JP4371981B2 - Abnormal data detection apparatus, abnormal data detection method, and abnormal data detection program - Google Patents

Description

  The present invention relates to an abnormal data detection device, an abnormal data detection method, and an abnormal data detection program for detecting abnormal data in access data input from a communication network.

  In general, as a method for detecting abnormal data in a communication network such as the Internet, a method in which a packet received from a predetermined IP address and port number through a firewall or the like is not allowed to pass. However, there are a variety of attacks that cannot be prevented by this firewall. Among them, there are many attacks aimed at security holes on web servers, that is, bugs and vulnerabilities in software such as operating systems and browsers. For example, if a specific character string is included in an HTTP request, the HTTP request is decrypted and executed, so that software such as CGI (Common Gateway Interface) running on the web server may cause a buffer overflow, etc. Cause unexpected behavior. In order to respond to such attacks that target software vulnerabilities on the web server, an HTTP request sent from the client to the web server is relayed and analyzed in the application layer, and the known attack characteristics are stored in advance. There is a method of defending a web server by blocking session relay when compared with a pattern file and matching (for example, Patent Document 1).

  However, the above-described method has a problem that the web server cannot be protected from an unknown attack that is not stored in the attack pattern file.

  Therefore, in the technical field for detecting abnormal data in access data sent to devices connected to the Internet, such as web servers, the range of values and character types included in the access data are analyzed, and the average value and variance are obtained. Calculate a threshold that is statistically abnormal. Furthermore, based on the threshold value, by establishing whether a certain access data is statistically normal or abnormal, thereby establishing a technique for detecting whether the access data is related to abnormal data. Is required. This technique is expected to be able to detect unknown abnormality data that cannot be detected only from a known abnormality pattern or a normal pattern given in advance (for example, Non-Patent Document 1).

  However, in the above-described technique, when only relying on a statistically calculated threshold value, the ability to determine whether unknown abnormal data is truly abnormal data is not always sufficient. For example, especially for access data evaluated in the vicinity of a threshold value, the accuracy of the judgment tends to be weak. If the threshold value is not set appropriately, specifically, normal data is detected as abnormal. It becomes a member that causes non-detection after detection or abnormal detection that cannot detect abnormal things.

  In order to delete false detection and non-detection of unknown abnormal data, it can be considered to correct the threshold value of whether it is normal or abnormal in the management terminal by judgment based on the knowledge of the administrator or expert . However, in this method, access to devices connected to the Internet is enormous and diverse, and if the amount of alarm log output to the management terminal is too large, it will not be handled by the administrator and will eventually be left unattended. Occurs.

In order to solve this, the inventors have invented a method of appropriately correcting the threshold during operation in the management terminal (for example, Patent Document 2). In the method described in Patent Document 2, it is assumed that there is a possibility of erroneous detection of access data belonging to a predetermined threshold value outside the threshold value that is evaluated as slightly abnormal than the threshold value. The access data belonging to the vicinity of the predetermined threshold value within the threshold value, which is slightly normal than the threshold value, is transferred to the non-detection correction management unit on the assumption that there is a possibility of non-detection.
JP 2002-063084 A Japanese Patent Application No. 2003-318796 ISSN 0919-6072 Information Processing Society of Japan Research Report 2003, No. 74 July 17-18, 2003 Issued by Information Processing Society of Japan p. 91-96 "Unknown attack defense system based on HTTP request analysis" Toru Konno, Masamichi Sasaoka

  However, in the method described in Patent Document 2, since the correction is performed by the management terminal on the premise of the presence of the manager, there is a problem that a burden is imposed on the manager. Furthermore, there has been no means for changing the criteria for judging data anomalies during operation, such as a threshold value. Therefore, when the operation time is long, it is necessary to take measures such as always monitoring on the management terminal in order to appropriately follow the change in the trend of access data, which is a burden and cost. was there.

  Accordingly, an object of the present invention is to provide an abnormal data detection apparatus and an abnormal data detection program that can determine whether or not access data that is not stored in advance is normal access data.

