JP6718367B2 - Judgment system, judgment method, and program - Google Patents

Description

The present invention relates to a determination system, a determination method, and a program.

For example, in Patent Document 1, there is a traffic monitoring system that performs monitoring based on a lower limit threshold set for a traffic volume measurement point, and acquires traffic information that periodically acquires traffic information regarding the traffic volume at the measurement point. Traffic monitoring, characterized in that it includes a means and a determination means for determining that a measurement point is in an alarm generation state when a calculated value calculated based on the traffic information acquired by the traffic information acquisition means is lower than a lower limit threshold value. The system is described.

JP, 2009-017393, A

By the way, in the system of Patent Document 1, the traffic variation rate as the determination target value is compared with the determination threshold value, and when the traffic variation rate is lower than the determination threshold value, it is determined to be in an abnormal state.
Therefore, in the system of Patent Document 1, for example, immediately after the change in the usage method of the user, the traffic fluctuation rate after the change in the usage method of the user is compared with the determination threshold set before the change in the usage method of the user. It is determined whether or not the state is abnormal. As a result, immediately after the change in the usage method of the user, there is a possibility that it may be erroneously determined to be in an abnormal state even though it is in a normal state.
Further, in the system of Patent Document 1, for example, immediately after the execution of the switching work in the network system, the traffic variation rate after the execution of the switching work is compared with the determination threshold value set before the execution of the switching work, and an abnormal state occurs. Is determined. As a result, immediately after the switching work is performed, there is a possibility that the normal state may be erroneously determined to be the abnormal state.

It is an object of some aspects of the present invention to provide a determination system, a determination method, and a program capable of suppressing the risk of erroneously determining that the traffic volume of communication data is in an abnormal state. ..

Another object of another aspect of the present invention is to provide a determination system, a determination method, and a program that can achieve the effects described in the embodiments described below.

In order to solve the problems described above, one aspect of the present invention is a learning model acquisition unit that acquires a learning model created by machine learning the traffic volume of past communication data, and the traffic of the past communication data. Traffic amount reference value acquisition unit that acquires a traffic amount reference value that is a reference value of the traffic amount of communication data set based on the amount, and an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model. Abnormality determination threshold value acquisition unit to be acquired, determination target traffic amount acquisition unit to acquire the determination target traffic amount that is the traffic amount of the communication data to be determined, and an abnormality determination that is an outlier of the determination target traffic amount with respect to the learning model The determination system includes an abnormality determination target value acquisition unit that acquires a target value, and a determination unit that determines whether or not an abnormal state is present based on the abnormality determination threshold value and the abnormality determination target value.
Further, another aspect of the present invention is that the determination system includes a first step of obtaining a learning model created by machine learning the traffic volume of past communication data, and a traffic volume of the past communication data. A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of communication data set based on the second step, and a third step of obtaining an abnormality determination threshold value which is an outlier of the traffic amount reference value for the learning model. And a fourth step of acquiring a determination target traffic amount that is the traffic amount of the determination target communication data, and a fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount with respect to the learning model, A sixth step of determining whether or not an abnormality is present based on the abnormality determination threshold value and the abnormality determination target value.
Further, another aspect of the present invention is based on a first step of acquiring a learning model created by machine learning the traffic volume of past communication data in a computer, and the traffic volume of the past communication data based on the first step. A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of the communication data set by the above, and a third step of obtaining an abnormality determination threshold value which is an outlier of the traffic amount reference value for the learning model. A fourth step of acquiring a determination target traffic amount that is a traffic amount of the determination target communication data, and a fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount with respect to the learning model; It is a program for executing a sixth step of judging whether or not it is in an abnormal state based on the abnormality judgment threshold value and the abnormality judgment target value.

According to an embodiment of the present invention, it is possible to suppress the possibility that the traffic volume of communication data is erroneously determined to be in an abnormal state.

The figure which shows an example of the network system to which the determination system of 1st Embodiment was applied. The figure which shows an example of the network system to which the determination system of 1st Embodiment can be applied. The figure which shows the flow of a process etc. in the determination system of 1st Embodiment. The figure which shows an example of the relationship of a connection apparatus, VLAN, and a port. The figure which shows the general abnormality determination method of the traffic volume for determination. The figure which shows an example of a misjudgment. The figure which shows the other example of a misjudgment. The figure which shows the determination by the determination system of 1st Embodiment. The figure which shows the other example of the determination by the determination system of 1st Embodiment. The figure showing the calculation load which calculates a traffic volume standard value, and the calculation load which creates a learning model. The figure which shows an abnormality determination target value. The figure which shows the method of determining whether the abnormality determination target value is abnormal. The figure which compared two abnormality determination thresholds. The figure which shows an example of the calculation method of a traffic volume reference value. The figure which shows the other example of the calculation method of a traffic volume reference value. The figure which shows the relationship between an abnormality determination target value and an abnormality determination threshold value. The figure which shows the other example of the network system to which the determination system of 1st Embodiment can be applied. The flowchart which shows the flow of the whole process by a determination system. The figure which shows an example of the network system to which the determination system of 2nd Embodiment was applied.

An embodiment of the present invention will be described below with reference to the drawings.
[First Embodiment]
A first embodiment of the present invention will be described.
FIG. 1 is a diagram illustrating an example of a network system 200 to which the determination system 100 according to the first embodiment is applied.
In the example illustrated in FIG. 1, the determination system 100 includes a learning model acquisition unit 10, a traffic amount reference value acquisition unit 11, an abnormality determination threshold value acquisition unit 12, a determination target traffic amount acquisition unit 13, and an abnormality determination target value acquisition. It includes a unit 14, a traffic amount reference value calculation unit 20, a determination unit 30, a network analysis unit 40, and an alarm analysis unit 50.
The learning model acquisition unit 10 acquires a learning model created by machine learning the traffic volume of past communication data. In the example shown in FIG. 1, the learning model creation unit 210 is provided outside the determination system 100. The learning model creation unit 210 creates a learning model by machine learning the traffic volume of past communication data. The learning model acquisition unit 10 acquires the learning model from the learning model creation unit 210.

