JP6787861B2 - Sorting device - Google Patents

Description

The present invention relates to a classification device.

In recent years, cyber attacks have become more sophisticated, and it has become difficult to completely prevent malware infection only by taking proactive measures such as antivirus software. Therefore, the importance of a method of analyzing communication logs of network devices, detecting malware infection at an early stage, and blocking communication is increasing.

Specifically, many security vendors provide a service called MSS (Managed Security Service) that monitors / analyzes communication logs and provides incident information to customers. MSS operators have specialized operators and analysts stationed in an organization called SOC (Security Operation Center) to monitor / analyze customer logs.

At that time, it is difficult from the viewpoint of cost to manually analyze all the logs in the customer's network. Therefore, "communication logs suspected of being infected with malware" and "normal communication logs" are mechanically classified by a classifier in advance, and analysts analyze only communication logs suspected of being infected with malware. Since the ability to detect new types of malware is the source of MSS's competitiveness, classifier classification can reduce false positives in communication logs suspected of being infected with malware and not miss new types of malware. is important.

Traditionally, such classifiers have been manually created by operators and analysts using a variety of information sources and operated by adding and updating mainly malware-related signatures and whitelist signatures. It is a burden for operators and analysts to add signatures each time a new type of malware appears.

Therefore, a technique for creating a classifier using machine learning is drawing attention. Many of the new types of malware that are created in large numbers every day are not completely new, if the source code is reused and only partially modified, or if it is a variant created by repackaging. There are many. Therefore, the overall characteristics themselves are not much different from known malware, and communication patterns are often similar. Therefore, it is possible to detect a new type of malware by applying machine learning to the communication log, analyzing it, and capturing communication characteristics similar to known malware (see Non-Patent Documents 1 to 4).

Jastin Ma et al., “Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs”, KDD'09, 2009 Sho Mizuno, 3 others, "Method of discriminating communications generated by malware-infected hosts", Institute of Electronics, Information and Communication Engineers, 2016, ICSS2015-66, pp.117-122 Florian Tegeler et al., “BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection”, The 8th ACM International Conference on emerging Networking Experiments and Technologies (CoNEXT 2012), Association for Computing Machinery, 2012, pp.349-360 Leyla Bilge et al., “Disclosure: Detection Botnet Command and Control Servers Through Large-Scale NetFlow Analysis”, The 28th Annual Computer Security Applications Conference (ACSAC’12), Association for Computing Machinery, 2012, pp.129-138

However, with conventional technology, it has been difficult to create a highly accurate classifier to detect new types of malware. For example, a classifier created by unsupervised learning (see Non-Patent Document 3) generally has a problem of low accuracy.

Further, when a classifier is created by supervised learning (see Non-Patent Documents 1, 2 and 4), there is a problem that it is difficult to label learning data. Specifically, as the malware evolves, it is necessary to periodically update the communication log with a label indicating the correct answer as learning data to update the classifier. Therefore, in order to create a classifier using machine learning, experts such as SOC analysts analyze the communication log, and it is infected with benign log, which is a communication log issued by a terminal that performs normal communication, or malware. It is necessary to distinguish whether it is a malicious log, which is a communication log issued by the terminal, and manually assign a label. However, at present, due to the burden of labor costs and operating costs for analysis, it is generally the mainstream to create a classifier by manually updating the signature without using machine learning.

Further, in many cases, a communication log including detailed information such as a proxy log is used for the detailed analysis required for giving a label (see Non-Patent Documents 1 and 2). However, it is difficult to obtain a communication log containing detailed information from various communication environments on a global scale in which malware is active because the amount of information is large and it is necessary to install a compatible device. On the other hand, communication logs with a small amount of information such as xFlow (see Non-Patent Documents 3 and 4) can be obtained from various communication environments on a global scale, but since the amount of information is small, labels are given using only those logs. It's difficult to do.

The present invention has been made in view of the above, and an object of the present invention is to create a highly accurate classifier to detect a new type of malware while reducing the labor of labeling.

