JP6845125B2 - Learning equipment, learning methods and learning programs - Google Patents

Description

The present invention relates to a learning device, a learning method and a learning program.

With the advent of the IoT (Internet of Things) era, various devices (IoT devices) are connected to the Internet and are used in various ways. Along with this, security measures for IoT devices such as traffic session abnormality detection systems and intrusion detection systems (IDS) for IoT devices are expected.

As such a technique, for example, there is a technique using a probability density estimator by unsupervised learning such as VAE (Variational Auto Encoder). In this technique, after learning the probability density of normal communication data, communication with a low probability density is detected as an abnormality. Therefore, in this technique, only normal communication data needs to be known, and abnormality detection is possible without learning all malicious data. Therefore, this technology is effective in detecting threats to IoT devices that are still in a transitional period and do not know all the threat information.

Diederik P. Kingma, Max Welling, "Auto-Encoding Variational Bayes", [Searched November 17, 2017], Internet <URL: https://arxiv.org/abs/1312.6114>

However, a probability density estimator such as VAE may not be able to learn accurately when the number of data is biased among the normal communication data to be learned.

In communication data, it often happens that the number of data is biased. For example, since HTTP (Hypertext Transfer Protocol) communication and the like are often used, a large amount of data is collected in a short time. On the other hand, in NTP (Network Time Protocol) communication, which rarely communicates, the number of data is not collected so much. If learning by VAE is performed in such a situation, learning of NTP communication with a small number of data does not proceed, and the probability of occurrence is underestimated, which may cause false detection of normal communication data.

The present invention has been made in view of the above, and a learning device, a learning method, and a learning device capable of accurately learning the probability density of communication data even when the number of data is biased among the communication data to be learned. The purpose is to provide a learning program.

In order to solve the above-mentioned problems and achieve the object, the learning device according to the present invention has a collecting unit that collects a plurality of normal communication data to be learned, and one or a plurality of destinations for the normal communication data. By duplicating the communication data of, the pre-processing unit that equalizes the number of communication data of each destination and the normal communication data processed by the pre-processing unit are learned, and the probability density of the normal communication data is estimated. It is characterized by having a learning unit that updates the parameters of a model representing the characteristics of the probability density of normal communication data.

According to the present invention, even when the number of data is biased among the communication data to be learned, the probability density of the communication data can be learned accurately.

FIG. 1 is a diagram showing an example of the configuration of the detection system according to the first embodiment. FIG. 2 is a diagram for explaining the processing content of the preprocessing unit shown in FIG. FIG. 3 is a flowchart showing a processing procedure of the learning process executed by the learning device shown in FIG. FIG. 4 is a diagram illustrating an application example of the detection system according to the first embodiment. FIG. 5 is a diagram showing a ROC (Receiver Operatorating Characteristic) curve for each detection target according to the learning state by the conventional method. FIG. 6 is a diagram showing ROC curves for each detection target when the model obtained by learning of the learning device shown in FIG. 1 is used. FIG. 7 is a diagram showing ROC curves for each detection target when the model obtained by the learning method according to the second embodiment is used. FIG. 8 is a diagram showing an example of a computer in which a learning device is realized by executing a program.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment. Further, in the description of the drawings, the same parts are indicated by the same reference numerals.

[Embodiment 1]
Embodiment 1 of the present invention will be described. FIG. 1 is a diagram showing an example of the configuration of the detection system according to the first embodiment.

As shown in FIG. 1, the detection system 1 according to the embodiment includes a learning device 10 and a detection device 20. The learning device 10 and the detection device 20 are connected via, for example, a network or the like. Further, the learning device 10 and the detection device 20 are connected to an external device via, for example, a network or the like.

The learning device 10 learns a plurality of normal communication data, estimates the probability density, updates the parameters of the model representing the characteristics of the probability density of the normal communication data, and updates the parameters (update parameters) of the updated model. Output to the detection device 20. The learning device 10 has, for example, a VAE as a probability density estimator. The learning device 10 performs preprocessing for aligning the number of communication data of each destination with respect to the communication data to be learned, and then performs learning to estimate the probability density.

