JP7156642B2 - Identification processing device, identification processing program, and identification processing method - Google Patents

Description

The present invention relates to an identification processing apparatus, an identification processing program, and an identification processing method, and can be applied, for example, to processing for identifying the types of devices connected to a network such as the Internet when managing the devices.

2. Description of the Related Art Conventionally, when monitoring or managing devices connected to a network such as the Internet, it is sometimes required to identify the types of those devices. At that time, as a conventional method for identifying a device to be monitored or managed (hereinafter referred to as a "target device"), a method of analyzing traffic data transmitted and received by the target device is suitable (for example, see Patent Documents 1 to 3). ).

In Patent Documents 1 to 3, the feature amount of traffic is statistically calculated from the traffic generated by the target device, and by using the feature amount in a machine learning device, etc., the application used by the target device and the type of device It is described about determining

JP 2012-175338 A JP 2015-050473 A Japanese Patent Application Laid-Open No. 2018-33106

However, the conventional method of identifying target devices by traffic analysis mainly targets devices that generate a large amount of traffic, such as PCs and smartphones, and does not generate such a large amount of traffic, such as IoT (Internet of Things) devices. There was a problem that it was difficult to identify the equipment.

Broadly targeting IoT devices, etc., considering what kind of IoT devices are connected to the network and determining whether they are in a normal state, for example, network switches, wireless LAN access points, routers, remote control It is also necessary to support IoT devices that generate almost no traffic, such as robots that operate automatically unless otherwise specified. Since these IoT devices generate almost no traffic, they are not subject to estimation of applications and devices in the conventional method, or they are not identified (recognized) as different because they do not provide statistically sufficient feature values. There was a high possibility that it would result in false positives.

Therefore, there is a demand for an identification processing apparatus, an identification processing program, and an identification processing method that can accurately identify even a target device that generates a small amount of traffic (for example, an IoT device).

The identification processing apparatus of the first aspect of the present invention comprises: (1) extraction means for acquiring extracted traffic data obtained by extracting traffic data related to a target device based on a predetermined extraction key; (3) acquiring the port scan feature of the target device based on the result of performing port scan processing on the target device; and (4) identification of the target device based on the portscan feature amount acquired by the portscan feature amount acquisition means and the traffic feature amount acquired by the traffic feature amount acquisition means. and device identification processing means for performing processing.

The identification processing program of the second aspect of the present invention comprises: (1) extracting means for acquiring extracted traffic data obtained by extracting traffic data related to a target device based on a predetermined extraction key; and (2) said extracting means (3) a port scan feature of the target device based on the result of performing port scan processing on the target device; (4) based on the portscan feature amount acquired by the portscan feature amount acquisition means and the traffic feature amount acquired by the traffic feature amount acquisition means, the target It is characterized by functioning as device identification processing means for performing device identification processing.

A third aspect of the present invention is an identification processing method performed by an identification processing device, comprising: (1) extraction means, traffic feature amount acquisition means, port scan feature amount acquisition means, and device identification processing means; means obtains extracted traffic data obtained by extracting traffic data related to the target device based on a predetermined extraction key; (4) the port scan feature acquisition means acquires the port scan feature of the target device based on the result of performing port scan processing on the target device; 5) The device identification processing means performs identification processing of the target device based on the port scan feature quantity acquired by the port scan feature quantity acquisition means and the traffic feature quantity acquired by the traffic feature quantity acquisition means. It is characterized by

Provided are an identification processing device, an identification processing program, and an identification processing method capable of accurately identifying even a target device with a small amount of traffic generated.

2 is a block diagram showing the connection configuration of each device and the functional configuration of an identification processing device according to the first and second embodiments; FIG. 4 is a flow chart showing the operation of the identification processing device according to the first embodiment; FIG. 4 is an explanatory diagram showing examples of terms that constitute a port scan feature amount according to the first embodiment; 8 is a flow chart showing the operation of the identification processing device according to the second embodiment;

(A) First Embodiment Hereinafter, a first embodiment of an identification processing apparatus, an identification processing program, and an identification processing method according to the present invention will be described in detail with reference to the drawings.

