JP7192155B1 - Anomaly detection server, anomaly detection system, and anomaly detection method - Google Patents

Abstract

An anomaly detection server, an anomaly detection system, and an anomaly detection method according to an embodiment of the present disclosure are intended to quickly detect network anomalies. An anomaly detection server according to an embodiment of the present disclosure includes an acquisition unit that acquires startup log information, which is log information created at startup, from each of a plurality of communication devices via a network; Exclusion processing unit that excludes the startup log information from the target of abnormality detection when the cause of the communication device startup is not based on an abnormality, and the number of remaining startup log information that was not excluded by the exclusion processing unit is counted every predetermined period of time, an abnormality determination unit determines whether there is an abnormality in the network by comparing the counted number of startup log information with a predetermined threshold value, and the determination result of the abnormality determination unit is output. and an output unit for outputting. [Selection drawing] Fig. 1

Description

The present invention relates to an anomaly detection server, an anomaly detection system, and an anomaly detection method.

Conventionally, there is known a communication analysis method capable of determining the content of an anomaly when an anomaly is detected on a network (for example, Patent Document 1). The communication analysis method described in Patent Literature 1 extracts analysis target information corresponding to condition information for anomaly detection from information generated in a network device, and generates a feature value based on the extracted analysis target information. Then, based on the detection result detected based on the feature amount, the details of the abnormality occurring in the network are determined.

However, in the communication analysis method described in Patent Document 1, it is necessary to newly generate a feature amount for detecting network anomalies, which increases man-hours for detecting network anomalies and causes network anomalies. There is a problem that it is difficult to quickly detect anomalies.

Japanese Patent Application Laid-Open No. 2019-80201

An anomaly detection server, an anomaly detection system, and an anomaly detection method according to an embodiment of the present disclosure aim to quickly detect an anomaly in a network or communication equipment.

An anomaly detection server according to an embodiment of the present disclosure includes an acquisition unit that acquires startup log information, which is log information created at startup, from each of a plurality of communication devices via a network, and the acquired startup log information However, if the cause of the startup of the communication device is not based on an abnormality, an exclusion processing unit that excludes it from the targets of abnormality detection, and the number of remaining startup log information that has not been excluded by the exclusion processing unit is counted every predetermined period. an abnormality determination unit that determines whether there is an abnormality in the network by comparing the counted number of startup log information with a predetermined threshold value; and an output unit that outputs the determination result of the abnormality determination unit. , is characterized by having

In the anomaly detection server according to an embodiment of the present disclosure, the exclusion processing unit may exclude activation log information in which the cause of activation of the communication device is known in advance from the targets of anomaly detection.

In the anomaly detection server according to an embodiment of the present disclosure, the exclusion processing unit performs at least when the communication device is forcibly started, when the firmware of the communication device is changed, or when the mode or band of the communication device is changed. The startup log information created when changed may be excluded from the targets of abnormality detection.

In the anomaly detection server according to an embodiment of the present disclosure, the exclusion processing unit may exclude activation log information created based on the lifestyle habits of the user of the communication device from the targets of anomaly detection.

In the anomaly detection server according to an embodiment of the present disclosure, the exclusion processing unit generates the activation log information based on the lifestyle habits of the user based on the activation log information acquired over a predetermined period of time. The patterns are preferably learned by machine learning.

In the anomaly detection server according to an embodiment of the present disclosure, the anomaly determination unit may determine the presence or absence of an anomaly based on the degree of deviation from the average value.

The anomaly detection server according to an embodiment of the present disclosure may further include a power outage anomaly estimating unit that estimates the presence or absence of an anomaly based on the power outage based on the boot log information acquired when the power outage occurs.

An anomaly detection system according to an embodiment of the present disclosure is an anomaly detection system having a plurality of communication devices and a server connected to the plurality of communication devices via a network, wherein each of the plurality of communication devices is The server has a startup log information creation unit that creates startup log information at startup and a transmission/reception unit that transmits the startup log information, and the server includes an acquisition unit that acquires the startup log information from each of the plurality of communication devices, If the acquired startup log information is not based on an abnormality, the exclusion processing unit that excludes it from the target of abnormality detection, and the remaining startup log information that was not excluded by the exclusion processing unit. an abnormality determination unit that determines whether there is an abnormality in the network by comparing the counted number of startup log information with a predetermined threshold value; and the determination result of the abnormality determination unit. and an output unit for outputting.

