JP7094512B2 - Abnormal operation detection device, abnormal operation detection method, and program - Google Patents

Description

The present invention relates to an abnormal operation detection device or the like that determines an abnormality of a received operation set using a normal operation set that is a set of two or more normal operations and outputs a determination result.

Conventionally, a device that records and monitors the display screen and operation of a computer and the operation of other devices by multiplexing and recording them together with the moving image of the display screen and saving it as a trail for auditing to record and monitor unauthorized access, operation and operation. There was (see Patent Document 1).

Japanese Unexamined Patent Publication No. 2005-295486

However, in the prior art, it is difficult or complicated to detect an abnormal operation by using the input operation sequence information in the system operation mainly based on the procedure manual.

Further, in the prior art, it is difficult or difficult to detect an abnormal operation in the input operation sequence by using the information of the past normal operation sequence in the system operation mainly based on the procedure manual. It was complicated.

Of the security levels of the general area, access area, and high security area, the security level required for system operation corresponds to the high security area. In high security areas, IT system developers and administrators perform operations. When operating the terminal, it is usually necessary to obtain approval in advance, and the work is carried out according to a predetermined procedure manual.

However, it has been difficult to detect an abnormal operation in the information of the operation sequence according to the procedure manual used at the time of operation. The abnormal operation is, for example, an operation outside the procedure manual, and is, for example, one or more types of operations among operation mistakes, troubleshooting, and unauthorized operations.

In the abnormal operation detection device of the first invention, the judgment source information based on the two or more normal operation sets relating to the two or more normal operation information that specifies the normal operation for the information system during system operation is one of two or more. The judgment source information storage unit stored corresponding to the procedure manual of the above, the reception unit that accepts the operation set having two or more operation information that specifies the operation performed by the inspected person on the information system, and the reception unit. Judgment to acquire anomaly information that is information about anomaly for an operation set by using the judgment source information based on two or more normal operation sets corresponding to the procedure manual for the accepted operation set and the operation set accepted by the reception unit. It is an abnormality operation detection device including a unit and an output unit that outputs abnormality information.

With such a configuration, it is possible to detect an abnormal operation in the system operation performed based on the procedure manual.

Further, in the abnormality operation detection device of the second invention, for the first invention, the judgment unit uses the operation set accepted by the reception unit to determine the procedure manual, and the procedure manual. Abnormality using the normal operation set selection means that acquires two or more normal operation sets corresponding to the procedure manual determined by the determination means from the judgment source information storage unit and the two or more normal operation sets acquired by the normal operation set selection means. It is an abnormal operation detection device provided with a determination means for acquiring information.

With such a configuration, it is possible to easily detect an abnormal operation in the system operation performed based on the procedure manual.

Further, in the abnormality operation detection device of the third invention, the reception unit also accepts the procedure manual identifier for identifying the procedure manual for the first invention, and the determination unit receives the procedure manual identifier received by the reception unit. Abnormal information using the normal operation set selection means that acquires two or more normal operation sets corresponding to the procedure manual identified in (from the judgment source information storage unit) and the two or more normal operation sets acquired by the normal operation set selection means. It is an abnormality operation detection device provided with a determination means for acquiring the above.

With such a configuration, it is possible to detect an abnormal operation in the system operation performed based on the procedure manual.

Further, in the abnormal operation detection device of the fourth invention, for any one of the first to third inventions, the normal operation set and the operation information are events generated by the operation, and the event generated by the information system. It is an abnormal operation detection device that also includes internal event information related to.

With such a configuration, it is possible to detect an abnormal operation with high accuracy in the system operation performed based on the procedure manual.

Further, in the abnormality operation detection device of the fifth invention, the operation set accepted by the reception unit is logged out from the login to the information system by the inspected person for any one of the first to fourth inventions. It is information having operation information of two or more operations performed in one session up to, and the judgment unit applies the entire operation set received by the reception unit to the judgment source information and acquires abnormality information. It is an abnormal operation detection device.

With such a configuration, it is possible to appropriately detect an abnormal operation in the system operation performed based on the procedure manual.

Further, in the abnormality operation detection device of the sixth invention, the operation set received by the reception unit is continuously performed by the inspected person on the information system for any one of the first to fourth inventions. It has continuous operation information that is operation information of two or more operations to be performed, and the judgment unit applies the continuous operation information to two or more normal operation sets of the judgment source information storage unit, and acquires abnormality information. It is an operation detection device.

With such a configuration, it is possible to appropriately detect an abnormal operation in the system operation performed based on the procedure manual.

Further, the abnormal operation detection device of the seventh invention is a rare operation in which one or more rare operation information which is operation information for specifying a rare operation is stored for any one of the first to fourth inventions. The information storage unit is further provided, and the determination unit acquires rare operation existence information regarding the existence of one or more rare operation information of the rare operation information storage unit in the operation set accepted by the reception unit, and the rare operation exists. It is an abnormality operation detection device that acquires abnormality information using information.

With such a configuration, it is possible to appropriately detect an abnormal operation in the system operation performed based on the procedure manual.

Further, in the abnormality operation detection device of the eighth invention, the normal operation set is a normal operation vector composed of two or more normal operation information for any one of the first to seventh inventions, and it is determined. The unit is an abnormality operation detection device that constitutes an input vector from an operation set received by the reception unit and acquires abnormality information by using the input vector and two or more normal operation vectors.

With such a configuration, it is possible to appropriately detect an abnormal operation in the system operation performed based on the procedure manual.

According to the abnormality operation detection device according to the present invention, it is possible to detect an abnormality operation in the system operation performed based on the procedure manual.

Block diagram of abnormality operation detection device A according to the first embodiment A flowchart illustrating an operation example of the abnormality operation detection device A. Flow chart to explain an example of outlier detection processing A flowchart illustrating an example of the new time-series feature detection process. Flow chart explaining an example of the rare feature detection process A flowchart explaining the learning process The first conceptual diagram explaining the process in which the judgment source information is accumulated. Second conceptual diagram explaining the process of accumulating the judgment source information Conceptual diagram explaining the cluster selection process for detecting the same abnormality Conceptual diagram explaining the processing of outlier detection Conceptual diagram explaining the detection process by the new time series feature Conceptual diagram explaining the detection process by the same rare feature The figure which shows the output example of the abnormality information Overview of the computer system Block diagram of the computer system

Hereinafter, embodiments of the abnormality operation detection device and the like will be described with reference to the drawings. In addition, since the components with the same reference numerals perform the same operation in the embodiment, the description may be omitted again.

(Embodiment 1)

In the present embodiment, an abnormal operation detection device that determines an abnormality of a received operation set and outputs a determination result by using a normal operation set that is a set of two or more normal operations of the user will be described. The operation set may include an internal event generated by a user operation. Further, it is preferable that the operation set is a set of operations in one session from login to logout.

