JP7283315B2 - Anomaly detection device, anomaly detection program, and anomaly detection method - Google Patents

Description

The present invention relates to an anomaly detection device, an anomaly detection program, and an anomaly detection method, and can be applied, for example, to an anomaly detection device that analyzes logs of network devices, detects suspicious logs and communications, and visually displays the detection results. .

Cyberattacks, which are increasing and evolving year by year, have become a social problem. Network devices such as proxies and firewalls have traditionally been effective against cyber-attacks, but in recent years there has been an increase in attacks that cannot be prevented by the functions of network devices alone. Against such attacks, it is important to analyze the logs of network devices and prevent detection omissions of attacks. However, in companies with a large number of employees, the amount of network device logs is enormous, and it is extremely difficult to analyze them manually. An approach using machine learning is effective for such huge logs.

In machine learning, the characteristics of suspicious communications are extracted from past logs of network equipment, and the characteristics are learned by a machine learning machine. A learned machine learning device (hereinafter referred to as a “classifier”) classifies and outputs whether it is an abnormal communication that resembles characteristics of past suspicious communication or a normal communication that is not. By applying the current enormous amount of logs to the classifier, it is possible to narrow down only the logs classified as abnormal communications, so the investigator's log investigation work can be made more efficient.

However, machine learning has the aspect that even if it is classified as an anomaly, the cause cannot be explained (it is a black box), and there are many false positives that classify normal communication as an anomaly. The former uses a decision tree-based machine learner to obtain the features that contributed to the classification, so it is possible to infer the cause from this information. The latter can adjust the number of logs to be classified as abnormal by devising the parameters given to the machine learning device, but it is necessary to allow a certain amount of false positives to prevent detection omissions, and there are more than a certain number of logs to be investigated. It will be.

From the above, there is a need for a method of efficiently investigating the logs classified as abnormal. In cyberattacks in particular, even among those classified as abnormal, there are those that are highly urgent and those that are not. For example, in the cyber kill chain, which categorizes cyberattacks according to their progress, the more advanced the stage, the higher the urgency. Therefore, by preferentially displaying logs with high urgency among those classified as abnormal to the investigator, it is possible to prioritize the logs to be investigated, thereby improving the efficiency of the investigation work. Here, the stages of the cyber kill chain include the “reconnaissance stage” to select the attack target, the “delivery stage” to download malware, etc., and the “remote operation stage” to communicate with the C&C (Command & Response) server after infection. exists.

For example, Patent Literature 1 discloses a technique related to a GUI (Graphical User Interface) that displays anomaly detection results of multiple security products and network devices in a computing system. In Patent Document 1, based on negative results (serious security events, anomalies, vulnerabilities, and threats) detected by security products and network devices, if there are any negative results, they are colored red, and if there are no negative results, By displaying it in green, you can intuitively know if the computing system needs to be investigated.

In addition, Patent Document 2 discloses a technique related to a system that presents an analyst with countermeasures against attack activities detected using detection rules. In Patent Literature 2, past attack activities and countermeasures against attack activities are accumulated. For the currently detected attack activity, similar attack activities are acquired from the accumulated past information, and the content of countermeasures against the attack activity is acquired and presented to the analyst. Here, the past attack activities and countermeasure contents are given importance levels, and when there are multiple similar attack activities and countermeasure contents, they are presented in descending order of importance. The technology described in Patent Literature 2 prioritizes and presents attack activities and their countermeasures, so analysts can easily know in what order and how to investigate the detected attack activities. be able to.

Patent No. 5869676 JP 2019-28891 A

However, in Patent Literature 1, although it is possible to know that there is an abnormality in the computing system, it is not possible to know from the GUI which log should be investigated first. In addition, it is also not possible to know the factors that have resulted in negative results from the GUI.

On the other hand, in Patent Document 2, for each log (communication) of detected attack activity, the analyst must manually assign the details of the attack activity and the corresponding importance level, and the details of the countermeasure and the corresponding importance level. The problem is an increase in the work man-hours of the investigator.

From the above, an anomaly detection device, an anomaly detection program, and an anomaly detection device that intuitively presents factors classified as anomalies and their priorities to an investigator and reduces the work man-hours of an analyst for creating information necessary for presentation. An anomaly detection method is desired.

