JP2023031591A - Anomaly determination system, anomaly determination program, and anomaly determination method - Google Patents

Abstract

To reduce a false-positive rate while maintaining detection accuracy.SOLUTION: An anomaly determination system which determines an anomaly on a network from analysis target data includes: multiple pieces of detection means; filter processing means which executes filter processing based on filter condition data, on each of results detected by the detection means; feature quantity processing means which acquires feature quantity data from each of the results of the detection means; determination means which determines an anomaly on the network by supplying the feature quantity data to a discriminator equipped with a machine learned learning model; feedback receiving means which receives false-positive feedback for a determination result; and filter condition generation means which generates filter condition data to be set on the filter processing means in accordance with the contents of the false-positive feedback.SELECTED DRAWING: Figure 1

Description

The present invention relates to an anomaly determination system, an anomaly determination program, and an anomaly determination method, and can be applied, for example, to a system that analyzes logs of security devices and detects anomalies such as malware infection and information leakage.

In recent years, cyberattacks, which are increasing and evolving year by year, have become a social problem. Network devices such as proxies and firewalls have traditionally been effective against cyber-attacks, but in recent years, the number of attacks that cannot be prevented by the functions of network devices alone is increasing. Against such attacks, it is important to analyze the logs of network devices to prevent attacks from being overlooked. However, in a company with a large number of employees, the amount of network device logs is enormous, and it is very difficult to analyze them manually. An effective approach is to mechanically narrow down abnormal communication logs for such huge logs.

As one of the anomaly determination methods using log analysis, a method is conceivable in which the behavior and behavior of the attacking communication are used as a detection engine, and logs that match the characteristics are detected as anomalies. However, the characteristics of attacks vary widely depending on the purpose and method, and a single detection engine cannot cover all attacks. In addition, with a single detection engine, erroneous determinations of normal communications that have similar characteristics to attacks as abnormalities cannot be avoided. Therefore, by introducing multiple detection engines and comprehensively judging from the detection results of those multiple engines, adopting a method to detect only the communication that seems to be really abnormal, both the detection rate and the misjudgment rate are improved. can.

In order to comprehensively judge anomalies from the detection results of multiple detection engines, the detection results of each detection engine (for example, anomaly scores of 0 to 100 points) are used as feature quantities, and past abnormal communication logs and normal communication A method of performing machine learning using labeled logs as teacher data is conceivable. Machine learning narrows down abnormal communications by looking at correlations between detection engines, so it is expected to be able to detect abnormal communications from characteristics of attacks that are invisible to the human eye. In machine learning, parameters called hyperparameters are adjusted according to the purpose of reducing oversight of abnormal communication logs or reducing erroneous judgments. In cyberattack detection, it is important to prevent anomalies from being overlooked, so parameters are often set to increase the detection rate of anomalous communication logs during machine learning. In this case, an erroneous determination occurs because even a normal communication log that is close to the characteristic amount of an abnormal communication log is likely to be detected as abnormal. For erroneous judgments, the system user investigates whether the log in which an abnormality was detected is really abnormal, and when the result is an erroneous judgment, feedback is provided to the system, and the system labels the log with the erroneous judgment feedback as normal communication. It is expected that the misjudgment rate will be reduced by retraining the machine learning device. However, since the machine learner learns with an emphasis on anomalies, there are cases in which a single misjudgment feedback does not affect the anomaly detection accuracy of the machine learner. From the system user's point of view, it is desirable that logs that have once been fed back an erroneous judgment will not be detected again, or that the detection score will decrease if the anomaly detection result is displayed with a score indicating the degree of anomaly.

As a method of not presenting logs that have received incorrect judgment feedback to the user, for example, the communication destination FQDN (Fully Qualified Domain Name) of the incorrect judgment log is managed with a white list, and logs that match the conditions are filtered and not displayed to the user. I can think of a way. With this method, erroneous judgment logs do not appear as anomaly detection results. can occur. Also, if the number of false positive feedbacks increases, the false positive rate of false negative logs will decrease. can.

From the above, there is a demand for a method that does not detect anomalies in logs that are fed back erroneous judgments while maintaining anomaly detection accuracy.

As a conventional abnormality determination system, for example, the technology described in Patent Document 1 exists.

The technique described in Patent Literature 1 is a technique aimed at suppressing erroneous determinations and oversights when anomaly detection is performed by multilayering a plurality of anomaly detection means with different detection rules. Then, in the system described in Patent Document 1, a first abnormal communication detection system that blocks communication that matches the rule based on the abnormal communication identification rule, and a normal communication identification rule (determination device that learns the normal state) A second abnormal communication detection system that blocks communication that does not match the rules based on Further, in the system described in Patent Literature 1, for a communication erroneously determined (normal but identified as abnormal by the first abnormality determination system), the abnormality identification rule that identified the communication as abnormal is deleted. Furthermore, in Patent Literature 1, an abnormality identification rule is provided so that the first abnormality determination system identifies an overlooked communication (the correct answer is abnormal, but the second abnormality determination system identifies the communication as normal) as an abnormality. Add As a result, the system described in Patent Literature 1 can suppress both erroneous determinations and oversights.

Japanese Patent Application Laid-Open No. 2019-4260

However, since the first abnormality determination system described in Patent Document 1 performs abnormality detection based on rules, it is easy to determine which rule is the cause of an erroneous determination when an erroneous determination is made. In a system that uses machine learning to comprehensively detect anomalies using multiple target anomaly detection engines, it is difficult to identify the rules of the detection engines that contributed to the detection from the detection results using conventional technology. In addition, in the second abnormality determination system described in Patent Document 1, it is assumed that normal patterns are learned by machine learning and abnormality detection is performed. Compared to the method of learning an abnormal communication pattern, there is a problem that there is generally a large number of erroneous judgments while there is no need to prepare an abnormal communication pattern. Therefore, in Patent Document 1, it is considered necessary to suppress erroneous determination in the second abnormality determination system.

In view of the above problems, an abnormality determination system, an abnormality determination program, and an abnormality determination method capable of reducing the erroneous determination rate while maintaining the detection accuracy are desired.

A first aspect of the present invention provides an anomaly determination system for determining an anomaly on a network from analysis target data collected from one or a plurality of network devices arranged on the network. A plurality of detection means for detecting and filter condition data describing filter conditions for each of the detection means are held, and the detection results of each of the detection means are filtered based on the filter condition data, and each of the Filter processing means for outputting the detection result after the filter processing for the detection means, and feature amount processing means for acquiring feature amount data suitable for machine learning based on the detection results of the respective detection means output by the filter processing means. and determining means for determining an abnormality on the network by supplying the feature amount data to a determining device equipped with a learning model machine-learned based on teacher data, and indicating that the determination result by the determining means is an erroneous determination. and a filter condition generation means for generating the filter condition data to be set in the filter processing means according to the content of the erroneous judgment feedback received by the feedback reception means. .

