JP2020113216A - Analyzer and method for analysis - Google Patents

Abstract

To reduce the analysis load on an analyst generated by increase of analysis target alerts.SOLUTION: The analyzer can access behavior history information, behavior classification information, and behavior sequence information, acquires the result of classification of behaviors of the communication partner with a monitoring target before generation of an alert for each alert group generated in the monitoring target, determines whether a specific communication partner with the monitoring target before a specific one of the alert groups is generated exists in the behavior classification information, generates a specific behavior sequence as the time-series behavior of the specific communication partner on the basis of the result of classification of behaviors of the specific communication partner and the previous behavior history of the specific communication partner stored in the behavior history information if the specific communication partner does not exist in the behavior classification information, determines whether the specific behavior sequence is a part of another behavior sequence, by using the behavior sequence information, and selects the result of classification of the behaviors the specific communication partner if the specific behavior sequence is a part of another behavior sequence.SELECTED DRAWING: Figure 1

Description

The present invention relates to an analysis device and an analysis method for analyzing data.

The attacking side is structurally dominant in cyberspace, and the attacks are becoming more sophisticated, increasing, and changing day by day. Under such circumstances, the targets of attack are expanding from conventional financial businesses and IT (Information Technology) service businesses to infrastructure businesses. The cost of countermeasures required for countermeasures is increasing, but the current situation is that investment cannot keep up with it. The number of security experts is also insufficient, and securing human resources for the future is an issue. Since a sufficient number of security experts are not secured, it is feared that the operation work of SOC (Security Operation Center) will be hindered. In particular, social infrastructure operators monitor the entire system. Therefore, a significant improvement in SOC operational performance is required as compared with the past.

What requires the most man-hours in the SOC operation work is the work of judging the importance of the security alert notified from the FW (Firewall)/IPS (Intrusion Prevention System) (the work of manually judging whether it is an incident or a false positive). .. Conventionally, when an alert occurs, an SOC expert refers to each device log in the system and external threat information (for example, URL (Uniform Resource Locator) and malware risk evaluation), and the importance of the alert. Was judged based on experience and intuition. In order to realize sustainable SOC operation in the future against the ever-increasing number of cyber attacks and the large scale of monitored systems, automation of the above alert importance determination is essential. However, it is difficult in terms of cost to define all decision logic rules. Therefore, there is a need for a technique for creating a judgment logic of the alert importance level by machine learning from accumulated data of the alert importance level by an expert.

Further, Patent Document 1 discloses a teacher data collection device for collecting data relating to a specific field, which is used as teacher data for machine learning. This teacher data collection device includes a feature calculation unit that calculates a first feature vector, which is a feature vector of data relating to a specific field registered in advance, and data relating to the specific field from the first feature vector. And a collecting unit that collects data relating to the specific field based on the generated search condition, and a second feature that is a feature vector of the collected data. When the feature calculation unit calculates a vector, a similarity calculation unit that calculates a similarity between the second feature vector and the first feature vector, and the collected data whose similarity is within a predetermined range. Is extracted as the teacher data.

JP, 2008-124617, A

Cyber attacks change their methods over time. In order to keep up with change, continuous additional learning is essential. Therefore, it is necessary to have a security analyst, who is an expert, newly input a judgment (called a label) for an alert that cannot be judged mechanically and whose accuracy is low. However, as the number of inputs increases, the burden on the expert increases.

The disclosed technique aims to reduce the analysis burden on the security analyst due to an increase in the number of alerts to be analyzed.

An analysis apparatus and an analysis method according to an aspect of the present disclosure are an analysis apparatus and an analysis method that include a processor that executes a program and a storage device that stores the program, the processor including action history information. The action classification information and the action sequence information are accessible, and the action history information is information in which a past action history executed by the communication partner with the monitoring target for the monitoring target is stored, and the action classification information Is information that associates the communication partner with the classified action group of the communication partner, and the action sequence information is an action sequence that is a time-series action of the communication partner, and the action sequence is The included information indicating whether or not it is a part of another action sequence longer than the action sequence is information in which the associated information is associated with the processor, and the processor is provided for each alert of the alert group generated in the monitoring target. Acquisition processing for acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before occurrence, and the monitoring within the first predetermined period before the occurrence of a specific alert in the alert group A first determination process for determining whether or not a specific communication partner with the target exists in the action classification information, and it is determined by the first determination process that the specific communication partner does not exist in the action classification information. In this case, it is a time-series action of the specific communication partner based on the action classification result of the specific communication partner and the past action history of the specific communication partner stored in the action history information. A second determination process of generating a specific action sequence and using the action sequence information to determine whether the specific action sequence is a part of the other action sequence, and the second determination process. When it is determined that the specific action sequence is a part of the other action sequence, a selection process of selecting an action classification result of the specific communication partner, and the specific communication selected by the selection process And an output process for outputting the classification result of the actions of the other party.

An analysis apparatus and an analysis method according to another aspect of the disclosed technique are an analysis apparatus and an analysis method that include a processor that executes a program and a storage device that stores the program, wherein the processor is action history information. And action sequence information and action sequence information are accessible, and the action history information is information in which past action history executed by the communication partner with the monitoring target for the monitoring target is stored. The information is information in which the communication partner is associated with a classified action group of the communication partner, and the action sequence information is an action sequence that is a time-series action of the communication partner, and the action sequence. And the appearance frequency of each of the monitoring target, and the processor classifies the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target. An acquisition process for acquiring a result and determining whether or not a specific communication partner with the monitoring target within the first predetermined period before the occurrence of a specific alert in the alert group exists in the action classification information Stored in the action history information and the action classification result of the specific communication partner when it is determined by the first determination process that the specific communication partner does not exist in the action classification information. Based on the past action history of the specified communication partner, a specific action sequence that is a time-series action of the specific communication partner is generated, and using the action sequence information, the specific action Second determination processing for determining whether or not the appearance frequency of the sequence is less than or equal to a predetermined frequency, and when the appearance frequency of the specific action sequence is determined to be less than or equal to the predetermined frequency by the second determination processing, It is characterized in that a selection process for selecting the action classification result of the specific communication partner and an output process for outputting the action classification result of the specific communication partner selected by the selection process are performed.

According to the exemplary embodiment of the present invention, it is possible to automate the narrowing down of alerts that are highly related to the change in the tactics. Problems, configurations, and effects other than those described above will be clarified by the following description of the embodiments.

FIG. 1 is an explanatory diagram showing an example of cyber attack analysis. FIG. 2 is a block diagram showing a system configuration example of the monitoring system. FIG. 3 is a block diagram showing an example of the hardware configuration of the various computers shown in FIG. FIG. 4 is an explanatory diagram showing an example of the feature amount table. FIG. 5 is an explanatory diagram showing an example of the label table. FIG. 6 is an explanatory diagram showing an example of the action classification table. FIG. 7 is an explanatory diagram showing an example of the action sequence table. FIG. 8 is an explanatory diagram showing an example of the ratio table. FIG. 9 is a block diagram showing a functional configuration example of the analyzer. FIG. 10 is a sequence diagram showing the operation of the analyzer. FIG. 11 is an explanatory diagram showing an output screen display example of the analyst terminal. FIG. 12 is a flowchart showing a detailed processing procedure example of the action classification prediction (step S1005) shown in FIG. FIG. 13 is a flowchart showing a detailed processing procedure example of the communication partner-specific abnormal behavior determination (step S1007) shown in FIG. FIG. 14 is a flowchart showing a detailed processing procedure example of the abnormal behavior determination for each behavior (step S1009) shown in FIG. FIG. 15 is a flowchart showing a detailed processing procedure example of the feedback processing (step S1012) shown in FIG. FIG. 16 is a flowchart showing a detailed processing procedure example of the additional learning processing (step S1013) shown in FIG.

<Example of cyber attack analysis>
FIG. 1 is an explanatory diagram showing an example of cyber attack analysis. In FIG. 1, a case where the monitored system 110 receives a cyber attack from a communication terminal 120 (which may be simply referred to as an attacker) that performs a cyber attack will be described as an example. When the monitored system 110 receives a cyber attack from the communication terminal 120, the monitored system 110 sends an alert to the SOC 100. The alert includes, for example, an alert identifier that uniquely identifies the alert, an alert occurrence date and time, and a communication partner (the communication terminal 120 in this example).