In an anomaly detection method according to an embodiment of the present disclosure, an acquisition unit acquires startup log information, which is log information created at the time of startup, from each of a plurality of communication devices via a network, and an exclusion processing unit , if the acquired startup log information is not based on an abnormality that caused the communication device to start up, it is excluded from the object of abnormality detection, and the counting unit detects the remaining startup log information that has not been excluded by the exclusion processing unit. is counted for each predetermined period, and the abnormality determination unit compares the counted number of startup log information with a predetermined threshold value to determine whether or not there is an abnormality in the network, and the output unit outputs the error determination unit. It is characterized by outputting a judgment result.

According to an anomaly detection server, an anomaly detection system, and an anomaly detection method according to an embodiment of the present disclosure, it is possible to quickly detect an anomaly in a network or communication device.

1 is a schematic configuration diagram of an anomaly detection system according to an embodiment of the present disclosure; FIG. 7 is a graph showing an example of temporal change in the number of boot log information detected using the anomaly detection system according to an embodiment of the present disclosure; 1 is a configuration block diagram of a communication device that configures an anomaly detection system according to an embodiment of the present disclosure; FIG. 6 is an example of a list of startup log information acquired by the server from the communication device in the anomaly detection system according to the embodiment of the present disclosure; 7 is an example of a graph representing the relationship between the number of pieces of boot log information based on a user's lifestyle and time among the boot log information acquired by the server from the communication device in the anomaly detection system according to the embodiment of the present disclosure. 7 is a graph showing an example of a case where the number of acquired boot log information is applied to a normal distribution in the anomaly detection system according to an embodiment of the present disclosure; 7 is an output example of anomaly detection results for each communication device detected using the anomaly detection system according to an embodiment of the present disclosure; 4 is a flowchart for explaining the operation procedure of the anomaly detection system according to an embodiment of the present disclosure; Shows a list of the number of startup log information determined to be abnormal for multiple regions and models detected using the anomaly detection system according to an embodiment of the present disclosure, (a) shows FIG. 10B is a detection result, and (b) is a detection result on another day different from the specific day.

Hereinafter, an anomaly detection server, an anomaly detection system, and an anomaly detection method according to the present invention will be described with reference to the drawings. However, it should be noted that the technical scope of the present invention is not limited to those embodiments, but extends to the invention described in the claims and equivalents thereof.

First, an overview of the anomaly detection system according to the first embodiment of the present disclosure will be described. FIG. 1 shows a schematic configuration diagram of an anomaly detection system 1000 according to an embodiment of the present disclosure. The anomaly detection system 1000 has a plurality of communication devices 20 and an anomaly detection server (hereinafter simply referred to as “server”) 10 connected to the plurality of communication devices 20 via a network 30 .

The multiple communication devices 20 are, for example, a WiFi router 20a, a fixed-telephone communication device 20b, and a broadband router 20c. However, the communication device 20 is not limited to these examples.

A plurality of communication devices 20 communicate with a plurality of terminals 40 . The terminal 40 is, for example, a mobile terminal such as a smart phone, a computer such as a desktop personal computer or a notebook personal computer, a landline telephone, or the like.

When the communication device 20 is activated (rebooted), “activation log information”, which is information indicating that activation has been performed, is created and transmitted to the server 10 . The server 10 can recognize when and which communication device was restarted by collecting the startup log information.

FIG. 2 shows an example of temporal changes in the number of boot log information detected using the anomaly detection system 1000 according to an embodiment of the present disclosure. In the example shown in FIG. 2, the number of startup log information increased sharply around 12:00 on February 2, and it is assumed that some kind of abnormality has occurred. However, when the cause of the restart of the communication device 20 is known, such as when the restart of the communication device 20 is performed by remote control from the server 10 side, it is considered not to be the target of abnormality detection. It is necessary to exclude the count from the number of boot log information detected. The anomaly detection system 1000 according to an embodiment of the present disclosure determines whether or not there is an anomaly in the network 30 or the communication device 20 by analyzing the number of startup log information.

