JP6725452B2 - Classification device, classification method, and classification program - Google Patents

Description

The present invention relates to a classification device, a classification method, and a classification program.

In recent years, as the quality of data has increased, the number of data has increased, the number of computational resources has increased, or the progress of machine learning algorithms, cases of solving classification problems using deep learning have increased. It is known that deep learning shows high classification performance by performing learning while automatically extracting the characteristics of data based on label information given as teacher data.

For example, the type of security incident that has occurred can be automatically classified by using deep learning based on communication data and the like. In that case, teacher data in which a label indicating the type of incident is attached to communication data or the like is required. The teacher data used for deep learning needs to be labeled with the same granularity classified in the same hierarchy. For example, “DoS attack” and “DoS attack by XXX malware” are labels with different granularity, and cannot be used as they are for deep learning.

Here, the teacher data is prepared by manually assigning a label or acquiring information on a label assigned by a security vendor from a virus check service site such as VirusTotal. The granularity of the label applied by hand may differ depending on the person who performed the label application. When a label given by a security vendor or a SHA-1 hash value is used as a label, the label may have a hierarchical structure with different granularity.

Richard P. Lippmann, "Pattern Classification Using Neural Networks", [online], November 1989, IEEE Communications Magazine, pp.47-64, [May 11, 2017 search], Internet <URL:http:// ieeexplore.ieee.org/abstract/document/41401/> Tom Auld, Andrew W. Moore, Stephen F. Gull, "Bayesian Neural Networks for Internet Traffic Classification", [online], January 2007, IEEE TRANSACTIONS ON NEWRAL NETWORKS, VOL.18, pp.223-239, [2017] May 11, 2012], Internet <URL: http://ieeexplore.ieee.org/abstract/document/4049810/>

However, with the conventional technology, it is difficult to classify the types of security incidents using the teacher data to which labels having a hierarchical structure are added. For example, when classifying security incident types using deep learning, it is difficult to collect a large amount of incident data and give appropriate labels with uniform granularity to each data. On the other hand, when using the teacher data of the coarse-grain label, the teacher data to which the detailed label of the fine grain is given cannot be used for learning. Further, even when a new security incident is discovered, it cannot be added as teacher data unless a label with an appropriate granularity is given.

The present invention has been made in view of the above, and an object of the present invention is to classify the types of security incidents using teacher data to which labels having a hierarchical structure are added.

In order to solve the above-mentioned problems and achieve the object, the classification device according to the present invention includes a coarse classification unit that outputs a label of a first granularity indicating a classification hierarchy to be assigned to data, and a granularity to be assigned to data Outputs a label of a second granularity smaller than the label of the first granularity, and outputs a label of the second granularity from the label of the first granularity, and a sub-classification unit of the first granularity. The acquisition unit for acquiring the teacher data with a label or the teacher data with the label of the second granularity, and the label of the acquired teacher data with the label of the second granularity, And a conversion unit that converts the label to a granularity of 1. The coarse classification unit includes the acquired teacher data to which the acquired label of the first granularity is added and the converted label of the first granularity. The assignment of the label of the first granularity is learned by using the assigned teacher data, and the fine classification unit acquires the acquired teacher data of the label of the second granularity and the coarse classification. The assignment of the label of the second granularity is learned by using the label of the first granularity output by the unit.

According to the present invention, it is possible to classify the types of security incidents using teacher data to which labels having a hierarchical structure are added.

FIG. 1 is a schematic diagram illustrating a schematic configuration of a classification device according to an embodiment of the present invention. FIG. 2 is a diagram illustrating a data structure of label information. FIG. 3 is an explanatory diagram for explaining the processing outline of the classification device. FIG. 4 is an explanatory diagram for explaining label conversion. FIG. 5 is an explanatory diagram for explaining the configuration of the classification device according to another embodiment. FIG. 6 is a flowchart showing the classification processing procedure. FIG. 7 is a diagram illustrating a computer that executes a classification program.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment. In the description of the drawings, the same parts are designated by the same reference numerals.

[Classification device configuration]
FIG. 1 is a schematic diagram illustrating a schematic configuration of a classification device. As illustrated in FIG. 1, the classification device 10 is realized by a general-purpose computer such as a personal computer and includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.