(A-1) Configuration of First Embodiment FIG. 1 is an explanatory diagram showing an example of a connection configuration of an identification processing device 10 according to this embodiment. Note that the symbols in parentheses in FIG. 1 are symbols used only in the second embodiment.

The identification processing device 10 performs identification processing regarding the target device 20 connected to the network 30 . It is assumed that one or more arbitrary target devices 20 are connected to the network 30 . In the following description, it is assumed that M units (M is an integer equal to or greater than 1) of target devices 20 (20-1 to 20-M) are connected to the network 30. FIG.

The target device 20 is a computer (for example, a PC, a tablet, a smart phone, etc.), an IoT device, or the like that can be connected to the network 30 .

Next, the internal configuration of the identification processing device 10 will be described.

As shown in FIG. 1 , the identification processing device 10 has a device estimation target input unit 11 , an estimation target flow extraction unit 12 , a feature value generation unit 13 , a port scan unit 14 and a device identification unit 15 .

The identification processing device 10 may be configured partially or wholly by software. For example, the identification processing device 10 may be configured by installing programs (including the identification processing program according to the embodiment) in a computer having a memory and a processor.

The device estimation target input unit 11 performs processing for receiving input of information (hereinafter referred to as “network information”) indicating a range on the network targeted for identification processing (range on the network to which the target device 20 is connected). conduct.

The specific form of the network information is not limited as long as it can indicate the range on the network that is the target of the identification process (the range on the network where the target device 20 exists). For example, "192.168.0.0/24, 192.168.1.0/24, ...") or a list of IP addresses (for example, "192.168.0.1, 192.168.0. 2, . Here, it is assumed that the network information received by the device estimation target input unit 11 is in the form of a network address. Here, as an example, it is assumed that the network information received by the device estimation target input unit 11 is information indicating one network address "192.168.0.0/24". The "/24" portion of "192.168.0.0/24" indicates the subnet mask length. Therefore, of "192.168.0.0/24", "192.168.0" (upper 24 bits) indicates the network part, and "0" (lower 8 bits) follows the network part. indicates the host part. Therefore, the range of IP addresses indicated by the network address "192.168.0.0/24" is "192.168.0.1" to "192.168.0.254".

Here, it is assumed that the network 30 is a network whose network address is "192.168.0.0/24". That is, the IP addresses of the target devices 20-1 to 20-M are one of "192.168.0.1" to "192.168.0.254", respectively.

Hereinafter, the IP address indicated by the network information received by the device estimation target input unit 11 will be referred to as a "target address". For example, if the network information received by the device estimation target input unit 11 is information of one network address "192.168.0.0/24", the target address indicated by the network information is " 192.168.0.1” to “192.168.0.254”.

The estimation target flow extraction unit 12 acquires traffic data related to target addresses (for example, packets whose source or destination is one of the target addresses), and extracts the acquired traffic data using a predetermined key (hereinafter referred to as “extraction (referred to as "key"), extracting (dividing) and obtaining traffic data for each extraction key (hereinafter referred to as "extracted traffic data"). The estimation target flow extraction unit 12 supplies each acquired extracted traffic data to the feature amount generation unit 13 . The configuration of the extraction keys used in the estimation target flow extraction unit 12 is not limited. In the example of this embodiment, it is assumed that 5 tuples (combination of source IP address, source port number, destination IP address, destination port number, and protocol number) are applied as extraction keys. If the extraction key is 5 tuples, each extracted traffic data will be the traffic data of one flow identified by 5 tuples. The estimation target flow extraction unit 12 adds extraction key information to each extracted traffic data, and supplies the extracted traffic data to the feature amount generation unit 13 .

The feature quantity generation unit 13 aggregates the extracted traffic data extracted by the estimation target flow extraction unit 12 and performs a process of extracting a feature quantity for each extraction key (hereinafter referred to as “traffic feature quantity FT”).

The port scanning unit 14 performs a port scan (for example, a process of recording responses obtained by accessing a predetermined port in a predetermined procedure) for each target address, and aggregates the results of the port scan for each target address. The feature amount information (hereinafter referred to as "port scan feature amount FP") is extracted. The port scan unit 14 performs, for example, a process of collecting information such as information on empty ports and information such as prompts obtained as responses during communication as a port scan.