The detection device 20 applies the parameters of the model updated by the learning device 10 to estimate the probability density of the communication data (detection target data) to be detected. The detection device 20 has, for example, a VAE as a probability density estimator. Subsequently, the detection device 20 detects the presence or absence of an abnormality in the detection target data based on the estimated probability density. Specifically, the detection device 20 detects that the communication data to be detected is abnormal when the estimated probability density is lower than a predetermined value. The detection device 20 outputs the detection result to an external coping device or the like.

In the detection device 20, for example, a predetermined program is read into a computer or the like including a ROM (Read Only Memory), a RAM (Random Access Memory), a CPU (Central Processing Unit), and the CPU executes the predetermined program. It is realized by doing. Further, the detection device 20 has a communication interface for transmitting and receiving various information with other devices connected via a network or the like. For example, the detection device 20 has a NIC (Network Interface Card) or the like, and communicates with other devices via a telecommunication line such as a LAN (Local Area Network) or the Internet.

[Configuration of learning device]
Next, the configuration of the learning device 10 will be described. As shown in FIG. 1, the learning device 10 has a collecting unit 11, a preprocessing unit 12, and a learning unit 13.

The learning device 10 is realized, for example, by reading a predetermined program into a computer or the like including a ROM, RAM, CPU, etc., and executing the predetermined program by the CPU. Further, the learning device 10 has a communication interface for transmitting and receiving various information with other devices connected via a network or the like. For example, the learning device 10 has a NIC or the like and communicates with another device via a telecommunication line such as a LAN or the Internet.

The collecting unit 11 collects a plurality of normal communication data (learning target data) to be learned. For example, the collecting unit 11 collects a normal traffic session to be learned via the network.

In this case, the number of data may be biased among the communication data collected by the collecting unit 11. Specifically, since communication is often used for HTTP communication, the collecting unit 11 can collect normal HTTP communication data. On the other hand, since the management FTP communication is used infrequently, the collecting unit 11 may be able to obtain only a small amount of normal FTP communication data. As described above, there may be a bias in the number of data among the data of the learning target data collected by the collecting unit 11. In the learning device 10, even if the number of data is biased, the preprocessing unit 12 (described later) can accurately detect an abnormality by performing preprocessing for aligning the number of communication data of each destination before learning. Get the model.

The pre-processing unit 12 performs pre-processing to equalize the number of communication data of each destination by duplicating the communication data of one or a plurality of destinations with respect to the normal communication data. In other words, the preprocessing unit 12 performs preprocessing for the learning target data so that the number of communication data of each destination is the same, and the communication data of the destination is duplicated for the destination with a small number of communication data. FIG. 2 is a diagram for explaining the processing content of the preprocessing unit 12 shown in FIG.

For example, a case where the learning target data is the data D1 shown in FIG. 2 will be described as an example. The data D1 has 1000 data HTTP communication (80 port), 500 data DNS (Domain Name System) communication (53 port), and 10000 data MQTT (Message Queueing Telemetry Transport) communication (1883 port). As for this data D1, MQTT communication has the largest number of data.

Therefore, the preprocessing unit 12 duplicates the number of data of HTTP communication and DNS communication other than MQTT communication so as to be the same as the number of data of MQTT communication. That is, the preprocessing unit 12 duplicates the HTTP communication and multiplyes it by 10 (see (1) in FIG. 2). Then, the preprocessing unit 12 duplicates the DNS communication and multiplyes it by 20 (see (2) in FIG. 2).

As a result, the preprocessing unit 12 obtains data D1'in which the number of data for HTTP communication and DNS communication is 10000, which is the same as the number of data for MQTT communication. The preprocessing unit 12 outputs the obtained data D1'as learning target data to the learning unit 13.

The learning unit 13 learns about the learning target data processed by the preprocessing unit 12, estimates the probability density of the learning target data, and updates the parameters of the model representing the characteristics of the probability density of the learning target data. For example, the learning unit 13 learns the data D1'input from the preprocessing unit 12 as the learning target data. The learning unit 13 has a VAE 131 as a probability density estimator. The VAE 131 is an arithmetic unit that outputs an estimated value of the probability density of this data when it receives an input of input data to be estimated.

Specifically, VAE131 accepts an input of a data point _{x i,} and outputs the anomaly score corresponding to the data (score) (degree of abnormality). Assuming that the estimated value of the probability density is p (x _i ), the anomaly score is an approximation of _{-logp (x i).} As described above, the higher the value of the anomaly score output by VAE131, the higher the degree of abnormality of this communication data.