The input unit 11 is realized by using an input device such as a keyboard and a mouse, and inputs various instruction information such as processing start to the control unit 15 in response to an input operation by an operator. The output unit 12 is realized by a display device such as a liquid crystal display and a printing device such as a printer.

The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device such as an IoT device 2 via a telecommunication line such as a LAN (Local Area Network) or the Internet. To do.

The storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disk, and is a model in a normal state specified by a classification process described later. Parameters and the like are stored. The storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13.

In the present embodiment, the storage unit 14 stores the label information 14a. The label information 14a is information indicating the label given to the data classified by the classification device 10 and the granularity indicating the classification hierarchy of each label. The label information 14a is constructed by referring to STIX (Structured Threat Information eXpression) which is a technical specification for describing, for example, an index characterizing a cyber attack effective for detection in cyber attack countermeasures promoted by the US government. To be done.

FIG. 2 is a diagram illustrating a data structure of the label information 14a. FIG. 2 exemplifies a hierarchical label when classifying network logs of communication performed by malware. In the example shown in FIG. 2, DoS, ransomware, and trojans are Tier 1 coarse-grained labels. Further, for example, DoS malware 1 and DoS malware 2 are labels of layer 2 having a finer granularity than DoS of layer 1.

Returning to the description of FIG. The control unit 15 is realized by using a CPU (Central Processing Unit) or the like, and executes a processing program stored in the memory. As a result, the control unit 15 functions as a rough classification unit 15a, a fine classification unit 15b, an acquisition unit 15c, and a conversion unit 15d, as illustrated in FIG. Note that these functional units may be implemented in hardware that is different from each other or in part.

The rough classification unit 15a outputs a label of the first granularity that represents a classification hierarchy to be added to the data. Further, the fine classification unit 15b outputs the label of the second granularity in which the granularity given to the data is finer than the label of the first granularity, and outputs the label of the second fine granularity from the label of the first granularity. .. The label of the first granularity is, for example, the label of layer 1 illustrated in FIG. 2, and the label of the second granularity is the label of layer 2. Hereinafter, the label of the first grain size is also referred to as a coarse grain label, and the label of the second grain size is also referred to as a fine grain label or a detailed label.

Here, the coarse classification unit 15a and the fine classification unit 15b will be described with reference to FIG. FIG. 3 is an explanatory diagram for explaining a processing outline of the classification device 10. As illustrated in FIG. 3, the classification device 10 according to the present exemplary embodiment includes a coarse classification unit 15a that outputs a coarse-grained label and a fine classification unit that outputs a fine-grained label among the two-layer hierarchical labels. And 15b are combined.

The rough classifying unit 15a is configured similarly to a conventional classifying device that handles labels of a single layer, and when data x is input, "DoS" or the like that is added to the data x via a hidden layer (hidden). The label y having a coarse grain size is output. The subclassification unit 15b outputs a detailed granular label z such as "DoS malware 1" to be added to the input data x via hidden. Further, the fine classification unit 15b outputs the fine-grained detailed label z from the inputted coarse-grained label y via the hidden.

The coarse classification unit 15a and the fine classification unit 15b perform deep learning using, as teacher data, data to which hierarchical labels with different granularities are added, as described later. As a result, the classification device 10 can output the detailed label z given to the input data x with high accuracy. In this way, by expanding the error function optimized by deep learning, it becomes possible to improve the classification performance of the classification device 10.

The method of deep learning of the rough classification unit 15a and the fine classification unit 15b is not limited, and for example, advanced semi-supervised learning using a variational auto encoder or the like may be applied.

Returning to the description of FIG. The acquisition unit 15c acquires the teacher data with the label of the first granularity or the teacher data with the label of the second granularity. For example, the acquisition unit 15c acquires, via the input unit 11 or the communication control unit 13, data to which a hierarchical label is attached as teacher data.

The conversion unit 15d converts the acquired label of the teacher data to which the label of the second granularity is given to the label of the first granularity. Specifically, the conversion unit 15d converts the hierarchical label into a vector format having the number of layers of elements.

FIG. 4 is an explanatory diagram for explaining label conversion. As illustrated in FIG. 4, the conversion unit 15d refers to the label information 14a, and converts, for example, a two-layer hierarchical label that is manually assigned and does not have uniform granularity into a vector having two elements. For example, the conversion unit 15d converts “DoS malware 1” into (DoS, DoS malware 1).