As a case where the communication device 20 is restarted, there are a case where the cause of the restart is known and a case where the cause of the restart is not found. Cases where the cause of the restart is known include cases where the user intentionally restarts the device by remote control to update the application software that drives the communication device, or when the user does not operate the device after updating the firmware. In some cases, the communication device 20 is restarted. Also, the user may restart the communication device 20 when the communication mode or band is changed. In these cases, the update of the application software, the update of the firmware, etc. are managed by the server 10 or the like, so the cause of the restart of the communication device 20 is known in advance.

Cases in which the cause of the restart of the communication device 20 is unknown include a case in which the restart is performed due to an abnormality in the network or the communication device, and a case in which the restart is performed even if the network or the communication device is operating normally. There are cases where it is presumed that the cause of activation of the communication device is not based on an abnormality. It should be noted that cases in which the cause of the restart is unknown include cases in which it is difficult for the network administrator to grasp the cause of the restart. For example, when an abnormality occurs in a communication device and the communication device automatically stops due to the operation of the built-in watchdog timer, a signal indicating that the watchdog timer has been activated is normally output to the outside of the communication device. Moreover, it is difficult for network administrators to grasp in advance the specifications of the watchdog timers of all communication devices in detail.

As a case where a restart is performed even if the network and communication equipment are operating normally, the user turns off the power of the communication equipment 20 when the terminal 40 is not in use, and turns off the power when the terminal 40 is in use. There is a case to turn ON. Thus, when the user turns on the power of the communication device 20 , an activation log is created and the activation log information is transmitted to the server 10 . For example, the user may turn on the power of the communication device 20 around 9:00 in the morning to use the terminal 40 for work. Also, the user may turn on the terminal of the communication device 20 at home in order to use the terminal 40 at home after returning home. Therefore, in these cases, it is presumed that the temporal change in the number of activation log information items acquired by the server 10 from the communication device 20 has a pattern that reflects the life rhythm of the user. The startup log information created based on the user's lifestyle pattern in this way is not created due to an abnormality in the network or communication equipment, and is therefore not subject to abnormality detection. 20 must be excluded from the startup log information.

The activation log information described above indicates that the cause of activation of the communication device 20 is known in advance, or that the cause of activation of the communication device 20 is presumed not to be based on an abnormality. If the server 10 receives a predetermined number or more of boot log information from the communication device 20 separately from such boot log information, it is presumed that some kind of abnormality has occurred in the network 30 or the communication device 20 .

It is conceivable that the user himself/herself restarts the communication device 20 when some kind of abnormality occurs in the network 30 or the communication device 20 . For example, when a delay occurs in the network or the communication speed drops, the problem may be solved by restarting the communication device 20, so it is considered that the user will attempt restarting.

In addition, unlike the terminal 40, the communication device 20 is generally powered from an outlet in many cases. Therefore, for example, when the power supply is stopped due to a power failure or the like, the communication device 20 stops operating, and then when the power is restored, the communication device 20 is started (restarted).

The anomaly detection system 1000 according to the embodiment of the present disclosure detects such boot log information of unknown cause, and detects an anomaly of the communication device 20 . The server 10 acquires the activation log information from the communication device 20, and determines the number of remaining activation log information after excluding the activation log information for which the cause of the activation of the communication device 20 is not based on an abnormality from the acquired activation log information. By comparing with the reference value of , it is possible to quickly determine whether there is an abnormality in the network 30 or the communication device 20 .

(Communication equipment)
Next, the communication device 20 that configures the anomaly detection system according to the first embodiment of the present disclosure will be described. FIG. 3 shows a configuration block diagram of the communication device 20. As shown in FIG. The communication device 20 has a transmission/reception section 21 , a control section 22 , an activation log information creation section 23 and a storage section 24 .

The transmitting/receiving unit 21 transmits/receives data to/from the server 10 via the network 30 and communicates with the terminal 40 . In particular, the transmission/reception unit 21 transmits boot log information to the server 10 .