The learning unit 13 has a VAE 131 that performs such an operation, learns a plurality of input learning target data, and outputs an anomaly score of each learning target data. Then, the learning unit 13 updates the model parameters of the VAE 131 according to the learning result. The model parameters updated by the learning unit 13 are output to the detection device 20.

[Processing procedure of learning process]
Next, the processing procedure of the learning process executed by the learning device 10 will be described. FIG. 3 is a flowchart showing a processing procedure of the learning process executed by the learning device 10 shown in FIG.

As shown in FIG. 3, in the learning device 10, the collecting unit 11 collects the learning target data (step S11), and outputs the collected learning target data to the preprocessing unit 12. The preprocessing unit 12 performs preprocessing for equalizing the number of communication data of each destination by duplicating the communication data of one or a plurality of destinations with respect to the normal communication data (step S12).

Then, the learning unit 13 learns the learning target data preprocessed by the preprocessing unit 12 using VAE131, estimates the probability density of the learning target data, and features the probability density of the learning target data. A learning process for updating the parameters of the model representing the above is performed (step S13). Subsequently, the learning unit 13 performs an output process of outputting the updated model parameters to the detection device 20 (step S14). The detection device 20 applies the parameters of the model updated by the learning device 10 to estimate the probability density of the detection target data, and detects the presence or absence of an abnormality in the detection target data based on the probability density.

[Example]
For example, the detection system 1 according to the first embodiment can be applied to the abnormality detection of the IoT device. FIG. 4 is a diagram illustrating an application example of the detection system 1 according to the first embodiment. As shown in FIG. 4, the detection system 1 is provided on the network 3 to which a plurality of IoT devices 2 are connected. In this case, the detection system 1 collects the traffic session information sent and received by the IoT device 2, learns the probability density of the normal traffic session, and detects the abnormal traffic session.

The above preprocessing is applied to the learning of the probability density of the normal traffic session, and the learning is performed accurately even when the number of data is biased between the traffic session data. Further, the above detection process is applied to detect an abnormal traffic session, probability density estimation is performed by applying the model parameters learned in the learning process, and highly accurate abnormality detection is performed.

[Evaluation experiment]
Next, the results of evaluation of the actual traffic session data between IoT devices by the conventional method and the method according to the first embodiment are shown. For example, the learning target communication data is MQTT communication of normal 21053 data and camera streaming of normal 1107 data. After learning the learning target data having a bias in the number of data by using the conventional method, the detection rate for various communication data by the detection device 20 using the model obtained by this learning was obtained. On the other hand, after learning the same learning target data with the learning device 10, the detection rate for various communication data by the detection device 20 using the model obtained by this learning was obtained. The AUC (Area Under Curve) value is obtained as the detection rate.

First, the result of evaluation using the conventional method will be described. The conventional method is a method of estimating the probability density of the learning target data as it is without executing the preprocessing shown in the first embodiment.

FIG. 5 is a diagram showing ROC curves for each detection target according to the learning state by the conventional method. FIG. 5A is an ROC curve of the detection result for malware (mirai bot) which is abnormal data. FIG. 5B is a ROC curve of the detection result for MQTT communication which is normal data. FIG. 5C is an ROC curve of the detection result for camera streaming which is normal data.

When detection is performed using the conventional method, as shown in FIG. 5 (a), the malicious communication of malware has a high accuracy of 0.9998, which means that the detection has been successful. I understand. Further, regarding the normal MQTT communication, as shown in FIG. 5 (b), the AUC value is 0.4746, which is not detected as abnormal data and shows normal behavior. Therefore, it can be seen that the detection of normal MQTT communication is successful in the conventional method. It is considered that this is because the MQTT communication has a large number of data to be learned, so that the learning of the probability density estimation can be performed accurately.

On the other hand, as shown in FIG. 5 (c), although the camera streaming of normal data is normal, the AUC value is as high as 0.9712. It is considered that this is a false detection as a result of the learning of the probability density estimation of the few normal data not progressing.

Therefore, in the conventional method, when the number of data of the training target data is biased, the learning does not proceed for the learning target data with a small number of data, and even in the detection using the trained model, the data of the type with a small number of data is used. Could not detect correctly.