The traffic amount reference value acquisition unit 11 acquires a traffic amount reference value that is a reference value of the traffic amount of communication data set based on the traffic amount of past communication data. In the example shown in FIG. 1, the traffic amount reference value calculation unit 20 is provided inside the determination system 100. The traffic amount reference value calculation unit 20 calculates the traffic amount reference value based on the statistical value of the traffic amount of past communication data. The traffic amount reference value acquisition unit 11 acquires the traffic amount reference value from the traffic amount reference value calculation unit 20.
The abnormality determination threshold acquisition unit 12 acquires an abnormality determination threshold that is an outlier of the traffic amount reference value for the learning model. In the example shown in FIG. 1, the abnormality determination threshold value calculation unit 220 is provided outside the determination system 100. The abnormality determination threshold value calculation unit 220 calculates an abnormality determination threshold value. The abnormality determination threshold acquisition unit 12 acquires the abnormality determination threshold from the abnormality determination threshold calculation unit 220.

The determination target traffic amount acquisition unit 13 acquires the determination target traffic amount, which is the traffic amount of the determination target communication data.
In the example shown in FIG. 1, the traffic volume to be determined is measured at each of the plurality of ports 270-1, 270-2,..., 270-8 included in the network system 200. The network system 200 includes an aggregation switch 280. The determination target traffic amount of each of the plurality of ports 270-1, 270-2,..., 270-8 is acquired by the determination target traffic amount acquisition unit 13 via the aggregation switch 280. The traffic collection server 290 stores the traffic volume to be determined for each of the plurality of ports 270-1, 270-2,..., 270-8.
Further, in the example shown in FIG. 1, the traffic volume of the past communication data of each of the plurality of ports 270-1, 270-2,..., 270-8 is calculated by the learning model creation unit 210 via the aggregation switch 280. To be acquired. The learning model creation unit 210 machine-learns the traffic volume of the past communication data of each of the plurality of ports 270-1, 270-2,..., 270-8, and thereby the plurality of ports 270-1, 270-2. ,..., 270-8 are created as learning models.

The abnormality determination target value acquisition unit 14 acquires an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model. In the example shown in FIG. 1, the abnormality determination target value calculation unit 230 is provided outside the determination system 100. The abnormality determination target value calculation unit 230 calculates an abnormality determination target value. The abnormality determination target value acquisition unit 14 acquires the abnormality determination target value from the abnormality determination target value calculation unit 230.
The determination unit 30 determines whether or not it is in an abnormal state based on the abnormality determination threshold value acquired by the abnormality determination threshold value acquisition unit 12 and the abnormality determination target value acquired by the abnormality determination target value acquisition unit 14. .. Specifically, the determination unit 30 determines that the abnormality determination target value is in the abnormal state when the abnormality determination target value is larger than the abnormality determination threshold value.
In the example shown in FIG. 1, the determination unit 30 determines whether or not the determination target traffic amount of each of the plurality of ports 270-1, 270-2,..., 270-8 is in an abnormal state.

The network analysis unit 40 analyzes the number, position, etc. of the ports determined by the determination unit 30 to be in an abnormal state. In addition, the network analysis unit 40 analyzes the determination result indicating the abnormal state. The determination result of the abnormal state includes, for example, the determination result caused by the user. Further, the determination result of the abnormal state includes, for example, the determination result of the network system 200.
When the determination result indicating the abnormal state is the determination result caused by the user, the network analysis unit 40 analyzes that the usage method of the user has changed, or that switching work or the like has been executed in the network system 200. To do. That is, the network analysis unit 40 analyzes that the network system 200 itself is normal.
When the determination result indicating the abnormal state is the determination result caused by the network system 200, the network analysis unit 40 analyzes that the network system 200 may have an abnormality. In addition, the network analysis unit 40 identifies a place where an abnormality has occurred (suspected place). The suspected portion is specified based on the position of the port determined to be in an abnormal state, the position of the port determined to be in a normal state, the configuration of the network system 200, the traffic flow of communication data, and the like.

The alarm analysis unit 50 matches alarm information (history of issued alarms). Failures include silent failures that cannot raise an alarm and normal failures that can raise an alarm. The alarm analysis unit 50 analyzes whether it is determined that the abnormal state is caused by the silent failure or the abnormal state is caused by the normal failure.
In the example shown in FIG. 1, the network analysis unit 40 and the alarm analysis unit 50 are provided in the determination system 100, but in other examples, the network analysis unit 40 and the alarm analysis unit 50 may be omitted, or the determination system may be omitted. It may be provided outside of 100.

FIG. 2 is a diagram showing an example of a network system 200 to which the determination system 100 of the first embodiment can be applied. In the example illustrated in FIG. 2, the network system 200 includes a first network 200-1, a second network 200-2, and a third network 200-3. The first network 200-1, the second network 200-2, and the third network 200-3 are connected to each other. The first network 200-1 is a network of a first operator, the second network 200-2 is a network of a second operator, and the third network 200-3 is a network of a third operator.
The first network 200-1 includes a plurality of VLANs (Virtual Local Area Networks) and a connection device 260-1 that connects them. The second network 200-2 and the third network 200-3 are configured similarly to the first network 200-1. The second network 200-2 includes a connection device 260-2, and the third network 200-3 includes a connection device 260-3.
By applying the determination system 100 of the first embodiment to the network system 200 illustrated in FIG. 2, the determination unit 30 causes the determination target traffic amount of each of a plurality of ports in the network system 200 to be in an abnormal state. It can be determined whether or not.

FIG. 3 is a diagram showing a flow of processing and the like in the determination system 100 of the first embodiment. In the example illustrated in FIG. 3, the traffic volume of the past communication data of each of the plurality of ports in the connection devices 260-1 and 260-2 is stored in the traffic collection server 290. Also, the traffic volume to be determined is measured at a plurality of ports in the connection devices 260-1 and 260-2.
The decision system 100 first performs traffic collection. Specifically, the determination system 100 collects the traffic volume of past communication data stored in the traffic collection server 290. Further, the determination system 100 collects the determination target traffic volume of a plurality of ports in the connection devices 260-1 and 260-2 via the aggregation switch 280 having the mirror port 280a.
The decision system 100 then performs traffic analysis. Specifically, the determination system 100 acquires a learning model created by machine learning the traffic volume of past communication data. The determination system 100 also calculates a traffic volume reference value based on the traffic volume of past communication data. The determination system 100 also acquires an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model. The determination system 100 also acquires an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model. Further, the determination system 100 determines whether each of the plurality of ports in the connection devices 260-1 and 260-2 is in an abnormal state based on the abnormality determination threshold value and the abnormality determination target value.

In the example shown in FIG. 3, the determination system 100 then performs an alarm analysis. Specifically, the determination system 100 analyzes whether it is determined that the abnormal state is caused by the silent failure or whether the abnormal state is determined by the normal failure.
The decision system 100 then performs a network analysis. Specifically, the determination system 100 identifies a location (suspected location) where an abnormality has occurred in the connection devices 260-1 and 260-2. In the example illustrated in FIG. 3, the determination system 100 then executes processing for making the silent failure known.