According to the abnormality determination program of the second aspect of the present invention, different computers constituting an abnormality determination system for determining an abnormality on the network from analysis target data collected from one or a plurality of network devices arranged on the network. a plurality of detection means for detecting anomalies from the data to be analyzed from a viewpoint, and filter condition data describing filter conditions for each of the detection means are held; filtering means for performing filtering and outputting detection results after the filtering for each of the detecting means; and feature amounts suitable for machine learning based on the detection results of the respective detecting means output by the filtering means. feature amount processing means for acquiring data; determination means for determining abnormality on the network by supplying the feature amount data to a determination device having a learning model machine-learned based on teacher data; and determination by the determination means. feedback receiving means for receiving erroneous determination feedback indicating that a result is an erroneous determination; and filter condition generating means for generating the filter condition data to be set in the filtering means according to the content of the erroneous determination feedback received by the feedback receiving means. It is characterized by functioning as

A third aspect of the present invention provides an abnormality determination method performed by an abnormality determination system that determines an abnormality on the network from analysis target data collected from one or more network devices arranged on the network, wherein the abnormality determination system , a plurality of detection means, filtering means, feature amount processing means, determination means, feedback reception means, and filter condition generation means, and each of the detection means detects an abnormality from the analysis target data from a different point of view. , the filter processing means holds filter condition data describing filter conditions for each of the detection means, performs filter processing on the detection results of each of the detection means based on the filter condition data, and performs filter processing for each of the detection means The feature amount processing means acquires feature amount data suitable for machine learning based on the detection results of the respective detection means output by the filtering means, and the determination The means supplies the feature amount data to a determiner equipped with a learning model machine-learned based on teacher data to determine an abnormality on the network, and the feedback receiving means determines whether the determination result by the determination means is an erroneous determination. and the filter condition generating means generates the filter condition data to be set in the filtering means according to the content of the erroneous determination feedback received by the feedback receiving means. .

Advantageous Effects of Invention According to the present invention, it is possible to provide an abnormality determination system that reduces an erroneous determination rate while maintaining detection accuracy.

1 is a block diagram showing the overall configuration of an abnormality determination system according to a first embodiment; FIG. 4 is a diagram showing a configuration example of feature amount data according to the first embodiment; FIG. FIG. 7 is a diagram showing a configuration example of a determination result display screen according to the first embodiment; 4 is a diagram showing a configuration example of filter condition generation definition information according to the first embodiment; FIG. 4 is a flowchart showing operations of a detection processing unit according to the first embodiment; 7 is a flowchart showing an example of operations of a feature quantity processing unit, a determination unit (determiner), and a determiner creation unit according to the first embodiment; 8 is a flowchart showing an example of operations of a determination result processing unit and a filter condition generation unit according to the first embodiment; FIG. 11 is a diagram showing a configuration example (part 1) of a determination result display screen displayed by a determination result processing unit according to the second embodiment; FIG. 11 is a diagram showing a configuration example (No. 2) of a determination result display screen displayed by a determination result processing unit according to the second embodiment; FIG. 11 is a diagram showing a configuration example of filter condition generation definition information according to the second embodiment; 9 is a flow chart showing operations of a determination result processing unit and a filter condition generation unit according to the second embodiment; It is the figure which showed about the determination result display screen based on the modification example of 1st Embodiment.

(A) First Embodiment Hereinafter, a first embodiment of an abnormality determination system, an abnormality determination program, and an abnormality determination method according to the present invention will be described in detail with reference to the drawings.

(A-1) Configuration of First Embodiment FIG. 1 is a block diagram showing the overall configuration of an abnormality determination system 1 of this embodiment. Note that the symbols in parentheses in FIG. 1 are symbols used only in the second embodiment, which will be described later.

The abnormality determination system 1 acquires analysis target data (for example, log information of network devices arranged on the network NE; hereinafter also referred to as “analysis target data”) from a network NE that is a detection target, and acquires the acquired analysis target. Based on the data, a process of detecting an abnormality on the network NE (hereinafter referred to as "anomaly detection process") is performed. Here, the abnormality determination system 1 acquires various log information generated on one or a plurality of network devices (for example, proxy servers, firewalls, routers, L4 switches, etc.) placed on the network NE as data to be analyzed. and perform anomaly detection processing based on the acquired log information.

The contents and format of the log information are not limited. In the example of this embodiment, to simplify the explanation, the log information is assumed to be a communication log in a proxy server (not shown) on the network NE. The proxy server in the example of this embodiment relays communication from a communication source client terminal (not shown) to a communication destination (for example, a site on the Internet specified by a predetermined URL) for each communication (for example, communication session) is output as log information.

The log information output by such a proxy server for each communication includes, for example, the FQDN for specifying the host of the communication destination in the communication (hereinafter referred to as "communication destination FQDN"), the data transmitted in the communication amount (hereinafter referred to as "transmission byte count"), a path portion (hereinafter referred to as "URL path") obtained by excluding the FQDN from the URL used at the communication source in the communication, and the like. For example, if the entire URL is "xxx.yyy.jp/a.exe", the "xxx.yyy.jp" part is the communication destination FQDN and the "/a.exe" part is the URL path. In the following description, it is assumed that one piece of log information includes information about one communication (for example, communication from the start to the end of one communication session). The anomaly determination system 1 will be described as a system that detects an anomaly such as a malware infection of a communication source or information leakage based on log information such as an anomaly.

Hereinafter, each item (for example, the above-mentioned "communication destination FQDN", "URL path", "transmission byte count", etc.) constituting the log information is also referred to as a "field".

Next, the internal configuration of the abnormality determination system 1 will be described.

The abnormality determination system 1 has a detection processing unit 10 , a feature amount processing unit 20 , a determination unit 30 , a determination result processing unit 40 , a filter condition generation unit 50 , a determination device generation unit 60 and a control unit 70 . Note that the detection processing unit 10 has a detection engine unit 11 and a filter processing unit 12 .

The abnormality determination system 1 may be constructed by, for example, installing a program (an abnormality determination program according to the embodiment) in a computer, and can be functionally shown as shown in FIG.

The detection engine unit 11 has N (N is an integer equal to or greater than 1) detection engines 111 (111-1 to 111-N). The filtering unit 12 also has N pieces of filter condition data D2 (D2-1 to D2-N). Furthermore, the determination unit 30 has a determination device 31 . Furthermore, the filter condition generator 50 holds filter condition generation definition information 51 .

The detection engine unit 11 manages N detection engines 111 (111-1 to 111-N) that detect anomalies from one viewpoint (different viewpoints) from log information. Each detection engine 111 detects an abnormality in the log information with respect to a predetermined viewpoint, and outputs the detection result. The detection results of the detection engines 111-1 to 111-N are hereinafter referred to as detection results D1-1 to D1-N, respectively.

In this embodiment, it is assumed that each detection engine 111 is given a detection engine name as an identifier. An identifier for each detection engine 111 may be an ID number or a predetermined character string. In this embodiment, it is assumed that each detection engine 111 has a character string (title character string) indicating a criterion (detection method) for the detection engine 111 to detect log information.

In this embodiment, the detection engine name of the detection engine 111-1 is "URL path is suspicious", the detection engine name of the detection engine 111-2 is "executable file download", and the detection engine name of the detection engine 111-3 is be "large upload size".

"URL path is suspicious" means, for example, the detection of a directory structure pattern used by a malicious site. Also, "executable file download" means detection that an executable file (for example, a file with an executable file extension) has been downloaded. A file with an executable format extension is, for example, a file with an executable format extension such as "exe" or "docx" after being downloaded on a computer or on a corresponding application. shall indicate Furthermore, "large upload size" means that the amount of data uploaded from the communication source (client) to the Internet side (data size uploaded in one communication session) is large (for example, whether it is larger than a predetermined size). shall mean the detection of

The filter processing unit 12 generates filter condition data D2 (D2-1 to D2 -N). Then, the filter processing unit 12 filters the detection results D1 (D1-1 to D1-N) based on the filter condition data D2 (D2-1 to D2-N). A completed detection result D3 (D3-1 to D3-N) is output. For example, the filter processing unit 12 performs filtering based on the filter condition data D2-i on the detection result D1-i of the detection engine 111-i (where i is an integer from 1 to N). A processed detection result D3-i is obtained. Details of the filter processing unit 12 will be described later.

