JP6783741B2 - Distance measuring device, communication system, creating device and distance measuring program - Google Patents

Description

The present invention relates to a distance measuring device, a communication system, a creating device, and a distance measuring program.

Conventionally, there are methods for detecting external attack communication to a communication network and a computer connected to the communication network, and communication such as an internal attack or information leakage that occurs as a result of the computer being infected with malware or the like. As one of the detection methods, there is a method of analyzing logs output by network devices, computers, and the like. like this. The SIEM (Security Information and Event Management) system is a representative device that collects and analyzes logs and detects malicious communications that cause security problems such as attacks and information leaks from normal communications (beneficial communications). McAfee (registered trademark) SIEM, IBM (registered trademark) QRadar, etc. (see, for example, Non-Patent Documents 1 and 2).

In the detection and analysis of this malicious communication, it is important to compare the list of known character strings / data strings such as blacklists and whitelists with the character strings / data strings appearing in the communication to be inspected to determine the difference. It is a process. It is well known that the difference is expressed by two values of match or mismatch, such as exact match and pattern match represented by a regular expression.

On the other hand, there is a method of quantifying the difference between data and defining it as 0 if it matches, and as a distance that the value increases with each difference. By using such distances, machine learning methods such as clustering by the k-means method, classification and recommendation by the k-nearest neighbor method can be applied to the detection and analysis of malignant communication, and more sophisticated and efficient detection can be performed. , It becomes possible to perform analysis.

For example, the editing distance (Levenshtein distance) is a typical distance between character strings. In information theory, relative entropy (KL information amount) and the like are proposed as distances (see, for example, Non-Patent Document 3). Specifically, the relative entropy KL (P | Q) of the character string P with respect to the character string Q is calculated as follows using the difference in the appearance rate of the characters appearing in the character string.

McAfee, "Security Information and Event Management (SIEM)", [Searched on November 9, 2017], Internet <URL: https://www.mcafee.com/jp/products/siem/index.aspx> IBM, "IBM QRadar Security Intelligence Platform", [Searched on November 9, 2017], Internet <URL: http://www-03.ibm.com/software/products/ja/qradar> Masaru Sugiyama, “Distance estimation between probability distributions: Latest trends in the field of machine learning”, Journal of the Japan Society for Industrial and Applied Mathematics, vol.23, no.3, pp. 439-452, 2013. S.R.Kosaraju, G.MANZINI, “Compression of Low Entropy Strings with Lempel-Ziv Algorithms”, SIAM J. Comput., Vol.29, pp.893-911, 1999.

Malware often makes multiple specific communications. Therefore, if the characteristic character strings and data strings of not only a single communication but also a plurality of communications can be made into a list and the difference from the existing list such as a white list / black list can be determined as a distance, the detection accuracy will be higher. Is thought to be enhanced.

However, at present, there is no method for efficiently finding the distance between character strings and between character string lists. For example, suppose that the distance between character strings between each list is calculated by rounding the edit distance, and the distance between the character strings and the character string list is measured by various arithmetic methods such as averaging. Think about it. However, this measurement method needs to measure the distance at least by multiplying the number of lists N by each other, and the order of the amount of calculation becomes as large as O (N ² ).

On the other hand, for relative entropy, after calculating the appearance rate of each character type of the reference source data string, the appearance rate of the reference source character type corresponding to each character of the target data string may be processed. Therefore, for relative entropy, the amount of calculation O (N) proportional to the number of character string lists N is sufficient. However, relative entropy is not suitable for measuring the distance between character strings because the comparison of the difference is in character units and does not consider the arrangement of characters.

In addition, for the entropy considering the character sequence (Shannon's nth-order entropy), it is necessary to determine the probabilistic model for the character sequence in advance. However, determining this probabilistic model is not easy.

The present invention has been made in view of the above, and provides a distance measuring device, a communication system, a creating device, and a distance measuring program capable of efficiently obtaining a distance between data strings or a data string list. With the goal.

In order to solve the above-mentioned problems and achieve the object, the distance measuring device according to the present invention refers to the data string or data string list to be measured and the data string or data string list of the reference source by k (k). Is an arbitrary natural number) A conversion unit that inputs an unused character code as a divided data string and converts the data string or data string list into one data string, and k in the data string to be measured converted by the conversion unit. The first appearance rate, which is the appearance rate of the combined partial data string that combines the long partial data string and the characters that appear immediately before the partial data string, and the k length immediately after the reference source data string converted by the conversion unit The kth-order experience crossing entropy, which is the sum of the multiplication values of the amount of experience information, which is the logarithm of the second appearance rate, which is the appearance rate of characters known to be partial data strings, is the data string to be measured. Alternatively, it is characterized by having a data string list and a distance calculation unit that calculates the distance between the reference source data string or the data string list.

According to the present invention, the distance between data columns or data column lists can be efficiently determined.

FIG. 1 is a diagram showing an example of the configuration of the distance measuring device according to the first embodiment. FIG. 2 is a flowchart showing a processing procedure of a distance measuring method executed by the distance measuring device shown in FIG. FIG. 3 is a diagram showing an example of the configuration of the communication system according to the second embodiment. FIG. 4 is a flowchart showing a processing procedure of learning processing in the malignant distance measuring device shown in FIG. FIG. 5 is a flowchart showing a processing procedure of inference logic in the malignant distance measuring device shown in FIG. FIG. 6 is a flowchart showing a processing procedure of the detection process in the detection device shown in FIG. FIG. 7 is a diagram showing an example of the configuration of the communication system according to the third embodiment. FIG. 8 is a flowchart showing a processing procedure of learning processing in the malware type distance measuring device shown in FIG. 7. FIG. 9 is a flowchart showing a processing procedure of inference logic in the malware type distance measuring device shown in FIG. 7. FIG. 10 is a flowchart showing a processing procedure of the detection process in the determination device shown in FIG. 7. FIG. 11 is a diagram showing an example of the configuration of the creating device according to the fourth embodiment. FIG. 12 is a flowchart showing a processing procedure of the creation process executed by the creation apparatus shown in FIG. FIG. 13 is a diagram showing an example of a computer in which a distance measuring device, a malignant distance measuring device, a malware type distance measuring device, and a creating device are realized by executing a program.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment. Further, in the description of the drawings, the same parts are indicated by the same reference numerals.