The SOC 100 includes an alert management device 101, a log collection device 102, and an analysis device 103. The alert management apparatus 101 receives an alert from the monitored system 110 and transfers it to the log collection apparatus 102. The log collection device 102 acquires a log indicating the behavior of the monitored system 110 (for example, the number of cache misses and the number of abnormal responses) from the monitored system 110 and sends it to the analysis device 103.

The analysis device 103 has a DB 130, acquires a log within a predetermined period before an alert is generated from the log collection device 102, assigns an alert identifier of an alert generated within the predetermined period to the log, and stores the log in the DB 130. .. The log to which the alert identifier is given is called "alert characteristic data". Even if the same alert identifier is assigned to different logs, each becomes the alert feature data.

The analysis device 103 executes the machine learning process 131 to generate a classifier for classifying the alert feature data. The classifier is, for example, a learning parameter. Note that two types of learning data are applied in the machine learning process 131. One is unsupervised alert characteristic data, and the other is supervised alert characteristic data.

The unsupervised alert feature data is a log relating to the behavior of the monitored system 110 or its communication partner before the occurrence of past alerts. The supervised alert feature data is a combination of a log relating to the behavior of the monitored system 110 or its communication partner before the occurrence of a past alert, and a classification label given by the security analyst 141 to the log. By clustering the unsupervised alert characteristic data group in the machine learning process 131, the unsupervised alert characteristic data group is classified into a plurality of clusters. The security analyst 141 gives each cluster a label indicating the classification of cyber attacks. As a result, the unsupervised alert characteristic data becomes the supervised alert characteristic data. The analysis device 103 generates a classifier by executing the machine learning process 131 using the alert feature data with teacher.

When a prediction target alert feature data group within a predetermined period before the occurrence of a cyber attack prediction target alert is obtained from the log collection device 102, the analysis device 103 uses the generated classifier by the alert classification process 132. Then, the prediction target alert feature data group is classified, and the classification result is stored in the DB 130.

Through the sampling process 133, the analysis device 103 samples, from the labels that are the classification results obtained from the classifier, the labels that are strongly associated with the change in the signature according to the following viewpoints (1) and (2).

(1) By the communication partner-specific abnormal behavior determination processing 134, the analysis apparatus 103 determines whether the assigned label or the time-series sequence of the label is first appearance or low frequency for the communication partner that is the cause of the prediction target alert. To judge. If the given label or the time-series sequence of the label appears for the first time or the frequency is low, the analyzer 103 samples the prediction target alert corresponding to the prediction target alert feature data to which the label is given as a selected alert.

(2) By the behavior-specific abnormal behavior determination processing 135, the analysis apparatus 103 determines whether or not the assigned label or the time-series behavior sequence of the label has been a part of a long-term attack in the past for the communication partner group. Determine whether. If the assigned label or the action sequence has a history of being part of a long-term attack in the past, the analysis device 103 samples the prediction target alert corresponding to the prediction target alert feature data to which the label is assigned as a selected alert. To do.

From the viewpoints (1) and (2), the analysis apparatus 103 can automatically narrow down a prediction target alert group having a high degree of association with a change in signature to a selected alert. As a result, the analysis load on the security analyst 141 can be reduced.

The analyst terminal 140 receives the selected alert sampled in the sampling process 133, and the security analyst 141 analyzes the selected alert displayed on the analyst terminal 140. For example, the security analyst 141 changes the label of the selected alert. Then, the analyst terminal 140 transmits the feedback information created by the security analyst 141 to the analysis device 103. The feedback information includes, for example, the changed label of the selected alert. The analysis device 103 updates the label of the selected alert in the DB 130 based on the feedback information. The security analyst 141 may analyze the selected alert displayed on the analysis device 103 or may operate the analysis device 103 to create feedback information.

Further, the analysis device 103 suppresses the bias of the distribution of the additional learning data given to the classifier by the adjustment processing 137 when re-learning the classifier. The additional learning data is, for example, a combination of the prediction target alert feature data that has been subjected to the sampling process 133 and a label that is newly assigned to the prediction target alert feature data by the security analyst 141. Specifically, for example, the analysis device 103 adjusts the number of selection alerts for each label from the following viewpoint (3) by the adjustment processing 137 so that the labels of the additional learning data group are not concentrated on a specific label.

(3) The analysis device 103 replenishes unselected alerts that have not been sampled in the sampling process 133 to labels with a small number of selected alerts so that the number of selected alerts for each label is the same.

From the viewpoint (3), the bias of the distribution of the additional learning data is suppressed. Therefore, the analysis apparatus 103 can minimize the number of inquiries to the security analyst 141 regarding adjustment of the bias of the distribution of the additional learning data when re-learning with the additional learning data. Further, by suppressing the bias of the distribution of the additional learning data, it is possible to suppress over-learning due to concentration on a specific label. Therefore, it is possible to deal with a cyber attack whose method changes with the passage of time.

<Example of system configuration>
FIG. 2 is a block diagram showing a system configuration example of the monitoring system. The monitoring system 200 includes a monitoring target system 110 and an SOC 100. The monitoring target system 110 and the SOC 100 are communicably connected.

The monitoring target system 110 is a system monitored by the SOC 100. The monitored system 110 has, for example, a first network 210, one or more client terminals 211, a business server 212, a network monitoring device 213, a first FW/IPS 214, and a proxy server 216.

The first network 210 is, for example, a bus, and communicatively connects one or more client terminals 211, business servers 212, network monitoring devices 213, first FW/IPS 214, proxy servers 216, second FW/IPS 223, and SOC 100. .. The first FW/IPS 214 is communicatively connected to the external network 202. The external network 202 is, for example, a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet.

Further, the monitored system 110 has, for example, a second network 220, a control device 221, a controller 222, and a second FW/IPS 223. The second network 220 is, for example, a bus, and communicatively connects the second network 220, the control device 221, the controller 222, and the second FW/IPS 223.

The SOC 100 includes, for example, an alert management device 101, a log collection device 102, an analysis device 103, an analyst terminal 140, and a third network 203. The third network 203 is, for example, a bus, and communicatively connects the alert management apparatus 101, the log collection apparatus 102, the analysis apparatus 103, the analyst terminal 140, and the external threat information database 201.

The alert management apparatus 101 acquires and stores alerts such as virus detection, abnormal behavior detection, and connection detection with an unregistered apparatus from the monitored system 110 as an example of an event. The alert includes, for example, the date and time of the alert, the alert target (computer in the monitored system 110 that is the source of the alert), and the communication partner of the alert target (for example, an IP address that identifies the communication terminal 120). It is the information to include. The alert management apparatus 101 notifies the analysis apparatus 103 of the acquired alert.

The log collection device 102 acquires and stores the log from the monitored system 110. The log is history information indicating when and which computer 300 in the monitored system 110 transmitted/received what data to/from which communication partner.

The analysis device 103 analyzes the alert using the alert managed by the alert management device 101, the log managed by the log collection device 102, and the threat information registered in the external threat information database 201. The external threat information database 201 is, for example, a database that publishes threat information on the Internet. The threat information includes, for example, malware, program vulnerability, spam, and malicious URL. The analyst terminal 140 is a terminal operated by the security analyst 141.

<Computer hardware configuration example>
FIG. 3 shows various computers (client terminal 211, business server 212, network monitoring device 213, first FW/IPS 214, proxy server 216, control device 221, controller 222, second FW/IPS 223, alert management device 101 shown in FIG. 2 is a block diagram showing an example of the hardware configuration of a log collection device 102, an analysis device 103, and an analyst terminal 140).

The computer 300 includes a processor 301, a storage device 302, an input device 303, an output device 304, and a communication interface (communication IF) 305. The processor 301, storage device 302, input device 303, output device 304, and communication IF 305 are connected by a bus 306. The processor 301 controls the computer 300.