The feature amount processing unit 20 uses the detection results (filter condition data D2-1 to D2-N) by the detection engine unit 11 to generate data representing feature amounts applicable to machine learning processing (hereinafter referred to as "feature amount data"). ) is generated. The format of the feature amount data (for example, vector format, number of dimensions, etc.) is not limited. Here, it is assumed that the feature amount data represents, for example, the detection result of each detection engine 111 as one feature amount. For example, when each detection engine 111 outputs a detection result with a numerical score of 0 to 100 points, the feature amount data may be numerical scores arranged for each detection engine as shown in FIG.

FIG. 2 is a diagram showing a configuration example of feature amount data.

In this embodiment, as shown in FIG. 2, feature amount data is N-dimensional vector data (vector data composed of N parameters). In the following, in the feature amount data, the parameters (parameters constituting the feature amount data) corresponding to the filtered detection results D3-1 to D3-N (detection engines 111-1 to 111-N) are respectively defined as "X1, XN, . . . , XN”. Then, the feature amount data V can be represented by the following equation (1).
V={X1, X2, . . . , XN} (1)

In the following explanation, X1 to XN are parameters representing the degrees of abnormality respectively with numerical values from 0 to 100 (the larger the numerical value, the greater the degree of abnormality). In the example of this embodiment, the detection engines 111-1 to 111-N each output a numerical value of 0 to 100 indicating the degree of abnormality as the detection result, and the filter processing unit 12 performs filtering according to the filter conditions (for example, filter It is assumed that processing such as changing the parameter corresponding to the condition to 0) is performed. In the following description, detection results D1-1 to D1-N (detection results before being filtered by the filtering unit 12) are denoted by Y1 to YN, respectively.

In FIG. 2, one line indicates one feature amount data V (X1, X2, . . . XN). In FIG. 2, each row is given an index (1, 2, 3, . . . ) indicating a time series. In FIG. 2, the index is an identifier associated with an analysis target (log information). In this embodiment, in order to simplify the explanation, it is assumed that the above index (index number) is used as an identifier for managing the analysis target (log information), the feature amount data, and the determination result in association with each other. , other identifiers (eg, other identifiers such as timestamps) may be used.

The determination unit 30 performs comprehensive abnormality determination processing on the feature amount data V supplied from the feature amount processing unit 20 .

Hereinafter, the abnormality determination processing by the determination unit 30 is simply referred to as “determination processing” or “abnormality determination processing”, and the result of the abnormality determination processing by the determination unit 30 is simply “determination result” or “abnormality determination result”. shall be called

The format of the determination result output by the determination unit 30 is not limited. In the example of this embodiment, the determination unit 30, for example, determines normality or abnormality (abnormality or absence of abnormality) as a binary value (for example, either 0 representing normality or 1 representing abnormality). The represented data may be output, or a numerical score (for example, any value from 0 to 100) representing the degree of abnormality may be output. In this embodiment, the determination unit 30 will be described as outputting a value between 0 and 100 representing the degree of abnormality as a determination result (the larger the value, the higher the degree of abnormality).

In this embodiment, the determination unit 30 uses the determiner 31 to perform determination processing. The determination unit 30 outputs a result obtained by inputting the determination device 31 as a determination result. The decision device 31 is based on data (hereinafter referred to as a "teacher data set") including feature data as teacher data and teacher labels (correct data) corresponding to the teacher data (feature data). A determination process is performed using the learning model acquired by the learning process. In this embodiment, the determiner 31 performs learning processing under the control of the determiner generator 60 and acquires a learning model.

When a plurality of teacher data sets are supplied, the determiner 31 performs learning processing based on the supplied teacher data sets to obtain a learning model. Also, when only is supplied, the determiner 31 performs determination processing for using the acquired learning model. The machine learning device applied to the determination device 31 is not limited, but for example, SVM (Support Vector Machine), Random Forest, etc. can be applied.

Although the method of acquiring the teacher label in the teacher data set is not limited, for example, the abnormal teacher label may be applied to the feature data of the log information related to the attack communication that actually occurred in the past. Further, for example, the feature quantity data corresponding to the log information for which the judgment results (Y1, Y2, . (for example, a numerical score judgment result of 0)) may be applied.

The determination result processing section 40 outputs the determination result supplied from the determination section 30 . In addition, the determination result processing unit 40 also performs a process of receiving feedback information input from the operator OP with respect to the output determination result. The means for outputting the determination result and the output data format by the determination result processing unit 40 are not limited. For example, the determination result processing section 40 may output the determination result to another device through communication, or may record the determination result on a predetermined data recording medium. In addition, the determination result processing unit 40 may add data related to the determination result (hereinafter referred to as “related data”) and output the determination result. The related data may include information related to the determination result, such as log information corresponding to the determination result. In this embodiment, the determination result processing unit 40 supplies (transmits by communication) the determination result together with related data to the monitoring terminal TE used by the operator OP.

The configuration of the screen (for example, an operation screen such as a web page; hereinafter referred to as a "determination result display screen") when the determination result processing unit 40 presents the determination result to the monitoring terminal TE is not limited. For example, for each piece of log information determined to be abnormal, a numerical score representing the determination result and detection results (X1 to XN) of each detection engine 111 may be displayed.

FIG. 3 is a diagram showing a configuration example of a determination result display screen.

On the determination result display screen shown in FIG. 3, the index, determination result (numerical score), and detection results (X1 to XN) of each detection engine 111 are displayed in a table format for each piece of log information. In the determination result display screen shown in FIG. 3, one line displays information about one piece of log information.

The log information is composed of information of a plurality of items (these items are hereinafter referred to as "fields").

In addition, the determination result processing unit 40 receives an erroneous determination result from the operator OP (for example, log information determined to be an erroneous determination by the operator OP among the log information determined to be abnormal; hereinafter referred to as an “erroneous determination result”). ) (hereafter referred to as “erroneous judgment feedback”). Note that the log information specified in the erroneous determination feedback is hereinafter referred to as an "erroneous determination log".

In the determination result processing section 40, the method of receiving the erroneous determination result is not limited. For example, the determination result processing unit 40 accepts an operation of specifying erroneous determination log information (log information determined to be erroneous by the operator OP among log information determined to be abnormal) from the operator OP on the determination result display screen. may be made possible. For example, on the determination result display screen, log information corresponding to a row selected by a selection operation (for example, a click operation using a mouse or a selection operation using a pointing device) may be accepted as an erroneous determination log. For example, in the determination result display screen shown in FIG. 3, when a selection operation is performed on a line of log information with an index of 1 (area A101 surrounded by a dashed line), the determination result processing unit 40 erroneously determines the log information. It may be accepted as a log. Similarly, when a row of log information with an index of 2 (area A102 surrounded by a dashed line) is selected, the determination result processing unit 40 may accept the log information as an erroneous determination log.