The device identification unit 15 integrates the traffic feature amount FT obtained from the feature amount generation unit 13 and the port scan feature amount FP obtained from the port scan unit 14 (hereinafter referred to as “integrated feature amount FI”). called), and based on the integrated feature amount FI for each target address, a process of identifying the device corresponding to the target address is performed.

The method of classification (category) when the device identification unit 15 identifies the target device 20 is not limited. For example, the device identification unit 15 performs identification processing to classify the target device 20 by the type of device (device) (eg, client PC, server, router, switch, wireless LAN access point, IoT device, etc.). good too. In addition, after identifying the type of the target device 20, the device identification unit 15 may identify the target device 20 by a further subdivided classification. For example, when the device identification unit 15 identifies a certain target device 20 as a client PC, the device identification unit 15 may also perform processing to identify an application installed in the client PC. In addition, when the device identification unit 15 identifies a certain target device 20 as being an IoT device, the device identification unit 15 may further identify the type of device of the IoT device (for example, the type of device such as a sensor or camera). .

(A-2) Operation of First Embodiment Next, the operation of the identification processing apparatus (identification processing method according to the embodiment) of the first embodiment having the configuration as described above will be described.

First, it is assumed that network information is input to the device estimation target input unit 11 (S101). When network information is supplied to the device estimation target input unit 11 , the network information is supplied from the device estimation target input unit 11 to the estimation target flow extraction unit 12 and the port scan unit 14 .

Here, it is assumed that one network address "192.168.0.0/24" is input as network information and the target addresses are 192.168.0.1 to 192.168.0.254. .

When network information is supplied, the estimation target flow extraction unit 12 acquires traffic data for each target address indicated by the network information, acquires extracted traffic data for each extraction key from the acquired traffic data, and extracts each extracted traffic. The data is supplied to the feature quantity generation unit 13 (S102).

The estimation target flow extraction unit 12 acquires traffic data for each target address (192.168.0.1 to 192.168.0.254). The method by which the estimation target flow extraction unit 12 acquires traffic data for each target address (for example, a method for acquiring traffic data by monitoring traffic at each target address) is not limited. For example, the estimation target flow extraction unit 12 extracts data of traffic transmitted and received at each target address (for example, packet itself, or statistical data based on transmitted and received packets) may be acquired. The estimation target flow extraction unit 12 then divides the acquired traffic data for each extraction key to acquire extracted traffic data.

Next, the feature quantity generation unit 13 processes each extracted traffic data and extracts the traffic feature quantity FT for each extraction key (S103).

For example, the feature quantity generation unit 13 may acquire a value obtained by statistically processing the extracted traffic data (aggregated value) as the traffic feature quantity FT for each extraction key. In the example of this embodiment, the feature quantity generation unit 13 generates statistical values (extracted traffic Statistical value obtained from the data) is generated as the traffic feature quantity FT. Below, the packet size quartiles (first quartile to fourth quartile) are respectively packet size 25% value, packet size 50% value PS2, packet size 75% value, packet size 100 shall be called % value. Also, hereinafter, the packet size 25% value, the packet size 50% value, the packet size 75% value, and the packet size 100% value are represented as PS1, PS2, PS3, and PS4, respectively. Furthermore, in the following, the quartile values of the packet arrival interval (first quartile value to fourth quartile value) are defined as 25% packet arrival interval value, 50% packet arrival interval value, 75% packet arrival interval value, respectively. % value shall be referred to as 100% value of packet arrival interval. Furthermore, hereinafter, the 25% value of the packet arrival interval, the 50% value of the packet arrival interval, the 75% value of the packet arrival interval, and the 100% value of the packet arrival interval are denoted by PR1, PR2, PR3, and PR4, respectively. Here, it is assumed that the traffic feature quantity FT is expressed in a format such as the following (1) formula. Specifically, for example, if PS1 = 20, PS2 = 1000, PS3 = 1250, PS4 = 1500, PR1 = 4, PR2 = 15, PR3 = 20, PR4 = 250, the traffic feature quantity FT is as follows (2 ) can be expressed as
Traffic feature FT
=[PS1, PS2, PS3, PS4, PR1, PR2, PR3, PR4] (1)
Traffic feature FT
=[PS1, PS2, PS3, PS4, PR1, PR2, PR3, PR4]
= [20, 1000, 1250, 1500, 4, 15, 20, 250] (2)

As described above, the feature amount generation unit 13 acquires the traffic feature amount FT for each flow (for each extraction key). is added and supplied to the device identification unit 15 .