When only the coarse label is given and the detailed label is unknown, the conversion unit 15d sets the value of the unknown detailed label to * or null, such as (DoS,*) or (DoS,null). And In the example shown in FIG. 4, for example, a "Trojan horse", which is a coarse-grained label of Layer 1, is converted into a vector of (Trojan horse, *). Accordingly, when the label of the teacher data acquired by the acquisition unit 15c is the detailed label of the layer 2, the conversion unit 15d refers to the label information 14a and converts the label to the coarse label of the layer 1.

In addition, when classifying the network log of the communication performed by the malware using the malware sample ID represented by the SHA-1 hash value or the like as a label, the conversion unit 15d optimizes based on the malware sample ID. Convert to a hierarchical label of a different hierarchy. At that time, the conversion unit 15d sets the value of the layer more detailed than necessary or the value of the layer with low reliability to * or null.

Then, the rough classification unit 15a uses the acquired teacher data with the label of the first granularity and the acquired teacher data with the label of the converted first granularity Learn how to label. In addition, the fine classification unit 15b uses the acquired teacher data to which the detailed label of the second granularity has been added and the label of the first granularity output from the coarse classification unit 15a to obtain the details of the second granularity. Learn how to label.

In other words, when the teacher data to which the coarse-grained label is attached is input, the coarse classification unit 15a learns to attach the coarse-grained label. In addition, when the teacher data to which the detailed label with the fine granularity is added is input, the conversion unit 15d converts the detailed label into the label with the coarse granularity, so that the coarse classification unit 15a learns to give the coarse label. To do. Further, the fine classification unit 15b learns to give a detailed label by using the teacher data to which the detailed label having a fine granularity is given and the coarse label outputted from the coarse classification unit 15a. In this way, the classification device 10 can learn to assign a detailed label by using all the teacher data of the teacher data to which the coarse-grained label is attached and the teacher data to which the fine-grained detailed label is attached. Becomes

The class of labels handled by the classification device 10 may be three or more. Here, the configuration of the classification device in that case will be described with reference to FIG. In that case, the classification device 10 further includes a coarse classification unit 15α that outputs a label having a coarser granularity than the first granularity, which is given to the data, and the coarse classification unit 15α is connected to the coarse classification unit 15a.

FIG. 5 exemplifies a case where the classification device 10 handles labels of three layers. As shown in FIG. 5, a coarse classification unit 15a that outputs coarse-grained labels of layer 1 is connected to a coarse classification unit 15α that is configured similarly to the coarse classification unit 15a and that outputs coarser-grained labels than in layer 1. ing. As a result, the classification device 10 can handle the three-level labels of the detailed label, the coarse label, and the coarser label.

When the classifying device 10 handles labels of four layers, a new coarse classifying unit that is configured similarly to the coarse classifying unit 15a and the coarse classifying unit 15α and outputs the label with the coarsest grain size is connected to the coarse classifying unit 15α. It In this way, when the number of label hierarchies handled by the classifying device 10 increases, a new rough classifying unit that is configured similarly to the coarse classifying unit 15a and outputs the coarsest granularity label is connected to the classifying device 10. This can be realized. As a result, the classification device 10 can learn to give detailed labels with the finest granularity using various teacher data.

[Classification process]
Next, with reference to FIG. 6, a classification process by the classification device 10 according to the present embodiment will be described. FIG. 6 is a flowchart showing the classification processing procedure. The flowchart of FIG. 6 is started, for example, at the timing when there is an operation input instructing the start of the classification process.

First, the acquisition unit 15c acquires, via the input unit 11 or the communication control unit 13, teacher data to which a coarse-grain label is attached or teacher data to which a fine-grain label is attached (step S1).

Next, the conversion unit 15d converts the hierarchical label attached to the teacher data to a vector format having the number of layers of elements, so that a detailed label is attached to the acquired teacher data. Converts the detailed label into a coarse-grained label (step S2).

When the acquisition unit 15c acquires the teacher data to which the coarse-grained label is attached (step S3, Yes), the coarse classification unit 15a learns to attach the coarse label (step S4). Further, when the acquisition unit 15c acquires the teacher data to which the detailed label has been added (step S3, No), the rough classification unit 15a learns the rough label addition and the fine classification unit 15b adds the detailed label. Learn (step S5). This completes the series of classification processes.

