JP4948359B2 - Unauthorized access detection device, unauthorized access detection method and program - Google Patents

Description

  The present invention relates to a technique for analyzing network traffic data for detecting unauthorized access.

There are cases where unauthorized access is detected by performing principal component analysis (Principal Component Analysis, hereinafter also referred to as PCA) on time series data of network traffic.
As conventional time series data analysis of unauthorized access by principal component analysis, for example, there is a technique described in Non-Patent Document 1.
Non-Patent Document 1 discloses a method of extracting network traffic data while shifting it by one unit time of a certain length, forming a matrix, performing principal component analysis, and detecting an abnormality using a feature amount. In this method, as a result of principal component analysis, network traffic data having a feature amount deviating from a feature amount corresponding to a steady state is determined to be abnormal.
In addition, as an example of time-series data analysis of unauthorized access, monitoring changes in the number of packets destined for a specific port in TCP / IP (Transmission Control Protocol / Internet Protocol) and UDP / IP (User Datagram Protocol / Internet Protocol) (For example, Patent Document 1).
JP 2006-314077 A "Unauthorized access analysis system by fixed point observation" IPSJ 2006-CSEC-35

As shown in Non-Patent Document 1, in the detection of unauthorized access using PCA, particularly the detection of worm activity, for example, there is a method of detecting a change in the number of accesses of a specific destination port.
Conventional worms often attempt to infect a specific port, but recent worms connect to various destination ports to perform backdoor activities and try to spread.
Therefore, it is important to always monitor all ports.
However, in the conventional detection of time-series data fluctuation of the number of accesses at the destination port by the PCA, since it takes a long time for one PCA, it is difficult to perform the PCA individually for all the port numbers. there were.
Since the port number is very large as 0 to 65,535, when one port is PCA, for example, Pentium4 (registered trademark) 2.4G takes 0.4 seconds in some implementations, so it takes 7 hours or more for all ports. It takes time. Therefore, it is common to apply time series data of some ports frequently used for unauthorized access to PCA.
However, in view of recent worms accessing various ports as described above, it is necessary to detect changes in all ports simultaneously and in a short time in order to detect worm activity. .

  The main object of the present invention is to solve the above-mentioned problems, and to analyze network traffic data for detecting unauthorized access efficiently and with high accuracy in a short time. And

The unauthorized access detection device according to the present invention is:
A steady-state appearance count counter that inputs steady-state communication log data including a plurality of communication identifiers and counts the number of appearances in the steady-state communication log data for each communication identifier;
Based on the counting result by the steady state appearance frequency counting unit, a communication identifier having a large number of appearances is designated as an individually corresponding communication identifier, a communication identifier having a small number of appearances is designated as a combined correspondence communication identifier,
Input the communication log data of the unauthorized access detection target including a plurality of communication identifiers, and a detection target appearance number counting unit that counts the number of appearances in the communication log data of the unauthorized access detection target for each communication identifier;
Of the number of appearances counted by the detection target appearance number counting unit, an appearance number summing unit for summing up the number of appearances of the communication identifier specified in the summing-compatible communication identifier;
Unauthorized access detection analysis for the communication identifier designated as the individual correspondence communication identifier is performed using the number of appearances of each communication identifier counted by the detection target appearance number counting unit, and the communication designated as the sum correspondence communication identifier. And an unauthorized access detection / analysis unit that performs unauthorized access detection analysis on the identifier using the sum of the appearance counts calculated by the appearance count summation unit.

  In the present invention, since the unauthorized access detection analysis for the combined correspondence communication identifier with a small number of appearances in the steady state is performed using the sum of the number of appearances, the number of unauthorized access detection analyzes can be suppressed, and the unauthorized access detection analysis can be shortened. It can be done efficiently and accurately in time.

Embodiment 1 FIG.
In the present embodiment, in order to solve the above-described problem, attention is focused on reducing the number of times of PCA for capturing fluctuations of all ports.
As a method, PCA is performed individually for ports having a large number of appearances (also referred to as the number of appearances or accesses) in communication log data, and ports having a small number of appearances are summed up by adding the number of appearances. Perform PCA (after merging). This merge reduces the number of PCAs.

  In the occurrence of worms, considering that the number of accesses to ports increases as time passes and the number of accesses to ports increases, even if the number of accesses to ports that rarely occur normally is merged, If the worm is infected, the increase in the number of accesses is based on the expectation that it will appear in the merged result.

FIG. 1 is a diagram illustrating a configuration example of an unauthorized access detection device 100 according to the present embodiment.
The unauthorized access detection device 100 shown in FIG. 1 constitutes a part of an IDS (Intrusion Detection System), for example.

In FIG. 1, a data acquisition unit 101 captures communication log data 150 of a network device (hereinafter referred to as network device log 150 or log 150).
As will be described later, the operation of the unauthorized access detection device 100 includes two stages, a preparation stage and a detection stage, and the data acquisition unit 101 acquires the log 150 in each of the preparation stage and the detection stage.

The port totaling unit 102 receives the network device log 150 acquired by the data acquisition unit 101, and from the network device log 150, each destination port number within the totaling period (hereinafter also simply referred to as a destination port or port). And the count value is output as a port-specific count 151 for each destination port number.
That is, the network device log 150 includes a plurality of destination port numbers (communication identifiers), and the port totaling unit 102 indicates the number of times each destination port number included in the network device log 150 appears in a certain period. Is output as a port-specific count 151.
In the preparation stage, the port totaling unit 102 inputs the steady-state log 150 and counts the number of appearances in the steady-state log 150 for each destination port number. The steady-state log 150 is communication log data for a certain period, and is communication log data that is considered to indicate a normal (average) communication state of a target network.
Further, the port totaling unit 102 inputs the unauthorized access detection target log 150 including a plurality of destination port numbers at the detection stage, and counts the number of appearances in the unauthorized access detection target log 150 for each destination port number. To do.
The port totaling unit 102 is an example of a steady state appearance number counting unit and a detection target appearance number counting unit.