A first aspect of the present invention is an anomaly detection device that analyzes a log and displays an anomaly detection result, comprising: (1) a feature/category correspondence list in which features are extracted from the log and the features and categories are associated with each other; (2) a detection result display unit that displays the anomaly detection results of the log in units of categories; 3) a control unit that requests the log analysis unit to analyze the log and the detection result display unit to display the abnormality detection result; (4) the feature/category correspondence list; (5) drawing and displaying an input screen for associating the features with the categories of the category list, and inputting the category corresponding to the features ; (6) the log analysis unit converts the features extracted from the log into feature quantities and analyzes them by machine learning; (7) The machine learning device used in the machine learning creates a classifier that learns the features and outputs the probability of being abnormal, and outputs the importance of the features that contribute to the classification of the classifier. (8) The log analysis unit estimates the category using the feature/category correspondence list, the feature amount of the log, and the importance of the feature.

The anomaly detection program of the second aspect of the present invention analyzes a log and causes a computer installed in an anomaly detection device that displays an anomaly detection result to: (1) extract features from the log, and associate the features with categories; a log analysis unit that analyzes the log using the attached feature/category correspondence list, classifies it into one of the categories, and outputs the classification result; and (2) displaying the anomaly detection result of the log for each category. a detection result display unit; (3) a control unit that requests the log analysis unit to analyze the log and the detection result display unit to display the abnormality detection result; and (4) the feature/category correspondence list. , a category list in which one or more categories are described, and a storage unit that holds the classification results; (6) the log analysis unit converts the features extracted from the log into feature quantities, and (7) the machine learning device used in the machine learning creates a classifier that learns the features and outputs a probability of being abnormal, and contributes to the classification of the classifier; (8) the log analysis unit estimates the category using the feature/category correspondence list, the feature amount of the log, and the feature importance; It is characterized by

A third aspect of the present invention is an anomaly detection method used in an anomaly detection device that analyzes a log and displays an anomaly detection result, wherein: (1) a log analysis unit extracts features from the log; The log is analyzed using a feature/category correspondence list in which categories are associated with each other, the log is classified into one of the categories, and the classification result is output; (3) the control unit requests the log analysis unit to analyze the log, requests the detection result display unit to display the abnormality detection result, (4) the storage unit, holding the feature/category correspondence list, a category list in which one or more categories are described, and the classification result ; (6) the log analysis unit converts the features extracted from the log into feature amounts; (7) the machine learning device used in the machine learning creates a classifier that learns the features and outputs the probability of being abnormal, and contributes to the classification of the classifier (8) the log analysis unit estimates the category using the feature/category correspondence list, the feature amount of the log, and the importance of the feature; characterized by

According to the present invention, factors classified as abnormal and their priorities are intuitively presented to the investigator, and man-hours required for analysts to create information required for presentation can be reduced.

It is a block diagram which shows the internal structure of the abnormality detection result display apparatus which concerns on embodiment. FIG. 5 is an explanatory diagram showing an example of a feature list analyzed by a log analysis unit according to the embodiment; FIG. 5 is an explanatory diagram showing an example of an interface for inputting a cyber kill chain category corresponding to each feature used in the input unit according to the embodiment; 6 is a flow chart showing a feature operation (feature/category correspondence list creation operation) of the abnormality detection result display device according to the embodiment. FIG. 4 is an explanatory diagram showing an example of a feature/category correspondence list in which cyber kill chain categories are associated with respective features according to the embodiment; 5 is a flow chart showing characteristic operations (learning and classification operations of a machine learning device) of the anomaly detection result display device according to the embodiment. FIG. 10 is an explanatory diagram showing an example of a feature importance list indicating the importance of features of a classifier created by the log analysis unit according to the embodiment; 4 is a flow chart showing a characteristic operation (operation for displaying an abnormality detection result) of the abnormality detection result display device according to the embodiment; FIG. 7 is an explanatory diagram showing an example of detection results by category displayed on a detection result display unit according to the embodiment; FIG. 11 is an explanatory diagram showing an example of a category list defining categories and their order numbers according to another embodiment; FIG. 11 is an explanatory diagram showing an example of a hierarchical category detection result according to another embodiment; FIG. 11 is an explanatory diagram (part 1) showing an example of a drill-down function of detection results displayed on the detection result display unit in another embodiment; FIG. 12 is an explanatory diagram (part 2) showing an example of a drill-down function of detection results displayed on the detection result display section in another embodiment;

(A) Main Embodiments An embodiment of an abnormality detection device, an abnormality detection program, and an abnormality detection method according to the present invention will be described in detail below with reference to the drawings.

