JP6538615B2 - Abnormality detection device, abnormality detection method and abnormality detection program - Google Patents

Description

  The present invention relates to an abnormality detection device, an abnormality detection method, and an abnormality detection program.

  In a system composed of a large number of servers and devices such as routers, it is necessary for operation to detect hardware abnormalities such as hard disks and memories of each device. Not only in information and communication equipment but also in industrial machines and automobiles having a large number of sensors, there is a demand for detecting machine abnormalities from sensor data such as temperature and acceleration. In addition to equipments, anomaly detection technology is used, for example, in detection of unauthorized use by analyzing credit card usage, detection of Distributed Denial of Service (DDoS) attacks in information security, and detection of malware. It is done.

  As the simplest method of anomaly detection, a method is conceivable in which an anomaly in data is detected by human being directly viewing the data. However, in order to grasp what kind of tendency a large number of data show when it is abnormal, considerable learning is required, so it is difficult for the human eye to make an abnormal judgment. Even if an abnormality can be detected by human eyes, it depends on a specific trained worker, and if the worker disappears, the abnormality can not be detected. In view of the above, it is necessary to mechanically execute the mechanism of anomaly detection in some way.

  As the simplest method of such mechanical abnormality detection, there is a method of providing a threshold value in the data range and determining an abnormality when the threshold value is exceeded. Although this method may work properly, it is generally difficult to determine a reasonable threshold. This is because increasing the threshold may cause an event that the user originally intended to detect as an anomaly to fail, while decreasing the threshold increases events that are determined to be abnormal although they are not abnormal.

  Therefore, LOF has been proposed as a widely used method as an abnormality detection method for detecting a pattern that has not appeared so far and determining that the pattern is abnormal (for example, see Non-Patent Document 1). LOF is a method of calculating local density in data space.

  Specifically, the LOF outputs a small numerical value indicating the degree of abnormality when newly obtained data is present at a high density location in the space of data obtained so far. In other words, the LOF determines that the newly obtained data is not abnormal if the newly obtained data is data similar to the data obtained so far. On the other hand, when the newly obtained data is present at a low density portion, the numerical value representing the degree of abnormality is largely output. In other words, the LOF determines that the newly obtained data is abnormal if the newly obtained data is not similar to the data obtained so far.

  In addition, there is a method of detecting an abnormality from the fact that the relationship is broken when there is any relationship between data. As this method, a method of analyzing whether or not the correlation between plural types of data is maintained, and finding an abnormality from the result has been proposed. In this method, two sets of data are selected, for example, a function that predicts one from the other by simple regression is constructed, and the correlation is considered to be broken because the predicted value is separated from the observed value by a certain amount or more. There is.

M. Breunig, H. Kriegel, R. Ng, and J. Sander, “LOF: Identifying Density-Based Local Outliers”, SIGMOD, Volume 29 Issue 2, 93-104, 2000

  However, in the LOF, there is a problem in that, when there is a correlation between data, even if the data is data that follows the correlation and is originally normal, data that is out of the data set is detected as abnormal. Specifically, the problems of the prior art will be described with reference to FIGS. 13 to 15 are diagrams for explaining an abnormality detection method according to the prior art. FIGS. 13 to 15 are plots of the sets on the coordinate plane, assuming that the sets of X and Y are given as data.

  In FIG. 13, two-dimensional normal distributions with mean vectors of (3, 3) and covariance matrices of [[1, 0.9], [0.9, 1]] as points for a set of X and Y 200 points (open circles) are plotted according to points. Further, a point Pb located at the upper right is a point of (6.5, 6.5). The upper left point Pr is the point (2, 5).

  In this FIG. 13, points are plotted against a set of X and Y by imaging the case where there is a correlation between data as follows. For example, it is assumed that X and Y represent central processing unit (CPU) usage rates of the application server A and the application server B, respectively. A case where the application server A and the application server B equally receive requests from the web server is taken as an example.

  In this case, when the number of accesses to the web server increases and the requests to the application server increase, it is considered that both X and Y rise. Conversely, if the number of accesses to the web server decreases, it is thought that both X and Y fall. In FIG. 13, white circles are examples of data in a normal state. And, the point Pb is an example in the case of taking a value which did not exist until then while maintaining the correlation. Further, the point Pr is an example in the case where the correlation is broken. In the following, it is assumed that a white circle, which is data of a normal state, is given first, and then, a point Pb and a point Pr are given as abnormality detection target data.

  Among these, since the point Pb maintains the correlation that holds in the normal state, it may be determined that it is not abnormal originally. On the other hand, since the point Pr does not follow the correlation established in the normal state, it may be determined as abnormal. However, since the LOF does not take into consideration the relationship between the data, the points Pb and Pr existing at the points where the density of the white circles is low will both output a large numerical value indicating the degree of abnormality. That is, there is a problem that the point Pb is determined to be abnormal at a point Pb that should not be determined to be abnormal.

  On the other hand, in the method of analyzing whether or not the correlation between plural types of data is maintained and finding an abnormality from the result, as shown in FIG. 14 and FIG. There is a problem that it is difficult to detect an abnormality when a certain relationship is observed.

  For example, the white circles in FIG. 14 have a mean vector of (3, 3) and a covariance matrix of 200 points according to a two-dimensional normal distribution of [[1, 0.99], [0.99, 1]] (data group Rb And a point (data group Rb ') obtained by rotating them counterclockwise by (.pi. / 5). In the example of FIG. 14, there are two relationships between data, and it is difficult to determine which correlation the detected data should be compared with. And in this FIG. 14, the correlation coefficient of the point displayed by the white circle is as small as "0.07." Therefore, even in the method of detecting an abnormality because the relationship is broken, in the example shown in FIG. difficult.

