JP6574332B2 - Data analysis system - Google Patents

Description

  The present invention relates to information processing technology. The present invention also relates to a data analysis technique for countermeasures against security breaches in computer systems.

  Cyber attacks that are regarded as criminal acts on the network are increasing. Security breach by cyber attack includes intrusion by unauthorized access using malware or denial of service attacks. Security breaches are very difficult to prevent completely because of sophisticated techniques, clever tricks, and distribution of attack tools.

  General countermeasure techniques against security breach include various security services and security devices such as anti-virus software, firewall servers, proxy servers, and intrusion detection systems. Such a technique is a countermeasure against the entrance of a computer system, but there is a limit only by the countermeasure against the entrance.

  As a realistic measure, attacks are detected based on analysis of computer log data so that actual damage is minimized while allowing intrusion of attacks to the computer system to a certain extent inevitable. It is necessary and effective to take measures.

  Patent Document 1 (Japanese Patent Laid-Open No. 2006-285993) and Non-Patent Document 1 are examples of prior art relating to data analysis for countermeasures against security breaches in computer systems.

  Patent Document 1 describes that as a method for protecting a computer from malware, an event detection system is used to observe a suspicious event from the computer, and when the event satisfies a threshold, a restrictive security policy is applied. .

  In Non-Patent Document 1, resource status such as CPU usage rate of a computer is measured by hardware and software performance counters, and malware is detected using the measured numerical data, or it is detected from a large number of numerical data. For this reason, it is described that narrow down highly effective parameters.

JP 2006-285993 A

The 17th International Symposium on Research in Attacks, Intrusions, and Defenses, 2014/11/18, "Unsupervised Anomaly-Based Malware Detection Using Hardware Features", Adrian Tang, Simha Sethumadhavan, and Salvatore J. Stolfo / Columbia University, New York, USA

  In order to minimize actual damage in security breaches countermeasures for computer systems, it is necessary to quickly detect attacks and malware. However, the conventional technique for detecting an attack or the like based on data analysis has a problem in terms of detection speed and the like.

  A conventional technique such as Patent Document 1 analyzes a large amount of various log data obtained from a computer and a security service. This analysis requires a lot of labor, time, and resources, including an analyst and a computer. The larger the amount of target log data, the more difficult the rapid analysis and detection.

  Further, in the conventional technique such as Patent Document 1, since a suspicious event or a threshold value corresponding thereto is defined in advance and an attack or the like is detected based on the definition, it is difficult to take measures against an unknown attack or the like. There is a problem in terms of detection accuracy.

  Further, the conventional technique such as Non-Patent Document 1 has a problem in terms of detection accuracy because it is difficult to obtain a characteristic characteristic of malware or the like from numerical data that is a measurement value of a resource state.

  The object of the present invention is to reduce the labor, time, and resources required for analysis, and to perform quick and efficient analysis and detection with respect to technology for detecting attacks and the like based on data analysis for countermeasures against security breaches in computer systems. It is possible to provide a technique that can improve detection accuracy, including unknown attacks.

  A typical embodiment of the present invention is a data analysis system having the following configuration.

  A data analysis system according to an embodiment is a data analysis system that analyzes log data collected from a computer in order to detect a security breach of the computer of the management target system, and from the computer of the management target system By collecting log data including numerical data of resource state measurement values of the computer and storing it in the log DB, and analyzing the numerical data of the log data based on rule information, An analysis target determination unit for determining log data to be narrowed down as an analysis target, and an analysis process for detecting the security breach in the log data narrowed down as the analysis target among the log data based on an operation of an analyst And a data analysis unit for outputting analysis data as analysis results, The unit uses the numerical data of the log data to calculate or set a feature amount in a determination target computer and a time zone, and uses the numerical data of the log data to compare A process of calculating or setting a feature value in a computer and a time zone as a reference value and the feature value and the reference value are compared, and if the rule of the rule information is satisfied, it is determined as an abnormal state in which the security breach is suspected And a process of determining the computer, time zone, and log data corresponding to the abnormal state as the analysis target.

  According to a typical embodiment of the present invention, it is possible to reduce the labor, time, and resources required for analysis quickly, with respect to a technique for detecting attacks and the like based on data analysis for countermeasures against security breaches in computer systems. Thus, efficient analysis and detection can be performed, and detection accuracy can be improved including unknown attacks.

It is a figure which shows the structure of the security breach detection system containing the data analysis system of Embodiment 1 of this invention. It is a figure which shows the structure of each system including the data analysis system of Embodiment 1. FIG. FIG. 3 is a diagram showing a processing flow in the data analysis system of the first embodiment. 6 is a diagram illustrating a configuration example of rule information according to Embodiment 1. FIG. 6 is a diagram illustrating an example of numerical data of log data in the first embodiment. FIG. It is a figure which shows the 1st example of the graph display of numerical data. It is a figure which shows the 2nd example of the graph display of numerical data. It is a figure which shows the 3rd example of the graph display of numerical data. It is a figure which shows the 4th example of the graph display of numerical data. FIG. 3 is a diagram illustrating an example of a screen in the data analysis system according to the first embodiment. 6 is a diagram illustrating an example of comparison of a plurality of numerical data in the first embodiment. FIG. It is a figure which shows the structure of the security breach act detection system containing the data analysis system of Embodiment 2 of this invention. It is a figure which shows the structural example of the rule information in the data analysis system of other embodiment of this invention. It is a figure which shows the example of the text data of log data in other embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

(Embodiment 1)
The data analysis system according to the first embodiment of the present invention will be described with reference to FIGS.

[Security breach detection system]
FIG. 1 shows the configuration of a security breach detection system including the data analysis system of the first embodiment. In FIG. 1, the entire system is a security breach detection system. The security breach detection system includes a data analysis system 1, a managed system 2, and an event detection system 3 connected to a network 9.

  The network 9 is a communication network including the Internet and a LAN. The data analysis system 1, the managed system 2, and the event detection system 3 are interconnected via communication on the network 9.

  The management target system 2 includes a plurality of computers 20 as a management target computer group. Examples of the management target system 2 include systems such as a corporate LAN and a Web service. The computer 20 may be a general PC or server. The computer 20 configures various systems and functions according to the management target system 2. Each computer 20 is connected to the network 9. The computer 20 is a target for detecting the security breach by monitoring the occurrence of the security breach by the data analysis system 1 and the event detection system 3.

  The computer 20 may constitute a group. A group is a unit in which one or more computers 20 are grouped into one according to specific requirements such as the same application. In the example of FIG. 1, the plurality of computers 20 are computers 211 to 21m that are a plurality (m) of computers 20 that form a group 41 and computers 221 to 22n that are a plurality (n) of computers 20 that form a group 42. And a computer 231 that is an individual computer 20.

  The group 41 is a Web server group, and includes a plurality of computers 211 to 21m that are a plurality of computers 20 having the role of a Web server. The group 42 is a DB server group, and includes a plurality of computers 221 to 22n that are a plurality of computers 20 having a DB server role.

  As management IDs for each computer 20, the computer 211 is C11, and the computer 212 is C12. As the group management ID, the group 41 is G1, and the group 42 is G2.