In order to solve the above-described problem, a first feature of the present invention is a data analysis unit that calculates a feature amount indicating a feature of abnormal data based on a parameter value included in access data input from a connected network segment. A feature amount storage unit that stores and stores the feature amount calculated by the data analysis unit, a statistical information storage unit that stores statistical information including the average value, standard deviation, and number of accesses of the feature amount, and a feature amount storage Statistical processing execution means for generating statistical information including the average value, standard deviation, and number of accesses stored in the means, and updating the statistical information stored in the statistical information storage means, and refer to the statistical information storage means An access determination means for determining the number of past accesses related to the input access data, and data analysis based on the result determined by the access determination means The abnormal data comprises statistical anomaly determining means for comparing the feature amount calculated in the step and the statistical information stored in the statistical information storage means to determine whether the input access data is normal or not. It is a detection device.

  According to the present invention as described above, it is possible to determine whether access data that is not stored in advance is normal access data.

  According to the present invention, it is possible to provide an abnormal data detection apparatus and an abnormal data detection program for determining whether or not access data that is not stored in advance is normal access data.

  Next, embodiments of the present invention will be described with reference to the drawings. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals.

[First Embodiment]
[Abnormal data detection device]
With reference to FIG. 1, an abnormal data detection apparatus 1 according to a first embodiment of the present invention will be described.

  The abnormal data detection apparatus 1 according to the first embodiment of the present invention detects known abnormal data input via a connected network and detects unknown abnormal data. As shown in FIG. 1, the abnormal data detection apparatus 1 includes a data analysis unit 11, an access determination unit 12, a statistical abnormality determination unit 13, a statistical processing execution unit 14, a statistical information table 15, and a feature amount accumulation table 16. ing.

  Specifically, the abnormal data detection apparatus 1 includes a second network segment 3 output from a client computer connected to the first network segment 2 (not shown) input from the first network segment 2 such as the Internet or an intranet. When the access data for a server (Web server) (not shown) connected to is normal access data, the input access data is passed through the second network segment 3. On the other hand, if the input access data is abnormal access data, the abnormal data detection device 1 discards the access data without passing it through the second network segment 3, or the access data is abnormal access data. Additional information indicating that there is a property is attached and passed to the second network segment 3.

  Here, the access data is information based on a communication protocol such as an HTTP request or an SMTP request. The abnormal data detection apparatus 1 is realized, for example, by installing a software program such as an abnormal data detection program in a general computer and executing the software program in the central processing control apparatus.

  As shown in FIG. 2, the abnormal data detection apparatus 1 according to the first embodiment of the present invention includes a central processing control device 101, a ROM (Read Only Memory) 102, a RAM (Random Access Memory) 103, and an input / output interface. 109 are connected via the bus 110. An input device 104, a display device 105, a communication control device 106, a storage device 107, and a removable disk 108 are connected to the input / output interface 109.

  The central processing control device 101 reads out and executes a boot program for starting up the abnormal data detection device 1 from the ROM 102 based on an input signal from the input device 104, and further reads out an operating system stored in the storage device 107. Further, the central processing control device 101 controls various devices based on input signals from the input device 104, the communication control device 106, etc., and reads programs and data stored in the RAM 103, the storage device 107, etc. into the RAM 103. A processing device that loads and implements a series of processes to be described later, such as data calculation or processing, based on a program command read from the RAM 103.

  The input device 104 includes input devices such as a keyboard and a mouse through which an operator inputs various operations. The input device 104 generates an input signal based on the operation of the operator, and inputs via the input / output interface 109 and the bus 110. It is transmitted to the central processing control apparatus 101. The display device 105 is a CRT (Cathode Ray Tube) display, a liquid crystal display, or the like. The display device 105 receives an output signal to be displayed on the display device 105 from the central processing control device 101 via the bus 110 and the input / output interface 109. It is a device that displays the processing result of the control device 101 and the like. The communication control device 106 is a device such as a LAN card or a modem, and is a device that connects the abnormal data detection device 1 to a communication network such as the Internet or a LAN. Data transmitted / received to / from the communication network via the communication control device 106 is transmitted / received to / from the central processing control device 101 via the input / output interface and bus 110 as an input signal or an output signal.

  The storage device 107 is a magnetic disk device, and stores programs and data executed by the central processing control device 101. The removable disk 108 is an optical disk or a flexible disk, and signals read / written by the disk drive are transmitted / received to / from the central processing control apparatus 101 via the input / output interface 109 and the bus 110.