  And in FIG. 15, the normal state shows the image at the time of seeing in data, when it comprises three distant groups. White circles in FIG. 15 are data in a normal state. The point Pg is data as an abnormality determination target. Further, the straight line Lb is obtained by calculating a simple regression line (specifically, having a relationship of “Y = 0.9175X + 0.1081”) only from normal white circles, and plotting it in FIG. In FIG. 15, the lower left white circle group (data group Rc) plots 100 points in which X and Y each have a random distribution according to a normal distribution with an average of “0.5” and a standard deviation of “0.1”. It is The group above the straight line Lb on the right (data group Rd) is a random number that follows the normal distribution with an average "3", a standard deviation "0.1", and an average "4" and a standard deviation "0.1". It is a plot of the 20 points taken. The lower group (data group Re) on the right straight line Lb is a random number that follows the normal distribution with an average "4", a standard deviation "0.1", and an average "3" and a standard deviation "0.1". It is a plot of the 20 points taken. In addition, the correlation coefficient of the white circle has a high value of "0.9231".

  Here, the point Pg shown in FIG. 15 is clearly far away from the three white circle data groups Rc to Rd. However, since the position is close to the straight line Lb of the simple regression line, it can not be determined that the point Pg is broken from the correlation corresponding to the straight line Lb simply by comparing the point Pg and the straight line Lb. That is, although the point Pg exists in a distant place when viewed from data in a normal state, the method P for detecting an abnormality is that the point Pg is detected as an abnormality because the relationship is broken. I can not

  The present invention has been made in view of the above, and provides an abnormality detection apparatus, an abnormality detection method, and an abnormality detection program that can accurately execute abnormality detection of detection target data based on the relationship between data. The purpose is to

  In order to solve the problems described above and to achieve the object, the abnormality detection device according to the present invention represents the deviation of the detection data to be detected from the relationship between the data based on the relationship between the data. Deviation value of the comparison data of the deviation value vector calculation unit that calculates deviation value vector and deviation value vector that represents deviation from the relationship between the comparison data to be compared and deviation value vector of the detection data An abnormality degree calculation unit that calculates the degree of discreteness from the set of value vectors as the degree of abnormality, and an abnormality determination unit that determines that the detected data is abnormal when the degree of discreteness exceeds a predetermined threshold value; Have.

  According to the present invention, abnormality detection of detection target data can be accurately performed based on the relationship between data.

FIG. 1 is a block diagram showing an example of the configuration of the abnormality detection device according to the first embodiment. FIG. 2 is a diagram showing an example of a data configuration of a processing target in the first embodiment. FIG. 3 is a diagram showing an example of the calculation process of the difference value vector performed by the difference value vector calculation unit shown in FIG. FIG. 4 is a diagram showing another example of the calculation process of the difference value vector performed by the difference value vector calculation unit shown in FIG. FIG. 5 is a diagram for explaining abnormality degree calculation processing by the abnormality degree calculation unit shown in FIG. FIG. 6 is a diagram for explaining another example of abnormality degree calculation processing by the abnormality degree calculation unit shown in FIG. FIG. 7 is a flowchart showing the procedure of the abnormality detection process performed by the abnormality detection device shown in FIG. FIG. 8 is a diagram for explaining the abnormality detection process according to the first embodiment. FIG. 9 is a diagram for explaining abnormality degree calculation processing according to the third embodiment. FIG. 10 is a diagram for explaining abnormality degree calculation processing according to the third embodiment. FIG. 11 is a diagram for explaining abnormality degree calculation processing and abnormality determination processing according to the third embodiment. FIG. 12 is a diagram illustrating an example of a computer in which an abnormality detection device is realized by execution of a program. FIG. 13 is a diagram for explaining an abnormality detection method according to the prior art. FIG. 14 is a diagram for explaining an abnormality detection method according to the prior art. FIG. 15 is a view for explaining an abnormality detection method according to the prior art.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited by the embodiment. Further, in the description of the drawings, the same portions are denoted by the same reference numerals.

First Embodiment
First, the first embodiment will be described. In the following embodiments, the configuration of the abnormality detection apparatus according to the first embodiment and the flow of processing by the abnormality detection apparatus will be described.

[Configuration of abnormality detection device]
FIG. 1 is a block diagram showing an example of the configuration of the abnormality detection apparatus 10 according to the first embodiment. As shown in FIG. 1, the abnormality detection device 10 according to the first embodiment includes a communication processing unit 11, a control unit 12, and a storage unit 13.

  The communication processing unit 11 controls communication regarding various information exchanged with the terminal device 20 to be connected. For example, the communication processing unit 11 receives, from the terminal device 20, data to be compared, data to be detected, and a request for abnormality detection processing for data to be detected. Also, for example, the communication processing unit 11 transmits the processing result of the abnormality detection processing to the terminal device 20.

  The control unit 12 has a program defining various processing procedures and the like, and an internal memory for storing required data, and executes various processing by these. For example, the control unit 12 is an electronic circuit such as a CPU or a micro processing unit (MPU). The control unit 12 includes a relationship estimation unit 121, a difference value vector calculation unit 122, an abnormality degree calculation unit 123, and an abnormality determination unit 124.

  The relationship estimation unit 121 estimates the relationship between data, and calculates a parameter indicating the relationship between data. For example, for the given data, although the relationship between the data is given as an equation, the parameter is estimated when the equivalent of the parameter is undecided. Specifically, although it is given that the relationship between data X and data Y is a simple regression "Y = aX + b", relationship estimation is made when "a" and "b" are unknown. The part 121 estimates "a" and "b" based on the given data. In this case, it is desirable that the relationship estimation unit 121 use, for parameter estimation, data in a normal state of the device or the like that has output the data, that is, data that does not include abnormal state data.

  The divergence value vector calculation unit 122 calculates a divergence value vector representing the divergence from the relationship based on the relationship between the data. In the first embodiment, the divergence value vector calculation unit 122 calculates, based on the relationship between data, a divergence value vector representing a divergence from the relationship between data of detection data to be detected. Then, the divergence value vector calculation unit 122 calculates, based on the relationship between the data, a divergence value vector representing the divergence from the relationship between the comparison data to be compared. That is, when there is any relationship between the data, the difference value vector calculation unit 122 calculates a value indicating the difference from the relationship for the detection data and the comparison data. The divergence value vector calculation unit 122 may store the divergence value vector between the data in the divergence value vector storage unit 131 of the storage unit 13 (described later). Further, the difference value vector calculation unit 122 applies a parameter indicating the relationship between the data calculated by the relationship estimation unit 121 to the relationship between the data, and calculates a difference value vector between the data. The relationship between the data may be given in advance.