On the other hand, the port scanning unit 14 performs a port scan for each target address, and acquires information obtained by aggregating the results of the port scanning for each target address and forming a feature quantity as a port scan feature quantity FP (S104).

Note that the process of acquiring the traffic feature amount FT (the process of the estimation target flow extraction unit 12 and the feature amount generation unit 13; the process of steps S102 and S103) and the process of acquiring the port scan feature amount FP (the port scan unit (processing of step S104) may be executed serially as shown in the flowchart of FIG. 2, or may be executed in parallel.

The specific processing contents of the port scan performed by the port scan unit 14 are not limited. For example, the port scanning unit 14, as a port scanning process, obtains the availability status of a predetermined TCP port, authentication information (for example, information on a permitted authentication method) for a predetermined service (for example, SSH (Secure Shell), etc.). may be confirmed.

In the example of this embodiment, the contents of port scanning performed by the port scanning unit 14 will be described with reference to FIG.

In the example of this embodiment, the port scanning unit 14 scans TCP port 80 (HTTP: Hypertext Transfer Protocol), port 443 (HTTPS: HTTP over TLS/SSL), and port 22 (SSH: Secure Shell). ), check the availability of port 23 (Telnet) (check whether it is available), and check authentication information for SSH (TCP port number 22) (password authentication permission status (enabled or not) (valid or invalid), and the permission status of certificate authentication (valid or invalid)). The items of the port scan performed by the port scan unit 14 are not limited to the contents shown in FIG. For example, the number of ports for which the port scan unit 14 checks availability may be increased from the example of FIG. Further, the method of port scanning performed by the port scanning unit 14 is not limited to the above example, and various port scanning processes can be applied.

Here, it is assumed that the port scan unit 14 performs port scan processing for the six items shown in FIG. 3 (identifiers of these items are hereinafter referred to as "F1" to "F6"). FIG. 3 shows the port scan contents and set values (output values) for items F1 to F6.

As shown in FIG. 3, items F1 to F4 are items related to TCP port availability. Items F1 to F4 are items indicating confirmation of the availability (availability or nonavailability) of TCP ports 80, 443, 22, and 23, respectively. Items F1 to F4 are set to "0" when the relevant port is not available, and are set to "1" when the relevant port is available.

As shown in FIG. 3, item F5 indicates whether or not password authentication is permitted (password This item indicates whether the authentication is valid or invalid). In item F5, "1" is set when SSH password authentication is enabled (permitted), and "0" is set when SSH password authentication is disabled (not permitted). be done.

Furthermore, as shown in FIG. 3, item F6 indicates whether or not certificate authentication is permitted (for example, a character string output with a prompt) when SSH (TCP port 22) is accessed. This item indicates whether the certificate authentication is valid or invalid). In item F6, "1" is set when SSH certificate authentication is valid (permitted), and "0" is set when SSH certificate authentication is invalid (not permitted). is set.

Here, it is assumed that the port scanning unit 14 expresses the port scanning feature quantity FP based on the above-described port scanning processing of F1 to F6 in a format such as the following equation (3). Specifically, for example, if F1 = 1, F2 = 1, F3 = 0, F4 = 0, F5 = 0, and F6 = 1, the port scan feature amount FP can be expressed by the following equation (4). can be done.
Port scan feature quantity FP = [F1, F2, F3, F4, F5, F6] (3)
Port scan feature quantity FP = [F1, F2, F3, F4, F5, F6]
=[1,1,0,0,0,1] (4)

As described above, the port scanning unit 14 acquires the port scanning feature amount FP based on the port scanning result, and stores the port scanning feature amount FP as time information (information on the time when the port scanning was performed) and the IP address ( (target address for which port scanning was performed) is added, and supplied to the device identification unit 15 .