(A-1) Configuration of Embodiment First, the outline of this embodiment will be described. In this embodiment, logs classified as abnormal are displayed according to the degree of progress of the cyber kill chain. In this embodiment, for each feature of the log to be learned by the machine learning machine, it is defined in advance which stage of the cyber kill chain the feature appears in, and is classified as an anomaly based on the defined information and the importance information of the classifier. Estimate and display the classification factor (progress of the cyber kill chain) of the logs that have been detected. Details are described below.

FIG. 1 is a block diagram showing the internal configuration of the abnormality detection result display device according to the embodiment.

In FIG. 1 , the abnormality detection result display device 10 has a log analysis unit 11 , an input unit 12 , a control unit 13 , a storage unit 14 and a detection result display unit 15 .

For example, the abnormality detection result display device 10 may be constructed by installing a program in a computer having a processor, memory, and the like. Further, the abnormality detection result display device 10 may be partially or wholly configured using hardware (for example, a dedicated semiconductor chip, an electric circuit, or the like).

The log analysis unit 11 extracts features from the network device log (the network device log 20 in FIG. 1), learns the extracted features as learning data with a machine learning device, and creates a classifier for normal/abnormal classification. have the means. Although the network device log 20 to be used is not limited, for example, proxy or firewall logs are used. The method of extracting features from the log is not limited, but for example, a method of extracting features according to a predetermined rule, a method of extracting features using another machine learning device, a combination thereof, and the like are conceivable.

Extracted features include, for example, proxy log download and upload sizes, destination host character strings that are used as they are, download sizes that are relatively larger than other logs (abnormal), and destination hosts that are rarely used. It is possible to think of things such as those that do not appear (rare) that are used after being converted into qualitative variables by rules or machine learning. The log analysis unit 11 saves the names that can identify the extracted features in the storage unit 14 as a feature list (feature list L in FIG. 1) as shown in FIG.

The machine learning device used by the log analysis unit 11 is a learning device that obtains the degree of importance of features that contributed to the creation of the classifier, and uses, for example, a decision tree-based learning device. Depending on the machine learning device to be used, it is necessary to assign a label indicating whether the learning data is abnormal or normal before learning. Although the method of labeling the learning data is not limited, for example, when an investigator judges whether a log investigated is truly normal or abnormal, a method of labeling the information is conceivable. The log analysis unit 11 saves the classifier learned by the machine learning device and the feature importance list (feature importance list N in FIG. 7 to be described later) in the storage unit 14 .

In addition, the log analysis unit 11 applies the features of the network device log 20 to a classifier to perform normal/abnormal classification. It has a means of estimating which category of kill chain it belongs to. Here, the content output by the classifier is not limited. For example, depending on the machine learning device (or how to give the parameters of the machine learning device), instead of classifying whether it is normal or abnormal, there are those that output the probability of being abnormal, and that probability may be output. The log analysis unit 11 saves the classification result and category estimation result in the storage unit 14 .

The input unit 12 has means for providing an investigator with an input interface for setting which category of the cyber kill chain each characteristic of the log to be given to the machine learning device corresponds to. For example, a screen (input screen 30) as shown in FIG. 3 is displayed. On the input screen 30 in FIG. 3, input boxes 31 (31-1 to 31-3) are drawn for each feature (each feature in the feature list L in FIG. 2) in which the category of the cyber kill chain can be entered. Enter the category corresponding to . The input unit 12 stores the input correspondence relationship between the features and the categories as a feature/category correspondence list M in the storage unit 14 .

The control unit 13 instructs the log analysis unit 11 to perform machine learning or to classify log anomalies using a classifier, and instructs the detection result display unit 15 to display anomaly detection results. have the means to In addition, the control unit 13 has a means for receiving an anomaly detection result display request from an investigator.

The storage unit 14 has means for storing various types of information (feature list L, feature/category correspondence list M, feature importance list N, etc.).

The detection result display unit 15 has a means for displaying to the investigator results for each cyber kill chain category based on the log anomaly classification results and category estimation results.

(A-2) Operation of Embodiment Next, the operation of the abnormality detection result display device 10 according to the embodiment having the configuration as described above will be described.

