JP7037452B2 - Control device - Google Patents

Description

The present invention relates to a control device.

Conventionally, the influence of an external communication signal on a network has been regarded as a problem. For example, in the technique described in Patent Document 1, whether or not an attempt to access the network is malicious based on the signal strength of the received signal. If it is malicious, the prescribed safety measures are taken.

Special Table 2018-501694

For example, in a network used for international roaming such as SS7 (Common Channel Signaling System No. 7), unlike an Internet network, not only a single signal received by a node device but also a call flow (a signal group including one or more signals). It may be attacked from the outside in units. In order to block such attacks, it is necessary to perform analysis in units of call flows sent and received by the node device. In such an analysis, the call flow is a normal signal group, a signal group related to an attack but a rule for blocking has already been created, or a signal group related to an unknown attack. It is necessary to determine whether it is a signal group for which a new signal cutoff rule needs to be created. Such determination and creation of signal cutoff rules are generally performed manually and require a great deal of steps.

The present invention has been made in view of the above circumstances, and an object of the present invention is to easily determine and create a signal cutoff rule for a signal group received from the outside.

The control device according to one aspect of the present invention includes an extraction unit that extracts a feature amount of a determination target signal group including at least one communication signal from the outside, and a normal signal group including at least one normal communication signal. The determination target signal group is unknown based on the learning data obtained by learning the feature amount of the abnormality signal group including at least one feature amount and an abnormal communication signal and the feature amount of the determination target signal group extracted by the extraction unit. Communication from the outside included in the unknown signal group when the determination unit determines whether or not the signal group is an unknown signal group and the determination unit determines that the determination target signal group is an unknown signal group. It is provided with a rule creation unit for creating a new rule for blocking a signal.

In the control device according to one aspect of the present invention, the determination target signal group is an unknown signal group from the learning data in which the feature amount of the normal signal group and the feature amount of the abnormal signal group are learned and the feature amount of the determination target signal group. It is determined whether or not it is. In this way, by using the learning data in which the feature amount of the known signal group is learned, it is possible to easily and highly accurately determine whether or not the determination target signal group is an unknown signal group. Then, in the case of an unknown signal group, a new rule for blocking the communication signal from the outside included in the unknown signal group is created, so that an irregular signal that has not been learned (for example, a signal related to an attack from the outside) is created. ) Can be easily and surely blocked.

In the above control device, the determination unit derives the certainty that the determination target signal group is an unknown signal group by comparing the feature amount of the determination target signal group with each feature amount of the learning data, and determines the certainty degree. Based on this, it may be determined whether or not the determination target signal group is an unknown signal group. In this way, by comparing the features and deriving the certainty (certainty) that the determination target signal group is an unknown signal group, it is easy to determine whether or not the determination target signal group is an unknown signal group. Moreover, it can be performed with high accuracy.

In the above control device, the determination unit compares the feature amount of the judgment target signal group with each feature amount of the learning data, so that the determination target signal group is a signal group related to the normal signal group. Derived the certainty that the group is a signal group related to the abnormal signal group, and the certainty that the judgment target signal group is an unknown signal group that is neither the signal group related to the normal signal group nor the signal group related to the abnormal signal group. , Whether or not the determination target signal group is an unknown signal group may be determined based on each certainty. In this way, by comparing the features and deriving the certainty (certainty) that the judgment target signal group is each signal group, whether or not the judgment target signal group is an unknown signal group with higher accuracy. Can be determined.

The control device determines whether or not the communication signal from the outside included in the unknown signal group has been received more than a predetermined number of times, and if it has been received more than a predetermined number of times, the unknown signal group is a signal related to an attack from the outside. It may be further provided with an update unit that updates the training data so that the new rule created by the rule creator unit can be activated by identifying the group. Regarding the communication signals of the determination target signal group determined to be an unknown signal group, for example, there are cases where the communication signal is related to an attack from the outside and cases where the communication signal is accidentally transmitted without the intention of the attack. Can be considered. In this regard, when a communication signal for which a new rule is created as an unknown signal group is received more than a predetermined number of times, the communication signal is not an accidentally transmitted communication signal but is related to an attack from the outside. It can be determined that it is a communication signal. Therefore, by identifying the unknown signal group including the communication signal received a predetermined number of times as the signal group related to the attack from the outside and enabling the new rule, the communication signal related to the attack from the outside can be easily obtained. It can be reliably shut off. Further, by performing such control, it is possible to avoid erroneously blocking the communication signal transmitted accidentally.

In the above control device, the extraction unit may extract the feature amount of the determination target signal group based on the name of the communication signal included in the determination target signal group. By extracting the name that uniquely identifies the communication signal as the feature amount, the feature amount of the determination target signal group can be appropriately acquired, and the unknown signal group can be determined with high accuracy.

In the above control device, the extraction unit may extract the feature amount of the determination target signal group based on the transmission / reception timing of the communication signal included in the determination target signal group. This makes it possible to specify whether the signal group is a known signal group or an unknown signal group in consideration of the transmission / reception timing of the communication signal, and the unknown signal group can be determined with high accuracy.

In the above control device, the extraction unit may extract the feature amount of the determination target signal group based on the parameters of the communication signal included in the determination target signal group. This makes it possible to identify whether the signal group is a known signal group or an unknown signal group in consideration of the contents included in the communication signal (for example, routing information, etc.), and the unknown signal group can be made highly accurate. It can be determined.

According to the present invention, it is possible to easily determine and create a signal cutoff rule for a signal group received from the outside.

