceeds a predetermined threshold based on the abnormality detection model stored in the memory, it may be output that the packet for which the score is calculated is abnormal.

  According to this, since the score is calculated in consideration of the alignment information of the data unit in the payload, an abnormal packet can be identified with high accuracy.

  Further, the memory stores, as the abnormality detection model, a fourth number based on the first number in each of the first combinations, and in the abnormality detection method, the processor further includes: The fourth number included in the abnormality detection model may be updated using the counted third number.

  Therefore, it is possible to additionally learn the anomaly detection model or to update the anomaly detection model from which old data has been deleted. Thus, abnormal packets can be identified with high accuracy.

  Further, in the abnormality detection method, the processor further sets, for each of the plurality of acquired learning packets, the learning packet to any one of a plurality of models according to a header of the learning packet. In each of a plurality of learning packets classified into the model among the plurality of learning packets using (1) and further counting the first number for each of the plurality of models. Calculating a fifth number, which is the number of times each of the first combinations appears, and (2) for each of the first combinations extracted from the plurality of learning packets classified into the model, The plurality of sixth numbers are calculated by adding a positive number to all of the calculated fifth numbers, and (3) all the first sets extracted For each set, based on the plurality of calculated sixth numbers, a plurality of first probabilities, which are probabilities of occurrence of the first combination in the plurality of learning packets classified into the model, are calculated You may

  In addition, the memory stores the predetermined threshold for each of the plurality of models, and in the abnormality detection method, the processor further includes a header having each of the plurality of acquired packets. Classified according to one of a plurality of models, and in the output, if the calculated score exceeds the predetermined threshold value corresponding to the model into which the packet for which the score is calculated is classified It may output that the packet is abnormal.

  Further, each of the plurality of models may be a model classified by at least one of a destination IP, a destination port, a source IP, and a protocol of the packet.

  Further, the memory stores the fifth number in each of the first combinations in each of the plurality of models as the abnormality detection model, and in the abnormality detection method, the processor further calculates The fifth number included in the abnormality detection model may be updated using the counted third number.

  A learning method according to an aspect of the present disclosure detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. A learning device for learning an abnormality detection model, wherein the learning device includes a processor and a memory, and in the learning method, the processor acquires a plurality of learning packets and acquires the learning packets. For each of the plurality of learning packets, N of the plurality of data units obtained by dividing the data string constituting the payload included in the learning packet into A (A is an integer of 1 or more) bits N is an all possible first combination of two or more integers of data units, and the arrangement order in which the payloads are consecutive to one another, or B ( (A) extracts a first combination of N data units in the order of 1 or more integers, and the first combination of all the first combinations extracted for the plurality of learning packets A plurality of the first numbers obtained by counting the first number which is the number of times of the combination occurring in the plurality of learning packets and counting each of the extracted first combinations. And performing the smoothing process to calculate a plurality of first probabilities that are probabilities of occurrence of the first combination in the plurality of learning packets, and calculating the plurality of calculated first probabilities as the abnormality. It is stored in the memory as a detection model.

  According to this, since the anomaly detection model is learned in consideration of the alignment information of the data unit in the payload, the anomaly packet can be identified with high accuracy.

  In addition, since the first probability based on the plurality of first numbers calculated by adding a positive number to all the plurality of first numbers is used in learning, the robustness to noise is improved. Can.

  Note that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer readable CD-ROM, a system, a method, an integrated circuit, a computer program Or it may be realized by any combination of recording media.

  Hereinafter, an abnormality detection method, a learning method, an abnormality detection device, and a learning device according to an aspect of the present invention will be specifically described with reference to the drawings.

  Each embodiment described below shows one specific example of the present invention. Numerical values, shapes, materials, components, arrangement positions and connection forms of components, steps, order of steps, and the like shown in the following embodiments are merely examples, and the present invention is not limited thereto. Further, among the components in the following embodiments, components not described in the independent claim indicating the highest concept are described as arbitrary components.

Embodiment 1
[2-1 Configuration of anomaly detection system]
First, a schematic configuration of the abnormality detection system according to the present embodiment will be described.

  FIG. 1 is a schematic view of an abnormality detection system according to the embodiment.

  Specifically, in FIG. 1, the abnormality detection system 1 includes an abnormality detection apparatus 100, a packet collection apparatus 200, and a monitoring target 300 communicably connected to an external network 500. In the abnormality detection system 1, the abnormality detection apparatus 100 detects whether there is an abnormality in the communication within the monitoring target 300 or the communication between the monitoring target and the network 500.

  The monitoring target 300 is a system that is a target of abnormality detection. The monitoring target 300 is, for example, a chemical plant, a control system, an in-vehicle network system, or the like. The monitoring target 300 includes hubs 311, 312, 321 and 322, supervisory control and data acquisition (SCADA) 313, programmable logic controller (PLC) 314, personal computer (PC) 315, 323 and 324, and router 400. Control system comprising

  The router 400 is a communication device that relays transmission and reception of data between the monitoring target 300 and the external network 500. The router 400 analyzes the received data and performs data transfer control such as selecting a data transfer path based on the analyzed result.

  The hubs 311 and 321 are, for example, switching hubs. The hub 311 is communicably connected to the router 400, the hub 312, the SCADA 313, the hub 321, and the packet collection device 200. The hub 321 is communicably connected to the hub 311, the hub 322, and the packet collection device 200. The hubs 311 and 321 transfer the received data to the connected device based on the destination information included in the received data. The hubs 311 and 321 have, for example, a mirror port that copies received data and outputs the copied data. The hubs 311 and 321 are connected to the packet collection device 200 at the mirror port. A plurality of packets transmitted and received between the monitoring target 300 and the external network 500 are extracted via the mirror ports of the hubs 311 and 321 and transmitted to the packet collection device 200.

  The hubs 312 and 322 are, for example, switching hubs. The hub 312 is communicably connected to the hub 311, the PLC 314, and the PC 315. The hub 322 is communicably connected to the hub 321 and the PCs 323 and 324. Similar to the hubs 311 and 321, the hubs 312 and 322 transfer the received data to the connected devices based on the destination information included in the received data.

  The SCADA 313 is a computer that performs system monitoring, process control, and the like of a control system to be monitored 300.

  The PLC 314 is a control device for controlling various machines.

  The PC 315 is a general-purpose computer.

  The packet collection device 200 is a device that receives a plurality of packets transmitted from the hubs 311 and 321 of the monitoring target 300 and stores the plurality of received packets. The packet collection device 200 is, for example, a server. The packet collection device 200 receives a plurality of packets from the monitoring target 300 over a predetermined period such as one week, for example, and stores a plurality of packets for a predetermined period. The packet collection device 200 transmits the stored plurality of packets to the abnormality detection device 100. The packet collection device 200 may also store a plurality of learning packets for the abnormality detection device 100 to generate an abnormality detection model. The plurality of learning packets are composed of normal packets that do not have an abnormality.

[2-2 Configuration of Abnormality Detection Device]
Next, the hardware configuration of the abnormality detection apparatus 100 will be described with reference to FIG.

  FIG. 2 is a block diagram showing an example of the hardware configuration of the abnormality detection apparatus according to the embodiment.

  As shown in FIG. 2, the abnormality detection apparatus 100 includes a CPU (Central Processing Unit) 101, a main memory 102, a storage 103, a communication IF (Interface) 104, and an input IF (Interface) 105 as a hardware configuration. And a display 106.

  The CPU 101 is an example of a processor that executes a control program stored in the storage 103 or the like.

  The main memory 102 is an example of a volatile storage area used as a work area used when the CPU 101 executes a control program, that is, an example of a memory.

