JP5219783B2 - Unauthorized access detection device, unauthorized access detection program, recording medium, and unauthorized access detection method - Google Patents

Description

  The present invention relates to an unauthorized access detection apparatus, an unauthorized access detection program, and an unauthorized access detection method for executing anomaly detection for detecting an access number abnormality using time-series data of the number of accesses as a profile.

As a means for detecting the occurrence of unauthorized access on the network, there is a method of defining and learning the number of accesses in a normal state as a profile and detecting that the observed number of accesses deviates from the profile. This is called anomaly detection. In the analysis of time series data of such a network, the tendency of the number of accesses in a normal state may fluctuate due to a change in equipment. After the change, the profile defined before the change cannot be correctly analyzed, so that the number of accesses in the normal state after the change is generally relearned as a profile. Since the analysis cannot be performed during the relearning period, Patent Document 1 discloses a technique for generating a prediction profile and continuing the analysis in order to shorten the relearning period. If this method is used, for example, the relearning period required for at least one week can be shortened to one day or less.
JP 2008-146157 A, Network Abnormality Determination Device

  In Patent Document 1, only one prediction profile is used after time-series data of the number of accesses in a normal state fluctuates. If the predicted profile is generated larger than the actual measured value, the actual measured value is hidden behind the predicted profile and a detection failure occurs.If the predicted profile is generated smaller, the actual measured value pops out from the predicted profile, resulting in false detection. there were. In addition, since fluctuations in the number of accesses in the normal state within the week are not reflected in the prediction profile, the prediction profile is not appropriate for data with fluctuations within the week, which may affect the accuracy of the analysis. There was a problem.

  An object of the present invention is to provide an unauthorized access detection apparatus that generates a prediction profile that is less likely to cause erroneous detection and that is appropriate even when there is a variation within a week.

The unauthorized access detection device of the present invention
In an unauthorized access detection apparatus that performs anomaly detection for detecting an abnormality in the number of accesses using time-series data of the number of accesses as a profile,
Input normal time-series data consisting of the number of past accesses recognized as normal and modification information used for modification of the normal time-series data, and follow the predetermined generation rules to use the normal information using the modification information. A prediction profile generation unit that generates a plurality of prediction profiles that are candidates for use profiles to be used for detecting an abnormality in the number of future accesses from time-series data;
And a usage profile determination unit that determines, as the usage profile, a prediction profile that matches a predetermined determination criterion from among the plurality of prediction profiles generated by the prediction profile generation unit.

  According to the present invention, it is possible to provide an unauthorized access detection apparatus that generates a prediction profile with less occurrence of erroneous detection.

Embodiment 1 FIG.
The first embodiment will be described with reference to FIGS.

  FIG. 1 is a diagram showing an example of the appearance of an unauthorized access detection device 100 realized by a computer. In FIG. 1, an unauthorized access detection device 100 includes a system unit 830, a display device 813 having a CRT (Cathode / Ray / Tube) or LCD (liquid crystal) display screen, a keyboard 814 (Key / Board: K / B), a mouse. 815, FDD817 (Flexible Disk Drive), compact disk device 818 (CDD: Compact Disk Drive), printer device 819, and the like are provided with hardware resources, and these are connected by cables and signal lines. The system unit 830 is connected to the network.

  FIG. 2 is a diagram illustrating an example of hardware resources of the unauthorized access detection device 100 realized by a computer. In FIG. 2, the unauthorized access detection device 100 includes a CPU 810 (Central Processing Unit: also called a central processing unit or processing device) that executes a program. The CPU 810 is connected to a ROM (Read Only Memory) 811, a RAM (Random Access Memory) 812, a display device 813, a keyboard 814, a mouse 815, a communication board 816, an FDD 817, a CDD 818, a printer device 819, and a magnetic disk device 820 via a bus 825. And control these hardware devices. Instead of the magnetic disk device 820, a storage device such as an optical disk device or a flash memory may be used.

  The RAM 812 is an example of a volatile memory. Storage media such as the ROM 811, the FDD 817, the CDD 818, and the magnetic disk device 820 are examples of nonvolatile memories. These are examples of a storage device or a storage unit, a storage unit, and a buffer. The communication board 816, the keyboard 814, the FDD 817, and the like are examples of an input unit and an input device. The communication board 816, the display device 813, the printer device 819, and the like are examples of an output unit and an output device.

  The communication board 816 is connected to a network such as a LAN (Local Area Network). The communication board 816 may be connected not only to the LAN but also to a WAN (wide area network) such as the Internet or ISDN.

  The magnetic disk device 820 stores an operating system 821 (OS), a window system 822, a program group 823, and a file group 824. The programs in the program group 823 are executed by the CPU 810, the operating system 821, and the window system 822.

  The program group 823 stores a program for executing a function described as “unit” in the description of the embodiment described below. The program is read and executed by the CPU 810.

  In the file group 824, information described as “use profile”, “count 151”, “profile candidate”, “prediction profile”, etc., “determination result of”, “ Information described as “calculation result of”, “selection result of”, “generation result of”, “processing result of”, data, signal values, variable values, parameters, etc. ~ "Database" is stored as each item. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 810 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, output, printing, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, output, printing, and display. Is remembered.

  In the description of the embodiments described below, data and signal values are stored in RAM 812 memory, FDD 817 flexible disk, CDD 818 compact disk, magnetic disk device 820 magnetic disk, other optical disks, mini disks, DVD (Digital). -It records on recording media, such as Versatile and Disk. Data and signals are transmitted on-line via the bus 825, signal lines, cables, and other transmission media.

  Further, in the description of the embodiments described below, what is described as “to part” may be “means”, “to circuit”, and “to device”, and “to step” and “to”. “Procedure” and “˜Process” may be used. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 811. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 810 and executed by the CPU 810. That is, the program causes the computer to function as “to part” described below. Alternatively, the procedure or method of “to part” described below is executed by a computer.

  FIG. 3 is a configuration diagram of the unauthorized access detection device 100 according to the first embodiment. As illustrated in FIG. 3, the unauthorized access detection apparatus 100 includes a data acquisition unit 101, a totaling unit 102, an analysis unit 103, a profile definition unit 104, a prediction profile generation unit 105, and a profile selection unit 106. The analysis unit 103 includes a count processing unit 1031, a profile processing unit 1032, a calculation unit 1033, and a departure confirmation unit 1034. The profile definition unit 104 includes a use profile storage unit 1041, a count storage unit 1042, and a profile candidate storage unit 1043. The prediction profile generation unit 105 includes a difference definition unit 1051 and a difference reflection unit 1052.