It is a figure which shows typically the whole structure of the system including the functional block diagram of the rule making apparatus which concerns on this embodiment. It is a figure explaining the process of extracting a feature amount from a received call flow. It is a figure which shows typically the learning model created by machine learning. It is a figure which shows the signal cutoff rule stored in the rule DB. It is a figure which shows the signal cutoff rule stored in the rule DB. It is a flowchart which shows an example of the control process by a rule making apparatus. It is a flowchart which shows the detail of the determination process in the control process. It is a flowchart which shows the detail of the new rule creation process among the control process. It is a flowchart which shows the detail of the validity judgment processing of a new rule among the control processing. It is a figure which shows the hardware configuration of the rule making apparatus.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the description of the drawings, the same reference numerals are used for the same or equivalent elements, and duplicate description is omitted.

FIG. 1 is a diagram schematically showing an overall configuration of a system 1, including a functional block diagram of the rule creating device 10 according to the present embodiment. As shown in FIG. 1, the system 1 includes a rule creating device 10, an SS7 (Common Channel Signaling System No. 7) network 50, an international common line network 100, and an overseas operator network 200. In the system 1, mobile communication is performed between the SS7 network 50 and the overseas business network 200 via the international common line network 100.

The SS7 network 50 is, for example, a network that realizes international roaming of mobile communication. The SS7 network 50 receives a communication signal from the overseas operator network 200 via the international common line network 100, and transmits a communication signal to the overseas operator network 200 via the international common line network 100. The SS7 network 50 includes an STP (Signal Transfer Point) 51, an SS7IDS (Intrusion Detection System) 52, an SS7FW (FireWall) 53, an HLR (Home Location Register) 54, and an MSC (Mobile-services Switching Center) / VLR (Visitor Location). It has a Register) 55, an SGSN (Serving GPRS Support Node) 56, an SMS-C (SMSCenter) 57, and a signal capture device 58. The functions of the HLR201, MSC / VLR202, and SGSN203 described in FIG. 1 for the overseas business network 200 are the same as the functions of the HLR54, MSC / VLR55, and SGSN56 of the SS7 network 50 described above. Omit.

The STP 51 is configured to function as a router and a gateway in the SS7 network 50. The HLR 54 has a database that manages user information such as a mobile phone number and a terminal identification number necessary for mobile communication. The MSC / VLR55 is a mobile communication relay device (mobile communication exchange station), and has a database for managing user information such as a mobile phone number and a terminal identification number required for mobile communication. SGSN56 is one of the nodes constituting the packet network, and is configured to connect to the radio access network in the GPRS environment. The SMS-C57 is configured to relay (transfer) short messages sent and received.

The SS7IDS 52 is configured to function as an intrusion detection system in the SS7 network 50, and is configured to monitor packets flowing on the network and detect unauthorized access and the like. SS7IDS52 has a rule DB60. The rule DB 60 stores a signal cutoff rule 500 (see FIG. 4) that defines whether to pass or cut off a communication signal in units of call flows. The details of the signal cutoff rule 500 will be described later. The SS7FW53 is configured to function as a firewall in the SS7 network 50. SS7FW53 has a rule DB 70. The rule DB 70 stores the same signal cutoff rule 500 as the rule DB 60 described above. The details of the signal cutoff rule 500 will be described later. The SS7IDS 52 and SS7FW 53 may hold a blacklist that defines only the signals to be blocked, instead of (or in addition to) the above-mentioned rules DB 60 and 70.

The signal capture device 58 is configured to collect communication packets transmitted from the STP 51 to each node device (HLR54, MSC / VLR55, SGSN56, and SMS-C57) and communication packets transmitted from each node device to the STP51. be. The signal capture device 58 collects communication packets branched from taps 59a, 59b, 59c provided in front of each of the above-mentioned node devices, for example. The signal capture device 58 may be provided in the SS7FW53, for example, to collect each communication packet.

By collecting each communication packet by the method described above, the signal capture device 58 accumulates communication signals (communication packets) transmitted / received between each node device of the international common line network 100 and the SS7 network 50 in real time. Generate a call flow based on the accumulated communication signal. The call flow is a determination target signal group including at least one communication signal from the international common line network 100 (outside). For example, in the example shown in FIG. 2, the call flow includes a signal A which is a communication signal received from the international common line network 100, and a signal B which is a communication signal transmitted to the international common line network 100 following the signal A. Following the signal B, four signals, a signal C which is a communication signal received from the international common line network 100, and a signal D which is transmitted to the international common line network 100 following the signal C are included. The signal capture device 58 transmits the generated call flow to the input reception unit 11 (described later) of the rule creation device 10.

Next, with reference to FIG. 1, the details of the function of the rule creating device 10 will be described. The rule creation device 10 monitors the call flow (traffic) acquired by the signal capture device 58, automatically estimates unknown traffic that may affect the SS7 network 50, and automatically creates a new blocking rule. It is a device. The rule creation device 10 includes an input reception unit 11, a preprocessing unit 12 (extraction unit), an unknown signal determination unit 13 (determination unit), a machine learning rule DB 14, a threshold value determination DB 15, and a new rule creation unit 16 ( It has a rule creation unit), a new rule input unit 17, and a new rule determination unit 18 (update unit).

The input receiving unit 11 is a function of receiving a call flow (log information of a transmission / reception signal) input to the signal capture device 58. The input receiving unit 11 outputs the received call flow to the preprocessing unit 12. In the following, a call flow received by the input receiving unit 11 and output to the preprocessing unit 12 may be described as a determination target call flow.

The preprocessing unit 12 is a function of extracting the feature amount of the determination target call flow including at least one communication signal from the outside. The feature amount of the call flow to be determined is the feature amount of the call flow to be determined so that the unknown signal determination unit 13 can make a determination (determination of whether or not the call flow to be determined is an unknown signal group. Details will be described later). It shows the characteristics. The feature amount of the call flow may be represented by a vector, for example, or may be represented by a simple numerical value. The preprocessing unit 12 outputs the extracted feature amount to the unknown signal determination unit 13.