  The storage 103 is an example of a non-volatile storage area holding a control program, content and the like, that is, a memory.

  The communication IF 104 is a communication interface that communicates with the packet collection device 200 via a communication network. The communication IF 104 is, for example, a wired LAN interface. The communication IF 104 may be a wireless LAN interface. The communication IF 104 is not limited to the LAN interface, and may be any communication interface as long as it can establish a communication connection with the packet collection device 200.

  The input IF 105 is an input device such as, for example, a ten key, a keyboard, or a mouse.

  The display 106 is a display device that displays the processing result of the CPU 101. The display 106 is, for example, a liquid crystal display or an organic EL display.

[2-3 Functional configuration of abnormality detection device]
Next, the functional configuration of the abnormality detection apparatus 100 will be described with reference to FIG. The abnormality detection apparatus 100 is also an example of a learning apparatus that also performs learning processing of an abnormality detection model for detecting an abnormality.

  FIG. 3 is a block diagram showing an example of a functional configuration of the abnormality detection device according to the present embodiment.

  Data 210 composed of a plurality of packets accumulated in the packet collection device 200 includes learning data 211 and inspection data 212.

  The learning data 211 is data for generating an abnormality detection model by machine learning among the acquired data 210. The inspection data 212 is data to be subjected to abnormality diagnosis to determine whether the data 210 obtained from the monitoring target 300 is abnormal using the generated abnormality detection model among the acquired data 210. . In addition, as the data for learning 211, a plurality of acquired packets including not only normal data but also abnormal data can be used. For example, the learning data 211 may be data acquired in a predetermined period at the beginning of the data 210, and the inspection data 212 may be data acquired in a period after the predetermined period in which the learning data 211 is acquired. . Also, the inspection data 212 may be used as learning data for updating the abnormality detection model.

  The plurality of packets are, for example, packets of the TCP protocol as shown in FIG. 4B. FIG. 4B is a diagram showing an example of a packet structure of the TCP protocol. The structure of the TCP protocol is defined by RFC 793.

  The abnormality detection apparatus 100 includes an acquisition unit 110, a detection model learning unit 120, an abnormality detection model DB (Database) 130, an input reception unit 140, an alert threshold calculation unit 150, a detection unit 160, and a presentation unit 170. Equipped with

  The acquisition unit 110 acquires a plurality of learning packets, which are a plurality of packets as the learning data 211, from the packet collection device 200. The acquisition unit 110 may acquire a plurality of packets as the inspection data 212 from the packet collection device 200. The acquisition unit 110 is realized by, for example, the CPU 101, the main memory 102, the storage 103, and the communication IF 104.

  The detection model learning unit 120 generates an abnormality detection model by performing learning processing using the plurality of learning packets acquired by the acquisition unit 110. Specifically, for each of the plurality of learning packets acquired by the acquiring unit 110, the detection model learning unit 120 sets a data string constituting the payload included in the learning packet to A (A is an integer of 1 or more). All possible combinations of N (N is an integer of 2 or more) data units out of a plurality of data units obtained by dividing into bit units, in the order in which they are consecutive in the payload Extract combinations of N data units of Here, the extracted combination is an example of a first combination. Here, the A-bit unit is, for example, an 8-bit unit, that is, a 1-byte unit. Note that A is not limited to eight, and may be another numerical value other than eight. The detection model learning unit 120 extracts a combination of N data units by using the N-gram. Here, N is, for example, 2 or 3. That is, the detection model learning unit 120 extracts a combination of two data units or a combination of three data units by using 2-gram or 3-gram. In addition, the detection model learning unit 120 is not limited to the combination of N data units in a sequential order such as N-gram, but the arrangement order of B (B is an integer of 1 or more) skips A combination of N data units in may be extracted.

  Next, the detection model learning unit 120 causes the combination to appear in the learning packet for each of all the combinations extracted from the data string constituting the plurality of payloads of the plurality of learning packets acquired by the acquiring unit 110. Count the first number which is the number of times The detection model learning unit 120 calculates a plurality of second numbers by adding a positive number to all of the plurality of first numbers obtained by counting for each of all the extracted combinations. . The detection model learning unit 120 determines a plurality of first probabilities that are probabilities that the first combination appears in a plurality of learning packets, based on the plurality of second numbers calculated for each of all the extracted combinations. Calculate

  Note that the detection model learning unit 120 calculates a plurality of second numbers by adding a positive number to all of the plurality of first numbers, and generates a plurality of second numbers based on the plurality of second numbers. Although the probability of 1 is calculated, it is not limited thereto. The detection model learning unit 120 calculates a plurality of probabilities in which the combination appears in the plurality of learning packets based on the plurality of first numbers calculated for each of all the extracted combinations, for example. The plurality of first probabilities may be calculated by adding a positive number to the probability of.

  The detection model learning unit 120 further classifies the learning packet into any one of a plurality of models according to the header of the learning packet for each of the plurality of learning packets acquired by the acquiring unit 110. You may The detection model learning unit 120 may hold or learn a plurality of abnormality detection models. In this case, the detection model learning unit 120 switches the plurality of abnormality detection models according to at least one value of the destination IP, the destination port, the transmission source IP, and the protocol, which are information included in the header of the packet, for example. Process the learning or examination.

  When classifying a plurality of learning packets into a plurality of models, the detection model learning unit 120 classifies the plurality of learning packets into the model using the first number counted for each of the plurality of models. In the plurality of learning packets, a fifth number may be calculated, which is the number of times each of all the combinations appear. Then, for each of the plurality of models, the detection model learning unit 120 generates a positive number for all of the calculated fifth numbers for each of all the combinations extracted from the plurality of learning packets classified into the model. The plurality of sixth numbers are calculated by adding. After that, the detection model learning unit 120 performs the combination in the plurality of learning packets classified into the model based on the calculated plurality of sixth numbers for each of all the combinations extracted for each of the plurality of models. The probability that C appears may be calculated as the first probability.

  The detection model learning unit 120 is realized by, for example, the CPU 101, the main memory 102, the storage 103, and the like.

  For example, the detection model learning unit 120 performs learning by performing the following process.

を初期化しておく。各モデルは、ペイロードの２−ｇｒａｍを記録する

を保持しており、その初期値は６５５３６次元の零ベクトルである。その後、学習対象となる全パケットに対し、学習対象のパケットの（宛先ＩＰ、宛先ポート）のペアが（ｉｐ_ｉ，Ｐｏｒｔ_ｊ）の場合、各パケットを、下記の方法で２−ｇｒａｍのベクトル（∈Ｎ^{６５５３６}）に変換し、

に加算する。各バケットの２−ｇｒａｍベクトルへの変換法は下記の通りである：パケットのペイロードのバイト列が｛Ｘ_１，Ｘ_２，Ｘ_３，．．．，Ｘ_Ｌ｝であったとする（Ｌはペイロード長）。ここで各Ｘ_ｋ（ｋ＝１，．．．，Ｌ）∈｛０，．．．，２５５｝である。２−ｇｒａｍを取得する場合、上記バイト列から次の２−ｇｒａｍの列を得る。｛Ｘ_１Ｘ_２，Ｘ_２Ｘ_３，．．．，Ｘ_Ｌ−１Ｘ_Ｌ｝。この２−ｇｒａｍの列から、次のルールで２−ｇｒａｍベクトルを生成する：
１．空のベクトルｙ（∈Ｎ^{６５５３６}）を準備する。
２．各２−ｇｒａｍ Ｘ_ｉＸ_ｉ＋１（ｉ＝１，．．．，Ｌ一１）に対して、ｔ_ｉ＝２５６＊Ｘ_ｉ＋Ｘ_ｉ＋１を計算する。（ｔ_ｉ∈｛０，．．．，６５５３５｝）
３．全てのｉ＝１，．．．，Ｌ一１に対してｙ［ｔ_ｉ］＋１を実行する（ここでｙ［ｔ_ｉ］はベクトルｙのｔ_ｉ番目の要素を表す）。
４．パケットの２−ｇｒａｍベクトルへの変換結果ｙを得る。 In the learning method in the anomaly detection method, since the model is divided for each destination IP and destination port of the packet, in the learning phase, only the number of unique (destination IP, destination port) pairs is used.