Further, in the present embodiment, the abnormality detection is based on, for example, outlier detection of log data for each session described later, determination by detection of two or more new continuous operations described later, and detection of rare operations. There may be judgments.

Further, in the present embodiment, the normal operation set corresponds to any one of two or more procedure manuals, and the abnormality is determined by using the normal operation set corresponding to the procedure manual for the accepted operation set. , An abnormality operation detection device that outputs a judgment result will be described.

Further, in the present embodiment, an abnormality operation detection device that determines an abnormality and outputs a determination result by using a machine learning algorithm will be described.

FIG. 1 is a block diagram of the abnormality operation detection device A according to the present embodiment. The abnormality operation detection device A includes a storage unit 1, a reception unit 2, a processing unit 3, and an output unit 4.

The storage unit 1 includes, for example, a determination source information storage unit 11, a rare operation information storage unit 12, and a procedure manual information storage unit 13. The processing unit 3 includes, for example, a learning unit 31 and a determination unit 32.

The determination unit 32 includes, for example, a procedure manual determination unit 321, a normal operation set selection unit 322, and a determination unit 323.

Various types of information are stored in the storage unit 1. The various types of information are, for example, determination source information described later, rare operation information described later, and procedure manual information described later.

The determination source information is stored in the determination source information storage unit 11. Judgment source information is information used for determining anomalies. The determination source information is information based on two or more normal operation sets. The normal operation set is information about two or more normal operation information. Normal operation information is information that identifies normal operation for an information system during system operation. The normal operation information is, for example, a command name. The normal operation information includes, for example, a window identifier (for example, a window title, a window ID, etc.) that identifies the operation target window and information entered by the user on the keyboard (for example, a command name, a command name, and an argument [for example, a database name, etc.). File name, variable name, data, etc.]) and included. The normal operation information includes, for example, information that identifies an internal event generated by a user operation. The internal event is, for example, an event generated by the OS or an event generated by the application.

The judgment source information may be a set of two or more normal operations itself, or may be a learning device described later. The determination source information may be two or more normal operation vectors composed of a normal operation set. Further, the determination source information may include one or more abnormal operation vectors composed of an invalid (abnormal) operation set, in addition to two or more normal operation vectors composed of the normal operation set. The determination source information may be information including two or more normal operation sets and one or more abnormal operation sets.

The normal operation set may be, for example, a normal operation vector which is a vector composed of two or more normal operation information. The normal operation vector is, for example, a vector having the appearance frequency of a word (for example, a command name, a file name, etc.) possessed by two or more normal operation information as an element. The normal operation vector is, for example, information vectorized by using Bag-of-Words for two or more normal operation information. The algorithm for acquiring the normal operation vector from the normal operation set does not matter.

The normal operation set is, for example, two or more normal operation information indicating two or more normal operation sequences. A normal operation set is, for example, an operation log for an information system and two or more normal instruction sequences, for example, "useradd, mkdir, su, passwd, ...", "useradd, passwd, usermod ...". , "Touch, sudo, useradd ...". The information system is a computer, an application on a computer, a computer system, or the like, and is, for example, a bank information system. The instruction sequence is usually a time-series instruction sequence.

The judgment source information may be a learner configured by a machine learning algorithm using two or more normal operation sets. The learning device is, for example, information acquired by the learning unit 31, which will be described later.

Further, each normal operation set corresponds to, for example, a procedure manual. Corresponding to the procedure manual may correspond to the procedure manual identifier that identifies the procedure manual, or may correspond to the file of the procedure manual. The procedure manual is a document used for the operation of the information system and the operation of the information system. The procedure manual may be called a manual. In addition, the procedure manual is, for example, a patch application procedure manual to be referred to when applying a patch to a system, a log acquisition procedure manual to be referred to when acquiring an operation log, and a user addition procedure to be referred to when additionally registering a user. It is a book etc.

Further, it is preferable that each of two or more normal operation sets is grouped and stored corresponding to one or more procedure manuals used for the operation. The process of grouping each of two or more normal operation sets is a process of grouping two or more normal operation vectors, for example, the normal operation vectors are grouped by using the distance between the vectors. Since the processing of such grouping is a Kochi technique, detailed description thereof will be omitted. It is preferable that the processing unit 3 performs such processing.

It is effective to classify the normal operation set for each procedure manual or group of procedure manuals based on the following characteristics of the operation. In other words, in the field of system operation, operations using procedure manuals are often performed thoroughly, and the operation contents are similar. It is effective to use the characteristics, compare the collected operation log (operation set) with the newly operated contents, and detect abnormal operations as described later.

Further, each of two or more normal operation sets may be grouped and stored for each server device to be operated. This is because server devices in companies are often built for each application. When viewed for each server device, the work to be performed is often from several types such as patch application and log acquisition to a dozen or so types. It is effective to group normal operation sets for each server device to be operated by utilizing the characteristics of such system operation, and to detect abnormal operations by using the normal operation set for each group as described later. When grouped by server device, for example, each of two or more normal operation sets corresponds to a server identifier that identifies the server device.

Rare operation information storage unit 12 stores one or more rare operation information. Rare operation information is operation information that identifies a rare operation. The operation information is information related to the operation. The operation information is, for example, an instruction for specifying an operation, an information name used (file name, database name, etc.), an ID for specifying an instruction or information (argument, etc.). The operation information may be an internal event generated by the operation.

Rare operation information is, for example, an instruction for specifying a rare operation. The rare operation information may be, for example, a rarely used information name. The rare operation information is, for example, an ID that specifies an instruction or information (argument, etc.). The rare operation information of the rare operation information storage unit 12 is, for example, information acquired by the processing unit 3 described later from two or more normal operation sets of the determination source information storage unit 11.

The procedure manual information storage unit 13 stores one or more procedure manual information. The procedure manual information is information related to the procedure manual. The procedure manual information may be a procedure manual file or a vector composed of the procedure manual file. The procedure manual information is, for example, a vector whose element is the frequency of appearance of terms contained in the procedure manual file. The procedure manual information is, for example, information (vector) obtained by vectorizing a procedure manual file using Bag-of-Words.

Further, two or more procedure manual information may be grouped in the procedure manual information storage unit 13. That is, two or more similar procedure manual information may be grouped in the procedure manual information storage unit 13. When the procedure manual information is, for example, a vector, a set of clustered vectors constitutes a group. It should be noted that the two or more similar procedure manual information is, for example, two or more procedure manual information corresponding to a vector that is close enough to satisfy a predetermined condition of the distance between the vectors composed of the procedure manual information. Further, since the technique of classifying and grouping a set of vectors is a known technique, the description thereof will be omitted. Further, when the procedure manual information is grouped, a vector representing each group may be stored in the procedure manual information storage unit 13. The vector representing the group is, for example, a vector of the average value of one or more vectors belonging to the group.