FIG. 2 is a diagram illustrating a process of extracting a feature amount from a received determination target call flow. The preprocessing unit 12 extracts, for example, the feature amount of the determination target call flow based on the name of the communication signal included in the determination target call flow. For example, in the example shown in FIG. 2, the determination target call flow includes a signal A which is a communication signal received from the international common line network 100, and a signal B which is a communication signal transmitted to the international common line network 100 following the signal A. , Signal B is followed by signal C, which is a communication signal received from the international common line network 100, and signal C is followed by signal D, which is transmitted to the international common line network 100. In this case, the preprocessing unit 12 extracts the feature amount of the determination target call flow based on the signal A, the signal B, the signal C, and the signal D, which are the names of the four signals included in the determination target call flow. The preprocessing unit 12 may use the same feature quantity for all the same combination of communication signal names included in the determination target call flow, or the same combination of communication signal names included in the determination target call flow. Even if there are, different feature quantities may be used in different order of transmission and reception.

Further, the preprocessing unit 12 may extract the feature amount of the determination target call flow, for example, based on the transmission / reception timing of the communication signal included in the determination target call flow. For example, in the example shown in FIG. 2, the preprocessing unit 12 transmits the time when the signal B is transmitted as the timing β, the time when the signal C is received as the timing γ, and the signal D as the reference. The time is specified as the timing α. Then, the preprocessing unit 12 extracts the feature amount of the call flow to be determined based on the timings β, γ, and α, which are the transmission / reception timings. In the above description, the difference between the time when the signal A is received and the time when each signal is transmitted and received is defined as the "timing" based on the time when the signal A is received, but the timing is not limited to this, and the preprocessing unit is not limited to this. 12 may simply specify the transmission / reception time of each signal as a “timing”.

Further, the preprocessing unit 12 may extract the feature amount of the determination target call flow, for example, based on the parameters of the communication signal included in the determination target call flow. The communication signal parameter is information that is included in the communication signal and indicates the content of the communication signal, such as information for specifying user information (IMSI, telephone number, etc.), information used for routing, and the like. For example, in the example shown in FIG. 2, the preprocessing unit 12 specifies the parameter X of the signal A and the parameter Z of the signal C, which are the received signals, and extracts the feature amount of the call flow to be determined based on the specified parameters. .. In the above description, the parameters of the signal A and the signal C, which are the received signals, are specified, but the present invention is not limited to this, and the preprocessing unit 12 may specify the parameters of all the signals transmitted and received. , The parameters of only the transmission signal may be specified.

The unknown signal determination unit 13 has a feature amount of a normal call flow (normal signal group) including at least one normal communication signal, and an abnormal call flow (abnormal signal group) including at least one abnormal communication signal. An unknown call flow (unknown signal group) in which the determination target call flow is an unknown call flow based on the learning model (learning data) trained in advance and the feature amount of the determination target call flow extracted by the preprocessing unit 12. It is determined whether or not it is. The normal call flow is a known normal call flow used in mobile communication with the overseas business network 200, and is, for example, a call flow including an incoming call system signal, a call flow including a location registration signal, and a signal related to SMS. Call flow including. The abnormal call flow is a known attack call flow including a signal related to an attack from the outside. The learning model is generated using one or more machine learning techniques such as nearest neighbor, SVM (Sapport Vector Machine), and neural network. The machine learning technique used is not limited to that described above. The unknown signal determination unit 13 determines the determination target call flow by referring to the learning model stored in the machine learning rule DB 14. The unknown signal determination unit 13 may use the log information acquired from the SS7IDS 52 in addition to the call flow information generated by the signal capture device 58 to determine the unknown call flow.

FIG. 3 is a diagram schematically showing a learning model created by machine learning. In the example shown in FIG. 3, a region of the feature amount of each call flow is shown with a certain feature amount A and the feature amount B as two axes. For example, in FIG. 3, the five feature areas indicated by "○" are the feature areas of the normal call flow including the incoming signal, and the four feature areas indicated by "△" are. The area of is the area of the feature amount of the normal call flow including the position registration signal, and the area of the four feature amounts indicated by “□” is the area of the normal call flow including the signal related to SMS. The two feature areas indicated by "☆" are the feature areas of the known attack flow including the signal related to the attack. The type (category) of such a call flow is defined in advance when the learning model is created. Then, as shown in FIG. 3, the range of the feature amount of each type of call flow is estimated so as to surround the feature amount of the same type of call flow. In this way, by performing machine learning, not only the area of the feature amount actually learned but also the area estimated to be the area of the feature amount of the same type of call flow is included, and the call flow for each type is included. The range of features can be defined. The feature amount to be learned by the learning model is, for example, a signal type, a signal transmission / reception timing, a transmission / reception direction, a key signal parameter, and the like.

For example, when the feature amount of the call flow to be determined is the feature amount shown by "call flow A" in FIG. 3, the unknown signal determination unit 13 determines that "call flow A" is a normal call flow including a position registration signal. It is specified that it belongs to the range of features, and it is determined that "call flow A" is not an unknown call flow. Further, for example, when the feature amount of the call flow to be determined is the feature amount shown by "call flow B" in FIG. 3, the unknown signal determination unit 13 knows that "call flow B" includes a signal related to an attack. It is specified that it belongs to the range of the feature amount of the attack call flow of, and it is determined that "call flow B" is not an unknown call flow. On the other hand, for example, when the feature amount of the call flow to be determined is the feature amount shown by "call flow C" in FIG. 3, the unknown signal determination unit 13 determines which known call flow "call flow C" is. It is specified that it does not belong to the range of the feature amount of, and it is determined that "call flow C" is an unknown call flow.