The port area dividing unit 103 divides the port bandwidth with respect to the port-specific count 151 and merges the port-specific count 151. Output.
Further, the merge port count 153 that is the merged port count 151 and the merge port time series data 154 that is the time series data are output.

The port area dividing unit 103 designates a destination port number with a large number of appearances as an individual correspondence port (individual correspondence communication identifier) based on the count result for the steady state log 150 by the port totaling unit 102, and a destination with a small number of appearances. Specify the port number as a merge-compatible port (combined-compatible communication identifier).
The individual correspondence port is a port number for which principal component analysis is performed on the number of appearances of a single port number. In other words, in the individual correspondence port, the principal component analysis targets the number of appearances of the individual correspondence port alone. On the other hand, the merge-corresponding port is a port number for which principal component analysis is performed on the sum of the appearance counts of a plurality of port numbers. In other words, in the merge-compatible port, the principal component analysis targets the sum of the appearance counts of a plurality of port numbers specified as the merge-compatible port.
Further, the port area dividing unit 103 adds up the number of appearances of the destination port designated as the merge-compatible port among the number of appearances counted for the unauthorized access detection target log 150 by the port totaling unit 102, The value is output as the merge port count 153.
The port time-series data 152 is time-series data of the number of individual appearances of the individually corresponding ports in the steady-state log 150, and the merge port time-series data 154 is the number of appearances of the merge-compatible ports in the steady-state log 150. It is the time series data of the total value.
The port-specific count 151 ′ is data indicating the number of individual appearances of the individual corresponding port in the unauthorized access detection target log 150, and the merge port count 153 is the appearance of the merge correspondence port in the unauthorized access detection target log 150. It is data indicating the total value of the number of times.
The port area dividing unit 103 is an example of a communication identifier specifying unit and an appearance frequency adding unit.

The analysis unit 104 individually performs PCA on the port-specific count 151 ′ and calculates a feature value (principal component score) 155 for each individually corresponding port.
Also, PCA is performed on the merge port count 153 to calculate the merge-corresponding port feature quantity (principal component score) 156.
In other words, the analysis unit 104 uses the number of appearances of each destination port number (count by port 151 ′) counted by the port-by-port totaling unit 102 for unauthorized access detection analysis for the destination port number designated as the individual corresponding port. The unauthorized access detection analysis for the destination port number designated as the merge-compatible port is performed by using the total number of appearances calculated by the port area dividing unit 103.
The analysis unit 104 is an example of an unauthorized access detection analysis unit.

  The abnormality detection unit 105 detects whether or not the current count feature amount deviates (abnormal) from the steady region in the result of the principal component analysis of the analysis unit 104 (steady state).

  The stationary area data definition unit 106 cooperates with the port area dividing unit 103 to hold the aggregated data (port-specific time series data 152 and merge port time series data 154) in a steady state.

  Next, the operation of the unauthorized access detection device 100 according to this embodiment will be described.

First, the preparation operation of the unauthorized access detection device 100 in the preparation stage before the start of detection will be described with reference to the flowchart of FIG.
The data acquisition unit 101 receives network traffic data for a period to be treated as a steady region, that is, network traffic data in a steady state (for example, the network device log 150 for one week) (S1101), and the data is sent to the port-by-port totaling unit 102 give.
For example, a log file as shown in FIG. 2 is taken in as network traffic data.
In the log file of FIG. 2, the transmission source IP address (SrcIP), the destination IP address (DstIP), the destination port number (DstPort), and the warning number (AlertID) are shown for the packet capture date (Date). .

Next, the port totaling unit 102 counts the number of appearances for each destination port number from the network traffic data (steady state log 150) received from the data acquisition unit 101, and the time series of the number of appearances for each destination port number Data is generated (S1102) (steady state appearance frequency counting step). In this example, time-series data of the number of appearances is generated for each port number in which the destination port is 0 to 65535.
The totaling unit for each port 102, in a predetermined totaling time, for example, 5 minutes, in order, “number of appearances of destination port 0”, “number of appearances of destination port 1”, “number of appearances of destination port 2” in that order. The number of appearances for each port is counted up to “number of appearances of destination port 65535”. If this is performed in order for each aggregation time, time-series data of the number of appearances can be generated for each port.

For example, in the example of the log in FIG. 2, the port number 445 is three, the port number 135 is two, the port number 123 is one, and the port number within 5 minutes from 06/04/18: 12: 00. 1434 appears, and the number of appearances of all other ports is zero.
If this operation is performed every 5 minutes, time series data of 5 minutes is generated for each port.
If the log data is for one week, 60 minutes × 24 hours × 7 days = 108080 minutes, and if divided by 5 minutes, time series data composed of 2016 total values is obtained.

FIG. 3 shows this processing in a flowchart. First, j is an index of the unit of the aggregation period. For example, if log data for one week is given with a total period of 5 minutes from 06/04/18: 12: 00, the result is as follows.
5 minutes from 06/04/18: 12: 00 j = 1
5 minutes from 06/04/18: 12: 05 j = 2
5 minutes from 06/04/18: 12: 10 j = 3
...
5 minutes from 06/04/25: 12: 10 j = 2016
This corresponds to the case where k = 1 and n = 2016 + 1 in FIG.

Next, in the flow, when j = 1, first, when j = 1, the index i corresponding to the port number is set to 0, and the destination port appearing in the log during the aggregation period of j = 1. The number of occurrences of 0 is counted (S303).
Next, the count value is set to Count_0_1 (S304).
Next, i is increased by 1 (S305). This is preparation for counting the number of appearances of the next port number.
Similarly, the number of appearances where the destination port is 1 is counted (S303) and set to Count_1_1 (S304).
When this is repeated until i = 65535 (S302), Count_0_1 to Count_65535_1 are output.
Count — 0 — 1 to Count — 65535 — 1 are the frequency of appearance in the log of each port for 5 minutes from the index j = 1 of the aggregation period, that is, 06/04/18: 12: 00.