Next, the result of evaluation using the learning result of the learning device 10 according to the first embodiment will be described. The first embodiment is a method of executing the pre-processing for aligning the number of communication data of each destination described above, and learning the probability density estimation for the learning target data after the pre-processing.

FIG. 6 is a diagram showing ROC curves for each detection target when the model obtained by learning of the learning device 10 shown in FIG. 1 is used. FIG. 6A is an ROC curve of the detection result for malware (mirai bot) which is abnormal data. FIG. 6B is a ROC curve of the detection result for MQTT communication which is normal data. FIG. 6C is an ROC curve of the detection result for camera streaming which is normal data.

When detection is performed using the model by the learning device 10, as shown in FIG. 6A, the malicious communication of malware has a high accuracy of AUC value of 1.0, and the detection is successful. You can see that there is. Further, for normal MQTT communication, as shown in FIG. 6B, the AUC value is 0.3864, which is not detected as abnormal data and shows correct behavior. Further, as shown in FIG. 6 (c), the camera streaming of the normal data has an AUC value of 0.2787 even though the number of data to be learned is small, and is not detected as abnormal data. Show correct behavior.

As described above, as a result of evaluation using the model by the learning device 10 according to the first embodiment, it is possible to detect abnormal communication data normally and reduce false detections for normal communication data. Do you get it.

[Effect of Embodiment 1]
As described above, in the first embodiment, the normal communication data is preprocessed by duplicating the communication data of one or more destinations to equalize the number of communication data of each destination, and the preprocessing is performed. Training is performed on the training target data, the probability density of the training target data is estimated, and the parameters of the model representing the characteristics of the probability density of the training target data are updated. Therefore, according to the first embodiment, the state where the number of data is biased among the data to be learned can be eliminated, and the learning process for estimating the probability density can be accurately advanced. As a result, according to the first embodiment, by using the model obtained by this learning process, it is possible to reduce false positives and improve the detection accuracy.

[Embodiment 2]
Next, the second embodiment will be described. The learning device according to the second embodiment has the same configuration as the learning device shown in FIG.

In the second embodiment, the preprocessing unit duplicates the communication data in order to make the number of communication data of each destination uniform with respect to the learning target data, and performs preprocessing for adding noise when the communication data is duplicated. At this time, the preprocessing unit adds applicable noise to each dimension when duplicating the communication data.

For example, when the feature A which is an order of 100 and the feature B which is an order of 0.01 appear in the communication data, the preprocessing unit adds the noise of the order 1 as the noise corresponding to the feature A. , The noise on the order of 0.0001 is added as the noise corresponding to the feature B. Further, the preprocessing unit adds noise whose generation position is changed in each communication data as noise to be added to each duplicated communication data. In other words, the pre-processing unit disperses the noise added to each duplicated communication data. In this case, the preprocessing unit generates, for example, noise of the order corresponding to each feature according to a predetermined rule, and generates noise so that the generation position varies among each communication data, and each communication duplicated. Add to data.

The learning device according to the second embodiment performs the same processing as in step S11 shown in FIG. 3, and then duplicates the communication data for the destination communication data having a small number of communication data, and also causes noise when the communication data is duplicated. Perform pretreatment to add. Then, the learning device according to the second embodiment performs the same processing as in steps S13 and S14.

In the first embodiment, the communication data of the destination is duplicated for the destination with a small number of communication data so that the number of communication data of each destination is the same. Therefore, the same data is used for this destination at the time of learning by the learning unit 13. Will appear more than once. Here, in VAE131, learning may become unstable if the same data is learned many times. In the second embodiment, noise is added when the communication data is duplicated to eliminate the bias in the number of data between the data and to stabilize the learning.

[Evaluation experiment]
The result of actually evaluating the traffic session data between IoT devices by the method according to the second embodiment is shown. Similar to the evaluation experiment for the first embodiment, the learning target communication data is MQTT communication of normal 21053 data and camera streaming of normal 1107 data. This learning target data was trained using VAE after preprocessing to add noise when duplicating the communication data, and the detection rate for various communication data by the detection device using the model obtained by this learning was obtained. .. The AUC value is obtained as the detection rate.

FIG. 7 is a diagram showing ROC curves for each detection target when the model obtained by the learning method according to the second embodiment is used. FIG. 7A is an ROC curve of the detection result for malware (mirai bot) which is abnormal data. FIG. 7B is a ROC curve of the detection result for MQTT communication which is normal data. FIG. 7C is an ROC curve of the detection result for camera streaming which is normal data.