In order to solve the above-mentioned problems and achieve the object, the classification device according to the present invention emits a benign communication log indicating that it is a communication log emitted by a terminal performing normal communication, and a terminal infected with malware. Integration that integrates all communication logs by converting the format of a malicious communication log indicating that it is a communication log and a communication log that is neither benign nor malignant into a format that includes all items included in all communication logs. Unknown using the unit, a creation unit that creates a classifier that classifies communication logs into either benign or malignant by learning using the integrated all communication logs, and the created classifier. It is characterized by including a classification unit for classifying the communication log of the above into either benign or malignant.

According to the present invention, it is possible to create a highly accurate classifier to detect a new type of malware while reducing the labor of labeling.

FIG. 1 is a schematic diagram illustrating a schematic configuration of a classification device according to the present embodiment. FIG. 2 is a diagram illustrating a data structure of learning data. FIG. 3 is a diagram illustrating a data structure of learning data. FIG. 4 is a diagram illustrating integrated learning data. FIG. 5 is an explanatory diagram for explaining the processing of the conversion unit. FIG. 6 is an explanatory diagram for explaining the processing of the conversion unit. FIG. 7 is an explanatory diagram for explaining the processing of the conversion unit. FIG. 8 is a flowchart showing the creation processing procedure. FIG. 9 is a flowchart showing the determination processing procedure. FIG. 10 is an explanatory diagram for explaining the effect of the classification process by the classification device. FIG. 11 is a diagram showing an example of a computer that executes a classification program.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment. Further, in the description of the drawings, the same parts are indicated by the same reference numerals.

[Structure of classification device]
FIG. 1 is a schematic diagram illustrating a schematic configuration of a classification device. As illustrated in FIG. 1, the classification device 10 is realized by a general-purpose computer such as a personal computer, and includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.

The input unit 11 is realized by using an input device such as a keyboard or a mouse, and inputs various instruction information such as processing start to the control unit 15 in response to an input operation by the operator. The output unit 12 is realized by a display device such as a liquid crystal display, a printing device such as a printer, or the like. The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and communicates between the control unit 15 and an external device such as a network device or a management server via a telecommunication line such as a LAN (Local Area Network) or the Internet. To control.

The storage unit 14 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disk, and is a classifier 14a or the like created by a classification process described later. It will be remembered. The storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13.

The control unit 15 is realized by using a CPU (Central Processing Unit) or the like, and executes a processing program stored in a memory. As a result, as illustrated in FIG. 1, the control unit 15 functions as a learning data acquisition unit 15a, an integration unit 15b, a conversion unit 15c, a creation unit 15d, a test data acquisition unit 15e, a conversion unit 15f, and a classification unit 15g. ..

It should be noted that these functional parts may be implemented in different hardware, respectively or in part. For example, the classification device 10 is a creation device equipped with a learning data acquisition unit 15a, an integration unit 15b, a conversion unit 15c, and a creation unit 15d, and a determination device equipped with a test data acquisition unit 15e, a conversion unit 15f, and a classification unit 15g. It may be separated into and.

The learning data acquisition unit 15a acquires learning data used for learning the classifier 14a, which will be described later, from a network device such as a Proxy server, a management server, or the like. Here, the learning data includes benign behavior data, malignant behavior data, and undetermined data. The benign behavior data means a benign communication log, that is, a communication log generated by a terminal that performs normal communication. The malicious behavior data means a malicious communication log, that is, a communication log generated by a terminal infected with malware. The undetermined data means a communication log that is neither benign behavior data nor malignant behavior data, and is neither benign nor malignant.

The method of acquiring benign behavior data / malignant behavior data / data without judgment is not particularly limited. For example, benign behavior data can be obtained from terminals in the real network that are clearly not infected with malware. In addition, malignant behavior data can be obtained by dynamic analysis in which a known malware sample is operated in a virtual environment. Alternatively, malignant behavior data can be obtained by utilizing a known blacklist.

Further, as the data without judgment, a log of a real network in which both benign behavior data and malignant behavior data may be mixed may be used. In order to be able to detect a new type of malware, it is desirable that the undetermined data includes a communication log that may contain the new type of malware or a communication log that has similarities to the new type of malware. However, a log in which both are not mixed may be used.

Further, as the communication log, for example, communication logs of various formats such as Proxy log, xFlow, and Firewall log are used. Here, the Proxy log is a communication log acquired from the Proxy server, and includes information such as a source IP address, an HTTP method, a URL, and a User Agent.