  The abnormality degree calculation unit 123 calculates the degree of discreteness of the divergence value vector of the detection data from the set of divergence value vectors of the comparison data. Specifically, the abnormality degree calculation unit 123 calculates the degree of discreteness based on the spatial distance, the density, and the like from the set of the divergent value vectors of the comparison data of the divergent value vector of the detected data. The degree of discreteness calculated by the abnormality degree calculating unit 123 is used in the determination in the abnormality determining unit 124 (described later) as the abnormality degree indicating the abnormality. Note that the abnormality degree calculation unit 123 may calculate the degree of discreteness using a divergence value vector stored in the divergence value vector storage unit 131 (described later).

  The abnormality determination unit 124 determines that the detection data is abnormal when the degree of discreteness calculated by the abnormality degree calculation unit 123 exceeds a predetermined threshold. The abnormality determination unit 124 determines that the detection data is normal when the degree of discreteness is equal to or less than a predetermined threshold. The determination result by the abnormality determination unit 124 is output to, for example, the terminal device 20 via the communication processing unit 11 as an abnormality detection result.

  The storage unit 13 is realized by a semiconductor memory device such as a random access memory (RAM) or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the abnormality detection apparatus 10 Data used during the execution of are stored. The storage unit 13 includes a divergence value vector storage unit 131 that stores the divergence value vector calculated by the divergence value vector calculation unit 122.

[Example of data to be processed]
Next, an example of data to be processed in the abnormality detection device 10 will be described. FIG. 2 is a view showing an example of the data configuration of the processing target in the abnormality detection apparatus 10. As shown in FIG.

As shown in FIG. 2, for example, it is assumed that N types of data “X ¹ ” to “X ^N ” are given as detection data. In FIG. 2, “x ⁿ _m ” is an observation value at m of the n-th data. The subscript "m" means the observed point or time. For example, when “X ¹ ” to “X ^N ” indicate user “N” from user “1” and the data element indicates the presence or absence of purchase of the product “m”, data having the same subscript is purchase of the same product Means the presence or absence of Alternatively, if “X ¹ ” to “X ^N ” indicate the CPU utilization of server “1” to server “N” and the data element represents the CPU utilization at time “m”, data with the same subscript is It means that observation time is equal.

[Processing of relationship estimation unit]
The relationship estimating unit 121 estimates the relationship that holds between the "X ^1" - "X ^N", calculates a parameter indicating the relationship between "X ^1" - "X ^N".

  In this case, it is desirable that the relationship estimation unit 121 use, for parameter calculation, data in a normal state of the device or the like that has output the data, that is, data that does not include abnormal state data. Whether the data is normal or not may be determined from the fact that the device was normal. In addition, whether or not the data is in a normal state may be determined by visual recognition based on the fact that the data is not included and the data corresponding to the abnormal value is not included. This is because, in the abnormality detection in the abnormality determination unit 124, an index that “different from normal” is regarded as “abnormal” is used. Furthermore, the sensitivity of abnormality detection can be expected to be improved by estimating the relational expression that holds for data in a normal state using only normal data in the relationship estimation unit 121.

  For example, although the relationship between data is given as a formula, when the thing equivalent to a parameter is undecided, the relationship estimation part 121 estimates this parameter. Specifically, although it is given that the relationship between data X and data Y is a simple regression "Y = aX + b", relationship estimation is made when "a" and "b" are unknown. The part 121 estimates "a" and "b" based on the given data.

In addition, as the relationship between the data, for example, when the multiple regression equation in which ^{one of} “X ¹ ” to “X ^N ” is an objective variable and the rest is an explanatory variable is given as the relationship between the data, Find the regression equation parameters. Further, the relationship estimation unit 121 selects two sets of “X ¹ ” to “X ^N ” as the relationship between data, and sets one as an objective variable for each two sets, and the other as an explanatory variable. If a single regression equation is given, the parameters of this single regression equation are determined.

Alternatively, in the case where each “X ^N ” is series data and an autoregressive equation or a vector autoregression equation for predicting the future from past data is given as the relationship between data, the relationship estimation unit 121 performs this autocorrelation. Parameters of regression equation or vector autoregression equation may be obtained. In the case where the suffixes “1, 2,..., M,...” Have orderness, for example, this is the case where the CPU utilization of the above-mentioned server is data.

  Further, the relationship between data may be modeled by a mixture distribution model, or may be represented by an equation representing a more complicated non-linear relationship. For example, some probability distribution may be used to represent the relationship between data. For example, when the relationship between data is expressed by a mixed distribution model having “K” number of clusters, the relationship estimation unit 121 obtains a parameter of the relational expression shown in equation (1).

In the present embodiment, when the relationship that holds between “X ¹ ” and “X ^N ” is given in advance, the calculation process of the relationship estimation unit 121 can be omitted.

[Process of deviation value vector calculation unit]
Subsequently, the divergence value vector calculation unit 122 calculates the divergence value vector from the relationship established between “X ¹ ” to “X ^N ” and “X ¹ ” to “X ^N ”. FIG. 3 is a diagram illustrating an example of calculation processing of the divergence value vector performed by the divergence value vector calculation unit 122.

In the example shown in FIG. 3, the divergence value vector is calculated for each subscript "m". Further, in this example, data “X ¹ ” to “X ^N ” shown in FIG. 3 are given, and the relationship established between “X ¹ ” to “X ^N ” is “F (X ¹ , X ² ,..., X ^N ) = 0. In this example, it is assumed that the relational expression is a multiple regression that uses any one of “X ¹ ” to “X ^N ” as a target variable and the rest as an explanatory variable.