The control unit 22 controls the operation of the communication device 20 by executing a program stored in the storage unit 24 by a processor such as a CPU.

The activation log information creation unit 23 creates activation log information when the communication device 20 is activated. Details of the activation log information will be described later.

The storage unit 24 is a storage device such as a semiconductor memory. The storage unit 24 stores programs for controlling the communication device 20 .

(anomaly detection server)
Next, an anomaly detection server according to an embodiment of the present disclosure will be described. As shown in FIG. 1, the anomaly detection server 10 has a control unit 11, a transmission/reception unit 6, a storage unit 7, a timer unit 8, a display unit 9, and an output unit 5, which are connected to a bus. 12 are connected.

The transmitting/receiving unit 6 transmits/receives data to/from the communication device 20 via the network 30 . In particular, the transmission/reception unit 6 acquires boot log information from the communication device 20 .

The storage unit 7 is a storage device such as a semiconductor memory or hard disk. The storage unit 7 stores the startup log information received from the communication device 20 . Furthermore, the storage unit 7 stores programs for controlling the server 10 .

The clock unit 8 is a module that outputs the current time. The date and time when the transmission/reception unit 6 received the activation log information from the communication device 20 may be set based on the current time obtained from the clock unit 8 and stored in the storage unit 7 together with the activation log information.

The display unit 9 is a display device such as a liquid crystal display device or an organic EL display device. The display unit 9 displays the abnormality detection result of the communication device 20 and the network 30 output from the output unit 5 .

The output unit 5 may output the abnormality detection result of the communication device 20 or the network 30 via the transmission/reception unit 6 to the communication device 20 or a device for notifying the network administrator or the like of the abnormality detection.

The control unit 11 has an acquisition unit 1, an exclusion processing unit 2, a counting unit 3, and an abnormality determination unit 4, which are stored in the storage unit 7 by a processor such as a CPU provided in the server 10. It is realized by executing the program

The acquisition unit 1 acquires startup log information, which is log information created at the time of startup, from each of the plurality of communication devices 20 via the network 30 . The activation log information may include the identification number of the communication device that transmitted the activation log information, and information about the cause if the cause of the restart of the communication device 20 is known. For example, when the communication device 20 is restarted by remote control for updating application software, or when the communication device 20 is restarted after updating the firmware or when the communication mode or band is changed, the Information about the cause may be included in the boot log information.

FIG. 4 shows an example of a list 100 of startup log information acquired by the server 10 from the communication device 20 in the anomaly detection system 1000 according to an embodiment of the present disclosure. The startup log information list 100 may include information on sections 101 , IDs 102 , communication device types 103 , acquisition times 104 , restart causes 105 , exclusion target flags 106 , and integrated values 107 .

The interval 101 indicates the number of the interval of one day when the acquisition of the activation log information is totaled every 30 minutes, for example. In the example shown in FIG. 4, the section 101 for 30 minutes from 0:00:00 (00:00:00) on a certain day is defined as "section 1", and the section 101 for the next 30 minutes is defined as "section 2". It shows an example of However, the period for aggregating boot log information is not limited to 30 minutes, and may be set to any period.

ID102 is the identification number of the acquired activation log information. For example, when the first activation log information is obtained at time "00:00:05", the ID 102 of the activation log information may be "0001". A consecutive number may be assigned to the ID 102 of the activation log information acquired thereafter. For example, in the example shown in FIG. 4, a total of 210 pieces of activation log information have been acquired in the section 101 of "1".

The communication device type 103 may indicate the type of communication device that has transmitted the activation log information. For example, in the example shown in FIG. 4, the startup log information is obtained from the WiFi router 20a first (ID "0001"), and the startup log information is obtained from the fixed telephone communication device 20b second (ID "0002"). , and the third (ID "0003") shows an example of acquiring startup log information from the broadband (BB) router 20c. model identification number, information about the position where the communication device 20 is installed, etc. may be included in the activation log information and acquired.

The acquisition time 104 may be set based on the current time acquired from the clock unit 8 when the transmission/reception unit 6 receives the activation log information from the communication device 20 .