Further, xFlow (NetFlow) is network flow information. xFlowow is supported by network equipment from many vendors as an industry flow measurement standard. xFlow includes a source IP address, a destination IP address, a source port number, a destination port number, a protocol, and the like. Since xFlow has a smaller amount of information than Proxy logs and the like, it can be obtained from a large-scale network equivalent to ISP, but detailed analysis cannot be performed.

The Firewall log is a communication log acquired from the Firewall, and includes information such as a source IP address, a destination IP address, a source port number, a destination port number, a protocol, a date and time, and a packet size.

Each or part of the benign behavior data, the malignant behavior data, and the undetermined data may be communication logs in different formats. In order to obtain a classifier suitable for various environments while reducing the labor of labeling, for example, communication logs such as Proxy logs containing detailed information are used for benign behavior data and malignant behavior data, and no judgment is made. It is desirable to use a communication log such as xFlow which is not labeled but contains wide area information for the data. The benign behavior data, the malignant behavior data, and the undetermined data may all be communication logs containing detailed information such as a proxy log in the same format. In this embodiment, a Proxy log is used as benign behavior data and malignant behavior data, and xFlow is used as non-judgment data.

2 and 3 are diagrams illustrating the data structure of the learning data. FIG. 2 illustrates benign behavior data or malignant behavior data using Proxy logs. FIG. 2 exemplifies three benign behavior data of Log1 to Log3 and one malignant behavior data of Log4. Further, in the learning data shown in FIG. 2, a label indicating benign or malignant is given to the acquired Proxy log. For example, the malignant behavior data of Log4 is given a "malignant" label, the source IP address is "30.30.30.30", the HTTP method is "GET", and the URL is "http://malware.co. It is shown that jp / ”and the HTTP User Agent are“ <well known> ”.

Further, FIG. 3 illustrates undetermined data using xFlow. In FIG. 3, for example, in the data without determination of LogA, the source IP address is “20.20.20.20”, the destination IP address is “4.4.4.4”, and the destination port number is “80”. , The protocol is "TCP", etc.

The integration unit 15b includes a benign communication log indicating that the communication log is issued by a terminal that performs normal communication, a malicious communication log indicating that the communication log is issued by a terminal infected with malware, and a benign or malignant communication log. Convert the format with the communication log that is neither of them to the format that includes all the items included in all communication logs, and integrate all communication logs. Specifically, the integration unit 15b unifies the format of all learning data by combining the items included in the benign behavior data, the malignant behavior data, and the non-judgment data, and is used for all learning. Integrate data.

FIG. 4 is a diagram illustrating integrated learning data. As shown in FIG. 4, the integration unit 15b combines all the items included in the benign behavior data, the malignant behavior data, and the undetermined data. In the example shown in FIG. 4, items that do not include a value corresponding to each data are indicated by "-". For example, LogA is undetermined data using xFlow, and since there are no values corresponding to URL, HTTP Method, HTTP User Agent, HTTP Status Code, and label, the value of each item is indicated by "-". There is.

Returning to the description of FIG. The conversion unit 15c extracts the feature amount of the integrated learning data and converts it into a feature vector in preparation for using the integrated learning data for the processing of the creation unit 15d described later. First, the conversion unit 15c extracts a feature amount, which is a combination of learning points of view, from the integrated learning data. The method for extracting the feature amount is not particularly limited. It may be done manually, or a method of automatically extracting features and performing machine learning such as deep learning may be applied.

Here, machine learning is to learn the pattern of the extracted features and create a model for classifying the target. In the classification device 10 of the present embodiment, in order to classify benign / malignant, for example, the host name of the URL, the destination port number, the length of the path, whether the domain name is an IP address, the Country Code, the communication time interval, etc. Is extracted as a feature quantity.

Next, the conversion unit 15c converts the extracted feature amount into a feature vector. Specifically, the conversion unit 15c converts the feature quantity into a feature vector by using a method such as Bag-of-Words or N-gram. In the present embodiment, the conversion unit 15c uses the Bag-of-Words method to consider all the patterns existing in each feature amount as one element, and 0 / whether or not each element appears in the communication log. By representing by 1, the feature quantity is converted into a feature vector.

Here, FIGS. 5 to 7 are explanatory views for explaining the processing of the conversion unit 15c. FIG. 5 illustrates the features extracted from the learning data illustrated in FIG. In the example shown in FIG. 5, the source IP address, the destination IP address, the destination port number, the domain name, the number of numbers in the domain name, and the like are extracted as feature quantities.