  Each computer 20 includes a CPU, memory, disk, communication interface device, input / output interface device, hardware such as a bus, and software such as an OS and a server program.

  The event detection system 3 includes various security services, security devices, and the like that perform entry countermeasures for the computer 20 of the management target system 2. The event detection system 3 has a function of detecting an event by monitoring a communication log or the like of the management target system 2. In the example of FIG. 1, the event detection system 3 includes an antivirus system 31, a proxy system 32, a firewall system 33, and an intrusion detection system 34.

  The anti-virus system 31 is a system configured by general software and hardware such as a server device, a program, and a knowledge DB. The anti-virus system 31 performs processing for detecting that a malicious program such as a computer virus or malware has entered the computer 20, processing for removing the malicious program that has entered the computer 20, or the like. The components of the antivirus system 31 may be arranged inside the computer 20 or may be arranged outside.

  The proxy system 32 is similarly configured by a server device, a program, and the like. The proxy system 32 is arranged at the boundary between an internal network such as a company and an external network such as the Internet. The proxy system 32 performs relay for providing high-speed access and secure communication when connecting from the internal network to the external network.

  The firewall system 33 is similarly configured by a server device, a program, and the like. The firewall system 33 is arranged at the boundary between the internal network and the external network or at the boundary between networks in the enterprise. The firewall system 33 controls communication from the inside to the outside and communication from the outside to the inside, and performs unauthorized communication blocking, maintaining safety of the internal network, and the like.

  The intrusion detection system 34 is similarly configured by a server device, a program, and the like. The intrusion detection system 34 is an intrusion detection system (Intrusion Detection System) or an intrusion prevention system (Intrusion Prevention System). The intrusion detection system 34 monitors communication on the network and detects or prevents unauthorized intrusion into the network by a malicious attacker.

  The data analysis system 1 is a system that detects a security breach of the managed system 2 based on data analysis in cooperation with the event detection system 3. The data analysis system 1 is configured by hardware such as a server system 10 and software. The server system 10 that is the data analysis system 1 includes a data collection unit 11, an analysis target determination unit 12, a data analysis unit 13, and the like, and includes a log DB 50, an analysis DB 60, rule information 70, and the like.

  The data collection unit 11 collects log data to be analysis candidates and stores it in the log DB 50. The collected log data includes numerical data to be processed by the analysis target determination unit 12. The data collection unit 11 collects the log data 101 from the management target computer group of the management target system 2 and stores it in the log DB 50. The log data 101 includes numerical data that is a measurement value of the resource state of the computer 20 and text data. The data collection unit 11 collects log data 102 from the event detection system 3 and stores it in the log DB 50. The log data 102 includes event data of events detected by the event detection system 3.

  The analysis target determination unit 12 performs a process of determining and narrowing down the analysis target from the analysis candidates. The analysis target determination unit 12 performs processing for determining normality or abnormality based on the rule information 70 for numerical data corresponding to the resource state measurement value in the log data of the log DB 50. The analysis target determination unit 12 narrows down the computers 20 and time zones associated with the numerical data determined to be abnormal as analysis targets. The analysis target determination unit 12 calculates or sets a feature amount or a reference value from numerical data, and compares it with a threshold value of the rule information 70 to determine whether or not there is an abnormality. Abnormality refers to a state in which attacks or malwares are suspected of being invaded. The analysis target determination unit 12 stores analysis target information in the analysis DB 60 including the computer 20 narrowed down as an analysis target, time zone information, and log data identification information related thereto. The analysis target determination unit 12 displays information including the analysis target information on the screen.

  The data analysis unit 13 analyzes log data narrowed down as an analysis target among the log data of the log DB 50 based on an operation of an analyst who is a user, and stores the analysis data as an analysis result in the analysis DB 60. The data analysis unit 13 displays information including analysis data on the screen.

[Data analysis system]
FIG. 2 shows the configuration of each system such as the data analysis system 1. Each computer 20 of the management target system 2, for example, the computer 211 of the group 41, has a resource state measuring unit 200. The resource state measurement unit 200 measures the resource state such as the CPU usage rate and the memory usage amount of the computer 20 and outputs log data 101 including the resource state measurement value 201.

  As a means for transmitting / receiving the log data 101 including the resource state measurement unit 200 and the resource state measurement value 201, an existing performance counter, resource monitor, or a predetermined command system provided in a general computer or OS is used. be able to.

  Each security service of the event detection system 3, for example, the anti-virus system 31 includes an event detection unit 300. The event detection unit 300 monitors the computer 20 of the management target system 2 and detects an event. The event detection unit 300 detects, for example, that the computer 211 has accessed the network 9 or downloaded a program from the network 9 as an event, and records event data 202 of the event. The event detection unit 300 outputs log data 102 including event data 202.

  The data analysis system 1 includes a data collection unit 11, an analysis target determination unit 12, a data analysis unit 13, an input / output unit 14, and a setting unit 15. The server system 10 implements each processing unit such as the data collection unit 11 by software program processing based on predetermined hardware. The log DB 50 stores log data 51 and log data 52. The analysis DB 60 stores target information 61 and analysis data 62.

  The data collection unit 11 collects and acquires the log data 101 from each computer 20 of the management target system 2 through the network 9 and stores it as log data 51 in the log DB 50. Further, the data collection unit 11 collects and acquires the log data 102 from each security service of the event detection system 3 through the network 9 and stores the log data 102 in the log DB 50 as the log data 52 in association with the log data 51.

  The analysis target determination unit 12 targets the numerical data of the resource state measurement value among the log data 51 and the log data 52 of the log DB 50, and uses the rules described in the rule information 70 to determine the computer 20 and the time corresponding to the abnormality. Judge the band. The analysis target determination unit 12 stores the computer 20 and the time zone determined to be abnormal as analysis targets, and stores the analysis target information as target information 61 in the analysis DB 60. The target information 61 includes identification information of the computer 20 to be analyzed, time zone information, and identification information of log data related to them.

  The data analysis unit 13 performs processing for analyzing the log data in the log DB 50 based on the operation of the analyst. The data analysis unit 13 analyzes the log data narrowed down as an analysis target in accordance with the target information 61 out of the entire log data 51 and log data 52 of the log DB 50, and analyzes the analysis data 62 that is the analysis result into the analysis DB 60. To store. The log data to be analyzed is log data corresponding to the computer 20 and the time zone determined to be abnormal among the log data 51 and the log data 52. Of these, the log data 52 includes event data of suspicious events.

  The analysis target determination unit 12 narrows down the log data of the log DB 50 to the analysis target log data indicated by the target information 61. The amount of log data to be analyzed is smaller than the total amount of log data. The analyst can efficiently detect attacks, malware, and the like by analyzing the suspicious computer 20 to be analyzed and the log data of the time zone.

  Note that the analyst can perform analysis by referring to other log data in the log DB 50 as needed in addition to the log data to be analyzed indicated by the target information 61. In this case, the amount of data to be referred to increases and the time required for the analysis also increases, but more detailed analysis is possible instead.

  The input / output unit 14 performs input and output processing of data and information based on an operation of an analyst who is a user. The input / output unit 14 provides a screen serving as a user interface. The analyst accesses the server system 10 from a terminal and displays a screen provided by the input / output unit 14 on the terminal. The analyst can check and set various information related to the data analysis system 1 and perform data analysis work on the screen.