Initialize it. Each model records a 2-gram of the payload

And its initial value is a 65536-dimensional zero vector. After that, if the pair of (destination IP, destination port) of the packet to be learned is (ip _i , Port _j ) for all packets to be learned, each packet is a 2-gram vector ( Convert to ∈ N 65 ⁵³⁶ ),

Add to The method of converting each bucket to a 2-gram vector is as follows: the packet payload byte sequence is {X ₁ , X ₂ , X ₃ ,. . . , X _L } (where L is the payload length). Where each X _k (k = 1,..., L) ∈ {0,. . . , 255}. When obtaining a 2-gram, the next 2-gram string is obtained from the byte string. {X ₁ X ₂ , X ₂ X ₃ ,. . . , X _L-1 X _L }. From this 2-gram column, generate a 2-gram vector according to the following rules:
1. Prepare an empty vector y (∈ N ⁶⁵⁵³⁶ ).
2. For each 2-gram X _i X _{i + 1} (i = 1,..., L 1 1), calculate t _i = 256 * X _i + X _{i +1} . (T _i ∈ {0, ..., 65535})
3. All i = 1,. . . , L 1 1 execute y [t _i ] +1 (where y [t _i ] represents the t _i th element of the vector y).
4. The conversion result y of the packet into a 2-gram vector is obtained.

は、どの２−ｇｒａｍが何回出現したかを表すベクトル

を保持している。この２−ｇｒａｍが何回出現したかを表すベクトルは、全ての組み合わせのそれぞれについて、カウントされることにより得られた第１の数の一例である。このベクトルを用いて、各２−ｇｒａｍの出現確率を算出する。最も単純に考えると、２−ｇｒａｍのインデックスをｋ∈｛０，１，．．．，６５５３５｝としたとき、２−ｇｒａｍ ｇ_ｋが出現する確率ｐ（ｇ_ｋ）は、学習対象バケットに現れた２−ｇｒａｍ ｇ_ｋの出現回数をｘ_ｉ，ｊ［ｋ］としたとき、下記の式８で表すことができる。式８で表される出現確率は、複数の第１の確率の一例である。 Once all packets have been learned, each model

Is a vector representing which 2-gram has appeared and how many times

Hold A vector indicating how many times this 2-gram has appeared is an example of the first number obtained by being counted for each of all the combinations. The occurrence probability of each 2-gram is calculated using this vector. In the simplest way, the indices of 2-grams are k∈ {0, 1,. . . , When a 65535}, the probability p _{(g k)} that 2-gram g _k appears, when the number of occurrences of 2-gram g _k appearing in the learning target bucket was _{x i,} j _[k], the following Equation 8 of The appearance probability represented by Equation 8 is an example of a plurality of first probabilities.

However, when the probability is expressed by this expression, the probability of 2-gram that has never appeared in the learning target packet is set to 0, and the score is diverged when the scoring method described later is used. Several methods have been proposed to avoid this phenomenon, but in this embodiment, a method called Laplace smoothing, which is one of the smoothing processes, is employed. Laplace smoothing is one of the methods for smoothing categorical data, and when there are data x = (x ₁ , ..., x _d ) obtained from multinomial distribution of N trials, parameters of this multinomial distribution This is a method of estimating θ = (θ ₁ ,..., θ _d ) according to the following equation 9.

That is, this corresponds to applying Equation 10 to the number of occurrences x _i by α for each category. Usually, α is selected to be a value such as 1, 0.1 or 0.01. When this method is applied to the proposed method, the following equation is obtained. Here, α is an example of a positive number to be added.

P (g _k ) obtained by this equation is regarded as the appearance probability of 2-gram g _k . That is, the appearance probability obtained by Equation 10 is an example of the first probability.

  The smoothing process is not limited to Laplace smoothing, and other smoothing processes such as Kneser-Ney smoothing may be performed.

  The abnormality detection model DB 130 stores the plurality of first probabilities generated by the detection model learning unit 120, that is, calculated, as an abnormality detection model. The abnormality detection model DB 130 may store, as an abnormality detection model, a fourth number based on the first number in each of all the first combinations. Note that the fourth number based on the first number stored in the abnormality detection model may be the first number, the second number, or the fifth number. It may be a sixth number.

  5-8 is a figure which shows the example of the abnormality detection model which abnormality detection model DB hold | maintains.

The abnormality detection model 131 illustrated in FIG. 5 includes data of each item of model ID, destination IP, destination port, N-gram acquisition target data, N-gram appearance frequency, and N-gram appearance probability. The model ID is an identifier uniquely assigned to the model for identifying each of the plurality of models. The destination IP is information indicating the destination IP of the packet associated with the model. The destination port is information indicating the destination port of the packet associated with the model. The N-gram acquisition target data is information indicating data to be an N-gram acquisition target associated with the model, and is, for example, a payload indicating a data section of a packet of each protocol. The N-gram appearance frequency n _{1 to} n ₆ is an example of the N-gram appearance frequency of the packet associated with the model, that is, the sixth number. The N-gram appearance frequency n _{1 to} n ₆ is vector data of a dimension corresponding to the number of all N-grams because it is represented by the number of appearances of all N-grams. That is, n ₁ is, for example, [00: 51 times, 01: 12 times,. . . , FF: 31 times]. Therefore, n _k (k is an integer of 1 to 6) is represented by, for example, [n _k1 , n _k2 ,..., N _kL ]. N-gram probability _Pr 1 to PR ₆ is the probability of occurrence of N-gram in the packet associated with the model, that is, an example of the first probability. The N-gram appearance probabilities Pr _{1 to} Pr ₆ are also vector data of dimensions corresponding to the number of all N-grams, similarly to the N-gram appearance times n _{1 to} n ₆ . That is, Pr ₁ is, for example, [00: 0.1, 01: 0.02,. . . , FF: 0.06]. Therefore, Pr _k (k is an integer of 1 to 6) is represented by, for example, {Pr _k1 , Pr _k2 ,..., Pr _kL }. Thus, in the anomaly detection model 131, a plurality of models are classified according to the combination of the destination IP and the destination port.

  That is, the detection model learning unit 120 learns for each destination IP and destination port, and generates the learning result as the abnormality detection model 131. The reason for learning the anomaly detection model for each destination IP and destination port is that there are many packets having similar roles in buckets having the same destination IP and destination port.

  The abnormality detection model 132 shown in FIG. 6 is a model obtained by further adding an item of Sorce IP to the abnormality detection model 131 shown in FIG. 5. Sorce IP is information indicating a transmission source IP of a packet associated with the model. Thus, in the anomaly detection model 132, a plurality of models are classified according to the combination of the destination IP and the destination IP in addition to the source IP.

  The abnormality detection model 133 shown in FIG. 7 is a model in which the item of the destination port of the abnormality detection model 132 shown in FIG. 6 is replaced with the item of the target protocol. The target protocol is information indicating the protocol of the packet associated with the model. As described above, in the abnormality detection model 133, a plurality of models are classified according to the combination of the destination IP, the transmission source IP, and the target protocol.