FIG. 4 illustrates a connection device 260, a plurality of VLANs 250-1, 250-2, 250-3 connected to the connection device 260, and a plurality of ports 270-1, 270-2, 270-3 in the connection device 260. It is a figure which shows an example of a relationship with.
In the example shown in FIG. 4, the VLAN 250-1 is connected to the connection device 260 via the port 270-1. Similarly, the VLANs 250-2 and 250-3 are connected to the connection device 260 via the ports 270-2 and 270-3, respectively. The VLAN 250-1, VLAN 250-2, and VLAN 250-3 are used by users U1, U2, and U3, respectively.
In the example shown in FIG. 4, the determination target traffic volume in the VLAN 250-1 is measured at the port 270-1. Similarly, the traffic volumes subject to determination in the VLAN 250-2 and the VLAN 250-3 are measured at the ports 270-2 and 270-3, respectively.

FIG. 5 is a diagram showing a general abnormality determination method for the traffic volume to be determined. Specifically, FIG. 5A is a diagram showing an example of the relationship between the traffic amount of past communication data and the conventional determination threshold value. The horizontal axis of FIG. 5A indicates time. Similarly, FIG. 5(B), FIG. 5(C), FIG. 5(D), FIG. 6(A), FIG. 6(B), FIG. 6(C), FIG. 7(A), FIG. B), FIG. 8(A), FIG. 8(B), FIG. 9(A), FIG. 9(B), FIG. 10(A), FIG. 10(B), FIG. 10(C), FIG. 10(D). 11(B), 11(C), 12, 13(A), 13(B), 13(C), 14(A), 15(A), 15(C) ) And the horizontal axis of FIG. 16 also indicate time.
The vertical axis of FIG. 5(A) represents the traffic volume. Similarly, FIG. 5(B), FIG. 5(C), FIG. 5(D), FIG. 6(A), FIG. 6(B), FIG. 6(C), FIG. 7(A), FIG. B), FIG. 8(A), FIG. 8(B), FIG. 9(A), FIG. 9(B), FIG. 10(A), FIG. 10(B), FIG. 10(C), FIG. 10(D). , FIG. 11(B), FIG. 11(C), FIG. 12, FIG. 13(A), FIG. 13(B), FIG. 13(C), FIG. 14(A), FIG. 14(B), FIG. ), FIG. 15(B) and FIG. 15(C) also indicate the traffic volume.
In the example shown in FIG. 5(A), when the “traffic amount of past communication data” as shown in FIG. 5(A) is obtained, a general traffic amount based on the “traffic amount of past communication data” is obtained. The “conventional determination threshold value” is calculated by a statistical method. The traffic volume to be judged (not shown) measured at the port is compared with the "conventional judgment threshold value" shown in FIG. 5(A). When the traffic volume to be determined is smaller than the “threshold type determination threshold value” shown in FIG. 5A, it is determined that the traffic volume to be determined is in an abnormal state.
FIG. 5B is a diagram showing the data amount of the “traffic amount of past communication data” necessary for calculating the “conventional determination threshold value” shown in FIG. 5A.

FIG. 5C is a diagram showing another example of the relationship between the traffic volume of past communication data and the conventional determination threshold value. In the example shown in FIG. 5(C), based on the “traffic amount of past communication data” shown in FIG. 5(C), the “conventional determination threshold value” shown in FIG. Is calculated. When the determination target traffic amount is smaller than the “conventional determination threshold value” illustrated in FIG. 5C, the determination target traffic amount is determined to be in an abnormal state.
FIG. 5D is a diagram showing the data amount of the “traffic amount of past communication data” necessary for calculating the “conventional determination threshold value” shown in FIG. 5C.

In the example shown in FIG. 5A, the value of the “conventional determination threshold value” is changed at short time intervals such as one hour. Therefore, the number of calculated "conventional determination threshold values" is large. Further, there is a large amount of "traffic amount of past communication data" required for calculating the "conventional determination threshold value" shown in FIG. 5A (in the example shown in FIG. 5B, the data extraction period ta ~ Tb is long).
On the other hand, in the example shown in FIG. 5C, the value of the “conventional determination threshold value” is changed at a long time interval such as 8 hours. Therefore, the number of calculated “conventional determination threshold values” is small. In addition, the data volume of the “traffic volume of past communication data” required for calculating the “conventional determination threshold value” shown in FIG. 5C is small (in the example shown in FIG. 5D, the data extraction period tc). ~td is short).

FIG. 6 is a diagram showing an example of erroneous determination that can occur in the general abnormality determination method of the determination target traffic amount shown in FIGS. 5(A) and 5(B). FIG. 6A is a diagram showing the traffic volume to be judged, which is measured at the port 270-1 shown in FIG. Similarly, FIG. 6(B) and FIG. 6(C) are diagrams showing the traffic volume to be determined measured at the ports 270-2 and 270-3, respectively.
In the example shown in FIG. 6(A), the usage method of the user U1 shown in FIG. 4 has not changed from before. Therefore, the “traffic amount to be determined” does not become smaller than the “conventional determination threshold value”. As a result, it is determined by a general determination system that it is not in an abnormal state. Also in the example shown in FIG. 6C, the usage method of the user U3 shown in FIG. 4 is the same as before. As a result, it is determined by a general determination system that it is not in an abnormal state.

On the other hand, in the example shown in FIG. 6(B), the usage method of the user U2 shown in FIG. 4 is different from that before. Further, the “traffic volume to be determined” measured at the port 270-2 after the usage method of the user U2 is changed, and the “conventional determination threshold value” calculated before the usage method of the user U2 is compared. To be done. Therefore, in the periods t1 to t2, the “traffic amount to be determined” becomes smaller than the “conventional determination threshold value”. As a result, it is determined by the general determination system that the “abnormal state” is in the period t1 to t2.
In the example shown in FIG. 4 and FIG. 6, no abnormality has occurred in the connection device 260 during the period t1 to t2. Therefore, the determination of “in an abnormal state” in the above-described periods t1 to t2 is an erroneous determination.
For example, even when the traffic volume to be judged fluctuates regularly or irregularly in a short time during the lunch break during the nighttime switching work in the network system, as in the example shown in FIG. 6B, There is a risk of making an erroneous determination by a general determination system.