The determiner creation unit 60 controls learning processing by the determiner 31 . The determiner creation unit 60 accumulates a teacher data set, supplies the accumulated teacher data set to the determiner 31 to execute learning processing (machine learning processing), and holds a learning model necessary for determination in the determiner 31. Let The teacher data set held by the determiner creation unit 60 may be a teacher data set based on a teacher label (feedback on the determination result output by the abnormality determination system 1) given by the operator OP (monitoring terminal TE). , a log created artificially by a user or a designer (for example, a log that can occur in a specific type of network device within a certain period of time). Specifically, for example, the determiner creation unit 60 converts feature amount data based on log information of past actual offensive communications (for example, log information processed by the abnormality determination system 1 in the past) into teacher data. Then, a teacher data set is held in which a teacher label (correct label) of a judgment result indicating an abnormality (for example, a value fed back by an operator or a predetermined value indicating an abnormality) is assigned to the teacher data. may In addition, for example, the determiner creation unit 60 generates feature amount data of log information of normal communication that actually occurred in the past (for example, log information in which parameters are equal to or less than a certain value in any detection engine 111). is used as teacher data, and a teacher data set with a teacher label (correct label) of a judgment result indicating normality (for example, a value fed back by an operator or a predetermined value indicating normality) is attached to the teacher data. You may make it

The timing at which the teacher data set is supplied to the determiner generator 60 is also not limited. For example, the determination result processing unit 40 may receive the training data set manually by the operator OP (monitoring terminal TE), or the determination result processing unit 40 may receive the training data set based on the operation of the operator OP (monitoring terminal TE). It is also possible to receive and accumulate such feedback (a teacher label for the determination result and a teacher data set including feature amount data corresponding to the teacher label).

Also, the timing at which the determiner creating unit 60 causes the determiner 31 to perform learning processing is not limited. For example, the determiner creation unit 60 may cause the determiner 31 to perform the learning process only when the abnormality determination system 1 starts operating, or may cause the determiner 31 to perform the learning process at regular or irregular intervals. You may do so. For example, the determiner creation unit 60 may cause the determiner 31 to perform the learning process at the timing when a certain amount of accumulated learning data sets is added.

Next, a detailed configuration of the filter condition generator 50 will be described.

The filter condition generation unit 50 selects the detection engine 111 that contributed to the erroneous judgment based on the log information fed back to the erroneous judgment and the information related to the log information (the detection result of each detection engine 111, the numerical score of the judgment result, etc.). A process (filter condition generation process) for generating filter condition data D2 to be applied to the detection result of is performed.

The filter condition generation unit 50 first determines which detection engine 111 has detected an abnormality in the log information based on the feature amount data of the log information fed back as an erroneous determination. Next, the filter condition generation unit 50 acquires the entry of the detection engine 111 from the filter condition generation definition information 51, acquires the field value of the log from the field name described in the field column, and describes it in the value condition column. Create a filter condition with a conditional expression in . The filter condition generating unit 50 requests the detection engine 111 unit to add the generated filter condition to the corresponding filter condition list of the detection engine 111 . The filter condition generation unit 50 generates feature amount data corresponding to log information designated as an erroneous determination log (for example, log information selected as an erroneous determination log on the determination result display screen; hereinafter referred to as "designated log information"). , generates a filter condition for excluding the detection result of the detection engine 111 that detected the specified log information as abnormal (for example, changing it to a value corresponding to the detection result that it is not abnormal), and generates a filter condition for the detection engine 111 is reflected in the filter condition data D2 corresponding to .

FIG. 4 is a diagram showing a configuration example of the filter condition generation definition information 51. As shown in FIG.

As shown in FIG. 4, in the filter condition generation definition information 51, one entry (information defining conditions for generating a filter) is described in one line. As shown in FIG. 4, in the filter condition generation definition information 51, for each entry, a "detection engine name" for identifying the detection engine 111, a "field name" indicating an item to be inspected by the detection engine in the log information, and "Value condition" information is registered. In this specification, the filter condition generation definition information 51 is shown in a tabular form as shown in FIG. 4 to simplify the explanation, but the format of the filter condition generation definition information 51 is not limited. For example, the filter condition generation definition information 51 may have a format in which filter condition generation rules are set by JSON (Javascript Object Notation), XML (eXtensible Markup Language), or the like.

The "value condition" item indicates an extraction condition to be applied to the field name item. For example, if the item specified by the field name is in character string format (e.g., path, communication destination FQDN, file extension, etc.), the specified log information and field name items are "Match" is set to indicate that matching log information is to be extracted. Also, for example, if the item specified by the field name is in a numerical format (e.g., the number of bytes sent, etc.), the value condition is to extract log information that is less than or equal to the value of the item of the field name of the specified log information. or "greater than or equal to" indicating that the log information equal to or greater than the value of the field name item of the specified log information is to be extracted.

In FIG. 1, the detection engine names of the entries on the 1st to 3rd lines are "URL path is suspicious", "executable file download", and "upload size is large", respectively.

The filter processing unit 12 searches the detection engine 111 that generates the filter condition from the detection engine name column of the filter condition generation definition information 51, acquires the value of the field of the misjudgment log from the field name column, and sets the value condition. This is done by applying the conditional expression described in the column.

In this case, the entry in the first row has the detection engine name "URL path is suspect", the field name "URL path", and the value condition "match". In this case, in the entry on the first line, for the detection engine 111 (in this case, the detection engine 111-1) "the URL path is suspicious", log information that matches the value of the URL path field of the misjudgment log indicates that a filter condition is generated to filter the .

In the entry on the second line, the detection engine name is "executable file download", two field names, "communication destination FQDN" and "path file extension" are set, and the value condition is "match". It has become. In this case, the entry in the second line indicates that a filter condition will be generated to filter the false positive logs with matching values in both the Destination FQDN and Path File Extension fields. there is

Furthermore, the entry in the third line has the detection engine name "large upload size", the field name "number of bytes sent", and the value condition "less than or equal to". In this case, the entry on the third line means that a filter condition for filtering log information equal to or less than the value of the number of bytes sent field of the erroneous determination log is generated.

As described above, in the abnormality determination system 1, the detection results of the plurality of detection engines 111 are collected as feature amount data, and the determination unit 30 (determiner 31) that learns the abnormality pattern comprehensively determines whether or not there is an abnormality. judge and output. Then, the abnormality determination system 1 generates a filter condition for processing not to detect an erroneous determination log (for example, processing for changing the abnormality detection result to normal) for the detection engine 111 that contributed to the abnormality detection at the time of the erroneous determination feedback. provide a mechanism to Specifically, in the abnormality determination system 1, the filter condition generation unit 50 generates filter condition generation definition information 51 describing what kind of filter condition each detection engine 111 should generate for the erroneous determination log. When there is erroneous determination feedback, the filter condition generation definition information 51 is referenced to generate filter conditions (filter condition data D2) for each detection engine 111 .

(A-2) Operation of First Embodiment Next, the operation (abnormality determination method according to the embodiment) of the abnormality determination system 1 of the first embodiment having the configuration as described above will be described.

First, details of the operation of the detection processing unit 10 will be described with reference to FIG.

FIG. 5 is a flow chart showing the operation of the detection processing unit 10. As shown in FIG.

The detection processing unit 10 performs the processing of the flowchart of FIG. 5 at the timing according to the control of the control unit 70 .

In the detection processing unit 10, when log information to be analyzed is supplied (S101), detection processing is performed on the log information by the detection engines 111 (111-1 to 111-N) of the detection engine unit 11, and detection results are obtained. D1 (D1-1 to D1-N) is acquired (S102).

Each detection engine 111 (111-1 to 111-N) outputs log information judged to be abnormal from the viewpoint of respective abnormality detection and its numerical score. Here, in each detection engine 111, the viewpoint of anomaly detection is not limited. is abnormally large”. A detailed description of the detailed configuration of each detection engine 111 is omitted because conventional technology can be applied.