In the present embodiment, for two character strings / data strings or a character string list / data string list, two appearances are used by using an appearance rate in consideration of a sequence of characters, which does not require the assumption of a probabilistic model in advance. By calculating the difference in rate, the efficiency of distance measurement is realized. By using this distance, for example, the distance between the character string list constituting the target communication and the character string list constituting the existing malignant communication or the like can be measured, and if the distance is close to some extent, it can be determined to be malignant or the like. Hereinafter, the measurement of the distance between character strings or between character string lists will be described as an example, but this embodiment can be applied to a data string or a data string list in general.

[Conventional mathematical background]
First, the conventional mathematical background required in the following explanation will be described. Conventionally, the k-th-order empirical entropy has been devised to use the appearance rate in consideration of the sequence of characters without the need for prior stochastic model setting. This k-th experience entropy extracts all substrings of character length k from the string, and for each extracted substring, the character immediately before (or immediately after) the same substring in the string. It is calculated using the appearance rate. The k-order empirical entropy is calculated as shown in Eq. (2) below (see Non-Patent Document 4 for details).

The 0th-order empirical entropy used in Eq. (2) is calculated as in Eq. (3) below.

Here, 2 or the number of elements of the character set Σ is often used at the base of the logarithm. If p _c = n _c / | T |, it can be seen that the 0th-order empirical entropy has the same form as Shannon's 1st-order entropy (see Equation 1-2).

As an example, the secondary empirical entropy of the string T (T = abcbcbccb) is calculated as follows. The base of the logarithm is 2.

Here, the set of substrings of character length 2 in the character string T is {ab, bc, cb, cc}. First, since the first substring ab is only at the beginning of the line and there is no immediately preceding character, the immediately preceding character concatenated string is ^Tab = (empty). On the other hand, regarding the following substring bc, since the substring with a character length of 3 included at the end includes abc (from the beginning), cbc (from the third character), and cbc (from the fifth character). The preceding character of each is "a, c, c". Therefore, the immediately preceding character concatenated string for the substring bc is T ^bc = acc. Similarly, the immediately preceding character concatenated string for the substring cb is T ^cb = bbc. Further, the immediately preceding character concatenated character string for the substring cc is T ^cc = b.

The 0th-order empirical entropy of each immediately preceding character concatenated character string can be obtained by the following equations (A-1) to (A-4).

H ₀ (T ^ac ) = H ₀ (empty) = 0 ・ ・ ・ (A-1)
H ₀ (T ^bc ) = H ₀ (acc) = 1 ÷ 3 × log (3 ÷ 1) + 2 ÷ 3 × log (3 ÷ 2) = 0.9183 ・ ・ ・ (A-2)
(n _a = 1, n _c = 2, | T _bc | = 3, rounded to the nearest 5 decimal places)
H ₀ (T ^cb ) = H ₀ (bbc) = 2 ÷ 3 × log (3 ÷ 2) +1 ÷ 3 × log (3 ÷ 1) = 0.9183 ・ ・ ・ (A-3)
(n _b = 2, n _c = 1, | T ^cb | = 3, rounded to the nearest 5 decimal places)
H ₀ (T ^cc ) = H ₀ (b) = 0 ・ ・ ・ (A-4)

As mentioned above, | T | = 9, | T ^ac | = 1, | T ^bc | = 3, | T ^cb | = 3, | T ^cc | = 1, so the secondary experience entropy H ₂ (T) ) Can be obtained by the following equation (B-1).

H ₂ (T) = 1 ÷ 9 × H ₀ (T ^ac ) + 3 ÷ 9 × H ₀ (T ^bc ) + 3 ÷ 9 × H ₀ (T ^bc ) + 3 ÷ 9 × H ₀ (T ^cc )
= 0.1111 × 0 + 0.3333 × 0.9183 + 0.3333 × 0.9183 + 0.1111 × 0
= 0.6122 ・ ・ ・ (B-1)

[Mathematical background in this embodiment]
Next, the mathematical background of the present embodiment will be described. The distance measuring method according to the present embodiment makes it possible to measure the difference in distribution in consideration of the sequence of characters by extending the above k-order empirical entropy to the k-th empirical cross entropy.

As a preliminary step, if equations (2) and (3) are written down as one equation, the following equation (4) can be obtained.

In equation (4), p (c, s) is the simultaneous probability that the character c appears immediately before the substring s in the character string T. This p (c, s) is the substring c + s (+ indicates the concatenation process between strings), which is the number of occurrences in the string T divided by the string length | T |. .. Therefore, p (c, s) is equivalent to the appearance rate of the k + 1 long substring c + s. Also, p (c | s) is the conditional probability that the character c appears when the substring immediately after it is known to be s, and the appearance rate of c in the immediately preceding character concatenated string T ^s n _c. Calculated with / | T ^s |.

Further, if the empirical information amount I (c + s) of the character string c + s is defined as in the following equation (5-2), the kth-order empirical entropy is as shown in the equation (5-1). It can also be described as the sum of the amount of experience information of all k + 1 long substrings in the character string T according to the appearance rate. However, p (c + s) is the appearance rate of the k + 1 long substring c + s, which is equivalent to p (c, s).

Therefore, based on the above equation, the k-th-order empirical cross entropy H _k (P, Q) (P, Q is a character string) is defined as the following equation (6).

That is, in the present embodiment, as shown in Eq. (6), the appearance rate of the combined substring that combines the k-length substring and the character that appears immediately before the substring in the character string to be measured. The amount of experience information, which is the logarithm of the first appearance rate, which is the appearance rate of the character c, which is known to be a k-length substring immediately after the reference source character string, and the second appearance rate, which is The k-th-order experience crossing entropy, which is the sum of the multiplication values of, is calculated as the distance between the character string or character string list to be measured and the character string or character string list of the reference source.

However, in the above equation (6), q (c | s) may not always be calculated. That is, in order for q (c | s) to be calculated, at least the substring c + s must be included in the string Q. However, c + s is taken from the string P and often does not appear in the different strings Q.

Therefore, in the present embodiment, in order to solve the above problem, when q (c | s) cannot be calculated, the calculation is performed by lowering the order to the order k'that can be calculated in q. In other words, in the present embodiment, when the join substring is not included in the reference source character string, the degree k is lowered to the order in which the join substring appears in the reference source string. Specifically, in the present embodiment, c + s _k'combined with the character string s _k'consisting of the first k'length of the immediately preceding character c and the substring s is included in the character string Q. We will use the one with the largest k'.

Assuming that this conditional probability is q'(c | s), the k-th-order empirical cross entropy is described by Eq. (7) shown below.

k '= 0 o'clock q (c | s _k'), since s _{k 'is} the empty string, calculates a q (c) instead. If q (c) itself cannot be calculated, that is, if the character c is not included in the character string Q, it is replaced by the means described later in the first embodiment.