  The setting unit 15 performs processing for setting setting information including the rule information 70 based on a user operation through the input / output unit 14. The user can confirm the contents of the rule information 70 on the screen and set individual rules. The rule information 70 is setting information including a data analysis rule that is a rule referred to in the analysis target determination process in the analysis target determination unit 12.

[Processing flow]
FIG. 3 shows a processing flow in the data analysis system of the first embodiment. Hereinafter, steps S1 to S9 in FIG. 3 will be described in order.

  (S1) In S1, the rule information 70 and the like are set in advance. The user uses the setting unit 15 to set and confirm each rule that is the content of the rule information 70. After S1, the processes of S2 and S3 are executed in parallel at predetermined timings.

  As the rule information 70, default rule information may be set and provided in advance by a business operator. Further, the latest rule information may be provided through the network 9 as the service of the operator, and the rule information 70 may be automatically updated.

  (S <b> 2) In S <b> 2, the data collection unit 11 collects the log data 101 from each of the plurality of computers 20 in the management target computer group of the management target system 2 through the network 9 and stores the log data 101 as the log data 51 in the log DB 50. . The log data 101 includes numerical data of the resource state measurement value 201 in FIG. 2 and text data.

  (S3) Further, the data collection unit 11 collects the log data 102 from each security service of the event detection system 3 and stores it in the log DB 50 as the log data 52. The log data 102 includes the event data 202 of FIG.

  In S <b> 2 and S <b> 3, the data collection unit 11 stores the date and time according to the collection timing, and the log data for each computer 20 in the log DB 50.

  (S4) From the log data collected in the log DB 50 up to S3, the analysis target determination unit 12 uses the numerical data corresponding to the resource state measurement value of the current time zone in the log data of the computer 20 focused on as the determination target. , Calculate or set a feature value for determination. The analysis target determination unit 12 uses the current data, that is, the numerical data of the time zone acquired at the latest collection timing, among the time-series numerical data of the determination target computer 20 as a determination feature amount.

  Various methods and details of the calculation or setting of the feature amount in S4 are possible. In the first embodiment, as a first method, the analysis target determination unit 12 sets time-series numerical data itself of a computer 20 focused on as a determination target as a feature amount of the computer 20. The analysis target determination unit 12 uses, for example, numerical data such as a CPU usage rate, a memory usage amount, a disk usage amount, and the number of httpd processes as a feature amount.

  In another embodiment, as a second method, the analysis target determination unit 12 may calculate a feature amount by applying a predetermined calculation to numerical data. An example of the second method is as follows. The analysis target determination unit 12 calculates a change amount at each time point in time-series numerical data of the computer 20 focused on as a determination target, and extracts a portion where the change amount exceeds a predetermined threshold. That is, the analysis target determination unit 12 extracts a portion where the numerical value is suddenly changed in a numerical data graph, a portion where the numerical change is conspicuous compared with other portions, and the like. The analysis target determination unit 12 uses the extracted numerical data as a feature amount.

  (S5) Moreover, the analysis object determination part 12 determines from the numerical data corresponding to the resource state measurement value of one or more computers 20 to which attention is paid as a comparison object among the log data collected in the log DB 50 up to S3. Calculate or set the feature value to be used as a reference value.

  Various methods and details of the calculation or setting of the reference value in S5 are possible. In the first embodiment, numerical data of the current time zone is compared between a plurality of computers 20 as the first method, and the current time zone and the past time in the same computer 20 as the second method. Compare numerical data with the band.

  An example of the first method is as follows. The analysis object determination unit 12 compares the numerical data of the current time zone in each of a plurality of computers 20 to be compared, for example, the computers 211 to 21m of the group G1, with respect to the computer 20 that is focused as a determination object, for example, the computer 211. Then, a statistical value such as an average is calculated, and the statistical value is used as a feature value of a reference value in the computer 20 to be compared.

  For example, for the computers 211 to 21m in the group 41 corresponding to the Web server group, the analysis target determination unit 12 determines the average CPU usage rate, the average memory usage, the average disk usage, and the average number of httpd processes. The average value of numerical data such as, is calculated, and each is used as a reference value.

  In the first method, the plurality of computers 20 to be compared may be all the computers 20 to be managed, or may be computers 20 in a specific group or arbitrarily designated computers 20. This definition can be set in the rule information 70. Further, with respect to one or more computers 20 to be compared, both the case of including the computer 20 to be determined and the case of not including it are possible. This definition can be set in the rule information 70. In the first embodiment, according to the rule, as in the former case, the comparison target computer 20 is defined to include the determination target computer 20. For example, the determination target is the computer 211, the comparison target is the group G1, and the average value or the like in the computers 211 to 21m of the comparison target group G1 is calculated. In the latter definition, an average value or the like is calculated in the computers 212 to 21m of the group G1 to be compared, excluding the computer 211 to be determined.

  An example of the second method is as follows. The analysis target determination unit 12 refers to the numerical data of the past time zone as the comparison target with respect to the numerical data of the current time zone as the determination target in the log data of the computer 20 focused on as the determination target. The analysis target determination unit 12 calculates a statistical value such as an average from the numerical data of one or more past time zones to be compared, and sets the statistical value as a feature value of the reference value.

  For example, for the computer 211 to be determined, the analysis target determination unit 12 sets the CPU usage rate in the time period from 8:00 to 10 minutes on Monday as the numerical value of the current time period as the characteristic amount to be determined. On the other hand, the analysis target determination unit 12 refers to the CPU usage rate in the time period from 8:00 to 10 minutes on Monday in the past month as numerical data of the past time period that is the comparison target, and averages them. The value is a feature value of the reference value.

  Note that, in the second method, it is possible to both include and not include the log data in the time zone to be determined in the log data in the time zone to be compared. This definition can be set in the rule information 70. In the first embodiment, according to the rule, the definition does not include the determination target time zone in the comparison target time zone, as in the latter case.

  When the average value is used as the reference value, if the average value is μ, and the numerical data of each of the plurality (k) of computers 20 in a certain time zone are X1, X2,..., Xk, μ = (X1 + X2 + ... + Xk) / K.

  The method for calculating and determining the feature amount is not limited to the above example, and various methods can be applied. For example, a method of narrowing down highly effective parameters by Fisher score described in Non-Patent Document 1, correction of numerical data by linear correction, and the like can be applied.

  (S6) The analysis target determination unit 12 refers to one or more rules from the rule information 70 for the analysis target determination process. In the first embodiment, all the rules described in the rule information 70 are applied. An example of the contents of the rule information 70 is shown in FIG. In the rule of the rule information 70, conditions such as a threshold are set in accordance with the feature quantity to be determined and the reference value to be compared. An example of the rule is whether or not the deviation of the determination target feature amount with respect to the comparison target reference value exceeds a predetermined threshold. If it exceeds, it is determined to be abnormal. The deviation is the difference between the numerical value belonging to the population and the average value of the population. As an example of the threshold value, there is a standard deviation in a numerical group to be compared. Conditions such as a threshold value for determination can be set by the rule information 70, and various types can be applied.

