WO2022176128A1 - 分析装置、分析システム、分析方法、および、分析プログラム - Google Patents
分析装置、分析システム、分析方法、および、分析プログラム Download PDFInfo
- Publication number
- WO2022176128A1 WO2022176128A1 PCT/JP2021/006186 JP2021006186W WO2022176128A1 WO 2022176128 A1 WO2022176128 A1 WO 2022176128A1 JP 2021006186 W JP2021006186 W JP 2021006186W WO 2022176128 A1 WO2022176128 A1 WO 2022176128A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- normal communication
- model
- communication model
- cluster
- sensor
- Prior art date
Links
- 238000004458 analytical method Methods 0.000 title claims description 18
- 238000004891 communication Methods 0.000 claims abstract description 357
- 238000004364 calculation method Methods 0.000 claims description 25
- 238000012544 monitoring process Methods 0.000 claims description 18
- 238000000034 method Methods 0.000 description 37
- 238000012545 processing Methods 0.000 description 33
- 238000010586 diagram Methods 0.000 description 13
- 230000005540 biological transmission Effects 0.000 description 11
- 230000000694 effects Effects 0.000 description 7
- 230000006399 behavior Effects 0.000 description 6
- 230000010365 information processing Effects 0.000 description 4
- 230000002159 abnormal effect Effects 0.000 description 3
- 230000005856 abnormality Effects 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 239000000470 constituent Substances 0.000 description 1
- 230000001186 cumulative effect Effects 0.000 description 1
- 230000005484 gravity Effects 0.000 description 1
- 208000015181 infectious disease Diseases 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- the present invention relates to an analysis device, an analysis system, an analysis method, and an analysis program.
- a network traffic sensor learns a normal communication model that indicates normal communication using the number of packets sent and the number of destination IP addresses in communication from an IoT device as feature quantities. Then, the sensor uses the learned normal communication model to detect abnormal communication behavior caused by, for example, malware infection of the IoT device.
- the normal distribution is used for each model of target IoT device to learn various feature values during normal communication.
- the sensor starts learning a normal communication model using various feature values of the communication of the IoT device, and when it determines that the communication behavior has stabilized, it ends learning the normal communication model (see Patent Document 1). . Then, the sensor detects an abnormality in the communication of the IoT device using the learned normal communication model.
- a sensor when a sensor detects an abnormality in IoT device communication based on a normal communication model, it investigates the detection alert information. Then, when the detected communication is found to be normal communication, the sensor administrator or the like updates the normal communication model in order to prevent the recurrence of overdetection.
- the administrator may not be able to update the normal communication model appropriately, and over-detection may occur again.
- an object of the present invention is to solve the above-described problems and to support the application of an appropriate normal communication model in sensors.
- the present invention provides a normal traffic sensor used for monitoring the communication of an IoT (Internet of Things) device, which indicates the characteristics of normal communication of the IoT device, from each network traffic sensor that monitors the communication of the IoT device.
- an acquiring unit that acquires a communication model, clusters a group of normal communication models related to the same feature value from among the group of normal communication models that have been acquired, and uses the clustering result to determine a cluster that has the largest number of normal communication models.
- a calculation unit that calculates a group cluster and calculates an average model of a group of normal communication models belonging to the majority cluster; It is characterized by comprising a notification unit for notifying of belonging information indicating whether or not the model belongs and the average model.
- FIG. 1 is a diagram illustrating an outline of a system including an analysis device (server) of this embodiment.
- FIG. 2 is a diagram illustrating a configuration example of a server.
- FIG. 3 is a diagram showing a configuration example of a sensor.
- FIG. 4 is a diagram for explaining the generation of normal communication models and the definition of differences between normal communication models.
- FIG. 5 is a diagram illustrating success and failure in learning a normal communication model.
- FIG. 6 is a diagram illustrating an example of the processing procedure of the learning phase of the system when the sensor has successfully learned the normal communication model.
