JP6249505B1 - Feature extraction apparatus and program - Google Patents

Abstract

A feature extraction apparatus and program for appropriately and automatically extracting features from data including a plurality of variables. A feature extraction apparatus extracts features of a record including N columns (where N is an integer equal to or greater than 2). The feature extraction apparatus 10 has a function of acquiring a plurality of records and a function of generating a column set for all combinations of M columns (where M is an integer satisfying 2 ≦ M ≦ N). (Column set generation function) and a function for determining the number of features related to each column set for each record (however, the number of features is a combination of the data values of all the columns included in the column set of the record) And a function for outputting the number of features in association with each record. [Selection] Figure 3

Description

  The present invention relates to a feature extraction apparatus that extracts data features.

  Techniques for classifying data are known. For example, a process of classifying a large amount of data into normal data and abnormal data is performed. Examples of such a method are described in Patent Document 1 and Patent Document 2, respectively.

JP 2012-138044 A Japanese Patent No. 5976366

  However, in the conventional technique, there is a problem that when a data including a plurality of variables is classified, a reference feature has to be manually determined.

  For example, when handling a large amount of data, it is difficult in terms of labor to refer to all of the data, so it is necessary to omit a part of the data and determine the criteria, and the sorting work Adequacy matters. Furthermore, for example, when a set of data includes a large number of variable values, the number of combinations of variables to be examined for characteristic correlation becomes enormous, and it is difficult to comprehensively consider all combinations. is there.

  The present invention has been made to solve such a problem, and an object of the present invention is to provide a feature extraction apparatus and program for appropriately and automatically extracting features from data including a plurality of variables. To do.

In order to solve the above-described problem, a feature extraction device according to the present invention is a feature extraction device that extracts features of a record including N columns (where N is an integer of 2 or more),
A function of acquiring a plurality of the records;
A column set generation function for generating a column set for all combinations of M (where M is an integer satisfying 2 ≦ M ≦ N) out of the N columns;
For each of the records, a function for determining the number of features related to each of the column sets, wherein the number of features is a value obtained by combining the data values of all the columns included in the column set of the record, A function for determining the number of features representing the frequency in the column set;
A function of associating and outputting the number of features to each of the records.
According to a specific aspect, the column group generation function is executed for at least all M satisfying 2 ≦ M ≦ L for a predetermined upper limit number of columns L (where L is an integer satisfying 2 ≦ L ≦ N). Is done.
According to a particular aspect,
A function that converts the data value of each column of each record to a numeric value,
For each column, the function to normalize the numerical value of each record,
A function that normalizes the number of features in each record for each column set,
Is further provided.
According to a specific aspect, the feature extraction device determines, for each column set, whether each record is an abnormal record using a predetermined abnormality determination rule based on the number of features of each record. It further has a function.
According to a specific aspect, the feature extraction device is configured based on a numerical value or a feature number of each record for a determination target pair consisting of a total of two columns or column sets selected from all columns and column sets. And an abnormality determination function for determining whether each record is an abnormal record using a predetermined abnormality determination rule.
According to a particular aspect,
The abnormality determination function is
When the judgment target pair is composed of two column sets, it is not executed,
If the judgment target pair consists of a column and a column set, and the column set does not include the column, it is not executed.
If the determination target pair includes a column and the data value of the column is the same for all the records, it is not executed.
If the judgment target pair includes a column set and the number of features of the column set is the same for all the records, the determination is not performed.
According to a specific aspect, the abnormality determination function is executed using the same abnormality determination rule regardless of a column and a column set constituting the determination target pair.
According to a particular aspect,
The feature extraction device generates an image indicating a position of each record in an orthogonal coordinate system having a total of two columns or column sets selected from all columns and column sets as axes. A generation function,
The feature extraction apparatus executes the image generation function for all combinations of columns and column combinations.
The program according to the present invention causes a computer to function as the above-described feature extraction device.

  According to the feature extraction apparatus and program according to the present invention, the number of features is comprehensively determined for combinations of record columns, so that the feature of the record can be appropriately and automatically extracted.

It is a figure which shows the example of positioning of the feature extraction apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the example of a structure of the feature extraction apparatus of FIG. It is a figure which shows the example of a structure of the data which the feature extraction apparatus of FIG. 1 handles. It is a figure which shows another example of a structure of the data which the feature extraction apparatus of FIG. 1 handles. It is a flowchart which shows the example of the flow of the feature extraction process of the feature extraction apparatus of FIG. 10 is a flowchart illustrating an example of a flow of abnormality determination processing of the feature extraction device according to the second embodiment.