The port totaling unit 102 repeats the above operation for j = 1 to j = 2016 (S301).
As a result, time series data of j = 1 to 2016 at each port is generated.
FIG. 4 is an example in which time-series data is generated for each port number from 0 to 65535 (only graphs for DstPort = 0, 10000, and 65535 are shown).
The port totaling unit 102 passes the time series data of each port to the port area dividing unit 103 as port time series data 152. That is, Count_i_j (i = 0 to 65535, j = 1 to 2016) is passed.

  Based on the port-specific time-series data 152 passed, the port area dividing unit 103 divides the average number of accesses into one having a high average and a low one in a steady state, and performs processing for designating individual corresponding ports and merge corresponding ports ( S1103) (communication identifier designation step). This is called port area division processing.

Here, details of the port area division processing will be described.
First, the port area dividing unit 103 calculates the average μ _i and the variance σ ² _i for each received time-series data of each port.
For example, for port number 0, the following calculation is performed.
μ ₀ = ΣCount — ₀ — j [j = 1 to 2016] / 2016
σ ² ₀ = Σ (Count_0_j−μ ₀ ) ² [j = 1 to 2016] / 2016
Similarly, the port area dividing unit 103 obtains (μ ₀ , σ ² ₀ )... (Μ ₆₅₅₃₅ , σ ² ₆₅₅₃₅ ).

Next, the port area dividing unit 103 sorts the port numbers based on the average μ in descending order of the number of accesses on average.
As a result, the histogram of FIG. 5 is obtained (the port numbers of FIG. 4 and FIG. 5 do not match). In this example, the average number of accesses is 1,000 for the destination port 445 of (1) and 700 or more for the destination port 135 and destination port 139, but only about 0 to 1 for the other destination ports of (2). Absent.
In the histogram sorted in this way, a group having a large number of accesses as shown in (1) is an individually corresponding port that is a target for PCA. On the contrary, as in (2), a group with a small or almost no normal access number is set as a merge-corresponding port which is the object of merging all the access numbers in this group.

  Next, the port area dividing unit 103 merges the appearance counts of the merge-compatible ports, and generates merge port time-series data 154 that is time-series data of the appearance count after the merge (S1104).

The merge is shown as follows.
Assume that a set of port numbers to be merged as in the group (2) is MergePort = {0 to 65535, | 445, 135, 139}. Here, for the sake of easy understanding, it is assumed that there is almost no access (about 0 to 1 access).
MergeCount_j = ΣCount_i_j
i = {excluding 0 to 65535, | 445, 135, 139}
Is calculated as
In this example, merging is performed for each j from j = 1 to 2016. This is represented by a flow in FIG. 6, where k = 1 and n = 2017.
That is, the result of this process is MergeCount_j [j = 1 to 2016].
By merging MergeCount_j from j to 1 in time series, time-series data of merged data is generated as shown in FIG.

The port area dividing unit 103 passes the merge port time-series data 154 that is time-series data merged with the port-specific time-series data 152 that is time-series data of a single port number to the stationary area data defining unit 106.
In this example, the port-specific time-series data 152 is time-series data of Count_445_j, Count_135_j, and Count_139_j [j = 1 to 2016].
In this example, the merge port time-series data 154 is MergeCount_j [j = 1 to 2016].

The stationary area data definition unit 106 stores the port-specific time series data 152 and the merge port time series data 154 received from the port area division unit 103 (S1105).
This is the preparation operation before the start of detection.

  Next, the detection operation of the unauthorized access detection device 100 in the detection stage will be described with reference to the flowchart of FIG.

The data acquisition unit 101 receives the log 150 of the network device for 5 minutes (S1201), and passes it to the port totaling unit 102.
The network device log 150 received for five minutes by the data acquisition unit 101 is a log for unauthorized access detection.

The port totaling unit 102 counts the number of appearances in the log for each destination port (S1202) (detection target appearance count counting step), and passes it to the port area dividing unit 103 as a port specific count 151.
This processing is equivalent to setting k = 2017 and n = 2018 in the processing of FIG. 3, and Count_i_2017 [i = 0 to 65537] obtained as a result is the port-specific count 151.

  Next, the port area dividing unit 103 performs the following two processes ((1) process for individual correspondence port and (2) process for merge correspondence port).

The port area dividing unit 103 performs (1) port processing for individual port numbers 445, 135, and 139, which are individual port ports that are individually subjected to PCA determined in the preparatory operation before detection. The total number of corresponding port numbers passed from the separate total unit 102 is used.
That is, Count_445_2017, Count_135_2017, and Count_139_2017 are output to the analysis unit 104 as port counts 151 ′.

Further, the port area dividing unit 103 performs (2) processing for merge-compatible ports, for the port numbers corresponding to the merge-compatible ports determined in the pre-detection preparatory operation, in the same manner as the pre-detection preparatory operation. The total number of the corresponding port numbers passed is added (S1203) (appearance count summing step).
That is, MergeCount_2017 = ΣCount_i_2017
i = {excluding 0 to 65535, | 445, 135, 139}
Calculate
Next, the port area dividing unit 103 outputs MergeCount_2017 to the analysis unit 104 as the merge port count 153.

  The analysis unit 104 performs the following two processes ((1) processing for individual correspondence ports and (2) processing for merge correspondence ports), and counts by port 151 ′, merge port count 153, port time series data 152, and A principal component analysis (unauthorized access detection analysis) is performed using the merge port time series data 154 (S1204) (unauthorized access detection analysis step).

First, (1) as processing for an individually corresponding port, the analysis unit 104 extracts time-series data 152 for each port corresponding to the port number 445 from the steady-state area data definition unit 106. That is, Count_445_j [j = 1 to 2016] is extracted.
Next, the analysis unit 104 adds Count — 445 — 2017 to the end of the time series data. That is, Count_445_j [j = 1 to 2017] is generated.
Then, the analysis unit 104 performs a sliding window type PCA on the time series data to calculate a feature quantity 155.
The feature quantity 155 is sent to the abnormality detection unit 105. The same processing is performed for the port numbers 135 and 139.