Further, FIG. 6 illustrates each element of the feature vector converted from the feature quantity. In the example shown in FIG. 6, among the feature quantities illustrated in FIG. 5, for example, for the destination IP address, each of the six existing patterns "1.1.1.1" to "6.6.6.6". Is regarded as one element of the feature vector. Then, the case where each element appears in each communication log is represented by 1, and the case where each element does not appear is represented by 0. Similarly, each of the three patterns "80", "2323", and "8080" in which the destination port number exists is regarded as one element of the feature vector, the element appearing in each communication log is 1, and the case where it does not appear is 0. It is represented by. In this way, the conversion unit 15c sets the feature amount for which there is no corresponding data to 0. As a result, the feature amount for which there is no corresponding data does not affect the classification performed by weighting the feature amount and its combination.

In addition, the conversion unit 15c converts a label indicating benign or malignant of the learning data into a numerical label. For example, the label indicating benign is 0, the label indicating malignant is 1, and the label is quantified. FIG. 7 illustrates a feature vector converted from a feature quantity and a numerical label converted from a label. In FIG. 7, for example, with respect to the feature vector of Log1, 1 is assigned to the element whose destination IP address corresponds to “1.1.1.1”. Further, in this Log1, the label is set to 0 indicating benignity. In FIG. 7, the label of the undetermined data to which the label is not attached is represented by “−”.

Returning to the description of FIG. The creation unit 15d creates a classifier 14a that classifies the communication log into either benign or malignant by performing learning using the integrated all communication logs. Specifically, the creation unit 15d classifies the communication log with either a label indicating benign or a label indicating malignant, and a communication log without a label. Learn to label with the vessel 14a.

That is, the creation unit 15d performs semi-supervised learning using the feature vector and the numerical label converted by the conversion unit 15c, and creates a model showing the degree of benign or malignantness of the communication log as the classifier 14a. Further, the creating unit 15d stores the created classifier 14a in the storage unit 14.

Here, the algorithm for semi-supervised learning is not particularly limited. For example, TSVM (Transductive Support Vector Machine), semi-teacher Logistic Regression, Label Promotion, semi-teacher GMM (Gaussian Mixture Model), Self-training and the like are applied.

Similar to the learning data acquisition unit 15a, the test data acquisition unit 15e acquires test data to be processed by the classification unit 15g, which will be described later, from a network device such as a Proxy server, a management server, or the like. For the test data, use the communication log for which you want to determine whether it is a benign communication log or a malicious communication log. As the communication log used here, a communication log having the same format as the benign behavior data, the malignant behavior data, and the undetermined data may be used, or a communication log having a different format may be used. It is also possible to use the same communication log as the data without judgment as the test data. Further, the test data acquisition unit 15e may be the same functional unit as the learning data acquisition unit 15a.

Similar to the conversion unit 15c described above, the conversion unit 15f extracts the feature amount of the test data and converts it into a feature vector in preparation for use in the processing of the classification unit 15g described later. The conversion unit 15f may be the same functional unit as the conversion unit 15c.

The classification unit 15g classifies the unknown communication log into either benign or malignant using the created classifier 14a. Specifically, when the classification unit 15g substitutes the feature vector converted by the conversion unit 15f into the classifier 14a and the score indicating the degree of benign or malignancy of the communication log output by the classifier 14a is higher than a predetermined threshold value. In addition, it is judged to be benign or malignant.

[Classification process]
Next, the classification process by the classification device 10 according to the present embodiment will be described with reference to FIGS. 8 and 9. The classification process includes a creation process and a determination process. FIG. 8 is a flowchart showing the creation processing procedure. The flowchart of FIG. 8 is started, for example, at the timing when there is an operation input instructing the start of the creation process.

First, the learning data acquisition unit 15a receives the input of the learning data via the input unit 11 or the communication control unit 13 (step S1). Next, the integration unit 15b unifies the format of all the data and integrates the data by combining the items of the benign behavior data, the malignant behavior data, and the non-judgment data, which are the input training data. (Step S2).

Next, the conversion unit 15c extracts the feature amount of the learning data whose format is integrated (step S3). Further, the conversion unit 15c converts the extracted feature amount into a feature vector (step S4).