The detection results D1-1 to D1-N are subjected to filter conditions based on the filter condition data D2-1 to D2-N in the filter processing unit 12, respectively, and are filtered when they match the filter conditions (S103). .

The filter processing unit 12 applies filter conditions to the detection results D1-1 to D1-N, and obtains filtered detection results D3-1 to D3-N as a result of filtering as necessary. Note that if the log information does not match the filter conditions, the detection results D1-1 to D1-N are not particularly filtered. N has the same content.

When the filtering process for all the detection engines 111 is completed and the acquisition of the filtered detection results D3-1 to D3-N is completed (S104), the detection processing unit 10 acquires the acquired filtered detection result D3-1. ˜D3-N are output (supplied to the feature amount processing unit 20). At this time, the detection processing unit 10 adds log information or the like to be analyzed to the filtered detection results D3-1 to D3-N, and supplies them to the feature amount processing unit 20. FIG.

Next, details of operations of the feature amount processing unit 20, the determination unit 30 (determination device 31), and the determination device creation unit 60 will be described with reference to FIG.

FIG. 6 is a flow chart showing an example of operations of the feature amount processing unit 20, the determination unit 30 (determination unit 31), and the determination unit creation unit 60. FIG.

The feature amount processing unit 20, the determining unit 30 (determining device 31), and the determining device creating unit 60 perform the processing according to the flowchart of FIG. process. The control timing of the learning process or the determination process in the control unit 70 is not limited. For example, the control unit 70 may determine that the learning process is to be performed periodically (for example, once a day) by scheduling, or if there is an erroneous determination feedback from the operator OP (monitoring terminal TE). It may be determined that the learning process is to be performed at this timing. Further, for example, the control unit 70 may determine that the output of the detection results (filtered detection results D3-1 to D3-N) from the detection processing unit 10 triggers the determination process, If feature data is a collection of detection results (filtered detection results D3-1 to D3-N) for a certain period for each source IP address, the detection results for the required period are accumulated (for example, judgment At the timing when the detection results are stored in the unit 30 or the control unit 70, it may be determined that the determination process is to be performed on the stored detection results.

When the filtered detection results D3-1 to D3-N are supplied, the feature amount processing unit 20 generates feature amount data based on the filtered detection results D3-1 to D3-N, and the determining unit 30 (S201).

Here, the determination unit 30 (determiner 31) determines whether or not to execute the learning process according to the control of the control unit 70 (S202). When executing the determination process, the process proceeds to step S205, which will be described later.

When executing the learning process, the determination unit 30 holds the accumulated teacher data set (S203), causes the determiner 31 to execute the machine learning process using the held teacher data set, and acquires a new learning model. (S204).

When executing the determination process, the determination unit 30 sets the supplied feature amount data in the determination unit 31 to perform the determination process, and supplies the determination result to the determination result processing unit 40 (S205).

Next, details of operations of the determination result processing unit 40 and the filter condition generation unit 50 will be described with reference to FIG.

FIG. 7 is a flow chart showing an example of operations of the determination result processing unit 40 and the filter condition generation unit 50. As shown in FIG.

The determination result processing unit 40 presents the determination result supplied from the determination unit 30 (determiner 31) as a determination result display screen to the monitoring terminal TE used by the operator OP (S301).

Then, the determination result processing unit 40 causes the monitoring terminal TE used by the operator OP to display a determination result display screen including the information of the determination result, and receives feedback of the erroneous determination log (an operation of designating the erroneous determination log) from the operator OP. (S302). At this time, the determination result processing unit 40 outputs (displays on the determination result display screen) only the abnormal determination result (for example, the determination result that the numerical value of the determination result is a constant value abnormality). At this time, the control unit 70 transmits related data such as an erroneous determination log related to the erroneous determination feedback (for example, feature amount data corresponding to the erroneous determination log) from the determination result processing unit 40 to the filter condition generation unit 50. , and requests the filter condition generator 50 to generate a filter condition.

As for means for the judgment result processing unit 40 to notify the operator OP of the judgment result and receive the erroneous judgment feedback (designation of erroneous judgment log, etc.), presentation of the judgment result display screen as described above (for example, using a web page). It is not limited to presenting an operation screen that has been used), and erroneous determination feedback may be received from the operator OP by sending/receiving mail or sending/receiving various messages. The operator OP investigates whether or not the log information determined to be abnormal is actually caused by the abnormality, and if it is determined that the result is an erroneous determination, the log information is sent to the determination result processing unit 40 as an erroneous determination log. Judgment feedback can be provided.

For example, in the determination result display screen as shown in FIG. : 1) is obtained as the information of the erroneous determination feedback.

Next, when receiving the false determination log, the filter condition generation unit 50 filters based on the feature amount data (X1, X2, . . . , XN) corresponding to the false determination log fed back as the false determination log. An entry (detection engine 111) for which a condition is to be generated is selected (S303).

For example, the filter condition generation unit 50 determines that the detection engine 111 having a detection result value greater than 0 in the feature amount data corresponding to the erroneous determination log is detected as being abnormal, and the filter condition is generated. The entry may be selected as the detection engine 111 that is different.

For example, log information and feature amount data (X1 to XN) corresponding to the first row of the judgment result (index: 1 judgment result) on the judgment result display screen shown in FIG. 3 are acquired as incorrect judgment feedback information. Assume the case. In this case, if X1=60 and X2 to XN are all 0 in the feature amount data corresponding to the erroneous determination log, only the detection result of the detection engine 111-1 related to X1 indicates an abnormality, and the others are normal. It can be judged that the In this case, the filter condition generator 50 selects the entry corresponding to the detection engine 111-1 as the entry (detection engine 111) for which the filter condition is to be generated. Here, it is assumed that the entry corresponding to the detection engine 111-1 is the entry (detection engine name: URL path is suspicious) on the first line shown in FIG.

Next, the filter condition generation unit 50 acquires the entry of the detection engine 111 selected as a filter condition generation target from the filter condition generation definition information 51, and filters corresponding to the detection engine 111 selected based on the acquired entry. Conditions are generated (S304).

At this time, the filter condition generator 50 acquires the value of the field corresponding to the field name of the acquired entry from the misjudgment log, and feeds it back to the filter condition data D2 based on the value of the field and the value condition of the acquired entry. Generate a filter condition that

The filter condition generation unit 50 notifies the detection engine unit 11 (filter processing unit 12) of the generated filter conditions. At this time, the filter condition generator 50 notifies the identifier of the selected detection engine 111 (for example, the ID of the detection engine 111 such as the name of the detection engine) together with the generated filter condition.

The filter processing unit 12 additionally updates the filter condition supplied from the filter condition generation unit 50 to the corresponding filter condition data D2 (S305).

For example, in the judgment result display screen as shown in FIG. 3 in step S302, the judgment result in the first row (the judgment result with index: 1) is selected, and in step S303, the filter condition generation definition information 51 shown in FIG. , the entry in the first row (the entry corresponding to the detection engine 111-1) is selected. In this case, the entry has a field name of "URL path" and a value condition of "match". In this case, the filter condition generation unit 50 determines that the determination result is normal instead of abnormal when log information whose URL path matches "/a.exe", which is the value in the false determination log, is supplied (for example, , 0) is generated and updated so as to be additionally registered in the filter condition data D2-1 corresponding to the detection engine 111-1.