Further, the unknown signal determination unit 13 compares the feature amount of the determination target call flow with each feature amount of the learning model to ensure that the determination target call flow is a normal call flow and the determination target call flow is an abnormal call. Derivation of certainty that is a flow and certainty that the call flow to be judged is an unknown call flow that is neither a normal call flow nor an abnormal call flow, and the call flow to be judged is an unknown call flow based on each certainty. It may be determined whether or not. The conviction here is a value indicating such plausibility (reliability), and is represented by, for example, "%". The unknown signal determination unit 13 may determine that the determination target call flow is an unknown call flow, for example, when the certainty degree of the unknown call flow is the highest among the certainty levels.

Further, the unknown signal determination unit 13 does not derive the certainty of the normal call flow and the certainty of the known abnormal call flow, but merely determines the certainty that the call flow to be determined is an unknown call flow. It may be derived and it may be determined whether or not the call flow to be determined is an unknown call flow based on the certainty. The unknown signal determination unit 13 determines that the determination target call flow is an unknown call flow, for example, when the certainty that the determination target call flow is an unknown call flow is a predetermined value or more (for example, 80% or more). May be good. In this case, the unknown signal determination unit 13 may make the above-mentioned determination by referring to the threshold value of the certainty degree stored in the threshold value determination DB 15.

When the unknown signal determination unit 13 determines that the determination target call flow is an unknown call flow, the unknown signal determination unit 13 outputs a new rule creation request to the new rule creation unit 16. The new rule creation request includes information (estimated label) indicating that the judgment target call flow is an unknown call flow and the feature amount of the judgment target call flow. In addition, when the certainty of the normal call flow is derived for the call flow to be determined, the information for identifying the normal call flow with the highest certainty (that is, similar) among the normal call flows is also new. Included in the rule creation request. In the following, it is assumed that the new rule creation request includes the above-mentioned estimation label, the feature amount of the judgment mode call flow, and the information (ID) that identifies the most reliable (similar) normal call flow. explain.

The new rule creation unit 16 creates a new rule for blocking the communication signal from the outside included in the unknown call flow when the determination target call flow is determined by the unknown signal determination unit 13 to be an unknown call flow. do. The new rule creation unit 16 is based on the information input from the unknown signal determination unit 13 and the information acquired by referring to the signal cutoff rule 500 (see FIG. 4) stored in the machine learning rule DB 14. Create a new rule. In the following, it will be described that the machine learning rule DB 14 stores the same signal cutoff rule 500 as the signal cutoff rule 500 stored in the rule DB 60 and the rule DB 70, but the present invention is not limited to this, and these signal cutoffs are described. Rule 500 may be partially different from each other.

As shown in FIG. 4, in the signal cutoff rule, for each call flow, for example, an ID, a classification, a call classification, a signal name, a timing, a parameter, and a FW state are associated with each other. The ID is information that uniquely identifies the rule. Classification is information indicating whether the call flow is "normal" or "known attack (abnormal)". The call classification is information indicating a detailed type of call flow such as "location registration system", "incoming system", and "SMS system". The signal name, timing, and parameter are the name, transmission / reception timing, and parameter of the communication signal included in the call flow, respectively. The FW state is information indicating whether to pass or block the communication signal included in the call flow. For example, for the known attack with ID: 4 in FIG. 4, among the three signals (signal name: reception E-transmission F-reception X), the signal that is blocked by the reception X, which is the last specified reception signal. Is.

First, the new rule creation unit 16 acquires information on a normal call flow that is most similar (highly certain) to the determination target call flow, which is included in the new rule creation request. For example, in the case where the signal cutoff rule 500 supported in FIG. 4 is used, if the new rule creation request includes "ID: 1" that specifies a similar normal call flow, the new rule creation unit 16 will perform. With reference to the signal cutoff rule 500, it is specified that a similar normal call flow is a normal call flow including a location registration signal (normal call flow of "ID: 1" shown in FIG. 4).

Subsequently, the new rule creation unit 16 specifies the name of the communication signal included in the specified and similar normal call flow. In the example shown in FIG. 4, the new rule creation unit 16 specifies "receive A-transmission B-receive C-transmission D" which is the name of four communication signals included in the normal call flow including the location registration signal. do. Then, the new rule creation unit 16 selects a communication signal that is a difference between the communication signal included in the similar normal call flow and the determination target call flow (that is, the unknown call flow) and is not included in the similar normal call flow. Extract. For example, when the determination target call flow includes three communication signals "receive A-transmit B-receive Z", the new rule creation unit 16 is a communication signal that is a difference and is not included in the normal call flow. A certain "reception Z" is extracted, and a new rule is created so that the "reception Z" is blocked (blocked). The new rule creation unit 16 outputs the created new rule to the new rule input unit 17.

The new rule input unit 17 writes the new rule created by the new rule creation unit 16 into the signal cutoff rule 500 of the machine learning rule DB 14, the rule DB 60, and the rule DB 70. As shown in FIG. 4, the new rule input unit 17 assigns a new ID: 7 to the new rule, and sets the signal name to "reception A-transmission B-reception Z". At this point, whether or not the determination target call flow (that is, unknown call flow) is blocked (that is, whether or not it is an abnormal call flow) has not been determined by the new rule determination unit 18 (details will be described later). Therefore, as shown in FIG. 4, the information of the classification and the FW state (whether to pass or block) in the new rule has not been input, and the new rule has not been activated yet.