As described above, in the classification device 10 of the present embodiment, the coarse classification unit 15a outputs the first coarse-grained label indicating the classification hierarchy to be given to the data. Further, the fine classification unit 15b outputs the detailed label of the second granularity finer than the first granularity given to the data, and also outputs the detailed label of the second granularity from the first coarse granularity label. In addition, the acquisition unit 15c acquires the teacher data to which the first coarse-grained label is attached or the teacher data to which the second fine-grained label is attached.

In addition, the conversion unit 15d converts the acquired label of the teacher data to which the detailed label of the second granularity is added to the label of the first coarse particle. The coarse classification unit 15a uses the acquired teacher data to which the first coarse-grained label has been added and the converted teacher data to which the first coarse-grained label has been added to obtain the first coarseness of the first coarseness. Learn to apply coarse labels. Further, the fine classification unit 15b uses the acquired teacher data to which the detailed label of the second granularity is added and the first coarse label of the first granularity output by the coarse classification unit 15a. Learn to give detailed labels.

In this case, since the rough classification unit 15a learns using a large amount of teacher data, the accuracy is improved. Further, since the fine classification unit 15b uses the coarse-grained label in addition to the data to be classified, the precision is improved. Further, the teacher data to which the coarse-grained label is attached is used for learning the addition of the detailed label without being wasted.

In this way, the classification device 10 can learn to assign detailed labels by using all the teacher data to which hierarchical labels with different granularity are assigned. As a result, it is possible to learn a wider range of information of labels as teacher data regardless of the granularity of labels, so that the classification performance is improved.

Further, it becomes possible to narrow down the cause of the security incident and learn by using the teacher data to which the abstract label is given within the range found at that time. Even if different labels are assigned to the same malware for each security vendor, it is possible to learn using teacher data with different labels. In this way, the classification processing of the classification device 10 according to the present embodiment can classify the types of security incidents using the teacher data to which the label having the hierarchical structure is added.

Furthermore, a coarse classification unit 15α for outputting a coarser-grained label to be added to the data may be provided, and the coarse classification unit 15α may be connected to the coarse classification unit 15a. This allows the classification device 10 to handle labels in three layers. As described above, the classification device 10 can learn to assign a detailed label with the finest granularity by using teacher data to which various labels having a multi-layered structure are assigned.

[Example]

Next, with respect to the classification device 10 of the present embodiment and a conventional classification device that handles labels of a single layer, an experiment was conducted under the following conditions to measure the classification accuracy. Here, the conventional classification device outputs a fine-grained detailed label to be added to the data input via hidden. The input data is image data of handwritten numbers, and the detailed labels are labels of 10 types of numbers 1, 2,... Further, the coarse-grained labels handled by the classification device 10 of the present embodiment are two types of even-numbered or odd-numbered labels.

To each of the classification device 10 of the present embodiment and the conventional classification device, 300 pieces of teacher data with detailed labels are input, and 9700 pieces of teacher data with coarse labels are input to the classification device 10 of the present embodiment. Then, we learned how to give detailed labels. Then, 10,000 unlearned unknown data were input to each of the classification device 10 of the present embodiment and the conventional classification device. As a result, the classification accuracy of the conventional classification device was 82%. On the other hand, the classification accuracy of the classification device 10 of the present embodiment was 87%, and it was confirmed that the classification accuracy was improved by about 5%.

[program]
It is also possible to create a program in which the processing executed by the classification device 10 according to the above embodiment is described in a computer-executable language. As one embodiment, the classification device 10 can be implemented by installing a classification program that executes the above classification processing as package software or online software in a desired computer. For example, by causing the information processing device to execute the above classification program, the information processing device can be caused to function as the classification device 10. The information processing apparatus referred to here includes a desktop or notebook personal computer. Further, in addition to the above, the information processing apparatus includes a mobile communication terminal such as a smartphone, a mobile phone or a PHS (Personal Handyphone System), and a slate terminal such as a PDA (Personal Digital Assistants) in its category.

The classification device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with the service related to the classification process. For example, the classification device 10 is implemented as a server device that provides a classification processing service that inputs teacher data and unknown data and outputs a label to be added to unknown data. In this case, the classification device 10 may be implemented as a Web server, or may be implemented as a cloud that provides the services related to the above classification processing by outsourcing. An example of a computer that executes a classification program that realizes the same function as the classification device 10 will be described below.