Specifically, the “deviation value of X ¹ ” in FIG. 3 is estimated using the relationship from the observed value “x ¹ _m ” at the subscript “m” and the data observed at “m” This is the difference between the value of X ^{1 and} the value “F (x ¹ _m , x ² _m ,..., X ^N _m )”. Further, "divergence values of X ^2" is the observed value of the subscript "m" and "x ² _m" from the observed data in the "m", the value of "X ^2" which is estimated using the relationship " _{^{F (x 1 m, x 2}} m, ···, x N m) and "a difference. The difference value vector calculation unit 122 calculates each difference value of “X ¹ ” to “X ^N ” by performing the calculation process shown in FIG. 3. Then, as shown in FIG. 3, the divergence value vector calculation unit 122 outputs, as a divergence value vector, a divergence value calculated from a plurality of types of data having the common subscript “m”.

Also, the relationship between data is not limited to the case where one relationship is given to all data, such as “F (X ¹ , X ² ,..., X ^N ) = 0”, but also data It may be given for a set of For example, in the case where two sets are selected from “X ¹ ” to “X ^N ”, and relevance is given by a single regression equation in which one set is an objective variable and the other set is an explanatory variable. Then, with reference to FIG. 4, the calculation process of the divergence value vector in this case is demonstrated. FIG. 4 is a diagram showing another example of the calculation processing of the divergence value vector performed by the divergence value vector calculation unit 122. As shown in FIG.

As shown in FIG. 4, for example, "divergence values viewed from X ² of X ¹ 'is the observed value of the subscript" m "and" x ¹ _m ", from the observed data in the" m "," X ¹ "and" relationship between ^{X 2} "," the value of ^{"X 1"} which is estimated using the ^{F 12} "" _{^{F 12 (x 1 m, x}} 2 m) ", the difference of a deviation value. The divergence value vector calculation unit 122 calculates “a divergence value viewed from X ^{2 of} X ¹ ” to “a divergence value viewed from X ^N of X ^{N −1} ” by performing the calculation process shown in FIG. 4. Then, as shown in FIG. 4, the divergence value vector calculation unit 122 outputs, as a divergence value vector, divergence values calculated from a plurality of types of data having a common subscript “m”.

Although not particularly specified in FIG. 4, it may be considered that the relationship between data holds for only some combinations. For example, correlation coefficient is large between “X ¹ ” and “X ² ”, while correlation coefficient is small between “X ¹ ” and “X ³ ”. It is a case that is not recognized. In such a case, the divergence value vector calculation unit 122 may calculate the divergence value only for those for which the relationship is recognized.

Further, when the relationship between data is expressed by the mixed distribution model represented by equation (1), the divergence value vector calculation unit 122 determines the degree of belonging to each cluster defined by the following equation (2). Calculate m _k ". The larger the degree of attribution, the higher the degree of attribution to the cluster, that is, the closer to the center point of the cluster. In other words, it can be said that the greater the degree of attribution, the smaller the degree of deviation from that cluster.

In this case, the divergence value vector calculation unit 122 sets “(m ₁ , m ₂ ,..., M _K )” as the divergence value vector with respect to the degree of attribution “m _k ” calculated using equation (2). Ask for Alternatively, the divergence value vector calculation unit 122 may use a negative value vector such as “−logΣπ ^k P (x | θ ^k )” as the divergence value vector with respect to the degree of membership “m _k ” calculated using equation (2). The log likelihood of may be calculated. In this case, the divergence value vector is one-dimensional.

  By performing the calculation processing as described above, the divergence value vector calculation unit 122 calculates the divergence value vector representing the divergence from the relationship between the detection data and the comparison data based on the relationship between the data. Do. Generally, a plurality of comparison data exist. Of course, the comparison data may be one.

[Processing of abnormality degree calculation unit]
Next, the process of the abnormality degree calculator 123 will be described. The abnormality degree calculation unit 123 calculates the degree of discreteness using the divergence value vector calculated from the detection data and the divergence value vector calculated from the comparison data by the divergence value vector calculation unit 122.

  Specifically, the abnormality degree calculation unit 123 calculates how far apart the deviation value vector of the detection data is from the set of the deviation value vectors of the comparison data. In this case, using the k-NN (k-nearest neighbor method) method, for example, the anomalous degree calculating unit 123 determines how far away the divergence value vector of the detection data is from the set of divergence value vectors of comparison data. Calculate if A case where the abnormality degree calculator 123 calculates the degree of discreteness using the k-NN method will be described with reference to FIG.

  FIG. 5 is a diagram for explaining abnormality degree calculation processing by the abnormality degree calculation unit 123. As shown in FIG. FIG. 5 is a diagram in which each divergence value vector calculated by the divergence value vector calculation unit 122 from the comparison data and the detection data is plotted with respect to the dimensions 1 to 3 of the divergence value vector. In FIG. 5, a white circle data group R1 located near the origin corresponds to the divergence value vector calculated from the comparison data. The point P1 corresponds to the divergence value vector calculated from the detection data (see (1) in FIG. 5). In the k-NN method, the distance to the k-th closest point Pk as calculated from the point P1 corresponding to the deviation value of the detection data is calculated as the abnormality degree (discrete degree) (see (2) in FIG. 5). Here, "k" is a parameter and is set using heuristics.

  Further, the abnormality degree calculating unit 123 may calculate how much the spatially separated position of the difference value vector of the detection data exists from the set of difference value vectors of the comparison data. In this case, the abnormality degree calculation unit 123 calculates, for example, how far the divergence value vector of the detected data is spatially separated from the set of the divergence value vectors of the comparison data using the LOF.

  FIG. 6 is a diagram for explaining another example of abnormality degree calculation processing by the abnormality degree calculation unit 123. As shown in FIG. LOF is a method of calculating local density in space. The white circle data group R1 in FIG. 6 is a group of points corresponding to the divergence value vector of the comparison data, and the point P1 is a point corresponding to the divergence value vector calculated from the detection data ((1) in FIG. 6). reference).

  Specifically, the average of the distances to the points Pk close to the k-th point from the deviation value (point P1) of the detected data is the points to the point Pm near the m-th points from the k-th point Pk A value divided by the average of the distances is calculated as an abnormality (discrete degree) (see (2) in FIG. 6). For example, if the point P1 corresponding to the divergence value vector of the detection data is at a high density position of the data group R1, the average of the distance from the point P1 to the point Pk closest to the kth becomes small, and the point Pk Since the distance from the point to point Pm also decreases, the degree of discreteness decreases. On the other hand, when the point P1 is at a position where the density of the data group R1 is low, the average of the distance from the point P1 to the point Pk closest to the k-th becomes large, so the degree of discreteness decreases. Note that “k” and “m” are parameters and are set using heuristics.