  In addition, the profile selection unit 106 and the analysis unit 103 constitute a usage profile determination unit that determines a prediction profile to be used from a plurality of prediction profiles, as will be described later.

In FIG.
(1) The data acquisition unit 101 captures the network device log 150.
(2) The totaling unit 102 outputs the total value under a specific condition in a specific total period as a count 151 from the log 150 of the network device.
(3) The analysis unit 103 receives the profile 152 from the profile definition unit 104 and analyzes whether the count 151 is abnormal with respect to the profile 152 by specific statistical analysis.
(4) The profile definition unit 104 holds a profile that is a set of counts in a normal state.
(5) The prediction profile generation unit 105 generates one or more prediction profiles 154 from the profile 152 and the environment change information 161 such as the average predicted value of the number of accesses after the change in the number of accesses.
(6) The profile selection unit 106 determines an optimal prediction profile from a plurality of analysis results analyzed using a plurality of generated prediction profiles, and the selected prediction profile 156 as a result thereof is sent to the profile definition unit 104. Notice.

(A: Learning action)
FIG. 4 is a sequence showing the learning operation. The learning operation will be described with reference to FIGS. The preparatory operation before the start of detection in the unauthorized access detection device 100 is referred to as “learning”. The data acquisition unit 101 receives network traffic data (for example, the log 150 of the network device for one week) for a period treated as a normal state (S101), and passes it to the aggregation unit 102 (S102). As the network traffic data, for example, an IDS (Intrusion Detection System) log file as shown in FIG. 5 is fetched.

  Next, the totaling unit 102 generates time-series data from the network traffic data (log 150) received from the data acquisition unit 101 (S103). FIG. 6 shows an example of time-series data (conceptual diagram) generated by the counting unit 102. Here, as an example, time-series data of the number of accesses with a destination port of 445 is generated. The totaling unit 102 counts the “number of appearances of access to the destination port 445” in the log during a predetermined totaling time, for example, 5 minutes. If this is performed in order for each total time, time-series data of the number of accesses of the destination port 445 can be generated.

  For example, in the example of the log in FIG. 5, DstPort (destination) 445 is the number of appearances for 3 minutes from “06/04/18, 12:00” for 5 minutes. If this operation is performed every 5 minutes, the time-series data of the access count of the 5-minute count is generated for the destination port 445. Here, the total value = the number of accesses in the total period. If the log data is for one week, it is a period of 60 minutes × 24 hours × 7 days = 1,080 minutes, and if divided by 5 minutes, time-series data of the number of accesses composed of 2016 total values is obtained. FIG. 6 is a graph of the time series data obtained in this way. The horizontal axis represents time (aggregation timing), and the vertical axis represents the number of accesses.

  The time series data of the number of accesses obtained in this way by the totaling unit 102 is handled as data enumerated in the format of the total time, total interval, and total value (number of accesses) like the time series data 157 of FIG. .

  The aggregation unit 102 passes the time series data 157 to the profile definition unit 104 (S104). The profile definition unit 104 stores the time series data 157 as a profile in the usage profile storage unit 1041. Here, as shown in FIG. 8, the current profile 201 is stored (S105).

(B: Detection operation)
FIG. 9 is a sequence showing the detection operation. A detection operation using a profile will be described with reference to FIG. The data acquisition unit 101 newly receives the network device log 150 for five minutes (S201), and passes it to the counting unit 102 (S202).

  The aggregation unit 102 performs aggregation according to the aggregation condition. As the aggregation condition, for example, the number of accesses for 5 minutes of the destination port 445 is aggregated (S203). The result of the aggregation is passed to the analysis unit 103 as “count 151” (S204). For example, in FIG. 5, the destination port 445 has three appearances in 5 minutes from “06/04/18, 12:00”, and the number of appearances = total value corresponds to the number of accesses. FIG. 10 shows the format of the count 151.

  The analysis unit 103 performs the following processing. The count 151 is compared with the profile stored in the usage profile storage unit 1041 of the profile definition unit 104, and whether or not it is statistically abnormal is analyzed (S205). The analysis method includes a 3σ method, a principal component analysis, an AutoRegressive MovingAverage model, and the like. Here, a specific algorithm is used.

  If the count 151 is statistically abnormal, the analysis unit 103 outputs the detection result 153 as abnormal. Otherwise, the detection result 153 is output as normal.

(C: Details of detection operation)
FIG. 11 is a sequence showing details of the detection operation in the analysis unit 103. The details of the detection operation in the analysis unit 103 will be described with reference to FIG. In FIG. 11, a profile 152 is the current profile 201 in the usage profile storage unit 1041, and is input to the profile processing unit 1032 (S2051). The count 151 to be analyzed is input to the count processing unit 1031 (S2052).

  As an example, the algorithm of statistical analysis is a 3σ method.

  In the profile processing unit 1032, time-series data (here, the aggregated value) is obtained from the profile 152 (current profile 201, in this example, one month of March shown in FIG. 8) passed from the usage profile storage unit 1041. And the number of components thereof are calculated (S2053). Time series data are 9, 2, 15,. Since the number of components is totaled every 5 minutes in March, it is 12 × 24 × 31 = 8928, and the value of the total value matches the number of rows recorded. These are input to the calculation unit 1033 (S2054).

  In this example, the count processing unit 1031 extracts only the total value (x) from the format of the count 151 and inputs it to the calculation unit 1033 (S2055). In the example of FIG. 10, x = 3.

The computing unit 1033 calculates the average μ and variance σ ² from the time series data from the profile processing unit 1032 and the number thereof (S2056), and sends the total value x acquired from the count processing unit 1031 to the deviation confirmation unit 1034. Input (S2057).

  The departure confirmation unit 1034 confirms whether μ + 3σ <x (S2058), and outputs the detection result (S2059). If the departure condition is satisfied, it is determined as departure and information indicating abnormality detection is output. When the deviation condition is not satisfied, information indicating normality is output. This is the detection result 153. The detection result 153 is represented by 1 for abnormality detection and 0 for normal detection, for example.

  Here, the case where the statistical analysis algorithm by the arithmetic unit 1033 is 3σ has been described. However, in another statistical analysis algorithm, the input count 151 is converted into a form suitable for the other statistical analysis algorithm by the count processing unit 1031. The profile 152 is preprocessed in a form suitable for the other statistical analysis algorithm by the profile processing unit 1032 and processed by the other statistical analysis algorithm by the arithmetic unit 1033, and the result is deviated. The confirmation unit 1034 determines whether the profile deviates. The processing of these components varies depending on the algorithm of statistical analysis, but the basic role is as described above.