  In the storage device 107 of the abnormal data detection apparatus 1 according to the first embodiment of the present invention, an abnormal data detection program is stored, and a statistical information table 15 and a feature amount accumulation table 16 are stored. Further, when the abnormal data detection program is read and executed by the central processing control device 101 of the abnormal data detection device 1, the data analysis unit 11, the access determination unit 12, the statistical abnormality determination unit 13, and the statistical processing execution unit 14 are executed. It is mounted on the abnormal data detection device 1.

  When the access data is input from the connected first network segment 2, the data analysis unit 11 indicates the characteristics of the abnormal data for each parameter identifier based on the parameter value included in the input access data. The feature amount is calculated. Further, the data analysis unit 11 outputs the calculated feature value together with the access data.

  For example, the data analysis unit 11 analyzes the access data of the HTTP request as shown in FIG. 3 and calculates the feature value of the parameter value. When the access data illustrated in FIG. 3 is input and analyzed, the data analysis unit 11 cuts out a numerical value “123” as the parameter value of the variable “P” that is the CGI variable name 1. Further, “user” that is an ASCII character is extracted as the parameter value of the variable “Q” that is the CGI variable name 2, and “456” that is a numerical value is extracted as the parameter value of the variable “R” that is the CGI variable name 3.

  When the value of each CGI variable name is cut out, the data analysis unit 11 calculates a feature amount based on the cut out value.

  The access determination unit 12 reads the statistical information table 15 and determines the number of past accesses associated with the parameter identifier included in the input access data.

  Here, a combination of a CGI name and a CGI variable name is used as a parameter identifier. Specifically, when the access determination unit 12 inputs the access data and the feature amount output from the data analysis unit 11, the CGI variable that is an identifier of a parameter included in the access data to be determined in the statistical information table 15 And the access count of the statistical information associated with the combination of the CGI name is referred to, and it is determined whether or not the parameter identifier has been accessed in the past. In addition, the access determination unit 12 outputs a determination result as to whether or not there is an access together with access data and a feature amount.

  The statistical abnormality determination unit 13 compares the feature amount calculated by the data analysis unit 11 with the statistical information stored in the statistical information table 15 based on the result determined by the access determination unit 12 and is input. It is determined whether or not the access data is normal.

First, statistical abnormality determination unit 13, the access data from the access determination unit 12, entering the characteristic amount and the determination result, when it is determined that the access is not present for this parameter identifier in the past by the access judging unit 12, the data When the feature amount calculated by the analysis unit 11 is “0”, the parameter value is determined to be normal, and when the feature amount is not “0”, the parameter value is determined to be abnormal.

Further, when it is determined that access exists for past identifier for this parameter in the access judging unit 12, utilizing a statistically abnormal threshold can be considered the statistical distribution based on the feature amount of the access data is calculated It is then determined whether the access data is normal. For example, when the feature amount obtained for the parameter value is within the range of f (x) in Expression 1, it is determined that the parameter value is normal, and when it is out of the range, the parameter value is determined.

  The average value μ and the standard deviation σ in Equation 1 are determined as shown in FIG. 7 by taking statistics of the feature amount of the access data. The threshold coefficient A is a value set by the statistical processing execution unit 14. The threshold coefficient A is a value determined according to each parameter value for “numerical value”, “metacharacter”, and “binary code” in the abnormal data detection apparatus 1 according to the first embodiment of the present invention. . Specifically, a value of about 2 to 11 is practically preferable, but is not limited to this, and the best value is set.

  When it is determined that all parameter values included in the access data are normal, the statistical abnormality determination unit 13 determines that the access data is normal access data. Further, it is determined that access data including an abnormal parameter value is abnormal access data.

  When the feature amount calculated by the data analysis unit 11 is stored in the feature amount accumulation table 16, the statistical processing execution unit 14 stores the average value, standard deviation, and number of accesses of the feature amount stored in the feature amount accumulation table 16. Generate statistical information including The statistical processing execution unit 14 recalculates and updates the statistical information stored in the statistical information table 15 for each parameter identifier using the generated statistical information.

  The statistical information table 15 stores statistical information including the average value of the feature amount, the standard deviation, and the number of accesses using the parameter identifier as a key. The statistical information table 15 is updated under the control of the statistical processing execution unit 14 every time a new access is added to the feature amount accumulation table 16.

