JP6606050B2 - Detection device, detection method, and detection program - Google Patents

Description

  The present invention relates to a detection device, a detection method, and a detection program.

  With the arrival of the IoT (Internet of Things) era, various devices (IoT devices) are connected to the Internet and used in various ways. Accordingly, security measures such as an abnormality detection system and an intrusion detection system (IDS, Intrusion Detection System) for IoT devices are expected.

  For example, a technique for detecting an abnormality in an IoT device by unsupervised learning using a variational auto encoder (see Non-Patent Document 1) is disclosed (see Non-Patent Document 2). In abnormality detection using unsupervised learning, it is determined that an abnormality is detected when a feature different from the normal state is extracted by learning a feature in a normal state. According to this technique, an abnormality can be detected without learning an abnormal state, which is effective in detecting a threat of an IoT device for which threat information is not fully known.

Diederik P. Kingma, Max Welling, “Auto-Encoding Variational Bayes”, [online], May 2014, [October 11, 2016 search], Internet <URL: https://arxiv.org/pdf/1312.6114 v10.pdf> Jinwon An, Sungzoon Cho, “Variational Autoencoder based Anomaly Detection using Reconstruction Probability”, [online], December 2015, SNU Data Mining Center, [October 31, 2016 search], Internet <URL: http: // dm .snu.ac.kr / static / docs / TR / SNUDM-TR-2015-03.pdf>

  However, in abnormal detection using unsupervised learning, when an abnormal state partially shares a feature with a normal state, the abnormal state may be erroneously detected as a normal state. In this case, even if the abnormal state becomes known, it cannot be re-learned so that the abnormal state sharing characteristics with the normal state can be correctly detected as abnormal.

  The present invention has been made in view of the above, and an object of the present invention is to prevent erroneous detection of an abnormal state that partially shares characteristics with a normal state in abnormal detection using unsupervised learning. .

  In order to solve the above-described problems and achieve the object, the detection device according to the present invention includes an acquisition unit that acquires data of a target device, and a learning unit that learns a model representing the characteristics of data in a known normal state And from the learned model, an excluding unit that excludes a part representing the characteristic of the data in the normal state in common with the characteristic of the data in the known abnormal state, and the part is excluded from the acquired data. And a determination unit that determines an abnormal state when a feature different from the known normal state data based on the model is extracted.

  ADVANTAGE OF THE INVENTION According to this invention, in the abnormality detection using unsupervised learning, the false detection of the abnormal state which shares a characteristic partially with a normal state can be prevented.

FIG. 1 is a schematic view illustrating a schematic configuration of a system including a detection device according to an embodiment of the invention. FIG. 2 is an explanatory diagram for explaining an outline of processing of the detection device. FIG. 3 is an explanatory diagram for explaining an outline of processing of the detection device. FIG. 4 is an explanatory diagram for explaining an outline of processing of the detection device. FIG. 5 is a schematic view illustrating a schematic configuration of the detection device. FIG. 6 is an explanatory diagram for explaining the variational auto encoder. FIG. 7 is a flowchart showing a detection processing procedure. FIG. 8 is an explanatory diagram for explaining the variational auto encoder. FIG. 9 is an explanatory diagram for explaining the embodiment. FIG. 10 is an explanatory diagram for explaining the embodiment. FIG. 11 is a diagram illustrating a computer that executes a detection program.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Moreover, in description of drawing, the same code | symbol is attached | subjected and shown to the same part.

[System configuration]
FIG. 1 is a schematic view illustrating a schematic configuration of a system including a detection device according to this embodiment. As illustrated in FIG. 1, the detection apparatus 1 is connected to a number of IoT devices 2 via a network 3. The detection apparatus 1 acquires time-series data such as traffic information and device log information from the IoT device 2 and learns the characteristics of data in a normal state as an unsupervised learner. In addition, the detection device 1 determines that the state is abnormal when a feature different from the learned normal feature is extracted from the data acquired from the IoT device 2 that is the target of abnormality detection. An abnormality of the device 2 is detected.

  Here, with reference to FIGS. 2-4, the process outline | summary of the detection apparatus 1 of this embodiment is demonstrated. As illustrated in FIG. 2, the detection device 1 learns the distribution of data in a normal state and determines data having a distribution different from the distribution in the normal state as an abnormal state. Therefore, as illustrated in FIG. 3, if the distribution of the known abnormal state data is in common with a part of the learned normal state data distribution, it is determined that the state is abnormal. I can't. In addition, the distribution of abnormal state data shared with the normal state cannot be learned separately from the distribution of normal state data.