It is assumed that the numerical data as feature quantities is X, the average is μ, the deviation is (X−μ), the variance is σ ² , and the standard deviation is σ. The variance (σ ² ) is a value obtained by dividing the sum of squared deviation values by the number of numerical data (k), and σ ² = Σ (X−μ) ² / k.

  As an example of the first method, the CPU usage rate, which is the feature amount in the current time zone of the computer 211 to be determined, is assumed to be X1. An average value of the CPU usage rate, which is a reference value in the same time zone of the computers 211 to 21m of the group G1 to be compared, is defined as μ1. The standard deviation of the CPU usage rate in the group G1 to be compared is assumed to be σ1. The condition is whether or not the deviation (X1−μ1) exceeds the standard deviation (σ1) that is a threshold, that is, (X1−μ1)> σ1.

  As an example of the second method, it is assumed that the CPU usage rate, which is the feature amount in the current time zone (T1 in FIG. 11) of the computer 211 to be determined, is X1. An average value of CPU usage rates in a plurality of past time zones (T2 to Tp in FIG. 11), which is a reference value to be compared by the same computer 211, is μ2. The standard deviation in the comparison target is σ2. The condition is whether the deviation (X1−μ2) exceeds the standard deviation (σ2) that is a threshold, that is, (X1−μ2)> σ2.

  (S7) The analysis target determination unit 12 refers to the feature quantity of the determination target obtained in S4, the feature quantity that is the reference value of the comparison target obtained in S5, and conditions such as a threshold in the rule obtained in S6. Then, they are compared to determine whether or not there is an abnormality. The analysis target determination unit 12 determines whether the determination target is abnormal depending on whether the determination target computer 20 and the time zone feature amount satisfy the feature amount that is the reference target computer 20 and time zone reference value. It is determined whether or not. For example, when the deviation between the feature value of S4 and the average value that is the reference value of S5 exceeds the standard deviation that is the threshold value of S6, the analysis target determination unit 12 determines that the rule condition is satisfied. As a result, the analysis target determination unit 12 determines that the determination target computer 20 in S4 and the log data in the time zone are abnormal.

  As a result of the determination in S7, if any rule of the rule information 70 is satisfied and there is an abnormality (S7-Y), the process proceeds to S8, and none of the rules is satisfied and an abnormality is satisfied. If there is not (S7-N), the processing in FIG. 3 is terminated.

  (S8) The analysis target determination unit 12 determines the computer 20 and the time zone determined to be abnormal in S7 and the log data related thereto as the analysis target, and sets the target information 61 including the information on the analysis target to the analysis DB 60 To store. Further, the analysis target determination unit 12 displays information including the target information 61 on the screen viewed by the user through the processing of the input / output unit 14.

  (S9) Next, the data analysis unit 13 determines log data to be analyzed in accordance with the target information 61 determined in S8. The data analysis unit 13 reads the log data to be analyzed indicated by the target information 61 from the log DB 50. The data analysis unit 13 performs analysis processing on the log data to be analyzed based on the operation of the analyst on the screen, and stores the analysis data 62 that is the analysis result in the analysis DB 60. The data analysis unit 13 displays information including the analysis result on the screen through the input / output unit 14.

  The analyst analyzes the log data of a specific computer and time zone that has been narrowed down as an analysis target and log data including event data corresponding to it, and there is evidence of any kind of security breach, such as an attack or malware. Analyze whether there is any. As a result, a security breach can be detected.

  It should be noted that various known analysis methods can be applied as the analysis method of S9. For example, a method in which an analyst directly refers to a related log, a general rule-based analysis method, a correlation analysis method using logs of a plurality of security services, and the like are applicable.

  As a result of S7 and S8, for example, the computer 211 determines that the time zone corresponding to the date and time “2015/01/10 10:05:00” is abnormal, that is, there is a suspicion that some kind of attack has occurred. Is done. Therefore, in S9, the analyst does not analyze the huge amount of log data acquired from the management target computer group or the event detection system 3, but analyzes corresponding to the specific computer 211 and time zone narrowed down in S8. Analyze the target log data. This log data includes logs and events related to the specific computer 211. As a result, the analyst can efficiently detect a security breach. After S9, the process of FIG. 3 is terminated.

[Rule information]
FIG. 4 shows a configuration example of the rule information 70 in the data analysis system of the first embodiment. The rule information table of FIG. 4 includes “ID”, “rule name”, “condition”, “determination target and period”, and “comparison target and period” as columns. “ID” indicates a unique number for identifying the rule. “Rule name” indicates the name of the rule. “Condition” indicates a condition for determination in the rule, and includes a threshold or the like as the condition.

  The “determination target and period” indicates information defining the determination target computer 20 and the time zone. The “comparison target and period” indicates information defining the computer 20 to be compared and the time zone. Each "period" indicates information that defines a period for sampling numerical data for calculating or setting a feature quantity to be determined and a feature quantity to be used as a reference value for comparison applied in the rule. .

  The rows indicated by ID = 1 to 3 are examples of rules defined for each assumed malware and attack. The rule of “malware A” with ID = 1 is for each computer 20 in all the computers 20 of the management target system 2 as the computer 20 to be determined. Further, the time zone to be determined is the current time zone for each computer 20. The current time zone is the latest time zone corresponding to the latest collection timing.

  The determination target feature amount is time-series numerical data in the determination target computer 20 and the time zone. The comparison target computer 20 is the same computer 20 as the determination target. The time zone to be compared is a past time zone in the same computer 20. The past time zone is, in particular, the same time zone on the same day of the week as the current time zone in the most recent one month period. The feature quantity used as the reference value for comparison is the average value of the numerical data in the past time zone to be compared.

  The condition of ID = 1 is “* ¥ CU + 10% AND * ¥ MU + 10% AND * ¥ DU + 10%”. “* ¥” indicates an arbitrary computer 20. “CU” indicates the CPU usage rate. “* ¥ CU” indicates the CPU usage rate of one arbitrary computer 20. “+ 10%” indicates a threshold value. “* ¥ CU + 10%” indicates that the CPU usage rate in the current time zone of the computer 20 to be judged is a threshold value of plus 10% with respect to the average value of CPU usage rates in the past time zone, which is the reference value to be compared. The condition of exceeding is shown. Similarly, “* ¥ MU + 10%” indicates a condition regarding the memory usage. “* ¥ DU + 10%” similarly indicates a condition related to the disk usage. The condition of ID = 1 is defined by AND (logical product) of three conditions for each type of resource state measurement value. When the condition of ID = 1 is satisfied, the determination target computer 20 and the time zone are determined to be abnormal.

  The rule of “malware B” with ID = 2 is an example in which the determination threshold and the comparison target are the same as those of the rule of “malware A”, and the condition thresholds are different. The condition is “* ¥ CU + 5% AND * ¥ MU + 5% AND * ¥ DU + 20%”.

  The rule of “DDoS attack” with ID = 3 is the computers 211 to 21m that are the plurality of computers 20 in the Web server group that is the group G1, as the computers 20 to be determined. The time zone to be determined is the current time zone. “WG” indicates a group G1 which is a Web server group. This rule has a group unit as a determination target, and there is no definition of a comparison target.