Embodiments of the present invention will be described below with reference to the accompanying drawings.
Embodiment 1 FIG.
FIG. 1 shows an example of positioning of the feature extraction apparatus 10 according to Embodiment 1 of the present invention. The feature extraction device 10 extracts features from the data and outputs the extracted features in association with the original data. The output data and features can be used by other devices (for example, the abnormality detection device 20).

  FIG. 2 shows an example of the configuration of the feature extraction apparatus 10. The feature extraction apparatus 10 has a configuration as a known computer, and includes a calculation unit 11 that performs a calculation and a storage unit 12 that stores information. Further, although not particularly illustrated, the feature extraction apparatus 10 includes an input unit that receives a user operation, an output unit that outputs information, and a communication unit that inputs and outputs information to an external communication network.

  The storage unit 12 stores input data and features that the feature extraction device 10 extracts for the data. The storage unit 12 stores a program (not shown). When the computing means 11 of the computer executes this program, the computer functions as the feature extracting device 10. That is, this program causes a computer to function as the feature extraction device 10 described in this specification.

  FIG. 3 shows an example of the structure of data handled by the feature extraction apparatus of FIG. This example represents, for example, a communication record of a specific computer, but the present invention is applicable to general data. Note that the examples of FIGS. 3 and 4 are in a state where normalization processing described later is not performed.

  The number of features is associated with each of the records R1 to R5 formed by the data. The record includes a plurality of columns, and has a variable value (data value) corresponding to each column. In FIG. 3, as an example of the column, a column representing “time” and a column representing “IP address” are shown. In this specification, the number of columns included in one record may be represented by N (where N is an integer of 2 or more). In the example of FIG. 3, N = 2. The feature extraction device 10 extracts the feature of each record R1 to R5.

  The number of features is determined for each combination of record and column set. A column set is a set consisting of one or more columns. That is, it can be said that the column set is a set having columns as elements. In the example of FIG. 3, as the column set 30, a column set {time} consisting only of “time”, a column set {IP address} consisting only of “IP address”, and a column consisting of “time” and “IP address”. A set {time, IP address} is generated. As is clear from this example, in this specification, the name “column set” is used even if it consists of only a single column, but the {} symbol is attached to the column set for distinction. Further, the number of features described later is represented by n {} for each column set.

In the present specification, the number of columns constituting the column set may be represented by M (where M is an integer and M ≦ N). When N columns exist in total, a maximum of _N C _M column groups each including _M columns can be defined. In the example of FIG. 3, since the number of columns is N = 2, a maximum of two sets of columns (M = 1) consisting of a single column can be defined, and a column set consisting of two columns (M = 2). ) Can be defined at most. That is, in the example of FIG. 3, it can be said that all column sets that can be configured from a given column are defined.

  The number of features represents the frequency in the column set of values obtained by combining the data values of all the columns included in the column set of the record. For example, for the column set {time}, the data value “2016-03-01 18:20:53” appears in two records (records R1 and R2), so “2016-03-01 18:20:53” The value of the feature number “n {time}” of the record having the data value is “2”. For the column set {time, IP address} consisting of “time” and “IP address”, the combination of “2016-03-01 18:20:56” and “91.205.189.15” has two records (R4 and R5 ), The feature number “n {time, IP address}” of those records is “2”. Thus, since the frequency can be defined for each column set, the number of features can also be determined for each column set.

  FIG. 4 shows another example of the data configuration. In this example, the number of columns N = 3. The column set is defined for all integers M satisfying 1 ≦ M ≦ N = 3, and is 7 in total. The number of features may be an integer value that matches the frequency as shown in FIGS. 3 and 4, but may be any number as long as it is a numerical value that represents the frequency (for example, a normal value as described later). It may be a numerical value).

The operation of the feature extraction apparatus 10 configured as described above will be described below.
FIG. 5 is a flowchart illustrating an example of the flow of feature extraction processing of the feature extraction apparatus 10. First, the feature extraction apparatus 10 acquires a plurality of records representing data (step S1). Acquisition of a record may be performed by, for example, input processing via a network, or data stored in advance in the storage unit 12 may be read.