For the cause of restart 105, if the cause of the restart is known in advance, the cause is recorded, and if it does not correspond to the known cause, the column is left blank (indicated as "---" in FIG. 4). may be For example, if the WiFi router 20a is restarted by remote operation immediately before the startup log information with the ID "0001" is acquired from the WiFi router 20a, the cause 105 of the restart may be "restart by remote operation". . Also, if the firmware is updated before the activation log information of ID "0003" is acquired from the BB router 20c, it is presumed that the user has restarted the BB router 20c. The cause 105 may be "restart after firmware update". If the cause of the restart is not known in advance, it is assumed that the communication device is restarted based on the user's normal lifestyle (the cause of the restart of the communication device 20 is not based on an abnormality). It is presumed that this includes cases where communication equipment malfunctions and is restarted.

(Method of excluding startup log information not subject to anomaly detection)
If the acquired activation log information does not indicate that the communication device 20 was activated due to an abnormality, the exclusion processing unit 2 excludes the acquired activation log information from the targets of abnormality detection. The exclusion processing unit 2 may exclude activation log information for which the cause of activation of the communication device 20 is known in advance. As shown in FIG. 1, the exclusion processing section 2 may include a first exclusion processing section 2a and a second exclusion processing section 2b.

The first exclusion processing unit 2a is created at least when the communication device 20 is forcibly activated, when the firmware of the communication device 20 is changed, or when the mode or band of the communication device 20 is changed. You may exclude the startup log information. As described above, since the cause of the creation of these boot log information is known, it can be determined that they are not caused by network anomalies. are excluded from However, any boot log information for which the cause of creation is known may be excluded from the targets of anomaly detection.

In this manner, the exclusion processing unit 2 excludes the acquired boot log information from the target of abnormality detection when the boot log information is the boot log information in which the cause of the boot is known in advance. For example, as shown in FIG. 4, the boot log information with the IDs "0001" and "0003" is the boot log information to be excluded by setting the exclusion target flag 106 because the cause of the reboot is known. may be specified.

From the boot log information aggregated within a predetermined period as described above, the boot log information whose cause is known is excluded. and boot log information created when the communication device is restarted based on the user's lifestyle habits (assuming that the cause of the communication device 20 being restarted is not based on an abnormality). estimated startup log information).

Therefore, the second exclusion processing unit 2b may exclude activation log information created based on the lifestyle habits of the user of the communication device 20. FIG.

FIG. 5 shows the relationship between the number of pieces of boot log information based on the user's lifestyle habits and time among the boot log information acquired by the server 10 from the communication device 20 in the anomaly detection system according to an embodiment of the present disclosure. Here is an example graph. A curve Lw represents the temporal change in the number of startup log information on weekdays, and a curve Lh represents the temporal change in the number of startup log information on holidays.

On weekdays, as indicated by the curve Lw, it is thought that the user often turns on the power of the communication device 20 around 9:00 in order to use the terminal 40 for work, so the number of activation log information shows a first peak P1 around 9:00 am. In addition, since it is considered that the user often turns on the terminal of the communication device 20 at home in order to use the terminal 40 at home after returning home, the number of boot log information peaks at around 18:00 P2. indicates

On the other hand, on holidays, as indicated by curve Lh, the user activates the communication device 20 to operate the terminal 40 later than on weekdays, and the number of activation log information increases more smoothly than curve Lw. Thus, the activation log information created based on the user's lifestyle habits is considered to exhibit different changes on weekdays and holidays.

The exclusion processing unit 2 may learn, by machine learning, the temporal pattern of the activation log information created based on the user's lifestyle, based on the activation log information acquired over a predetermined period. By adopting such a configuration, the number of startup log information for each weekday and holiday is collected over a predetermined period, and the number of startup log information that is normally expected to be created by machine learning and statistical processing. can be estimated.

As described above, the remaining (residual) boot log information excluded by the first exclusion processing unit 2a and the second exclusion processing unit 2b from the boot log information acquired over a predetermined period is the network or communication device information. It can be determined that the information is boot log information created due to an abnormality.