  The abnormality detection model 134 shown in FIG. 8 is a model in which an alert threshold item is further added to the abnormality detection model 131 shown in FIG. 5. The alert threshold, which will be described later, is a threshold determined according to, for example, the user's input, and is a threshold for detecting a packet abnormality. The alert threshold is a threshold to be compared with the score calculated in the packet. Thus, the anomaly detection model 134 may be associated with an alert threshold for detecting an anomaly of a packet in addition to the classification of the model.

  As in the abnormality detection model 134 shown in FIG. 8, the alert threshold may not necessarily be associated with the classification of the model.

  In the abnormality detection models 131 to 134 shown in FIGS. 5 to 8, the number of models is six, but the number is not limited to six, and may be a number other than two or more than six.

  FIG. 9 is a diagram showing correspondence information in which a destination port and an alert threshold are associated.

  As shown in the correspondence information 135 shown in FIG. 9, the alert threshold may not be associated with each model, but may be associated with each destination port. That is, according to any one of the abnormality detection models 131 to 133 and the correspondence information 135, an alert threshold may be associated with each model.

  The abnormality detection model DB 130 may hold any one of the abnormality detection models 131 to 133 and the correspondence information 135 as a set, or may hold only the abnormality detection model 134.

  The abnormality detection model DB 130 is realized by, for example, the storage 103 or the like.

  The input receiving unit 140 receives an input from the user. The input reception unit 140 indicates, from the user, at least one of the range of the IP to be monitored and the range of the port among a plurality of packets obtained from the monitoring target 300, for example, and a range of extracting the N-gram. Accept input. Here, the range from which the N-gram is extracted refers to, for example, a data unit to be subjected to inspection of a packet indicated by N-gram acquisition target data in the abnormality detection models 131 to 134, and corresponds to each protocol, for example. Payload. Further, the input receiving unit 140 receives input of a parameter related to an alert occurrence rate for generating an alert. The alert occurrence rate is, for example, to determine that the deviation from the normal state based on the occurrence rate is large for the occurrence rate in which all combinations such as one in a packets and b times a day occur. The threshold value is used to determine that the packet contains an abnormality. Here, the input accepting unit 140 accepts a plurality of parameters respectively corresponding to a plurality of models. The input accepting unit 140 may accept the above-described parameter as one parameter common to a plurality of models. The input receiving unit 140 may receive an input indicating an alert threshold. The alert threshold is, for example, a score to be described later, in order to determine that the deviation from the normal state based on the score is large, that is, based on the appearance probability of all combinations for determining that the packet includes an abnormality. It is a threshold to be determined.

  The input receiving unit 140 is realized by, for example, the CPU 101, the main memory 102, the storage 103, the input IF 105, and the like.

  The alert threshold calculation unit 150 calculates an alert threshold based on the parameter related to the alert occurrence rate accepted by the input acceptance unit 140 and the score calculated for the learning packet. The alert threshold calculation unit 150 calculates the score for the learning packet by applying the plurality of first probabilities calculated in the learning packet to Equation 12 described later. The alert threshold calculation unit 150 calculates an alert threshold so as to be, for example, equal to or less than the alert occurrence rate specified by the parameter. The alert threshold calculation unit 150 calculates an alert threshold based on parameters for each of a plurality of models when a plurality of parameters are input to each of a plurality of models. The alert threshold for each of the plurality of models calculated by the alert threshold calculation unit 150 is stored as an abnormality detection model of the abnormality detection model DB 130. The alert threshold calculation unit 150 is realized by, for example, the CPU 101, the main memory 102, the storage 103, and the like.

  The detection unit 160 detects whether there is an abnormality in each of the plurality of packets acquired by the acquisition unit 110. Specifically, the detection unit 160 sequentially performs the following processes (1) to (6) for each of the plurality of packets acquired by the acquisition unit 110.

  (1) The detection unit 160 selects all possible second combinations of N data units among the plurality of data units obtained by dividing the data string making up the payload included in the packet into A bit units. And extract a combination of N data units in consecutive order in the payload. The combination extracted here is an example of a second combination. Specifically, the detection unit 160 extracts a combination of N data units by using an N-gram as in the detection model learning unit 120. Here, N is, for example, 2 or 3. That is, the detection unit 160 extracts a combination of two data units or a combination of three data units by using 2-gram or 3-gram. Note that the detection unit 160 is not limited to the combination of N data units in a sequential order such as N-gram, but may be a sequential order of B (B is an integer of 1 or more) skips. A combination of N data units may be extracted.

  (2) The detection unit 160 counts, for each of all combinations extracted from the packet, a third number, which is the number of times the combination appears in the payload of the acquired packet.

  (3) The detection unit 160 determines a plurality of probability that the combination appears in the packet based on the plurality of third numbers obtained by counting each of all the combinations extracted from the packet. Calculate the second probability.

  (4) The detection unit 160 calculates a score by dividing the sum of logarithms of the plurality of second probabilities calculated for the packet by a specified value defined by the payload length of the payload.

  (5) The detection unit 160 determines whether the score calculated for the packet exceeds an alert threshold as a predetermined threshold based on the abnormality detection model stored in the abnormality detection model DB 130. The detection unit 160 detects that there is an abnormality in the packet in which the score exceeding the alert threshold is calculated, and detects that there is no abnormality in the packet in which the score below the alert threshold is calculated.

  As in the detection model learning unit 120, the detection unit 160 classifies each of the plurality of packets acquired by the acquisition unit 110 into any one of a plurality of models according to the header of the packet. It is also good. In this case, the detection unit 160 may determine whether the calculated score exceeds a predetermined threshold value corresponding to the model into which the packet for which the score is calculated is classified.

  The detection unit 160 is realized by, for example, the CPU 101, the main memory 102, the storage 103, and the like.

  For example, the detection unit 160 performs an inspection by performing the following process.

In the abnormality detection method according to the present embodiment, the detection unit 160 calculates an abnormality score for each packet in the inspection phase, as in PAYL and ANAGRAM. Each packet to be subjected to abnormality score calculation is converted into a 2-gram vector y (∈N ⁶⁵⁵³⁶ ) in the same manner as the conversion method performed in the learning phase. Score the transformed vector using the following formula.

  The reason for taking the L-th power in Equation 11 is to enable equal score comparison to be performed for payloads of different lengths. This score is directly calculated because the load is high due to the addition of an exponentiation operation, and a packet with a larger score is treated as a packet with a higher degree of anomaly, so the negative logarithm of the score 'is treated as a score. That is, calculation of score is performed by the following equation 12.

  The higher the score, the higher the degree of abnormality. This scoring method is rational as compared to that of ANAGRAM (frequency-based), and exhibits higher performance than ANAGRAM (frequency-based) as can be understood from the evaluation results described later.

  The presentation unit 170 outputs an alert, which is information indicating that the packet is abnormal, for the packet whose abnormality is detected by the detection unit 160. In addition, the presentation unit 170 may output the calculated score. When presenting the score, the presentation unit 170 may output the score regardless of whether or not the alert is output, and may output the score and may not output the alert. The presentation unit 170 presents an alert to the user, for example, by causing the display 106 to display an image indicating the alert. The presentation unit 170 is realized by, for example, the CPU 101, the main memory 102, the storage 103, the display 106, and the like.

  In addition, the presentation part 170 may present an alert to a user from a speaker by a sound, when the abnormality detection apparatus 100 has a speaker. In addition, the presentation unit 170 may cause the information terminal to present the alert by outputting information indicating the alert to the information terminal such as a smartphone.