[K-order experience KL information amount]
Next, the application of the k-th empirical cross entropy to various amounts of information will be described. First, a case where the k-th-order empirical cross entropy is applied to the KL information amount (Kullback-Leibler divergence: relative entropy) will be described as an example.

This amount of KL information is often used as a distance based on a probability distribution. By applying the above-mentioned k-th-order experience cross entropy to this KL information amount, it can be expanded as the k-th-order experience KL information amount as shown in the following equation (8).

In this way, it is possible to calculate the distance between character strings and between character string lists even by using the kth-order experience KL information amount considering the sequence of characters.

Here, a case where the above-mentioned distance measurement method between character strings is extended to a character string list will be described. In this case, it is easy to perform the following processing on the character string list, convert the character string list into a character string, and then measure the distance.

Specifically, when measuring the order of the empirical cross entropy by the kth order, k unused characters (for example, the NULL character "0x00") are used as the dividing characters at the beginning of the list, between the lists, and at the end of the list. Insert and combine into one string. In the present embodiment, the distance between the character strings is measured using the character strings in which the character string lists are combined into one in this way.

Then, an example of the conversion method to a character string will be described. For example, the conversion in the case of order 2 will be described. The character string list before conversion is, for example, "character string 1, character string 2, ..., Character string n". In this case, insert k unused characters (for example, the NULL character "0x00") at the beginning of the character string 1, between each of the character strings 1, 2, ..., N, and at the end of the character string n. Combine into one string. As a result, the combined string after conversion is "(null) (null) string 1 (null) (null) string 2 (null) (null) ... (null) (null) string n (null) (null) ) ”. Note that (null) (null) is a divided character string consisting of two characters. (null) indicates one character (ASCII value 0).

Then, in the present embodiment, even if there are no unused characters, an unused character (for example, "0xffff") can be generated by treating each character of 1 byte as 2 bytes. Further, in the present embodiment, one character type (for example, a NULL character) having a low appearance rate is escape-sequenced and replaced with two other character types (for example, "\ 0") to divide the one character type into a division character. Can also be used as.

Further, in the present embodiment, the distance of the list P to the list Q is not processed after all the list Ps are concatenated in one column, but the division characters are added to the beginning and the end of each element of the list. In addition, the distance between the character strings may be measured by adding them according to the weights according to the character string length of each element as in the following equation (9).

However, in equation (9), P _i is the i-th element of the list P. | T _i | is the string length of the list element P _i . | T | is the string length (| T | = Σ | T _i |) of the entire list P.

As a result, not only the character string but also the distance between the character string lists can be calculated by using the k-th empirical cross entropy in consideration of the character sequence.

In the above equations (4) to (7), the substring s and the character c immediately before it were used in order to calculate the appearance rate considering the sequence of characters, but instead of the character immediately before. You may use the character immediately after.

[K-order experience JS information amount]
Next, a case where the k-th-order empirical cross entropy is applied to the JS information amount (Jensen-Shannon divergence) will be described as an example. The amount of JS information can be expressed as the following equation (10) and is used as a distance.

In equation (10), M is a character string obtained by combining P and Q, and M / 2 means that the appearance rate is halved.

By applying the k-th-order experience cross entropy, this JS information amount is also defined as the k-th-order experience JS information amount as shown in equations (11-1) to (11-3), like the KL information amount. be able to.

However, in the equations (11-1) to (11-3), when P and Q are character strings, M is composed of the entire character string as one list. This is because if both P and Q are character strings, M is a two-element list. Since M contains all the substrings of P and Q, the k-th experience JS information amount is different from the k-th experience KL information amount, and the information amount of the k-length character string c + s I _m. Can always be calculated. Therefore, when calculating the k-th experience JS information amount, it is not necessary to use the information amount of the shorter character string c + s'instead.

As described above, in the present embodiment, it is not necessary to determine the probabilistic model for the character string in advance, and by using the k-th empirical cross entropy in consideration of the character string shown in the equations (6) and (7). , The distance between character strings can be calculated efficiently. Further, in the present embodiment, the distance between character strings is appropriately calculated by applying the k-th experience cross entropy to the KL information amount and expanding it as the k-th experience KL information amount as in the equation (8). It becomes possible to do. Further, in the present embodiment, the distance between character strings is appropriately calculated by applying the k-th experience cross entropy to the JS information amount and expanding it as the k-th experience JS information amount as in the equation (8). It becomes possible to do.

[Embodiment 1]
Next, the first embodiment will be described. In the first embodiment, for example, a distance device for measuring the distance between a character string or a character string list using the k-th empirical KL information amount will be described.

FIG. 1 is a diagram showing an example of the configuration of the distance measuring device according to the first embodiment. As shown in FIG. 1, the distance measuring device 10 according to the first embodiment includes a conversion unit 11, an appearance number calculation unit 12, an experience information amount calculation unit 13, a distance calculation unit 14, and an experience information amount storage unit 15. .. In the distance measuring device 10, for example, a predetermined program is read into a computer or the like including a ROM (Read Only Memory), RAM (Random Access Memory), CPU (Central Processing Unit), etc., and the CPU executes the predetermined program. It will be realized by.

The distance measuring device 10 accepts the input of a character string or a character list for measuring the distance. In the example of FIG. 1, input of a target character string or character string list as a measurement target and a reference character string or character string list as a reference source is accepted. In addition, the distance measuring device 10 also accepts input of setting information such as order k required for calculating the distance. Then, the distance measuring device 10 measures the distance between the target character string or the character string list and the reference character string or the character string list, and outputs information such as the measured distance.

The conversion unit 11 performs conversion processing on the input target character string or character string list and the reference character string or character string list which is the reference source, and converts the input target character string or character string list into a character string suitable for distance measurement.

The appearance number calculation unit 12 calculates the number of appearances of the k-length sub-character string and the character immediately before the k-length sub-character string for the converted target character string. The appearance number calculation unit 12 calculates the number of appearances of the 0, 1, ..., K long sub-character string and the character immediately before the k-long sub-character string for the converted reference character string. The experience information amount calculation unit 13 calculates the 0, 1, ..., Kth-order experience KL information amount based on the number of appearances of the converted reference character string, and stores the experience information amount storage unit 15.