The counting unit 3 counts the number of remaining boot log information not excluded by the first exclusion processing unit 2a and the second exclusion processing unit 2b of the exclusion processing unit 2 for each predetermined period. For example, in FIG. 4, in the section "1", the boot log information with the ID "0001" is the boot log information for which the cause of the restart is known in advance, so it is excluded from the targets of abnormality detection, and is accumulated. It is not included in the value, and the integrated value 107 becomes "0". On the other hand, since the boot log information with the ID "0002" is the boot log information for which the cause of the restart is not known in advance, it is included in the target of abnormality detection, so that the integrated value 107 is "1". . Further, since the boot log information with the ID "0003" is the boot log information for which the cause of the restart is known in advance, it is excluded from the targets of abnormality detection and is not included in the integrated value, and the integrated value 107 is "1" remains.

Thereafter, in the same way, the startup log information that is the target of abnormality detection is accumulated every predetermined period. In the example shown in FIG. 4, 210 pieces of boot log information are acquired in section "1", and the number of remaining boot log information not excluded by the first exclusion processing unit 2a and the second exclusion processing unit 2b is , is the number of startup log information to be detected as an abnormality, and an example of 38 is shown in FIG. Note that in the next section "2", integration may be started after resetting the initial value of the integrated value to "0". Note that the integrated value may be obtained by integrating for each type of communication device in a predetermined period.

Let St be the total number of activation log information acquired from the plurality of communication devices 20 by the server 10 in a predetermined period, and S1 and S2 be the activation log information excluded by the first exclusion processing unit 2a and the second exclusion processing unit 2b, respectively. , the number Sa of boot log information to be subjected to abnormality detection is calculated by Sa=St-S1-S2.

The abnormality determination unit 4 determines whether or not there is an abnormality in the network or communication equipment by comparing the number of pieces of boot log information counted as described above with a predetermined threshold value.

For example, in the example shown in FIG. 4, the number of pieces of boot log information to be aggregated for anomaly detection in section "1" is 38. From the 210 pieces of information, the first exclusion processing unit 2a and the second exclusion processing unit 2b exclude the activation log information whose cause of activation of the communication device is not based on an abnormality.

FIG. 6 shows a graph showing an example of a case where the number of acquired boot log information is applied to a normal distribution in the anomaly detection system according to an embodiment of the present disclosure. The horizontal axis is the number of boot log information items to be detected for anomalies, and the vertical axis is the probability distribution. FIG. 6 shows an example in which the average value is 20 and the standard deviation σ is 5. In the above example, the number of boot log information items to be detected for anomalies is 38, and if the threshold is 35, which is the upper limit of the range from the average value to 3σ, the numerical value of 38 exceeds the threshold. can be judged to be abnormal. In this way, the abnormality determination unit 4 may determine whether there is an abnormality based on the degree of deviation from the average value.

The output unit 5 outputs the determination result of the abnormality determination unit 4 . For example, the output unit 5 outputs the determination result of the abnormality determination unit 4 to the display unit 9 . FIG. 7 shows an output example of anomaly detection results for each communication device detected using the anomaly detection system according to an embodiment of the present disclosure. As an example, the total number of service failure occurrences as of 11:00 on March 11, 2022 is shown. A table 200 showing the number of service failure occurrences shows a service name 201, the number of failure occurrences 202 in WiFi routers, the number of failure occurrences 203 in fixed telephone communication devices, and the number of failure occurrences 204 in BB routers.

By referring to the table 200, the administrator of the network 30 can quickly grasp which communication device has an abnormality.

Next, an abnormality detection method according to an embodiment of the present disclosure will be described. FIG. 8 shows a flowchart for explaining the operation procedure of the anomaly detection system according to an embodiment of the present disclosure.

First, in step S<b>101 , the acquisition unit 1 (see FIG. 1 ) acquires activation log information, which is log information created at the time of activation, from each of the plurality of communication devices 20 via the network 30 .