(2) As processing for the merge-compatible port, the analysis unit 104 extracts merge port time-series data 154 corresponding to the merge data from the steady-state area data definition unit 106. That is, MergeCount_j [j = 1 to 2016] is taken out.
Next, the analysis unit 104 adds MergeCount_2017 to the end of the time series data. That is, MergeCount_j [j = 1 to 2017] is generated.
Then, the analysis unit 104 performs the sliding window method PCA on the time-series data to calculate the feature quantity 156.
The feature quantity 156 is sent to the abnormality detection unit 105.

  The abnormality detection unit 105 performs the following processing ((1) processing for individual correspondence port and (2) processing for merge correspondence port) to detect abnormality (S1205).

The abnormality detection unit 105 performs (1) the processing for the individual corresponding port with respect to the feature amount corresponding to Count_445_j [j = 1 to 2016] in the feature amount corresponding to the port number 445. It is determined whether or not there is a divergence. If there is a deviation, it is determined as abnormal.
If it is not determined to be abnormal, the steady-state data definition unit treats Count_445_j [j = 1 to 2017] as time-series data at the normal time and prepares for the determination of the next aggregated data.
Similarly, the same processing is performed for the port numbers 135 and 139.

In addition, as a process for the merge-compatible port, the abnormality detection unit 105 sets the feature amount corresponding to MergeCount_2017 to MergeCount_j [j = 1 to 2016] in the feature amount corresponding to the time-series data of the merged port. It is determined whether or not there is a deviation from the corresponding feature amount. If there is a deviation, it is determined as abnormal.
If it is not determined to be abnormal, the steady-state data definition unit treats MergeCount_j [j = 1 to 2017] as time-series data at the normal time and prepares for the determination of the next aggregated data.

When an abnormality is detected in the time-series data of the merge-compatible port, it is necessary to examine the port where the number of appearances has actually increased.
For this purpose, as shown in FIG. 8, a histogram of the number of appearances of merge-compatible ports at the detected timing is generated, and a port with an increased number of appearances is found from the merge-compatible ports.
For example, when an abnormality is determined at j = 2017, a histogram of the number of accesses of merge-compatible ports at j = 2017 is created.
In FIG. 8, since the port 5555 has increased, it is determined that an abnormality has occurred at this port number.
As a method of finding a port having an increased number of accesses, Count_i_2017 (excluding i = 0 to 65535 | 445, 135, 139) in the merge-compatible port is sorted in descending order, and the port caused by i of the largest Count_i_2017 is used. to decide. In this example, i = 5555.

  Merge-compatible ports originally have no individual access count or are very small, so if a large number of ports are added, even if a worm occurs on one port, the effect is significant even during the merge port count. It may appear.

  As described above, in the unauthorized access detection apparatus according to the present embodiment, it is possible to reduce the number of PCAs by merging the access numbers for ports with a small number of accesses.

  As described above, in this embodiment, a port having a large number of accesses is divided from a port having a small number of accesses, and the port having a large number of accesses is analyzed by PCA of a sliding window independently for the time series data. An unauthorized access detection apparatus has been described in which the PCA of the sliding window is analyzed with respect to the result of adding the series data, thereby reducing the number of PCA processes and the calculation time.

Embodiment 2. FIG.
Next, a dividing method in the port area dividing unit 103 will be described.
In the first embodiment, three port numbers 445, 135, and 139 having a large number of accesses are set as individually corresponding ports, and it is assumed that all the remaining ports have a very small number of accesses or 0.
That is, in the first embodiment, only one merge-compatible port is provided, and all ports other than the individual-compatible ports are classified as a single merge-compatible port.
However, in reality, the total number of accesses of 65,536-3 = 65,533 ports is not necessarily 1 or 0. If the total number of accesses of 65,533 ports is added, one total time There is also a possibility of exceeding 10,000.
Here, it is assumed that a worm is generated in one port and the number of accesses increases from 1 to 100. However, the merged data is about 10,100, and this value may not be regarded as an increase. In other words, there is a possibility of being caught as an error range.

Therefore, in this embodiment, in order to catch the increase in the number of accesses due to the worm, the merge-compatible ports are divided into a plurality of groups so that the merge result of one group becomes small.
Specifically, N is the number of PCAs that can be implemented simultaneously in terms of performance in the unauthorized access detection apparatus 100. Let M be the number of known ports used for unauthorized access (statistically about 10 according to past Internet survey results).
The port area dividing unit 103 designates M ports as individually corresponding ports in descending order of the number of accesses, in accordance with the result of counting the steady state log 150 by the port counting unit 102.
K = N−M is an upper limit value at which merged time-series data can be processed by the PCA, and is the number of divisions of merge-compatible ports.
For this reason, the port area dividing unit 103 specifies ports other than the M individual corresponding ports as merge corresponding ports and classifies the merge corresponding ports into K groups.

In the present embodiment, in the histogram sorted as shown in FIG. 5, the remainder excluding the top M ports (individually supported ports) that perform PCA independently is simply divided as (65536-M) / K. To do.
That is, for example, when N = 30 and M = 10, since K = 20, (65536-10) / 20≈3276.
In other words, in the histogram, the top 11 and subsequent ports are classified into 20 groups of 3276 ports, the number of accesses is merged for each group, and MergeCount_j is generated in each group.

The operation of each component of the unauthorized access detection device 100 when the unit (group) to be merged is determined is to perform the same processing as that of the data to be merged in the first embodiment for each merge unit.
That is, in the preparatory operation before the start of detection, the port area dividing unit 103 adds up the appearance counts of the ports classified into a common group for each group of merge-compatible ports with respect to the steady state log 150. Therefore, the merge port time series data 154 is generated for the number of groups (20 in the above example).
As for the detection operation, there are 20 merge port counts 153, and the same processing as in the first embodiment is performed for each. That is, the port area dividing unit 103 adds up the number of appearances of ports classified into a common group for each group of merge-compatible ports in the unauthorized access detection target log 150. Therefore, the merge port count 153 is generated by the number of groups (20 in the above example). And the analysis part 104 performs a principal component analysis about the merge corresponding | compatible port using the merge port count 153 and the merge port time series data 154 for every group.