The reception unit 2 receives various instructions, information, and the like. The various instructions, information, and the like are, for example, an operation set, a judgment instruction, and a learning instruction. The operation set is information having two or more operation information that specifies the operation performed by the inspected person on the information system. The operation set is, for example, a set of operation information for one session from login to logout, but may be a set of operation information in an amount satisfying a predetermined condition. The operation of the amount satisfying the predetermined amount is the operation in units of one hour, the operation information of the predetermined amount or more, and the like. The person to be inspected is a user who is inspected for whether or not an abnormal operation has been performed.

The judgment instruction is an instruction for making a judgment regarding the abnormality of the operation set. The decision instruction includes an operation set or information that identifies the operation set. The judgment instruction may have a procedure manual identifier. Further, the determination instruction may have a server identifier that identifies the server device.

The learning instruction is an instruction that constitutes a learning device described later by using two or more normal operation sets. The learning instruction may include information that identifies the procedure manual. The information that identifies the procedure manual is, for example, a procedure manual identifier or a group identifier that identifies a group of procedure manuals.

The operation set is information acquired and recorded by a recording unit (not shown) of the information system, which is a set of operations performed by the subject on the information system. It is preferable that the operation set is information having operation information of two or more operations performed by the inspected person with respect to the information system in one session from login to logout. However, the operation set may be information on the operation information of the operation for a part of the period during one session.

Here, acceptance means reception of information transmitted via a wired or wireless communication line, acceptance of information read from a recording medium such as an optical disk, a magnetic disk, or a semiconductor memory, a keyboard, a mouse, a touch panel, or the like. It is a concept that includes acceptance of information input from an input device.

The processing unit 3 performs various processes. The various processes are, for example, processes performed by the learning unit 31 and the determination unit 32.

The learning unit 31 performs learning processing on two or more normal operation sets by a machine learning algorithm to form a learning device.

For example, when the reception unit 2 receives a learning instruction, the learning unit 31 performs learning processing on two or more normal operation sets according to the learning instruction to form a learning device.

When the learning instruction includes information that specifies the procedure manual, the learning unit 31 determines two or more normal operation sets corresponding to the procedure manual specified by the information that specifies the procedure manual. It is preferable to acquire from 11 and perform learning processing on the two or more normal operation sets to form a learning device. Further, the learning unit 31 acquires two or more normal operation sets from the judgment source information storage unit 11 for each one or two or more groups, performs learning processing on the two or more normal operation sets, and is a learning device. It is preferable to configure. By such processing, the learning device can be configured for each procedure manual or for each group.

The machine learning algorithm may be, for example, deep learning, SVM, SVR, decision tree, random forest, or the like.

The learning unit 31 may configure a learning device by performing learning processing using two or more normal operation sets (normal example) and two or more abnormal operation sets (negative example) by a machine learning algorithm. .. In such a case, it is preferable that the negative example is given in advance, but the learning unit 31 may automatically generate it. For example, the learning unit 31 automatically generates one or more vectors whose distance from each of the two or more vectors composed of two or more normal operation sets is equal to or greater than the threshold value. For example, in the learning unit 31, the distance from the vector of the average value of two or more vectors composed of each of two or more normal operation sets (the vector whose element is the average value of the elements of the two or more vectors) is equal to or greater than the threshold value. Automatically generate one or more vectors.

The determination unit 32 acquires abnormality information using the determination source information and the operation set accepted by the reception unit 2. The anomaly information is information regarding anomaly with respect to the operation set received by the reception unit 2. The abnormality information is, for example, information indicating that it is abnormal, information indicating that it is normal, information indicating an abnormal part in the operation set received by the reception unit 2, and the like. The information indicating the abnormal portion is, for example, an abnormal instruction sequence, rare operation information, and information for specifying rare operation information in the operation set received by the reception unit 2. The anomaly information is, for example, a report on anomalies. The anomaly information is, for example, the above-mentioned information regarding the anomaly of each group.

For example, the determination unit 32 constitutes an input vector from the operation set received by the reception unit 2, and acquires abnormality information by using the input vector and two or more normal operation vectors. The input vector may be called an operation set vector.

The determination unit 32 determines, for example, a procedure manual corresponding to the operation set received by the reception unit 2, and acquires abnormality information using two or more normal operation sets corresponding to the procedure manual.

The determination unit 32 applies, for example, the operation set received by the reception unit 2 to the learner by a machine learning algorithm, and acquires abnormality information.

The determination unit 32 determines an abnormality by, for example, one or more of the following methods (1) to (3). Note that (1) is outlier detection, (2) is detection by new time series features, and (3) is detection by rare features.
(1) Outlier detection

Outlier detection is to determine whether or not the entire set of operations for which anomaly is to be determined deviates from the normal set of operations.

The determination unit 32 applies, for example, the entire operation set received by the reception unit 2 to the determination source information, and acquires abnormal information regarding outliers.

The determination unit 32 includes, for example, an operation set vector that is a vector composed of the entire operation set received by the reception unit 2, and each normal operation set vector that is a vector composed of two or more normal operation sets. The distance is acquired, and it is determined whether or not the average value of the distance is equal to or greater than the threshold value. For example, when the average value of the distance is equal to or greater than the threshold value or greater than the threshold value, the determination unit 32 acquires abnormality information indicating that the distance is abnormal, and when the average value of the distance is equal to or less than the threshold value or is less than the threshold value, it is normal. Acquires abnormal information indicating that there is.

Further, the determination unit 32 acquires, for example, the average value of the normal operation set vector composed of two or more normal operation sets, and the distance between the average value and the operation set vector composed of the entire operation set. To determine whether the distance is greater than or equal to the threshold. The determination unit 32 acquires, for example, abnormal information indicating that the distance is abnormal when the distance is equal to or greater than the threshold value or is greater than the threshold value, and abnormal information indicating that the distance is normal when the distance is equal to or less than the threshold value or is less than the threshold value. To get.

The determination unit 32 may, for example, compare the operation set received by the reception unit 2 with the determination source information of the determination source information storage unit 11 to detect outliers by lof. More specifically, the determination unit 32 compares, for example, the operation set vector acquired from the operation set received by the reception unit 2 with each of the two or more normal operation set vectors of the determination source information storage unit 11. Outlier detection by lof may be performed. Since outlier detection by lof is a known technique, the description thereof will be omitted.

Further, the determination unit 32 applies, for example, the entire operation set received by the reception unit 2 to the above-mentioned learning device, and acquires abnormality information by a machine learning algorithm. When the learning device is a learning device that classifies whether it is abnormal or normal, the determination unit 32 applies the entire operation set received by the reception unit 2 to the above-mentioned learning device, and uses a machine learning algorithm. Acquires abnormality information indicating whether it is abnormal or normal.
(2) Detection by new time series features

The detection by the new time-series feature is the detection of anomalies related to the existence of a time-series operation sequence that does not appear in the normal operation set or is unlikely to appear in the operation set for which the abnormality is to be determined.