The distance calculation unit 14 calculates the k-th-order experience cross entropy based on the number of occurrences of the converted target character string and the amount of experience information stored in the experience information amount storage unit 15, and calculates the k-order experience cross entropy, and the target character string or character string list And output as the distance from the reference character string or character string list that is the reference source. The k-th-order experience cross entropy is the first appearance rate of the combined substring that combines the k-length substring and the character that appears immediately before the substring in the character string to be measured converted by the conversion unit 11. The amount of experience information that is the logarithm of the second appearance rate, which is the appearance rate of the character c, which is the appearance rate of the character c, which is known to be the k-length substring immediately after the character string of the reference source converted by the conversion unit 11. Is the sum of the multiplication values of and. When the combined sub data string is not included in the reference source data string converted by the conversion unit 11, the distance calculation unit 14 shifts the order k into the reference source data string converted by the conversion unit 11. Decrease to the order in which the column appears.

The experience information amount storage unit 15 stores the experience information amount calculated by the experience information amount calculation unit 13.

[Processing of conversion unit]
First, the processing of the conversion unit 11 will be described. The conversion unit 11 inputs k unused character codes as a division character string to the character string or character string list to be measured and the character string or character string list of the reference source, and character strings or characters. Converts a column list into a single string.

For example, when the input is a character string, the conversion unit 11 adds a division character string to the beginning and the end. Further, when the input is a character string list, the conversion unit 11 adds a division character string at the beginning and the end, sandwiches the division character string between the lists, and concatenates them as one character string.

[Processing of appearance number calculation unit]
Next, the processing of the appearance number calculation unit 12 will be described. The appearance number calculation unit 12 calculates the appearance number as follows, for example, by using the sub-character string of i length (0 ≦ i ≦ k, i is an integer) and the character immediately before the sub-character string.

First, the appearance number calculation unit 12 acquires the first (i + 1) character from the character string. Then, the appearance number calculation unit 12 divides the acquired (i + 1) character into the first character c and the subsequent substring s _i , and adds 1 to the variable N [s _i ] [c]. Record by. Next, the appearance number calculation unit 12 shifts by one character, acquires the (i + 1) character, and similarly records the appearance number N. The appearance number calculation unit 12 executes this process until the end of the character string. Then, the appearance number calculation unit 12 calculates the appearance number N [s _i ] = Σ _c N [s _i ] [c] of each substring s _i .

Even when i = 0 length, the appearance number calculation unit 12 can execute the same calculation process by associating the sub-character string s _i with the empty character string “”. Hereinafter, the number of appearances (array) related to the converted target character string is Np, and the number of appearances (array) related to the converted reference character string is Nq. The appearance number calculation unit 12 calculates the target character string appearance number Np for the k length, and calculates the reference character string appearance number Nq for 0, 1, ..., K length.

[Processing of experience information amount calculation unit]
Next, the processing of the experience information amount calculation unit 13 will be described. The experience information amount calculation unit 13 calculates all the experience information amounts from the 0th to the kth order based on the reference character string appearance number Nq. The experience information amount calculation unit 13 calculates the experience information amount I [c + s _i ] of the _i- th order (0 ≦ i ≦ k, i is an integer) using the following equation (12). Equation (12) is based on Equation (5-2).

The experience information amount calculation unit 13 stores the i-order experience information amount I [c + s _i ] in the experience information amount storage unit 15 using the character string c + s _i as a key. The experience information amount calculation unit 13 can similarly calculate and store the i-order experience information amount I [c + s _i ] by making s _i correspond to an empty string even in the case of the 0th order.

[Processing of distance calculation unit]
Next, the processing of the distance calculation unit 14 will be described. The distance calculation unit 14 calculates the k-th-order experience cross entropy as the distance between the character string or character string list to be measured and the character string or character string list of the reference source. In the first embodiment, the distance calculation unit 14 calculates the k-th experience KL information amount based on the number of appearances of the target character string and the experience information amount, and outputs it as a distance.

First, the distance calculation unit 14 sets the value d for the substring c + s (c is the immediately preceding character and s is the k-length substring) of the converted target character string as shown in the following equation (13). calculate. Note that c is the immediately preceding character and s is the k-length substring. The value d corresponds to p (c, s) × logq (c | s) in Eq. (6).

Here, in the equation (13), Np is the number of occurrences in the converted target character string as described above, and I is the amount of experience information acquired from the experience information amount storage unit 15. | T _P | is the character length obtained by removing the division character string from the converted target character string.

The sum of the values d calculated for all the substrings from Eq. (6) is the kth-order experience KL information amount. Therefore, the distance calculation unit 14 calculates this value d with all the sub-character strings. Then, the distance calculation unit 14 obtains the sum of all the calculated values d as the k-th experience KL information amount, and outputs the obtained k-th experience KL information amount as the distance.

[Structure of experience information storage unit]
Next, the configuration of the experience information amount storage unit 15 will be described. The experience information amount storage unit 15 is configured as a data structure containing the amount of experience information corresponding to the character string, using the character string as an index. When an inquiry is made using a character string as a key, the experience information amount storage unit 15 performs a prefix match between the character string to be inquired and the index, and sends the amount of information corresponding to the index having the longest character string length to the inquiry source. return.

The data structure of the empirical information amount storage unit 15 can be configured by using, for example, a tri-tree algorithm. The tri-tree algorithm is known to have an average calculation amount of O (logN) for the registered index number N, and can perform a high-speed search.

If the inquired key does not match the index at all, the experience information amount storage unit 15 returns the value to the inquiring source based on the method determined by the preset or the like. For example, the experience information amount storage unit 15 returns a specified value (value of 0 or more). Further, for example, the experience information amount storage unit 15 returns log | T _Q |. | T _Q | is the character length obtained by removing the partition character string from the converted reference character string. Of course, the experience information amount storage unit 15 may return the value by using another method.

[Processing procedure of distance measurement method]
Next, the distance measuring method executed by the distance measuring device 10 will be described. FIG. 2 is a flowchart showing a processing procedure of the distance measuring method executed by the distance measuring device 10 shown in FIG.

In the distance measuring device 10, first, the conversion unit 11 converts each of the target character string or character string list that has received the input and the reference character string or character string list into a character string suitable for distance measurement. Perform the process (step S11). The conversion unit 11 inserts a k-length division character string at the beginning, between lists, and at the end, sandwiches the division character string between the lists, and concatenates them as one character string to convert the converted target character string and the converted reference character string. Generate.