Next, the device identification unit 15 uses the traffic feature amount FT supplied from the feature amount generation unit 13 and the port scan feature amount FP supplied from the port scan unit 14 as keys (hereinafter referred to as " (referred to as "concatenated key information"), and an integrated feature quantity FI is generated and held (S105). At this time, the device identification unit 15 adds and holds a target address (a target address corresponding to the concatenated port scan feature quantity FP) when generating the integrated feature quantity FI.

For example, the device identification unit 15 searches for a port scan feature FP that matches the time information added to each traffic feature FT and the IP address (for example, either the source IP address or the destination IP address of the extraction key). Then, if there is a corresponding port scan feature quantity FP, the traffic feature quantity FT and the port scan feature quantity FP are concatenated (associated) to generate an integrated feature quantity FI. Then, the device identification unit 15 adds an IP address (target address corresponding to the concatenated port scan feature amount FP) to the generated integrated feature amount FI and holds it. Note that the device identification unit 15 may regard the supplied traffic feature amount FT and port scan feature amount FP as data of the same time information, and process the time information by abstracting it from the concatenated key information.

For example, when the traffic feature quantity FT shown in the formula (2) and the port scan feature quantity FP shown in the formula (4) are concatenated to generate the integrated feature quantity FI, the contents are as shown in the following formula (5). .
integrated feature quantity FI=traffic feature quantity FT|port scan feature quantity FP
=[F1, F2, F3, F4, F5, F6, PS1, PS2,
PS3, PS4, PR1, PR2, PR3, PR4]
=[20,1000,1250,1500,4,15,20,250
1, 1, 0, 0, 0, 1] (5)

Next, the device identification unit 15 performs processing for identifying the target device 20 corresponding to the target address added to the integrated feature quantity FI based on each integrated feature quantity FI (S106). Note that, when a plurality of integrated feature amounts FI are obtained for one target address, the device identification unit 15 may perform identification processing of the target address based on the plurality of integrated feature amounts FI. good.

The logic of the process by which the device identification unit 15 identifies the target device 20 corresponding to the target address based on the obtained integrated feature quantity FI is not limited. For example, the device identification unit 15 registers in advance an identification result corresponding to the pattern of the integrated feature quantity FI (hereinafter, data of a combination of the registered pattern and the identification result is referred to as a “registered pattern”). The integrated feature quantity FI thus obtained may be collated (matched) with the registered contents so as to correspond to the matching registered pattern. In addition, the logic used for the device identification unit 15 may be a method using a machine learning device such as a neural network or SVM (Support Vector Machine) in addition to the above-described predetermined simple logic. can be For example, in the device identification unit 15, a machine learning device (not shown) receives a correct answer (correct identification result) corresponding to the pattern of the integrated feature quantity FI in advance and learns it, and based on the learning model, a newly input integrated feature It is determined to which device the quantity FI has the closest feature amount, and the device is identified as the closest device.

(A-3) Effects of First Embodiment According to the first embodiment, the following effects can be obtained.

In the identification processing device 10 of the first embodiment, the port scanning unit 14 is provided, and the target device 20 is identified using the integrated feature amount FI obtained by integrating the traffic feature amount FT and the port scan feature amount FP. As a result, even if the target device 20 is an IoT device that generates little or no traffic, it is possible to obtain an identification result with higher accuracy than in the past.

In addition, in the identification processing device 10 of the first embodiment, even if the target devices 20 have similar traffic trends and the identification processing using only the traffic feature amount FT causes an erroneous detection, This has the effect of reducing erroneous detection and enabling more accurate identification.

(B) Second Embodiment Hereinafter, a second embodiment of the identification processing apparatus, identification processing program, and identification processing method according to the present invention will be described in detail with reference to the drawings.

(B-1) Configuration of Second Embodiment The identification processing apparatus 10A of the second embodiment can also be shown using FIG.

In FIG. 1, symbols in parentheses are symbols used only in the second embodiment.

In the identification processing device 10A of the second embodiment, the estimation target flow extraction unit 12, the feature amount generation unit 13, and the port scan unit 14 are configured as follows. , which is different from the first embodiment.