  For example, as shown in FIG. 4, the statistical information table 15 stores statistical information for parameter identifiers that are combinations of CGI names and CGI variable names. In the example shown in FIG. 4A, the statistical information table 15 describes pointer variables corresponding to statistical information for combinations of CGI names and CGI variable names.

  For example, a pointer variable stored as statistical information 2b associated with CGI name b and CGI variable name 2 is associated with statistical information 2b shown in FIG. The statistical information 2b shown in FIG. 4B stores “average value” and “standard deviation” obtained based on the feature amount for “numerical value”, “metacharacter”, and “binary code”. Yes. Further, the statistical information 2 b stores “access count” for the identifier of the parameter which is a combination of the CGI name and the CGI variable name. The statistical information is updated by the statistical processing execution unit 14 every time a new feature amount is accumulated in the feature amount accumulation table 16.

  The feature amount accumulation table 16 accumulates and stores feature amounts calculated by the data analysis unit 11 using parameter identifiers as keys.

  Specifically, as shown in FIG. 5 as an example, the feature amount accumulation table 16 shows the feature amount obtained from the value (parameter) of the CGI variable name included in the packet data input as access data to the Web server. It is stored as a feature value for the CGI variable name. FIG. 5 shows the feature values obtained for the “numerical value”, “metacharacter”, and “binary code” of the CGI variables when the first to fourth packet data shown in FIG. 6 are input as the access data. is there. The “metacharacter” is a character having a special meaning in a communication protocol such as HTTP.

  FIG. 6A shows the first packet data, and the value of “Q” in the CGI variable name 2 is the numerical value “12345”. FIG. 6B shows the second packet data, and the value of “Q” in the CGI variable name 2 is the ASCII character “abcde”. Further, FIG. 6C shows the third packet data, and the value of “Q” in the CGI variable name 2 is the metacharacter “” ′; ”. Further, FIG. 6D shows the fourth packet data, and the “Q” value of the CGI variable name 2 is the binary code “ΔΔΔΔ”. Note that this “Δ” virtually illustrates the binary code. Here, “cgi-bin / phf” is “CGI name b”.

  Thus, using the value of “Q” that is CGI variable name 2 included in the first to fourth packet data, the total number of “numerical value”, “metacharacter”, and “binary code” in the parameter value is calculated. The feature value is stored in the feature value accumulation table 16 as a feature value.

  For example, the number including “numerical value” in the parameter value “Q” of the first packet data is “5”, and does not include “metacharacter” and “binary code”. Therefore, the feature amounts of the first packet data are “5, 0, 0”, respectively. Since the parameter value of “Q” of the second packet data does not include any of “numerical value”, “metacharacter”, and “binary code”, the feature amount of the second packet data is “ 0, 0, 0 ". Similarly, since the third packet data includes three “metacharacters”, the feature amount is “0, 3, 0”, and the fourth packet data includes four “binary codes”. The feature amounts are “0, 0, 4” and are stored in the feature amount storage table 16 as shown in FIG.

  Note that the statistical information 2b shown in FIG. 4B is generated based on the feature amount stored in the feature amount storage table 16 shown in FIG. For example, the “average value” of “numerical values” is obtained by dividing “5”, which is the sum of the “numerical value” feature amounts of the first to fourth packet data, by the access count “4”. Also, the “average value” for “metacharacter” and “binary code” is also obtained by dividing the total of the feature quantities of “metacharacter” and “binary code” of the first to fourth packet data by the number of accesses “4”. Looking for. The “standard deviation” is obtained by using the feature values and average values of the first to fourth packet data.

[Abnormal data detection processing]
Next, the abnormal data detection process in the abnormal data detection apparatus 1 according to the first embodiment of the present invention will be described with reference to the flowchart shown in FIG.

  When access data is input to the data analysis unit 11 of the abnormal data detection device 1 via the network segment 2 connected to the abnormal data detection device 1 (S001), the data analysis unit 11 analyzes the access data. The feature amount is calculated and output together with the input access data (S002).

  The access data is HTTP request access data as shown in FIG. The feature amount is calculated by obtaining the number of each character type of “numerical value”, “metacharacter”, and “binary code” of the data as shown in FIG.