  The condition of ID = 3 is “WG ¥ CU> 90% AND WG ¥ MU> 90% AND WG ¥ PCH> 200”. “WG ¥ CU” indicates the CPU usage rate of the group G1, for example, indicates the CPU usage rate of one of the computers 20. “WG ¥ CU> 90%” indicates a condition that the CPU usage rate of the group G1 exceeds the threshold value of 90%. Similarly, “WG ¥ MU> 90%” indicates a condition that the memory usage of the group G1 exceeds 90%. “WG ¥ PCH> 200” indicates a condition that the number of httpd processes in the group G1 exceeds 200. “PCH” indicates “process-count-httpd”, that is, the number of httpd processes. The condition of ID = 3 is defined by AND of three conditions.

  The rule of “same group abnormal operation (WG)” with ID = 11 is an example in which an abnormality is determined by comparing numerical data in the current time zone between a plurality of computers 20 included in the same group. This rule is each computer 20 in the computers 211 to 21m included in the group G1 that is the Web server group as the computer 20 to be determined. The time zone to be determined is the current time zone. The feature quantity to be determined is the time-series numerical data itself in the current time zone.

  The computers 20 to be compared are computers 211 to 21m, which are a plurality of computers 20 constituting the group G1. In the case of this rule, the plurality of computers 20 in the group G1 to be compared includes a computer 20 to be determined, for example, a computer 211. The time zone to be compared is also the current time zone. The feature quantity serving as a reference value to be compared is an average value of the numerical data of the group G1 in the current time zone.

  The condition of ID = 11 is “WG ¥ CU + 20% OR WG ¥ MU + 20% OR WG ¥ DU + 20%”. This condition is defined by OR (logical sum) of three conditions. “WG ¥ CU + 20%” indicates that the CPU usage rate in the current time zone of the determination target computer 20 is a threshold value plus 20% with respect to the average value of the CPU usage rate of the comparison target group G1. Indicates the condition of exceeding.

  The rule of ID = 11 is a rule that the CPU usage rate exceeds the reference value plus 20%, the memory usage exceeds the reference value plus 20%, or the disk usage exceeds the reference value plus 20%. is there. When this rule is satisfied, it is determined that the determination target computer 20 and the time zone are abnormal.

  ID = 11 is an example of a rule related to the group G1 as an example of comparison between a plurality of computers 20. The rules can be similarly defined for other groups such as the group G2 and a plurality of arbitrarily designated computers.

  The rule of “same machine abnormal operation (CPU)” with ID = 12 is an example in which, for each identical computer 20, the abnormality is determined by comparing the numerical data in the current time zone with the numerical data in the past time zone. is there. The computer 20 to be determined is each computer 20 in all the computers 20 of the management target computer group. The time zone to be determined is the current time zone. The determination target feature amount is the determination target computer and time-series numerical data itself.

  The comparison target computer 20 is the same computer 20 as the determination target. The time zone to be compared is a past time zone. The past time zone is the same time zone on the same day of the week as in the rule of ID = 1. The feature quantity serving as a reference value to be compared is an average value in the numerical data in the past time zone.

  The condition of ID = 12 is “CU + 30%”. This condition is that the CPU usage rate in the current time zone of the computer 20 to be judged exceeds 30% of the average CPU usage rate in the past time zone, which is the reference value. When this condition is satisfied, the determination target computer 20 and the time zone are determined to be abnormal.

  ID = 12 is an example of a rule for comparing the CPU usage rate as an item of the resource state measurement value between the present and the past. In addition to this, rules can be similarly defined for other items such as memory usage and the number of server processes such as the number of httpd processes. A desired time zone can also be set for the past time zone to be compared.

  As another example of the rule information 70, a rule configured by combining a rule for comparison between a plurality of computers 20 such as ID = 11 and a rule for comparison between the present and the past such as ID = 112 is also possible. It is. For example, a rule based on an AND condition of these two rules or a rule based on an OR condition is possible. Alternatively, the analysis target determination unit 12 may determine an abnormal state by determining a predetermined AND condition or OR condition for a plurality of rules described in the rule information 70.

  In addition, when a plurality of rules are set in the rule information 70, it may be set by the user through the setting unit 15 which rule is used each time. In this case, the table of the rule information 70 in FIG. 4 is provided with a flag item for setting whether to use it by ON / OFF or the like.

[Log data]
FIG. 5 shows an example of numerical data in the log data obtained from the computer 20 of the management target system 2. The log data table of FIG. 5 includes “date and time”, “computer C11”, and “group G1 (WG)” as columns. Although not shown, information is similarly managed for other computers and groups. The upper table in FIG. 5 shows an information part related to the computer C11 which is the computer 211 in FIG. 1, and the lower table in FIG. 5 shows an information part related to the group G1 which is the group 41 in FIG. The numerical data to be processed by the analysis target determination unit 12 is numerical data represented by numerical values such as a CPU usage rate in the collected log data as shown in FIG.

  The “date and time” column indicates a collection timing and a time zone. For example, the line “2015/01/10 10:00:00” indicates that the collection timing is 10:00:00 on January 10, 2015, and the corresponding time zone is “2015/01/10 10 1 minute until "00:00".

  The “computer C11” column and the “group G1” column have “CPU usage rate”, “memory usage”, “disk usage”, and “httpd process count” as detailed items related to the resource state measurement value. Each item in the “Computer C11” column stores a numerical value of each collected resource state measurement value. Each item in the “Group G1” column stores an average value calculated based on the collected numerical values of the computers 20.

  In the example of FIG. 5, the measurement interval and collection timing of the numerical data of the resource state measurement values are both every minute, and one numerical data is stored every minute in the log data table. This unit time is not limited to 1 minute, and a shorter time or a longer time such as 10 seconds or 5 minutes can be set. The user can set this unit time through the setting unit 15. The unit time can be set within a time limit range in which the resource state can be measured and collected. The data collection unit 11 collects log data including numerical data at a collection timing corresponding to the set unit time, and stores it in the log data table as numerical data for each unit time.

  The data collection unit 11 may acquire a plurality of numerical data for a plurality of measurements from the computer 20 at a collection timing corresponding to the set unit time, or 1 of the plurality of numerical data. Two numerical data may be acquired. Further, the resource state measuring unit 200 of the computer 20 may calculate an average value or the like of a plurality of numerical data and provide the numerical data such as the average value to the data collecting unit 11.

  Further, the determination target in the analysis target determination unit 12 and the time zone for comparison can be set by the rule information 70. This time zone may be set to, for example, 1 minute according to the time unit of measurement and collection, or may be set to, for example, 10 minutes, 1 hour, etc. by being larger than the time unit of measurement and collection. The user can set the size of this time zone in the rule information 70 through the setting unit 15. The analysis target determination unit 12 performs the analysis target determination process for each set time zone or at the date and time specified in the setting.

[Numeric data graph]
6 to 9 show examples of graph display related to time-series numerical data corresponding to log data as shown in FIG. 6 shows the CPU usage rate, FIG. 7 shows the memory usage, FIG. 8 shows the disk usage, and FIG. 9 shows the respective graphs regarding the number of httpd processes. The data analysis system 1 has a function of creating a graph of numerical data of each resource state measurement value of log data and displaying the graph on the screen through the input / output unit 14.