Further, the creation unit 15d performs learning using the feature vector converted by the conversion unit 15c, and creates a model showing the degree of benign or malignantness of the communication log as the classifier 14a (step S5). As a result, a series of creation processes is completed.

FIG. 9 is a flowchart showing the determination processing procedure. The flowchart of FIG. 9 is started, for example, at the timing when there is an operation input instructing the start of the determination process.

First, the test data acquisition unit 15e receives the input of the test data to be processed via the input unit 11 or the communication control unit 13 (step S11). Next, the conversion unit 15f extracts the feature amount of the test data (step S12). Further, the conversion unit 15f converts the extracted feature amount into a feature vector (step S13).

Next, the classification unit 15g substitutes the feature vector converted by the conversion unit 15f into the classifier 14a (step S14). The classifier 14a calculates and outputs a score indicating the degree of benign or malignantness of the communication log (step S15). Then, when the score output by the classifier 14a is higher than the predetermined threshold value, the classification unit 15g determines that it is benign or malignant (step S16). As a result, a series of determination processes is completed.

As described above, in the classification device 10 of the present embodiment, the integrated unit 15b has a benign communication log indicating that it is a communication log issued by a terminal performing normal communication, and a communication emitted by a terminal infected with malware. The format of the malicious communication log indicating that it is a log and the communication log that is neither benign nor malicious is converted into a format that includes all items included in all communication logs, and all communication logs are integrated. In addition, the creation unit 15d learns using the integrated benign communication log, the malignant communication log, and the non-nign communication log, and classifies the communication log into either benign or malignant classifier 14a. create. In addition, the classification unit 15g classifies the unknown communication log into either benign or malignant using the created classifier 14a.

As a result, the classification device 10 can create the classifier 14a by using the data without determination as the learning data in addition to the known benign behavior data and malignant behavior data. Conventionally, in order to create a highly accurate classifier, it has been necessary to prepare a large amount of labeled communication logs and update the classifier. On the other hand, according to the classification device 10 of the present embodiment, as communication logs used for updating the classifier, a communication log with a small amount of labels (beneficial behavior data and malignant behavior data) and a large amount of labels are added. Since it is possible to train at the same time using the communication log (data without judgment) that has not been performed, it is possible to easily prepare the training data and create a highly accurate classifier 14a while reducing the trouble of labeling. It becomes.

Here, FIG. 10 is an explanatory diagram for explaining the effect of the classification process by the classification device 10. As shown in FIG. 10A, when benign behavior data and malignant behavior data are used as training data and no judgment data is used, benign behavior data or malignant behavior data is considered benign in a sparse region. It is difficult to estimate the threshold that is the boundary with malignancy. Therefore, it is difficult to judge whether the test data to be classified is benign / malignant.

On the other hand, in the classification device 10 of the present embodiment, in addition to the benign behavior data and the malignant behavior data, the data without determination is used as the learning data. As a result, as shown in FIG. 10B, in a region where the benign behavior data or the malignant behavior data is sparse, information on features such as data distribution can be obtained from the undetermined data. Therefore, the accuracy of classification can be improved.

The test data to be classified may be used as learning data. In this case, as shown in FIG. 10 (c), by treating the test data as the undetermined data shown in FIG. 10 (b), the distribution of the data in the region where the benign behavior data or the malignant behavior data is sparse. Information on such features can be obtained from the test data.

Further, the classification device 10 of the present embodiment can learn by using the communication log of a different format as the learning data regardless of the format of the communication log. The installation status of network devices differs depending on the network environment, and the format of communication logs that can be acquired from the actual network varies. Since the information contained in the communication logs of each format is different, it is necessary to correlate the communication logs of multiple formats from various aspects in order to find traces of cyber attacks. In conventional machine learning, a classifier could not be created unless the learning data formats were the same. On the other hand, the classification device 10 of the present embodiment can create a classifier using communication logs of different formats.

In this way, the classification device 10 can obtain information related to a new type of malware that could not be obtained only from the labeled communication log from the unlabeled communication log. Therefore, it is possible to perform classification processing corresponding to a new type of malware.

Further, since the communication log without a label can be used as the newly added learning data, it is possible to save the trouble of analyzing and assigning a label by an expert such as an SOC analyst. Therefore, the load on updating the classifier 14a can be reduced.