  When the access determination unit 12 inputs the feature amount calculated based on the access data together with the access data from the data analysis unit 11 (S003), the access determination unit 12 regards the access data input together with the feature amount from the data analysis unit 11. For the CGI name and the CGI variable name included in the access data, it is determined whether or not it has been accessed in the past by referring to the access count of the statistical information table 15, and the presence / absence of access is output together with the access data and the feature amount as a determination result (S004). The determination process in step S004 will be described in detail later.

  When the statistical abnormality determination unit 13 receives the access determination result and the access data from the access determination unit 12, the statistical abnormality determination unit 13 determines whether the parameter values of all the CGI variables included in the access data are normal. (S005). For example, in the case of the access data shown in FIG. 3, it is determined whether or not all the parameter values of the CGI name variables 1 to 3 are “normal”.

  When all the CGI variables included in the access data are “normal”, the statistical abnormality determination unit 13 determines that the access data is “normal” (S006). On the other hand, if at least one CGI variable determined to be “abnormal” is included in the access data, the statistical abnormality determination unit 13 determines that the access data is “abnormal” (S007).

  In step S006, when the statistical abnormality determination unit 13 determines that the input access data is “normal”, the statistical abnormality determination unit 13 stores the feature amount calculated in step S002 and stores the feature amount accumulation table. 16 is updated. (S008).

  When the feature amount accumulation table 16 is updated in step S008, the statistical processing execution unit 14 reads the feature amount accumulation table 16, recalculates the statistical information, and stores the calculated statistical information in the statistical information table 15 (S109). ).

[Determination process]
Next, the determination process in step S004 will be described using the flowchart shown in FIG.

  When the access data and the feature quantity are input from the data analysis unit 11, the access determination unit 12 selects one CGI variable name included in the access data (S101).

  Subsequently, the access determination unit 12 refers to the access count of the statistical information table 15 for the statistical information identified by the parameter identifier that is a combination of the selected CGI name and the CGI variable name, and whether the access has been made in the past. It is determined whether or not (S102).

If the combination of the selected CGI name and CGI variable name has not been accessed in the past in step S102 (NO in S102 ) , the statistical abnormality determination unit 13 is calculated in step S002 shown in FIG. It is determined whether or not the feature amount is “0” (S103). In the above-described example, feature quantities are calculated for “numerical values”, “metacharacters”, and “binary codes”. When feature quantities are calculated for a plurality of character types in this way, all feature quantities are “ In the case of “0”, the feature amount is set to “0”.

  When the feature amount calculated in step S002 is “0”, the statistical abnormality determination unit 13 determines that the parameter value of the target CGI variable name is “normal” (S104). On the other hand, when the feature amount is not “0”, the statistical abnormality determination unit 13 determines that the parameter value of the CGI variable name is “abnormal” (S105).

  Specifically, in FIG. 5, since the feature value of the parameter value “numerical value” of the first packet data is not “0”, the parameter value is determined to be “abnormal”. For the second packet data, since the feature values for the parameter values of “numerical value”, “metacharacter”, and “binary code” are all “0”, the parameter value is determined to be “normal”. Further, the parameter values of the third and fourth packet data are determined as “abnormal”.

Also, if it was the past access (YES in S102), statistical abnormality determination unit 13, the feature amount calculated in the step S002 defined for the combination of the CGI name and CGI variable name selected at step S102 It is determined whether it is within the range (S106). Specifically, when the standard deviation calculated for the feature amount calculated in step S002 is within the threshold range shown in FIG. 7, the statistical abnormality determination unit 13 determines that it is within the specified range.

  When it is determined that the calculated feature value is within the specified range, the statistical abnormality determination unit 13 determines that the value of the CGI variable name is “normal” (S107), and is determined not to be within the specified range. If it is determined that the value of the CGI variable name is “abnormal” (S108).

  When “normal” or “abnormal” is not determined for all CGI variables, the process returns to step S101 (NO in S109), and when determination processing is performed for all CGI variable name values (YES in S109), The determination process is terminated (S110).

  The abnormal data detection apparatus 1 according to the first embodiment described above, for the access data including the CGI name and the CGI variable name that appears for the first time, calculates the feature amount based on the value using the CGI name and the CGI variable name as an identifier. Calculation is performed, and normality or abnormality is determined based on the calculated feature amount. Thus, by detecting access data that is not stored in advance, an unknown attack can be detected.