  Therefore, as illustrated in FIG. 4, the detection device 1 according to the present embodiment obtains a distribution in which a common part with an abnormal state is excluded from a normal state distribution. As a result, the detection apparatus 1 feeds back a known abnormal state to a model representing a normal state, and prevents an abnormal state sharing characteristics with the normal state from being erroneously determined as a normal state.

[Configuration of detection device]
FIG. 5 is a schematic view illustrating a schematic configuration of the detection apparatus 1. As illustrated in FIG. 5, the detection device 1 is realized by a general-purpose computer such as a personal computer, and includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.

  The input unit 11 is realized by using an input device such as a keyboard or a mouse, and inputs various instruction information such as processing start to the control unit 15 in response to an input operation by the operator. The output unit 12 is realized by a display device such as a liquid crystal display or a printing device such as a printer.

  The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between an external device such as the IoT device 2 and the control unit 15 via a telecommunication line such as a LAN (Local Area Network) or the Internet. To do.

  The storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and is a model of a normal state specified by a detection process described later. Parameters are stored. The storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13.

  In the present embodiment, the storage unit 14 stores log data 14a and model parameters 14b. The log data 14a includes data on the normal state of the IoT device 2 in the past and data on a known abnormal state. The known abnormal state means, for example, an abnormal state that may occur when infected with known threat information, or an abnormal state that could not be detected in the past. The model parameter 14b includes a model parameter that is learned by a detection process, which will be described later, and represents a characteristic of a normal state.

  The controller 15 is implemented using a CPU (Central Processing Unit) or the like, and executes a processing program stored in a memory. Thereby, the control part 15 functions as the acquisition part 15a, the learning part 15b, the exclusion part 15c, and the determination part 15d so that it may illustrate in FIG.

  The acquisition unit 15a acquires data of the target device. Specifically, the acquisition unit 15a acquires time-series data such as traffic information and device log information from the IoT device 2 that is a target of detection processing described later. The acquired normal state data and known abnormal state data of the IoT device are stored in the log data 14 a of the storage unit 14.

  The learning unit 15b learns a model representing the characteristics of data in a known normal state. For example, the learning unit 15b is realized by an unsupervised learning device such as a variational auto encoder. The model parameters learned here are stored in the model parameters 14b of the storage unit 14.

  Specifically, the learning unit 15b learns the input data by optimizing the model parameters so as to minimize the loss function L shown in the following equation (1).

  Here, the first term of the above formula (1) is referred to as “reconstruction loss” (hereinafter also referred to as “recross”). This first term estimates the distance between the observed data x and the probability distribution of the data x estimated from the probability distribution of the latent variable z that generates the data x and reestimated from the probability distribution of the latent variable z. To express. In other words, it represents the distance between the observed data x and the data x restored after compressing the information of the data x into the latent variable z. That is, the value is small when the feature of the data x is extracted with high accuracy by the latent variable z. Therefore, the smaller the value is, the better the learning index is.

  The second term of the above formula (1) is called KL divergence. This second term represents the distance between the conditional probability distribution q (z | x) that generates the latent variable z from the observed data x and the prior probability distribution p (z) that does not depend on the data x.

  Therefore, minimizing the loss function L expressed by the sum of the above two distances means minimizing the two distances at the same time, and obtains a probability distribution of the latent variable z that does not depend on the data x as much as possible. Means that.

  The excluding unit 15c excludes from the learned model a portion that represents a characteristic of data in a normal state that is common to a characteristic of data in a known abnormal state. Specifically, the exclusion unit 15c adds a regularization term to the loss function of the known abnormal state data and minimizes it, so that the data of the normal state common to the abnormal state data features can be obtained. Exclude features that represent features.

Here, the loss function _Lab of the data in a known abnormal state is defined by adding a regularization term shown in the second term on the right side as shown in the following equation (2). Here, a and N are parameters. Further, the regularization term means a term introduced to inhibit learning.

  Further, the first term and the second term on the right side of the above formula (2) can be rewritten as the following formula (3).

FIG. 6 is a graph illustrating the functional form of the above equation (3). As shown in FIG. 6, the function f (x) diverges when x, that is, Reclose is a or less, and inhibits the minimization of Reclose. On the other hand, if the Recloss is greater than a is equal to f (x) approximately x, loss function _{L ab} of regularization term with it can be seen that behaves like a loss function L. In other words, the loss function L _ab means a loss function L in which learning with a Reclose of a or less is inhibited.