Among the operations of the anomaly detection result display device 10 (feature operations of the present embodiment), the operations of associating each feature of the log with the category of the cyber kill chain and creating a feature/category correspondence list M are shown in FIG. The learning and classification operations of the machine learning device will be described with reference to FIG. 6, and the operation of displaying the abnormality detection result on the detection result display unit 15 will be described with reference to FIG.

(A-2-1) Feature/Category Correspondence List Creation Operation FIG. 4 is a flowchart showing a feature operation (feature/category correspondence list creation operation) of the abnormality detection result display device according to the embodiment.

Upon receiving an input request from an investigator, the input unit 12 acquires the feature list L of the network device log 20 from the storage unit 14 (S101).

Also, the input unit 12 acquires the category list of the cyber kill chain from the storage unit 14 (S102). Here, the acquired cyber kill chain category (a list in which categories such as delivery and remote control are described) may be used when making a selection in the input box 31 of the input screen 30 . Also, this process may be omitted, but in that case, the investigator must directly input the cyber kill chain category in the input box 31 . Note that the category list here may be, for example, the category list O in FIG. 10 described later, or another category list in which the order number is omitted from the category list O. FIG.

Next, using the acquired feature list L, the input unit 12 draws and displays the input screen 30 (described above in FIG. 3) for inputting the cyber kill chain category corresponding to the feature (S103).

The input unit 12 transitions to a state in which the investigator waits for completion of the input (selection) operation of the cyber kill chain category on the input screen 30 (S104). The input unit 12 performs the following processing upon receiving input completion (for example, pressing an input completion button (not shown)).

Based on the input information, the input unit 12 creates a feature/category correspondence list M (FIG. 5) in which categories are associated with features, and stores it in the storage unit 14 (S105).

(A-2-2) Learning and Classification Operations of Machine Learner FIG. 6 is a flow chart showing characteristic operations (learning and classification operations of the machine learner) of the anomaly detection result display device according to the embodiment.

The log analysis unit 11 performs the following processing according to a request (learning or classification) from the control unit 13 (S201).

First, the learning process (S201 to S205) will be described. The control unit 13 requests the log analysis unit 11 to perform learning, but at the same time notifies the log analysis unit 11 of the target period of the network device log 20 to be learned.

The log analysis unit 11 acquires a log for a specified period from the network device log 20 (S202), then extracts features from the log and creates learning data (S203). Here, the log analysis unit 11 saves the extracted feature list L in the storage unit 14 .

Next, the log analysis unit 11 causes a machine learning device to learn the learning data and creates a classifier (S204).

Finally, the log analysis unit 11 saves the created classifier and the feature importance list N (FIG. 7) indicating the importance of the features of the classifier in the storage unit 14 .

Next, the classification operation (S206-S210) will be described. The control unit 13 requests the log analysis unit 11 to classify normality/abnormality. At this time, the control unit 13 notifies the log analysis unit 11 of the target period of the network device log 20 to be classified.

The log analysis unit 11 acquires the log for the designated period from the network device log 20 (S206), and extracts features from the log (S207).

Next, the log analysis unit 11 acquires a classifier from the storage unit 14 and classifies each log as normal/abnormal (S208).

Next, the log analysis unit 11 estimates which category of the cyber kill chain each log classified as abnormal belongs to (S209). For this purpose, the log analysis unit 11 first acquires the feature/category correspondence list M from the storage unit 14 . Next, based on the information in the feature/category correspondence list M, the log analysis unit 11 multiplies the feature quantity and the feature importance for each category by using the following formula (1): The sum of the sums is calculated as the category score. Here, formula (1) represents a formula for calculating the score of the delivery category, and scores of other categories (for example, reconnaissance category score, remote operation category score, etc.) are calculated in a similar manner.

Then, the log analysis unit 11 obtains the category with the maximum category score using the following equation (2), and uses it as an estimation result.

Finally, the log analysis unit 11 saves the abnormal classification result (in the case of the probability that the output of the classifier is abnormal, its value) and the category estimation result in the storage unit 14 .

(A-2-3) Abnormality Detection Result Display Operation FIG. 8 is a flowchart showing a characteristic operation (operation for displaying an abnormality detection result) of the abnormality detection result display device according to the embodiment.

First, when receiving a detection result display request from an investigator, the control unit 13 requests the detection result display unit 15 to display the detection result of the abnormality log. At this time, the control unit 13 notifies the detection result display unit 15 of the log period for displaying the results.