[Second Embodiment]
Next, an abnormal data detection apparatus 1a according to the second embodiment of the present invention will be described.

  As shown in FIG. 10, the abnormal data detection device 1a according to the second embodiment is different from the abnormal data detection device 1 according to the first embodiment in that an access determination unit is used instead of the access determination unit 12. 17 is different. In addition, about the same structure as the abnormal data detection apparatus 1 which concerns on 1st Embodiment, the same number is attached | subjected and description is abbreviate | omitted.

  The access determination unit 17 includes a CGI determination unit 17a and a CGI variable determination unit 17b.

  The CGI determination unit 17a determines whether or not statistical information corresponding to the CGI name and the CGI variable included in the input access data exists in the statistical information table 15.

  When the CGI variable determination unit 17b determines that the statistical information is present in the CGI determination unit 17a, the CGI variable determination unit 17b reads the statistical information table 15 and stores past CGI names and CGI variables associated with the input access data. Determine the number of accesses.

  If the CGI determination unit 17a determines that the statistical information of the corresponding parameter identifier does not exist, the statistical abnormality determination unit 13 determines that the access data including the parameter value is abnormal.

  The abnormal data detection device 1a accumulates statistical information in the statistical information table 15 as a learning mode until actual operation is started. Therefore, for example, the abnormal data detection device 1a does not detect abnormal data in the initial stage of operation, and there is a certain number of accesses in the learning mode until certain statistical information is accumulated in the statistical information table 15, or predetermined Until the statistical information is accumulated in the statistical information table 15 in the learning mode after the elapse of time, it is used within a limited range such as in the company, and only the statistical information is accumulated without detecting abnormal data. Is preferred. This is because at the initial stage of operation, the statistical information table 15 is not configured, and it is not possible to properly detect an abnormality in the input access data, and there is a high possibility of erroneous detection. The abnormal data detection device 1a has sufficient statistical information to detect an abnormality in the access data in the statistical information table 15 when, for example, a certain number of access data is input or when a predetermined time has elapsed. If it is determined that has been accumulated, the learning mode is terminated. Further, when the abnormal data detection device 1a finishes the learning mode, the abnormal data detection device 1a starts detecting an abnormality in the input access data.

  FIG. 11 is a flowchart for explaining abnormal data detection processing in the abnormal data detection apparatus 1a according to the second embodiment. In addition, the same number is attached | subjected about the step which performs the same process as the flowchart shown in FIG.

  11 differs from the flowchart shown in FIG. 8 in that when the CGI determination unit 17a inputs the feature amount calculated by the data analysis unit 11 in step S002 together with the access data (S201), the CGI determination unit 17a accesses the feature amount. It is determined whether or not the statistical information table 15 includes a combination of a CGI name and a CGI variable name, which are parameter identifiers included in the data (S202).

  When the CGI determination unit 17a determines that the parameter identifier included in the access data input from the data analysis unit 11 exists in the statistical information table 15 (YES in S202), the process proceeds to step S004, and the identifier of this parameter Whether the parameter value for is “normal” or “abnormal” is determined. The processing in step S004 is the processing shown in FIG.

  On the other hand, when the CGI determination unit 17a determines that the identifier of the parameter included in the access data input from the data analysis unit 11 does not exist in the statistical information table 15 (YES in S202), the process proceeds to step S007. The statistical abnormality determination unit 13 determines that the input access data is “abnormal”.

  The abnormal data detection apparatus 1a according to the second embodiment described above can follow the addition of the CGI name in the Web server by adding and updating the contents of the statistical information table. In addition, the processing speed can be improved by setting only the access data including the CGI name stored in advance in the statistical information table as the object of determination. Furthermore, an increase in the false detection rate can be suppressed, and the detection rate of abnormal access data can be improved.

  In each of the above-described embodiments, statistical information is created for three parameters “numerical value”, “metacharacter”, and “binary code” as parameters of the CGI variable name, but “ASCII characters” may be added.

  As described above, the first and second embodiments of the present invention have been described. However, it should not be understood that the description and drawings constituting a part of this disclosure limit the present invention. From this disclosure, various alternative embodiments, examples, and operational techniques will be apparent to those skilled in the art.

  It goes without saying that the present invention includes various embodiments not described herein. Therefore, the technical scope of the present invention is defined only by the invention specifying matters according to the scope of claims reasonable from the above description.