Thereafter, when log information whose URL path matches "/a.exe" is supplied to the detection engine 111-1, the detection result D1-1 will have a value indicating abnormality (a value of 1 or more; 60), the filter processing unit 12 (filter condition data D2-1) filters to a value indicating normality (for example, 0) and outputs it as a filtered detection result D3-1. .

(A-3) Effects of First Embodiment According to the first embodiment, the following effects can be obtained.

In the abnormality determination system 1 of the first embodiment, the determination result processing unit 40 receives erroneous determination feedback from the operator OP (monitoring terminal TE), and the filter condition generation unit 50 generates an erroneous determination based on the filter condition generation definition information 51. is generated, and set in the detection processing unit 10 (filter processing unit 12).

As a result, the abnormality determination system 1 prevents the detection engine 111, which is the target of the erroneous determination feedback, from outputting the log information of the erroneous determination feedback as an abnormality (the filter processing unit 12 filters the log information into a normal value). It is possible to suppress erroneous determinations due to detection reasons related to the detection engine 111 .

Further, in the anomaly determination system 1, additional filter conditions are not generated for the detection engine 111 that does not contribute to anomaly detection for log information that has been erroneously determined in the past. It is possible to suppress the oversight of detection and maintain detection accuracy.

Furthermore, in the abnormality determination system 1, the filter condition generation definition information 51 generates a filter condition only for the detection engine 111 that contributed to the erroneous determination, so it is possible to perform an accurate whitelist type filter for erroneous determination logs. For example, in the anomaly determination system 1, when an anomaly is detected due to the detection of an execution file download from a malicious site, the detection engine 111 that detects the malicious site and the detection engine that downloads the execution file are associated with the reason for the erroneous determination. A whitelist filter is applied to 111, and the whitelist filter is not applied to the detection engine 111 that detects falsification or hijacking of a legitimate website that is not related to an erroneous determination reason. By doing so, in the abnormality determination system 1, it is possible to suppress abnormality detection due to an erroneously determined abnormality detection reason, and to maintain detection accuracy for other reasons.
(B) Second Embodiment Hereinafter, a second embodiment of an abnormality determination system, an abnormality determination program, and an abnormality determination method according to the present invention will be described in detail with reference to the drawings.

(B-1) Configuration of Second Embodiment The abnormality determination system 1A of the second embodiment can also be shown using FIG. 1 described above.

In FIG. 1, the symbols in parentheses are symbols used only in the second embodiment.

Below, difference with 1st Embodiment is demonstrated about the abnormality determination system 1A of 2nd Embodiment.

As shown in FIG. 1, in the abnormality determination system 1A of the second embodiment, a determination result processing unit 40 and a filter condition generation unit 50 (filter condition generation definition information 51) are configured so that the determination result processing unit 40A and the filter condition generation It differs from the first embodiment in that it is replaced with a section 50A (filter condition generation definition information 51A).

The determination result processing unit 40A of the second embodiment can receive erroneous determination feedback specifying the values of the fields that make up the log information from the operator OP instead of the units of log information. is different from The method by which the judgment result processing unit 40A accepts the erroneous judgment feedback specifying the values of the fields that make up the log information is not limited. may be applied.

8 and 9 are diagrams showing configuration examples of the determination result display screen displayed by the determination result processing unit 40A in the second embodiment.

In the determination result display screen of the first embodiment, it was possible to accept selection in log information units (row units), but in the determination result display screen of the second embodiment, the log information field values ( field name and its value) can be accepted.

In the erroneous determination result display screen of the second embodiment, the method of receiving input of the field name and its value is not limited, but for example, an operation screen (GUI) as shown in FIG. 8 is applied. may

In the determination result display screen shown in FIG. 8, an object OB201 capable of receiving field name input, a text box type object OB202 capable of receiving field value input (field value selected in object OB201), And a button-type object OB203 is arranged for receiving feedback on an erroneous determination based on the field name designated by the object OB201 and the value input by the object OB202.

In the object OB201, for example, an object (GUI) in the form of a list box or the like may accept a field name selection input, or input a field name corresponding to the cell selected in the table displayed thereon. You may make it Further, for example, on the determination result display screen, a field name corresponding to the selected cell (row) may be automatically entered in the object OB201. For example, the determination result display screen shown in FIG. 8 shows a state in which the cell of the communication destination FQDN of the log information (the cell of the communication destination FQDN with index: 1) is selected (highlighted), and the object OB201 is selected (highlighted). The field name (communication destination FQDN) of the specified field is entered. Specifically, for example, in the judgment result display screen shown in FIG. 8, the value (xxx.yyy.zzz) of the selected field is automatically entered in the object OB202. Note that the object OB202 may also accept free text editing by the operator OP.

Then, as shown in FIG. 8, when the button of the object OB 203 is pressed with "communication destination FQDN" specified as the field name and "xxx.yyy.zzz" specified as the field value, the determination result processing unit 40A , field name “communication destination FQDN” and field value “xxx.yyy.zzz”.

Furthermore, in the object OB202 of the determination result display screen of the second embodiment, as shown in FIG. 9, text description using wildcards may be allowed.

For example, in FIG. 9, the object OB202 has a text description with "*.yyy.zzz" and "*" as wildcards. In this case, "*" means that any character string of 0 or more characters is applicable (replaceable). For example, if the FQDN of the communication destination that is fed back with an erroneous judgment is "*.yyy.zzz", the end of the communication destination FQDN such as "aaa.yyy.zzz" or "ttt.yyy.zzz" is "yyy.zzz" It is synonymous with specifying all log information. For example, on the determination result display screen shown in FIG. 9, if only a part of the character string in any cell is selected by a mouse drag operation or the like, the unselected part is displayed in the object OB202 as described above. may be replaced with a display using a wild card. For example, in FIG. 9, only "yyy.zzz" of "xxx.yyy.zzz" is selected (highlighted) for the cell of the communication destination FQDN with index: 1. The portion of "xxx." which was not displayed is replaced with a wild card "*" and displayed (automatically displayed).

As described above, the operator OP can feed back erroneous determinations of field values in a wildcard format as shown in FIG. The wildcard format misjudgment feedback, for example, when multiple failures are detected for communication destination FQDNs with different host names, by giving misjudgment feedback to a common domain name. It can be used when you want to collectively give feedback on misjudgments of other different host names that may occur.

As described above, when the determination result processing unit 40A receives erroneous determination feedback for a field value (field name and its value), it notifies the filter condition generation unit 50A of the received information (field name and its value), Request the creation of a condition.

The filter condition generation unit 50A applies the information (the field name and its value) notified from the determination result processing unit 40A to the filter condition generation definition information 51A to generate a filter condition for each detection engine 111, and the filter processing unit 12 to notify.

FIG. 10 is a diagram showing a configuration example of filter condition generation definition information 51A according to the second embodiment.

As shown in FIG. 10, the filter condition generation definition information 51A also consists of field name, detection engine name, and value condition items for each entry. It differs from the first embodiment in that That is, the filter condition generation definition information 51A is feedback condition generation definition information with field names as keys.

When the filter condition generation unit 50A receives the information of the erroneous determination feedback (field name and its value) from the determination result processing unit 40A, the filter condition generation unit 50A selects an entry that matches the field name of the erroneous determination feedback information from the filter condition generation definition information 51A. Search and get the detection engine name and value condition of the entry. Then, the filter condition generator 50A generates a filter condition based on the detection engine name of the detected entry, the value condition, and the erroneous determination feedback value.

In FIG. 10, the field names of the entries on the first to third lines are "URL path", "communication destination FQDN", and "URL path", respectively.