When detection is performed using the model obtained by the learning method according to the second embodiment, the malicious communication of malware has a high accuracy of 0.9999 as shown in FIG. 7A. It can be seen that the detection was successful. Further, for normal MQTT communication, as shown in FIG. 7 (b), the AUC value is 0.3706, which is not detected as abnormal data and shows correct behavior. Further, as shown in FIG. 7 (c), the camera streaming of normal data has an AUC value of 0.3134 and is not detected as abnormal data even though the number of data to be learned is small. Show correct behavior.

As a result of evaluation using the model obtained by the learning method according to the second embodiment in this way, as in the first embodiment, the abnormal communication data can be detected normally and is normal. It was found that false positives for various communication data can be reduced.

[Effect of Embodiment 2]
As described above, in the second embodiment, the communication data is duplicated with respect to the learning target data in order to make the number of communication data of each destination uniform, and the preprocessing for adding noise at the time of duplicating the communication data is performed and the preprocessing is performed. We are learning about the data to be learned. Therefore, according to the second embodiment, the state in which the number of data is biased among the data to be learned can be eliminated, and the learning can be stabilized. Therefore, the same effect as that of the first embodiment can be obtained. Play.

[System configuration, etc.]
Each component of each of the illustrated devices is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or part of the device is functionally or physically distributed in arbitrary units according to various loads and usage conditions. Can be integrated and configured. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

Further, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed. It is also possible to automatically perform all or part of the above by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above document and drawings can be arbitrarily changed unless otherwise specified.

[program]
FIG. 8 is a diagram showing an example of a computer in which the learning device 10 is realized by executing a program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of these parts is connected by a bus 1080.

Memory 1010 includes ROM 1011 and RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, the display 1130.

The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the learning device 10 is implemented as a program module 1093 in which a code that can be executed by a computer is described. The program module 1093 is stored in, for example, the hard disk drive 1090. For example, a program module 1093 for executing a process similar to the functional configuration in the learning device 10 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

Further, the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, a memory 1010 or a hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 as needed, and executes the program.

The program module 1093 and the program data 1094 are not limited to those stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

Although the embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and the drawings which form a part of the disclosure of the present invention according to the present embodiment. That is, other embodiments, examples, operational techniques, and the like made by those skilled in the art based on the present embodiment are all included in the scope of the present invention.

1 Detection system 2 IoT equipment 3 Network 10 Learning device 11 Collection unit 12 Preprocessing unit 13 Learning unit 20 Detection device 131 VAE

Claims (4)

A collection unit that collects multiple normal communication data to be learned by receiving normal communication data from multiple external communication devices.
For a protocol with a small number of communication data, a preprocessing unit that duplicates the communication data of the protocol with a small number of communication data so that the number of communication data of each protocol is uniform with respect to the normal communication data.
A learning unit that learns about the normal communication data processed by the preprocessing unit, estimates the probability density of the normal communication data, and updates the parameters of the model representing the characteristics of the probability density of the normal communication data. When,
A learning device characterized by having. The learning device according to claim 1, wherein the preprocessing unit adds noise when duplicating the communication data. A learning method performed by a learning device,
A collection process that collects multiple normal communication data to be learned by receiving normal communication data from multiple external communication devices.
For a protocol having a small number of communication data, a preprocessing step of adding a copy of the communication data of the protocol having a small number of communication data so that the number of communication data of each protocol is the same as that of the normal communication data.
A learning step of learning about the normal communication data processed in the preprocessing step, estimating the probability density of the normal communication data, and updating the parameters of the model representing the characteristics of the probability density of the normal communication data. When,
A learning method characterized by including. A collection step that collects multiple normal communication data to be learned by receiving normal communication data from multiple external communication devices,
For a protocol having a small number of communication data, a preprocessing step of adding a copy of the communication data of the protocol having a small number of communication data so that the number of communication data of each protocol is the same as that of the normal communication data.
A learning step in which learning is performed on the normal communication data processed in the preprocessing step, the probability density of the normal communication data is estimated, and the parameters of the model representing the characteristics of the probability density of the normal communication data are updated. When,
A learning program that lets a computer run.

Images