  Next, the feature extraction apparatus 10 digitizes the record (step S2). Any numerical method may be used. For example, the frequency of data values is calculated for each column, and numerical values (for example, non-negative integers or positive integers) are assigned in ascending order of frequency. Alternatively, it may be performed by assigning numerical values in alphabetical order (dictionary order) of data values. Alternatively, the time may be converted to the number of seconds, or the IP address may be a 4-byte long numerical value.

  This process can be omitted for data that is originally a numerical value (for example, records A and C in FIG. 4). Further, depending on how to use the extracted features (specifications of the abnormality detection device 20 and the like), the entire step S2 may be omitted. Even if the data value is not a numerical value, it is possible to determine the number of features by the method described above.

  Next, the feature extraction apparatus 10 generates a column set (step S3, column set generation function). An example of a generated column set is shown as column set 30 in FIGS. The process of step S3 may be executed before step S1, or may be executed in parallel with steps S1 and S2.

Next, the feature extraction apparatus 10 determines the number of features related to each column set for each record (step S4). That is, for each record, the frequency in the column set of the value obtained by combining the data values of all the columns included in the column set of the record is calculated. 3 and 4 can be said to be examples at the time when step S4 is completed.
In addition, you may comprise so that the process of step S2 may be performed after the process of step S4.

Next, the feature extraction apparatus 10 normalizes the numerical value (data value) and the number of features of each record for each column and column set (step S5). Any normalization method may be used. For example, a linear mapping function that converts the minimum data value in the column to 0 and the maximum data value in the column to 1 can be used. For example, for a certain column or column set, the data value or feature number x _i (where i is an index representing a record) is normalized to (x _i −x _min ) / (x _max −x _min ). Here, x _max and x _min are the maximum value and the minimum value of the data value or the number of features in the column or column set, respectively. With respect to the column “C” in FIG. 4, the data values of the records R11, R12, R13, and R14 are 1, 2, 3, and 4, respectively. / 3, 2/3, and 1. Note that step S5 may be omitted depending on how to use the extracted features (specifications of the abnormality detection device 20 and the like). Further, normalization need not be performed for all columns and column sets, but may be performed for only some columns or column sets.

  Next, the feature extraction apparatus 10 associates and outputs the number of features to each record (step S6). In this way, the information shown in FIG. 3 or FIG. 4 (however, further normalized information) is output.

  The output record and the number of features can be used as appropriate, but can be used for an abnormality detection process by the abnormality detection device 20, for example. For example, the abnormality detection device 20 accepts input of a plurality of records and the number of features associated with each record, and based on these, determines whether each record is abnormal data.

  If, for example, a communication record (such as that shown in FIG. 3) in a specific computer is used as the record, an abnormal communication record can be detected, and damage caused by malware or the like can be suppressed.

  As described above, according to the feature extraction apparatus 10 according to Embodiment 1 of the present invention, features can be appropriately and automatically extracted from data including columns representing a plurality of variables. Need not be determined manually.

  For example, if only the record is input in the abnormality detection process by the abnormality detection device 20, there is a possibility that the correlation between the columns may not be properly considered, and the accuracy of abnormality determination is limited. On the other hand, since the feature extraction apparatus 10 outputs the number of features associated with each column set for each record, the abnormality determination can be performed in consideration of the correlation with respect to the combination of columns represented by each column set. Will improve.

  In addition, even when handling a large amount of data, it is easy to output the number of features for all data, and therefore it is not necessary to select only a part of the data. Furthermore, even if the record includes a large number of columns, the number of features can be output comprehensively for all combinations of columns whose correlations to be considered should be examined.

  A record must be defined using a plurality of columns. For example, character string data (such as a proxy server log) in which one record is composed of only a single column is inappropriate.

  In addition, especially when it is desired to detect an ATP attack, the real-time property of abnormality detection processing is emphasized. In this case, a large number of records recorded for a long time are not processed at a time, but in units of seconds. It is preferable to perform the processing by dividing the data in units of minutes and limiting the number of records to be appropriately processed.

  Further, an upper limit may be set for the number of columns according to the processing capability of the computer constituting the feature extraction apparatus 10.

Embodiment 2. FIG.
In the second embodiment, the feature extraction device also functions as an abnormality detection device. That is, the feature extraction device according to the second embodiment has a function of extracting the feature of a record as in the feature extraction device 10 in the first embodiment, and records and records as in the abnormality detection device 20 in the first embodiment. A function is provided for determining whether each record is an abnormal record based on the extracted features.