Further, the new rule input unit 17 identifies by the new rule determination unit 18 that the determination target call flow (that is, the unknown call flow) is an attack call flow (abnormal call flow) related to an attack from the outside, and determines that the determination target call. When it is determined to block the flow (details will be described later), as shown in FIG. 5, the FW state of the new rule is set to "block", and the normal call flow classification similar to the call classification (in this example). "Position registration system") is input, and the state of the signal cutoff rule 500 of the machine learning rule DB 14, the rule DB 60, and the rule DB 70 is updated. As a result, the new rule created by the new rule creation unit 16 is activated. In this case, since a new rule is registered and a known abnormal call flow is added, the learning model is relearned in the machine learning rule DB 14. When the new rule input unit 17 determines that the determination target call flow is not blocked by the new rule determination unit 18, the new rule may be deleted from the signal cutoff rule 500, and the determination can be made again later. A new rule may be left in the signal cutoff rule 500 so as to be.

The new rule determination unit 18 determines whether or not a communication signal from the outside included in the determination target call flow (that is, an unknown call flow) in which the new rule is created has been received more than a predetermined number of times in a predetermined time, for example, and determines whether or not the communication signal has been received more than a predetermined number of times in a predetermined time. When the unknown call flow is received more than a predetermined number of times, the unknown call flow is identified as an attack call flow (abnormal call flow) related to an attack from the outside. The new rule determination unit 18 receives a communication signal in real time from the signal capture device 58, and by referring to the signal cutoff rule 500 of the machine learning rule DB 14, the new rule determination unit 18 is included in the determination target call flow in which the new rule is created from the outside. It is determined whether or not the communication signal of is received more than a predetermined number of times in a predetermined time. The new rule determination unit 18 does not set a time condition, and simply identifies the unknown call flow as an attack call flow when the communication signal included in the determination target call flow is received more than a predetermined number of times. May be good. The new rule determination unit 18 outputs the determination result to the new rule input unit 17.

Next, the control process by the rule creating device 10 will be described with reference to FIGS. 6 to 9.

FIG. 6 is a flowchart showing an example of control processing by the rule creating device 10. As shown in FIG. 6, the rule creation device 10 first receives the determination target call flow input by the signal capture device 58 (step S1). Subsequently, the rule creating device 10 extracts the feature amount of the determination mode call flow (step S2). Specifically, the preprocessing unit 12 of the rule creating device 10 is included in the name of the communication signal included in the determination target call flow, the transmission / reception timing of the communication signal included in the determination target call flow, and the determination target call flow. The feature amount of the call flow to be determined is extracted based on the parameters of the communication signal and the like. The preprocessing unit 12 may extract the feature amount from one or two of the name of the communication signal, the transmission / reception timing, and the parameter, or may extract the feature amount from the others.

Subsequently, the rule creating device 10 determines whether or not the determination target call flow is an unknown call flow based on the extracted feature amount of the determination target call flow (step S3). The determination process performed by the unknown signal determination unit 13 of the rule creating device 10 will be described later with reference to FIG. 7.

If it is determined in step S3 that the call flow to be determined is not an unknown call flow, the control process ends. On the other hand, when it is determined in step S3 that the call flow to be determined is an unknown call flow, the rule creation device 10 sets a new rule for blocking the communication signal from the outside included in the unknown call flow. Create (step S4). The new rule creation process (partly including the DB update process by the new rule input unit 17) performed by the new rule creation unit 16 of the rule creation device 10 will be described later with reference to FIG.

Subsequently, the rule creation device 10 determines the validity of the new rule (whether the unknown call flow is an attack call flow and should be blocked) (step S5). The validity determination process of the new rule performed by the new rule determination unit 18 of the rule creation device 10 will be described later with reference to FIG. Finally, the rule creation device 10 updates the states of the machine learning rule DB 14, the rule DB 60, and the signal cutoff rule 500 of the rule DB 70 so that the new rule is activated (step S6). The above is the control process by the rule creating device 10.

FIG. 7 is a flowchart showing the details of the determination process performed by the unknown signal determination unit 13 among the control processes described with reference to FIG. As shown in FIG. 7, the unknown signal determination unit 13 first derives the certainty that the determination target call flow belongs to each category from the feature amount of the determination target call flow and each feature amount of the learning model. (Step S31). Each category includes, for example, a normal call flow including an incoming signal, a normal call flow including a location registration signal, a normal call flow including a signal related to SMS, a known attack flow including a signal related to an attack, and an unknown call. Flow etc.

Then, the unknown signal determination unit 13 determines whether or not the certainty that the determination target call flow is an unknown call flow is a predetermined value or more (for example, 80% or more) (step S32). If it is determined in step S32 that the certainty of the unknown call flow is not equal to or higher than a predetermined value, the unknown signal determination unit 13 determines that the determination target call flow is not an unknown call flow (step S34). On the other hand, if it is determined in step S32 that the certainty of the unknown call flow is equal to or higher than a predetermined value, the unknown signal determination unit 13 determines that the determination target call flow is an unknown call flow (step). S33). The above is the details of the determination process performed by the unknown signal determination unit 13.

FIG. 8 is a flowchart showing the details of the new rule creation process performed by the new rule creation unit 16 and the new rule input unit 17 among the control processes described with reference to FIG. As shown in FIG. 8, the new rule creation unit 16 first acquires information on a normal call flow that is most similar (highly certain) to the determination target call flow (step S41). Subsequently, the new rule creation unit 16 is a communication signal that is a difference between the communication signal included in the similar normal call flow and the determination target call flow (that is, the unknown call flow) and is not included in the similar normal call flow. Is extracted (step S42).

Subsequently, the new rule creation unit 16 creates a new rule so that the extracted difference signal included in the determination target call flow is blocked (blocked) (step S43). Finally, the new rule input unit 17 writes the new rule created by the new rule creation unit 16 into the signal blocking rule 500 of the machine learning rule DB 14, the rule DB 60, and the rule DB 70, and updates each rule DB (step). S44). The above is the details of the new rule creation process performed by the new rule creation unit 16 and the new rule input unit 17.