Further, by limiting the comparison data to data in a normal state, it is possible to enhance the abnormality detection accuracy of the abnormality determination unit 124 described later. The definition of "normal state data" is as described above. In addition, when only data in a normal state is used as comparison data, it should be noted that the divergence value vector is spatially concentrated locally. For example, when the divergence value vector is calculated using the method described in FIGS. 5 and 6, the divergence value vector is spatially concentrated near the origin. When the divergence value vector is defined as (m ₁ , m ₂ ,..., M _K ) with respect to the degree of membership “m _k ” shown in the equation (2), the divergence value vector is spatially Concentrate on K clusters.

  Also, detection data and comparison data may be provided separately. For example, the CPU usage rates of a plurality of servers for a specific past one day are delivered to the abnormality detection apparatus 10 as comparison data, and the detection data is sequentially delivered when the abnormality detection apparatus 10 is operated. In such a case, it is not efficient in terms of computational resources to recalculate the difference value vector of the comparison data each time the data to be detected arrives. Therefore, the difference value vector storage unit 131 of the storage unit 13 stores the difference value vector of the comparison data so that the difference value of the comparison data does not need to be recalculated in such a case. When the divergence value vector storage unit 131 is used, the abnormality degree calculation unit 123 compares the divergence value vector of the detection data with the divergence value vector stored in the divergence value vector storage unit 131.

  Also in the case where the divergence value vector storage unit 131 is used, the abnormality detection accuracy can be enhanced by storing only the divergence value vector calculated from the data in the normal state as the comparison data.

[Process of abnormality determination unit]
The abnormality determination unit 124 determines that the detection data is abnormal when the degree of discreteness calculated by the abnormality degree calculation unit 123 exceeds a predetermined threshold. The abnormality determination unit 124 determines that the detection data is normal when the degree of discreteness is equal to or less than a predetermined threshold.

  Here, the threshold that is the reference of the determination is a preset one. Alternatively, when there is test data, a specific data in the test data, that is, an abnormality degree in data when an abnormality occurs may be set as a threshold. Alternatively, it may be considered that the degree of abnormality in the test data follows an appropriate probability distribution, and a value such as the top 5% or the top 1% may be set as the threshold. The determination result by the abnormality determination unit 124 is output to, for example, the terminal device 20 via the communication processing unit 11 as an abnormality detection result.

[Flow of anomaly detection processing]
Next, the abnormality detection process performed by the abnormality detection device 10 will be described. FIG. 7 is a flowchart showing the procedure of the abnormality detection process performed by the abnormality detection apparatus 10.

  First, in the abnormality detection device 10, the relationship estimation unit 121 performs a relationship estimation process of estimating the relationship between the data with respect to the input data, and calculating a parameter indicating the relationship between the data (see FIG. Step S1). The relationship estimation unit 121 uses, for parameter estimation, data of a normal state of the device or the like that has output the data, that is, data that does not include abnormal state data. This step S1 can be omitted if the relationship established between the data is given in advance.

  Then, the divergence value vector calculation unit 122 executes the divergence value vector calculation processing for calculating the divergence value vector between the data in the set of detection data to be detected and the comparison data based on the relationship between the data. (Step S2). Here, when the comparison data is given in advance, the difference value vector calculation unit 122 calculates a difference value vector between data in the set of comparison data, and stores the difference value vector in the difference value vector storage unit 131.

  Subsequently, the abnormality degree calculation unit 123 performs abnormality degree calculation processing for calculating the degree of discreteness of the deviation value vector of the detection data from the set of deviation value vectors of the comparison data as the abnormality degree (step S3). When the difference value vector of the comparison data is calculated in advance and stored in the difference value vector storage unit 131, the abnormality degree calculation unit 123 reads out the difference value vector of the comparison data from the difference value vector storage unit 131, Obtain a set of divergence value vectors of comparison data.

  Then, the abnormality determination unit 124 performs abnormality determination processing to determine whether the detected data is abnormal based on the discrete degree calculated by the abnormality degree calculation unit 123 (step S4). In this case, the abnormality determination unit 124 determines that the detection data is abnormal when the degree of discreteness calculated by the abnormality degree calculation unit 123 exceeds a predetermined threshold. On the other hand, the abnormality determination unit 124 determines that the detection data is normal when the degree of discreteness is equal to or less than a predetermined threshold. The abnormality determination unit 124 outputs the determination result as the abnormality detection result to the terminal device 20 via the communication processing unit 11, and ends the abnormality detection process.

[Specific example of abnormality detection processing]
FIG. 8 is a diagram for explaining the abnormality detection process according to the first embodiment. FIG. 8 is a plot of the set on the coordinate plane, given the set of X and Y as data. The white circles in FIG. 8 correspond to comparison data in a normal state. In addition, the point Pb is an example in the case where the correlation is maintained and a value which has not existed until then is taken. The point Pr is an example when the correlation is broken. Moreover, based on the comparison data (white circle in FIG. 8) that is normal, a simple regression “Y = aX + b” indicated by a straight line Lt is given as the relationship between X and Y.

  The point Pb shown in FIG. 8 is assumed to be normal because it is located on the straight line Lt and maintains the correlation established when it is normal. Here, in the LOF conventionally used, the relationship between the data is not taken into consideration, and the point Pb and the point Pr existing at the point where the density of the white circles is low are detected as abnormal.

  On the other hand, in the first embodiment, the difference value vector between data in the set of detection data and the difference value vector between data in the set of comparison data are calculated based on the relationship between the data, An abnormality determination is performed with the degree of discrepancies from the set of deviation value vectors of comparison data as the deviation value vector of detection data as the abnormality degree.