The storage device 302 serves as a work area of the processor 301. The storage device 302 is a non-temporary or temporary recording medium that stores various programs and data. Examples of the storage device 302 include a ROM (Read Only Memory), a RAM (Random Access Memory), a HDD (Hard Disk Drive), and a flash memory. The input device 303 inputs data. Examples of the input device 303 include a keyboard, a mouse, a touch panel, a numeric keypad, and a scanner. The output device 304 outputs data. Examples of the output device 304 include a display and a printer. The communication IF 305 connects to a network and transmits/receives data.

<Feature amount table 400>
FIG. 4 is an explanatory diagram showing an example of the feature amount table 400. The feature amount table 400 is a table that stores alert feature amounts that indicate alert feature amounts, is collected from the log collection device 102 by the analysis device 103, and is stored in, for example, the storage device 302 of the analysis device 103. The feature amount table 400 may be stored in the log collection device 102.

The feature amount table 400 has an alert identifier 401, a total date/time 402, a proxy server log 403, a business server log 404, and external threat information 405 as fields. The combination of the values of the fields in a certain row is the entry that constitutes the alert feature data.

In addition to the proxy server log 403, the business server log 404, and the external threat information 405, there are logs for other computers in the monitored system 110 (the client terminal 211, the FW/IPS 214, 223, the network monitoring device 213, etc.). However, it is omitted in FIG.

The alert identifier 401 is identification information that uniquely identifies the alert. The alert from the alert management apparatus 101 includes the alert identifier 401, the date and time of occurrence, the alert target, and the communication partner. The date and time of occurrence is the date and time when the alert occurred. The alert target is a source of the alert, here, a computer in the monitored system 110. The communication partner is the destination of the data transmitted by the alert target or the transmission source of the data transmitted to the alert target. The analysis device 103 assigns the alert identifier 401 of the alert to an entry including the aggregated date and time 402 in the time zone from the date and time before the alert date and time to the date and time when the alert occurred.

The total date and time 402 is the date and time when the log collecting apparatus 102 totals the logs from the date and time when a predetermined time goes back from the date and time when the alert identified by the alert identifier 401 occurs to the date and time when the log is generated. In this example, the predetermined time is 1 hour and the fixed time interval is 10 minutes. The total date and time 402 indicates the end date and time of a fixed time interval. For example, the entry having the aggregation date/time 402 of “10/10 12:57” indicates the alert feature data specified by the log aggregated in 10 minutes from 12:48 to 12:57 of 10/10.

For example, if the date and time of occurrence of an alert whose alert identifier 401 is "Alert_005" is "10/10 13:57", the aggregated date and time 402 of alerts whose alert identifier 401 is "Alert_005" is "10/ "10/10 12:57" which goes back one hour from "10 13:57" and "10/10 13:07" and "10/10 13:17" in 10 minute intervals from "10/10 13:57" , "10/10 13:27", "10/10 13:37", "10/10 13:47", and "10/10 13:57". In this way, the collection timing of alert characteristic data when an alert is generated is set.

The proxy server log 403 has a cache miss count 431 and an abnormal response count 432 as subfields. The number of cache misses 431 is the number of times the proxy server 116 has made a cache miss at the total time 402. The abnormal response count 432 is the number of times the proxy server 116 has received an abnormal response at the total date/time 402. The subfield of the proxy server log 403 may be other than the cache miss count 431 and the abnormal response count 432 (for example, the communication byte count), but it is omitted in FIG.

The business server log 404 has an abnormal response count 441 and an access count 442 as subfields. The abnormal response count 441 is the number of times the business server 112 has received an abnormal response at the aggregation date/time 402. The access count 442 is the number of times the business server 112 was accessed by another computer 300 during the counting period of the fixed time interval specified by the counting date 402. The subfield of the business server log 404 may be other than the abnormal response count 441 and the access count 442 (for example, the authentication failure count), but it is omitted in FIG.

The external threat information 405 has an IP address risk 451 and a URL risk 452 as subfields. The IP address risk level 451 is an index value that indicates the risk level of the IP address in the external threat information database 201 in a stepwise manner when the communication target of the alert at the aggregation date/time 402 is specified by the IP address. In this example, 6 levels from 0 to 5 are set, and 5 indicates the highest risk.

The URL risk level 452 is an index value that indicates the risk level of the URL in the external threat information database 201 in a stepwise manner when the communication target of the alert at the aggregation date/time 402 is specified by the URL. In this example, 6 levels from 0 to 5 are set, and 5 indicates the highest risk. The subfield of the external threat information 405 may be other than the IP address risk 451 or the URL risk 452, but is omitted in FIG.

<Label table 500>
FIG. 5 is an explanatory diagram showing an example of the label table 500. The label table 500 is a table that stores classification labels, and is stored in, for example, the storage device 302 of the analyzer 103. The label table 500 may be stored in the log collection device 102.

The label table 500 includes an alert identifier 401, a total date/time 402, communication partner classification information 503, a behavior classification (label) 504, a probability 505, a behavior classification (old label) 506, sampling 507, and additional learning completed. And 508 as fields. The combination of the values of the fields in a certain row is the entry that constitutes the label data.

The communication partner classification information 503 is information for classifying communication partners, and is a communication partner of the monitored system 110 included in the alert. The behavior classification (label) 504 is the latest label for classifying the behavior of the communication partner, in other words, the cyber attack from the communication terminal 120, and threat information such as malware, program vulnerability, spam, and illegal URL. Is. In this embodiment, for convenience, individual values of the action classification (label) 504 are shown in uppercase letters.

The accuracy 505 is a numerical value indicating the likelihood of the value of the action classification (label) 504, and the larger the value, the more likely the action classification (label) 504 is. The value of the accuracy 505 ranges from 0.0 to 1.0. The value of the accuracy 505 is a learning result by the machine learning processing 131. The closer to the center of the cluster specified by the value of the action classification (label) 504, the larger the value of the accuracy 505.

The action classification (old label) 506 indicates a past label. When a new label is recorded in the action classification (label) 504, the label before recording is stored in the action classification (old label) 506 as an old label.

The sampling 507 is a flag indicating whether or not the alert is sampled as an analysis target, and the initial value is “N” indicating that the alert is not sampled. When sampled, it is updated to "Y" indicating that it has been sampled.

The additional learning completed 508 is a flag indicating whether or not the alert identifier and the action classification (label) of the alert are selected as the additional learning data when the bias of the additional learning data is suppressed by the adjustment processing 137. The initial value is “N” indicating that it is not additional learning data, and is updated to “Y” when added as additional learning data. The additional learning data will be described later.

<Behavior classification table 600>
FIG. 6 is an explanatory diagram showing an example of the action classification table 600. The action classification table 600 is a table that stores the action of the attacker, and is stored in, for example, the storage device 302 of the analysis device 103. The action classification table 600 may be stored in the log collection device 102.

The behavior classification table 600 has communication partner classification information 503 and behavior classification 601 as fields. The combination of the values of the fields in a certain row is the entry that constitutes the action classification data.

The action classification 601 has a label as a subfield. Therefore, for each label of the communication partner specified by the communication partner classification information 503, the appearance frequency and normal/abnormal of the label are specified. The appearance frequency of the label is defined by the number of times n of access from the communication partner corresponding to the label from the attacker specified by the communication partner classification information 503. In the present embodiment, the appearance frequency is defined in four levels of "H" (high), "M" (normal), "L" (low), and blank.

A blank indicates that the access count n of the communication partner is 0 (n=0) even once. “L” indicates that the number of times of access n in the action of the label by the communication partner is 1 or more and na−1 times (1≦n<na−1). “M” indicates that the number of accesses n in the action of the label by the communication partner is na times or more and nb−1 times (na≦n<nb−1). “H” indicates that the number of times of access n in the action of the label by the communication partner is nb or more (nb≦n). na and nb are preset values.

When it is detected from the communication party classification information 503 that there is a behavior such as a cyber attack corresponding to a certain label in the behavior classification 601, the number of times of access n corresponding to the relevant label is added once. When the number of accesses n after the addition becomes na, the appearance frequency of the label is updated from "L" to "M", and when the number of times n after the addition becomes nb, it is updated from "M" to "H". Further, the security analyst 141 determines whether the label is normal or abnormal. Specifically, for example, the feedback information from the analyst terminal 140 includes information indicating whether the label is normal or abnormal, and is updated by the feedback processing 136 shown in FIG.