Therefore, exclusion unit 15c, the data of the abnormal state, Recloss by the performing learning to minimize loss function L _ab as not less a, from the feature data of the normal state, the abnormal state Exclude parts in common with features. This means that the distance between the feature of the data in the normal state and the portion representing the feature shared with the abnormal state is larger than the predetermined value a. That is, as illustrated in FIG. 4, this means that the distribution of data in an abnormal state is excluded from the distribution of data in a normal state.

  Returning to the description of FIG. The determination unit 15d has a feature different from the feature of the known normal state data based on the model in which the portion representing the feature of the normal state data common to the feature of the abnormal state data is excluded from the acquired data. Is extracted, an abnormal state is determined. Moreover, the determination part 15d outputs an alarm etc. to the output part 12, when it determines with an abnormal state. For example, the determination unit 15d controls the output unit 12 so as to issue an alarm or display an error message. As a result, it becomes easy to detect anomalies of a large number of IoT devices 2 connected to the network 3.

[Detection processing]
Next, with reference to FIG. 7, the detection process by the detection apparatus 1 which concerns on this embodiment is demonstrated. FIG. 7 is a flowchart showing a detection processing procedure. The flowchart in FIG. 7 is started, for example, at a timing when there is an operation input instructing the start of the detection process.

  The acquisition unit 15a acquires the data of the target device and stores it in the storage unit 14 as log data 14a (step S1). Next, the learning unit 15b learns normal state data from the log data 14a stored in the storage unit 14, and specifies model parameters of the model representing the characteristics of the normal state data (step S2). ). Moreover, the exclusion part 15c excludes the part which is common with the characteristic of the data of a known abnormal state from the learned model (step S3). At that time, the exclusion unit 15c adds the regularization term to the loss function of the known abnormal state data and minimizes it, thereby expressing the characteristics of the normal state data shared with the abnormal state data. Exclude parts.

  In addition, the acquisition unit 15a acquires the latest data (step S4), and the determination unit 15d extracts the characteristics of the acquired data. When this characteristic is not different from the characteristic of the normal state data based on the model from which the part common to the characteristic of the abnormal state data is excluded (step S5, No), the determination unit 15d performs the process in step S4. To return. On the other hand, when the feature is different from the feature of the data in the normal state (step S5, Yes), the determination unit 15d determines that the data is in an abnormal state (step S6). Thereby, a series of detection processing ends.

  As described above, in the detection device 1 of the present embodiment, the acquisition unit 15a acquires the data of the target device. Further, the learning unit 15b learns a model representing the characteristics of data in a known normal state. Further, the exclusion unit 15c excludes from the learned model a portion that represents the characteristics of data in a normal state that is common to the characteristics of data in a known abnormal state. Then, the determination unit 15d determines that the state is abnormal when a feature different from the feature of the known normal state data is extracted from the acquired data.

  Accordingly, the detection apparatus 1 feeds back a known abnormal state to a model representing a normal state, and prevents an abnormal state sharing characteristics with the normal state from being erroneously determined as a normal state. Can do. For example, the accuracy of abnormality detection can be improved by learning using data of a known abnormal state such as log data 14a infected with known threat information or log data 14a that has failed to be detected in the past. As described above, in the abnormality detection using the unsupervised learning, it is possible to prevent the erroneous detection of the abnormal state partially sharing the characteristics with the normal state. Therefore, the threat to the IoT device 2 can be detected with high accuracy.

[Example]

  Next, an embodiment in which the learning unit 15b of the detection device 1 is realized by a variational auto encoder will be described with reference to FIGS. As illustrated in FIG. 8, the variational auto-encoder learns the pixel position distribution of each numeric image when MNIST, which is a standard handwritten numeric image data set, is input as an unsupervised learner. Output the reconstructed data of each number.

  In the present embodiment, the detection device 1 is caused to learn handwritten numerals from 0 to 9 excluding 1 and 7 as normal data. In this case, the detection apparatus 1 must determine the unlearned handwritten numerals 1 and 7 as abnormal data.

  FIG. 9 is a diagram showing the relationship between the number of learnings, that is, the number of epochs, and the restructuring loss, which is an index representing the degree of learning, when only conventional normal state data is learned. However, the final epoch number was 50. In this case, as illustrated in FIG. 9, it cannot be said that the restructuring loss is significantly larger for the numbers 1 and 7 than the other numbers. Means that This can be considered that 1 and 7 have simple shapes and partially share characteristics with other numbers that mean a normal state.