In this case, the entry in the first row has the field name "URL path", the detection engine name "URL path is suspect", and the value condition "match". In this case, the entry in the first line indicates that a filter condition is generated to filter log information that matches the false positive feedback value in the URL path, which is the false positive feedback field name.

In the entry on the second line, the field name is "communication destination FQDN", the detection engine name is "communication destination domain is suspicious", and the value condition is "partial match (domain name)". In this case, in the entry on the second line, the log information that partially matches the value of the misjudgment feedback (the character string of the domain name part of the communication destination FQDN matches) in the communication destination FQDN, which is the field name of the misjudgment feedback. It shows that a filtering filter condition is generated. Here, the domain name is a character string obtained by excluding the host name from the FQDN. For example, if the FQDN is "host1.xxx.yyy.zzz", "host1" is the host name and "xxx.yyy.zzz" is the domain name.

Furthermore, the entry in the third line has a field name of "URL path", a detection engine name of "suspect download file name", and a value condition of "partial match (file name)". In this case, the entry in the third line filters log information that partially matches the value of the false positive feedback in the URL path, which is the field name of the false positive feedback (the character string of the file name part of the URL path matches). It shows that the filter condition is generated. Here, the file name is assumed to be a character string of the file name excluding the notation of the directory from the URL path.

Here, the detection engine name of the detection engine 111-1 is "suspicious URL path", the detection engine name of the detection engine 111-2 is "suspicious destination domain", and the detection engine name of the detection engine 111-3 is "suspicious". Assume that "download file name is suspicious".

(B-2) Operation of Second Embodiment Next, the operation (abnormality determination method according to the embodiment) of the abnormality determination system 1A of the second embodiment having the configuration as described above will be described with respect to that of the first embodiment. Only differences between

The second embodiment differs from the first embodiment only in the operations of the determination result processing unit 40A and the filter condition generation unit 50A.

Next, details of operations of the determination result processing unit 40A and the filter condition generation unit 50A will be described with reference to FIG.

FIG. 11 is a flow chart showing an example of operations of the determination result processing unit 40A and the filter condition generation unit 50A.

The determination result processing unit 40A presents the determination result supplied from the determination unit 30 (determiner 31) as a determination result display screen to the monitoring terminal TE used by the operator OP (S401), and inputs information on erroneous determination feedback (error Input of the field name and its value related to determination) is received (S402). At this time, the determination result processing unit 40A presents a determination result display screen as shown in FIGS. 8 and 9, and receives input of incorrect determination feedback information, unlike in the first embodiment. When the determination result processing unit 40A receives information input of incorrect determination feedback, it notifies the information (field name and its value) to the filter condition generation unit 50A and requests update of the filter condition.

When the erroneous determination feedback information (field name and its value) is supplied, the filter condition generation unit 50A searches the filter condition generation definition information 51A for an entry matching the field name of the erroneous determination feedback information and selects it ( S403).

Next, the filter condition generation unit 50A acquires the selected entry information (detection engine name and value condition) from the filter condition generation definition information 51A, and generates a filter condition for each acquired entry (S404).

The filter condition generation unit 50A notifies the detection engine unit 11 (filter processing unit 12) of the generated filter conditions. At this time, the filter condition generation unit 50A notifies the generated filter condition and the identifier of the selected detection engine 111 (for example, the ID of the detection engine 111 such as the detection engine name) to request update of the filter condition. Then, the filter processing unit 12 additionally updates the filter condition supplied from the filter condition generation unit 50A to the corresponding filter condition data D2 (S405).

For example, in the judgment result display screen shown in FIG. 9 in step S402, it is assumed that the field name of the erroneous judgment feedback is "communication destination FQDN" and the field value is "*.yyy.zzz".

In this case, in step S403, the second line entry (field name: communication destination FQDN) is selected in the filter condition generation definition information 51 shown in FIG. In this entry, the field name is "communication destination FQDN" and the value condition is "partial match (domain name)".

Therefore, in this case, the filter condition generation unit 50A creates a log in which the domain name (a part of the communication destination FQDN) that constitutes the communication destination FQDN matches the field value "*.yyy.zzz" that was fed back as an erroneous judgment. Generates a filter condition that sets a value (for example, 0) as normal rather than abnormal when the information is supplied, and adds it to the filter condition data D2-2 corresponding to the detection engine 111-2. Update to register.

Henceforth, when the detection engine 111-2 is supplied with log information in which the end of the domain name of the communication destination FQDN matches "yyy.zzz", the detection result D1-2 is set to a value indicating abnormality (a value of 1 or more). ), the filter processing unit 12 (filter condition data D2-1) filters to a value (for example, 0) indicating normality, and is output as a filtered detection result D3-2.

(B-3) Effects of Second Embodiment According to the second embodiment, the following effects can be obtained.

In the abnormality determination system 1A of the second embodiment, when the determination result processing unit 40A receives false determination feedback from the operator OP (monitoring terminal TE), the value of the log information field (field name and its value) is specified. accept. Then, in the abnormality determination system 1A, the filter condition generation unit 50A generates filter conditions based on the filter condition generation definition information 51A having the field name as a key.

As a result, in the abnormality determination system 1A, even if it is not possible to determine whether or not an erroneous determination has been made for the entire log information, it is possible to designate an item that can be determined to be normal for each field and provide erroneous determination feedback. Thus, in the second embodiment, for example, even an operator OP who has little log monitoring experience can utilize the abnormality determination system 1A. In addition, since the abnormality determination system 1A can receive erroneous determination feedback in a wildcard format, for example, by providing erroneous determination feedback of the domain name of the FQDN, for example, similar FQDNs with different host names can be collectively erroneously identified. Judgment feedback can be provided. As described above, in the abnormality determination system 1A, filter conditions are generated based on erroneous determination feedback specifying field values of log information. A filter condition (filter condition data D2) is additionally generated only for . Therefore, in the anomaly determination system 1A, for example, for a detection engine 111 that is not desirable to filter certain log information (for example, a detection engine 111 that detects falsification of a legitimate website as described above), the filter condition is not generated, it is possible to suppress deterioration in detection accuracy.

(C) Other Embodiments The present invention is not limited to the above-described embodiments, and modified embodiments such as those illustrated below can be exemplified.

(C-1) The determination result display screen displayed by the determination result processing unit 40 of the first embodiment was configured to accept erroneous determination feedback in log information units (row units). You may make it receive a judgment feedback. For example, on the determination result display screen, as shown in FIG. 12, erroneous determination feedback may be received for each log information detection engine 111 unit.

FIG. 12 is a diagram showing a modified example of the determination result display screen according to the second embodiment.

In FIG. 12, for each piece of log information (each row), a check box CB, which is an object for accepting selection of the cell, is placed in the cell of the detection result for each detection engine 111 (detection results X1 to XN for each detection engine 111). It is

The operator OP, who has been presented with the judgment result display screen as shown in FIG. Then, on the determination result display screen of FIG. 12, it is possible to accept an operation (operation to turn on the check) for the check box CB of the cell corresponding to the combination of the log information and the detection engine 111 determined to be erroneously determined by the operator OP. can. For example, on the determination result operation screen shown in FIG. The check box CB of the detection result (X2) of -2 is checked. On the determination result operation screen shown in FIG. 12, when the button OB301 is operated with one or more check boxes CB checked, log information (index) corresponding to the cell with the check box CB ON is displayed. False positive feedback specifying a combination of detection engines 111 can be received.