  As described above, in this embodiment, since the merge-compatible ports are classified into a plurality of groups, the number of merged appearances of each group is smaller than in the case of a single merge-compatible port, so It becomes easy to detect the increase in the number of times, and the accuracy of abnormality detection is improved.

  As described above, in the present embodiment, the number of PCAs is reduced by reducing the number of PCAs to be monitored, and the processing efficiency is improved. ), The method of merging the ports sorted by the average number of accesses by dividing them by a fixed number from the top.

Embodiment 3 FIG.
In the second embodiment, a fixed number (for example, 3276) is divided from the sorted higher rank in the merge-compatible port, whereas in the third embodiment, the totaling result for the steady state log 150 by the port-based totaling unit 102 For each port, except for M ports (individually supported ports) that perform PCA independently, the ports are randomly arranged, and 3276 are divided from the first port arranged randomly.
In the second embodiment, there is a possibility that MergeCount_j becomes larger as the sorted higher-order merge unit. However, in this embodiment, since grouping is performed at random, there is no bias in MergeCount_j for each group.

  In this embodiment as well, the detection operation is as described in the first embodiment, and the port area dividing unit 103 sets a common group for each group of merge-compatible ports with respect to the unauthorized access detection target log 150. Add up the number of occurrences of the classified ports. And the analysis part 104 performs a principal component analysis about the merge corresponding | compatible port using the merge port count 153 and the merge port time series data 154 for every group.

  As described above, in this embodiment, the port area dividing unit 103 randomly selects a destination port from a plurality of destination ports designated as merge-compatible ports, and sequentially classifies them into groups from the selected destination port. , The deviation in the number of appearances between groups is reduced, which makes it easier to detect an increase in the number of appearances and improves the accuracy of abnormality detection.

  As described above, in the present embodiment, the number of PCAs is reduced by reducing the number of PCAs to be monitored, and the processing efficiency is improved. ) Explained the method of merging randomly selected ports with a fixed number.

Embodiment 4 FIG.
In the present embodiment, for the port numbers sorted by the average number of accesses as shown in FIG. 9, the merge correspondence that merges with the individually corresponding ports that perform PCA independently at the ratio of the upper ports to the total number of accesses. A method for determining a port will be described.

In the present embodiment, the port area dividing unit 103 adds the number of accesses from the upper ports of the number of accesses for the totaled result for the steady state log 150 by the port-by-port totaling unit 102, and the total number of accesses The stage at which a certain ratio is reached is determined as the boundary between the individual corresponding port and the merge corresponding port.
For example, if the total number of port accesses included in (1) in FIG. 9 corresponds to 90% of the total, the remaining ports (2) can be regarded as ports with low traffic. Perform a merge.
In this case, the number of ports included in (1) needs to be N-1 at the maximum (N is the number of PCAs that can be processed in parallel by the unauthorized access detection apparatus 100).

  In this embodiment as well, the detection operation is as described in the first embodiment, and the port area dividing unit 103 sets a common group for each group of merge-compatible ports with respect to the unauthorized access detection target log 150. Add up the number of occurrences of the classified ports. And the analysis part 104 performs a principal component analysis about the merge corresponding | compatible port using the merge port count 153 and the merge port time series data 154 for every group.

As described above, in the present embodiment, the port area dividing unit 103 designates the individual port corresponding to the port number in descending order of the appearance number based on the counting result for the log 150 in the steady state by the port totaling unit 102, When the total value of the number of appearances of the destination port number designated as the individual correspondence port becomes a predetermined ratio (for example, 90%) with respect to the total number of appearances of the destination port number in the steady state log 150, the individual correspondence port Specify a destination port number not specified in the port as a merge-compatible port.
For this reason, the number of appearances of each port number designated as a merge-compatible port becomes small, and it becomes easy to detect an increase in the number of appearances in the merge-compatible port, and the accuracy of abnormality detection is improved.

  As described above, according to the present embodiment, the number of PCAs is reduced and the processing efficiency is improved by collecting the ports to be monitored. Explained.

Embodiment 5 FIG.
In the present embodiment, for the totaling result for the log 150 in the steady state by the port totaling unit 102, the difference between the sorted ports is calculated, and the individual difference is handled when the difference becomes smaller than a certain value. Determined as the boundary between the port and the merge-enabled port.
However, if there is a small difference in the number of accesses between two ports that are in the upper rank by accident, a determination is made erroneously, so a condition is also set for the number of accesses.
For example, the boundary is determined when the number of accesses is 10 or less and the difference between the number of access of the sorted adjacent port number (port number designated as the individual corresponding port most recently) is 2 or less.
As illustrated in FIG. 10, the method according to the present embodiment has a large difference in the traffic volume at the higher port (area (1) in FIG. 10). This is based on an empirical expectation that the difference becomes smaller (the difference converges) (region (2) in FIG. 10).
In FIG. 10, the ports included in the area (1) are the individually corresponding ports, and the ports included in the area (2) are the merge corresponding ports.

  In this embodiment as well, the detection operation is as described in the first embodiment, and the port area dividing unit 103 sets a common group for each group of merge-compatible ports with respect to the unauthorized access detection target log 150. Add up the number of occurrences of the classified ports. And the analysis part 104 performs a principal component analysis about the merge corresponding | compatible port using the merge port count 153 and the merge port time series data 154 for every group.

As described above, according to the present embodiment, the port number is designated as the individual corresponding port in order from the destination port number with the most appearances based on the counting result for the steady state log 150 by the port totaling unit 102, and the individual corresponding port is designated most recently. A destination port number whose difference from the number of appearances of the destination port number is a predetermined number or less (for example, 2 or less) and a destination port number whose appearance count is smaller than the destination port number are designated as merge-compatible ports.
Even with such a method, the number of appearances of each port number designated as a merge-compatible port becomes small, and it becomes easy to detect an increase in the number of appearances in a merge-compatible port, and the accuracy of abnormality detection is improved.