<Behavior sequence table 700>
FIG. 7 is an explanatory diagram showing an example of the action sequence table 700. The action sequence table 700 is a table that stores abnormal actions of communication partners, and is stored in the storage device 302 of the analysis device 103, for example. The action sequence table 700 may be stored in the log collection device 102.

The action sequence table 700 has an action sequence 701, a frequency 702, and a long-term attack part 703 as fields. The combination of the values of the fields in a certain row is the entry that constitutes the action sequence data. The action sequence table 700 may have at least one of the frequency 702 and the part 703 of the long-term attack.

The action sequence 701 is a time series of one or more labels. When two or more same labels are consecutive, the number is reduced to one. For example, when the time series of the label is “A→B→B→B→C”, the action sequence 701 is “A→B→C” because “B” appears three times in a row. ..

The frequency 702 is the appearance frequency of the action sequence 701 defined by four levels of “H” (high), “M” (normal), “L” (low), as in the case of the action classification 601. is there.

The part 703 of the long-term attack is included information indicating whether or not the action sequence 701 is part of the long-term attack. The initial value of the part 703 of the long-term attack is “N” indicating that it is not the part 703 of the long-term attack, and is updated to “Y” if included in the part 703 of the long-term attack. The long-term attack is an action sequence that has appeared in the past, and has one or more labels than the action sequence 701.

For example, when “A→B→C→D” is defined as a long-term attack as a past action sequence, “A”, “B”, “C”, “D”, “A→B”, “B”. Each action sequence 701 of “→C”, “C→D”, “A→B→C”, and “B→C→D” corresponds to a part 703 of the long-term attack. Therefore, a part 703 of the long-term attacks in these action sequences 701 is updated to “Y”. Further, the number of labels of the part 703 of the long-term attack may be two or more. For example, when the number of labels of part of the long-term attack 703 is 3 or more, in the above example, each action sequence 701 of “A→B→C” and “B→C→D” is one of the long-term attacks. It corresponds to the section 703.

The security analyst 141 determines which action sequence 701 is part of the long-term attack 703. Specifically, for example, the feedback information from the analyst terminal 140 includes information indicating which action sequence 701 is part of the long-term attack 703. In this case, if there is an action sequence 701 corresponding to a part 703 of the long-term attack by the feedback processing 136 shown in FIG. 1, the part 703 of the long-term attack is updated to “Y”.

<Ratio table 800>
FIG. 8 is an explanatory diagram showing an example of the ratio table 800. The ratio table 800 is a table that stores the ratio of the number of alerts for each label, and is stored in the storage device 302 of the analyzer 103, for example. The ratio table 800 may be stored in the log collection device 102.

The ratio table 800 has an action classification (label) 504 and an alert number ratio 801 as fields. The ratio 801 of the number of alerts shows the ratio of the number of alerts (that is, the number of labels) added as additional learning data. The alert added as the additional learning data is an alert with a label of which sampling 507 is “Y”. In FIG. 8, labels whose sampling 507 is “Y” are “A”, “B”, and “C”. As the ratio 801 of the number of alerts of each label becomes closer to equal, the learning bias in the additional learning in the machine learning process 131, that is, the deterioration of the classification accuracy can be suppressed.

<Example of functional configuration of analyzer 103>
FIG. 9 is a block diagram showing a functional configuration example of the analysis device 103. The analysis device 103 includes a feature amount table 400, a label table 500, an action classification table 600, an action sequence table 700, a ratio table 800, a learning unit 901, a prediction unit 902, a first determination unit 903, It has a second determination unit 904, a communication unit 905, a sampling candidate list 911, and an additional learning alert list 912.

The learning unit 901, the prediction unit 902, the first determination unit 903, the second determination unit 904, and the communication unit 905, specifically, for example, in the processor 301, a program stored in the storage device 302 illustrated in FIG. It is realized by executing it. Further, the sampling candidate list 911 and the additional learning alert list 912 are specifically realized by, for example, the storage device 302 illustrated in FIG. 3.

The learning unit 901 executes the machine learning process shown in FIG. The prediction unit 902 executes the alert classification process 132 shown in FIG. The first determination unit 903 executes the communication partner-specific abnormal behavior determination processing 134 shown in FIG. The second determination unit 904 executes the behavioral abnormal behavior determination processing 135 and the feedback processing 136 illustrated in FIG. 1. The communication unit 905 transmits/receives data to/from the analyst terminal 140 via the communication IF 305.

<Operation sequence of analyzer 103>
FIG. 10 is a sequence diagram showing the operation of the analyzer 103. The learning unit 901 acquires the log stored in the feature amount table 400 from the log collection device 102 (step S1001). The learning unit 901 inputs the acquired log as an unsupervised alert feature data group and executes machine learning (step S1002). As a result, the unsupervised alert feature data group is classified into a plurality of clusters. A label indicating the classification is given to each cluster by the security analyst 141. As a result, the classifier 900 is generated.

The learning unit 901 may re-learn using the unsupervised alert feature data group in which a label is added to the unsupervised alert feature data group, and update the classifier 900. The classifier 900 may be created by the security analyst 141.

Next, the prediction unit 902 acquires a prediction target alert that has occurred in the monitoring target system 110 from the alert management apparatus 101, and predicts the log before the prediction target alert stored in the feature amount table 400 from the log collection apparatus 102 as a prediction target. It is acquired as alert characteristic data (step S1003). The prediction unit 902 acquires the classifier 900 (step S1004).

The prediction unit 902 executes the behavior classification prediction by giving each of the prediction target alert feature data groups to the classifier 900 (step S1005), and the classification result (the label in which the prediction target alert feature data is classified and its accuracy). The combination) is output to the first determination unit 903 (step S1006). Details of the behavior classification prediction (step S1005) will be described later with reference to FIG. The security analyst 141 may create the classification result by referring to the prediction target alert feature data at the analyst terminal 140 without executing the action classification prediction (step S1005).

Next, the first determination unit 903 executes the communication partner-specific abnormal behavior determination using the classification result (step S1007), and outputs the first-appearing or low-frequency classification result to the second determination unit 904 (step S1008). ). Details of the abnormal behavior determination for each communication partner (step S1007) will be described later with reference to FIG.

Next, the second determination unit 904 executes the behavior-specific abnormal behavior determination using the first-appearing or low-frequency classification result (step S1009), and selects an alert to be sampled (hereinafter, selected alert) from the prediction target alert group. Alert). The selected alert is, for example, a combination of an alert identifier 401 that identifies the selected alert and the classification result of the selected alert. The selection alert may include a behavior class (old label) 506 of the selection alert. The second determination unit 904 transmits the selection alert to the analyst terminal 140 via the communication unit 905 (step S1010). Details of the behavioral abnormal behavior determination (step S1010) will be described later with reference to FIG.

The analyst terminal 140 receives the selection alert from the communication unit 905 and displays it on the display. An output screen display example will be described later with reference to FIG. The security analyst 141 inputs information such as the label of the selected alert and the action attribute (normal/abnormal) from the output screen. As a result, the analyst terminal 140 generates feedback information and transmits it to the analysis device 103 (step S1011).

Upon receiving the feedback information, the analysis device 103 executes the feedback process (step S1012). Specifically, for example, the second determination unit 904 updates the label table 500 according to the feedback information (step S1021). The first determination unit 903 also updates the action classification table 600 according to the feedback information (step S1022).

The learning unit 901 also executes additional learning processing (step S1013). Specifically, for example, the learning unit 901 selects additional learning data (step S1031) and executes ratio adjustment (step S1032). This suppresses the bias of the additional learning data. After adjusting the ratio, the learning unit 901 re-learns and updates the classifier 900 based on the additional learning data (step S1033). Thereby, when a log is newly acquired after that (step S1003), the prediction unit 902 can execute the action classification of the input alert group with the latest classifier 900.

<Example of output screen display of analyst terminal 140>
FIG. 11 is an explanatory diagram showing an output screen display example of the analyst terminal 140. The output screen 1100 displays the analysis alert list 1101. The analysis alert list includes an alert identifier 401, an occurrence date and time 1102, a sampling result 1103, and an analysis priority 1104. An entry for each list number in the analysis alert list 1101 defines a selection alert.