FIG. 9 is a flowchart showing the details of the validity determination process of the new rule performed by the new rule determination unit 18 among the control processes described with reference to FIG. As shown in FIG. 9, in the new rule determination unit 18, first, the communication signal from the outside (specifically, the signal of the difference decided to be cut off) included in the unknown call flow is sent a predetermined number of times within a predetermined time. It is determined whether or not the above is received (step S51). When it is determined in step S51 that the signal has not been received more than a predetermined number of times, the new rule determination unit 18 determines that the communication signal from the outside included in the unknown call flow is not a signal related to an attack (for example, it is accidentally transmitted). It is determined that the signal is a quasi-normal system), and the new rule is determined to be invalid (step S54). On the other hand, if it is determined in step S51 that the signal has been received more than a predetermined number of times, the new rule determination unit 18 identifies the unknown call flow as an attack call flow related to an attack from the outside (step S52). , It is determined that the new rule is valid (step S53). The above is the details of the validity determination process of the new rule performed by the new rule determination unit 18.

Next, the operation and effect of the rule creating device 10 according to the present embodiment will be described.

The rule creating device 10 according to the present embodiment has a preprocessing unit 12 for extracting a feature amount of a determination target call flow including at least one communication signal from the outside, and a normal call including at least one normal communication signal. Judgment target based on the learning model in which the feature amount of the flow and the feature amount of the abnormal call flow including at least one abnormal communication signal are learned, and the feature amount of the judgment target call flow extracted by the preprocessing unit 12. When the unknown signal determination unit 13 for determining whether or not the call flow is an unknown call flow, which is an unknown signal group, and the unknown signal determination unit 13 determine that the determination target call flow is an unknown call flow, A new rule creating unit 16 for creating a new rule for blocking a communication signal from the outside included in an unknown call flow is provided.

In such a rule creating device 10, the determination target call flow is an unknown call from the learning model in which the feature amount of a plurality of types of normal call flow and the feature amount of the abnormal call flow are learned and the feature amount of the determination target call flow. Whether or not it is a flow is determined. In this way, by using the learning model in which the features of the known call flow are learned, it is possible to easily and accurately determine whether or not the call flow to be determined is an unknown call flow. Then, in the case of an unknown call flow, a new rule that blocks the communication signal from the outside included in the unknown call flow is automatically created, so that an irregular signal that has not been learned (for example, an attack from the outside) can be detected. The signal) can be easily and surely cut off.

The unknown signal determination unit 13 derives a certainty degree that the determination target call flow is an unknown call flow by comparing the feature amount of the determination target call flow with each feature amount of the learning data, and makes a determination based on the certainty degree. Determine if the target call flow is an unknown call flow. In this way, by comparing the features and deriving the certainty (certainty) that the judgment target call flow is an unknown call flow, it is easy to determine whether or not the judgment target call flow is an unknown call flow. Moreover, it can be performed with high accuracy.

The unknown signal determination unit 13 compares the feature amount of the determination target call flow with each feature amount of the learning model to determine the certainty that the determination target call flow is a signal group related to the normal call flow and the determination target call flow. Derived the certainty that the call flow is a signal group related to the abnormal call flow, and the certainty that the call flow to be judged is an unknown call flow, which is neither the signal group related to the normal call flow nor the signal group related to the abnormal call flow. It is determined whether or not the call flow to be determined is an unknown call flow based on the certainty level. In this way, by comparing the features and deriving the certainty (certainty) that the judgment target call flow is various call flows, whether or not the judgment target call flow is an unknown call flow with higher accuracy. Can be determined.

The rule creating device 10 determines whether or not the communication signal from the outside included in the unknown call flow has been received a predetermined number of times or more, and if the communication signal has been received a predetermined number of times or more, the unknown call flow is involved in an attack from the outside. A new learning model that updates the learning model so that the new rule created by the new rule creation unit 16 is activated according to the determination result of the new rule determination unit 18 that identifies the call flow and the new rule determination unit 18. It is provided with a rule input unit 17. Regarding the communication signal of the judgment target call flow determined to be an unknown call flow, for example, there are cases where it is a communication signal related to an attack from the outside and a case where it is a communication signal accidentally transmitted without the intention of the attack. Can be considered. In this regard, when a communication signal for which a new rule is created as an unknown call flow is received more than a predetermined number of times, the communication signal is not an accidentally transmitted communication signal but is related to an attack from the outside. It can be determined that it is a communication signal. Therefore, by specifying that the unknown call flow including the communication signal received a predetermined number of times is the call flow related to the attack from the outside and enabling the new rule, the communication signal related to the attack from the outside can be easily made. It can be reliably shut off.

The preprocessing unit 12 may extract the feature amount of the determination target call flow based on the name of the communication signal included in the determination target call flow. By extracting the name that uniquely identifies the communication signal as the feature amount, the feature amount of the call flow to be determined is appropriately acquired, and whether or not the call flow to be determined is an unknown call flow is determined with high accuracy. Can be done.

The preprocessing unit 12 may extract the feature amount of the determination target call flow based on the transmission / reception timing of the communication signal included in the determination target call flow. This makes it possible to specify whether the call flow is a known call flow or an unknown call flow in consideration of the transmission / reception timing of the communication signal, and it is highly possible to determine whether the call flow to be determined is an unknown call flow. It can be judged with accuracy.

The preprocessing unit 12 may extract the feature amount of the determination target call flow based on the parameters of the communication signal included in the determination target call flow. This makes it possible to specify whether the call flow is a known call flow or an unknown call flow in consideration of the content contained in the communication signal (for example, routing information, etc.), and the call flow to be determined is an unknown call. Whether or not it is a flow can be determined with high accuracy.