Therefore, according to the classification device 10 of the present embodiment, the burden of labeling the learning data is reduced, and a communication log having a different format is used as the learning data to create a highly accurate classifier to create a new type of malware. Can be detected.

[program]
It is also possible to create a program in which the processing executed by the classification device 10 according to the above embodiment is described in a language that can be executed by a computer. In one embodiment, the classification device 10 can be implemented by installing a classification program that executes the above classification process as package software or online software on a desired computer. For example, by causing the information processing device to execute the above classification program, the information processing device can function as the classification device 10. The information processing device referred to here includes a desktop type or notebook type personal computer. In addition, the information processing device includes smartphones, mobile communication terminals such as mobile phones and PHS (Personal Handyphone System), and slate terminals such as PDAs (Personal Digital Assistants).

Further, the classification device 10 can be implemented as a server device in which the terminal device used by the user is a client and the service related to the above classification process is provided to the client. For example, the classification device 10 is implemented as a server device that provides a classification processing service that inputs learning data and unknown data and outputs a benign / malignant determination result of the unknown data. In this case, the classification device 10 may be implemented as a Web server, or may be implemented as a cloud that provides services related to the above classification processing by outsourcing. An example of a computer that executes a classification program that realizes the same functions as the classification device 10 will be described below.

FIG. 11 is a diagram showing an example of a computer that executes a classification program. The computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of these parts is connected by a bus 1080.

The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

Here, the hard disk drive 1031 stores, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094. Various information tables such as the classifier 14a described in the above embodiment are stored in, for example, the hard disk drive 1031 or the memory 1010.

Further, the classification program is stored in the hard disk drive 1031 as, for example, a program module 1093 in which a command executed by the computer 1000 is described. Specifically, the program module 1093 in which each process executed by the classification device 10 described in the above embodiment is described is stored in the hard disk drive 1031.

Further, the data used for information processing by the classification program is stored as program data 1094 in, for example, the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 into the RAM 1012 as needed, and executes each of the above-described procedures.

The program module 1093 and program data 1094 related to the classification program are not limited to the case where they are stored in the hard disk drive 1031. For example, they are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. May be done. Alternatively, the program module 1093 and the program data 1094 related to the classification program are stored in another computer connected via a network such as a LAN or WAN (Wide Area Network), and read by the CPU 1020 via the network interface 1070. You may.

Although the embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and the drawings which form a part of the disclosure of the present invention according to the present embodiment. That is, all other embodiments, examples, operational techniques, and the like made by those skilled in the art based on the present embodiment are included in the scope of the present invention.

10 Classification device 11 Input unit 12 Output unit 13 Communication control unit 14 Storage unit 14a Classifier 15 Control unit 15a Learning data acquisition unit 15b Integration unit 15c Conversion unit 15d Creation unit 15e Test data acquisition unit 15f Conversion unit 15g Classification unit

Claims (4)

A benign communication log indicating that the communication log is issued by a terminal that performs normal communication, a malicious communication log indicating that the communication log is issued by a terminal infected with malware, and a communication log that is neither benign nor malignant. The integrated part that integrates all communication logs by converting the format of and to a format that includes all items included in all communication logs,
With a conversion unit that converts the integrated feature quantity of all communication logs into a feature vector and converts the label indicating benign or the label indicating malignancy attached to the communication log into a numerical label. ,
Learning is performed using the feature vector, the communication log to which the numerical label is attached, and the communication log to which the numerical label is not attached, and a label for classifying the communication log as benign or malignant is given. And the creator that creates the classifier
A classifier that classifies unknown communication logs or communication logs that are neither benign nor malignant used by the creator into either benign or malignant using the created classifier.
A classification device characterized by comprising. The classification device according to claim 1, wherein the classification unit determines that the classifier is benign or malignant when the score indicating the degree of benign or malignant output is higher than a predetermined threshold value. The classification device according to claim 1, wherein each or a part of the benign communication log, the malicious communication log, and the non-nign communication log integrated by the integration unit are communication logs of different formats. The classification device according to claim 1, wherein the classification unit classifies each terminal that emits a communication log into either a normal terminal that performs normal communication or an infected terminal that is infected with malware.

Images