The determination unit 32 applies the continuous operation information to two or more normal operation sets of the determination source information storage unit 11 and acquires abnormality information. The continuous operation information is operation information of two or more operations that are continuous in time. The continuous operation information has two or more operation information.

The determination unit 32 acquires, for example, one or two or more operation information which is information of two or three or more continuous operation sequences from the operation set received by the reception unit 2, and the acquired operation information stores the determination source information. It detects whether or not it is included in two or more normal operation sets of unit 11. Then, the determination unit 32 acquires, for example, the number of appearances or the appearance ratio of new continuous operation information that is not included in the two or more normal operation sets of the determination source information storage unit 11. Then, for example, when the number of appearances or the appearance ratio is equal to or greater than the threshold value or greater than the threshold value, the determination unit 32 acquires abnormality information indicating that it is abnormal, and when it is below the threshold value or smaller than the threshold value, it indicates that it is normal. Get anomaly information. The determination unit 32 may acquire, for example, a value calculated by using an increase function having the number of appearances or the appearance ratio as a parameter as an abnormal score. The abnormal score is an example of abnormal information. Further, the appearance ratio of new continuous operation information is, for example, "the number of appearances of new continuous operation information in the operation set received by the reception unit 2 / the continuous operation information in the operation set received by the reception unit 2". It is calculated by "number".
(3) Detection by rare features

The detection by the rare feature is the detection of anomalies related to the existence of operations that do not appear in the normal operation set or are unlikely to appear in the operation set to be determined for the anomaly.

The determination unit 32 acquires the rare operation existence information regarding the existence of one or more rare operation information of the rare operation information storage unit 12 in the operation set received by the reception unit 2, and uses the rare operation existence information to make an abnormality. Get information. The rare operation existence information is, for example, the content rate of the rare operation information (the number of rare operation information / the number of operation information), the existence number of the rare operation information, whether or not the rare operation information exists, and the like.

The procedure manual determination means 321 determines the procedure manual using the operation set received by the reception unit 2. For example, the procedure manual determining means 321 constitutes a vector from the operation set received by the reception unit 2, and calculates the distance between the vector and each of two or more procedure manual information which is a vector of the procedure manual information storage unit 13. , The procedure manual corresponding to the procedure manual information with the shortest distance is determined as the procedure manual to be adopted. For example, the procedure manual determining means 321 constitutes a vector from the operation set received by the reception unit 2, calculates the distance between the vector and the vector of each group stored in the procedure manual information storage unit 13, and calculates the distance. The procedure manual corresponding to the smallest group is determined as the procedure manual to be adopted.

The procedure manual determination means 321 may determine the procedure manual by acquiring the procedure manual identifier received by the reception unit 2.

The normal operation set selection means 322 acquires two or more normal operation sets corresponding to the procedure manual determined by the procedure manual determination means 321 from the determination source information storage unit 11. In such cases, the normal operation set corresponds to the procedure manual. The normal operation set selection means 322 acquires, for example, two or more normal operation sets paired with the procedure manual identifier acquired by the procedure manual determination means 321 from the determination source information storage unit 11. Further, the normal operation set selection means 322 may acquire two or more normal operation sets paired with the server identifier included in the determination instruction received by the reception unit 2 from the determination source information storage unit 11.

The determination means 323 acquires abnormality information using two or more normal operation sets acquired by the normal operation set selection means 322. The determination means 323 does not have the procedure manual determination means 321 and the normal operation set selection means 322, and the abnormality information may be acquired by using all the normal operation sets.

Since the process of acquiring the abnormality information by the determination means 323 using two or more normal operation sets is described above, the description thereof will be omitted again. The process in which the determination means 323 acquires abnormality information using two or more normal operation sets is, for example, the above-mentioned (1) outlier detection, (2) detection by a new time series feature, and (3) a rare feature. It is a detection by.

The output unit 4 outputs the abnormality information acquired by the determination unit 32. Here, the output means display on a display, projection using a projector, printing by a printer, sound output, transmission to an external device, storage on a recording medium, storage on another processing device, another program, or the like. It is a concept that includes delivery of processing results.

The storage unit 1, the determination source information storage unit 11, the rare operation information storage unit 12, and the procedure manual information storage unit 13 are preferably non-volatile recording media, but can also be realized by a volatile recording medium.

The process in which information is stored in the storage unit 1 or the like does not matter. For example, the information may be stored in the storage unit 1 or the like via the recording medium, or the information transmitted via the communication line or the like may be stored in the storage unit 1 or the like. Alternatively, the information input via the input device may be stored in the storage unit 1 or the like.

The processing unit 3, the learning unit 31, the determination unit 32, the procedure manual determination unit 321, the normal operation set selection unit 322, and the determination unit 323 can usually be realized from an MPU, a memory, or the like. The processing procedure of the processing unit 3 is usually realized by software, and the software is recorded in a recording medium such as ROM. However, it may be realized by hardware (dedicated circuit).

The output unit 4 may or may not include an output device such as a display or a speaker. The output unit 4 may be realized by the driver software of the output device, the driver software of the output device, the output device, or the like.

Next, an operation example of the abnormality operation detection device A will be described with reference to the flowchart of FIG.

(Step S201) The reception unit 2 determines whether or not the determination instruction has been accepted. If the determination instruction is accepted, the process goes to step S202, and if the determination instruction is not accepted, the process proceeds to step S208.

(Step S202) The determination unit 32 acquires an operation set corresponding to the determination instruction in step S201. The determination unit 32 acquires, for example, the operation set of the determination instruction.

(Step S203) The determination unit 32 performs outlier detection processing on the operation set acquired in step S202. An example of outlier detection processing will be described with reference to the flowchart of FIG.

(Step S204) The determination unit 32 performs detection processing based on the new time series feature on the operation set acquired in step S202. An example of the new time-series feature detection process will be described with reference to the flowchart of FIG.

(Step S205) The determination unit 32 performs detection processing based on the rare feature on the operation set acquired in step S202. An example of the rare feature detection process will be described with reference to the flowchart of FIG.

(Step S206) The processing unit 3 configures abnormality information to be output using one or more abnormality information among the abnormality information acquired in step S203, step S204, and step S205.

(Step S207) The output unit 4 outputs the abnormality information configured in step S206. Return to step S201.

(Step S208) The reception unit 2 determines whether or not the learning instruction has been received. If the learning instruction is accepted, the process goes to step S209, and if the learning instruction is not accepted, the process returns to step S201.

(Step S209) The learning unit 31 performs a learning process. Return to step S201. The learning process will be described with reference to the flowchart of FIG.

In the flowchart of FIG. 2, the process ends when the power is turned off or an interrupt for the end of the process occurs.