  In particular, the feature extraction apparatus according to the second embodiment performs two-axis selection and performs abnormality determination based on two-dimensional data. That is, a total of two columns or column sets are selected from the columns and column sets that constitute the acquired data (hereinafter, a pair consisting of the two columns or column sets specified here is referred to as “determination target pair”. It is determined whether or not the record is an abnormal record based on the data value (numerical value) of the determination target pair of each record. In other words, it can be said that the feature extraction device detects an abnormal vector from a plurality of two-dimensional vectors. It is assumed that all records input in Embodiment 2 are digitized.

  FIG. 6 is a flowchart illustrating an example of a flow of abnormality determination processing of the feature extraction device according to the second embodiment. The process of FIG. 6 is started after the process of FIG. 5 is completed, for example.

  First, the feature extraction device acquires a plurality of records and the number of features associated with each record (step S11). It is assumed that the record and the number of features are configured according to the process of FIG. Note that when the process of FIG. 6 is performed subsequent to the process of FIG. 5, Step S <b> 6 and Step S <b> 11 can be omitted.

Next, the feature extraction device generates a determination target pair (step S12). The judgment target pairs are all pairs composed of a total of two columns or column sets, for example. In the example of FIG. 4, since the number of columns is N = 3 and the number of column sets is 7, the total number of columns and column sets is 10, and the number of determination target pairs generated is ₁₀ C _2. It becomes a piece.

  Next, the feature extraction apparatus performs abnormality determination for each determination target pair (step S13, abnormality determination function). If the method of abnormality determination is a method of determining whether each record is an abnormal record using a predetermined abnormality determination rule based on the numerical value of each column of each record or the number of features of each column set, Any thing is acceptable. For example, the method described in Patent Document 2 may be used.

  In the second embodiment, the feature extraction apparatus uses the same abnormality determination rule in step S13 regardless of the columns and column sets that constitute the determination target pair. For example, the determination described in Patent Document 2 for both a determination target pair including column A and column set {A, B} and a determination target pair including column C and column set {A, C}. Use rules. In this way, it is not necessary to set the abnormality determination rules individually, so that the labor for studying the rules can be reduced.

  Next, the feature extraction apparatus outputs a determination result (step S14). For example, a record that is determined to be an abnormal record for any of the determination target pairs is output in association with information indicating that it is an abnormal record. In addition, information indicating that it is a normal record (or not an abnormal record) may be output in association with a record determined to be a normal record for any determination target pair.

  As described above, according to the feature extraction apparatus according to the second embodiment, it is possible to effectively use the large number of features determined according to the first embodiment and perform more appropriate abnormality determination.

In the second embodiment, the following modifications can be made.
In the second embodiment, the abnormality determination function is executed for all determination target pairs, but this may be omitted for some determination target pairs. In particular, with respect to a determination target pair that is unlikely to be able to detect an abnormality appropriately, if the abnormality determination is omitted, the processing speed can be expected to be improved, which is efficient.

  For example, when the determination target pair includes two column sets, the abnormality determination function may not be executed. That is, the abnormality determination function is executed only when at least one of the determination target pairs is a column. In the example of FIG. 4, the abnormality determination is omitted for the determination target pair including the column set {A} and the column set {B}.

  Further, for example, when the determination target pair includes a column and a column set and the column set does not include the column, the abnormality determination function may not be executed. In the example of FIG. 4, considering a determination target pair consisting of column A and column set {B, C}, column A is not included in the column set {B, C}. Omitted.

  Further, for example, when the determination target pair includes a column and the data value of the column is the same for all the records, the abnormality determination function may not be executed. Similarly, when the determination target pair includes a column set and the number of features of the column set is the same for all records, the abnormality determination function may not be executed. In the example of FIG. 4, the column set {A}, the column set {B, C}, and the column set {A, B, C} have the same feature numbers for all the records. Abnormality determination is omitted for a pair of determination targets including or.

The following two methods are conceivable as methods for omitting these abnormality determinations. As a first method, a determination target pair is not generated for a combination that does not execute abnormality determination. In other words, this is a method that excludes step S12.
As a second method, a determination target pair is generated in step S12 and excluded from the determination process in the abnormality determination process in step S13.
Either method can be expected to improve processing efficiency by excluding combinations that are not subject to abnormality determination.