  6A shows the CPU usage rate related to the computer C11 in FIG. 1, FIG. 6B shows the CPU usage rate related to the computer C12 in FIG. 1, and FIG. 6C shows the CPU usage rate related to the computer C13 not shown. In (a), the solid line represents the numerical data of the computer C11 that is the computer 20 to be determined, and the broken line represents the average value in the group G1 that is the computer 20 to be compared. For example, looking at the CPU usage rate in the time zone corresponding to the time point 601, the CPU usage rate of the computer C11 is about 2% larger than the average value of the group G1. At other times, the CPU usage rate of the computer C11 is close to the average value.

  For example, when a comparison is made between a plurality of computers 20 as in the rule of ID = 11 in FIG. 4, the CPU usage rate of the computer C11 in the time zone corresponding to the time point 601 is a deviation from the average value that is a reference value. However, when the threshold value of the condition is exceeded, it is determined that the computer C11 and the time zone are abnormal.

  In FIG. 7, (a) to (c) show the memory usage related to the computers C11, C12, and C13 as in FIG. In (a), for example, looking at the time zone corresponding to the time point 701, the memory usage of the computer C11 is about 0.5 MB larger than the average value of the group G1.

  In FIG. 8, (a) to (c) show the disk usage related to the computers C11, C12, and C13 as in FIG. In (a), for example, in the time zone corresponding to the time point 801, the disk usage of the computer C11 is about 700 Kbps larger than the average value of the group G1.

  9, (a) to (c) show the number of httpd processes related to the computers C11, C12, and C13 as in FIG. In (a), for example, in the time zone corresponding to the time point 901, the number of httpd processes of the computer C11 is about 80 larger than the average value of the group G1.

  The memory usage in FIG. 7, the disk usage in FIG. 8, and the number of httpd processes in FIG. 9 can be compared among a plurality of computers 20 as with the CPU usage rate in FIG.

[Example of analysis target judgment processing]
An example of the analysis target determination process in S7 of FIG. 3 is as follows. The analysis target determination unit 12 determines the analysis target based on the rule information 70 of FIG. 4 and the numerical data of the log data of FIG. In the numerical data as of “2015/01/10 10:05:00” in the table of FIG. 5, for each item such as the CPU usage rate, the numerical data of the computer C11 is set as the feature quantity to be determined, and the group G1 average The value is a feature value that is a reference value to be compared. As a rule, the analysis target determination unit 12 performs a comparison determination for each computer 20 and for each item between the plurality of computers 20 in the group G1 in the same time zone.

  First, as for the CPU usage rate, the average value of the group G1 is 4.0777, while the numerical value of the computer C11 is 5.9. When the “same group abnormal operation (WG)” rule of ID = 11 in FIG. 4 is used, the condition is “WG ¥ CU + 20% OR WG ¥ MU + 20% OR WG ¥ DU + 20%”. As for “WG ¥ CU + 20%”, the average value of 4.0777 plus 20% is 4.893, and the numerical value of computer C11 5.9 exceeds this value. Therefore, since the condition “WG ¥ CU + 20%” is satisfied and the condition of the rule of ID = 11 is satisfied, the computer C11 and the time zone are determined to be abnormal. The same determination is made for the memory usage and the like. Similar determinations are made for other computers.

[Screen example]
FIG. 10 shows an example of a screen provided by the input / output unit 14 of the data analysis system 1. The screen example of FIG. 10 includes a “managed system” column 501, a “rule setting” column 502, and an “analysis target information” column 503.

  A column 501 displays information on the management target system 2. In the column 501, information including the management target group and the identification information of the computer 20 is displayed as an example. In the column 501, the user can set the management target group and the computer 20 with a setting change button or the like. Further, the user can set a log data collection target, a narrowing target, and the like in the column 501.

  A column 502 displays the contents of the rule corresponding to the rule information 70. The column 502 displays the contents of the rule information 70 as shown in FIG. 4 in a table format as an example. In the field 502, the user can set the contents of the rule with a setting change button or the like. The user can select and set a rule to be applied in the field 502.

  A column 503 displays analysis target information corresponding to the target information 61. The column 503 displays, for example, information on the computer 20 that is determined to be abnormal as a result of the analysis target determination and narrowed down as an analysis target, time zone information, and identification information of log data related to the information. . In the column 503, the user can perform analysis by changing to a screen for analyzing log data to be analyzed by an “analyze” button or the like. In addition, the user selects the analysis target individually from the analysis target information displayed in the column 503, and transitions to the screen for analyzing the log data of the individual analysis target by using the “analyze” button or the like. You can also

  In this example, the first row of the table in the column 503 is a computer C12, a time zone T1, and log data L21 of the group G1 as analysis targets. Similarly, information related to a plurality of pieces of log data to be analyzed is displayed in order from the second row.

[Example of comparing multiple numeric data]
As a supplement, FIG. 11 shows an example of comparison of a plurality of numerical data in the analysis object determination process or rule. The vertical direction indicates, for example, a plurality of computers 20 in the group G1. The horizontal direction indicates a time zone with the left as the time axis and the right as the past. The time zone T1 indicates the latest time zone. Each frame shows log data in the corresponding computer and time zone. L11 and the like indicate identification information of log data.

  The first method of S5 in FIG. 3 compares numerical data among a plurality of computers 20 in the same time zone. For example, the computer C11 is a determination target, and the group G1 is a comparison target.

  In the second method of S5 in FIG. 3 described above, the same computer 20 compares numerical data between the current time zone and the past time. For example, in the computer C11, the time zone T1 is a determination target, and the time zones T2, T3,..., Tp are comparison targets.

[Effects]
As described above, according to the data analysis system 1 of the first embodiment, when an attack or the like is detected based on the data analysis for the security breach countermeasure of the computer 20 of the management target system 2, it is necessary for the analysis. Therefore, time and resources can be reduced, rapid and efficient analysis and detection can be performed, and detection accuracy including unknown attacks can be increased.

  In general, it is known that the value of a resource state such as a CPU usage rate or its characteristic amount fluctuates when it is subjected to a security breach, such as when it is infected with malware or under a denial of service attack. Therefore, in the first embodiment, in consideration of the suggestion and possibility of a security breach, a condition regarding the numerical data of the resource state is set as a rule, and analysis target determination is performed. As a result, the log data corresponding to the computer 20 or the time zone in which a security breach is suspected can be narrowed down as an analysis target. This enables analysts to quickly and efficiently analyze log data and detect attacks, etc., with less effort, time, and resources compared to conventional techniques that require analysis of large amounts of various log data. Can do.

  In particular, since the data analysis system 1 according to the first embodiment can perform comparison determination between a plurality of computers 20 and comparison determination between current and past time zones based on rule settings, it is unknown. It is easy to deal with security breaches.

  In the first embodiment, since the processing target in the analysis target determination process is limited to numerical data, rapid analysis and detection are possible.

(Embodiment 2)
A data analysis system according to the second embodiment of the present invention will be described with reference to FIG. The basic configuration of the second embodiment is the same as the configuration of the first embodiment. In the following, the configuration of the second embodiment different from that of the first embodiment will be described.