Then, the appearance number calculation unit 12 calculates the number of appearances of the k-length sub-character string and the character immediately before the k-length sub-character string with respect to the converted target character string, and with respect to the converted reference character string. , 0,1, ..., Performs the appearance number calculation process for calculating the number of appearances of the k-length sub-character string and the character immediately before the k-length sub-character string (step S12).

Subsequently, the experience information amount calculation unit 13 calculates all the experience information amounts from the 0th to the kth order based on the number of appearances of the converted reference character string, and calculates the experience information amount to be stored in the experience information amount storage unit 15. Perform the process (step S13).

Then, the distance calculation unit 14 performs a distance calculation process for calculating a distance or the like based on the number of appearances of the converted target character string and the amount of experience information stored in the experience information amount storage unit 15 (step S14). .. It is sufficient that the distance measuring device 10 executes the conversion process for the reference character string or the character string list, the appearance number calculation process, and the experience information amount calculation process when the input of the reference character string or the character string list is received.

[Effect of Embodiment 1]
In the present embodiment, the k-th-order empirical cross entropy considering the sequence of characters is calculated as the distance between character strings or between character string lists. The k-th-order experience cross entropy is the first appearance rate of the combined substring that combines the k-length substring and the character that appears immediately before the substring in the character string to be measured converted by the conversion unit 11. The amount of experience information that is the logarithm of the second appearance rate, which is the appearance rate of the character c, which is the appearance rate of the character c, which is known to be the k-length substring immediately after the character string of the reference source converted by the conversion unit 11. Is the sum of the multiplication values of and.

For example, for a list of m character strings and a list of n character strings, in order to obtain the distance between the character string lists, each character string between the character string lists is combined and measured, and the distance between them is measured. There is a method of processing (such as averaging). However, this method requires at least (m × n) distance calculations, and the amount of calculation is as large as O (N ² ). On the other hand, in the first embodiment, since the list part as the empirical information amount can be ordered by log, the calculation amount is O (NlogN), which is much larger than the calculation amount O (N ² ) by the above-mentioned method. To less. Therefore, according to the present embodiment, the distance between the character strings or the character string lists can be efficiently obtained.

Further, in the first embodiment, since the k-th empirical cross entropy is calculated without using the probability model, the distance between the target character string and the reference character string does not need to be determined in advance for the probability model regarding the sequence of characters. Can be calculated.

Further, in the first embodiment, before the distance calculation, the target character string or the character string list and the reference character string or the character string list which is the reference source are combined into one concatenated character string suitable for the distance measurement. It can be transformed and the calculation of k-th empirical cross entropy can be performed appropriately.

[Embodiment 2]
Next, the second embodiment will be described. In the second embodiment, a communication system for detecting malignant communication from a communication log will be described using a distance measuring unit 10'having the same function as the distance measuring device 10 shown in FIG.

[Communication system configuration]
FIG. 3 is a diagram showing an example of the configuration of the communication system according to the second embodiment. As shown in FIG. 3, the communication system 201 according to the second embodiment has a malignant distance measuring device 210 and a detecting device 220.

The malignant distance measuring device 210 has a distance measuring unit 10'having the same function as the distance measuring device 10 shown in FIG. The malignant distance measuring device 210 learns the malignant communication log as teacher data, and calculates the malignant distance which is the distance between the learned malignant log and the communication log which is the detection target data.

When the malignant distance calculated by the malignant distance measuring device 210 is equal to or less than a predetermined distance, the detection device 220 detects that the malignant communication is included in the communication log of the distance measurement target. Although the malignant distance measuring device 210 and the detecting device 220 are shown as separate devices in FIG. 3, of course, the same device may be provided with the functions of the malignant distance measuring device 210 and the detecting device 220.

[Configuration of malignant distance measuring device]
Next, the malignant distance measuring device 210 will be described. As shown in FIG. 3, the malignant distance measuring device 210 has a distance measuring unit 10', a learning unit 211, and an inference unit 212.

The learning unit 211 causes the distance measuring unit 10'to learn the malignant communication log and the benign communication log as teacher data, and obtains the amount of experience information of the benign communication log and the malignant communication log as the experience of the character string or the character string list of the reference source. As the amount of information, it is stored in the experience information amount storage unit 15.

The inference unit 212 causes the distance measurement unit 10'to calculate the distance between the communication log to be detected and the malignant communication log, which is the teacher data, based on the amount of experience information of the benign communication log and the malignant communication log. The inference unit 212 determines the amount of experience information of the malignant log stored in the experience information amount storage unit 15, and the number of occurrences of the k-long partial character string and the character immediately before the k-long partial character string in the communication log to be detected. , And let the distance measuring unit 10'calculate the malignant distance. The order k is set in advance.

[Processing of learning department]
Next, the processing of the learning unit 211 will be described. The learning unit 211 accepts the input of the malignant communication log and the benign communication log which are teacher data. Here, the communication log treats one line as one list of the character string list.

First, the learning unit 211 performs preprocessing such as deletion of unnecessary character strings and unification of log formats for each teacher data as appropriate. The learning unit 211 may, for example, reduce the same log line that appears many times as unnecessary character string deletion. Similar to the first embodiment, the learning unit 211 causes the distance measuring unit 10'to process the preprocessed teacher data as a character string list of the reference source, and stores the kth-order experience information amount as the experience information amount storage unit 15. To store in.

[Processing of inference part]
Next, the processing of the inference unit 212 will be described. The inference unit 212 performs preprocessing on the communication log, which is the data to be detected, in the same manner as the learning unit 211.

Subsequently, the inference unit 212 removes a log similar to the benign communication log given as the teacher data from the communication log of the previously detected detection target data. For example, the inference unit 212 may simply determine that the same log as the benign communication destination domain is a log similar to the benign communication log. Further, the inference unit 212 causes the distance measurement unit 10'to execute the same processing as in the first embodiment to measure the distance between the communication log which is the detection target data and the benign communication log which is the teacher data, and measures the distance. A log having a distance of a predetermined distance or less may be determined to be a log similar to a benign communication log.

The inference unit 212 causes the distance measurement unit 10'to measure the malignant distance between the communication log, which is the detection target data from which the benign communication log has been removed, and the malignant communication log, which is the teacher data. This malignant distance is calculated by having the distance measuring unit 10'perform the same processing as in the first embodiment and using the amount of experience information stored in the experience information amount storage unit 15 of the distance measuring unit 10'.

The inference unit 212 outputs the measured malignant distance to the detection device 220. When the malignant distance output from the malignant distance measuring device 210 is equal to or less than a predetermined distance, the detection device 220 detects that the malignant communication is included in the communication log which is the detection target data.