The occurrence date and time 1102 is the date and time when the selected alert specified by the alert identifier 401 occurred in the alert management apparatus 101. The sampling result 1103 is a character string indicating the background of sampling of the selected alert identified by the alert identifier 401 as the selected alert. The sampling result 1103 includes, for example, the behavior classification (label) 504 of the selected alert, the behavior classification (old label) 506, and the appearance probability of the label having the highest appearance frequency specified by the behavior classification (old label) 506. It is created by the first determination unit 903. For example, in the case of the sampling result 1103 of the selection alert with the list number “1”, the action classification (label) 504 includes “A”, and the action classification (old label) 506 includes the label “B” having the highest appearance frequency, The appearance probability of “B” is “0.7”.

The analysis priority 1104 is a character string indicating the priority when the security analyst 141 analyzes the selected alert specified by the alert identifier 401. The analysis priority 1104 uses, for example, the action category 601 of the selected alert, the attacker ratio for the alert corresponding to the action category 601, and the long-term attack part 703 for the corresponding action sequence 701. , The second determination unit 904.

For example, in the case of the analysis priority 1103 of the selected alert whose list number is “1”, the action classification 601 is “A” (“normal/abnormal” has not yet been given by the security analyst 141). In addition, the ratio of attackers to alerts corresponding to the action classification 601 is the total number of entries in the communication counterpart classification information 503, and the frequency of “A” of the action classification 601 is “H”, “M”, or “L”. It is a value obtained by dividing the number of entries corresponding to any one. Further, a part 703 of the long-term attack on the corresponding action sequence 701 is “Y”.

The security analyst 141 refers to the analysis alert list 1101 and selects a tab (not shown) different from the tab (labeling request alert) displaying the analysis alert list 1101 by operating the input device 303. The label of the alert is given, either normal or abnormal is given to the label of the selected alert, and a flag (Y or N) indicating whether it is a part 703 of the long-term attack is given. The added information becomes feedback information. Then, the analyst terminal 140 transmits the feedback information to the analysis device 103 (step S1011).

<Behavior classification prediction (step S1005)>
FIG. 12 is a flowchart showing a detailed processing procedure example of the action classification prediction (step S1005) shown in FIG. The action classification prediction (step S1005) is executed for each prediction target alert feature data that is an entry of the feature amount table 400, for example. The prediction unit 902 acquires prediction target alert characteristic data that is an entry in the characteristic amount table 400 (step S1201). The prediction unit 902 acquires the classifier 900 from the learning unit 901 (step S1202). The prediction unit 902 inputs the prediction target alert characteristic data to the classifier 900 (step S1203).

The prediction unit 902 inputs the prediction target alert characteristic data to the classifier 900 and classifies the behavior of the communication partner (step S1204). The prediction unit 902 acquires the label and the accuracy that are the classification results from the classifier 900 (step S1205). The prediction unit 902 stores the label and the probability 505 in the action classification (label) 504 and the probability 505 of the label table 500, respectively (step S1206). The label stored in the action classification (label) 504 before the storage is stored at the end of the action classification (old label) 506. As a result, the action classification prediction (step S1005) for the prediction target alert feature data ends.

<Abnormal behavior determination by communication partner (step S1007)>
FIG. 13 is a flowchart showing a detailed processing procedure example of the communication partner-specific abnormal behavior determination (step S1007) shown in FIG. The abnormal behavior determination for each communication partner (step S1007) is executed for each label data of the label table 500 to which the classification result is newly added in the behavior classification prediction (step S1005), for example.

The first determination unit 903 acquires label data from the label table 500 (step S1301). The first determination unit 903 identifies the action classification 601 corresponding to the alert acquired in step S1301 from the action classification table 600 (step S1302). The first determination unit 903 determines whether or not there is a value of the action classification 601 (step S1303).

For example, when the communication partner classification information 503 belonging to the acquired label data is “www.aaaa.bb” and the action classification (label) 504 is “A”, the communication partner classification information 503 in the action classification table 600 is “www.aaa.bb”. The entry “aaa.bb” has a value “L/abnormal” when the action classification 601 is “A”. On the other hand, when the communication partner classification information 503 belonging to the acquired alert is “123.45.6.7” and the action classification (label) 504 is “A”, the communication partner classification information 503 in the action classification table 600 is “123”. .45.6.7”, there is no value when the action classification 601 is “A” (blank).

When there is no value of the identified action classification 601 (step S1303: No), the first determination unit 903 adds the label data (which may be a pointer to the label data) acquired in step S1301 to the sampling candidate list 911 ( Step S1304). In this case, the first determination unit 903 newly registers the communication partner classification information 503 and the behavior classification (label) 504 in the behavior classification table 600. As a result, the abnormal behavior determination for each communication partner (step S1007) for the label data acquired in step S1301 ends.

When there is a value of the identified action classification 601 (step S1303: Yes), the first determination unit 903 determines whether the action attribute in the entry is “abnormal” (step S1305). At this time, the number of times of access n may be added once and the appearance frequency may be updated. When it is abnormal (step S1305: Yes), the first determination unit 903 transmits the label data acquired in step S1301 to the analyst terminal 140 via the communication unit 905 (step S1306). Instead of the label data, the alert feature data in which the label data and the alert identifier 401 and the total date/time 402 are the same may be transmitted. As a result, the abnormal behavior determination for each communication partner for the acquired label data (step S1007) ends.

On the other hand, if not abnormal (step S1305: No), the first determination unit 903 determines whether or not the frequency included in the value of the identified action classification 601 is “L” (step S1307). When the frequency is “L” (step S1304: Yes), the first determination unit 903 adds the label data (which may be a pointer to the label data) acquired in step S1301 to the sampling candidate list 911 (step S1304). ). As a result, the abnormal behavior determination for each communication partner for the acquired label data (step S1007) ends. On the other hand, when the frequency is not "L" (step S1307: No), the frequency is "M" or "H" higher than "L". Therefore, the abnormal behavior determination for each communication partner for the acquired label data (step S1007) ends.

<Abnormal Behavior Judgment by Behavior (Step S1009)>
FIG. 14 is a flowchart showing a detailed processing procedure example of the abnormal behavior determination for each behavior (step S1009) shown in FIG. The behavior-specific abnormal behavior determination (step S1009) is executed for each label data registered in the sampling candidate list 911 in the communication partner-specific abnormal behavior determination (step S1007), for example.

The second determination unit 904 acquires label data from the sampling candidate list 911 (step S1401). The second determination unit 904 generates an action sequence 701 from the action classification (label) 504 and the action classification (old label) 506 included in the label data acquired in step S1401 (step S1402).

The second determination unit 904 refers to the action sequence table 700 to identify the entry of the action sequence 701 generated in step S1402 (step S1403). If the entry is not specified (step S1404: No), that is, if the entry does not exist, the second determination unit 904 creates a new entry in the action sequence table 700, and the label data acquired in step S1401 is a sampling candidate. It is deleted from the list 911 (step S1405). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data ends.

On the other hand, when the entry of the action sequence 701 generated in step S1402 is identified (step S1404: Yes), the second determination unit 904 determines that part of the long-term attack 703 of the identified action sequence 701 entry is “Y”. Or not (step S1406). In the case of “Y” (step S1406: Yes), the second determination unit 904 updates the sampling 507 of the label data acquired in step S1401 to “Y” (step S1407). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data ends.

On the other hand, when a part of the long-term attack 703 of the entry of the identified action sequence 701 is not “Y” (step S1406: No), the second determination unit 904 determines that the frequency in the entry of the identified action sequence 701 is It is determined whether or not it is “L” (step S1408). When the frequency is “L” (step S1408: Yes), the process proceeds to step S1407. That is, even if the identified action sequence 701 is not part of the long-term attack 703, if the frequency is “L”, the action classification (label) 504 in the identified action sequence 701 becomes a sampling target.