FIG. 7 is a diagram showing another example of the erroneous determination. In the example shown in FIG. 7A, the switching work in the network system is not executed at 23:00.
On the other hand, in the example shown in FIG. 7B, the switching work within the network system is executed at time 23:00. Further, the “traffic amount to be determined” during the switching work is compared with the “conventional determination threshold” calculated based on the traffic amount of the past communication data when the switching work is not performed. Therefore, the "determination target traffic volume" becomes smaller than the "conventional determination threshold value" at 23:00. As a result, the general determination system determines that it is “in an abnormal state” at 23:00.
In the example shown in FIG. 7B, no abnormality has occurred in the network system itself at 23:00. Therefore, the above-mentioned determination of "abnormal state" at time 23:00 is an erroneous determination.
For example, even when the usage method of the user changes and the “traffic volume to be determined” changes in the short term, there is a possibility that an erroneous determination may be made by a general determination system, as in the example shown in FIG. 7B. ..

FIG. 8 is a diagram showing the determination by the determination system 100 of the first embodiment. In FIGS. 8A and 8B, the “learning model” is a learning model created based on the traffic volume of past communication data after the usage method of the user has changed. The “traffic amount reference value” is a traffic amount reference value calculated based on the traffic amount of past communication data before the usage method of the user changes. The “determination target traffic volume at time t01” is the determination target traffic volume measured after the usage method of the user has changed. The “abnormality determination threshold value at time t01” indicates an outlier of the “traffic amount reference value” for the “learning model at time t01”. The “abnormality determination target value at time t01” indicates an outlier of the “traffic determination target traffic amount at time t01” with respect to the “learning model at time t01”.
In the example illustrated in FIG. 8A, the “abnormality determination target value at time t01” is smaller than the “abnormality determination threshold value at time t01”, and thus the determination unit 30 of the determination system 100 determines “not in an abnormal state”.

As described above, in the general determination system shown in FIG. 6B, the “abnormal state” is present during the period t1 to t2 when the value of the “traffic volume to be determined” drops due to the change in the usage method of the user. Will be erroneously determined.
On the other hand, in the determination system 100 of the first embodiment, as shown in FIG. 8A, even at time t01 when the value of the “determination target traffic amount” drops with the change in the usage method of the user, the “abnormality” occurs. It is not in a state”. Therefore, it is possible to suppress the possibility that the traffic volume of communication data is erroneously determined to be in an abnormal state.

FIG. 8B illustrates an example in which the traffic volume to be determined at time t02 after the user's usage method has changed is as large as that before the user's usage method has changed.
If the network system is normal after the usage method of the user has changed, the value of the “traffic volume to be determined at time t02” needs to drop, as in the “learning model”. However, in the example shown in FIG. 8B, the value of the “traffic volume to be judged at time t02” after the user's usage method changes is a large value as before the user's usage method changes.
Specifically, the “abnormality determination target value at time t02” is larger than the “abnormality determination threshold value at time t02”. Therefore, the determination unit 30 of the determination system 100 determines that it is “in an abnormal state”.

FIG. 9: is a figure which shows the other example of the determination by the determination system 100 of 1st Embodiment. FIG. 9A shows an example before the switching work in the network system at 23:00. FIG. 9B shows an example after execution of the switching work in the network system at time 23:00.
The “learning model” in FIG. 9A is a learning model created based on the traffic volume of past communication data before execution of the switching work. The “learning model” in FIG. 9B is a learning model created based on the traffic volume of past communication data after execution of the switching work. The “traffic amount reference value” in FIGS. 9A and 9B is a traffic amount reference value calculated based on the traffic amount of past communication data before execution of the switching work.
The “traffic target traffic amount at 23:00” in FIG. 9A is the target traffic amount at time 23:00 before the execution of the switching work. “23:00 determination target traffic amount” in FIG. 9B is the determination target traffic amount at time 23:00 after the switching work is performed.
The “23:00 abnormality determination threshold” in FIG. 9A is the “traffic amount reference value” in FIGS. 9A and 9B with respect to the “23:00 learning model” in FIG. 9A. Indicates an outlier. The “23:00 abnormality determination threshold value” in FIG. 9B is the “traffic amount reference value” in FIGS. 9A and 9B with respect to the “23:00 learning model” in FIG. 9B. Indicates an outlier.
“Abnormality judgment target value at 23:00” in FIG. 9(A) is the same as “23:00 judgment target traffic amount” in FIG. 9(A) with respect to “23:00 learning model” in FIG. 9(A). Indicates an outlier. The “23:00 abnormality determination target value” in FIG. 9B corresponds to the “23:00 determination target traffic amount” in FIG. 9B with respect to the “23:00 learning model” in FIG. 9B. Indicates an outlier.

In the example illustrated in FIG. 9A, the “23:00 abnormality determination target value” in FIG. 9A is smaller than the “23:00 abnormality determination threshold” in FIG. The determination unit 30 determines that "it is not in an abnormal state". In the example illustrated in FIG. 9B, the “23:00 abnormality determination target value” in FIG. 9B is smaller than the “23:00 abnormality determination threshold” in FIG. The determination unit 30 determines that "it is not in an abnormal state".
As described above, in the general determination system shown in FIG. 7(B), at the time of 23:00 when the value of the “determination target traffic amount” drops due to the execution of the switching work, it is erroneously determined that “it is in an abnormal state”. It will be judged.
On the other hand, in the determination system 100 of the first embodiment, as shown in FIG. 9B, at the time 23:00 when the value of the “traffic volume to be determined at 23:00” drops as the switching work is performed. Is also determined to be “not in an abnormal state”. Therefore, it is possible to suppress the possibility that the traffic volume of communication data is erroneously determined to be in an abnormal state.

FIG. 10 is a diagram showing a calculation load for calculating a traffic amount reference value based on the traffic amount of past communication data and a calculation load for creating a learning model by machine learning the traffic amount of past communication data. is there.
In the example shown in FIG. 10 to which the determination system 100 of the first embodiment is applied, the traffic amount reference value calculation unit 20 is based on the statistical value of “traffic amount of past communication data” in FIG. , "Traffic amount reference value" of FIG. 10(A) is calculated. Specifically, the traffic volume reference value calculation unit 20 calculates the traffic volume statistics of past communication data over the “data extraction period tA to tB” of FIG. 10B, such as 1 month to 2 months. The "traffic amount reference value" of FIG. 10A is calculated based on the value.
The learning model creation unit 210 performs “learning model at time t001” and “learning model at time t002” in FIG. 10C by machine learning the “traffic amount of past communication data” in FIG. 10C. To create. Specifically, the learning model creation unit 210 uses the past for the “data extraction period tC to tD” in FIG. 10D, which is shorter than the “period tA to tB”, such as the latest two weeks to one month. A learning model is created by machine learning the traffic volume of the communication data.