Next, in step S102, the exclusion processing unit 2 determines whether or not the activation log information acquired by the acquisition unit 1 is the activation log information for which the cause of activation is known in advance. Here, the startup log information for which the cause of the startup is known in advance is, for example, (1) startup log information created when the communication device is forcibly started, and (2) the firmware of the communication device is (3) boot log information created when the mode or band of the communication device is changed;

If the exclusion processing unit 2 determines in step S102 that the activation log information acquired by the acquisition unit 1 is activation log information for which the cause of activation is known in advance, then in step S103, the first exclusion processing is performed. The part 2a excludes it from the target of abnormality detection.

On the other hand, if the exclusion processing unit 2 determines in step S102 that the activation log information acquired by the acquisition unit 1 is not the activation log information for which the cause of activation is known in advance, the exclusion processing in step S103 is Not done.

Next, in step S104, the second exclusion processing unit 2b excludes activation log information based on lifestyle habits.

Next, in step S105, the counting unit 3 counts the number of remaining boot log information not excluded by the first exclusion processing unit 2a and the second exclusion processing unit 2b for each predetermined period.

Next, in step S106, the abnormality determination unit 4 determines whether or not the counted number of boot log information is greater than a predetermined threshold.

In step S106, when the abnormality determination unit 4 determines that the counted number of boot log information is larger than the predetermined threshold value, in step S107, it determines that there is an abnormality.

On the other hand, in step S106, if the abnormality determination unit 4 determines that the counted number of startup log information is less than the predetermined threshold value, in step S108, it determines that there is no abnormality.

Next, in step S<b>109 , the output unit 5 outputs the determination result of the abnormality determination unit 4 .

(Analysis of startup log information based on power failure)
When a power failure occurs in the area where the communication device 20 is installed, the communication device 20 stops operating and is restarted after the power failure is restored. Therefore, it is conceivable that the number of start-up log information items increases along with the power outage in the area where the power outage occurred. Therefore, the server 10 may further include a power outage abnormality estimating unit 13 (see FIG. 1) that estimates the presence or absence of an abnormality based on the power outage based on the startup log information acquired when the power outage occurs.

Even if the communication device 20 is restarted due to a power failure, it is conceivable that no abnormality will occur in the network 30 or the communication device 20 . However, users of the communication device 20 are expected to be affected in some way by the occurrence of a power outage. Therefore, it is preferable that the power outage abnormality estimation unit 13 estimates whether or not the increase in the startup log information is caused by the power outage, and if the power outage is the cause, causes the output unit 5 to output that effect. With such a configuration, the user can understand that the restart of the communication device 20 is based on a power failure.

If there is a characteristic change in the number of boot log information due to a power failure, the power failure anomaly estimating unit 13 determines that the current increase in the boot log information is due to the power failure, based on the data of the temporal change in the past boot log information. You can judge. By adopting such a configuration, it is possible to quickly determine whether or not an increase in boot log information is due to a power failure before receiving information about a power failure from outside the server 10 .

On the other hand, if the power outage information can be acquired in real time from the power company or the like, the power outage abnormality estimating unit 13 determines whether the increase in the boot log information is due to the power outage based on the acquired information related to the power outage. You can judge whether For example, comparing an area where an increase in boot log information occurred with an area where a power outage occurred, and if the two areas match, it can be determined that the increase in boot log information is due to the power outage. can.

(Method of Identifying Area and Model of Abnormality)
In the above example, the method of determining abnormality in a network in which a plurality of communication devices are installed in a predetermined area has been described. However, network failures may be caused by an abnormality in the network itself or by an abnormality in a particular type of communication device, and it is preferable to separate the two. Therefore, by detecting anomalies in networks in which multiple communication devices are installed over multiple regions, it is possible to determine whether the cause of anomalies is due to a network in a specific region or to a specific type of communication device. A method for determining is described.

9A and 9B show lists of the number of startup log information determined to be abnormal for multiple regions and models detected using the anomaly detection system 1000 according to an embodiment of the present disclosure. show. FIG. 9(a) shows detection results on a specific day, and FIG. 9(b) shows detection results on another day different from the specific day. In FIGS. 9A and 9B, the case where the multiple regions are Tokyo, Osaka, and Hokkaido, and the multiple models are WiFi routers, fixed telephone communication devices, and BB routers will be described as an example.