FIG. 7 is a diagram illustrating an example of a computer that executes a classification program. The computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. A mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050, for example. A display 1061 is connected to the video adapter 1060, for example.

Here, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in, for example, the hard disk drive 1031 or the memory 1010.

The classification program is stored in the hard disk drive 1031 as a program module 1093 in which a command executed by the computer 1000 is described. Specifically, the program module 1093 in which each process executed by the classification device 10 described in the above embodiment is described is stored in the hard disk drive 1031.

Data used for information processing by the classification program is stored as program data 1094 in, for example, the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 into the RAM 1012 as necessary, and executes the above-described procedures.

The program module 1093 and the program data 1094 related to the classification program are not limited to being stored in the hard disk drive 1031 and may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. May be done. Alternatively, the program module 1093 and the program data 1094 related to the classification program are stored in another computer connected via a network such as LAN or WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070. May be.

Although the embodiments to which the invention made by the present inventor has been applied have been described above, the present invention is not limited to the description and the drawings that form part of the disclosure of the present invention according to the present embodiment. That is, all other embodiments, examples, operation techniques, and the like made by those skilled in the art based on this embodiment are included in the scope of the present invention.

10 Classification Device 11 Input Section 12 Output Section 13 Communication Control Section 14 Storage Section 14a Label Information 15 Control Section 15a Coarse Classification Section 15b Fine Classification Section 15c Acquisition Section 15d Conversion Section

Claims (4)

A coarse classification unit that outputs a first granularity label that represents a classification hierarchy to be assigned to data;
A sub-classification unit that outputs a label of a second granularity in which the granularity given to the data is finer than the label of the first granularity, and outputs the label of the second granularity from the label of the first granularity;
An acquisition unit for acquiring the teacher data to which the label of the first granularity is attached or the teacher data to which the label of the second granularity is attached,
A conversion unit that converts the acquired label of the teacher data to which the label of the second granularity is added to the label of the first granularity,
The rough classification unit uses the acquired teacher data to which the label of the first granularity has been acquired and the converted teacher data to which the label of the first granularity has been converted to obtain the first granularity. Learn how to label
The fine classification unit uses the acquired teacher data to which the label of the second granularity is added and the label of the first granularity output from the coarse classification unit, and uses the label of the second granularity. A classifying device characterized by learning the assignment of. Further, a second coarse classifying unit which outputs a label having a coarser granularity than the first granularity, which is given to the data, is provided, and the second coarse classifying unit is connected to the coarse classifying unit. The classification device according to claim 1. A classification method executed by a classification device,
A rough classification step of outputting a first granularity label representing a classification hierarchy to be given to the data;
A sub-classification step of outputting a label of a second granularity in which the granularity given to the data is finer than the label of the first granularity, and outputting the label of the second granularity from the label of the first granularity;
An acquisition step of acquiring the teacher data with the label of the first granularity or the teacher data with the label of the second granularity;
A conversion step of converting the acquired label of the teacher data to which the label of the second granularity is given to the label of the first granularity,
In the rough classification step, using the acquired teacher data with the label of the first granularity and the acquired teacher data with the label of the first granularity, the first granularity is used. Learn how to label
In the fine classification step, using the acquired teacher data to which the label of the second granularity is given and the label of the first granularity output in the rough classification step, A classification method characterized by learning the assignment of labels. A coarse classification step of outputting a label of a first granularity representing a classification hierarchy given to the data;
A sub-classification step of outputting a label of a second granularity in which the granularity given to the data is finer than the label of the first granularity, and outputting the label of the second granularity from the label of the first granularity;
An acquisition step of acquiring the teacher data with the label of the first granularity or the teacher data with the label of the second granularity;
A conversion step of converting the acquired label of the teacher data to which the label of the second granularity is given to the label of the first granularity,
In the rough classification step, using the acquired teacher data with the label of the first granularity and the converted teacher data with the label of the first granularity, the first granularity is used. Learn how to label
In the fine classification step, using the acquired teacher data to which the label of the second granularity is given and the label of the first granularity output in the rough classification step, A classification program characterized by causing a computer to execute a process of learning labeling.

Images