  As described above, in this embodiment, the number of PCAs is reduced by reducing the number of PCA to be monitored, and the processing efficiency is improved. However, as a method of grouping, the difference between adjacent ports sorted by the average number of accesses is calculated. As described above, when the difference becomes smaller than a certain value, the method of determining the boundary between the port that performs PCA individually and the port that is merged into one is described.

Embodiment 6 FIG.
In the present embodiment, the upper limit of MergeCount_j is determined so that the increase in the number of accesses when a worm is generated is not buried in the time series data in MergeCount_j. As the means, worm simulation data is used.
In other words, in this embodiment, the port area dividing unit 103 divides the merge-compatible ports into a plurality of groups, but at the time of the division, each group is used by using simulation data for simulating the influence of unauthorized access. The upper limit of the total number of appearances in is calculated, and the number of groups to be divided is determined.

Literature C.I. C. Zou, L.M. Gao, W.H. Grong, and D.G. Towsley, “Monitoring and Early Warning for Internet Worms”, In Proceedings of 10th ACM Conference on Computers and Communications Security (CCS'03), 2003.
According to the following formula, the time change of the total number of infected hosts is expressed by the following formula.
I _t = (1 + α) I _t−1 − (α / N) I ² _t−1
Z _t = m / 2 ³² ηI _t-1
N: total number of vulnerable hosts, I _t : total number of infected hosts at time t, α: infection rate, Z _t : influence of worms on the number of accesses observed at time t, m: number of monitored hosts, η: Average number of accesses per unit time from the worm.

According to an example, when the average number of accesses at intervals of 30 minutes over one week is examined, about 60,000 ports out of all the ports have 0 accesses, and about 5,000 ports have 1 to 1 accesses. 3. The 60,000 ports with 0 access can be easily detected from the worm even if they are grouped (the number of accesses is 0 even if all are grouped, so the number of accesses from the worm is sharp. ).
For ports with 1 to 3 access counts, the worm access count must be added within the range that is not buried (even if the access count is 1 to 3 ports, adding 5,000 ports will increase the access count). 5,000 to 15,000).
Therefore, the simulation data of the number of worm accesses is used as an index for adding the port areas.

In the above equation, assuming that the worm is a CodeRed type, the parameters are as follows.
Total number of infected hosts at time t−1 I _t−1 = 50,000, number of monitored hosts m = 1
Average number of accesses from worms per 30 minutes η = 1,071
Therefore, the number of packets Z _t from the worm from time (t−1) to _t is
Z _t = 1/2 ³² × 1071 × 50,000 = 8,171 (time interval is 30 minutes).

At this time, it is assumed that the number of accesses for each port is added until the number of accesses in the port area reaches 8,000.
Here, when one of the added ports is infected, the number of worm accesses 8171 is added, so the number of accesses is about twice as a whole. In this case, since the number of accesses is clearly changed, the worm can be detected with high accuracy.
Therefore, to monitor 5,000 ports with 3 accesses, 8,000 / 3 is equal to 2,666, so two ports of 5,000 ports are 2,666 and 2,334. It is sufficient to divide the area and PCA each.
With this method, it is possible to detect a worm by applying two merged port areas to PCA without applying 5,000 pieces of time-series data of the access number of 5,000 ports individually to PCA. .

As described above, in the present embodiment, the port area dividing unit 103 determines the individual corresponding port by the method described in any of the first to fifth embodiments, and for the merge corresponding port, Z _t = 8 described above. , 171, the upper limit of the sum of the access counts of each group of merge-compatible ports is determined to be 8,000. Then, each port is classified into a plurality of groups with a value (2,666) obtained by dividing this 8,000 by the number of accesses (3 accesses) assumed for each port of the merge-compatible ports as the upper limit of the number of ports in each group. .
As a method of classifying into groups, for example, as shown in the second embodiment, the higher port numbers sorted by the average number of accesses may be sorted in order, or randomly arranged as shown in the third embodiment. The port numbers may be classified in the order of appearance.

In the above example, CodeRed was used, but there is a worm that shows a more moderate increase in the number of accesses.
In that case, the parameter is changed based on the type of worm to be detected. For example, η is reduced. When η = 100, Z _t = 817. In this case, 5,000 ports are divided so that the total number becomes 800. In order to monitor 5000 ports with 3 accesses, the total number of accesses does not exceed 800 if 800/3 accesses = 267 ports. Therefore, for example, it is divided into 5000/267 = 18 port areas (groups). As a result, even if infection occurs in the merged port area, the number of accesses twice the normal number is observed.

Also, if it is not twice as usual, it can be detected by PCA, and it can be detected experimentally even by 1.5 times or less by the parameter tuning method at the time of detection by PCA.
Assuming 1.5 times as a guide, if η = 100, Z _t = 817, so merging is possible until the total number of accesses reaches 1,600.
That is, even if a worm is generated, 1,600 + 817≈1,600 * 1.5.
In this case, since 1,600 / 3 access = 533 ports, 5000/533 = 9, and 9 port division (division into 9 groups) is sufficient.

  In this embodiment as well, the detection operation is as described in the first embodiment, and the port area dividing unit 103 sets a common group for each group of merge-compatible ports with respect to the unauthorized access detection target log 150. Add up the number of occurrences of the classified ports. And the analysis part 104 performs a principal component analysis about the merge corresponding | compatible port using the merge port count 153 and the merge port time series data 154 for every group.

As described above, in the embodiment, it is possible to determine a port area to be divided on the assumption of a worm diffusion state.
In the method according to this embodiment, the merge-compatible ports are divided based on the simulation data so that the increase in the number of accesses is not buried even if the number of accesses is increased due to the worm. When the number of accesses increases due to worms at the port, it is possible to accurately detect an abnormality.

  As described above, in the present embodiment, the number of PCAs is reduced by reducing the number of PCA to be monitored, and the processing efficiency is improved. However, as a method of the aggregation, an increase in access when a worm occurs is not buried by merging of ports. In order to achieve this, a method has been described in which the merging unit of ports that are not buried is determined using simulation data of worm generation.

Embodiment 7 FIG.
The embodiments so far have dealt with tabulation by destination port number.
In the embodiment, the present invention is applied to aggregation by IP address instead of the destination port number.