  In the second embodiment, the feature extraction apparatus may include a function (image generation function) for generating an image indicating the relationship between the records. For example, for each determination target pair, an image indicating the position of each record is generated in an orthogonal coordinate system with the columns or column sets constituting the pair as axes. That is, one two-dimensional graph image is generated for each judgment target pair, and in each image, one symbol (graphic or point) for each record is plotted at a position corresponding to each record. . Further, the feature extraction device may output the generated image.

  Furthermore, in an image, about an abnormal record, you may display the mark which shows that it is an abnormal record. For example, a red circle may be displayed around a point indicating an abnormal record. In this way, the user of the feature extraction device can easily grasp the status of the abnormal record.

  Note that the image generation function may be executed for all determination target pairs, or may be omitted for some determination target pairs as in the abnormality determination function.

  In the second embodiment, the same abnormality determination rule is used regardless of the columns and column sets constituting the determination target pair (different abnormality determination rules may be used depending on conditions other than the determination target pair. ). For this reason, it is preferable to execute step S5 to normalize the data value and the number of features. As a modification, different abnormality determination rules may be used depending on the column or column set. In that case, step S5 may be omitted.

  Further, in the second embodiment, the determination target pair is two-dimensional, but when a three-dimensional or higher vector abnormality determination algorithm is used, a determination target set including a total of three or more columns or column sets is generated. May be used.

  The abnormality determination function can also be executed without generating a determination target pair. For example, the feature extraction device may determine whether each record is an abnormal record using a predetermined abnormality determination rule based on the number of features of each record for each column set. As an abnormality determination rule in this case, a rule may be used in which a record having an exceptionally large number of features and a record having an exceptionally small number of features are determined as abnormal records. In the example of the column set {A} in FIG. 4, the number of features is all five, and no exceptionally large or small feature number appears, but only one of the number of features of the column set {A} is 14. A record having a value of 14.01 may be determined as an abnormal record if it is a large value of 01 and the other feature number is a small value within the range of 0 to 0.03. Conversely, if only one of the number of features of the column set {A} is a small value of 0.02, and the other number of features is a large value within the range of 14.00 to 23.00, 0 is assumed. A record having a value of .02 may be determined as an abnormal record. Those skilled in the art can appropriately design an algorithm for realizing such a determination method. For example, a deviation value of each feature number in the column set is calculated, and when an absolute value obtained by subtracting 50 from the deviation value exceeds a predetermined threshold, a record having the feature number may be determined as an abnormal record.

  By using such a determination method, it is possible to perform abnormality determination focusing on the dependency relationship of the variables of each column belonging to the column set. In general, when the variables are independent of each other (there are no dependencies between the variables) and appear only as a specific pattern, the record containing the pattern may be an abnormal record However, according to such a determination method, since the number of features of records including those patterns is large, it is appropriately determined as an abnormal record. Conversely, if there are generally dependencies between these variables and only a small number of records appear independently, the record containing that pattern is likely to be an abnormal record. According to such a determination method, since the number of features of records including those patterns becomes small, it is appropriately determined that the record is an abnormal record.

Furthermore, the following modifications can be made in the first and second embodiments.
If necessary, the data may be preprocessed. In the case of time-series data, sorting is performed in advance on a fine-grained column (for example, a column representing date and time) before preprocessing. For example, the fraction may be rounded and this value may be input to the feature extraction device as a record to be processed. Alternatively, a difference between original records (original data) may be acquired, and this difference may be input to the feature extraction apparatus as a record to be processed. Alternatively, a moving average for each column of the original record may be calculated, and this moving average may be input to the feature extraction apparatus as a record to be processed. You may use the difference of the moving average for every column of the original record. Based on the original record, change point emphasis function such as change point scoring based on two-stage learning is calculated (for example, Kenji Yamanishi “abnormality detection by data mining”, Kyoritsu Publishing, 2009), and the value should be processed You may input into a feature extraction apparatus as a record. The phrase “may be input to the feature extraction apparatus as a record to be processed” may add a column to the original record or replace the column of the original record. A combination of these may be used.

  Of the column set, those having the same feature number for all records may be deleted. For example, in the example of FIG. 4, the column set {A}, the column set {B, C}, and the column set {A, B, C} may be deleted. The timing of deletion may be immediately after step S5, for example.