  For example, the case where point Pb is detection data is taken as an example. Since this point Pb is located on the straight line Lt, it can be said that "X, Y" shown at the point Pb has a relationship of "Y = aX + b" shown by the straight line Lt. Therefore, for "X, Y" shown at this point Pb, the divergence value vector for "Y = aX + b" shown by straight line Lt is calculated, and the divergence value vector of the comparison data (white circle) of the divergence value vector that is normal. When the discrete degree from the set of is calculated, it becomes almost 0, and it can be detected that the point Pb is normal.

  On the other hand, the case where point Pr is detection data will be described. Since this point Pr is far from the straight line Lt, it can be said that "X, Y" shown at the point Pr does not have the relationship of "Y = aX + b". Therefore, the divergence value vector for "Y = aX + b" indicated by straight line Lt of "X, Y" shown at this point Pr is calculated, and the divergence value vector of the comparison data (white circle) which is normal for that divergence value vector. If we calculate the degree of discreteness from the set of, the value becomes large and we can detect that Pr is anomalous.

  Thus, the anomaly detection apparatus 10 introduces the concept of a divergence value vector, and based on the spatial distance and density of the divergence value vector of the data to be detected and the set of divergence value vectors of comparison data that is normal. The discreteness degree (abnormality degree) is calculated to determine the presence or absence of abnormality in the detected data. Therefore, when there is a correlation between the data, the abnormality detection device 10 is normal when the data (for example, the point Pb) which is on the correlation but deviates from the set of comparison data and can be assumed to be normal is normal. Can be detected.

  Also, as shown in FIG. 14 and FIG. 15, even in the case where complex relationships between data are not found to be mere correlations, the accuracy of abnormality detection can be achieved by the concept of the difference value vector from the relationship between the data. It can be done well.

[Effect of Embodiment 1]
As described above, in the first embodiment, the concept of the difference value vector is introduced, and a set of difference value vectors of detected data and a set of difference value vectors of comparison data that are normal calculated based on the relationship between data. To calculate the degree of abnormality (the degree of abnormality) based on the spatial distance and density of the object and to determine the presence or absence of the abnormality in the detection data, accurately execute the abnormality detection of the detection target data based on the relationship between the data be able to.

Second Embodiment
Next, the second embodiment will be described. In the second embodiment, the Mahalanobis distance based on the difference value vector of the detection data and the comparison data is calculated as the discrete degree, and the presence or absence of abnormality is determined. The abnormality detection apparatus according to the second embodiment has the same configuration as the abnormality detection apparatus 10 shown in FIG.

  In the second embodiment, as in the first embodiment, the divergence value vector calculation unit 122 calculates the divergence value vector between data in the set of detection data to be detected based on the relationship between the data. Then, the divergence value vector calculation unit 122 calculates a divergence value vector between data in the set of comparison data. As in the first embodiment, when the comparison data is given in advance, the divergence value vector calculation unit 122 calculates the divergence value vector between the data in the set of comparison data, and calculates the divergence value vector storage unit. It may be stored in 131.

Then, assuming that the difference value vectors of the comparison data follow the multidimensional normal distribution, the abnormality degree calculation unit 123 calculates an average and a covariance matrix of the difference value vectors. Subsequently, the abnormality degree calculation unit 123 calculates the Mahalanobis distance defined by the equation (3), and outputs this Mahalanobis distance as a discrete degree (abnormality degree).

The abnormality determination unit 124 determines that the detection data is abnormal when the Mahalanobis distance calculated by the abnormality degree calculation unit 123 exceeds a certain threshold. On the other hand, the abnormality determination unit 124 determines that the detection data is normal when the Mahalanobis distance calculated by the abnormality degree calculation unit 123 is equal to or less than a certain threshold. In the second embodiment, it is assumed that the divergence value vector of the comparison data conforms to the multidimensional normal distribution, and in this case, the Mahalanobis distance of the divergence value vector approximates to the x-square distribution. The threshold can be determined on the basis of this. Such a method is called Hotelling's T ² test (see "Takeuchi Uchi, Statistical Dictionary P112, Toyo Keizai Shimbun, 1989").

[Effect of Embodiment 2]
As described above, in the second embodiment, the Mahalanobis distance is calculated as the degree of discreteness, and the presence or absence of abnormality is determined based on the comparison result of the calculated Mahalanobis distance and a predetermined threshold. Since the Mahalanobis distance is calculated based on the difference value vector of the detection data and the comparison data based on the relationship between the data, in the second embodiment, the relationship between the data is the same as the first embodiment. It is possible to accurately execute abnormality detection of detection target data based on.

Third Embodiment
Next, the third embodiment will be described. The abnormality detection device according to the third embodiment has the same configuration as the abnormality detection device 10 shown in FIG.

  Further, as in the first embodiment, the divergence value vector calculation unit 122 calculates the divergence value vector between data in the set of detection data to be detected based on the relationship between the data. Then, the divergence value vector calculation unit 122 calculates a divergence value vector between data in the set of comparison data. As in the first embodiment, when the comparison data is given in advance, the divergence value vector calculation unit 122 calculates the divergence value vector between the data in the set of comparison data, and calculates the divergence value vector storage unit. It may be stored in 131. Therefore, next, the process of the abnormality degree calculator 123 will be described.

[Processing of abnormality degree calculation unit]
In the third embodiment, the abnormality degree calculation unit 123 is further abbreviated as One-class Support Vector Machine (hereinafter referred to as "One-class SVM". For details, see "B. Scholkopf, JC Platt, J. Shawe-Taylor, AJ. Based on the concept of “Smola, and RC Williamson,“ Estimating the Support of High-Dimensional Distribution ”, Neural Computation, 13 (7): 1443-1471, 2001. Estimate the area that contains

  Concretely, with reference to FIG. 9, the process which calculates | requires a discrete degree (abnormality degree) is demonstrated. FIG. 9 is a diagram for explaining abnormality degree calculation processing according to the third embodiment. FIG. 9 is a map of deviation value vectors of data in a predetermined high-dimensional space.