On the other hand, if the frequency is not “L” (step S1408: No), the second determination unit 904 deletes the label data acquired in step S1401 from the sampling candidates (step S1409). As a result, the behavior-specific abnormal behavior determination (step S1009) for the acquired label data ends. Thereafter, when the abnormal behavior determination by communication partner (step S1007) is completed for all the label data registered in the sampling candidate list 911, the communication unit 905 determines that the label data group in the sampling candidate list 911 is used as the selection alert group. It is transmitted to the wrist terminal 140. As a result, as shown in FIG. 11, the analyst terminal 140 analyzes each alert in the sampling candidate list 911 and displays the analysis alert list 1101.

<Feedback processing (step S1012)>
FIG. 15 is a flowchart showing a detailed processing procedure example of the feedback processing (step S1012) shown in FIG. The feedback process (step S1012) is executed for each selected alert included in the feedback information. The analysis apparatus 103 acquires feedback information from the analyst terminal 140 (step S1501). The analysis device 103 determines whether or not there is label update for the selected alert in the feedback information (step S1502). If there is no label update (step S1502: No), the feedback process ends for the selected alert.

On the other hand, when there is a label update (step S1502: Yes), the analysis apparatus 103 causes the second determination unit 904 to include the action classification (label) 504 of the label data of the label table 500, which is the selection alert, in the feedback information. The same selected alert is updated to the changed label, and the label recorded in the action classification (label) 504 is stored at the end of the action classification (old label) 506 (step S1503).

Then, the analysis apparatus 103 updates the action classification table 600 by the first determination unit 903 (step S1504). Specifically, for example, when the communication partner classification information 503 of the selected alert does not exist in the action classification table 600, the analysis device 103 creates a new entry in the action classification table 600.

When the communication partner classification information 503 of the selected alert is in the behavior classification table 600, the analysis device 103 updates the frequency of the value of the behavior classification 601. If the behavior attribute (normal/abnormal) registered in the value of the behavior classification 601 is different from the behavior attribute (normal/abnormal) of the selected alert included in the feedback information, the analysis device 103 causes the behavior classification 601. The action attribute of the value of is updated to the action attribute (normal/abnormal) of the selected alert included in the feedback information.

The analysis apparatus 103 refers to the action sequence table 700 and determines whether or not the action sequence 701 obtained from the updated selected alert in step S1503 is a part of the long-term attack 703 (step S1505). When it is not part of the long-term attack 703 (step S1505: No), the feedback process ends for the selected alert.

On the other hand, when it is the long-term attack part 703 (step S1505: Yes), the analysis device 103 updates the long-term attack part 703 of the action sequence 701 of the action sequence table 700 to “Y”. Then, the feedback process ends for the selected alert.

<Additional learning process (step S1012)>
FIG. 16 is a flowchart showing a detailed processing procedure example of the additional learning processing (step S1013) shown in FIG. The additional learning process (step S1012) is executed at regular intervals. The fixed period may be a period from the date and time of the forecast target alert going back a predetermined period to the date and time of the forecast target alert, or may be a period from the preset scheduled date and time back to the predetermined period to the scheduled date and time. ..

In FIG. 16, as an example, the labels A to E are registered in the label table 500, and the number of label data for a certain period is 1000. Further, among the 1000 pieces of label data, the number of selection alerts in which the sampling 507 is “Y” and the additional learning completed 508 is “N” is 30. Of these 30 items, the value “A” of the action classification (label) 504 is 15, “B” is 10, “C” is 5, and “D” and “E” are 0.

The learning unit 901 acquires label data for a certain period (1000 pieces in this example) from the label table 500 (step S1601). The learning unit 901 acquires the selected alerts (30 in this example) whose sampling 507 is “Y” from the label data for a fixed period, updates the additional learned 508 to “Y”, and alerts for additional learning. It is added to the list 912 (step S1602).

The learning unit 901 aggregates the selected alerts in the additional learning alert list 912 for each action classification (label) 504 and calculates the ratio (step S1603). The ratio is the ratio occupied by the selected alert for each action classification (label) 504 of the selected alert. For example, there are 30 selected alerts. Among them, there are 15 selection alerts whose action classification (label) 504 is “A”. Therefore, the ratio of label A is 15/30=1/2. Similarly, the ratio of “B” in the behavior classification (label) 504 is 10/30=1/3, and the ratio of “C” in the behavior classification (label) 504 is 5/30=1/6. The ratio of the action classification (label) 504 to “D” and “E” is 0 because the number of selected alerts is 0.

The learning unit 901 determines whether or not all the action classifications (labels) 504 included in the alert for a certain period satisfy the following formula (1), that is, the absolute value of the value subtracted from the target ratio in step S1603 is less than or equal to the threshold value. It is determined whether or not (step S1604).

|Target ratio-Ratio |≦threshold value (1)

Here, the target ratio is the reciprocal of the number of types of the action classification (label) 504 of the selected alert. In this example, the number of types of the action classification (label) 504 of the selected alert is 5 from A to E, so the target ratio is ⅕. Further, the threshold value is 0.15. When there is at least one action classification (label) 504 that does not satisfy the formula (1) (step S1604: No), the process proceeds to step S1605. When all the labels satisfy the expression (1) (step S1604: Yes), the process proceeds to step S1608.

In the case of label A, the ratio is 1/2, so the left side of equation (1) is 0.30, which does not satisfy equation (1). In the case of label B, the ratio is 1/3, so the left side of equation (1) is 0.13, which satisfies equation (1). In the case of label C, the ratio is 1/6, so the left side of equation (1) is 0.03, which satisfies equation (1).

In the case of labels D and E, since the ratio is 0, the left side of Expression (1) is 0.20, which does not satisfy Expression (1). In this example, the process proceeds to step S1605.

In step S1605, the learning unit 901 selects one label that has exceeded the threshold in step S1604 (step S1605). For example, assume that A is selected from the labels A, D, and E that exceed the threshold. The selected label is called a "selected label".

The learning unit 901 selects one selection alert in which the action classification (label) 504 is the selected label and the sampling 507 is “N” from the label data for the certain period acquired in step S1601 (step S1606). That is, one piece is selected from 970 pieces of label data excluding 30 pieces of selection alerts for which the sampling 507 is “Y”, out of the 1000 pieces of label data for a certain period. The learning unit 901 adds the selected alert in step S1606 (which may be a pointer to the selected alert) to the additional learning alert list 912 (step S1607). Then, returning to step S1603, the ratio is recalculated, and it is determined whether or not all the labels included in the label data for a certain period satisfy the expression (1).

When all the action classifications (labels) 504 included in the label data for a certain period satisfy the expression (1), the ratios of the labels A to E become even compared to the beginning of the additional learning process (step S1013). It is approaching. At this point, the selected alert existing in the additional learning alert list 912 becomes the source of the additional learning data. Then, the learning unit 901 updates the additional learning completed 508 of the selected alert in the additional learning alert list 912 to “Y” (step S1608).

Then, the learning unit 901 acquires the alert identifier 401, the total date and time 402, and the action classification (label) 504 from the selected alerts in the additional learning alert list 912, and the alerts that match the acquired alert identifier 401 and total date and time 402. The characteristic data is acquired from the characteristic amount table 400, and additional learning data is generated. Then, the learning unit 901 gives the additional learning data to the classifier 900 to relearn (step S1609). As a result, the classifier 900 is updated, over-learning is suppressed, and deterioration of classification accuracy is suppressed.

(1) As described above, the analysis device 103 according to the present embodiment can access the label table 500, the action classification table 600, and the action sequence table 700. The label table 500 is information in which the action classification (old label) 506 executed on the monitoring target system 110 by the communication partner classification information 503 with the monitoring target system 110 is stored. The action classification table 600 is information in which the communication partner classification information 503 and the action classification 601 of the classified communication partner classification information 503 are associated with each other. The action sequence table 700 includes the action sequence 701, which is a time-series action of the communication partner classification information 503, and a long-term attack indicating whether the action sequence 701 is part of another action sequence longer than the action sequence 701. This is information in which the part 703 is associated with each other.

The processor 301 acquires the classification result of the action of the communication partner classification information 503 with the monitoring target system 110 within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target system 110 (step S1003). ..