Next, an example of the outlier detection process in step S203 will be described with reference to the flowchart of FIG.

(Step S301) The determination unit 32 substitutes 1 for the counter i.

(Step S302) The determination unit 32 determines whether or not the i-th normal operation set exists in the determination source information storage unit 11. If the i-th normal operation set exists, go to step S303, and if it does not exist, go to step S305.

(Step S303) The determination unit 32 acquires the i-th normal operation set from the determination source information storage unit 11 and acquires the vector from the i-th normal operation set. It should be noted that such a vector is a normal operation vector.

(Step S304) The determination unit 32 increments the counter i by 1. Return to step S302.

(Step S305) The determination unit 32 acquires the operation set vector from the operation set acquired in step S202.

(Step S306) The determination unit 32 determines whether or not the operation set vector acquired in step S305 is an outlier with respect to two or more normal operation vectors acquired in step S303. If there are outliers, go to step S307, and if there are no outliers, go to step S308. Whether or not it is an outlier is acquired by, for example, lof.

(Step S307) The determination unit 32 substitutes a value indicating “abnormality” into the variable “first abnormality information”. Return to higher-level processing. It should be noted that such a value indicates that the operation set to be inspected is an outlier.

(Step S308) The determination unit 32 substitutes a value indicating “normal” into the variable “first abnormality information”. Return to higher-level processing. It should be noted that such a value indicates that the operation set to be inspected is not an outlier.

Next, an example of the new time-series feature detection process in step S204 will be described with reference to the flowchart of FIG.

(Step S401) The determination unit 32 substitutes 1 for the counter i.

(Step S402) The determination unit 32 determines whether or not the i-th continuous operation information exists in the operation set acquired in step S202. If the i-th continuous operation information exists, the process goes to step S403, and if the i-th continuous operation information does not exist, the process goes to step S406.

(Step S403) The determination unit 32 acquires the i-th continuous operation information from the operation set acquired in step S202. The determination unit 32 is, for example, from an operation set that is a sequence of two or more operation information, while shifting the current operation information, n (n is a natural number of 2 or 3 or more) of continuous operation information. Acquires continuous operation information that is a column. The shift interval is usually 1, but may be n or the like.

(Step S404) The determination unit 32 acquires the number of occurrences of the i-th continuous operation information acquired in step S403 in two or more normal operation sets of the determination source information storage unit 11.

(Step S405) The determination unit 32 increments the counter i by 1. Return to step S402.

(Step S406) The determination unit 32 acquires the second abnormality information by using the number of appearances of the continuous operation information acquired in step S404. Return to higher-level processing.

The determination unit 32 acquires, for example, the number of continuous operation information in which the number of appearances acquired in step S404 is equal to or less than the first threshold value or less than the first threshold value (for example, 0), and the number is the second. When it is equal to or larger than the threshold value or larger than the second threshold value, a value indicating "abnormality" is assigned to the variable "second abnormality information". Further, the determination unit 32 acquires, for example, the number of continuous operation information in which the number of occurrences acquired in step S404 is equal to or less than the first threshold value or less than the first threshold value (for example, 0), and the number is the second. When it is below the threshold value or below the second threshold value, a value indicating "normal" is assigned to the variable "second abnormality information".

Further, the determination unit 32 acquires, for example, the number of continuous operation information for which the number of occurrences acquired in step S404 is equal to or less than the first threshold value or less than the first threshold value (for example, 0), and the number is used to obtain the number of continuous operation information. The ratio in the operation set to be inspected is acquired, and when the ratio is equal to or larger than the second threshold value or larger than the second threshold value, a value indicating "abnormality" is assigned to the variable "second abnormality information". Further, the determination unit 32 acquires, for example, the ratio of continuous operation information in which the number of appearances acquired in step S404 is equal to or less than the first threshold value or less than the first threshold value (for example, 0), and the ratio is second. When it is below the threshold value or below the second threshold value, a value indicating "normal" is assigned to the variable "second abnormality information".

Next, the rare feature detection process in step S205 will be described with reference to the flowchart of FIG.

(Step S501) The determination unit 32 performs an initialization process. The initialization process includes a process of substituting 0 for the variable "number of rare operations".

(Step S502) The determination unit 32 acquires the number of appearances of each element in the acquired operation set (operation set to be inspected). The element is usually operation information.

(Step S503) The determination unit 32 substitutes 1 for the counter i.

(Step S504) The determination unit 32 determines whether or not the i-th element exists in the acquired operation set (operation set to be inspected). If the i-th element exists, the process goes to step S505, and if the i-th element does not exist, the process goes to step S509.

(Step S505) The determination unit 32 acquires the i-th element in the acquired operation set (operation set to be inspected).

(Step S506) The determination unit 32 determines whether or not the i-th element acquired in step S505 is rare operation information. If the i-th element is rare operation information, the process goes to step S507, and if the i-th element is not the rare operation information, the process goes to step S508. Whether or not the i-th element is the rare operation information is determined by, for example, whether or not the i-th element exists in the rare operation information storage unit 12. That is, when the i-th element exists in the rare operation information storage unit 12, the determination unit 32 determines that the i-th element is the rare operation information. Further, the determination unit 32 calculates the number or ratio in which the i-th element exists in two or more normal operation sets of the determination source information storage unit 11, and when the number or ratio is equal to or less than the threshold value or smaller than the threshold value, the i-th element is the i-th element. Judge that the element of is rare operation information.

(Step S507) The determination unit 32 increments the variable “number of rare operations” by 1.

(Step S508) The determination unit 32 increments the counter i by 1. Return to step S504.

(Step S509) The determination unit 32 determines whether or not the value of the variable “number of rare operations” satisfies the condition. If the condition is satisfied, the process goes to step S510, and if the condition is not satisfied, the process goes to step S511. Here, the determination unit 32 determines whether or not the value of the variable "rare operation count" is large enough to satisfy a predetermined condition.

(Step S510) The determination unit 32 substitutes a value indicating “abnormality” into the variable “third abnormality information”. Return to higher-level processing. When the variable "third anomaly information" is a value indicating that it is "abnormal", it indicates that many rare operations have been performed.

(Step S511) The determination unit 32 substitutes a value indicating “normal” into the variable “third abnormality information”. Return to higher-level processing.

Next, the learning process of step S209 will be described with reference to the flowchart of FIG.

(Step S601) The learning unit 31 substitutes 1 for the counter i.

(Step S602) The learning unit 31 determines whether or not the i-th normal operation set exists. If the i-th normal operation set exists, the process goes to step S603, and if the i-th normal operation set does not exist, the process goes to step S605.

(Step S603) The learning unit 31 constitutes a normal operation vector from the i-th normal operation set.

(Step S604) The learning unit 31 increments the counter i by 1. Return to step S602.