In this operation as well, after 06/04/18, 12:05, logs are taken every 5 minutes and the deviation is confirmed against the count 151 counted every 5 minutes. In that case, the profile is the same in every operation. That is, profile analysis (calculation of average μ and variance σ ² ) uses the first calculation and performs deviation determination for each aggregate value X. The above is the abnormality detection operation using the profile.

  FIG. 8 described above shows the internal state of the profile definition unit 104 while the analysis is continued. The profile definition unit 104 receives the count 151 every time it is aggregated, and accumulates it in the count accumulation unit 1042 (accumulation count 202). For example, when the analysis is performed for one month in April, the time series data of all the number of accesses in April is held in the count accumulation unit 1042 by continuously accumulating the count 151. . If no detection occurs in April, the time series data is stored in the profile candidate accumulation unit 1043 as the April profile 203. The time series data stored in the profile candidate accumulation unit 1043 is used for generating a prediction profile, as will be described later.

  Next, a description will be given of an analysis when the time-series data of the number of accesses in a normal state fluctuates, for example, the number of computers on the monitored network fluctuates due to equipment change or the like.

  For example, when the number of computers equipped with Windows (registered trademark) increases, the access of the destination port 445 used by the communication of Windows (registered trademark) also increases. If the same profile of the destination port 445 as before the increase of the computers is used, there is a possibility that the increase in the access of the normal destination port 445 is analyzed as an abnormality in the analysis after the increase of the computers. This is because the access of the destination port 445 has increased after the increase in the number of computers, and the analysis unit 103 determines that it is statistically abnormal because it is increasing when compared with the profile currently used. .

  Taking FIG. 12 as an example, there is a facility change at “5/1 (Thursday), 00:00”, and the number of accesses to the destination port 445 is increased compared to April. The number of accesses in April is not abnormal (not unauthorized access) for the current usage profile (time series data in March), but it has increased in May than in April. 103 is determined to be abnormal when compared with the currently used profile.

  Here, it is assumed that the number of computers has increased from 10 to 100 due to the equipment change. As an example, when the 3σ method is used as an analysis algorithm, before the number of computers increased, it was “average 10 accesses / 5 minutes, standard deviation 2”, but the number of computers increased. Assume that the standard deviation is 10 "for 100 accesses / 5 minutes. Based on the profile before the increase of computers, the range of normal access is (10 + 3 × σ) / 5 min, σ = 2, and the average access count after computer increase is compared with 100/5 min Then, it is judged as abnormal.

  In this way, when the number of accesses increases due to non-illegal access such as a change in equipment, it should not be detected as abnormal. Therefore, in this case, it is necessary to change the profile itself to a profile that takes into account the increase in computers.

  For example, in 5/1 (Thu), it is assumed that the number of computers to be monitored increases from 10 to 100 as equipment change. In this case, it is assumed that the average number of accesses of the destination port 445 per month increases in proportion to the increase in the number of computers, and the prediction of the average number of accesses is known in advance outside this system. In this way, when the average access count after the equipment change is predicted, a prediction profile is generated using the predicted value of the average access count.

(D: Prediction profile generation operation)
FIG. 13 is a sequence showing a process of generating a prediction profile. The generation of the prediction profile will be described with reference to FIG. The difference definition unit 1051 receives in advance, as environment change information 161 (an example of modification information), an estimated value of the average access count addressed to the destination port 445 in May at 0/1 (Thursday) at 0 o'clock (S301). For example, the environment change information 161 is input from an input device such as a keyboard. In this case, it is assumed that the average number of accesses, which is a predicted value, is 100.

(Operation of prediction profile generation unit 105)
The difference definition unit 1051 of the prediction profile generation unit 105 receives the April profile 203 (an example of normal time series data) stored in the profile candidate accumulation unit 1043 of the profile definition unit 104 (S302), and obtains an average value. (S303). As shown in FIG. 3, the April profile 203 is passed as a profile 152. Here, it is assumed that the average value in April is 10 (10/5 minutes). Next, a difference Δ (100−10 = 90) between the average value and the predicted number of accesses in May is obtained (S304). This is designated as a difference 10551. The difference defining unit 1051 passes the difference 10551 to the difference reflecting unit 1052 (S305).

(Operation of the difference reflection unit 1052)
As shown in FIG. 14, the difference reflection unit 1052 of the prediction profile generation unit 105 adds Δ (90) that is the difference 10551 to the count of all count times of the April profile 203 to obtain a predicted profile after change. Generate (S306). In FIG. 14, in the format of the April profile 203, data obtained by adding Δ to each total value is generated as a prediction profile.

  Here, in order to generate a plurality of profiles, the difference reflection unit 1052 prepares 0.5 * Δ to 2.0 * Δ obtained by calculating Δ in increments of 0.1 from 0.5 times to 2.0 times. A profile obtained by adding these to the April profile 203 is generated as a plurality of profiles (an example of a predetermined generation rule). For example, in FIG. 15, the prediction profile 1 is obtained by adding 0.5 * Δ to the profile 203 in April.

  FIG. 16 is a flowchart showing a process for generating 0.5 * Δ to 2.0 * Δ. In this flowchart, the case of j = 1 corresponds to the generation of 0.5 * Δ (Δ1), and the case of j = 16 corresponds to the generation of 2.0 * Δ (Δ16).

  FIG. 17 is a flowchart illustrating a process for generating the prediction profiles 1 to 16. Ci is the total value of the profile 203 in April, and since it is 30 days by totaling 5 minutes, the number of data is 8640. In this flowchart, X (i, 1) (i is 1 to 8640) output when j = 1 is the generation of the prediction profile 1, and X (i, 16) output when j = 16. (I is 1 to 8640) corresponds to the prediction profile 16. “A total time, a total interval, and a value obtained by adding Δj to the corresponding total value” of the April profile 203 are stored in Prof_j. FIG. 18 is a diagram illustrating an example of Prof_1.

(E: Operation for selecting the optimal prediction profile)
FIG. 19 is a sequence showing the selection operation of the optimum prediction profile. The operation of the unauthorized access detection device after 5/1 (Thursday) 00:05 will be described with reference to FIG. At 5/1, 00:05, the data acquisition unit 101 receives the network device log 150 (5 minutes) (S401), and outputs it to the counting unit 0102 (S402). The totaling unit 102 totals the number of accesses for 5 minutes of the destination port 445 (S403), and outputs it as a count 151 (S404). The profile processing unit 1032 of the analysis unit 103 receives a plurality of prediction profiles from the difference reflection unit 1052 (S405).