The processor 301 determines whether or not the action classification table 600 has the specific communication partner classification information 503 with the monitored system 110 within the first predetermined period before the specific alert in the alert group is generated ( Step S1007).

When it is determined that the specific communication partner classification information 503 does not exist in the behavior classification table 600, the processor 301 determines the behavior classification result of the specific communication partner classification information 503 and the specific communication partner stored in the label table 500. Based on the action classification (old label) 506 of the classification information 503, a specific action sequence 701, which is a time-series action of the specific communication partner classification information 503, is generated, and a specific action sequence table 700 is used. It is determined whether the action sequence 701 is part of the long-term attack 703 (step S1009).

When it is determined that the specific action sequence 701 is part of the long-term attack 703, the processor 301 selects the action classification result of the specific communication partner classification information 503 (steps S1405, S1407, S1409).

The processor 301 outputs the action classification result of the selected specific communication partner classification information 503 (step S1010).

The action classification result of the selected specific communication partner classification information 503 is the first action for the communication partner, and is a part of a long-term attack in the past in the past behavior of the communication partner group including the communication partner. Because of this, it belongs to the alerts that are highly relevant to changes in tactics. Therefore, the analysis device 103 can automatically narrow down the alerts that are highly relevant to the change in the signature from the alert group. As described above, the security analyst 141 does not need to determine which alert has a high relevance to the change in the signature, and thus the burden on the security analyst 141 can be reduced.

(2) Further, in the analysis device 103 according to the present exemplary embodiment, when the processor 301 determines that the specific communication partner classification information 503 does not exist in the behavior classification table 600, the processor 301 determines the behavior of the specific communication partner classification information 503. Based on the classification result and the action classification (old label) 506 of the specific communication partner classification information 503 stored in the label table 500, a specific action sequence that is a time-series action of the specific communication partner classification information 503. 701 is generated, and the action sequence table 700 is used to determine whether or not the frequency 702 of the specific action sequence 701 is equal to or lower than a predetermined frequency (step S1408).

When it is determined that the frequency 702 of the specific action sequence 701 is less than or equal to the predetermined frequency, the processor 301 selects the action classification result of the specific communication partner classification information 503 (steps S1407 and S1409).

The processor 301 outputs the action classification result of the selected specific communication partner classification information 503 (step S1010).

Since the action classification result of the selected specific communication partner classification information 503 is a first-time action for the communication partner, and is a low-frequency action sequence in the past actions of the communication partner group including the communication partner. , Belongs to alerts that are highly relevant to tactic changes. Therefore, the analysis device 103 can automatically narrow down the alerts that are highly relevant to the change in the signature from the alert group. As described above, the security analyst 141 does not need to determine which alert has a high relevance to the change in the signature, and thus the burden on the security analyst 141 can be reduced.

(3) Further, in the analysis device 103 of (1) above, the behavior classification table 600 includes, in the behavior of the communication partner classification information 503, a behavior attribute indicating whether the behavior is a normal behavior or an abnormal behavior. , And the appearance frequency of the action of the communication partner classification information 503 are associated with each other.

When it is determined that the behavior attribute of the specific communication partner classification information 503 is normal and the appearance frequency of the behavior of the specific communication partner classification information 503 is equal to or lower than the predetermined frequency, the processor 301 determines that the specific behavior sequence 701. Is a part 703 of the long-term attack.

(4) In the analysis device 103 of (1), the action sequence table 700 is information in which the action sequence 701 is associated with the frequency 702 of the action sequence 701 and a part of the long-term attack 703. ..

When it is determined that the specific action sequence 701 is not part of the long-term attack 703, the processor 301 determines whether the frequency 702 of the specific action sequence 701 is equal to or lower than a predetermined frequency (step S1408).

When the frequency 702 of the specific action sequence 701 is determined to be equal to or lower than the predetermined frequency, the processor 301 selects the action classification result of the specific communication partner classification information 503.

The action classification result of the selected specific communication partner classification information 503 is a low frequency action for the communication partner, and a part of the long-term attack in the past in the past behavior of the communication partner group including the communication partner. Therefore, it belongs to an alert that has a high relevance to changes in tactics. Therefore, the analysis device 103 can automatically narrow down the alerts that are highly relevant to the change in the signature from the alert group. As described above, the security analyst 141 does not need to determine which alert has a high relevance to the change in the signature, and thus the burden on the security analyst 141 can be reduced.

(5) Further, in the analysis device 103 of (1) above, when the processor 301 determines that the specific communication partner classification information 503 does not exist in the action classification table 600, the processor 301 identifies the specific communication partner classification information 503 and And the action classification result of the communication partner classification information 503 are registered in the action classification table 600 in association with each other.

As a result, the action classification table 600 can be automatically updated, and the burden on the administrator (or the security analyst 141) of the analysis apparatus 103 can be reduced.

(6) Further, in the analysis device 103 of (1) above, the processor 301 registers the specific action sequence 701 in the action sequence table 700 when the specific action sequence 701 does not exist in the action sequence table 700.

As a result, the action sequence table 700 can be automatically updated, and the burden on the administrator (or the security analyst 141) of the analyzer 103 can be reduced.

(7) Further, in the analysis device 103 of (1) above, the processor 301 can access the feature amount table 400 that stores the feature amount indicating the behavior of the monitored system 110.

The processor 301 stores the communication partner classification information 503 based on the combination of the feature amount in the second predetermined period before the first predetermined period and the action classification result of the communication partner classification information 503 in the second predetermined period. The classifier 900 that predicts the action classification result is generated (step S1002).

The processor 301 acquires a characteristic amount indicating the behavior of the monitored system 110 within the first predetermined period from the characteristic amount table 400, and gives the acquired characteristic amount to the classifier 900, whereby the behavior of the communication partner classification information 503 is obtained. Get the classification result of.

(8) Further, in the analysis device 103 of (7) above, the processor 301 corresponds to the classification result of the action of the selected specific communication partner classification information 503, and corresponds to the classification result, and within the first predetermined period. The classifier 900 is relearned based on the feature amount indicating the behavior of the monitored system 110 in step S1013 (step S1013).

Thereby, the classification accuracy of the classifier 900 can be improved.

(9) Further, in the analysis device 103 of (8) above, the processor 301 aggregates the action classification results of the specific communication partner classification information 503 as additional target classification results by classification result, and compares the total result of the additional target classification results. A ratio indicating the number of classified results is calculated (step S1603).

The processor 301 determines whether the difference between each ratio and the predetermined target ratio is within the allowable range (step S1604).

When the difference between each ratio and the predetermined target ratio is within the allowable range (step S1604: Yes), the processor 301 corresponds to the additional target classification result and the additional target classification result, and within the first predetermined period. The classification result is relearned based on the feature amount indicating the behavior of the monitoring target system 110 in step S1609 (step S1609).

When the difference between any of the ratios and the predetermined target ratio is within the allowable range (step S1604: No), the processor 301 adds the action classification result of the specific communication partner classification information 503 that has not been selected. Each ratio is recalculated in addition to the classification result (steps S1605 to S1607, S1603).

Thereby, the division coefficient for each classification result is adjusted so that the addition target classification result is not concentrated on a specific classification result. Therefore, the analysis device 103 can deal with a cyber attack that changes its method over time while minimizing the number of inquiries to the security analyst 141 when re-learning the classifier 900 with the addition target classification result.

The present invention is not limited to the above-described embodiments, but includes various modifications and equivalent configurations within the spirit of the appended claims. For example, the above-described embodiments have been described in detail in order to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to those having all the configurations described. Further, part of the configuration of one embodiment may be replaced with the configuration of another embodiment. Further, the configuration of another embodiment may be added to the configuration of one embodiment. Further, with respect to a part of the configuration of each embodiment, another configuration may be added, deleted, or replaced.

Further, the above-described respective configurations, functions, processing units, processing means, etc. may be realized by hardware by designing a part or all of them with, for example, an integrated circuit, and the processor 301 realizes each function. It may be realized by software by interpreting and executing the realized program.

Information such as a program, a table, and a file for realizing each function is recorded in a memory, a hard disk, a storage device such as an SSD (Solid State Drive), or an IC (Integrated Circuit) card, an SD card, a DVD (Digital Versatile Disc). It can be stored on the medium.