Finally, the hardware configuration of the rule creating device 10 will be described with reference to FIG. The above-mentioned rule creating device 10 may be physically configured as a computer device including a processor 1001, a memory 1002, a storage 1003, a communication device 1004, an input device 1005, an output device 1006, a bus 1007, and the like.

In the following description, the word "device" can be read as a circuit, a device, a unit, or the like. The hardware configuration of the rule creating device 10 may be configured to include one or more of the devices shown in the figure, or may be configured not to include some of the devices.

For each function in the rule creating device 10, the processor 1001 performs an operation by loading predetermined software (program) on hardware such as the processor 1001 and the memory 1002, and the communication device 1004 communicates with the memory 1002 and the storage. It is realized by controlling the reading and / or writing of data in 1003.

Processor 1001 operates, for example, an operating system to control the entire computer. The processor 1001 may be configured by a central processing unit (CPU) including an interface with a peripheral device, a control device, an arithmetic unit, a register, and the like. For example, the control function of the switch control unit 105 of the rule creating device 10 may be realized by the processor 1001.

Further, the processor 1001 reads a program (program code), a software module and data from the storage 1003 and / or the communication device 1004 into the memory 1002, and executes various processes according to these. As the program, a program that causes a computer to execute at least a part of the operations described in the above-described embodiment is used. For example, the control function of the unknown signal determination unit 13 of the rule creating device 10 may be realized by a control program stored in the memory 1002 and operated by the processor 1001, or may be realized in the same manner for other functional blocks. good. Although it has been described that the various processes described above are executed by one processor 1001, they may be executed simultaneously or sequentially by two or more processors 1001. Processor 1001 may be mounted on one or more chips. The program may be transmitted from the network via a telecommunication line.

The memory 1002 is a computer-readable recording medium, and is composed of at least one such as a ROM (Read Only Memory), an EPROM (Erasable Programmable ROM), an EEPROM (Electrically Erasable Programmable ROM), and a RAM (Random Access Memory). May be done. The memory 1002 may be referred to as a register, a cache, a main memory (main storage device), or the like. The memory 1002 can store a program (program code), a software module, or the like that can be executed to implement the wireless communication method according to the embodiment of the present invention.

The storage 1003 is a computer-readable recording medium, for example, an optical disk such as a CD-ROM (Compact Disc ROM), a hard disk drive, a flexible disk, an optical magnetic disk (for example, a compact disk, a digital versatile disk, a Blu-ray). It may consist of at least one (registered trademark) disk), smart card, flash memory (eg, card, stick, key drive), floppy (registered trademark) disk, magnetic strip, and the like. The storage 1003 may be referred to as an auxiliary storage device. The storage medium described above may be, for example, a database, server or other suitable medium containing memory 1002 and / or storage 1003.

The communication device 1004 is hardware (transmission / reception device) for communicating between computers via a wired and / or wireless network, and is also referred to as, for example, a network device, a network controller, a network card, a communication module, or the like.

The input device 1005 is an input device (for example, a keyboard, a mouse, a microphone, a switch, a button, a sensor, etc.) that receives an input from the outside. The output device 1006 is an output device (for example, a display, a speaker, an LED lamp, etc.) that outputs to the outside. The input device 1005 and the output device 1006 may have an integrated configuration (for example, a touch panel).

Further, each device such as the processor 1001 and the memory 1002 is connected by a bus 1007 for communicating information. The bus 1007 may be composed of a single bus or may be composed of different buses between the devices.

Further, the rule creating device 10 includes hardware such as a microprocessor, a digital signal processor (DSP: Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), a PLD (Programmable Logic Device), and an FPGA (Field Programmable Gate Array). It may be configured by, and a part or all of each functional block may be realized by the hardware. For example, the processor 1001 may be implemented on at least one of these hardware.

Although the present embodiment has been described in detail above, it is clear to those skilled in the art that the present embodiment is not limited to the embodiment described in the present specification. This embodiment can be implemented as an amendment or modification without departing from the spirit and scope of the present invention as determined by the description of the scope of claims. Therefore, the description of the present specification is for the purpose of illustration and does not have any limiting meaning to the present embodiment.

For example, although the rule creating device 10 is provided as a device different from the SS7IDS 52 and SS7FW53, the present invention is not limited to this, and the rule creating device 10 may be included in the SS7IDS 52 or SS7FW53 (that is, the rule creating device 10). May be a program included in SS7IDS52 or SS7FW53).

Each aspect / embodiment described herein includes LTE (Long Term Evolution), LTE-A (LTE-Advanced), SUPER 3G, IMT-Advanced, 4G, 5G, FRA (Future Radio Access), W-CDMA. (Registered Trademarks), GSM (Registered Trademarks), CDMA2000, UMB (Ultra Mobile Broad-band), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, UWB (Ultra-Wide) Band), WiMAX®, and other systems that utilize suitable systems and / or extended next-generation systems based on them may be applied.

The processing procedures, sequences, flowcharts, and the like of each aspect / embodiment described in the present specification may be rearranged in order as long as there is no contradiction. For example, the methods described herein present elements of various steps in an exemplary order and are not limited to the particular order presented.

The input / output information and the like may be stored in a specific place (for example, a memory) or may be managed by a management table. Information to be input / output may be overwritten, updated, or added. The output information and the like may be deleted. The input information or the like may be transmitted to another device.

The determination may be made by a value represented by 1 bit (0 or 1), by a boolean value (Boolean: true or false), or by comparing numerical values (for example, a predetermined value). It may be done by comparison with the value).