The inference unit 212 divides the communication log, which is the detection target data, according to the source IP address (each terminal), each unit time, etc., instead of inferring the communication log which is the detection target data in a batch. Then, the malignant distance may be measured for each divided communication log. For example, when the inference unit 212 divides the communication log, which is the detection target data, for each terminal, the detection device 220 can detect the terminal whose malignant distance is equal to or less than a predetermined value as a malware-infected terminal.

[Processing procedure of learning process]
Next, the processing procedure of the learning process in the malignant distance measuring device 210 will be described. FIG. 4 is a flowchart showing a processing procedure of the learning process in the malignant distance measuring device 210 shown in FIG.

In the malignant distance measuring device 210, first, the learning unit 211 performs preprocessing such as deletion of unnecessary character strings and unification of log formats for each teacher data that has received input (step S21). Then, the learning unit 211 causes the distance measurement unit 10'to calculate the amount of experience information for each teacher data, and performs the experience information amount calculation process to be stored in the experience information amount storage unit 15 (step S22).

[Processing procedure for inference processing]
Next, the processing procedure of the inference processing in the malignant distance measuring device 210 will be described. FIG. 5 is a flowchart showing a processing procedure of inference logic in the malignant distance measuring device 210 shown in FIG.

In the inference process, the inference unit 212 performs preprocessing such as unnecessary character string deletion, format shaping, and division on the communication log which is the detection target data (step S23). Then, the inference unit 212 performs a removal process of removing a log similar to the benign communication log which is the teacher data from the communication log which is the detection target data (step S24).

Subsequently, the inference unit 212 performs a distance measurement process for causing the distance measurement unit 10'to measure the malignant distance between the communication log, which is the detection target data from which the benign communication log has been removed, and the malignant communication log, which is the teacher data. Step S25), the measured malignant distance is output to the detection device 220.

[Processing procedure for detection processing]
Next, the processing procedure of the detection process in the detection device 220 will be described. FIG. 6 is a flowchart showing a processing procedure of the detection process in the detection device 220 shown in FIG.

As shown in FIG. 6, first, the detection device 220 receives the input of the malignant distance by the malignant distance measuring device 210 (step S26). Then, when the malignant distance is equal to or less than a predetermined distance, the detection device 220 performs a detection process for detecting that the malignant communication is included in the communication log which is the detection target data (step S27), and the malignant communication is included. The detection result showing the communication log is output to the coping device.

[Effect of Embodiment 2]
As described above, according to the communication system 201 of the second embodiment, the blacklist and the target communication log are individually compared one by one, whereas the malware communication can be compared collectively, so that the comparison process is performed. It has the effect of increasing the speed and improving the detection accuracy.

[Embodiment 3]
Next, the third embodiment will be described. In the third embodiment, a communication system for determining the malware that causes the malicious communication included in the communication log will be described using the distance measuring unit 10'.

[Communication system configuration]
FIG. 7 is a diagram showing an example of the configuration of the communication system according to the third embodiment. As shown in FIG. 7, the communication system 301 according to the third embodiment includes a malware type distance measuring device 310 and a determining device 320.

The malware type distance measuring device 310 has a distance measuring unit 10'. The malware type distance measuring device 310 learns the malicious communication log for each malware type as teacher data, and calculates the malware distance which is the distance between the learned malicious communication log for each malware type and the communication log which is the detection target data. ..

The determination device 320 determines the malware type corresponding to the distance with the shortest malware distance calculated by the malware type distance measuring device 310 as the malware for malicious communication in the communication log to be detected. In FIG. 7, the malware type distance measuring device 310 and the determining device 320 are shown as separate devices, but of course, the same device may be provided with the functions of the malware type distance measuring device 310 and the determining device 320. ..

[Malware type distance measuring device configuration]
Next, the malware type distance measuring device 310 will be described. As shown in FIG. 7, the malware type distance measuring device 310 includes a distance measuring unit 10', a learning unit 311 and an inference unit 312.

The learning unit 311 causes the distance measuring unit 10'to learn the malignant communication log sorted for each malware type as teacher data, and obtains the amount of experience information obtained for each malware type as a reference source character string or character string list. The amount of experience information is stored in the experience information amount storage unit 15.

The inference unit 312 causes the distance measurement unit 10'to calculate the malware distance, which is the distance between the communication log, which is the detection target data, and the malicious communication log of each malware type learned as the teacher data. The inference unit 312 stores the experience information amount of the malicious log for each malware type stored in the experience information amount storage unit 15 in the distance measurement unit 10, the k-length partial character string in the communication log to be detected, and the k-length partial character. Based on the number of appearances of the character immediately before the column, the malware distance is calculated for each malware type. The order k is set in advance.

[Processing of learning department]
Next, the processing of the learning unit 311 will be described. The learning unit 311 accepts the input of the malicious communication log sorted according to the malware type which is the teacher data. Here, the communication log treats one line as one list of the character string list.

First, the learning unit 311 performs preprocessing such as deletion of unnecessary character strings and unification of the log format for each teacher data, as in the case of the learning unit 211. The learning unit 311 may delete unnecessary character strings, for example, reduce the same log line that appears many times. The learning unit 311 causes the distance measuring unit 10'to execute the same processing as in the first embodiment, processes the preprocessed teacher data as a character string list of the reference source, and processes the kth-order experience information amount as the experience information. It is stored in the quantity storage unit 15. The k-order experience information amount is accumulated in the experience information amount storage unit 15 for each malware type.

[Processing of inference part]
Next, the processing of the inference unit 312 will be described. The inference unit 312 performs preprocessing on the communication log, which is the detection target data, in the same manner as the learning unit 311.

Subsequently, the inference unit 312 causes the distance measurement unit 10'to execute the same processing as in the first embodiment, and detects the detection target based on the amount of experience information for each malware type accumulated in the experience information amount storage unit 15. The malware distance between the communication log, which is data, and the malicious communication log of each malware type is calculated for each malware type. The inference unit 312 outputs the measured malware distance to the determination device 320.

[Processing of judgment device]
The determination device 320 determines the malware type corresponding to the distance with the shortest malware distance output from the malware type distance measuring device 210 as the malware for malicious communication in the communication log to be detected. The determination device 320 outputs the determination result to the coping device or the like. As a determination result, the determination device 320 may output the distance together with the malware type name, or may output a plurality of malware type names in order of proximity or within a specific distance.