[2-4 Operation]
Next, the operation of the abnormality detection apparatus 100 will be described.

  FIG. 10 is a flowchart showing an outline of the operation in the abnormality detection device.

  First, the abnormality detection apparatus 100 executes a learning process using a plurality of learning packets that are learning data 211 acquired by the acquisition unit 110 (S1). Thereby, in the abnormality detection apparatus 100, an abnormality detection model is generated for each of the plurality of models. Details of the learning process will be described later.

  Next, the abnormality detection apparatus 100 executes alert threshold determination processing (S2). Hereby, in the abnormality detection apparatus 100, the alert threshold is associated with each model of the abnormality detection model. Details of the alert threshold determination process will be described later.

  Finally, the abnormality detection apparatus 100 executes an inspection process using a plurality of packets that are inspection data 212 acquired by the acquisition unit 110 (S3). Thus, the abnormality detection apparatus 100 detects whether there is an abnormality in each of the plurality of packets. Details of the inspection process will be described later.

  Next, the learning process, that is, the learning method will be described in detail.

  FIG. 11 is a flowchart showing an example of the details of the learning process in the abnormality detection device.

  First, in the abnormality detection apparatus 100, of the plurality of packets obtained from the monitoring target 300, the input receiving unit 140 extracts at least one of the range of the monitoring target IP and the range of the port, and the range in which the N-gram is extracted Is accepted (S11). At this time, the input accepting unit 140 may accept input of information indicating whether it is necessary to identify the protocol of the learning packet from the user. The process of step S11 may be performed once and may not be performed each time learning.

  Next, the acquisition unit 110 acquires a plurality of learning packets that are the learning data 211 (S12).

  Subsequently, the detection model learning unit 120 repeats the processing of steps S13 to S20 for each of the plurality of learning packets.

  The detection model learning unit 120 determines whether it is necessary to identify the protocol of the learning packet in order to execute learning (S13). For example, if the input accepting unit 140 accepts the input of information indicating that the identification of the protocol is required in step S11, the detection model learning unit 120 determines that the identification of the protocol is necessary. For example, it is determined that identification of the protocol is unnecessary. If the detection model learning unit 120 determines that the identification of the protocol is necessary (Yes in S13), the process proceeds to Step S14. If the identification of the protocol is not necessary (No in S13), the process proceeds to Step S15.

  In step S14, the detection model learning unit 120 executes a protocol identification process based on the header of the processing target learning packet, and proceeds to step S15.

  In step S15, the detection model learning unit 120 specifies a model to which the processing target learning packet corresponds. The detection model learning unit 120 specifies a model according to at least one of the destination IP, the destination port, the protocol, and the transmission source IP, which is obtained by reading the header of the processing target learning packet. Here, the detection model learning unit 120 classifies the model to be identified according to at least one of the range of the IP to be monitored received in step S11 and the range of the port and the range for extracting the N-gram. Decide.

  The detection model learning unit 120 determines whether the identified model already exists (S16). That is, the detection model learning unit 120 determines whether a learning packet belonging to the specified model already exists. If the detection model learning unit 120 determines that the specified model does not exist yet (No in S16), the process proceeds to step S17, and if it is determined that the specified model already exists (Yes in S16), the process proceeds to step S18. move on.

  In step S17, the detection model learning unit 120 adds the identified model as a new model, and the process proceeds to step S18.

  In step S18, the detection model learning unit 120 extracts the target data portion in the processing target learning packet. Specifically, the detection model learning unit 120 is a target data unit identified based on the input indicating the range for extracting the N-gram received in step S11, and is an examination of the examination associated with each model. Extract the target data part to be the target.

The detection model learning unit 120 counts the N-gram appearance frequency n _{1 to} n ₆ of the model to which the processing target learning packet belongs (S19). Here, the detection model learning unit 120 counts the fifth number as the N-gram appearance frequency n _{1 to} n ₆ , and calculates the sixth number from the fifth number. Thus, the detection model learning unit 120 ends the learning process on the processing target packet.

  The detection model learning unit 120 determines whether an unlearned packet exists among the plurality of learning packets (S20), and if an unlearned packet exists (Yes in S20), the unlearned packet The processing of step S13 to step S19 is executed. The detection model learning unit 120 ends the learning process if the unlearned packet does not exist (No in S20), that is, if the process of steps S13 to S19 is completed for all the learning packets.

  Note that the acquiring unit 110 may not acquire all of the plurality of learning packets at one time, may divide it into multiple times, and may acquire multiple learning packets one by one, for example . As described above, when the acquisition unit 110 divides a plurality of times and acquires a plurality of learning packets, the abnormality detection apparatus 100 repeats steps S12 to S20.

  Next, the details of the alert threshold determination process will be described.

  FIG. 12 is a flowchart illustrating an example of the alert threshold determination process in detail.

  In the abnormality detection apparatus 100, the input receiving unit 140 receives an input of a parameter related to the alert occurrence rate for generating an alert, and sets the received parameter (S21).

  Next, the alert threshold calculation unit 150 calculates a score for the learning packet by applying the plurality of first probabilities calculated in the learning packet to Equation 12 (S22).

  Then, the alert threshold calculation unit 150 calculates an alert threshold based on the parameter related to the alert occurrence rate received by the input receiving unit 140 and the score calculated for the learning packet (S23). The alert threshold calculation unit 150 calculates an alert threshold so as to be, for example, equal to or less than the alert occurrence rate specified by the parameter.

  Although the abnormality detection apparatus 100 calculates the alert threshold from the parameter in the example of FIG. 12, the alert threshold may be directly received from the user as follows.

  FIG. 13 is a flowchart illustrating another example of details of the alert threshold determination process.

  In the abnormality detection apparatus 100, the input receiving unit 140 receives an input indicating an alert threshold (S21A).

  The alert threshold calculation unit 150 sets an alert threshold indicated by the input received by the input reception unit 140 as an alert threshold (S22A).

  Next, the inspection process, that is, the abnormality detection method will be described in detail.

  FIG. 14 is a flowchart showing an example of the details of inspection processing in the abnormality detection device.

In the abnormality detecting device 100, the detection model learning unit 120 calculates the N-gram probability _Pr 1 to PR ₆ from each of the N-gram number of occurrences _n 1 ~n ₆ of a plurality of models in the abnormality detection model (S31).

  Next, the acquisition unit 110 acquires a plurality of packets that are inspection data 212 (S32).

  Thereafter, the detection unit 160 repeats the processing of step S33 to step S41 for each of the plurality of packets.

  In addition, since step S33-step S36 which the detection part 160 performs are the same as step S13-step S16 which the detection model learning part 120 performs, description is abbreviate | omitted.

  If the detection unit 160 determines that the specified model already exists (Yes in S36), the process proceeds to step S37, and if it is determined that the specified model does not exist yet (No in S36), the process proceeds to step S41.

  In step S37, the detection unit 160 extracts the target data portion in the packet to be processed. Since this process is the same as step S18 of the learning process, the description will be omitted.

  The detection unit 160 calculates the score of the processing target packet (S38). Specifically, the detection unit 160 calculates the score of the processing target packet by performing the processes (1) to (6) in the description of the detection unit 160 described above.

  Does the detection unit 160 determine whether the score calculated for the processing target packet exceeds the alert threshold value associated with the processing target packet model in the abnormality detection model stored in the abnormality detection model DB 130? It is determined whether or not it is (S39). The detecting unit 160 presents an alert if the calculated score exceeds the corresponding alert threshold (Yes in S39) (S40), and if the calculated score is less than or equal to the corresponding alert threshold (S40) No), the process proceeds to step S41.