In the example shown in FIG. 10 to which the determination system 100 of the first embodiment is applied, the calculation load (the number of calculations) of the traffic amount reference value calculation unit 20 calculates the “traffic amount reference value” of FIG. 10(A). This is a value obtained by dividing the “period tA to tB” of FIG. 10B by the sampling interval of the traffic volume of the past communication data for performing the communication. The calculation load (the number of calculations) of the learning model creation unit 210 is a value obtained by dividing the “period tC to tD” in FIG. 10D by the sampling interval of the traffic volume of the past communication data for creating the learning model. is there. The sampling interval of the traffic amount of the past communication data for calculating the “traffic amount reference value” in FIG. 10A is larger than the sampling interval of the traffic amount of the past communication data for creating the learning model. Set to the value. Therefore, the calculation load (the number of calculations) of the traffic amount reference value calculation unit 20 is smaller than the calculation load (the number of calculations) of the learning model creation unit 210. As a result, it is possible to reduce the calculation load of the traffic amount reference value calculation unit 20. That is, the calculation load of the determination system 100 can be reduced.
In addition, the traffic amount reference value calculation unit 20 uses the “traffic” of FIG. 10A in a time unit (eg, 8 hours) longer than a time unit (eg, 5 minutes) in which the learning model creation unit 210 creates a learning model. "Quantity reference value" is calculated. Specifically, since user traffic usually has a periodicity in units of one day, the traffic amount reference value calculation unit 20 may calculate the “traffic amount reference value” in units of long time, as described above. ..
When the time unit of the learning model is set to 5 minutes, the value of the learning model created by the learning model creating unit 210 becomes a constant value for 5 minutes. If, for example, N times of calculations are required to create a learning model having a constant value for 5 minutes, the number of calculations per unit time for creating the learning model is (N times/5 minutes).
On the other hand, when the time unit of the traffic amount reference value is set to 8 hours, the traffic amount reference value calculated by the traffic amount reference value calculation unit 20 becomes a constant value for 8 hours. If, for example, N times of calculations are required to calculate the traffic volume reference value that becomes a constant value for 8 hours, the number of calculations per unit time for calculating the traffic volume reference value is (N times/8 hours). )become.
That is, the number of calculations per predetermined time for calculating the traffic amount reference value is smaller than the number of calculations per predetermined time for creating the learning model. Therefore, the calculation load of the traffic amount reference value calculation unit 20 can be reduced. That is, the calculation load of the determination system 100 can be reduced.

FIG. 11 is a diagram showing an abnormality determination target value. In the example illustrated in FIG. 11A, the learning model creation unit 210 creates a “learning model” by machine-learning, for example, 14 to 30 pieces of data regarding the traffic volume of past communication data. The determination target traffic amount acquisition unit 13 acquires, for example, the “determination target traffic amount” measured at the port. The abnormality determination target value calculation unit 230 calculates an “abnormality determination target value” that is an outlier of the “determination target traffic amount” for the “learning model”.
In the example illustrated in FIG. 11B, the learning model creation unit 210 performs machine learning on the traffic amount data of, for example, 14 to 30 pieces of communication data at the past time 12:00, so that “12:00 Create a learning model". The learning model creation unit 210 similarly creates a “13:00 learning model”.
In the example illustrated in FIG. 11C, the abnormality determination target value calculation unit 230 uses the “12:00 learning model” and the “12:00 determination target traffic amount” acquired by the determination target traffic amount acquisition unit 13. The "12:00 abnormality determination target value" is calculated based on The abnormality determination target value calculation unit 230 similarly calculates the “13:00 abnormality determination target value”. The abnormality determination target value calculation unit 230 calculates the abnormality determination target value, but does not determine whether the abnormality determination target value is abnormal.

FIG. 12 is a diagram showing a method of determining whether or not the “12:00 abnormality determination target value” is abnormal. In the example shown in FIG. 12, the traffic volume reference value calculation unit 20 sets the “traffic volume reference value” in the time zone including the time 12:00, for example, based on the traffic volume data of less than 14 pieces of past communication data. calculate. The “traffic amount reference value at 12:00” is equal to the “traffic amount reference value” in the time period including the time 12:00.
The abnormality determination threshold value calculation unit 220 calculates the “12:00 abnormality determination threshold value” based on the “12:00 traffic amount reference value” and the “12:00 learning model”. The determination unit 30 compares the “12:00 abnormality determination target value” with the “12:00 abnormality determination threshold”.
In the example shown in FIG. 12, since the “12:00 abnormality determination target value” is equal to or less than the “12:00 abnormality determination threshold”, the determination unit 30 determines that there is no abnormal state at 12:00.

FIG. 13 is a diagram comparing the “12:00 abnormality determination threshold” and the “13:00 abnormality determination threshold”. In the example illustrated in FIG. 13B, the time 12:00 and the time 13:00 are included in the time zone in which the “traffic amount reference value” is a constant value. Therefore, the "12:00 traffic amount reference value" and the "13:00 traffic amount reference value" are equal.
In the example illustrated in FIG. 13A, the value (traffic amount) of the “13:00 learning model” is larger than the value of the “12:00 learning model”. Therefore, in the example shown in FIG. 13C, the “13:00 abnormality determination threshold” is larger than the “12:00 abnormality determination threshold”. As a result, in the example shown in FIG. 13, at time 13:00, it is more difficult to determine that the state is abnormal than at time 12:00.

FIG. 14 is a diagram showing an example of a method of calculating the traffic amount reference value. The horizontal axis of FIG. 14B shows the distribution. Similarly, the horizontal axis of FIG. 15B also shows the distribution.
In the example shown in FIG. 14, the traffic amount reference value is calculated so that the traffic amount reference value in the time zone shown in FIG. Specifically, in the example shown in FIG. 14, the traffic amount reference value calculation unit 20 displays the traffic amount reference value calculation unit 20 in FIG. 14(B) based on the “traffic amount of past communication data” in the time period shown in FIG. 14(A). Calculate the distribution shown. Further, the traffic amount reference value calculation unit 20 calculates the traffic amount of the A percentile (A is a predetermined value) of the distribution shown in FIG. The traffic amount reference value calculation unit 20 calculates the “traffic amount reference value” by multiplying the traffic amount by a coefficient B (B is a value smaller than 1).