In the identification processing device 10 of the first embodiment, the process of acquiring the traffic feature amount FT (the process of the estimation target flow extraction unit 12 and the feature amount generation unit 13; the process of steps S102 and S103), the port scan feature amount A configuration has been described in which the process of acquiring the FP (the process of the port scan unit 14; the process of step S104) is executed in parallel. On the other hand, in the identification processing device 10A of the second embodiment, first, only the traffic feature amount FT is extracted, and identification processing is performed based only on the traffic feature amount FT. Only when there is a target device 20 (target address) for which only a detection accuracy of is obtained (the number of false detections is greater than a predetermined number), the port scan feature quantity FP is further acquired, and identification processing based on the integrated feature quantity FI is performed.

For example, there is a tendency for the accuracy to be low when identifying a target address (target device 20) for which only a small amount of traffic (for example, the total number of packets transmitted and received or the total amount of data) has occurred. Therefore, in the identification processing device 10A of the second embodiment, when there is a target address (target device 20) for which traffic volume is less than the threshold, port scan processing is performed on at least the target address to It is assumed that the scan feature amount FP is acquired and identification processing is performed based on the integrated feature amount FI.

Specifically, in the identification processing device 10A of the second embodiment, first, the estimation target flow extraction unit 12A and the feature amount generation unit 13A acquire the traffic feature amount FT. Identification processing is performed for each target address (each target device 20) based only on the feature amount FT.

Regarding the logic (method) for the device identification unit 15A to perform identification processing for each target address (each target device 20) based only on the traffic feature quantity FT, similar to the identification processing based on the integrated feature quantity FI described above, A prescribed simple logic (for example, identification processing based on the result of matching with the registered pattern described above) or identification processing using a machine learning device can be applied.

(B-2) Operation of Second Embodiment Next, the operation (identification processing method according to the embodiment) of the identification processing apparatus 10A of the second embodiment having the configuration as described above will be described.

First, in the identification processing device 10A of the second embodiment, the processing of steps S201 to S203 (the processing of accepting input of network information and acquiring the traffic feature amount FT) is the processing of S101 to S103 of the first embodiment. Since it is the same as , detailed description is omitted.

Next, the device identification unit 15A performs identification processing for each target address based only on the traffic feature amount FT (S204).

Next, the device identification unit 15A inquires of the feature amount generation unit 13 to confirm whether or not there is a target address for which the amount of traffic generated is less than or equal to the threshold (S205). It should be noted that the confirmation of the presence or absence of the target address that generated only the traffic amount equal to or less than the threshold is performed in the process of the feature amount generation unit 13 generating the traffic feature amount FT, and the result is reported to the device identification unit 15A. can be

If there is no target address for which the amount of traffic generated is less than or equal to the threshold, the device identification unit 15A terminates the process. In this case, the device identification unit 15A uses the result of identification processing based only on the traffic feature amount FT as the final result.

On the other hand, if there is a target address for which the traffic volume is less than or equal to the threshold, the device identification unit 15A controls the port scan unit 14 to perform a port scan and The process of generating the port scan feature quantity FP is executed (S206).

Then, the device identification unit 15A generates an integrated feature amount FI based on the traffic feature amount FT obtained from the feature amount generation unit 13 and the port scan feature amount FP obtained from the port scan unit 14 (S207).

Then, based on the generated integrated feature quantity FI, the device identification unit 15A performs identification processing on the target addresses for which only the traffic volume equal to or less than the threshold occurs (S208), and ends the processing. In this case, the device identification unit 15A treats the identification processing result based on the integrated feature amount FI as the final result for the target addresses that generated only the traffic amount equal to or less than the threshold, and treats the other target addresses as the traffic feature amount FT. Treat the result of the identification process based on only as the final result.

(B-3) Effects of Second Embodiment According to the second embodiment, the following effects can be obtained.

In the second embodiment, the port scan is performed only for the target device 20 (target address) for which only the traffic feature quantity FT can provide detection accuracy equal to or lower than a predetermined value (the number of false detections is greater than a predetermined value). As a result, in the second embodiment, it is possible to suppress traffic due to port scanning generated by the port scanning unit 14 (reduce the load on the network 30). As a result, when the second embodiment is applied, the load on a network with a low bit rate such as a factory network can be reduced.