If the IP address is class B, for example, there are 65,534 hosts per network address.
For example, when the transmission source tries to monitor the number of accesses by PCA for all hosts of one network address with class B, the number of monitoring becomes 65,534 and the same problem as the port number arises.
Therefore, in the present embodiment, the processing aggregated for each port in the first to sixth embodiments is replaced with the aggregation for each IP address.
When counting is performed for each SrcIP address (source IP address), it is only necessary to replace the port processing of Embodiments 1 to 6 with the SrcIP address.
As a result, it is possible to reduce the number of PCAs by individually performing PCA on SrcIP addresses that are frequently used for communication, and merging SrcIP addresses that have almost no communication.
Similarly, for DstIP addresses (destination IP addresses), PCA may be performed by individually merging DstIP addresses that are frequently used for communication and merging DstIP addresses that are rarely used for communication.
Further, the methods described in the first to sixth embodiments may be applied to combinations of destination port numbers, transmission source IP addresses, and destination IP addresses.
Further, although not described in the log file shown in FIG. 2, when the transmission source port number is described in the log file, the method described in the first to sixth embodiments is applied to the transmission source port number. May be.

  As described above, in the present embodiment, the method of applying the method described in Embodiments 1 to 6 to the detection of the change in the number of accesses for each SrcIP address or DstIP address has been described.

Finally, a hardware configuration example of the unauthorized access detection device 100 shown in the first to seventh embodiments will be described.
FIG. 13 is a diagram illustrating an example of hardware resources of the unauthorized access detection device 100 illustrated in the first to seventh embodiments.
13 is merely an example of the hardware configuration of the unauthorized access detection device 100, and the hardware configuration of the unauthorized access detection device 100 is not limited to the configuration illustrated in FIG. There may be.

In FIG. 13, the unauthorized access detection device 100 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

The communication board 915 is connected to a LAN (Local Area Network), the Internet, a WAN (Wide Area Network), etc., for example.
Further, the communication board 915 receives the communication log data of the network device via the LAN or the like.

  The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the unauthorized access detection device 100 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores programs for executing the functions described as “˜units” in the description of the first to seventh embodiments. The program is read and executed by the CPU 911.

In the file group 924, in the description of the first to seventh embodiments, “determination of”, “counting of”, “counting of”, “comparison of”, “updating of”, and “setting of” are set. ”,“ Specify ”,“ Selection ”, etc. Information, data, signal values, variable values, and parameters that indicate the results of the processing are listed as“ ~ file ”and“ ~ database ”items. It is remembered.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowcharts described in the first to seventh embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the first to seventh embodiments may be “to circuit”, “to apparatus”, “to device”, and “to step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first to seventh embodiments. Alternatively, the computer executes the procedure and method of “to part” in the first to seventh embodiments.

  As described above, the unauthorized access detection device 100 shown in the first to seventh embodiments includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, and a display device as an output device, A computer including a communication board or the like, and implements the functions indicated as “˜units” as described above using these processing devices, storage devices, input devices, and output devices.

The figure which shows the structural example of the unauthorized access detection apparatus which concerns on Embodiment 1-7. FIG. 3 is a diagram illustrating an example of a log of a network device according to the first embodiment. FIG. 4 is a flowchart showing an operation example of a port-by-port totaling unit according to Embodiment 1; The figure which shows the example of the time series data of the access number according to port which concerns on Embodiment 1. FIG. FIG. 3 is a diagram showing an example of port area division according to the first embodiment. FIG. 4 is a flowchart showing an operation example of a port area dividing unit according to the first embodiment. The figure which shows the example of the time series data of the merged access number which concerns on Embodiment 1. FIG. FIG. 6 is a diagram showing an example of detecting an increase in the number of accesses in a merge-compatible port according to the first embodiment. FIG. 10 is a diagram illustrating an example of port area division according to the fourth embodiment. FIG. 10 shows an example of port area division according to the fifth embodiment. The flowchart figure which shows the operation example in the preparation stage of the unauthorized access detection apparatus which concerns on Embodiment 1-7. The flowchart figure which shows the operation example in the detection stage of the unauthorized access detection apparatus which concerns on Embodiment 1-7. The figure which shows the hardware structural example of the unauthorized access detection apparatus which concerns on Embodiment 1-7.

Explanation of symbols

  100 unauthorized access detection device, 101 data acquisition unit, 102 port totaling unit, 103 port area division unit, 104 analysis unit, 105 anomaly detection unit, 106 stationary area data definition unit, 150 network device log, 151 port count 152 Time series data by port, 153 Merge port count, 154 Merge port time series data.

Claims (13)