FIG. 15 is a diagram showing another example of the method of calculating the traffic volume reference value. In the example shown in FIG. 15, the traffic amount reference value is calculated so that the traffic amount reference value in the time zones shown in FIGS. 15(A) and 15(C) becomes a constant value. Specifically, in the example shown in FIG. 15, the traffic volume of past communication data as shown in FIG. 15A is measured at a measurement point of the traffic volume to be determined such as a port. The traffic amount reference value calculation unit 20 calculates the distribution shown in FIG. 15B based on the “traffic amount of communication data in the past (the number of transmitted packets)” in the time period shown in FIG. The traffic amount reference value calculation unit 20 sets the point at which the appearance rate becomes low (for example, 99.5% or less) as the first provisional value α. Specifically, the traffic amount reference value calculation unit 20 performs the following calculations (1) to (6).
(1) The traffic amount reference value calculation unit 20 calculates the standard deviation σ of the number of transmitted packets.
(2) The traffic amount reference value calculation unit 20 calculates the histogram shown in FIG. 15B with 0.001σ as one class, for example.
(3) The traffic volume reference value calculation unit 20 calculates the appearance probability for each class.
(4) The traffic volume reference value calculation unit 20 adds the appearance probabilities in order from the one with the largest number of transmitted packets, and calculates the maximum value (first provisional value) α of the class exceeding 99.5%, for example.
(5) In order to remove the abnormal value from the graph, the traffic amount reference value calculation unit 20 excludes the transmission packets that are less than 0.4α, and executes the calculations (1) to (4) again.
(6) The traffic amount reference value calculation unit 20 sets the recalculated value to the second provisional value β shown in FIG. 15C, and the second provisional value β is x% (x% is a value smaller than 1 ), the "traffic amount reference value" shown in FIG. 15C is calculated.

FIG. 16 is a diagram showing the relationship between the abnormality determination target value and the abnormality determination threshold value. The vertical axis of FIG. 16 indicates the abnormality determination target value and the abnormality determination threshold value. In the example shown in FIG. 16, the determination unit 30 determines whether or not the abnormality determination target value is larger than the abnormality determination threshold value at predetermined time intervals.
In the example illustrated in FIG. 16, at time t1, the determination unit 30 first determines that the abnormality determination target value is larger than the abnormality determination threshold value. An abnormality notification unit (not shown) of the network system 200 to which the determination system 100 of the first embodiment is applied executes a warning.
At time t3 when the determination after Xa times (for example, twice) is performed by the determination unit 30, the determination unit 30 outputs an alert to the log. Similarly, the determination unit 30 outputs an alert to the log every Xb times (for example, 6 times) of determinations, that is, at times t9 and t15.
At time t21, when the determination unit 30 continuously determines that the abnormality determination target value is equal to or less than the abnormality determination threshold value for Xc times (for example, 5 times), the abnormality notification unit determines that the network system 200 is restored.

FIG. 17 is a diagram showing another example of the network system 200 to which the determination system 100 of the first embodiment can be applied. In the example illustrated in FIG. 17, the network system 200 includes connection devices 260-1 and 260-2. The connection device 260-1 connects the VLANs 250-1, 250-2 and 250-3, and the connection device 260-2 connects the VLANs 250-4, 250-5 and 250-6. The connection device 260-1 has ports 270-1, 270-2, 270-3, 270-4, and the connection device 260-2 has ports 270-5, 270-6, 270-7, 270-8. ..
In the example illustrated in FIG. 17, the determination unit 30 determines that the traffic volume to be determined for port 270-1 is in an abnormal state and the traffic volume to be determined for ports 270-2, 270-3, 270-4 is not in an abnormal state. judge. The network analysis unit 40 analyzes that the abnormal state of the traffic volume to be determined for the port 270-1 is caused by the user U1. In addition, the network analysis unit 40 analyzes that the connection device 260-1 is in a normal state.
Further, in the example illustrated in FIG. 17, the determination unit 30 determines that the determination target traffic amount of the ports 270-5, 270-6, 270-7, 270-8 is in an abnormal state. The network analysis unit 40 analyzes that the connection device 260-2 is in an abnormal state.
Specifically, when a silent failure occurs in the connection devices 260-1 and 260-2, the ports 270-1 to 270-4 in the connection device 260-1 and the port 270- in the connection device 260-2. The determination unit 30 determines whether each of 5 to 270-8 is in an abnormal state. Thereby, the network analysis unit 40 can analyze which port 270-1 to 270-8 is in an abnormal state. Further, the alarm analysis unit 50 can analyze whether it is determined to be in an abnormal state due to a silent failure, or whether it is determined to be in an abnormal state due to a normal failure. ..

That is, in the example illustrated in FIG. 17, the traffic volume to be determined is the traffic volume to be determined in the network system 200 including the plurality of VLANs 250-1 to 250-6 and the connection devices 260-1 and 260-2 that connect them. It is the traffic volume of communication data. Further, the network analysis unit 40 analyzes whether the cause of the abnormal state is in each of the VLANs 250-1 to 250-6 or in the connection devices 260-1 and 260-2.
Further, in the example illustrated in FIG. 17, the traffic volume to be determined is the traffic volume of the communication data to be determined in each of the plurality of ports 270-1 to 270-8 included in the network system 200. The determination unit 30 also determines whether or not the determination target traffic volume in each of the plurality of ports 270-1 to 270-8 is in an abnormal state.

FIG. 18 is a flowchart showing the flow of the overall processing by the determination system 100.
(Step S101) The learning model acquisition unit 10 acquires a learning model created by machine learning the traffic volume of past communication data.
(Step S102) The traffic volume reference value acquisition unit 11 acquires a traffic volume reference value that is a reference value of the traffic volume of communication data set based on the traffic volume of past communication data.
(Step S103) The abnormality determination threshold acquisition unit 12 acquires an abnormality determination threshold that is an outlier of the traffic amount reference value for the learning model.
(Step S104) The determination target traffic amount acquisition unit 13 acquires the determination target traffic amount, which is the traffic amount of the determination target communication data.
(Step S105) The abnormality determination target value acquisition unit 14 acquires an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model.
(Steps S106, S107, S108) The determination unit 30 determines whether or not the state is abnormal based on the abnormality determination threshold value and the abnormality determination target value.
Specifically, the determination unit 30 determines whether the abnormality determination target value is larger than the abnormality determination threshold value (step S106). When the abnormality determination target value is larger than the abnormality determination threshold value, the determination unit 30 determines that it is in an abnormal state (step S107). When the abnormality determination target value is less than or equal to the abnormality determination threshold value, the determination unit 30 determines that it is not in an abnormal state (step S108).