  The analysis unit 103 analyzes the count 151 (corresponding to i = 1 in FIG. 20) using a plurality of prediction profiles 154 (j = 1 to 16 in FIG. 20) received from the prediction profile generation unit 105. In this example, the prediction profiles are 16 prediction profiles 1 to 16.

First, analysis is performed using the prediction profile of the prediction profile 1 using the statistical analysis algorithm used in the analysis unit 103. Next, it analyzes using the prediction profile 2 (S406). The contents are the same as those in the detection operation of FIG. That is, in S406-1 of FIG. 19, the calculation unit 1033 performs statistical processing on the prediction profiles 1 to 16, and calculates the average μ and the variance σ ² for each. In S <b> 406-2, the departure confirmation unit 1034 determines whether the value of the count 151 is abnormal for the prediction profiles 1 to 16 using the expression “μ + 3σ <x”. In this way, the analysis using the prediction profile 16 is repeated.

  The result of each analysis (R (j, i) in FIG. 20) is sent to the profile selection unit 106 as the analysis result 155 based on the prediction profile (S407) and stored in the profile selection unit 106. The above is the analysis for the count 151 of 5/1 (Thursday) 0:00. This is performed for the count of the number of accesses per day until 5/1 (Thursday) 23:59:59. Assume that the accumulated analysis result 155 is R (j, i) (j = 1 to 16, i = 1 to 288). j means prediction profiles 1 to 16, and i is an aggregate value of 5/1 (Thu) 00:05 to an aggregate value of 5/2 (Thu) 00:00 (5/1 (Thu) 23:59:59 288 counts (per day).

(Selection operation of profile selection unit 106)
At 5/2 (Thursday) 00:00, the profile selection unit 106 selects an appropriate profile using R (j, i) stored in itself (S408). The profile selection unit 106 determines that the predicted profile that has been detected during the day of analysis is not appropriate as a profile and deletes it. FIG. 20 shows a process in which the profile selection unit 106 deletes a profile. FIG. 20 is a process of determining whether or not the count 151 every five minutes is abnormal when a certain prediction profile is targeted, in the loop that goes from S37 to S34 and goes back to S34. R (j, i) is the analysis result 155 (abnormality = 1 or normal = 0). For example, when the prediction profile 1 is used, the analysis result 155 at 5/1 (Thursday) 0:00 is R The analysis result of (1,1), 5/2 (Thursday) 0:00 is R (1,288). Prof_j is the prediction profile, and j is the number of the prediction profile. That is, the prediction profile 1 is Prof_1.

  As a result of this processing, for example, when abnormality detection occurs in the analysis using the prediction profiles 1 to 9 in FIG. 20, the prediction profiles 1 to 9 are deleted (S39). The reason for deleting is that the predicted profile in which the abnormality detection has occurred is not appropriate because it is smaller than the actually measured value as the profile.

  The profile selection unit 106 uses (determines) a profile that employs the smallest n * Δ among the remaining prediction profiles as a prediction profile thereafter (an example of a predetermined determination criterion). In FIG. 15, the prediction profile 10 is adopted.

  The remaining prediction profile is a size that does not cause detection, but if it is too large, the actual measurement value will be hidden and will not be detected, so the smallest prediction profile among the remaining prediction profiles is appropriate. leave.

  In FIG. 3, as described above, the selected prediction profile 156 (in this example, the prediction profile 10) is transferred from the profile selection unit 106 to the profile definition unit 104, and overwritten and saved in the use profile storage unit 1041 as a new use profile. This new usage profile is used for analysis (detection) after 5/2 (Thu) 00:05. If there is no abnormality detection in May, the data for May of the count 151 stored in the count storage unit 1042 is stored as profile candidates in the profile candidate storage unit 1043. The May profile candidate is overwritten in the usage profile storage unit 1041 as a usage profile. That is, for the analysis in June, the May count 151 in which no abnormality was detected is used as the usage profile.

  In the first embodiment, the description has been made on the assumption that the number of accesses after fluctuation increases. However, even when the number of accesses decreases, a plurality of reduced prediction profiles are generated by the same method, and the same method is used. An optimal prediction profile can be selected. That is, in this case, the difference 10551 only takes a negative value, and can be dealt with only by performing the same operation for each unit.

  As described above, in the first embodiment, when the number of accesses in a normal state fluctuates due to equipment fluctuations, if the average number of accesses after fluctuation is known in advance, the current profile can be obtained by using this. Are compared with the average value, and a difference is obtained. The difference is multiplied by a plurality of ratios and reflected in the current profile to generate a plurality of prediction profiles. By analyzing the data for one day after the change of equipment using a plurality of prediction profiles and selecting an appropriate prediction profile, it is possible to reduce false detections and omissions in subsequent analysis. Further, in the generation of a prediction profile, a prediction profile reflecting a tendency such as a periodic variation of the current profile can be generated by adding a difference Δ to the current profile.

Embodiment 2. FIG.
Next, a second embodiment will be described with reference to FIGS. In the first embodiment, when the expected average number of accesses in May is known in advance, a prediction profile is generated using this. In the second embodiment, an embodiment in which the predicted average access count is not known will be described.

  If the average number of accesses after the equipment change cannot be predicted, the environment change according to the first embodiment is observed by observing data on one day (a day of the week) after the equipment change (in this example, data for one day on May 1). Data corresponding to the information 161 is calculated, and a prediction profile is generated using a difference from data on the same day of the week before the equipment change.

(A: Learning operation for one day on May 1)
After the equipment change on 5/1 (Thursday), learning will be conducted for only one day on 5/1 (Thursday). This operation is the learning operation shown in the first embodiment. In the second embodiment, when the counting unit 102 passes the time series data 157 to the profile definition unit 104, the profile definition unit 104 uses the time series data 157. Is stored in the count storage unit 1042. That is, in this case, the time series data 157 is stored in the count storage unit 1042 in S105 in FIG.

(B: Prediction profile generation operation)
FIG. 21 is a diagram illustrating an operation of generating a prediction profile in the second embodiment. The prediction profile generation operation will be described with reference to FIG.