  In the example of FIGS. 3 and 4, a column set including M columns is generated for all integers M satisfying 1 ≦ M ≦ N with respect to the number N of columns. However, it is not always necessary to generate a column set for every integer M. For at least one of the integers M satisfying 2 ≦ M ≦ N, it is only necessary to generate a column set for all combinations of M columns. For example, in the example of FIG. 4, a column set may be generated only for M = 2 (in this case, the generated column sets are {A, B}, {A, C}, {B, C } Only three).

  Alternatively, for a predetermined upper limit number of columns L (where L is an integer satisfying 2 ≦ L ≦ N), a column set may be generated for all M satisfying 2 ≦ M ≦ L. Does not prevent generating a column set for M = 1). In this way, it is possible to efficiently generate a column set and extract features while suppressing the amount of calculation. Note that L may be stored in advance by the feature extraction apparatus, or an input of an arbitrary value may be accepted.

  Further, after determining or calculating the number of features, the number of features may be updated according to a specific condition before performing abnormality determination. For example, when it is known that variables corresponding to a plurality of columns are independent from each other, the number of features of the column set including those columns may be replaced with the product of the probabilities of each column instead of the frequency. . For example, in the example of FIG. 4, when it is found that the column A and the column B are independent from each other, the number of features of the column set {A, B} is expressed as the occurrence probability of the data value in the column A, It is good also as a product with the appearance probability of the data value in column B.

  This will be described with reference to the record R11 in FIG. 4. The appearance probability of the data value “1” in the column A is 0.5 (that is, the value appears in only 5 out of all 10 records), and the column B The appearance probability of the data value “X” is 0.4 (that is, the value appears for only 4 out of all 10 records). Therefore, if it is known that the column A and the column B are independent from each other, the number of features of the column set {A, B} of the record R11 may be 0.5 × 0.4 = 0.2. Good. In this way, even if variables that are originally independent of each other are accidentally biased, it is possible to perform appropriate abnormality determination while ignoring the accidental bias.

  In Embodiments 1 and 2, the range of normalized data values and feature numbers is [0, 1], but may be normalized to other ranges. For example, it may be [-1, 1], [-0.5, 0.5], or [0, 100].

  10 feature extraction device, 30 column set, S3 column set generation function, S13 abnormality determination function.

Claims (9)

A feature extraction device that extracts features of a record including N columns (where N is an integer of 2 or more),
A function of acquiring a plurality of the records;
A column set generation function for generating a column set for all combinations of M (where M is an integer satisfying 2 ≦ M ≦ N) out of the N columns;
For each of the records, a function for determining the number of features related to each of the column sets, wherein the number of features is a value obtained by combining the data values of all the columns included in the column set of the record, A function for determining the number of features representing the frequency in the column set;
A feature extraction device comprising a function of associating and outputting the number of features to each of the records.   The column set generation function is executed for at least all M satisfying 2 ≦ M ≦ L for a predetermined upper limit column number L (where L is an integer satisfying 2 ≦ L ≦ N). The device described. A function that converts the data value of each column of each record to a numeric value,
For each column, the function to normalize the numerical value of each record,
A function that normalizes the number of features in each record for each column set,
The apparatus according to claim 1, further comprising:   The feature extraction device further includes an abnormality determination function for determining whether each record is an abnormal record using a predetermined abnormality determination rule based on the number of features of each record for each column set. The apparatus as described in any one of 1-3.   The feature extraction apparatus selects a predetermined abnormality determination rule based on a numerical value or a feature number of each record for a determination target pair consisting of a total of two columns or column sets selected from all columns and column sets. The apparatus as described in any one of Claims 1-4 further provided with the abnormality determination function which uses and determines whether each record is an abnormal record. The abnormality determination function is
When the judgment target pair is composed of two column sets, it is not executed,
If the judgment target pair consists of a column and a column set, and the column set does not include the column, it is not executed.
If the determination target pair includes a column and the data value of the column is the same for all the records, it is not executed.
If the judgment target pair includes a column set, and the number of features of the column set is the same for all records, it is not executed.
The apparatus according to claim 5.   The apparatus according to claim 5 or 6, wherein the abnormality determination function is executed using the same abnormality determination rule regardless of a column and a column set constituting the determination target pair. The feature extraction device generates an image indicating a position of each record in an orthogonal coordinate system having a total of two columns or column sets selected from all columns and column sets as axes. A generation function,
The feature extraction device executes the image generation function for all combinations of two columns and columns.
The device according to claim 1.   A program that causes a computer to function as the feature extraction device according to any one of claims 1 to 8.

Images