  Based on the One-class SVM, the degree-of-abnormality calculation unit 123 maps the difference value vector of the comparison data, which is normal data, to a high-dimensional space (dimension 1 and dimension 2 of φ in FIG. 9). Then, the abnormality degree calculation unit 123 obtains a plane (hyperplane) such that the distance (margin) from the origin of the point corresponding to the difference value vector of the mapped comparison data is maximized. This plane is shown as a hyperplane Le in the example of FIG. The hyperplane Le corresponds to the boundary of the set of divergence value vectors of comparison data that is normal, and in fact, the point indicating the divergence value vector of the mapped comparison data is on the origin side of the hyperplane Le It is not located.

  Subsequently, the abnormality degree calculation unit 123 maps the difference value vector of the detection target data into the same high-dimensional space as the high-dimensional space mapped to the comparison data. For example, as shown in FIG. 9, each point indicating the difference value vector of the mapped detection data is divided into a group R2 on the origin side and a group R3 not on the origin side when viewed from the hyperplane Le. The degree-of-abnormality calculation unit 123 calculates the degree of discreteness (degree of abnormality) based on whether the point corresponding to the difference value vector of the mapped detection data is on the origin side as viewed from the hyperplane Le.

Therefore, the calculation process in the abnormality degree calculation unit 123 will be described with reference to FIG. FIG. 10 is a diagram for explaining abnormality degree calculation processing according to the third embodiment. First, the difference value vector of the comparison data is set to “e ₁ , e ₂ ,..., E _M ”. With respect to the difference value vector of the comparison data, a minimization problem is solved in which the equation G (see equation (A) shown in FIG. 10) is minimized under the conditions shown in equations (B) and (C). The symbol "<,>" represents an inner product.

This problem, as hyperplane, the distance of each data ( "phi (vector e _m)", when the "d _m", and attempts to find a hyperplane that maximizes the smallest d _m. In other words And we try to find the hyperplane parameters "vector w" and "p" which maximize the distance to the data closest to the hyperplane.

  This minimization problem can be solved by Lagrange's undetermined multiplier method which minimizes “L” shown in the following equation (4). The first line of the equation (4) is G itself, and the second line of the equation (4) reflects the constraint shown in the equation (B) of FIG. 10, and the third line of the equation (4) 10 reflects the constraint shown in the equation (C) of FIG.

FIG. 11 is a diagram for explaining abnormality degree calculation processing and abnormality determination processing according to the third embodiment. The abnormality degree calculation unit 123 calculates the abnormality degree with respect to the deviation value vector “e ′” of the detection data by the expression f (e ′) shown in FIG. 11 when the deviation value vector of the abnormality data is “e ′”. . Formula f (e ') is (4) by applying the parameter obtained by the formula, and that the mapping divergence value vector of the comparison data to "e _m' in high-dimensional space, divergence value vector of the detection data" e '" To calculate the degree of anomaly based on the distance between the point mapped to the high-dimensional space. Whether the point corresponding to the difference value vector of the mapped detection data is on the origin side with respect to the hyperplane Le or not by performing calculation using this equation f (e ′) Can be determined.

  As described above, according to the above-described One-class SVM, the abnormality degree calculation unit 123 determines whether the point indicating the difference value vector of the mapped detection data is on the origin side as viewed from the plane (for example, the hyperplane Le) or Using the equation f (e '), it is calculated whether or not it is on the origin side as viewed from the plane.

[Process of abnormality determination unit]
Then, in the third embodiment, when the point indicating the deviation value vector of the mapped detection data is on the origin side as viewed from the plane, the abnormality determination unit 124 determines that the detection data is abnormal. On the other hand, when the point indicating the difference value vector of the mapped detection data is not on the origin side as viewed from the plane, the abnormality determination unit 124 determines that the point is normal. For example, the abnormality determination unit 124 determines that the detection data is abnormal for the group R2 on the origin side as viewed from the hyperplane Le among the points indicating the difference value vector of the mapped detection data illustrated in FIG. 9. judge. On the other hand, the abnormality determination unit 124 determines that the detection data is normal for the group R3 which is not on the origin side as viewed from the hyperplane Le (see the frame B1 in FIG. 9).

  Here, the abnormality determination unit 124 determines the degree of abnormality obtained by the equation (e ′) for the detection data, and the parameter (ρ tilda) corresponding to the hyperplane obtained by the above-described undetermined multiplier method (equation (4)) The presence or absence of abnormality of detection data is determined by comparing. That is, as shown in FIG. 11, when the abnormality degree f (e ′) of the detection data is smaller than the parameter (チ ル tilde) from the equation (4), the abnormality determination unit 124 determines that the detection data is a hyperplane. It is determined that the detected data is abnormal by determining that it is closer to the origin than Le. On the other hand, when the degree of abnormality f (e ′) of the detection data is larger than the parameter (ρ tilde), the abnormality determination unit 124 determines that the detection data is not on the origin side with respect to the hyperplane Le. Determine that it is normal.

[Effect of Third Embodiment]
As described above, in the third embodiment, the difference value vector of the comparison data is mapped to the high-dimensional space to obtain a hyperplane at which the distance from the origin is maximized. Then, in the third embodiment, when the divergence value vector of the detection data is mapped to the high-dimensional space, based on whether or not the point corresponding to the mapped divergence value vector is on the origin side with respect to the hyperplane. The degree of abnormality is calculated to determine the presence or absence of an abnormality. That is, also in the third embodiment, as in the first embodiment, the distance between the difference value vector of the detected data and the set of difference value vectors of the comparison data which is normal, calculated based on the relationship between the data. Since the presence or absence of abnormality of detection data is determined by this, abnormality detection of detection object data based on the relationship between data can be performed accurately.

[About the system configuration of the embodiment]
Each component of the abnormality detection device 10 illustrated in FIG. 1 is functionally conceptual, and does not necessarily have to be physically configured as illustrated. That is, the specific form of the distribution and integration of the functions of the abnormality detection apparatus 10 is not limited to that illustrated, but all or a part thereof may be functionally or physically in any unit depending on various loads, usage conditions, etc. Can be distributed or integrated.