  On the other hand, FIG. 10 is a diagram illustrating the relationship between the number of epochs and the restructuring loss in the detection apparatus 1 of the present embodiment. However, the final epoch number was 50, a = 120 in the above formula (2), and N = 15. In this case, as illustrated in FIG. 10, it can be seen that Reconstruction loss for 1 and 7 is significantly larger than other numbers and is not learned. This means that the abnormality has been successfully detected. In particular, the Reconstruction loss of 1 and 7 is approximately a = 120, and it can be seen that the regularization term functions as expected.

  In addition, it can be seen that the numerical values other than 1 and 7 are learning to the same extent as the conventional learning of only normal data, although the learning convergence speed is slightly slow. That is, it can be seen that the normal state can be reconstructed also by the normal state feature from which the features common to the known abnormal state are excluded. This means that the normal state can be correctly identified by the normal state feature from which the features common to the known abnormal state are excluded. As described above, it has been confirmed that the detection apparatus 1 of the above embodiment can prevent erroneous detection even when the data in a known abnormal state shares part of the characteristics with the data in the normal state.

[program]
It is also possible to create a program in which processing executed by the detection apparatus 1 according to the above embodiment is described in a language that can be executed by a computer. As one embodiment, the detection apparatus 1 can be implemented by installing a detection program that executes the above-described detection processing as package software or online software on a desired computer. For example, the information processing apparatus can function as the detection apparatus 1 by causing the information processing apparatus to execute the above detection program. The information processing apparatus referred to here includes a desktop or notebook personal computer. In addition, the information processing apparatus includes mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone System), and slate terminals such as PDA (Personal Digital Assistants). In addition, the terminal device used by the user can be a client, and the client can be implemented as a server device that provides services related to the detection processing to the client. For example, the detection device 1 is implemented as a server device that provides a detection processing service that receives time-series data of the IoT device 2 and outputs an abnormality detection result. In this case, the detection apparatus 1 may be implemented as a Web server, or may be implemented as a cloud that provides a service related to the detection process described above by outsourcing. Below, an example of the computer which performs the detection program which implement | achieves the function similar to the detection apparatus 1 is demonstrated.

  As shown in FIG. 11, the computer 1000 that executes the detection program includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface. 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

  Here, as shown in FIG. 11, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1031 or the memory 1010, for example.

  Further, the detection program is stored in the hard disk drive 1031 as a program module 1093 in which a command executed by the computer 1000 is described, for example. Specifically, a program module 1093 describing each process executed by the detection apparatus 1 described in the above embodiment is stored in the hard disk drive 1031.

  Data used for information processing by the detection program is stored as program data 1094, for example, in the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes the above-described procedures.

  Note that the program module 1093 and the program data 1094 related to the detection program are not limited to being stored in the hard disk drive 1031, but are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. It may be read by the CPU 1020.

  As mentioned above, although embodiment which applied the invention made | formed by this inventor was described, this invention is not limited with the description and drawing which make a part of indication of this invention by this embodiment. That is, other embodiments, examples, operational techniques, and the like made by those skilled in the art based on this embodiment are all included in the scope of the present invention.

DESCRIPTION OF SYMBOLS 1 Detection apparatus 11 Input part 12 Output part 13 Communication control part 14 Storage part 15 Control part 15a Acquisition part 15b Learning part 15c Exclusion part 15d Determination part

Claims (4)

An acquisition unit for acquiring data of the target device;
A learning unit that learns a model representing characteristics of data in a known normal state;
An excluded unit that excludes from the learned model a portion that represents the characteristics of the data in the normal state in common with the characteristics of the data in the known abnormal state;
A determination unit that determines an abnormal state when a feature different from the feature of the known normal state data based on the model from which the portion is excluded is extracted from the acquired data;
A detection device comprising:   The exclusion unit adds the regularization term to the loss function of the known abnormal state data and minimizes the normal state data feature in common with the abnormal state data feature. The detection device according to claim 1, wherein a portion to be expressed is excluded. A detection method executed by a detection device,
An acquisition process for acquiring data of the target device;
A learning process for learning a model representing characteristics of data in a known normal state;
An exclusion step of excluding from the learned model a portion representing the characteristics of the normal state data in common with the characteristics of the known abnormal state data;
A determination step of determining an abnormal state when a feature different from a feature of known normal state data based on the model from which the portion is excluded is extracted from the acquired data;
The detection method characterized by including. On the computer,
An acquisition step of acquiring data of the target device;
A learning step for learning a model representing characteristics of data in a known normal state;
An exclusion step of excluding from the learned model a portion representing the characteristics of the data in the normal state in common with the characteristics of the data in a known abnormal state;
A determination step of determining an abnormal state when a feature different from the feature of the known normal state data based on the model from which the portion is excluded is extracted from the acquired data;
A detection program characterized by causing

Images