A steady-state appearance count counter that inputs steady-state communication log data including a plurality of communication identifiers and counts the number of appearances in the steady-state communication log data for each communication identifier;
Based on the counting result by the steady state appearance frequency counting unit, a communication identifier having a large number of appearances is designated as an individually corresponding communication identifier, a communication identifier having a small number of appearances is designated as a combined correspondence communication identifier,
Input the communication log data of the unauthorized access detection target including a plurality of communication identifiers, and a detection target appearance number counting unit that counts the number of appearances in the communication log data of the unauthorized access detection target for each communication identifier;
Of the number of appearances counted by the detection target appearance number counting unit, an appearance number summing unit for summing up the number of appearances of the communication identifier specified in the summing-compatible communication identifier;
Unauthorized access detection analysis for the communication identifier designated as the individual correspondence communication identifier is performed using the number of appearances of each communication identifier counted by the detection target appearance number counting unit, and the communication designated as the sum correspondence communication identifier. An unauthorized access detection and analysis device, comprising: an unauthorized access detection and analysis unit that performs unauthorized access detection and analysis for an identifier using a sum of appearance counts calculated by the appearance count summation unit. The communication identifier designating unit
Classifying a plurality of communication identifiers designated by the summing correspondence identifier into each of two or more groups;
The appearance frequency summing unit is:
For each group of summing correspondence identifiers, sum the number of occurrences of communication identifiers classified into a common group,
The unauthorized access detection analysis unit
The unauthorized access detection analysis for the communication identifier designated as the total correspondence identifier is performed for each group of the total correspondence identifier using a total value of the number of appearances of the communication identifier classified into a common group. The unauthorized access detection device according to claim 1. The unauthorized access detection analysis unit
It is possible to process multiple unauthorized access detection analysis in parallel,
The communication identifier designating unit
Classifying the plurality of communication identifiers designated as the total correspondence identifiers into a number of groups determined from the number of parallel processes of unauthorized access detection analysis by the unauthorized access detection analysis unit and the number of individual correspondence communication identifiers. The unauthorized access detection device according to claim 2, wherein: The communication identifier designating unit
The unauthorized access detection apparatus according to claim 2 or 3, wherein among the plurality of communication identifiers specified as the summing correspondence identifier, the communication identifiers are classified into groups in descending order of appearance frequency. The communication identifier designating unit
The unauthorized access detection device according to claim 2 or 3, wherein a communication identifier is randomly selected from a plurality of communication identifiers designated as the summing correspondence identifier, and is classified into a group in order from the selected communication identifier. . The communication identifier designating unit
Based on the counting result by the steady state appearance number counting unit, the communication identifiers are specified in order from the communication identifier having the highest number of appearances, and the total number of appearances of the communication identifier specified in the individual corresponding communication identifier is the steady state. A communication identifier that is not designated as the individual correspondence communication identifier is designated as the total correspondence communication identifier when a predetermined ratio is reached with respect to the total number of occurrences of the communication identifier in the communication log data in the state. The unauthorized access detection device according to claim 1 or 2. The communication identifier designating unit
Based on the counting result by the steady state appearance number counting unit, the communication identifiers are specified in order from the communication identifier having the highest number of appearances, and the difference from the number of appearances of the communication identifier most recently specified as the individual correspondence communication identifier is predetermined. The unauthorized access detection device according to claim 1 or 2, wherein a communication identifier that is equal to or less than a number and a communication identifier that is less frequently appearing than the communication identifier are designated as the combined correspondence communication identifier. The communication identifier designating unit
3. The unauthorized access detection apparatus according to claim 2, wherein the number of groups of the combined correspondence identifiers is determined using simulation data for simulating the influence of unauthorized access. The steady state appearance number counting unit is
As a communication identifier, input steady state communication log data including a plurality of destination port numbers, count the number of appearances in the steady state communication log data for each destination port number,
The communication identifier designating unit
Based on the counting result by the steady state appearance number counting unit, a destination port number with a large number of appearances is designated as an individually corresponding communication identifier, a destination port number with a small number of appearances is designated as a combined correspondence communication identifier,
The detection target appearance number counting unit is
The communication log data for unauthorized access detection including a plurality of destination port numbers is input as a communication identifier, and the number of appearances in the communication log data for unauthorized access detection is counted for each destination port number. The unauthorized access detection apparatus according to any one of claims 1 to 8. The steady state appearance number counting unit is
As a communication identifier, input steady state communication log data including a plurality of source addresses, and count the number of appearances in the steady state communication log data for each source address,
The communication identifier designating unit
Based on the counting result by the steady state appearance number counting unit, specify a source address with a large number of appearances as an individually corresponding communication identifier, specify a source address with a small number of appearances as a combined correspondence communication identifier,
The detection target appearance number counting unit is
The communication log data targeted for unauthorized access detection including a plurality of transmission source addresses is input as a communication identifier, and the number of appearances in the communication log data targeted for unauthorized access detection is counted for each transmission address. The unauthorized access detection apparatus according to any one of claims 1 to 8. The unauthorized access detection analysis unit
The unauthorized access detection apparatus according to any one of claims 1 to 10, wherein as the unauthorized access detection analysis, a principal component analysis is performed with respect to a temporal variation in the number of appearances of a communication identifier. The computer inputs steady state communication log data including a plurality of communication identifiers, and counts the number of appearances in the steady state communication log data for each communication identifier,
A communication identifier designating step in which a computer designates a communication identifier having a large number of appearances as an individually corresponding communication identifier, and designates a communication identifier having a small number of appearances as a combined correspondence communication identifier based on the counting result of the steady state appearance number counting step; ,
A computer that inputs unauthorized access detection target communication log data including a plurality of communication identifiers and counts the number of occurrences in the unauthorized access detection target communication log data for each communication identifier;
An appearance number summing step in which the computer sums the number of appearances of the communication identifier specified in the summing correspondence communication identifier among the number of appearances counted in the detection target appearance number counting step;
The computer performs an unauthorized access detection analysis for the communication identifier designated by the individual correspondence communication identifier using the number of appearances of each communication identifier counted in the detection target appearance number counting step, and designated as the sum correspondence correspondence communication identifier. And an unauthorized access detection analysis step for performing unauthorized access detection analysis on the communication identifier using the sum of the appearance counts calculated in the appearance count summation step. Steady state appearance number counting processing for inputting steady state communication log data including a plurality of communication identifiers and counting the number of appearances in the steady state communication log data for each communication identifier;
Based on the counting result of the steady state appearance number counting process, a communication identifier having a large number of appearances is designated as an individually corresponding communication identifier, and a communication identifier having a small number of appearances is designated as a combined correspondence communication identifier; and
Input the communication log data of the unauthorized access detection target including a plurality of communication identifiers, and the detection target appearance count processing for counting the number of appearances in the communication log data of the unauthorized access detection target for each communication identifier;
Of the number of appearances counted by the detection target appearance number counting process, an appearance number summing process for summing up the number of appearances of the communication identifier specified in the summing-compatible communication identifier;
The unauthorized access detection analysis for the communication identifier designated by the individual correspondence communication identifier is performed using the number of appearances of each communication identifier counted by the detection target appearance number counting process, and the communication designated by the addition correspondence communication identifier. A program for causing a computer to execute an unauthorized access detection analysis process for performing an unauthorized access detection analysis for an identifier by using a sum value of the appearance counts calculated by the appearance count summation process.

Images