[Summary of First Embodiment]
As described above, the determination system 100 sets the learning model acquisition unit 10 that acquires a learning model created by machine learning the traffic volume of past communication data and the traffic volume of past communication data. Traffic amount reference value acquisition unit 11 that acquires a traffic amount reference value that is a traffic amount reference value of the communication data that has been transmitted, and an abnormality determination threshold value that acquires an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model Abnormality for acquiring the abnormality determination target value that is an outlier of the determination target traffic amount with respect to the learning model, and the determination target traffic amount acquisition unit 13 that acquires the determination target traffic amount that is the traffic amount of the determination target communication data The determination target value acquisition unit 14 and the determination unit 30 that determines whether or not the state is abnormal based on the abnormality determination threshold value and the abnormality determination target value.
Further, in the determination system 100, the determination unit 30 determines that the abnormality determination target value is in an abnormal state when the abnormality determination target value is larger than the abnormality determination threshold value.
Further, the determination system 100 further includes a traffic amount reference value calculation unit 20 that calculates a traffic amount reference value based on a statistical value of the traffic amount of past communication data, and the traffic amount reference value acquisition unit 11 uses the traffic amount reference value. The traffic volume reference value calculated by the value calculation unit 20 is acquired.
As a result, the determination system 100 can suppress the possibility of being erroneously determined to be in an abnormal state.

In the determination system 100, the traffic amount reference value calculation unit 20 calculates the traffic amount reference value based on the statistical value of the traffic amount of the past communication data over the first period tA to tB, and the learning model is It is created by machine-learning the traffic volume of past communication data over the second period tC to tD shorter than the period tA to tB of 1, and is used to calculate the traffic volume of past communication data for calculating the traffic volume reference value. The first calculation load, which is a value obtained by dividing the first period tA to tB by the sampling interval, determines the second period tC to tD by the sampling interval of the traffic volume of the past communication data for creating the learning model. It is smaller than the second calculation load that is the divided value.
Further, in the determination system 100, the traffic amount reference value calculation unit 20 calculates the traffic amount reference value in a time unit longer than the time unit in which the learning model is created, and the traffic amount reference value per predetermined time for calculating the traffic amount reference value. Is less than the number of calculations per predetermined time for creating the learning model.
Thereby, the determination system 100 can reduce the calculation load of the traffic amount reference value calculation unit 20 as compared with the case where the first calculation load is larger than the second calculation load.

In the determination system 100, the determination target traffic volume is the traffic volume of the communication data to be determined in the network system including the plurality of VLANs and the connection device that connects the plurality of VLANs. It further includes a network analysis unit 40 that analyzes whether the cause of the state is in each VLAN or in the connected device.
Accordingly, the determination system 100 can accurately analyze whether the cause of the abnormal state is in each VLAN or in the connected device.

Further, in the determination system 100, the determination target traffic amount is the traffic amount of the determination target communication data in each of the plurality of ports included in the network system, and the determination unit 30 determines the determination target traffic amount in each of the plurality of ports. Is abnormal.
Accordingly, the determination system 100 can accurately determine whether or not the determination target traffic volume of the port in the network system is in the abnormal state.

Further, in the determination system 100, the determination target traffic volume acquisition unit acquires the determination target traffic volume from the aggregation switch included in the network system, and the learning model uses the traffic volume of the past communication data acquired from the aggregation switch as a machine. Created by learning.
Accordingly, the determination system 100 can accurately determine whether the determination target traffic volume acquired from the aggregation switch in the network system is in an abnormal state.
The above is the description of the first embodiment.

[Second Embodiment]
FIG. 19 is a diagram illustrating an example of a network system 200 to which the determination system 100 according to the second embodiment is applied. The determination system 100 of the second embodiment can achieve the same effects as the determination system 100 of the first embodiment described above, except for the points described below.
In the example shown in FIG. 1 to which the determination system 100 of the first embodiment is applied, the traffic amount reference value calculation unit 20 is provided inside the determination system 100. On the other hand, in the example shown in FIG. 19 to which the determination system 100 of the second embodiment is applied, the traffic amount reference value calculation unit 240 having the same function as the traffic amount reference value calculation unit 20 shown in FIG. It is provided outside 100.
The determination system 100 of the second embodiment can reduce the calculation load of the determination system 100 as compared with the determination system 100 of the first embodiment.

[Modification]
Although the embodiments of the present invention have been described in detail above with reference to the drawings, the specific configuration is not limited to the above-described embodiments, and includes a design and the like within a range not departing from the gist of the present invention. For example, the configurations described in the above-described first and second embodiments can be arbitrarily combined. Further, for example, each configuration described in the above-described first and second embodiments can be omitted if it is unnecessary to exert a specific function. In addition, for example, the configurations described in the above-described first and second embodiments can be arbitrarily separated and provided in a separate device.

In order to realize the functions of the learning model acquisition unit 10, the traffic amount reference value acquisition unit 11, the abnormality determination threshold value acquisition unit 12, the determination target traffic amount acquisition unit 13, the abnormality determination target value acquisition unit 14, and the determination unit 30 described above. This program is recorded in a computer-readable recording medium, and the program recorded in this recording medium is read into a computer system and executed to execute the learning model acquisition unit 10, the traffic amount reference value acquisition unit 11, the abnormality determination threshold value. The processes of the acquisition unit 12, the determination target traffic amount acquisition unit 13, the abnormality determination target value acquisition unit 14, and the determination unit 30 may be performed. Here, “reading and executing a program recorded on a recording medium in a computer system” includes installing the program in the computer system. The "computer system" here includes an OS and hardware such as peripheral devices. Further, the “computer system” may include a plurality of computer devices connected via the Internet, a WAN, a LAN, a network including a communication line such as a dedicated line. Further, the "computer-readable recording medium" refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in a computer system. As described above, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM. The recording medium also includes a recording medium provided inside or outside accessible from the distribution server to distribute the program. The code of the program stored in the recording medium of the distribution server may be different from the code of the program in a format executable by the terminal device. That is, the format stored in the distribution server does not matter as long as it is downloaded from the distribution server and can be installed in a form executable by the terminal device. Note that the program may be divided into a plurality of programs and downloaded at different timings, and then combined by the terminal device, or the distribution server that distributes each of the divided programs may be different. Further, the "computer-readable recording medium" holds a program for a certain period of time, such as a volatile memory (RAM) inside a computer system that serves as a server or a client when the program is transmitted via a network. It also includes things. Further, the program may be for realizing a part of the functions described above. Further, it may be a so-called difference file (difference program) that can realize the functions described above in combination with a program already recorded in the computer system.