  In addition, each process performed in the abnormality detection apparatus 10 may be realized by all or any part of a CPU (Central Processing Unit) and a program analyzed and executed by the CPU. Further, each process performed in the abnormality detection apparatus 10 may be realized as hardware by wired logic.

  Further, among the processes described in the embodiment, all or part of the processes described as being automatically performed can be manually performed. Alternatively, all or part of the processing described as being performed manually may be performed automatically by a known method. In addition, the information including the above-described and illustrated processing procedures, control procedures, specific names, various data and parameters can be appropriately changed unless otherwise specified.

[program]
FIG. 12 is a diagram illustrating an example of a computer in which the abnormality detection device 10 is realized by executing a program. The computer 1000 includes, for example, a memory 1010 and a CPU 1020. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. Disk drive interface 1040 is connected to disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, the display 1130.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the abnormality detection apparatus 10 is implemented as a program module 1093 in which a code executable by the computer 1000 is described. The program module 1093 is stored, for example, in the hard disk drive 1090. For example, the hard disk drive 1090 stores a program module 1093 for executing the same processing as the functional configuration of the abnormality detection apparatus 10. The hard disk drive 1090 may be replaced by a solid state drive (SSD).

  The setting data used in the process of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as needed, and executes them.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, and may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN, etc.). The program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

  Although the embodiment to which the invention made by the inventor is applied has been described above, the present invention is not limited by the description and the drawings that form a part of the disclosure of the present invention according to the present embodiment. That is, all other embodiments, examples, operation techniques and the like made by those skilled in the art based on the present embodiment are included in the scope of the present invention.

DESCRIPTION OF SYMBOLS 10 abnormality detection apparatus 11 communication processing part 12 control part 13 memory | storage part 121 relationship estimation part 122 difference value vector calculation part 123 abnormality degree calculation part 124 abnormality determination part 131 difference value vector storage part

Claims (14)

Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the multiple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the multiple regression equation A deviation value vector calculation unit that calculates a vector,
An abnormality degree calculation unit that calculates the degree of discreteness of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as the degree of abnormality.
An abnormality determination unit that determines that the detection data is abnormal when the degree of discreteness exceeds a predetermined threshold;
An abnormality detection device characterized by having.   Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the simple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the simple regression equation A deviation value vector calculation unit that calculates a vector,
  An abnormality degree calculation unit that calculates the degree of discreteness of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as the degree of abnormality.
An abnormality determination unit that determines that the detection data is abnormal when the degree of discreteness exceeds a predetermined threshold;
  An abnormality detection device characterized by having.   Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observed value of the comparison data to be compared, and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation A deviation value vector calculation unit that calculates a vector,
  An abnormality degree calculation unit that calculates the degree of discreteness of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as the degree of abnormality.
An abnormality determination unit that determines that the detection data is abnormal when the degree of discreteness exceeds a predetermined threshold;
  An abnormality detection device characterized by having. The apparatus further includes a divergence value vector storage unit that stores the divergence value vector calculated by the divergence value vector calculation unit,
The abnormality detection device according to any one of claims 1 to 3, wherein the abnormality degree calculation unit calculates the degree of discreteness using a divergence value vector stored in the divergence value vector storage unit. The information processing apparatus further includes a relationship estimation unit that estimates a relationship between the data and calculates a parameter indicating the relationship between the data,
The said difference value vector calculation part is characterized by applying the parameter which shows the relationship between the said data which the said relationship estimation part calculated to the relationship between the said data, and calculating the said difference value vector. The abnormality detection device according to any one of 1 to 4 . The abnormality degree calculating unit, wherein the said deviation value vector of the detection data, from the set of divergence value vector of the comparative data, based on the spatial distance and density, and calculates the discrete degree The abnormality detection device according to any one of Items 1 to 5 . The abnormality degree calculation unit calculates an average of the difference value vectors of the comparison data and a covariance matrix of the difference value vectors of the comparison data, and calculates a difference value vector of the detection data and a difference value vector of the comparison data. 6. The Mahalanobis distance determined based on the average of R and the covariance matrix of the difference value vector of the comparison data is calculated as the degree of discreteness according to any one of claims 1 to 5 . Abnormality detection device. The abnormality degree calculation unit obtains a plane where the distance from the origin at a point corresponding to the mapped difference value vector is maximized when the difference value vector of the comparison data is mapped to the high dimensional space, and When the difference value vector is mapped to the high-dimensional space, the degree of discreteness is calculated based on whether or not a point corresponding to the mapped difference value vector is on the origin side as viewed from the plane. The abnormality detection device according to any one of claims 1 to 5 . An anomaly detection method executed by an anomaly detection apparatus that detects the presence or absence of an anomaly with respect to a set of detection data to be detected,
Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the multiple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the multiple regression equation Calculating a vector, and
Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
An abnormality detection method characterized by including:   An anomaly detection method executed by an anomaly detection apparatus that detects the presence or absence of an anomaly with respect to a set of detection data to be detected,
  Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the simple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the simple regression equation Calculating a vector, and
  Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
  An abnormality detection method characterized by including:   An anomaly detection method executed by an anomaly detection apparatus that detects the presence or absence of an anomaly with respect to a set of detection data to be detected,
  Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observed value of the comparison data to be compared, and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation Calculating a vector, and
  Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
  An abnormality detection method characterized by including: Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the multiple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the multiple regression equation Calculating a vector, and
Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
An anomaly detection program to make a computer execute.   Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the simple regression equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observation value of the comparison data to be compared, and the value estimated from the observation value based on the relationship between the data represented by the simple regression equation Calculating a vector, and
  Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of the deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
  An anomaly detection program to make a computer execute.   Based on the relationship between the data, the difference between the observed value of the detected data to be detected and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation A divergence value representing a divergence that is the difference between the representing value value vector representing, the observed value of the comparison data to be compared, and the value estimated from the observed value based on the relationship between the data represented by the autoregressive equation Calculating a vector, and
  Calculating the degree of discrepancies of the deviation value vector of the detection data from the set of deviation value vectors of the comparison data as a degree indicating an abnormality;
Determining that the detection data is abnormal if the degree of discreteness exceeds a predetermined threshold;
  An anomaly detection program to make a computer execute.

Images