  The detection unit 160 determines whether an unchecked packet exists among the plurality of packets (S41), and if an unchecked packet exists (Yes in S41), the unchecked packet is processed in steps S33 to S33. The process of step S40 is performed. If there is no untested packet (No in S41), that is, if the processing in step S33 to step S40 is completed for all the packets, the detection unit 160 ends the inspection process.

  Note that the acquiring unit 110 may not acquire a plurality of packets all at once, may divide and acquire the packets a plurality of times, and may acquire a plurality of packets one by one, for example. As described above, when the acquisition unit 110 divides a plurality of times and acquires a plurality of learning packets, the abnormality detection apparatus 100 repeats steps S32 to S41.

[3 effects etc]
According to the anomaly detection method of the present embodiment, among the payloads included in the packet, the payload includes a sequence of N data units among the plurality of data units obtained by dividing in A bit units in the payload. It is a combination of the N data units, and all possible combinations are extracted, a second probability that each of all the combinations appears is calculated, and a score is calculated based on the calculated plurality of second probabilities. calculate. As described above, since the score is calculated based on the probability that the combination including the arrangement of the N data units in the payload appears, the accurate score can be calculated in consideration of the arrangement information.

  Further, according to the learning method according to the present embodiment, it is possible to additionally learn the anomaly detection model or update the anomaly detection model from which old data has been deleted. Thus, abnormal packets can be identified with high accuracy.

  Thus, the anomaly detection method according to the present embodiment is considered to overcome the drawbacks found in the existing method. First, PAYL has the disadvantage that it ignores the information on the byte sequence, but the anomaly detection method according to the present embodiment uses this information by using N-gram (N = 2, 3) information. Is avoiding. In addition, although ANAGRAM has completely discarded information on the number of occurrences of N-grams, in the proposed method, consider a model in which the number of occurrences of N-grams is also taken into consideration. Although ANAGRAM (frequency-based) used N-gram frequency information, the score calculation method was an empirical method, so the proposed method uses Laplace smoothing and uses log likelihood Natural scoring is used to avoid this problem.

  In addition, since the abnormality detection method according to the present embodiment only needs to hold the number of appearances of N-gram (N = 2, 3) appearing with respect to each model, memory efficiency is also good, and Bloom filter like ANAGRAM. There is no need to estimate the size of the

  Also, the hyper parameter in the abnormality detection method according to the present embodiment is only the raising parameter β used in Laplace smoothing, and this parameter may be fixed to, for example, β = 0.01 or the like. A slight variation of this value has been found to have little effect on the performance of the anomaly detection model.

  In addition, in the anomaly detection method according to the present embodiment, if only the appearance frequency vector x of 2-gram in each model is stored, additional learning is performed on the already learned model (additional learning), and conversely, already. It is possible to return the data learned by the model back to the unlearned state (forgetting). In particular, the function of oblivion is a feature not found in other approaches. By using the forgetting function, it is possible to keep only one month's worth of data learned at all times, or to selectively forget from the model the date / time when unwanted data was obtained as normal data. This property is useful in practical operation of the anomaly detection system. That is, the detection unit 160 may update the fourth number included in the abnormality detection model using the counted third number. For example, the detection unit 160 can add learning data to the abnormality detection model by adding the third number to the fourth number. Moreover, while adding the 3rd number obtained by newly counting and deleting the number counted in the past predetermined period from the 4th number of the abnormality detection model, the latest state of the abnormality detection model It can be done. Note that the number counted in the past predetermined period may be deleted from the fourth number without adding the newly counted number to the fourth number of the abnormality detection model.

(Others)
As described above, the abnormality detection apparatus 100 executes the following abnormality detection method.

  1. When unigram is used, information on byte string arrangement is completely lost, so N-gram (N ≧ 2) is used as a feature amount.

  2. Information on the number of occurrences of N-grams is used without completely dropping information on the occurrence frequency of N-grams as in ANAGRAM.

  3. The ANAGRAM (frequency-based) method focuses on the fact that the calculation of the anomaly score is a method using a simple calculation average, assumes a probabilistic model, and calculates an anomaly score that is more theoretically valid. Using

  4. In the real environment, it is difficult to obtain teacher data that can properly tune hyperparameters, so models with few hyperparameters are used.

  The first reason is to obviously use rich information possessed by N-gram (N ≧ 2) rather than unigram. This is because the accuracy of PAYL is lower than that of ANAGRAM because the reason is using unigram.

  The same applies to the second one, because the information indicating how many times an N-gram has appeared contains more information than the information indicating whether an N-gram has appeared. Also, in a packet of a control system network that is considered to contain many highly random binary strings, if it is determined whether or not a certain N-gram has occurred, random binary This is because the N-gram contained therein may be regarded as a normal string.

  The first and second characteristics are identical to the characteristics of frequency-based ANAGRAM. However, in the paper of ANAGRAM, frequency-based ANAGRAM was described as being clearly inferior to binary-based ANAGRAM. As stated in the third characteristic, this paper shows that there was a problem in the method of calculating the anomaly score of the frequency-based NAGRAM, and under the appropriate anomaly score calculation method, the bigram (N = 2 If the N-gram of the time is used, it may be more accurate than PAYL or ANAGRAM.

  The abnormality detection method according to the present embodiment also uses N-gram information of the payload sequence as a feature, as in the method using the past N-gram. In the present embodiment, the case of N = 2, that is, 2-gram is used as a feature. The reason why N ≧ 3 where N N3 is not used is that in the case of NN3, the information of each N-gram becomes sparse, and the reliability of the appearance frequency information drops (this is an ANAGRAM (frequency- However, if the data is abundant, it is expected that high accuracy will be achieved even if N = 3 and this method is applied. In the case of N ≧ 4, in a realistic scene, N-gram data is considered to be sparse and not practical.

  Most anomaly-based anomaly detection techniques have a learning phase, and use data provided as a learning period to learn normal communication behavior. In the inspection phase, it is determined using a detection model obtained in the learning phase whether a given packet is normal or abnormal. Although the anomaly detection method according to the present embodiment is a payload-based method, header information is also used. This is because the proposed method changes the anomaly detection model used for learning / inspection according to the destination IP address and destination port. For example, in the HTTP protocol and the FTP protocol, observed payloads are completely different.

[4 variations]
In the abnormality detection method according to the above-described embodiment, it is also possible to perform scoring in accordance with a sequence generation model using an N-gram. Here _{x i, j [X T,} X T + 1] and the 2-gramX _T, the number of occurrences of _{X T + 1} in the model. At this time, p (X _{T + 1} | X _T ) is determined by the following equation.

Further, p (X ₁ ) is separately determined by the following equation. However, start is a symbol that means the start of data.

  In order to acquire this value, it is necessary to hold the number of appearances of the first character in the payload for each model at the time of learning.

  Further, in the process of inspection, it can be naturally derived from Expression 4 by Expression 15 below.

[5 Experiment and evaluation result]
In this experiment, the anomaly detection method according to the present embodiment is evaluated, comparing PAYL, an ANAGRAM (frequency-based), and an ANAGRAM (binary-based), which are mentioned as existing methods, as comparison targets. ANAGRAM (binary-based) targets 3-gram as an evaluation target, and ANAGRAM (frequency-based) evaluates both 2-gram and 3-gram. As the abnormality detection method according to the present embodiment, 2-gram is used.