In FIG. 9(a), it is the WiFi router that has a large number of startup log information determined to be abnormal, regardless of the area where the network exists. Therefore, in this case, it is presumed that an abnormality has occurred in the WiFi router.

On the other hand, in FIG. 9B, Osaka has the largest number of startup log information determined to be abnormal, regardless of the model of the communication device. Therefore, in this case, it is presumed that an abnormality has occurred in the network installed in Osaka.

As described above, according to the present invention, anomalies in networks or communication equipment can be detected quickly by the above-described actions, so it contributes to the construction of reliable and sustainable infrastructure, and contributes to the development of SDGs Goal 9 "Industry and technological innovation." We can contribute to the achievement of "Let's build a foundation".

1 acquisition unit 2 exclusion processing unit 2a first exclusion processing unit 2b second exclusion processing unit 3 counting unit 4 abnormality determination unit 5 output unit 6 transmission/reception unit 7 storage unit 8 timer unit 9 display unit 10 server 11 control unit 12 bus 13 power outage Anomaly estimation unit 20 communication device 30 network 40 terminal 1000 anomaly detection system

Claims (9)

an acquisition unit that acquires startup log information, which is log information created at startup, from each of a plurality of communication devices via a network;
an exclusion processing unit that excludes the acquired activation log information from an abnormality detection target when the cause of activation of the communication device is not based on an abnormality;
a counting unit that counts the number of remaining boot log information not excluded by the exclusion processing unit for each predetermined period;
an abnormality determination unit that determines whether or not there is an abnormality in the network by comparing the counted number of boot log information with a predetermined threshold;
an output unit that outputs the determination result of the abnormality determination unit;
An anomaly detection server characterized by having: 2. The abnormality detection server according to claim 1, wherein said exclusion processing unit excludes activation log information in which a cause of activation of the communication device is known in advance from an abnormality detection target. The exclusion processing unit at least stores activation log information created when the communication device is forcibly activated, when the firmware of the communication device is changed, or when the mode or band of the communication device is changed. 3. The anomaly detection server according to claim 1, which is excluded from anomaly detection targets. The anomaly detection server according to any one of claims 1 to 3, wherein the exclusion processing unit excludes boot log information created based on lifestyle habits of a communication device user from anomaly detection targets. 5. The exclusion processing unit, based on the activation log information acquired over a predetermined period, learns the temporal pattern of the activation log information created based on the lifestyle habits of the user by machine learning. The described anomaly detection server. The anomaly detection server according to any one of claims 1 to 5, wherein said anomaly judgment unit judges the presence or absence of an anomaly based on the degree of deviation from an average value. 7. The anomaly detection server according to any one of claims 1 to 6, further comprising a power outage anomaly estimating unit for estimating presence/absence of an anomaly due to a power outage based on startup log information acquired when a power outage occurs. An anomaly detection system having a plurality of communication devices and a server connected to the plurality of communication devices via a network,
Each of the plurality of communication devices,
a startup log information creation unit that creates startup log information at startup;
a transmitting/receiving unit that transmits the boot log information,
The server is
an acquisition unit that acquires the activation log information from each of the plurality of communication devices;
an exclusion processing unit that excludes the acquired activation log information from an abnormality detection target when the cause of activation of the communication device is not based on an abnormality;
a counting unit that counts the number of remaining boot log information not excluded by the exclusion processing unit for each predetermined period;
an abnormality determination unit that determines whether or not there is an abnormality in the network by comparing the counted number of boot log information with a predetermined threshold;
an output unit that outputs the determination result of the abnormality determination unit;
An anomaly detection system characterized by: an acquisition unit acquires startup log information, which is log information created at startup, from each of a plurality of communication devices via a network;
The exclusion processing unit excludes the acquired activation log information from an abnormality detection target when the cause of activation of the communication device is not based on an abnormality,
a counting unit counting the number of remaining boot log information not excluded by the exclusion processing unit for each predetermined period;
The abnormality determination unit determines whether or not there is an abnormality in the network by comparing the counted number of startup log information with a predetermined threshold,
The output unit outputs the judgment result of the abnormality judgment unit,
An anomaly detection method characterized by:

Images