  The profile definition unit 104 is an average value of the daily count of 5/1 (Thursday) from the time series data 157 (288 data for 5/1 day) stored in the count storage unit 1042. μthr 304 (an example of modification information) is calculated and passed to the difference definition unit 1051 of the prediction profile generation unit 105 (S501).

(Difference definition unit 1051)
Next, the difference definition unit 1051 in the prediction profile generation unit 105 receives the April profile 203 (an example of normal time series data) stored in the profile candidate accumulation unit 1043 from the profile definition unit 104 (S502), 4 The Thursday count 301, which is the Thursday count in the month, is extracted to obtain the average value μ ′ thr 303 (average value of the access counts of 4/3 (Thu), 10 (Thu), 17 (Thu), 24 (Thu)) (S503).
further,
Δ = μthr304−μ′thr303
Is calculated (S504). This process is shown in FIG.
The difference defining unit 1051 passes this Δ as the difference 10551 to the difference reflecting unit 1052 (S505).

(Difference reflection unit 1052)
As shown in FIG. 23, the difference reflection unit 1052 in the prediction profile generation unit 105 adds Δ which is the difference 10551 received from the difference definition unit 1051 to the count of all times of the profile 203 in April, and after the change, A prediction profile is generated (S506).

  The prediction profile generation (predetermined generation rule) by the difference reflection unit 1052 is the same as in the first embodiment. That is, in order to generate a plurality of prediction profiles, 0.5 * Δ to 2.0 * Δ calculated from 0.1 to 0.5 times from Δ to 0.5 times is prepared, and the April profile 203 is prepared. Are added to these as a plurality of prediction profiles. These are designated as prediction profile 1 to prediction profile 16. As described above, the method for generating a plurality of prediction profiles using Δ and the April profile 203 is the same as that in the first embodiment.

(C: Selection of optimal prediction profile)
FIG. 24 is a diagram illustrating an operation of selecting an optimal prediction profile in the second embodiment. The optimal prediction profile selection operation will be described with reference to FIG. Unlike the first embodiment, in the first embodiment, 5/1 day's worth of data (i = 1 to 288) to be detected has already been acquired.

  The analysis unit 103 acquires the count 151 for 5/1 day from the count storage unit 1042 (S601), and acquires the prediction profiles 1 to 16 from the difference reflection unit 1052 (S602). The analysis unit 103 determines each prediction profile 1 for the aggregated value every 5 minutes with respect to the count of 5/1 (Thursday) in the accumulation count 202 stored in the count accumulation unit 1042 of the profile definition unit 104. The analysis (abnormality detection) is performed using ~ 16 (S603).

  That is, using the statistical analysis algorithm used in the analysis unit 103, all the counts every 5 minutes of 5/1 (tree) are analyzed using the prediction profile 1. Next, the same analysis is performed using the prediction profile 2. In this way, the analysis using the prediction profile 16 is repeated.

  Each analysis result R (j, i) is sent to the profile selection unit 106 as an analysis result 155 using the prediction profiles 1 to 16 and stored in the profile selection unit 106.

  At 02:00 on 5/2 (Thursday), the profile selection unit 106 selects an appropriate profile using the analysis results for 5/1 (Thursday) accumulated in itself (S604). . The selection method is the same as the selection performed by the profile selection unit 106 in the first embodiment. The selected prediction profile is overwritten in the usage profile storage unit 1041 (S605).

  In the second embodiment, as described in the first embodiment, the description has been made on the assumption that the number of accesses after the fluctuation increases. Profiles can be generated and optimal prediction profiles can be selected in the same way. That is, in this case, the difference 10551 only takes a negative value, and can be dealt with only by performing the same operation for each unit.

  As described above, in the second embodiment, when the time-series data of the number of accesses in the normal state fluctuates due to the fluctuation of the equipment, if the average number of accesses after the fluctuation is unknown, Learn the day data, find the average of the current profile counts for the days of the week learned, find these differences, multiply this difference by multiple ratios, and reflect in the current profile to generate multiple prediction profiles To do. By analyzing the data for one day after the change of equipment using a plurality of prediction profiles and selecting an appropriate prediction profile, it is possible to reduce false detections and omissions in subsequent analysis. Further, in the generation of a prediction profile, a prediction profile reflecting a tendency such as a periodic variation of the current profile can be generated by adding a difference Δ to the current profile.

Embodiment 3 FIG.
(Parameter input from outside the device)
In the third embodiment, a numerical value such as 0.5 times multiplied by the difference Δ is input as a parameter from the outside. In the first and second embodiments, when preparing a plurality of profiles, Δ is specified in increments of 0.1 from 0.5 to 2.0 times as an example, but other multiples and increments may be used. It is realized by a method of giving parameters from outside the device. In FIG. 25, a parameter 10551 is given by a maximum magnification value 10552, a minimum magnification value 10553, a generated number 10554, and a step size 10555. The maximum magnification value 10552 corresponds to 2.0 in the first embodiment, and the minimum magnification value 10553 corresponds to 0.5. The step size 10555 corresponds to 0.1. When the step size is not given, the generation number 10554 is given instead, and the difference defining unit 1051 calculates the following, and uses the result as the step size instead.
That is,
Step width = (maximum magnification value−maximum magnification value) / number of generations.

Embodiment 4 FIG.
(Analysis days are m days)
In the first embodiment and the second embodiment, in the selection of a plurality of generated prediction profiles, the analysis is performed for one day using the plurality of prediction profiles, the prediction profile in which the abnormality is detected is deleted, and the abnormality is not detected. The smallest prediction profile was selected. In the fourth embodiment, the analysis period for selection is m days, and the detected prediction profile is deleted during that period, and the smallest prediction profile is selected among the prediction profiles that were not detected.

Embodiment 5 FIG.
(Add only to business hours)
In Embodiments 1 and 2, a prediction profile is generated by adding n * Δ to the entire current profile. However, if it is known that there is no change before and after the profile change on Saturdays, Sundays and nights, and there is only a change in business hours on weekdays, only n * Δ is added to the business hours part on weekdays in the profile. Also good. For example, as shown in FIG. 26, if the number of weekday accesses is large, the number of accesses is small at night, the number of accesses is small on Saturdays and Sundays, The prediction profile is generated by adding n * Δ only during the hour (for example, from 9 o'clock to 17 o'clock) and not adding the others.

  As described above, in the fifth embodiment, it is possible to generate an appropriate prediction profile that takes into account fluctuations in business hours.