[5-1 Data set used for experiment and evaluation method]
Here, 1999 DARPA IDS Data Set (hereinafter DARPA 99 data set) is used as a data set. The DARPA 99 data set is a data set collected for IDS evaluation at MIT Lincoln Labs, and all network traffic including the payload of each packet is provided in tcpdump format. The data consists of 3 weeks of training data and 2 weeks of testing data, and the training data consists of data without 2 weeks of attacks and data with 1 week of attacks . Test data includes attacks on all dates. In addition, attack data is collected in a unit called an instance that combines a series of attacks, and in the DARPA 99 data set, information such as a time period in which each attack instance has occurred, a target IP, and a target port is disclosed. In this evaluation experiment, each method performs learning using data for 2 weeks not including attack data among learning data, and calculates an abnormality score for a packet appearing in test data for 2 weeks. did. In addition, since the procedure evaluated this time uses N = 1, 2, and 3 N-grams, only packets having a payload length of 3 bytes or more were subjected to learning and testing so as to obtain equal evaluation results.

  In this experiment, according to PAYL thesis, in the DARPA 99 data set, we narrow down to attack instances where information appears in the payload, and use a graph of instance-based detection rate (vertical axis) and packet-based false alarm rate (horizontal axis) for each protocol. Evaluate each method. Since each method only calculates an anomaly score (scalar value) for each packet, whether a packet is determined to be abnormal or normal depends on a defined score threshold value. . That is, it is determined that a packet with an abnormal score exceeding a predetermined threshold value is abnormal, and a packet that is not is normal. The larger the threshold, the lower the false alarm rate, but the lower the false alarm rate. Conversely, the smaller the threshold, the higher the detection rate, but the higher the false detection rate.

(Instance-based detection rate)
When one or more packets are detected from a packet group included in a specific attack instance, it is determined that the instance is detected. Instance-based detection rate indicates the ratio of detected instances among all instances under this criterion.

(Packet based false alarm rate)
Of those determined as abnormal by the abnormality detection model, those excluding the packet included in the attack instance are called normal packets. The packet-based false alarm rate is the ratio of packets which are erroneously determined to be abnormal among the normal packets.

  Although DARPA 99 data contains packets of multiple protocols, the number of packets included in each protocol and the number of attack instances vary widely, so there is a large amount of data that can be used as data for evaluation. It is thought that there are about four types of HTTP, FTP, TELNET, and SMTP. Although the present technology is specifically intended for use in a control system, packet data of the protocol for the control system does not exist in the data of DARPA 99. Therefore, we evaluated the FTP protocol and TELNET protocol, which are considered to be relatively close to the control commands found in the protocol for control system, among the data of DARPA 99.

[5-2 experimental result]
FIG. 15 is a diagram showing an experimental result comparing the abnormality detection method according to the present embodiment and another method when evaluation is performed in the FTP protocol. FIG. 16 is a diagram showing experimental results comparing the anomaly detection method according to the present embodiment and another method when evaluation is performed in the TELNET protocol.

  The result of each method is an upward-sloping line, which is a plot of the variation from a small threshold to a large threshold. As the evaluation results of the FTP protocol show, it is understood that the proposed method exhibits performance equivalent to or better than the existing 3-gram-based ANGRAM (binary-based, frequency-based). It clearly performs better than PAYL and 2-gram ANAGRAM (frequency-based). Moreover, in the evaluation result of the TELNET protocol, the anomaly detection method according to the embodiment exhibits superior detection performance than any other method. From this, it can be seen that the anomaly detection method according to the embodiment is an algorithm that exhibits relatively good performance among anomaly detection methods that require less tuning.

  In the above embodiments, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded in a recording medium such as a hard disk or a semiconductor memory. Here, software for realizing the abnormality detection method, the learning method, and the like of each of the above-described embodiments is a program as follows.

  That is, this program detects whether or not there is an abnormality in the communication within the monitoring target or the communication between the monitoring target and the network to which the monitoring target is connected to the computer. The anomaly detection apparatus includes a processor and a memory, and the memory stores an anomaly detection model generated by learning using a plurality of learning packets, and the anomaly is detected by the anomaly detection method. In the detection method, the processor acquires the plurality of learning packets, and for each of the plurality of acquired learning packets, a data string constituting a payload included in the learning packet is A (A is one or more; Of (N is an integer of 2 or more) of the plurality of data units obtained by dividing in units of bits A first combination of N data units in an arrangement order of consecutive ones in the payload, or in an arrangement order of B (B is an integer of 1 or more) skips, of all the first combinations. The first number which is the number of times the first combination appears in the plurality of learning packets is counted and extracted for each of all the first combinations extracted and extracted for the plurality of learning packets The first combination appears in the plurality of learning packets by performing the smoothing process on the basis of the plurality of first numbers obtained by counting for each of the first combinations described above. Calculating a plurality of first probabilities which are the probability of occurrence and storing the plurality of calculated first probabilities in the memory as the abnormality detection model When a plurality of packets are acquired, and a score calculated for the plurality of packets for each of the plurality of acquired packets exceeds a predetermined threshold based on the abnormality detection model stored in the memory, the score Execute an abnormality detection method that outputs that the calculated packet is greater than or equal to.

  In addition, this program is an abnormality for detecting whether the computer has an abnormality in communication within the monitoring target or communication between the monitoring target and the network to which the monitoring target is connected. A learning method executed by a learning device for learning a detection model, wherein the learning device includes a processor and a memory, and in the learning method, the processor acquires a plurality of learning packets and acquires the plurality of acquired packets. For each of the learning packets, N (N is a number) of the plurality of data units obtained by dividing the data string constituting the payload included in the learning packet into A (A is an integer of 1 or more) bits. All possible first combinations of two or more integers) of data units, in a sequential order in which the payloads are contiguous, and , B (B is an integer greater than or equal to 1) pieces of first combinations of N data units in the order of skipping, and for each of the first combinations extracted for the plurality of learning packets A plurality of the above obtained by counting a first number which is the number of times the first combination appears in the plurality of learning packets, and counting each of the extracted first combinations. A plurality of first probabilities, which are probabilities of occurrence of the first combination in the plurality of learning packets, are calculated by performing smoothing processing based on the first number, and the plurality of calculated first plurality of first probabilities are calculated. A learning method is executed to store the probability in the memory as the abnormality detection model.

  The abnormality detection method, the abnormality detection device, the learning method, and the learning device according to one or more aspects of the present invention have been described above based on the embodiments, but the present invention is limited to these embodiments. It is not something to be done. Without departing from the spirit of the present invention, various modifications as may occur to those skilled in the art may be applied to this embodiment, or a configuration constructed by combining components in different embodiments may be one or more of the present invention. It may be included within the scope of the embodiments.

  The present disclosure is useful as an anomaly detection method capable of identifying an abnormal packet with high accuracy, or as a learning method of learning an anomaly detection model for identifying the packet with high accuracy.