(Step S605) The learning unit 31 substitutes 1 for the counter j.

(Step S606) The learning unit 31 determines whether or not the j-th abnormal operation set exists. If the j-th abnormal operation set exists, the process goes to step S603, and if the j-th abnormal operation set does not exist, the process goes to step S605.

(Step S607) The learning unit 31 constitutes an abnormal operation vector from the j-th abnormal operation set.

(Step S608) The learning unit 31 increments the counter j by 1. Return to step S602.

(Step S609) The learning unit 31 configures a learning device for performing learning processing using two or more normal operation vectors and one or more abnormal operation vectors and determining whether or not the operation set is normal.

(Step S610) The learning unit 31 stores the learning device configured in step S609 in the determination source information storage unit 11. Return to higher-level processing.

In the flowchart of FIG. 6, it is preferable that the learning unit 31 configures and stores a learning device for each procedure manual, each group of procedure manuals, or each server device.

Hereinafter, a specific operation example of the abnormality operation detection device A in the present embodiment will be described. First, two specific examples (Specific Example 1 and Specific Example 2) in which the determination source information is stored in the determination source information storage unit 11 will be described. Next, the process of selecting a cluster for detecting an abnormality will be described with reference to Specific Example 3. Next, each abnormality detection of outlier detection, new time-series feature detection, and rare feature detection will be described with reference to Specific Example 4, Specific Example 5, and Specific Example 6.
(Specific example 1)

A specific example 1 in which the determination source information is stored in the determination source information storage unit 11 will be described with reference to FIG. 7. In Specific Example 1, it is assumed that the user has performed various normal operations for system operation until the user logs in to the server device using the terminal device and logs out. It is assumed that the user has performed the work based on the procedure manual.

Then, in a terminal device (not shown), it is assumed that the operation information (window title and keyboard input) of the normal operation input by the user based on the procedure manual is recorded and the log data is accumulated. Then, it is assumed that the log data and the server identifier are transmitted from the terminal device to the abnormality operation detection device A. The log data is a normal operation set, and is an operation set for one session (from login to logout). Further, it is assumed that the server identifier is a server device that constitutes a system operated by the user and is stored in the terminal device.

Next, the reception unit 2 of the abnormal operation detection device A receives the normal operation set and the server identifier from the terminal device.

Next, the processing unit 3 of the abnormal operation detection device A vectorizes the normal operation set using, for example, Bag-of-Words, constitutes the normal operation set vector, associates it with the server identifier, and determines the determination source. It is stored in the information storage unit 11.

Further, the processing unit 3 clusters two or more normal operation set vectors corresponding to each server identifier. Then, as a result of such clustering, it is assumed that two or more normal operation set vectors corresponding to each server identifier are grouped for each procedure manual.

The log data, the server identifier, and the procedure manual identifier may be transmitted from the terminal device to the abnormality operation detection device A. In such a case, the reception unit 2 of the abnormal operation detection device A receives the normal operation set, the server identifier, and the procedure manual identifier from the terminal device. Then, the processing unit 3 vectorizes the normal operation set using, for example, Bag-of-Words, constitutes the normal operation set vector, and uses the received normal operation set vector as the received server identifier and procedure manual identifier. In association with and, it is stored in the determination source information storage unit 11.

It is assumed that the above processing has been performed for the operations of a large number of users. Then, two or more normal operation set vectors are accumulated in the determination source information storage unit 11 of the abnormal operation detection device A. The normal operation set vector is an example of the judgment source information.

The outline of the process of the above specific example 1 is shown in FIG. In FIG. 7, a word appearance frequency matrix is performed for a normal operation set by Bag-of-Words. For example, a normal operation set in which the operation information “ls” is “3” and “ping” is “2”. A vector is constructed. In addition, clustering corresponding to the server identifier and the procedure manual identifier is performed for the normal operation set vector. Further, in FIG. 7, one user operates on one server device based on a plurality of procedure manuals, but one user operates on a plurality of server devices based on a plurality of procedure manuals. May be performed, a plurality of users may perform an operation on one server device, or a plurality of users may perform one operation.
(Specific example 2)

A specific example 2 in which the determination source information is stored in the determination source information storage unit 11 will be described with reference to FIG. In the specific example 2, it is assumed that two or more procedure manual information is stored in the procedure manual information storage unit 13. Here, the procedure manual information is, for example, a file in which an operation procedure is described.

Then, the processing unit 3 vectorizes each of the two or more procedure manual information by, for example, Bag-of-Words. Then, the processing unit 3 clusters the acquired vector of the procedure manual, generates a set of similar procedure manuals, and creates the clustered vector of the procedure manual (for example, associated with the group identifier of the procedure manual). It is stored in the procedure manual information storage unit 13. The algorithm for vectorizing the procedure manual information does not matter.

Further, in the second embodiment, it is assumed that the user performs various normal operations for the system operation until the user logs in to the server device using the terminal device and logs out. It is assumed that the user has performed the work based on a certain procedure manual.

Then, in a terminal device (not shown), it is assumed that the operation information (window title and keyboard input) of the normal operation input by the user based on the procedure manual is recorded and the log data is accumulated. Then, it is assumed that the log data is transmitted from the terminal device to the abnormality operation detection device A. The log data is a normal operation set, and is an operation set for one session (from login to logout).

Next, the reception unit 2 of the abnormal operation detection device A receives the normal operation set from the terminal device.

Next, the processing unit 3 of the abnormal operation detection device A vectorizes the normal operation set using, for example, Bag-of-Words, constitutes the normal operation set vector, and stores it in the judgment source information storage unit 11. ..

Next, the processing unit 3 determines a set of procedure manual vectors corresponding to the acquired normal operation set vector from the acquired normal operation set vector and the set of the procedure manual vectors of the procedure manual information storage unit 13. For example, the processing unit 3 acquires a representative vector which is a representative value of the vector of the procedure manual for each group of the procedure manual, and associates it with the representative vector closest to the normal operation set vector. The representative vector is, for example, a set of elements consisting of the average value of each element of each vector in the procedure manual.

It is assumed that the above processing has been performed for a large number of user operations. Then, two or more normal operation set vectors are accumulated in the determination source information storage unit 11 of the abnormal operation detection device A in correspondence with the procedure manual.

The outline of the process of the above specific example 1 is shown in FIG. In FIG. 8, the vector is constructed from the procedure manual information, and the vector is constructed from the normal operation set (log data). In addition, the vectors of the procedure manual are clustered. Furthermore, a set of vectors in a clustered procedure manual is associated with a set of normal operation set vectors.
(Specific example 3)

A specific example 3 for explaining the cluster selection process for abnormality detection will be described with reference to FIG. In Specific Example 3, it is assumed that the subject performs various operations based on the procedure manual A during the period from logging in to the server device using the terminal device and logging out for system operation.