The detection result display unit 15 acquires the classification result of logs classified as abnormal during the designated period (S301). Further, the detection result display unit 15 acquires the category estimation result of the log classified as abnormal from the storage unit 14 (S302).

Next, the detection result display unit 15 draws the detection results for each category (S303). Although specific drawing contents are not limited, for example, as shown in FIG. 9, drawing contents may be considered in which each log is plotted with the horizontal axis representing the degree of progress of the cyber kill chain and the vertical axis representing the degree of abnormality of the log.

Finally, the detection result display unit 15 displays the drawing result to the researcher (S304).

(A-3) Effects of Embodiment According to this embodiment, the following effects are obtained.

The anomaly detection result display device 10 analyzes the logs of network devices and displays the anomaly detection results. is used to estimate the degree of progress of the cyber kill chain for logs classified as anomalies and to display them by degree of progress.

By displaying the progress of the cyber kill chain, investigators can understand and prioritize the urgency of the logs to be investigated. Therefore, the efficiency of the investigation work can be improved. In addition, the investigator's workload to display the results can be reduced by simply associating each feature of machine learning with the category of the cyber kill chain.

(B) Other Embodiments The present invention is not limited to the above-described embodiments, and modified embodiments as exemplified below can also be mentioned.

(B-1) In the above embodiment, the anomaly detection result is displayed by the degree of progress of the cyber kill chain, but the present invention is not limited to this. For example, by enabling the investigator to freely define categories in the input section, such as detection of terminal setting errors and failures, and by associating log features with the defined categories, anomaly detection results can be obtained for arbitrary category units. can be displayed.

(B-2) In the above embodiment, as a method of estimating categories, the score of each category is calculated and the category with the maximum score is used as the estimation result, but the method is not limited to this. For example, when categories are ordered, such as in the cyber kill chain stage, a category list O (FIG. 10) defining categories and their order numbers can be created. Then, a method of obtaining the expected value of the order number of the category by the following expression (3) using the score of each category obtained by the above expression (1) and using the calculation result as the estimation result is also conceivable.

When the expected value is used, the result can be expressed as a continuous value, so the detection result screen can be plotted more finely, and the log that should be investigated with higher priority can be clarified.

(B-3) In the above embodiment, the categories are treated in the same way, but a method of hierarchically defining the categories and subdividing and displaying the detection results is also conceivable. For example, for the delivery category in the cyber kill chain, subcategories such as abnormal download size and rare download extension are defined, and the subcategories and log features are associated. Then, the abnormality detection result display device 10 calculates the score of the abnormality log subcategory using the equations (1) and (2), and hierarchically displays the detection results on the detection result screen as shown in FIG. 11 . This makes it possible for the investigator to prioritize the investigation logs more efficiently.

In order to define categories hierarchically, for example, an input box field for entering a subcategory is provided on the input screen 30 displayed in the input unit 12, and the input result is stored in the storage unit 14 as hierarchical information of the category. Good to save.

(B-4) As a modification of the above-described embodiment, it is also possible to add another step of action to the log of each network device classified as anomaly and drill down to display other information in the anomaly detection result display. be done. For example, as shown in FIG. 12, when you mouse over a plotted log on the anomaly detection result display screen, the past log anomaly classification results for the source IP address (terminal) of the log are displayed in chronological order. For example, as shown in 13, the characteristics and categories that have caused the log to be classified as abnormal are displayed in the form of pie charts. By presenting additional information in this way, the investigator's prioritization of the investigation log can be made more efficient.

(B-5) In the above embodiment, one classifier was created using all the features extracted from the network device log and normal/abnormal classification was performed. A method of creating a classifier and classifying anomalies may be used.

10... Abnormality detection result display device 11... Log analysis unit 12... Input unit 13... Control unit 14... Storage unit 15... Detection result display unit 20... Network device log 30... Input screen 31... Input Box, L... feature list, M... category correspondence list, N... feature importance list, O... category list.