1 abnormality detection system 100 abnormality detection device 101 CPU
102 Main memory 103 Storage 104 Communication IF
105 Input IF
106 Display 110 Acquisition unit 120 Detection model learning unit 130 Abnormality detection model DB
131 to 134 anomaly detection model 135 correspondence information 140 input acceptance unit 150 alert threshold calculation unit 160 detection unit 170 presentation unit 200 packet collection device 210 data 211 learning data 212 inspection data 300 monitoring targets 311, 312, 321, 322 hub 313 SCADA
314 PLC
315, 323, 324 PC
400 router 500 network

Claims (13)

An abnormality detection method executed by an abnormality detection apparatus that detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. ,
The anomaly detection device comprises a processor and a memory,
The memory stores an abnormality detection model generated by learning using a plurality of learning packets,
In the abnormality detection method, the processor
Acquire the plurality of learning packets,
Among a plurality of data units obtained by dividing a data string constituting a payload included in the learning packet for each of the acquired plurality of learning packets into A (A is an integer of 1 or more) bits. All possible first combinations of N (N is an integer of 2 or more) data units, in mutually consecutive arrangement order in the payload, or B (B is an integer of 1 or more) Extract the first combination of N data units in the order of the skipping,
A first number, which is the number of times that the first combination appears in the plurality of learning packets, is counted for each of the first combinations extracted for the plurality of learning packets,
The smoothing process is performed based on the plurality of first numbers obtained by counting each of the extracted first combinations, and the first combination is obtained in the plurality of learning packets. Calculate a plurality of first probabilities that are probabilities of appearing,
Storing the plurality of calculated first probabilities in the memory as the abnormality detection model;
Get multiple packets,
For each of the plurality of acquired packets, when the score calculated for the packet exceeds a predetermined threshold based on the abnormality detection model stored in the memory, the packet for which the score is calculated is greater than or equal to An anomaly detection method that outputs In the calculation of the first probability, as the smoothing process, a plurality of second numbers are calculated by adding a positive number to all of the first numbers, and the extracted first combinations of all The abnormality detection method according to claim 1, wherein the first probability is calculated based on the plurality of second numbers calculated for each of. The abnormality detection method according to claim 1, wherein the first combination of the N data units is extracted by using an N-gram in the extraction. The abnormality detection method according to claim 3, wherein the N is 2 or 3. At the output, for each of the plurality of acquired packets,
(1) N (N is an integer of 2 or more) of a plurality of data units obtained by dividing the data string constituting the payload included in the packet into A (A is an integer of 1 or more) bits All possible second combinations of the data units of N, and N data units in consecutive order in the payload or in order of B (B is an integer of 1 or more) skipping order Extract the second combination of
(2) For each of all the second combinations extracted from the packet, a third number is counted, which is the number of times the second combination appears in the payload of the acquired packet,
(3) A plurality of probability that the second combination appears in the packet, based on the plurality of third numbers obtained by counting each of all the second combinations in the packet Calculate the second probability,
(4) A score is calculated by dividing the sum of logarithms of the plurality of second probabilities calculated for the packet by a specified value defined by the payload length of the payload,
(5) If the score calculated for the packet exceeds a predetermined threshold based on the abnormality detection model stored in the memory, the packet for which the score is calculated is output as being abnormal The abnormality detection method according to any one of claims 1 to 4. The memory stores, as the anomaly detection model, a fourth number based on the first number in each of the first combinations.
In the abnormality detection method, the processor further includes:
The abnormality detection method according to claim 5, wherein the fourth number included in the abnormality detection model is updated using the counted third number. In the abnormality detection method, the processor further includes:
The learning packet is classified into any one of a plurality of models according to the header of the learning packet for each of the plurality of learning packets acquired,
For each of the plurality of models,
(1) The number of times each of the first combinations appears in a plurality of learning packets classified into the model among the plurality of learning packets using the counted first number Calculate the fifth number, which is
(2) For each of the first combinations extracted from the plurality of learning packets classified into the model, the plurality of fifth combinations calculated by adding a positive number to all of the calculated fifth numbers Calculate the sixth number of
(3) The first combination appears in the plurality of learning packets classified into the model based on the calculated plurality of sixth numbers for each of the extracted first combinations. The abnormality detection method according to claim 5, wherein a plurality of first probabilities that are probabilities are calculated. The memory stores the predetermined threshold for each of the plurality of models.
In the abnormality detection method, the processor further includes:
Classify each of the plurality of acquired packets into any one of a plurality of models according to a header of the packet,
The output indicates that the packet is abnormal if the calculated score exceeds the predetermined threshold corresponding to a model into which the packet for which the score is calculated is classified. Anomaly detection method. 9. The anomaly detection method according to claim 7, wherein each of the plurality of models is a model classified according to at least one of a destination IP, a destination port, a source IP, and a protocol of the packet. The memory stores, as the abnormality detection model, the fifth number in each of the first combinations for each of the plurality of models.
In the abnormality detection method, the processor further includes:
The abnormality detection method according to any one of claims 7 to 9, wherein the fifth number included in the abnormality detection model is updated using the counted third number. A learning device for learning an abnormality detection model for detecting whether there is an abnormality in communication within the monitoring target or communication between the monitoring target and the network to which the monitoring target is connected is executed Learning method, and
The learning device comprises a processor and a memory,
In the learning method, the processor
Get multiple learning packets,
Among a plurality of data units obtained by dividing a data string constituting a payload included in the learning packet for each of the acquired plurality of learning packets into A (A is an integer of 1 or more) bits. All possible first combinations of N (N is an integer of 2 or more) data units, in mutually consecutive arrangement order in the payload, or B (B is an integer of 1 or more) Extract the first combination of N data units in the order of the skipping,
A first number, which is the number of times that the first combination appears in the plurality of learning packets, is counted for each of the first combinations extracted for the plurality of learning packets,
The smoothing process is performed based on the plurality of first numbers obtained by counting each of the extracted first combinations, and the first combination is obtained in the plurality of learning packets. Calculate a plurality of first probabilities that are probabilities of appearing,
A learning method for storing the plurality of calculated first probabilities in the memory as the abnormality detection model. An abnormality detection device that detects whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected,
The anomaly detection device comprises a processor and a memory,
The memory stores an abnormality detection model generated by learning using a plurality of learning packets,
The processor is
Acquire the plurality of learning packets,
Among a plurality of data units obtained by dividing a data string constituting a payload included in the learning packet for each of the acquired plurality of learning packets into A (A is an integer of 1 or more) bits. All possible first combinations of N (N is an integer of 2 or more) data units, in mutually consecutive arrangement order in the payload, or B (B is an integer of 1 or more) Extract the first combination of N data units in the order of the skipping,
A first number, which is the number of times that the first combination appears in the plurality of learning packets, is counted for each of the first combinations extracted for the plurality of learning packets,
The smoothing process is performed based on the plurality of first numbers obtained by counting each of the extracted first combinations, and the first combination is obtained in the plurality of learning packets. Calculate a plurality of first probabilities that are probabilities of appearing,
Storing the plurality of calculated first probabilities in the memory as the abnormality detection model;
Get multiple packets,
For each of the plurality of acquired packets, when the score calculated for the packet exceeds a predetermined threshold based on the abnormality detection model stored in the memory, the packet for which the score is calculated is greater than or equal to An anomaly detection device that outputs A learning device for learning an abnormality detection model for detecting whether there is an abnormality in communication within a monitoring target or communication between the monitoring target and a network to which the monitoring target is connected. ,
The learning device comprises a processor and a memory,
The processor is
Get multiple learning packets,
Among a plurality of data units obtained by dividing a data string constituting a payload included in the learning packet for each of the acquired plurality of learning packets into A (A is an integer of 1 or more) bits. All possible first combinations of N (N is an integer of 2 or more) data units, in mutually consecutive arrangement order in the payload, or B (B is an integer of 1 or more) Extract the first combination of N data units in the order of the skipping,
A first number, which is the number of times that the first combination appears in the plurality of learning packets, is counted for each of the first combinations extracted for the plurality of learning packets,
The smoothing process is performed based on the plurality of first numbers obtained by counting each of the extracted first combinations, and the first combination is obtained in the plurality of learning packets. Calculate a plurality of first probabilities that are probabilities of appearing,
A learning device for storing the plurality of calculated first probabilities in the memory as the abnormality detection model.

Images