Further, the control lines and information lines are shown to be necessary for explanation, and not all the control lines and information lines necessary for mounting are shown. In reality, it can be considered that almost all configurations are connected to each other.

101 Alert Management Device 102 Log Collection Device 103 Analysis Device 110 Monitoring Target System 120 Communication Terminal 131 Machine Learning Process 132 Alert Classification Process 133 Sampling Process 134 Communication Party Abnormal Behavior Judgment Process 135 Behavior Specific Abnormal Behavior Judgment Process 136 Feedback Process 137 Adjustment Process 140 Analyst terminal 141 Security analyst 201 External threat information database 300 Computer 301 Processor 302 Storage device 400 Feature amount table 401 Alert identifier 500 Label table 503 Communication partner classification information 600 Action classification table 700 Action sequence table 701 Action sequence 702 Frequency 703 Long term Part of attack 800 Ratio table 900 Classifier 901 Learning unit 902 Prediction unit 903 First determination unit 904 Second determination unit 911 Sampling candidate list 912 Alert list for additional learning

Claims (10)

An analysis apparatus comprising: a processor that executes a program; and a storage device that stores the program,
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores a past action history executed by the communication partner with the monitoring target on the monitoring target. The action classification information is information in which the communication partner is associated with the classified action group of the communication partner, and the action sequence information is a time-series action of the communication partner. An action sequence and information that associates the action sequence with included information indicating whether or not the action sequence is a part of another action sequence longer than the action sequence,
The processor is
An acquisition process of acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target;
A first determination process of determining whether or not a specific communication partner with the monitoring target within the first predetermined period before the occurrence of a specific alert in the alert group exists in the action classification information;
When it is determined by the first determination processing that the specific communication partner does not exist in the behavior classification information, the classification result of the behavior of the specific communication partner and the specific communication partner stored in the behavior history information. Based on the past action history of, a specific action sequence that is a time-series action of the specific communication partner is generated, and using the action sequence information, the specific action sequence is the other action sequence. Second determination processing for determining whether or not it is a part of
When it is determined by the second determination process that the specific action sequence is a part of the other action sequence, a selection process of selecting the action classification result of the specific communication partner,
An output process of outputting a classification result of the behavior of the specific communication partner selected by the selection process,
An analysis device, characterized in that An analysis apparatus comprising: a processor that executes a program; and a storage device that stores the program,
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores a past action history executed by the communication partner with the monitoring target on the monitoring target. The action classification information is information in which the communication partner is associated with the classified action group of the communication partner, and the action sequence information is a time-series action of the communication partner. It is information in which the action sequence and the appearance frequency of the action sequence are associated with each other,
The processor is
An acquisition process of acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target;
A first determination process of determining whether or not a specific communication partner with the monitoring target within the first predetermined period before the occurrence of a specific alert in the alert group exists in the action classification information;
When it is determined by the first determination processing that the specific communication partner does not exist in the behavior classification information, the classification result of the behavior of the specific communication partner and the specific communication partner stored in the behavior history information. Based on the past action history of, a specific action sequence that is a time-series action of the specific communication partner is generated, and using the action sequence information, the appearance frequency of the specific action sequence is a predetermined frequency. A second determination process for determining whether or not:
When the appearance frequency of the specific action sequence is determined to be equal to or lower than the predetermined frequency by the second determination process, a selection process of selecting an action classification result of the specific communication partner,
An output process of outputting a classification result of the behavior of the specific communication partner selected by the selection process,
An analysis device, characterized in that The analysis device according to claim 1, wherein
The action classification information is information in which an action attribute indicating whether the action is a normal action or an abnormal action and an appearance frequency of the action of the communication partner are associated with the action of the communication partner. And
In the second determination process, the processor determines that the action attribute of the specific communication partner is normal and the appearance frequency of the action of the specific communication partner is equal to or lower than a predetermined frequency by the first determination process. If determined, determine whether the particular behavior sequence is part of the other behavior sequence,
An analyzer characterized by the above. The analysis device according to claim 1, wherein
The action sequence information is information in which the action sequence, the appearance frequency of the action sequence, and the included information are associated with each other,
In the second determination process, the processor determines whether or not the appearance frequency of the specific action sequence is equal to or lower than a predetermined frequency when it is determined that the specific action sequence is not a part of the other action sequence. Judge,
In the selection process, the processor selects the action classification result of the specific communication partner when the appearance frequency of the specific action sequence is determined to be equal to or lower than the predetermined frequency by the second determination process,
An analyzer characterized by the above. The analysis device according to claim 1, wherein
In the first determination process, when it is determined that the specific communication partner does not exist in the behavior classification information, the processor determines the specific communication partner and the classification result of the behavior of the specific communication partner. Register in association with the action classification information,
An analyzer characterized by the above. The analysis device according to claim 1, wherein
In the second determination process, the processor registers the specific action sequence in the action sequence information when the specific action sequence does not exist in the action sequence information,
An analyzer characterized by the above. The analysis device according to claim 1, wherein
The processor is capable of accessing feature amount information that stores a feature amount indicating the behavior of the monitoring target,
The processor is
A classification result of the behavior of the communication partner based on a combination of the feature amount in the second predetermined period before the first predetermined period and a classification result of the behavior of the communication partner in the second predetermined period. Execute a learning process to generate a predictive classifier,
In the acquisition process, the processor acquires a feature amount indicating the behavior of the monitoring target within the first predetermined period from the feature amount information, and the acquired feature amount is used as a classifier generated by the learning process. By giving the classification result of the behavior of the communication partner,
An analyzer characterized by the above. The analysis device according to claim 7, wherein
In the learning process, the processor determines a classification result of the behavior of the specific communication partner selected by the selection process, and a behavior of the monitoring target corresponding to the classification result and within the first predetermined period. Re-learning the classifier based on the indicated feature amount,
An analyzer characterized by the above. The analysis device according to claim 8, wherein
In the learning process, the processor is
A calculation process of collecting the classification results of the behaviors of the specific communication partners by classification result as an addition target classification result, and calculating a ratio indicating the number of each classification result with respect to the total number of the addition target classification results,
A determination process of determining whether or not the difference between each of the ratios and a predetermined target ratio is within an allowable range,
When the difference between each of the ratios and the predetermined target ratio is within an allowable range, the additional target classification result corresponds to the additional target classification result, and the monitoring target of the monitoring target within the first predetermined period is A re-learning process for re-learning the classification result based on the feature amount indicating the behavior,
When the difference between any one of the ratios and the predetermined target ratio is within the allowable range, the action classification result of the specific communication partner not selected by the selection process is added to the addition target classification result. And a recalculation process for recalculating the respective ratios,
An analysis device, characterized in that An analysis method executed by an analysis device having a processor that executes a program and a storage device that stores the program,
The processor can access the action history information, the action classification information, and the action sequence information, and the action history information stores a past action history executed by the communication partner with the monitoring target on the monitoring target. The action classification information is information in which the communication partner is associated with the classified action group of the communication partner, and the action sequence information is a time-series action of the communication partner. An action sequence and information that associates the action sequence with included information indicating whether or not the action sequence is a part of another action sequence longer than the action sequence,
The processor is
An acquisition process of acquiring the classification result of the behavior of the communication partner with the monitoring target within the first predetermined period before the occurrence of each alert of the alert group generated in the monitoring target;
A first determination process of determining whether or not a specific communication partner with the monitoring target within the first predetermined period before the occurrence of a specific alert in the alert group exists in the action classification information;
When it is determined by the first determination processing that the specific communication partner does not exist in the behavior classification information, the classification result of the behavior of the specific communication partner and the specific communication partner stored in the behavior history information. Based on the past action history of, a specific action sequence that is a time-series action of the specific communication partner is generated, and using the action sequence information, the specific action sequence is the other action sequence. Second determination processing for determining whether or not it is a part of
When it is determined by the second determination process that the specific action sequence is a part of the other action sequence, a selection process of selecting the action classification result of the specific communication partner,
An output process of outputting a classification result of the behavior of the specific communication partner selected by the selection process,
An analysis method characterized by executing.

Images