Claims (10)

An anomaly detection device that analyzes logs and displays anomaly detection results,
a log analysis unit that extracts features from the log, analyzes the log using a feature/category correspondence list that associates the feature with a category, classifies the log into one of the categories, and outputs a classification result;
a detection result display unit that displays the anomaly detection result of the log for each category;
a control unit that requests the log analysis unit to analyze the log and the detection result display unit to display the abnormality detection result;
a storage unit that holds the feature/category correspondence list, a category list in which one or more categories are described, and the classification result ;
an input unit that draws and displays an input screen for associating the features with the categories of the category list, and saves an input result in which a category corresponding to the features is input as the feature/category correspondence list;
The log analysis unit converts the feature extracted from the log into a feature amount and analyzes it by machine learning,
The machine learning device used in the machine learning can create a classifier that learns the features and outputs the probability of being abnormal, and can output the importance of the features that contribute to the classification of the classifier. can be,
The log analysis unit estimates the category using the feature/category correspondence list, the feature quantity of the log, and the importance of the feature.
An anomaly detection device characterized by: In the method for estimating the category, for each feature associated with the category, a value obtained by multiplying each feature amount of the log and the importance of the corresponding feature and summing them is used as the score of the category, 2. The anomaly detection device according to claim 1 , wherein the category with the highest category score is used as the estimation result. The method of estimating the category assigns an order number to the categories having an order relationship, and multiplies each feature value of the log by the importance of the corresponding feature for each feature associated with the category. The result of calculating the expected value of the order number of the category obtained by multiplying the order number of the category and the score of the corresponding category and taking the sum is the estimation result. The abnormality detection device according to claim 1 , characterized in that: The detection result display unit plots the analysis result of the log on a graph centered on the category and the anomaly probability output by the classifier using the log category estimation result and the anomaly probability. The abnormality detection device according to any one of claims 1 to 3 , characterized in that: The input unit further draws and displays the input screen on which the categories can be hierarchically defined, and stores hierarchical information of the categories input on the input screen in the storage unit,
The log analysis unit estimates the category of the log using the hierarchical information,
4. Any one of claims 1 to 3 , wherein the detection result display unit draws the categories hierarchically using the hierarchical information, and plots the log analysis results on the corresponding categories. An anomaly detection device as described. 1. The detection result display unit displays the log analysis results in chronological order, using past log analysis results, and category transitions from the past to the present for each terminal. 4. The abnormality detection device according to any one of 3 . 7. The anomaly detection device according to claim 6 , wherein the time-series display of the log analysis results from the past to the present is displayed by moving a mouse over a plotted portion of the log analysis results. The anomaly detection device according to any one of claims 1 to 7 , wherein the category is a cyber kill chain category. A computer installed in an anomaly detection device that analyzes logs and displays anomaly detection results
a log analysis unit that extracts features from the log, analyzes the log using a feature/category correspondence list that associates the feature with a category, classifies the log into one of the categories, and outputs a classification result;
a detection result display unit that displays the anomaly detection result of the log by category;
a control unit that requests the log analysis unit to analyze the log and the detection result display unit to display the abnormality detection result;
a storage unit that holds the feature/category correspondence list, a category list in which one or more categories are described, and the classification result ;
Rendering and displaying an input screen for associating the features with the categories of the category list, and functioning as an input unit that saves an input result in which the category corresponding to the feature is entered as the feature/category correspondence list,
The log analysis unit converts the feature extracted from the log into a feature amount and analyzes it by machine learning,
The machine learning device used in the machine learning can create a classifier that learns the features and outputs the probability of being abnormal, and can output the importance of the features that contribute to the classification of the classifier. can be,
The log analysis unit estimates the category using the feature/category correspondence list, the feature quantity of the log, and the importance of the feature.
An anomaly detection program characterized by: An anomaly detection method used in an anomaly detection device that analyzes logs and displays anomaly detection results,
A log analysis unit extracts features from the log, analyzes the log using a feature/category correspondence list in which the features and categories are associated, classifies into one of the categories, and outputs the classification result;
a detection result display unit displaying the anomaly detection result of the log by category;
A control unit requests the log analysis unit to analyze the log, requests the detection result display unit to display the abnormality detection result,
a storage unit holding the feature/category correspondence list, a category list in which one or more categories are described, and the classification results ;
An input unit draws and displays an input screen for associating the features with categories of the category list, and saves an input result in which categories corresponding to the features are entered as the feature/category correspondence list,
The log analysis unit converts the feature extracted from the log into a feature amount and analyzes it by machine learning,
The machine learning device used in the machine learning can create a classifier that learns the features and outputs the probability of being abnormal, and can output the importance of the features that contribute to the classification of the classifier. can be,
The log analysis unit estimates the category using the feature/category correspondence list, the feature quantity of the log, and the importance of the feature.
An anomaly detection method characterized by:

Images