Embodiment 6 FIG.
(Delete prediction profile when d> k)
In the first and second embodiments, Prof_j is deleted when d> 0 in the flow of FIG. 20 in the selection of the prediction profile (S39), but the branch of d> 0 is d> k. k is a parameter given to the profile selection unit 106. For example, if k = 10, the profile is used and deleted when detection is performed 10 times or more. In this way, deletion is performed when the number of times an abnormality is detected exceeds a threshold value.

Embodiment 7 FIG.
(Generate forecast profile by average ratio)
In the first embodiment, the difference defining unit 1051 calculates the difference between the average value of the current profile and the predicted value of the average value as the difference 10551. In the second embodiment, the difference defining unit 1051 calculates the difference 10551 as the difference between the average value of Thursday of the current profile and the average value of 5/1 (Thu). In the seventh embodiment, the difference between these average values may not be calculated as the difference 10551, but the ratio may be obtained as the difference 10551.

That is, in the first embodiment,
Δ = “Predicted value of average value” / “Average value of current profile on Thursday”
In the second embodiment,
Δ = “average value of 5/1 (Thu)” / “average value of current profile on Thursday”
It is.

  In this case, “Xij = Ci + Δj” in FIG. 17 is changed to “Xij = Ci * Δj”.

Embodiment 8 FIG.
(Prediction profile correction)
In the first embodiment and the second embodiment, in the selection of a plurality of generated prediction profiles, one day analysis is performed using a plurality of prediction profiles, and the abnormality-detected prediction profile is deleted. In the eighth embodiment, the prediction profile is corrected when abnormality detection does not occur in all the prediction profiles. In the first and second embodiments, a plurality of prediction profiles are generated by preparing 0.5 * Δ to 2.0 * Δ in which Δ is calculated in increments of 0.1 from 0.5 to 2.0. However, the fact that abnormality detection does not occur means that the predicted profile generated by these is larger than the actually measured value. Therefore, a new prediction profile is generated with 0.05 * Δ to 0.45 * Δ as a difference, with the multiplication factor Δ multiplied by 1/10 of the lowest 0.5, and it is tried to detect with these prediction profiles. .

  In the case where the above is not detected, a new prediction profile is generated with a difference of 0.005 * Δ to 0.045 * Δ in increments of 1/10 of 0.05 (an example of a predetermined correction rule), Try to detect with these prediction profiles and repeat.

  That is, in the eighth embodiment, when the difference used in the generation of the prediction profile is large, the prediction profile is regenerated using the smaller difference, and the prediction profile is regenerated until it is detected ( An example of a predetermined correction rule) is to select an optimal prediction profile. In Embodiment 8, taking Embodiments 1 and 2 as an example, the difference for regenerating a prediction profile is set to 1/10 of 0.05, but other ratios and the number of generations may be used.

  As described above, in the eighth embodiment, when a plurality of first generated prediction profiles are not appropriate, it is possible to create and select a plurality of prediction profiles.

Embodiment 9 FIG.
(Algorithm used for selection)
In the first and second embodiments, the statistical analysis algorithm used for detection is used as it is as the analysis algorithm for selecting the prediction profile. In the ninth embodiment, another statistical analysis algorithm may be applied to select a prediction profile. For example, when 3σ (detection when average + 3σ is exceeded) is used for detection, in selecting a prediction profile, this is set to 1σ (detection when average + σ is exceeded), analysis is performed, and selection is determined. Also good. As another example, for example, PCA (Principal Component Analysis) using a sliding window disclosed in Japanese Patent Application Laid-Open No. 2008-146157 may be applied to perform analysis to determine selection.

Embodiment 10 FIG.
(Reflect the average number of accesses every hour)
In the second embodiment, the average value of daily accesses (average of 5/1 (Thursday)) of the number of accesses observed every day after the equipment change is obtained, and the average value of the same day of the week in the April profile is obtained. The difference was reflected in the entire April profile. In the tenth embodiment, an average value of the number of accesses observed every day after the equipment change (an aggregate value of 5 minutes) is obtained, and every hour of the day of the same day of the week in the April profile ( An average value (of 5 minutes of total values) is obtained, and each hourly difference is reflected in the same time zone of the April profile.

Specifically, the processing is as follows. The average value of the number of accesses observed every 5/1 (Thu) every hour (of the aggregate value of 5 minutes) is expressed as follows.
μthr — 0 — 1 (5/1 (Thursday) 0:00 to 1 o'clock average number of accesses for 5 minutes),
μthr_1_2 (5/1 (Thu) 1 to 2 o'clock average access count for 5 minutes),
...
μthr — 23 — 24 (5/1 (Thu) 5 minutes average access count from 23:00 to 24:00),
In FIG. 22, the average value every hour from Thursday count 301 to Thursday in April is expressed as follows.
μ'thr — 0 — 1 (average number of accesses for 5 minutes from 0 o'clock to 1 o'clock on Thursday in April),
μ'thr_1_2 (average number of accesses for 5 minutes from 1 o'clock to 2 o'clock on Thursday in April),
...
μ'thr_23_24 (average number of accesses for 5 minutes from 23:00 to 24:00 on Thursday in April),

Then calculate:
Δ_0_1 = μthr — 0_1−μ′thr — 0_1,
Δ_1_2 = μthr_1_2−μ′thr_1_2,
...
Δ — 23 — 24 = μthr — 23 — 24−μ′thr — 23 — 24,

Each Δ is applied to the April profile 203. Here, n = 0.5.
Total value of 5 minutes each from 0:00 to 1:00 on April 1 + n * Δ_0_1,
Total value of 5 minutes each from 1 to 2 on April 1 + n * Δ_1_2,
...
Total value of 5 minutes each from 23:00 to 24:00 on April 1 + n * Δ_23_24,
Total value of 5 minutes each from 0:00 to 1:00 on April 2, + n * Δ_0_1,
Total values for 5 minutes each from 1 am to 2 pm on April 2, + n * Δ_1_2,
...
Total value for each 5 minutes from 23:00 to 24:00 on April 2, + n * Δ_23_24,
Thereafter, the same applies to the data on April 30.

  If the above calculation is performed, it is possible to generate a prediction profile that reflects the hourly difference in the number of accesses between Thursday of April and Thursday in April in the same time zone of the entire April profile.

  If the above calculation is performed while changing n in increments of 0.1 from 0.5 to 2.0, 16 prediction profiles can be generated as in the second embodiment.

  In the above example, Δ was generated every hour, but divided into time zones such as 0 o'clock to 6 o'clock, 6 o'clock to 12 o'clock, 12 o'clock to 18 o'clock, and 18 o'clock to 24 o'clock. A similar process may be applied by obtaining an average value of Alternatively, the same processing may be performed every time zone that is smaller than one hour, for example, every 30 minutes.