10... Learning model acquisition unit, 11... Traffic amount reference value acquisition unit, 12... Abnormality determination threshold value acquisition unit, 13... Judgment target traffic amount acquisition unit, 14... Abnormality determination target value acquisition unit, 20... Traffic amount reference value calculation unit , 30... Judgment unit, 40... Network analysis unit, 50... Alarm analysis unit, 100... Judgment system, 200... Network system, 200-1, 200-2, 200-3... Network, 210... Learning model creation unit, 220 ...Abnormality determination threshold value calculation unit, 230... Abnormality determination target value calculation unit, 240... Traffic amount reference value calculation unit, 250-1, 250-2, 250-3, 250-4, 250-5, 250-6... VLAN , 260, 260-1, 260-2, 260-3... Connection device, 270-1, 270-2, 270-3, 270-4, 270-5, 270-6, 270-7, 270-8... Port, 280... Aggregation switch, 280a... Mirror port, 290... Traffic collection server

Claims (10)

A learning model acquisition unit that acquires a learning model created by machine learning the traffic volume of past communication data,
A traffic amount reference value acquisition unit that acquires a traffic amount reference value that is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data,
An abnormality determination threshold value acquisition unit that acquires an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model,
A determination target traffic amount acquisition unit that acquires a determination target traffic amount that is the traffic amount of the determination target communication data,
An abnormality determination target value acquisition unit that acquires an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model,
A determination unit that determines whether or not an abnormality state is based on the abnormality determination threshold value and the abnormality determination target value,
A traffic amount reference value calculation unit that calculates the traffic amount reference value based on a statistical value of the traffic amount of the past communication data,
Equipped with
The traffic amount reference value acquisition unit acquires the traffic amount reference value calculated by the traffic amount reference value calculation unit,
Judgment system. The traffic amount reference value calculation unit calculates the traffic amount reference value based on a statistical value of the traffic amount of the past communication data over a first period,
The learning model is created by machine learning the traffic volume of the past communication data over a second period that is shorter than the first period,
The first calculation load, which is a value obtained by dividing the first period by the sampling interval of the traffic volume of the past communication data for calculating the traffic volume reference value,
Smaller than a second calculation load which is a value obtained by dividing the second period by a sampling interval of the traffic volume of the past communication data for creating the learning model,
The determination system according to claim 1. The traffic amount reference value calculation unit calculates the traffic amount reference value in a time unit longer than a time unit in which the learning model is created,
The number of calculations per predetermined time for calculating the traffic amount reference value is less than the number of calculations per predetermined time for creating the learning model,
The determination system according to claim 1 or 2. A learning model acquisition unit that acquires a learning model created by machine learning the traffic volume of past communication data,
A traffic amount reference value acquisition unit that acquires a traffic amount reference value that is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data,
An abnormality determination threshold value acquisition unit that acquires an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model,
A determination target traffic amount acquisition unit that acquires a determination target traffic amount that is the traffic amount of the determination target communication data,
An abnormality determination target value acquisition unit that acquires an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model,
A determination unit that determines whether or not an abnormality state is based on the abnormality determination threshold value and the abnormality determination target value,
Equipped with
The determination target traffic amount is a traffic amount of the determination target communication data in a network system including a plurality of VLANs (Virtual Local Area Networks) and a connection device that connects the plurality of VLANs,
The network analysis unit further analyzes whether the cause of the abnormal state is in each VLAN or in the connection device.
Determine constant system. The determination target traffic amount is the traffic amount of the determination target communication data in each of a plurality of ports included in the network system,
The determination unit determines whether or not the determination target traffic amount in each of the plurality of ports is in the abnormal state,
The determination system according to claim 4. The determination target traffic volume acquisition unit acquires the determination target traffic volume from an aggregation switch included in the network system,
The learning model is created by machine learning the traffic volume of the past communication data acquired from the aggregation switch,
The determination system according to claim 4 or claim 5. The judgment system
A first step of acquiring a learning model created by machine learning the traffic volume of past communication data;
A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data;
A third step of acquiring an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model;
A fourth step of acquiring the traffic volume to be judged, which is the traffic volume of the communication data to be judged,
A fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model;
A sixth step of determining whether or not there is an abnormal state based on the abnormality determination threshold value and the abnormality determination target value,
A seventh step of calculating the traffic amount reference value based on a statistical value of the traffic amount of the past communication data;
Only including,
In the fifth step, the traffic volume reference value calculated in the seventh step is acquired.
Judgment method. The judgment system
A first step of acquiring a learning model created by machine learning the traffic volume of past communication data;
A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data;
A third step of acquiring an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model;
A fourth step of acquiring the traffic volume to be judged, which is the traffic volume of the communication data to be judged,
A fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model;
A sixth step of determining whether or not there is an abnormal state based on the abnormality determination threshold value and the abnormality determination target value,
Only including,
The determination target traffic amount is a traffic amount of the determination target communication data in a network system including a plurality of VLANs (Virtual Local Area Networks) and a connection device that connects the plurality of VLANs,
The method further includes a seventh step of analyzing whether the cause of the abnormal state is in each VLAN or in the connected device.
Judgment method. On the computer,
A first step of acquiring a learning model created by machine learning the traffic volume of past communication data;
A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data;
A third step of acquiring an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model;
A fourth step of acquiring the traffic volume to be judged, which is the traffic volume of the communication data to be judged,
A fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model;
A sixth step of determining whether or not there is an abnormal state based on the abnormality determination threshold value and the abnormality determination target value,
A seventh step of calculating the traffic amount reference value based on a statistical value of the traffic amount of the past communication data;
Was executed,
In the fifth step, a program for acquiring the traffic volume reference value calculated in the seventh step . On the computer,
A first step of acquiring a learning model created by machine learning the traffic volume of past communication data;
A second step of obtaining a traffic amount reference value which is a reference value of the traffic amount of the communication data set based on the traffic amount of the past communication data;
A third step of acquiring an abnormality determination threshold value that is an outlier of the traffic amount reference value for the learning model;
A fourth step of acquiring the traffic volume to be judged, which is the traffic volume of the communication data to be judged,
A fifth step of acquiring an abnormality determination target value that is an outlier of the determination target traffic amount for the learning model;
A sixth step of determining whether or not there is an abnormal state based on the abnormality determination threshold value and the abnormality determination target value,
Run
The determination target traffic amount is a traffic amount of the determination target communication data in a network system including a plurality of VLANs (Virtual Local Area Networks) and a connection device that connects the plurality of VLANs,
The cause of the abnormal state, or found within each VLAN, or because the program further execute a seventh step of analyzing whether there in the connecting device.

Images