  FIG. 12 shows the configuration of a security breach detection system including the data analysis system of the second embodiment. The network 9 of the first embodiment is shown as the Internet 91 and the LAN 92 in the second embodiment. A plurality of computers 20 that are managed computer groups of the managed system 2 are connected to the LAN 92. The managed system 2 has a load distribution device 80. The load balancer 80 is connected to the LAN 92. Each computer 20 is connected to the load balancer 80 through a LAN 92. The data analysis system 1 is connected to the LAN 92 of the management target system 2.

  The event detection system 3 includes server devices for each security service. The server device is connected to the Internet 91 and is connected to the LAN 92 of the management target system 2 through the load balancer 80. The event detection system 3 performs processing as an entrance countermeasure for ensuring the security of the managed system 2.

  The load distribution device 80 performs processing for distributing the load to the plurality of computers 20 of the management target system 2. For example, the load balancer 80 equalizes the loads on the computers 20 by leveling external access to the computers 211 to 21m of the group 41 that is the Web server group. As a result, the CPU usage rate of these computers 20 is leveled as a resource state. The computers 211 to 21m have similar hardware and software performance.

  The data analysis system 1 sets the content of the rule information 70 according to the load distribution state by the load distribution device 80. The data analysis system 1 refers to the load distribution information 801 indicating the load distribution state from the load distribution apparatus 80. The data analysis system 1 sets a correction coefficient 802 as the content of the rule information 70 according to the load distribution state indicated by the load distribution information 801. Alternatively, the analyst refers to the load distribution information 801 of the load distribution apparatus 80 and uses the setting unit 15 to set the correction coefficient 802 as the content of the rule information 70.

  The correction coefficient 802 is a coefficient for correcting the resource state measurement value for each computer 20 in order to equalize the resource states of the plurality of computers 20 for the analysis target determination process. The correction coefficient 802 is reflected on the resource state measurement value described in the condition of the rule information 70 by multiplication or the like.

  First, the case where the load and resource states of the plurality of computers 20 are leveled by the load balancer 80 is as follows. The load balancer 80 distributes communication to the computers 20 group according to the load distribution setting state for the computers 20 to be managed, and leveles the load status. By this load distribution, the load is concentrated on a specific computer 20 so that the resource state measurement value and its feature amount do not differ greatly among the plurality of computers 20.

  In this case, there is no need to set the correction coefficient 802. In other words, the correction coefficient 802 may be set to “1” in all the computers 20. The rule information 70 may have the same setting as in the first embodiment. The analysis target determination unit 12 can suitably realize analysis target determination processing including comparison determination between a plurality of computers 20.

  In addition, when the load distribution state by the load distribution apparatus 80 is uneven in load and resource state among the plurality of computers 20, it is as follows. As a load distribution state by the load distribution device 80, for example, it is assumed that the load is a ratio of 1: 2 in the two computers 20 of the computer 211 and the computer 212 in the group 41. In this case, the resource state measurement values of the two computers 20, for example, the CPU usage rate are likely to be a ratio of 1: 2.

  In this case, the data analysis system 1 and the analyst set the correction coefficient 802 as follows so that the comparison determination between the plurality of computers 20 can be suitably realized in the analysis target determination process, and the rule information 70 Correct the contents of. The data analysis system 1 sets the correction coefficient 802 so that the ratio of the resource state measurement value between the computers 20 becomes 1: 1 in the description of the condition of each rule in the rule information 70. In the case of the above example, the correction coefficient of the computer 211 is set to “1” and the correction coefficient of the computer 212 is set to “0.5”.

  The analysis target determination unit 12 applies the corrected rule of the rule information 70 during the analysis target determination process. The analysis target determination unit 12 refers to the numerical data of the resource state measurement values leveled between the plurality of computers 20 according to the rule. For example, in the rule of ID = 11 in FIG. 4, the numerical value data of the CPU usage rate of each computer 20 in the group G1 is referred to as “WG ¥ CU”. In this case, by multiplying the CPU usage rate of the computer 212 by “0.5”, the CPU usage rate of the computer 211 is leveled so as to be the same level.

  Therefore, even when the load of each of the plurality of computers 20 is different depending on the load distribution state, the comparison determination between the plurality of computers 20 is preferable as in the case where the loads of the plurality of computers 20 are leveled. Can be realized. The analyst has less time to set the rule information 70.

  As a modification of the second embodiment, the data analysis system 1 may be connected to the Internet 91. Further, the event detection system 3 and the data analysis system 1 may be integrated into one.

(Other embodiments)
The following is mentioned as a data analysis system of other embodiment.

  In the management target system 2, a security service or a security device that is a component of the event detection system 3 may be provided. The event detection system 3 may collect resource state measurement values from the management target system 2, and the data analysis system 1 may collect log data including the resource state measurement values from the event detection system 3. The event detection system 3 may include a resource state measurement unit, and the resource state measurement unit may measure the resource state of each computer of the managed system 2.

  As another embodiment, the data analysis unit 13 cooperates with the analysis target determination unit 12 and automatically presents the log data of the analysis target narrowed down by the target information 61 to the analyst, and the analyst performs analysis accordingly. I do. The data analysis system 1 may determine the order and priority of analysis targets based on the target information 61 obtained by the analysis target determination unit 12, rearrange the contents of log data accordingly, and present them to the analyst. . For example, the analysis target determination unit 12 outputs a plurality of analyzes according to the suspicion based on the contents of the rule information 70, the event data, and the like when outputting information on a plurality of analysis targets determined to be abnormal to the screen. Rank and output the target. For example, in the column 503 of the screen in FIG. 10, information on a plurality of analysis targets is displayed in an order corresponding to suspicion or the like. Thereby, the analyst can perform analysis work in the order of suspicion etc. with respect to a plurality of log data to be analyzed, and can easily detect an attack or the like.

  As another embodiment, the data analysis system 1 may perform analysis target determination processing using text data included in log data. The data analysis system 1 may perform the analysis target determination process using a combination of numerical data and text data included in the log data.

  Hereinafter, as a data analysis system 1 according to another embodiment, a configuration example in a case where an analysis target determination process is performed using text data included in log data will be described. Hereafter, the part of the structure different from Embodiment 1 in other embodiment is demonstrated.

  FIG. 13 shows a configuration example of the rule information 70 according to another embodiment. The rows indicated by ID = 21 and 22 show examples of rules for performing analysis target determination processing using text data. In the line of ID = 21, the rule name is “authentication error per unit time”, and the condition is “* ¥ HTTP_STATUS = 401 AND INTERVAL = 10 min AND COUNT> 3 AND GOURPBY user”. Is the current time zone for all computers, for each computer.

  Under the condition of ID = 21, “HTTP_STATUS = 401” indicates the HTTP status code of the Web server. “* ¥ HTTP_STATUS = 401” indicates a condition that the HTTP status code is 401, that is, the authentication has failed when accessing a Web page that requires authentication. “INTERVAL = 10 min” indicates a condition that the time is within the latest 10 minutes. “COUNT> 3” indicates a condition that the condition is met at least three times. “AND GOURPBY user” indicates a condition for determining whether or not the condition is met for each user. ID = 21 is a condition obtained by ANDing these conditions. Therefore, the condition of ID = 21 indicates a condition that the same user has failed authentication three or more times in the last 10 minutes. This rule corresponds to, for example, an external attacker detecting an attack called a brute force attack in which all possible combinations of user name and password are attempted and illegal login is attempted as one of cryptanalysis methods. It is.