It is a block block diagram of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the access data which the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention inputs. It is an example of the statistical information table memorize | stored with the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the feature-value accumulation data memorize | stored with the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the access data which the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention inputs. It is an example of the feature-value used for abnormality determination with the abnormality data which concerns on the 1st Embodiment of this invention. It is a flowchart explaining the abnormal data detection process in the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart explaining the determination process in the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a block block diagram of the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention. It is a flowchart explaining the abnormal data detection process in the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1, 1a ... Abnormal data detection apparatus 2 ... 1st network segment 3 ... 2nd network segment 11 ... Data analysis part 12 ... Access determination part 13 ... Statistical abnormality determination part 14 ... Statistical process execution part 15 ... Statistical information table 16 ... Feature value accumulation table 101 ... Central processing control device 102 ... ROM
103 ... RAM
104 ... Input device 105 ... Display device 106 ... Communication control device 107 ... Storage device 108 ... Removable disk 109 ... Input / output interface 110 ... Bus

Claims (3)

When access data is input from a connected network segment, based on a parameter value included in the access data, a data analysis unit that calculates a feature amount indicating a feature of abnormal data for each CGI variable name;
Feature quantity storage means for storing and storing feature quantities calculated by the data analysis means;
Statistical information storage means for storing statistical information including the average value of the feature amount, the standard deviation, and the number of accesses of the CGI variable ;
Statistical processing for generating statistical information including an average value and standard deviation of the feature amount stored in the feature amount storage unit and the number of accesses to the CGI variable, and updating the statistical information stored in the statistical information storage unit Execution means;
Access determining means for determining a past access count of a CGI variable related to the input access data with reference to the statistical information storage means ;
When the access determination means determines that the CGI variable has been accessed in the past, the feature amount calculated by the data analysis means is compared with a specified range based on the statistical information stored in the statistical information storage means Then, it is determined whether or not the access data is normal, and if the access determination unit determines that the CGI variable has not been accessed in the past, is the feature amount calculated by the data analysis unit zero? Statistical abnormality determination means for determining whether or not the parameter value is normal when it is 0, and determining that the parameter value is abnormal when it is not 0;
An abnormal data detection device comprising: When access data is input from the connected network segment, based on the parameter value included in the access data, a feature amount indicating the characteristic of abnormal data is calculated for each CGI variable name,
Generating statistical information including an average value of the feature quantity stored in the feature quantity storage means for storing and storing the feature quantity calculated by the data analysis means, a standard deviation, and the number of accesses of the CGI variable; Updating the statistical information stored in the statistical information storage means for storing statistical information including the average value of the quantity, the standard deviation, and the number of accesses of the CGI variable ;
Determining the number of past accesses of the CGI variable related to the input access data with reference to the statistical information storage means ;
If it is determined that the CGI variable has been accessed in the past, whether the access data is normal by comparing the calculated feature amount with a specified range based on the statistical information stored in the statistical information storage means Determine whether or not
When it is determined that the CGI variable has not been accessed in the past, it is determined whether or not the calculated feature value is 0. If it is 0, it is determined that the parameter value is normal, and if it is not 0, the parameter Determining that the value is abnormal
An abnormal data detection method characterized by the above. When access data is input from a connected network segment, a feature amount indicating a feature of abnormal data for each CGI variable name is calculated based on a parameter value included in the access data;
Generating statistical information including an average value of the feature quantity stored in the feature quantity storage means for storing and storing the feature quantity calculated by the data analysis means, a standard deviation, and the number of accesses of the CGI variable; Updating the statistical information stored in the statistical information storage means for storing statistical information including the average value of the quantity, the standard deviation, and the number of accesses of the CGI variable ;
Determining a past access count of a CGI variable related to the input access data with reference to the statistical information storage means ;
If it is determined that the CGI variable has been accessed in the past, whether the access data is normal by comparing the calculated feature quantity with a specified range based on the statistical information stored in the statistical information storage means Determining whether or not,
When it is determined that the CGI variable has not been accessed in the past, it is determined whether or not the calculated feature value is 0. If it is 0, it is determined that the parameter value is normal, and if it is not 0, the parameter Determining that the value is abnormal;
An abnormal data detection program for causing a computer to execute.

Images