[Processing procedure of learning process]
Next, the processing procedure of the learning process in the malware type distance measuring device 310 will be described. FIG. 8 is a flowchart showing a processing procedure of the learning process in the malware type distance measuring device 310 shown in FIG. 7.

In the malware type distance measuring device 310, first, the learning unit 311 performs preprocessing such as deletion of unnecessary character strings and unification of log formats for each teacher data that has received input (step S31). Then, the learning unit 311 causes the distance measurement unit 10'to calculate the amount of experience information for the teacher data for each malware type, and stores the amount of experience information for each type of malware in the experience information amount storage unit 15. Process (step S32).

[Processing procedure for inference processing]
Next, the processing procedure of the inference processing in the malware type distance measuring device 310 will be described. FIG. 9 is a flowchart showing a processing procedure of inference logic in the malware type distance measuring device 310 shown in FIG. 7.

In the inference process, the inference unit 312 performs preprocessing such as deletion of unnecessary character strings, formatting, and division of the communication log which is the data to be detected (step S33). Subsequently, the inference unit 312 causes the distance measurement unit 10'to measure the malware distance between the communication log, which is the detection target data, and the malignant communication log of each malware type learned as the teacher data for each malware. (Step S34), and the measured malware distance is output to the determination device 320.

[Judgment processing procedure]
Next, the processing procedure of the determination process in the determination device 320 will be described. FIG. 10 is a flowchart showing a processing procedure of the detection process in the determination device 320 shown in FIG.

As shown in FIG. 10, first, the determination device 320 receives the input of the malware distance by the malware type distance measuring device 310 (step S35). Then, the determination device 320 determines the malware type corresponding to the distance with the shortest malware distance output from the malware type distance measuring device 310 as the malware of the malicious communication of the communication log to be detected. Perform (step S36), and output the determination result to the coping device or the like.

[Effect of Embodiment 3]
Most malware often communicates multiple times. Therefore, as described in the third embodiment, it is possible to improve the determination accuracy of the malware type determination by the efficient comparison processing of the multiple times communication. Further, according to the third embodiment, it is possible to determine and output similar communication even if the communication is unknown malware, and it is also possible to carry out analysis and countermeasures as a variant malware thereof. It will be possible.

[Embodiment 4]
Next, the fourth embodiment will be described. In the fourth embodiment, the distance measuring unit 10'according to the first embodiment is used to measure the distance between the malicious communication logs for each malware type, and the malware-related is based on the distance between the malicious communication logs for each malware type. A device for generating a map or a related graph (phylogenetic tree) will be described.

[Configuration of creation device]
FIG. 11 is a diagram showing an example of the configuration of the creating device according to the fourth embodiment. As shown in FIG. 11, the creation device 410 according to the fourth embodiment has an inter-malware distance measurement unit 411, a creation unit 412, and a distance measurement unit 10'.

The inter-malware distance measuring unit 411 causes the distance measuring unit 10'to measure the distance between the malicious communication logs for each malware type, and measures the distance between the malware, which is the distance between the measured communication logs for each malware type. It is stored in the distance storage unit 415. Further, the inter-malware distance measuring unit 411 performs preprocessing such as deleting unnecessary character strings and formatting the malicious communication log for each malware type, as in the second and third embodiments, and then communicates for each type. Measure the distance between logs.

The creation unit 412 creates a related map and a related graph using the inter-malware distance stored in the inter-malware distance storage unit 415. The creation unit 412 uses the distance between malware to create a malware-related map that maps the relationship between malware, or a related graph that associates malware.

Here, regarding the amount of k-th experience KL information, generally KL _k (P | Q) ≠ KL _k (Q | P), and two values appear as the distance between malware. For this reason, the creation unit 412 performs various processes such as an average, a minimum value, or a maximum value on the k-th experience KL information amount, and then uses it as the distance between malware. Alternatively, since the k-th experience JS information amount is JS _k (P | Q) = JS _k (Q | P), the creation unit 412 may use this k-th experience JS information amount as the distance between malware. ..

Here, methods such as multidimensional scaling (MDS) and isomap are known as methods using distance for creating related maps. Therefore, the creation unit 412 creates a related map by using a method such as MDS or isomap. In addition, the creation unit 412 creates a relational graph by using a hierarchical clustering method in which the relational graphs are associated with each other in order from the one having the closest distance.

[Processing procedure of creation process]
Next, the processing procedure of the creation process executed by the creation device 410 will be described. FIG. 12 is a flowchart showing a processing procedure of the creation process executed by the creation device 410 shown in FIG.

As shown in FIG. 12, in the creation device 10, the inter-malware distance measurement unit 411 performs preprocessing such as deletion of unnecessary character strings and format shaping for each communication log (step S51). Subsequently, the inter-malware distance measurement unit 411 performs a distance measurement process for causing the distance measurement unit 10'to measure the distance between the malicious communication logs for each malware type (step S52). The inter-malware distance measurement unit 411 stores the inter-malware distance, which is the distance between the measured communication logs for each malware type, in the inter-malware distance storage unit 415.

The creation unit 412 performs a creation process of creating a malware-related map and a relation graph using the malware-to-malware distance stored in the malware-to-malware distance storage unit 415 (step S53). The creation unit 412 outputs the created malware-related map and related graph to the coping device.

[Effect of Embodiment 4]
Malware is rarely created completely new, and is mostly created by modifying existing malware and malware creation tools, and communication patterns are often similar to those of existing ones. Therefore, in the fourth embodiment, by generating a related map and a related graph of malware based on communication, it is possible to contribute to anti-malware measures such as estimating the malware creation system.

[System configuration, etc.]
Each component of each of the illustrated devices is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or part of the device is functionally or physically distributed in arbitrary units according to various loads and usage conditions. It can be integrated and configured. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

Further, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed. It is also possible to automatically perform all or part of the above by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above document and drawings can be arbitrarily changed unless otherwise specified.

[program]
FIG. 13 is a diagram showing an example of a computer in which a distance measuring device 10, a malignant distance measuring device 210, a malware type distance measuring device 310, and a creating device 410 are realized by executing a program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of these parts is connected by a bus 1080.

Memory 1010 includes ROM 1011 and RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, the display 1130.

The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the distance measuring device 10, the malignant distance measuring device 210, the malware type distance measuring device 310, and the creating device 410 is implemented as a program module 1093 in which a code that can be executed by a computer is described. The program module 1093 is stored in, for example, the hard disk drive 1090. For example, a program module 1093 for executing a process similar to the functional configuration in the distance measuring device 10, the malignant distance measuring device 210, the malware type distance measuring device 310, and the creating device 410 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

Further, the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, a memory 1010 or a hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 as needed, and executes the program.