  As described above, the tenth embodiment can reflect a minute difference for each time after the number of accesses is changed.

Embodiment 11 FIG.
(1 week observation)
In the second embodiment, the average value of the number of accesses observed every day after the facility change is obtained, the average value of the same day of the week in the April profile is obtained, and the difference is reflected in the entire April profile. . In this embodiment, the average value for each day of the number of accesses observed on the 7th after the equipment change is obtained, the average value for the same day in the April profile is obtained, the difference between the average values for the same day is obtained, The difference is reflected for each day of the April profile.

Specifically, the processing is as follows.
The average daily number of accesses observed from 5/1 (Thu) to 5/7 (Wed) is expressed as follows.
μthr (average number of accesses per day of 5/1 (Thu)),
μfri (5/2 (Friday) average daily access),
...
μwed (average daily access on 5/7 (Wednesday)),
The average value of the day of each day of the week is represented as follows from the April profile 203 of FIG.
μ'thr (Average number of accesses per day on Thursday in April),
μ'fri (average number of accesses per day on Friday, April),
...
μ'wed (average daily access on Wednesday in April),

Then calculate:
Δ_thr = μthr−μ′thr,
Δ_fri = μfri−μ′fri,
...
Δ_wed = μwed−μ′wed,

Each Δ is applied to each day of the week in the profile 203 in April. Here, n = 0.5.
Total value for each 5 minutes on each Thursday in April + n * Δ_thr,
Aggregate value of each 5 minutes on each Friday of April + n * Δ_fri,
...
Total value for each 5 minutes on each Wednesday in April + n * Δ_wed,

  If the above calculation is performed, the difference in the number of accesses between each day of the week from 5/1 (Thursday) to 5/7 (Wednesday) and each day of April is reflected on the same day of the April profile as a whole. A prediction profile can be generated. In the first embodiment, the average difference in the number of accesses per day is reflected, but according to the present embodiment 12, the observation period is 7 days, but the difference in each day of the week after the equipment change is It can be reflected in the profile.

Embodiment 12 FIG.
In the first and second embodiments, analysis is performed using a profile for each unit such as March or April as a profile. As other forms of analysis, there are cases in which profiles are separately provided for business hours and other cases, or analysis is performed by dividing profiles for every hour or by day of the week.

  For example, when the business hour and other profiles are separately provided, the analysis of the number of accesses in the business hour confirms the deviation using the business hour profile.

When there are separate profiles for business hours and other cases, and there is an average predicted value μ ′ after the change in the number of accesses due to equipment changes, it is as follows. The average value μ of the business hour and other access count profiles is obtained, and the difference between these average values is Δ = μ′−μ, and Δ is reflected in the business hour profile and the non-business hour profile. Thus, each prediction profile is generated. If there is no average predicted value after the change in the number of accesses due to equipment changes, the following is done. One day after the equipment change, the number of business hours and other accesses was observed, and the average value μ′b of the business hours access and the average value μ′nb other than the business hours were obtained, respectively. For the average value μb of the profile and the average value μnb other than business hours,
Δb = μ′b−μb, Δnb = μ′nb−μnb
Ask for. By reflecting Δb in the profile for the current business hour and Δnb in the profile other than business hour, it is possible to generate a business hour and other predicted profiles.

  If there is a profile every hour, if there is an average predicted value μ ′ after the change in the number of accesses due to equipment changes, add all the profiles every hour to obtain the average value μ, and these average values Each prediction profile is generated by setting Δ = μ′−μ and reflecting Δ in the profile every other hour. If there is no average predicted value after the change in the number of accesses due to equipment changes, the following is done. On the first day after the equipment change, the number of accesses every hour is observed, and an average value (μ′i, i = 0 to 23) every hour is obtained. Next, the average value (μi, i = 0 to 23) of the current profile every hour is obtained. By obtaining Δi = μ′i−μi (i = 0 to 23) and reflecting Δi in the current hourly profile, a prediction profile for each time can be generated. Here, i = 0 indicates 0 and i = 23 indicates 23:00.

  When there is a profile for each day of the week, if there is an average predicted value μ 'after fluctuations in the number of accesses due to equipment changes, add all the profiles for each day to obtain the average value μ, and calculate the difference between these average values. Each prediction profile is generated by setting Δ = μ′−μ and reflecting Δ in the profile for each day of the week. If there is no average predicted value after the change in the number of accesses due to equipment changes, the following is done. On the first day after the equipment change, the number of accesses is observed to obtain the average value μ ′ for the day. The daily average μ of the profile of the day corresponding to the observed day of the week is obtained. The difference between these average values is Δ = μ′−μ. By reflecting this Δ on the profile of each day of the week, a predicted profile of each day of the week can be generated.

  A plurality of prediction profiles generated as described above can be generated by multiplying Δ by a factor as in the first and second embodiments, and selection of the generated prediction profile performs the same processing as in the first and second embodiments. Can be selected.

  In the twelfth embodiment, even if the profile is divided into business hours and other times, by time, by day of the week, etc., there are cases where there is an average predicted value after fluctuation of the number of accesses due to equipment change, and there is no It is possible to generate an appropriate prediction profile by applying the ideas of forms 1 and 2.

  Although the unauthorized access detection device 100 has been described in the above embodiment, the unauthorized access detection device 100 can also be understood as an embodiment of an “unauthorized access detection method” performed by each component of the unauthorized access detection device 100. The unauthorized access detection device 100 can also be understood as an embodiment of an “unauthorized access detection program” that causes a computer to execute the function of “˜ part”. Furthermore, it can be understood as an embodiment of a computer-executable “recording medium” in which an “unauthorized access detection program” is recorded.

  In the above embodiment, when anomaly detection of time-series data of the number of accesses to the network changes the trend of the number of accesses in a normal state, in order to shorten the relearning period of the changed number of normal accesses In analysis using a prediction profile, unauthorized access detection provided with a prediction profile generation unit 105 that generates a plurality of prediction profiles, and a use profile determination unit that performs analysis using a plurality of prediction profiles and selects an optimal prediction profile The apparatus 100 has been described.

  In the above embodiment, the prediction profile generation unit 105 obtains a difference between the average access number of the prediction obtained after fluctuation obtained in advance and the average access number of the current profile, multiplies this displacement by a plurality of magnifications, The unauthorized access detection apparatus 100 that generates a plurality of predicted profiles reflecting the current profile trend by reflecting the profile has been described.