Then, it is assumed that the terminal device records the operation information (window title and keyboard input) of the operation input by the subject based on the procedure manual A, and accumulates the log data. Then, it is assumed that a determination instruction including log data is transmitted from the terminal device to the abnormality operation detection device A. The log data is an operation set to be inspected, and is an operation set for one session (from login to logout). Further, the server identifier is a server device that constitutes a system operated by the user.

Next, the reception unit 2 of the abnormal operation detection device A receives a determination instruction including an operation set from the terminal device.

The determination unit 32 acquires an operation set corresponding to the determination instruction. Next, the determination unit 32 constructs an operation set vector from the operation set using, for example, Bag-of-Words.

Next, the procedure manual determination means 321 of the determination unit 32 uses the operation set vector to determine the vector group of the procedure manual A, which is the vector group closest to the operation set vector. That is, the procedure manual determination means 321 determines the procedure manual A.

Next, the normal operation set selection means 322 acquires two or more normal operation sets corresponding to the procedure manual A from the determination source information storage unit 11. That is, the normal operation set selection means 322 acquires the log information according to the procedure manual A.

FIG. 9 is a diagram showing the concept of the process of the above specific example 3.
(Specific example 4)

A specific example 4 for explaining the outlier detection process will be described with reference to FIG.

The determination unit 32 acquires, for example, a normal operation set vector from each of two or more normal operation sets corresponding to the procedure manual A acquired in the specific example 3. It is assumed that the two or more normal operation set vectors (which may be called learning data) are 1001 in FIG. Note that 1001 in FIG. 10 is a normal log group.

Next, the determination unit 32 acquires the operation set vector from the operation set received from the terminal device. It is assumed that the operation set vector is 1002 in FIG. Note that 1002 in FIG. 10 is a new log.

Then, the determination unit 32 compares the operation set vector 1002 with the two or more normal operation set vectors 1001 and detects outliers by lof, and determines that the operation set vector 1002 is an outlier. ..

Next, the determination unit 32 substitutes a value indicating "abnormality" into the variable "first abnormality information".
(Specific example 5)

A specific example 5 for explaining the detection process by the new time series feature will be described with reference to FIG. In the specific example 5, for example, the determination unit 32 features-extracts the log data in one session and converts it into time-series data by bigram. Then, the determination unit 32 counts the number of features in the time series that do not exist in the past learning data, and detects an abnormality based on whether or not the threshold value is exceeded.

The determination unit 32 acquires, for example, two or more normal operation sets corresponding to the procedure manual A acquired in the specific example 3.

Next, the determination unit 32 acquires continuous operation information, which is two operation information, from the operation set, which is a new log received from the terminal device, while shifting the operation information one by one. Then, the determination unit 32 determines whether or not each continuous operation information appears in two or more normal operation sets. In FIG. 11, the continuous operation information of "E → B" in the operation set, which is a new log, does not appear in two or more normal operation sets.

Next, the determination unit 32 calculates the number of continuous operation information that did not appear in the two or more normal operation sets.

Next, the determination unit 32 determines whether or not the number of continuous operation information that does not appear in the two or more normal operation sets is equal to or greater than the threshold value. Here, it is assumed that the determination unit 32 determines that the value is less than the threshold value.

Next, the determination unit 32 substitutes a value indicating "normal" into the variable "second abnormality information".
(Specific example 6)

A specific example 6 for explaining the detection process based on the rare feature will be described with reference to FIG. In the specific example 6, for example, the determination unit 32 extracts the log data in one session, and determines whether or not the content rate of the feature having a number equal to or less than the threshold value A in the past learning data exceeds the threshold value B. It is assumed that an abnormality is detected. The feature here is operation information.

First, the determination unit 32 acquires a large amount of information on each set of operation information and the number of occurrences from two or more normal operation sets corresponding to the procedure manual A acquired in the specific example 3. Then, the determination unit 32 stores the operation information (here, “Z”) whose number of appearances is equal to or less than the threshold value A as the rare operation information in the rare operation information storage unit 12.

Next, the determination unit 32 acquires each of two or more operation information in order from the operation set which is a new log received from the terminal device. Then, the determination unit 32 determines whether or not the rare operation information storage unit 12 exists for each of the two or more operation information, and the operation information corresponding to the rare operation information existing in the rare operation information storage unit 12. Calculate the percentage (content rate).

Next, the determination unit 32 determines whether or not the content rate is equal to or higher than the threshold value B or larger than the threshold value B. Here, the determination unit 32 determines that the content rate is equal to or higher than the threshold value B or larger than the threshold value B, and substitutes a value indicating "abnormality" into the variable "third abnormality information".

Then, the processing unit 3 obtains, for example, the first abnormality information and the third abnormality information determined to be "abnormal" among the acquired first abnormality information, second abnormality information, and third abnormality information. It is assumed that the abnormal information to be output is configured by using.

Next, the output unit 4 outputs the configured abnormality information. An example of such an output is shown in FIG. In FIG. 13, it is clearly shown that the new log is an outlier and that the rare feature (Z) in the new log is.

As described above, according to the present embodiment, abnormal operations can be detected in system operation. As a result, the labor of the auditor can be reduced.

Further, according to the present embodiment, a part having a high degree of abnormality in one log can be identified, and a reduction in the amount of audit can be expected in general.

In this embodiment, the anomaly was detected mainly by using the log data in one session. However, for example, the abnormality operation detection device A may receive operation information in real time from the terminal device operated by the subject, and may perform a process of detecting an abnormality in the accumulated two or more operation information. The trigger for starting the process of detecting the abnormality by the abnormality operation detection device A is when the amount of two or more received operation information becomes large enough to satisfy a predetermined condition, or the operation time of the subject is increased. It is preferable that the length becomes long enough to satisfy a predetermined condition.

Further, the processing in the present embodiment may be realized by software. Then, this software may be distributed by software download or the like. Further, this software may be recorded on a recording medium such as a CD-ROM and disseminated. It should be noted that this also applies to other embodiments herein. The software that realizes the information processing device in this embodiment is the following program. That is, in this program, for example, the judgment source information based on the two or more normal operation sets relating to the two or more normal operation information that specifies the normal operation for the information system during system operation is included in one of the two or more procedure manuals. A reception unit that accepts an operation set having two or more operation information that specifies an operation performed by the inspected person on the information system, and a reception unit that can access the judgment source information storage unit that is stored correspondingly. Abnormal information that is information about anomalies with respect to the operation set using the judgment source information based on two or more normal operation sets corresponding to the procedure manual for the operation set accepted by the unit and the operation set received by the reception unit. It is a program for functioning as a determination unit for acquiring the above and an output unit for outputting the abnormality information.