  In the line of ID = 22, the rule name is “data transmission”, the condition is “* ¥ METHOD = POST”, and the determination target and the time zone are all computers, every computer, and the current time zone. In this condition, “METHOD” indicates the type of request to the Web server. “* ¥ METHOD = POST” indicates a condition that a POST method request to the Web server, that is, data is transmitted from the client to the server. Therefore, the condition of ID = 22 indicates a condition that data is transmitted using the POST method. This rule is a rule corresponding to detecting that a terminal infected with malware or the like is transmitting some data to the attacker's server.

  As in the above example, rules in other embodiments are described by logic including character strings or text.

  FIG. 14 shows an example of text data in log data obtained from the computer 20 of the management target system 2 in another embodiment. The log data table of FIG. 14 has “text log” as a column. In this example, the “text log” uses an apache log. apache is a Web server. The text that is the value of the “text log” column is composed of a plurality of items that are divided by white space characters. Multiple items are in order from "Remote Host Name", "Client Identifier", "Authentication User Name", "Time", "Request First Line", "Response Status", "Number of Bytes Sent" Become. This example is an example of a text log of the computer C11. In the log from 10:00:00 to 5 seconds, the response status is 401 due to access by the GET method.

  In the case of the log in FIG. 14, the analysis target determination unit 12 performs an analysis target determination process based on the rule information 70 in FIG. 13. Thereby, for example, since the condition of ID = 21 is satisfied, it is determined that the computer C11 and the time zone are suspected of being attacked, and the corresponding log data is determined as an analysis target. In the determination using the text data in other embodiments, the comparison between a plurality of computers and the comparison with the past time zone can be similarly applied similarly to the determination using the numerical data in the first embodiment. is there.

  In another embodiment, the flow in FIG. 3 is as follows. In S2 and S3, log data including text data is collected. In S4, the analysis target determination unit 12 sets the text data in the determination target computer and the time zone as the feature amount using the text data of the log data. In S <b> 5, the analysis target determination unit 12 sets text data in the comparison target computer and time zone as a reference value using text data in the log data. In S <b> 6, the analysis target determination unit 12 refers to the rule including the text from the rule information 70. In S7, the analysis target determination unit 12 compares the text corresponding to the feature amount in S4 with the text corresponding to the reference value in S5, and determines that the security breach is suspected when the rule in S6 is satisfied. . In S8, the analysis target determination unit 12 determines a computer, a time zone, and log data corresponding to the abnormal state as analysis targets.

  Although the present invention has been specifically described above based on the embodiments, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention.

  The present invention can be used in a system that performs computer monitoring and measurement, log data recording, collection, analysis, and the like.

  DESCRIPTION OF SYMBOLS 1 ... Data analysis system, 2 ... Management object system, 3 ... Event detection system, 9 ... Network, 10 ... Server system, 11 ... Data collection part, 12 ... Analysis object determination part, 13 ... Data analysis part, 14 ... Input / output , 15 ... setting unit, 20, 211 to 21m, 221 to 22n, 231 ... computer, 31 ... antivirus system, 32 ... proxy system, 33 ... firewall system, 34 ... intrusion detection system, 41 ... group, 42 ... group 50 ... log DB, 51 ... log data, 52 ... log data, 60 ... analysis DB, 61 ... target information, 62 ... analysis data, 70 ... rule information, 200 ... resource state measurement unit, 300 ... event detection unit.

Claims (7)

A data analysis system including a server for analyzing log data of the computer in order to detect a security breach to the computer of the managed system,
The server
At least one of the managed system including a plurality of computers, and an anti-virus system, a proxy system, a firewall system, or an intrusion detection system that monitors the computers of the managed system, detects an event, and outputs the event data Connected to the event detection system, including
Collect log data including numerical data and text data of resource state measurement values from the computer of the managed system and store them in a log DB; collect the event data from the event detection system and associate it with the log data A data collection unit stored in the log DB;
An analysis target determination unit that determines log data to be narrowed down as an analysis target by analyzing the numerical data and text data of the log data based on rule information, respectively,
Based on the operation of the analyst, the log data narrowed down as the analysis target among the log data is analyzed to add the event data associated with the log data to detect the security breach. , A data analysis unit that outputs analysis data as analysis results,
Based on the operation of the analyst, and a setting unit for setting a rule of the rule information,
The analysis target determination unit
Using the numerical data and text data of the log data, processing to calculate or set a feature amount in a determination target computer and time zone;
Using the numerical data and text data of the log data, a process for calculating or setting a feature value in a computer to be compared and a time zone as a reference value;
If comparing the reference value and the feature amount, satisfies the rules of the rule information, a process of determining, as the abnormal state security violations is suspected,
Processing for determining the computer, time zone, and log data corresponding to the abnormal state as the analysis target;
A process of storing analysis target information in an analysis DB including identification information of the computer, time zone, and log data narrowed down as the analysis target, and displaying a screen including the analysis target information to the analyst; , And
The numerical data of the resource state measurement value includes at least one of CPU usage rate, memory usage amount, disk usage amount, or number of server processes,
The rule information includes the rules, including the abnormal state determining conditions when the deviation between the reference value and the feature amount exceeds a threshold value,
The data analysis unit refers to the analysis target information of the analysis DB, reads the log data narrowed down as the analysis target, performs the analysis process,
The server, among the computers of said plurality of computers, if there is a bias in the load or resource state, with respect to the rules of the rule information to allow comparison of load or resource state of each computer and leveling Set the correction factor for
Data analysis system. The data analysis system according to claim 1,
The analysis target determination unit
Calculating or setting a feature amount in a first time zone corresponding to the first computer to be determined and the current time zone;
Calculating or setting one or more second computers to be compared and a statistical value of a feature value in the first time zone as the reference value;
Data analysis system. The data analysis system according to claim 1,
The analysis target determination unit
Calculating or setting a feature amount in a first time zone corresponding to the first computer to be determined and the current time zone;
Calculating or setting a statistical value of a feature value in a second time zone corresponding to the first computer to be compared and one or more past time zones as the reference value;
Data analysis system. The data analysis system according to claim 1,
The analysis target determination unit directly sets the numerical data in the determination target computer and the time zone as the feature amount, and sets the numerical data in one or more computers and time zones of the management target system to be compared. An average value is calculated and set as the reference value.
Data analysis system. The data analysis system according to claim 1,
The analysis target determination unit calculates a change amount in a plurality of time-series numerical values in the numerical data in the determination target computer and time zone, and the change amount is large based on a comparison between the change amount and a threshold value. Extract a location and set the numerical value of the location as the feature amount.
Data analysis system. The data analysis system according to claim 1,
A load balancer for balancing the load of the plurality of computers and leveling the resource state of each computer is connected to the plurality of computers of the managed system,
The server acquires load distribution information indicating a load distribution state from the load distribution apparatus, and sets the correction coefficient using the load distribution information.
Data analysis system. The data analysis system according to claim 1,
For the log data narrowed down as the analysis target, the server determines the order or priority of the analysis target according to the suspected abnormal state, and the log data rearranged according to the order or priority is the log data Display on screen,
Data analysis system.

Images