  In the above embodiment, the prediction profile generation unit 105 observes the changed number of normal accesses for one day, obtains a difference based on the observed day of the week and the current profile day of the week, and adds a plurality of magnifications to the difference. The unauthorized access detection apparatus 100 that generates a plurality of predicted profiles reflecting the current profile tendency by applying the above to the current profile has been described.

1 shows an example of the appearance of an unauthorized access detection device 100 according to Embodiment 1. 2 is a hardware configuration of the unauthorized access detection device 100 according to the first embodiment. 1 is a block diagram of an unauthorized access detection device 100 according to Embodiment 1. FIG. The learning sequence in the first embodiment. An example of the log 150 in the first embodiment. FIG. 3 is a conceptual diagram of time-series data generated by a counting unit 102 according to the first embodiment. FIG. 6 shows time-series data 157 in the first embodiment. FIG. 3 is a diagram illustrating an internal configuration of a profile definition unit 104 according to the first embodiment. 3 is a sequence of detection operations in the first embodiment. An example of the count 151 in the first embodiment. 5 is a detailed sequence of a detection operation in the first embodiment. The figure which shows the access number fluctuation | variation in the case of the equipment change in Embodiment 1. FIG. The sequence of the prediction profile generation in Embodiment 1. FIG. FIG. 6 illustrates generation of a prediction profile in the first embodiment. FIG. 6 is a diagram for explaining a plurality of prediction profiles generated in the first embodiment. FIG. 5 is a flowchart of generation of change in the first embodiment. FIG. 5 is a flowchart for generating a prediction profile in the first embodiment. FIG. 5 is a diagram showing a prediction profile 1 generated in the first embodiment. 5 is a sequence for selecting an optimal prediction profile according to the first embodiment. 5 is a flowchart of selection of a prediction profile in the first embodiment. The sequence of the prediction profile generation in Embodiment 2. FIG. 10 is a diagram for explaining generation of average values μ and μ ′ in the second embodiment. FIG. 10 is a diagram for explaining generation of a prediction profile in the second embodiment. A sequence for generating a prediction profile in the second embodiment. FIG. 10 is a diagram for explaining input of parameters in the third embodiment. FIG. 10 is a diagram for explaining input of parameters in the fifth embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 Unauthorized access detection apparatus, 101 Data acquisition part, 102 Total part, 103 Analysis part, 1031 Count processing part, 1032 Profile processing part, 1033 Operation part, 1034 Deviation confirmation part, 104 Profile definition part, 1041 Usage profile storage part, 1042 Count accumulation unit, 1043 Profile candidate accumulation unit, 105 Prediction profile generation unit, 1051 Difference definition unit, 1052 Difference reflection unit, 106 Profile selection unit.

Claims (9)

In an unauthorized access detection apparatus that performs anomaly detection for detecting an abnormality in the number of accesses using time-series data of the number of accesses as a profile,
Input normal time-series data consisting of the number of past accesses recognized as normal and modification information used for modification of the normal time-series data, and follow the predetermined generation rules to use the normal information using the modification information. A prediction profile generation unit that generates a plurality of prediction profiles that are candidates for use profiles to be used for detecting an abnormality in the number of future accesses from time-series data;
An unauthorized access detection, comprising: a usage profile determination unit that determines, as the usage profile, a prediction profile that matches a predetermined determination criterion from among the plurality of prediction profiles generated by the prediction profile generation unit apparatus. The prediction profile generation unit
Input the predicted value of the average access count after the change when the detection target equipment for detecting the access count is changed as the modification information, calculate the average access count of the normal time series data, and calculate the average access count The unauthorized access detection apparatus according to claim 1, wherein the plurality of prediction profiles are generated on the basis of the prediction value input as. The prediction profile generation unit
The average number of accesses in the one day calculated based on the observation result of observing the number of accesses after the change of the detection target equipment for detecting the number of accesses for one day on a certain day is input as the modification information and the normal time The average access count for the same day of the week in the series data is calculated, and the plurality of prediction profiles are generated based on the calculated average access count and the input average access count. The unauthorized access detection device according to 1. The usage profile determination unit, as the predetermined determination criteria,
It is determined whether an abnormality is detected by an abnormality detection process for the number of accesses using the prediction profile for each prediction profile of the plurality of prediction profiles for a certain period included in the period of the prediction profile. The unauthorized access detection apparatus according to claim 1, wherein the usage profile is determined based on a detection result. The prediction profile generation unit
As a result of the determination by the use profile determination unit, when no abnormality is detected for any of the prediction profiles, the prediction profiles of the plurality of prediction profiles are corrected based on a predetermined correction rule,
The usage profile determination unit
Whether or not an abnormality is detected by the abnormality detection process for the number of accesses using the corrected prediction profile for each of the corrected prediction profiles is determined again according to the predetermined determination criterion, and based on the detection result of the abnormality 5. The unauthorized access detection apparatus according to claim 4, wherein a usage profile is determined. The usage profile determination unit
6. The fraud according to claim 1, wherein time series data currently used as a profile is switched to the determined usage profile, and an abnormality in the number of accesses is detected using the usage profile. Access detection device. Computer
Input normal time-series data consisting of the number of past accesses recognized as normal and modification information used for modification of the normal time-series data, and follow the predetermined generation rules to use the normal information using the modification information. A prediction profile generation unit that generates a plurality of prediction profiles that are candidates for use profiles to be used for detecting an abnormality in the number of future accesses from time-series data;
An unauthorized access detection program for functioning as a usage profile determination unit that determines, as the usage profile, a prediction profile that matches a predetermined determination criterion from among the plurality of prediction profiles generated by the prediction profile generation unit.   A computer-readable recording medium on which the unauthorized access detection program according to claim 7 is recorded. In an unauthorized access detection method performed by an unauthorized access detection device that performs anomaly detection for detecting an abnormality in the number of accesses using time-series data of the number of accesses as a profile,
(1) The prediction profile generation unit
Input normal time-series data consisting of the number of past accesses recognized as normal and modification information used for modification of the normal time-series data, and follow the predetermined generation rules to use the normal information using the modification information. Generate multiple prediction profiles that are candidates for usage profiles to be used to detect anomalies in the number of future accesses from time series data,
(2) The usage profile determination unit
An unauthorized access detection method comprising: determining, as the usage profile, a prediction profile that matches a predetermined determination criterion from among the plurality of prediction profiles generated by the prediction profile generation unit.

Images