Further, FIG. 14 shows the appearance of a computer that executes the program described in the present specification to realize the abnormality operation detection device A and the like in the various embodiments described above. The above-described embodiment can be realized by computer hardware and a computer program executed on the computer hardware. FIG. 14 is an overview view of the computer system 300, and FIG. 15 is a block diagram of the system 300.

In FIG. 14, the computer system 300 includes a computer 301 including a CD-ROM drive, a keyboard 302, a mouse 303, and a monitor 304.

In FIG. 15, in addition to the CD-ROM drive 3012, the computer 301 includes an MPU 3013, a bus 3014 connected to the MPU 3013, a CD-ROM drive 3012, a ROM 3015 for storing a program such as a boot-up program, and an MPU 3013. Includes a RAM 3016 for temporarily storing application program instructions and providing temporary storage space, and a hard disk 3017 for storing application programs, system programs, and data. Although not shown here, the computer 301 may further include a network card that provides a connection to the LAN.

Even if the program for causing the computer system 300 to execute the functions of the abnormal operation detection device A and the like according to the above-described embodiment is stored in the CD-ROM 3101, inserted into the CD-ROM drive 3012, and further transferred to the hard disk 3017. good. Alternatively, the program may be transmitted to the computer 301 via a network (not shown) and stored in the hard disk 3017. The program is loaded into RAM 3016 at run time. The program may be loaded directly from the CD-ROM3101 or the network.

The program does not necessarily have to include an operating system (OS), a third-party program, or the like that causes the computer 301 to execute the functions of the abnormality operation detection device A or the like according to the above-described embodiment. The program need only include a portion of the instruction that calls the appropriate function (module) in a controlled manner to obtain the desired result. It is well known how the computer system 300 works, and detailed description thereof will be omitted.

In the above program, in the step of transmitting information and the step of receiving information, the processing performed by the hardware, for example, the processing performed by the modem or the interface card in the transmission step (only performed by the hardware). Processing) is not included.

Further, the number of computers that execute the above program may be singular or plural. That is, centralized processing may be performed, or distributed processing may be performed.

Further, it goes without saying that in each of the above embodiments, the two or more communication means existing in one device may be physically realized by one medium.

It goes without saying that the present invention is not limited to the above embodiments, and various modifications can be made, and these are also included in the scope of the present invention.

As described above, the abnormality operation detection device according to the present invention has an effect of being able to detect an abnormality operation in system operation, and is useful as such.

A Abnormal operation detection device 1 Storage unit 2 Reception unit 3 Processing unit 4 Output unit 11 Judgment source information storage unit 12 Rare operation information storage unit 13 Procedure manual information storage unit 31 Learning unit 32 Judgment unit 321 Procedure manual determination means 322 Normal operation set Selection means 323 Judgment means

Claims (11)

Information during system operation Judgment source information based on two or more normal operation sets related to two or more normal operation information that identifies normal operation for the system is stored corresponding to one of the two or more procedure manuals. Information storage unit and
A reception unit that accepts an operation set that has two or more operation information that identifies the operation performed by the inspector on the information system.
It is information about anomaly with respect to the operation set by using the judgment source information based on two or more normal operation sets corresponding to the procedure manual for the operation set received by the reception unit and the operation set received by the reception unit. Judgment unit to acquire abnormal information and
An abnormality operation detection device including an output unit that outputs the abnormality information. The judgment unit
Using the operation set received by the reception unit, the procedure manual determination means for determining the procedure manual and the procedure manual determination means.
A normal operation set selection means for acquiring two or more normal operation sets corresponding to the procedure manual determined by the procedure manual determination means from the determination source information storage unit, and a normal operation set selection means.
The abnormality operation detection device according to claim 1, further comprising a determination means for acquiring abnormality information using two or more normal operation sets acquired by the normal operation set selection means. The reception department
It also accepts runbook identifiers that identify runbooks,
The judgment unit
A normal operation set selection means for acquiring two or more normal operation sets corresponding to the procedure manual identified by the procedure manual identifier received by the reception unit from the determination source information storage unit.
The abnormality operation detection device according to claim 1, further comprising a determination means for acquiring abnormality information using two or more normal operation sets acquired by the normal operation set selection means. The abnormal operation detection device according to any one of claims 1 to 3, wherein the normal operation set and the operation information are events generated by an operation and include internal event information regarding an event generated by an information system. The operation set accepted by the reception unit is
Information having operation information of two or more operations performed by the inspected person with respect to the information system during one session from login to logout.
The judgment unit
The abnormality operation detection device according to any one of claims 1 to 4, wherein the entire operation set received by the reception unit is applied to the determination source information to acquire abnormality information. The operation set accepted by the reception unit is
It has continuous operation information which is operation information of two or more consecutive operations performed by the inspected person on the information system.
The judgment unit
The abnormality operation detection device according to any one of claims 1 to 4, wherein the continuous operation information is applied to two or more normal operation sets of the determination source information storage unit to acquire abnormality information. It further includes a rare operation information storage unit that stores one or more rare operation information that is operation information that identifies a rare operation.
The judgment unit
A claim for acquiring rare operation existence information regarding the existence of one or more rare operation information of the rare operation information storage unit in the operation set received by the reception unit, and acquiring abnormal information using the rare operation existence information. The abnormality operation detection device according to any one of items 1 to 4. The normal operation set is
It is a normal operation vector composed of two or more normal operation information.
The judgment unit
6. Abnormal operation detection device. The judgment source information is
It is a learning device configured by a machine learning algorithm using the above two or more normal operation sets.
The judgment unit
The abnormality operation detection device according to any one of claims 1 to 8, wherein the operation set received by the reception unit is applied to the learning device by a machine learning algorithm to acquire abnormality information. Information during system operation Judgment source information based on two or more normal operation sets related to two or more normal operation information that identifies normal operation for the system is stored corresponding to one of the two or more procedure manuals. It is an abnormal operation detection method realized by an information storage unit, a reception unit, a judgment unit, and an output unit.
A reception step in which the reception unit receives an operation set having two or more operation information that specifies an operation performed by the inspected person on the information system.
The judgment unit uses the judgment source information based on two or more normal operation sets corresponding to the procedure manual for the operation set received in the reception step, and the operation set received in the reception step. Judgment step to acquire anomaly information, which is information about anomaly with respect to
An abnormality operation detection method in which the output unit includes an output step for outputting the abnormality information. Information during system operation Judgment source information based on two or more normal operation sets related to two or more normal operation information that identifies normal operation for the system is stored corresponding to one of the two or more procedure manuals. A computer that can access the information storage
A reception unit that accepts an operation set that has two or more operation information that identifies the operation performed by the inspector on the information system.
It is information about anomaly with respect to the operation set by using the judgment source information based on two or more normal operation sets corresponding to the procedure manual for the operation set received by the reception unit and the operation set received by the reception unit. Judgment unit to acquire abnormal information and
A program for functioning as an output unit that outputs the abnormality information.

Images