Each aspect / embodiment described in the present specification may be used alone, in combination, or may be switched and used according to the execution. Further, the notification of predetermined information (for example, the notification of "being X") is not limited to the explicit one, but is performed implicitly (for example, the notification of the predetermined information is not performed). May be good.

Software, whether referred to as software, firmware, middleware, microcode, hardware description language, or other names, is an instruction, instruction set, code, code segment, program code, program, subprogram, software module. , Applications, software applications, software packages, routines, subroutines, objects, executable files, execution threads, procedures, features, etc. should be broadly interpreted.

Further, software, instructions, and the like may be transmitted and received via a transmission medium. For example, the software may use wired technology such as coaxial cable, fiber optic cable, twisted pair and digital subscriber line (DSL) and / or wireless technology such as infrared, wireless and microwave to website, server, or other. When transmitted from a remote source, these wired and / or wireless technologies are included within the definition of transmission medium.

The information, signals, etc. described herein may be represented using any of a variety of different techniques. For example, data, instructions, commands, information, signals, bits, symbols, chips, etc. that may be referred to throughout the above description are voltages, currents, electromagnetic waves, magnetic fields or magnetic particles, light fields or photons, or any of these. It may be represented by a combination of.

The terms described herein and / or the terms necessary for understanding the present specification may be replaced with terms having the same or similar meanings.

Further, the information, parameters, etc. described in the present specification may be represented by an absolute value, a relative value from a predetermined value, or another corresponding information. ..

The user terminal may be a mobile communication terminal, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communication device, a remote device, a mobile subscriber station, an access terminal, etc. It may also be referred to as a mobile device, wireless device, remote device, handset, user agent, mobile client, client, or some other suitable term.

As used herein, the terms "determining" and "determining" may include a wide variety of actions. "Judgment", "decision" is, for example, calculating, computing, processing, deriving, investigating, looking up (eg, table, database or another). It may include searching in the data structure), considering that the confirmation (ascertaining) is "judgment" and "decision". Also, "judgment" and "decision" are receiving (for example, receiving information), transmitting (for example, transmitting information), input (input), output (output), and access. It may include (for example, accessing data in memory) to be regarded as "judgment" or "decision". In addition, "judgment" and "decision" are considered to be "judgment" and "decision" when the things such as solving, selecting, choosing, establishing, and comparing are regarded as "judgment" and "decision". Can include. That is, "judgment" and "decision" may include considering some action as "judgment" and "decision".

The phrase "based on" as used herein does not mean "based on" unless otherwise stated. In other words, the statement "based on" means both "based only" and "at least based on".

As used herein by designations such as "first", "second", etc., any reference to that element does not generally limit the quantity or order of those elements. These designations can be used herein as a convenient way to distinguish between two or more elements. Thus, references to the first and second elements do not mean that only two elements can be adopted there, or that the first element must somehow precede the second element.

As long as "include", "including", and variations thereof are used herein or within the scope of the claims, these terms are similar to the term "comprising". In addition, it is intended to be inclusive. Moreover, the term "or" as used herein or in the claims is intended to be non-exclusive.

In the present specification, a plurality of devices shall be included unless the device has only one device apparently in context or technically.

The entire disclosure is intended to include more than one, unless the context clearly indicates the singular.

10 ... Rule creation device (control device), 12 ... Pre-processing unit (extraction unit), 13 ... Unknown signal determination unit (judgment unit), 16 ... New rule creation unit (rule creation unit), 17 ... New rule input unit ( Update unit), 18 ... New rule determination unit (update unit).

Claims (7)

An extraction unit that extracts the feature amount of the judgment target signal group including at least one communication signal from the outside, and
The learning data obtained by learning the feature amount of the normal signal group including at least one normal communication signal and the feature amount of the abnormal signal group including at least one abnormal communication signal, and the determination extracted by the extraction unit. A determination unit for determining whether or not the determination target signal group is an unknown signal group based on the feature amount of the target signal group, and a determination unit.
When the determination unit determines that the determination target signal group is the unknown signal group, the rule creation unit creates a new rule for blocking the communication signal from the outside included in the unknown signal group. , A control device. The determination unit derives the certainty that the determination target signal group is the unknown signal group by comparing the feature amount of the determination target signal group with each feature amount of the learning data, and determines the certainty degree. The control device according to claim 1, wherein the determination target signal group is determined based on whether or not the determination target signal group is the unknown signal group. By comparing the feature amount of the determination target signal group with each feature amount of the learning data, the determination unit determines the certainty that the determination target signal group is a signal group related to the normal signal group, and the determination target. The certainty that the signal group is the signal group related to the abnormal signal group, and the determination target signal group is neither the signal group related to the normal signal group nor the signal group related to the abnormal signal group, but the unknown signal group. The control device according to claim 2, wherein a certain certainty degree is derived, and it is determined whether or not the determination target signal group is the unknown signal group based on each certainty degree. It is determined whether or not the communication signal from the outside included in the unknown signal group has been received a predetermined number of times or more, and if the communication signal has been received a predetermined number of times or more, the unknown signal group is a signal group related to an attack from the outside. The control device according to any one of claims 1 to 3, further comprising an update unit for updating the learning data so that the new rule created by the rule creation unit is activated. The control device according to any one of claims 1 to 4, wherein the extraction unit extracts a feature amount of the determination target signal group based on the name of the communication signal included in the determination target signal group. The control device according to any one of claims 1 to 5, wherein the extraction unit extracts a feature amount of the determination target signal group based on a transmission / reception timing of a communication signal included in the determination target signal group. The control device according to any one of claims 1 to 6, wherein the extraction unit extracts a feature amount of the determination target signal group based on a parameter of a communication signal included in the determination target signal group.

Images