(C) Other Embodiments The present invention is not limited to the above-described embodiments, and modified embodiments such as those illustrated below can be exemplified.

(C-1) In the estimation target flow extraction units 12 and 12A of the above-described embodiments, an example of using 5 tuples as an extraction key has been described. may be used. In the estimation target flow extracting units 12 and 12A, the combination of the source IP address and the destination IP address is used as the extraction key instead of 5 tuples to extract the extraction traffic data. The amount of calculation can be reduced according to the number of connection partners. When using a combination of a source IP address and a destination IP address as an extraction key, this is not the calculation of an unspecified number of flows for the connection destination of one target device 20, but the number of flows for one connection destination for one target device 20. This is because it is good for calculating statistics.

Alternatively, the estimation target flow extraction units 12 and 12A may use only the source IP address as the extraction key. In this case, the estimation target flow extraction units 12 and 12A acquire the traffic feature quantity FT based on the extracted traffic data for all flows for each source IP address. As a result, the estimation target flow extracting units 12 and 12A can reduce the amount of calculation according to the number of target devices 20 regardless of the size of the flow.

DESCRIPTION OF SYMBOLS 10... Identification processing apparatus, 11... Device estimation target input part, 12... Estimation target flow extraction part, 13... Feature amount generation part, 14... Port scan part, 15... Device identification part, 20, 20-1 to 20-M ... target device, 30 ... network.

Claims (8)

extraction means for acquiring extracted traffic data obtained by extracting traffic data related to a target device based on a predetermined extraction key;
a traffic feature amount acquisition means for extracting a traffic feature amount for each divided traffic data based on the classified data extracted by the extraction means;
a port scan feature quantity acquiring means for acquiring a port scan feature quantity of the target device based on a result of performing port scan processing on the target device;
device identification processing means for performing identification processing of the target device based on the port scan feature quantity acquired by the port scan feature quantity acquisition means and the traffic feature quantity acquired by the traffic feature quantity acquisition means; An identification processor characterized by: 2. The identification processing apparatus according to claim 1, wherein said device identification processing means performs identification processing for said target device based on an integrated feature amount obtained by integrating said port scan feature amount and said traffic feature amount. 3. The identification processing apparatus according to claim 2, wherein the device identification processing means uses a machine learning model to perform identification processing for the target device based on integrated features. 4. The identification processing apparatus according to any one of claims 1 to 3, wherein said extraction means applies 5 tuples as said extraction key. 4. The identification processing apparatus according to claim 1, wherein said extraction means uses a combination of a source address and a destination address as said extraction key. 4. The identification processing apparatus according to any one of claims 1 to 3, wherein said extraction means uses a source address as said extraction key. the computer,
extraction means for acquiring extracted traffic data obtained by extracting traffic data related to a target device based on a predetermined extraction key;
a traffic feature amount acquisition means for extracting a traffic feature amount for each divided traffic data based on the classified data extracted by the extraction means;
a port scan feature quantity acquiring means for acquiring a port scan feature quantity of the target device based on a result of performing port scan processing on the target device;
Based on the port scan feature quantity acquired by the port scan feature quantity acquisition means and the traffic feature quantity acquired by the traffic feature quantity acquisition means, it functions as device identification processing means for performing identification processing of the target device. An identification processing program characterized by: In the identification processing method performed by the identification processing device,
having extraction means, traffic feature amount acquisition means, port scan feature amount acquisition means, and device identification processing means,
The extracting means acquires extracted traffic data obtained by extracting traffic data related to the target device based on a predetermined extraction key,
The traffic feature amount acquisition means extracts a traffic feature amount for each divided traffic data based on the classified data extracted by the extraction means,
The port scan feature amount acquiring means acquires the port scan feature amount of the target device based on the result of performing port scan processing on the target device,
The device identification processing means performs identification processing of the target device based on the port scan feature quantity acquired by the port scan feature quantity acquisition means and the traffic feature quantity acquired by the traffic feature quantity acquisition means. Characterized identification processing method.

Images