The program module 1093 and the program data 1094 are not limited to those stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

Although the embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and the drawings which form a part of the disclosure of the present invention according to the present embodiment. That is, all other embodiments, examples, operational techniques, and the like made by those skilled in the art based on the present embodiment are included in the scope of the present invention.

10 Distance measuring device 11 Conversion unit 12 Appearance number calculation unit 13 Experience information amount calculation unit 14 Distance calculation unit 15 Experience information amount storage unit 201,301 Communication system 210 Malignant distance measurement device 211,311 Learning unit 212,312 Reasoning unit 220 Detection Device 310 Maltese type distance measurement device 320 Judgment device 410 Creation device 411 Inter-malware distance measurement unit 412 Creation unit

Claims (8)

For the data string or data column list to be measured and the data string or data string list of the reference source, enter k (k is an arbitrary natural number) unused character codes as the partitioned data string to enter the data string or data string. A conversion unit that converts a data string list into one data string,
The first appearance rate, which is the appearance rate of the combined partial data string obtained by combining the k-length partial data string and the character appearing immediately before the partial data string in the data string to be measured converted by the conversion unit, and the conversion. The sum of the multiplication values of the amount of empirical information, which is the logarithm of the second appearance rate, which is the appearance rate of characters that are known to be the k-length partial data string immediately after the data string of the reference source converted by the part. A distance calculation unit that calculates the k-th-order empirical intersection entropy as the distance between the data string or data string list to be measured and the data string or data string list of the reference source.
A distance measuring device characterized by having. The distance measuring device according to claim 1, wherein the distance calculating unit calculates the k-th empirical cross entropy using the following equation (1).

When the combined sub data string is not included in the reference source data string converted by the conversion unit, the distance calculation unit transfers the order k into the reference source data string converted by the conversion unit. The distance measuring device according to claim 1 or 2, wherein the partial data string is lowered to the order in which it appears. When the input is a data string, the conversion unit adds the division data string to the beginning and the end, and when the input is a data string list, the division data string is added to the beginning and the end. The distance measuring device according to any one of claims 1 to 3, wherein a divided data string is sandwiched between lists and connected as one data string. A malignant distance measuring device that measures the distance between the communication log to be detected and the malignant communication log, and a detection device that detects that the communication log contains malignant communication based on the distance measured by the malignant distance measuring device. It is a communication system that has
The malignant distance measuring device
For the data string or data column list to be measured and the data string or data string list of the reference source, enter k (k is an arbitrary natural number) unused character codes as the partitioned data string to enter the data string or data string. A conversion unit that converts a data string list into one data string,
The first appearance rate, which is the appearance rate of the combined partial data string obtained by combining the k-length partial data string and the character appearing immediately before the partial data string in the data string to be measured converted by the conversion unit, and the conversion. The sum of the multiplication values of the amount of empirical information, which is the logarithm of the second appearance rate, which is the appearance rate of characters that are known to be the k-length partial data string immediately after the data string of the reference source converted by the part. In the distance calculation unit and the distance measurement unit, which calculates the k-th empirical intersection entropy as the distance between the data string or data string list to be measured and the data string or data string list of the reference source. , A learning unit that learns the malignant communication log and the benign communication log as teacher data, and accumulates the amount of experience information of the benign communication log and the malignant communication log as the amount of experience information of the data string or data string list of the reference source.
An inference unit that causes the distance measurement unit to calculate the distance between the communication log to be detected and the malignant communication log that is the teacher data based on the amount of experience information of the benign communication log and the malignant communication log.
Have,
The detection device is a communication system characterized in that when the distance between the communication log to be detected and the malicious communication log is less than or equal to a predetermined distance, the detection device detects that the communication log to be detected includes malicious communication. .. A malware type distance measuring device that measures the distance between the communication log to be detected and the malignant communication log, and a determination device that determines the malware that causes the malignant communication contained in the communication log based on the distance measured by the distance measuring device. , Which is a communication system having
The malware type distance measuring device is
For the data string or data column list to be measured and the data string or data string list of the reference source, enter k (k is an arbitrary natural number) unused character codes as the partitioned data string to enter the data string or data string. A conversion unit that converts a data string list into one data string,
The first appearance rate, which is the appearance rate of the combined partial data string obtained by combining the k-length partial data string and the character appearing immediately before the partial data string in the data string to be measured converted by the conversion unit, and the conversion. The sum of the multiplication values of the amount of experience information, which is the logarithm of the second appearance rate, which is the appearance rate of characters that are known to be the k-length partial data string immediately after the data string of the reference source converted by the part. A distance calculation unit that calculates the k-th-order empirical intersection entropy as the distance between the data string or data string list to be measured and the data string or data string list of the reference source.
The distance measuring unit is made to learn the malignant communication log sorted for each malware type as teacher data, and the amount of experience information obtained for each type of malware is used as the amount of experience information in the data string or data string list of the reference source. Learning department to accumulate and
An inference unit that causes the distance measurement unit to calculate the distance between the communication log to be detected and the malicious communication log of each malware type for each malware type based on the amount of experience information for each malware type.
Have,
The determination device is a communication system characterized in that the malware type corresponding to the distance inferred by the inference unit with the shortest distance is determined as the malware causing the malicious communication included in the communication log to be detected. For the data string or data column list to be measured and the data string or data string list of the reference source, enter k (k is an arbitrary natural number) unused character codes as the partitioned data string to enter the data string or data string. A conversion unit that converts a data string list into a single data string, and a conversion unit that converts malicious communication logs for each type of malware.
The first appearance rate, which is the appearance rate of the combined partial data string obtained by combining the k-length partial data string and the character appearing immediately before the partial data string in the data string to be measured converted by the conversion unit, and the conversion. The sum of the multiplication values of the amount of empirical information, which is the logarithm of the second appearance rate, which is the appearance rate of characters that are known to be the k-length partial data string immediately after the data string of the reference source converted by the part. It is a distance calculation unit that calculates the k-th-order experience crossing entropy as the distance between the data string or data string list to be measured and the data string or data string list of the reference source, and is for each malware type. Distance calculation unit that calculates the distance between malicious communication logs of
A malware-related map that maps the relationship between malware using the distance between malicious communication logs for each type of malware, or a creator that creates a related graph that associates malware.
A production device characterized by having. A distance measuring program for operating a computer as a distance measuring device according to any one of claims 1 to 4.

Images