In this case, the determination result processing unit 40 associates information including the identifier of the detection engine 111 (for example, the name of the detection engine) with the log information (index) in which the check box CB is turned on as false determination feedback information. Information is acquired and supplied to the filter condition generation unit 50 .

Then, the filter condition generation unit 50 acquires the entry of the detection engine name specified in the erroneous determination feedback from the filter condition generation definition information 51 . Then, the filter condition generation unit 50 generates a filter condition for the detection engine related to the erroneous judgment feedback based on the acquired entry and the log information corresponding to the entry specified in the erroneous judgment feedback, and notifies the filter processing unit 12 of it. do.

By applying the erroneous determination feedback as described above in the determination result processing unit 40, it is possible to reflect the cause of the erroneous determination feedback of the operator OP, so that it is possible to more accurately select the detection engine that needs to generate the filter condition. Furthermore, it is possible to enhance the effect of suppressing erroneous determination and suppressing deterioration of detection accuracy.

(C-2) In the abnormality determination systems 1 and 1A of the above embodiments, the detection processing unit 10 (filter processing unit 12) resets the set filter conditions (filter condition data D2-1 to D2-N). A means (hereinafter referred to as "reset means") for executing the process (hereinafter referred to as "reset process") may be provided.

For example, if there is a detection engine 111 that detects falsification of a legitimate site, the filter condition for filtering logs containing the communication destination FQDN of the log detected by this detection engine 111 is set from the filter processing unit 12 (filter condition data D2). By deleting it, it is possible to detect other anomaly detection reasons triggered by "authorized site defacement". When the filter condition is deleted using such a condition as a trigger, the detection processing unit 10 may store in advance the name of the detection engine that triggers the deletion of the filter condition and the information of the “condition for deleting the filter condition”. .

For example, in the example of the detection engine 111 that detects "falsification of a legitimate site", the "condition for deleting a filter condition" is a filter condition that matches the communication destination FQDN of the log detected by the detection engine 111. Conditions such as deleting an entry in a filter condition list apply.

When a detection engine that triggers deletion of a filter condition is detected, the detection engine unit 11 deletes the filter conditions of other detection engines from the filter condition list according to the conditions for deleting the filter condition of the detection engine.

As another method for resetting the filter conditions (filter condition data D2) of the filter processing unit 12, filter condition generation time information (information on the time when the filter condition was added) is added to each filter condition data D2, Filter conditions may be deleted over time. Specifically, for example, when adding a filter condition to each filter condition data D2, the filter processing unit 12 adds filter condition generation time information (information on the time when the filter condition was added), It is also possible to manage the lifetime (period from the time when the filter condition is added until the reset process) for each filter condition of D2, and delete the filter condition whose lifetime has passed since the creation date and time.

In the abnormality determination systems 1 and 1A, when the filter conditions are periodically reset by the resetting means as described above, the operator OP is periodically notified of the determination result that was fed back as an erroneous determination in the past. It is possible to prevent oversight of an event that was judged to be an erroneous judgment at a past point in time but changes abnormally with the passage of time.

Reference Signs List 1... Abnormality determination system 10... Detection processing unit 11... Detection engine unit 111, 111-1 to 111-N... Detection engine 12... Filter processing unit 20... Feature amount processing unit 30... Judging unit 31 Determination device 40 Determination result processing unit 50 Filter condition generation unit 51 Filter condition generation definition information 60 Determination device creation unit 70 Control unit D1, D1-1 to D1-N Detection result , D2, D2-1 to D2-N... filter condition data, D3, D3-1 to D3-N... filtered detection result, NE... network, OP... operator, TE... monitoring terminal

Claims (7)

In an abnormality determination system that determines an abnormality on the network from analysis target data collected from one or more network devices arranged on the network,
a plurality of detection means for detecting anomalies from the analysis target data from different viewpoints;
Filter condition data describing filter conditions for each of the detection means is held, detection results of each of the detection means are subjected to filter processing based on the filter condition data, and detection is performed for each of the detection means after the filter processing. filtering means for outputting results;
feature amount processing means for acquiring feature amount data suitable for machine learning based on the detection results of the respective detection means output by the filtering means;
determining means for determining an abnormality on the network by supplying the feature data to a determining device having a learning model machine-learned based on teacher data;
feedback receiving means for receiving erroneous determination feedback indicating that the determination result by the determining means is an erroneous determination;
and filter condition generation means for generating the filter condition data to be set in the filter processing means according to the contents of the erroneous judgment feedback received by the feedback reception means. The feedback receiving means receives the erroneous determination feedback specifying the analysis target data,
The filter condition generation means holds filter condition generation definition information describing a filter condition generation rule for each of the detection means, and performs any of the detections based on the detection result of each of the detection means related to the erroneous judgment feedback. 2. The abnormality determination system according to claim 1, wherein said filter condition generation rule of means is selected, and said filter condition data to be set in said filter processing means is generated according to said selected filter condition generation rule. 3. The abnormality determination system according to claim 2, wherein each of said filter condition generation rules describes at least item names of items of said analysis target data and conditions for values of said items. The feedback receiving means receives an item name and its value of the item of the analysis target data as the content of the erroneous determination feedback,
The filter condition generation means holds filter condition generation definition information describing a filter condition generation rule for each item, selects the filter condition generation rule corresponding to the item related to the erroneous determination feedback, and selects the filter condition generation rule. 2. The abnormality determination system according to claim 1, wherein said filter condition data to be set in said filter processing means is generated according to said filter condition generation rule. 5. The abnormality determination system according to claim 4, wherein each of said filter condition generation rules describes at least an identifier of said detection means and a condition for a value of said item related to said data to be analyzed. . A computer that constitutes an abnormality determination system that determines an abnormality on the network from analysis target data collected from one or more network devices arranged on the network,
a plurality of detection means for detecting anomalies from the analysis target data from different viewpoints;
Filter condition data describing filter conditions for each of the detection means is held, detection results of each of the detection means are subjected to filter processing based on the filter condition data, and detection is performed for each of the detection means after the filter processing. filtering means for outputting results;
feature amount processing means for acquiring feature amount data suitable for machine learning based on the detection results of the respective detection means output by the filtering means;
determining means for determining an abnormality on the network by supplying the feature data to a determining device having a learning model machine-learned based on teacher data;
feedback receiving means for receiving erroneous determination feedback indicating that the determination result by the determining means is an erroneous determination;
An abnormality determination program functioning as filter condition generation means for generating the filter condition data to be set in the filter processing means according to the content of the erroneous determination feedback received by the feedback reception means. In the above determination method performed by an abnormality determination system that determines an abnormality on the network from analysis target data collected from one or more network devices arranged on the network,
The abnormality determination system includes a plurality of detection means, filtering means, feature amount processing means, determination means, feedback reception means, and filter condition generation means,
each of the detection means detects an abnormality from the analysis target data from a different point of view,
The filter processing means holds filter condition data describing filter conditions for each of the detection means, performs filter processing on detection results of each of the detection means based on the filter condition data, and performs filter processing on each of the detection means. Outputting the detection result after the filtering process,
The feature amount processing means acquires feature amount data suitable for machine learning based on the detection results of the respective detection means output by the filtering means,
The determination means supplies the feature amount data to a determination device having a learning model machine-learned based on teacher data to determine an abnormality on the network;
The feedback receiving means receives erroneous determination feedback indicating that the determination result by the determining means is an erroneous determination,
The abnormality determination method, wherein the filter condition generation means generates the filter condition data to be set in the filter processing means according to the content of the erroneous determination feedback received by the feedback reception means.

Images