- FIG. 7 is a diagram illustrating an example of the processing procedure of the learning phase of the system when the sensor fails to learn the normal communication model.
- FIG. 1 is a diagram illustrating an outline of a system including an analysis device (server) of this embodiment.
- FIG. 2 is a diagram illustrating a configuration example of a server.
- FIG. 3 is a diagram showing a configuration example of a sensor.
- FIG. 8 is a diagram illustrating an example of a processing procedure in the operation phase of the system.
- FIG. 9 is a diagram illustrating an example of the processing procedure of the learning phase of the system when the sensor has successfully learned the normal communication model.
- FIG. 10 is a diagram illustrating an example of the processing procedure of the learning phase of the system when the sensor fails to learn the normal communication model.
- FIG. 11 is a diagram illustrating an example of a processing procedure in the operation phase of the system.
- FIG. 12 is a diagram showing a configuration example of a computer that executes an analysis program.
- An analysis system (system) 1 includes a plurality of network traffic sensors (sensors) 20 and a server 100 .
- the sensor 20 has a normal communication model that indicates the characteristics of normal communication for each model of IoT (Internet of Things) device and for each feature amount.
- the feature quantities used in this normal communication model are, for example, the number of packets sent per hour, the number of destination IP addresses, the port number, the number of bytes of packets, etc., in the communication of the IoT device.
- the senor 20 learns a normal communication model for each feature value of communication for each model of the monitored IoT device, and uses the learned normal communication model to determine whether the communication of the monitored IoT device is normal. monitor what
- the sensor 20 learns a normal communication model regarding the number of destination IPs (the number of destination IP addresses) in the communication of the IoT device of model A, and uses the learned normal communication model to determine whether the communication of the IoT device of model A is normal. Monitor whether or not
- the server 100 acquires the normal communication model of the IoT device from each sensor 20. Then, the server 100 clusters the obtained normal communication model group so that mutually similar models belong to the same cluster.
- the server 100 clusters the obtained normal communication model group regarding the number of destination IPs of IoT devices of model A into clusters 1, 2, and 3 shown in FIG. Then, the server 100 calculates the cluster (majority cluster) to which the largest number of normal communication model groups belong among these clusters.
- the server 100 notifies each of the sensors 20 from which the normal communication model was obtained whether the normal communication model obtained from the sensor 20 belongs to the majority cluster.
- the server 100 also calculates the average model of the normal communication model group belonging to the majority cluster, and notifies each of the sensors 20 of the calculated average model.
- the server 100 can notify each sensor 20 whether or not the normal communication model held by the sensor 20 is appropriate. Also, the server 100 can notify each sensor 20 of an appropriate normal communication model.
- the server 100 includes a communication section 110 , a storage section 120 and a control section 130 .
- the communication unit 110 is an interface for data communication with an external device (for example, the sensor 20) via a network.
- the storage unit 120 stores data referred to when the control unit 130 executes various processes and data generated by the control unit 130 .
- the storage unit 120 stores the normal communication model acquired from each sensor 20 and the cluster information generated by the control unit 130 (the result of clustering the normal communication model group, the information indicating the majority cluster, etc.). do.
- the storage unit 120 stores information on the normal communication model applied by each sensor 20 .
- Control unit 130 controls the entire server 100.
- Control unit 130 includes acquisition unit 131 , calculation unit 132 , determination unit 133 , and notification unit 134 .
- the acquisition unit 131 acquires from the sensor 20 a normal communication model that is used by the sensor 20 to monitor communication of IoT devices.
- the normal communication model for example, as indicated by reference numeral 401 in "(2) Generation of normal communication model" in FIG. be.
- the normal communication model includes identification information of the model of the target IoT device, feature values used for calculating statistical values (for example, src_pkts (the number of transmitted IP packets)), and the distribution type of statistical values. (eg, normal (normal distribution)), parameters (eg, mean and standard deviation), and other information.
- src_pkts the number of transmitted IP packets
- distribution type of statistical values e.g, normal (normal distribution)
- parameters eg, mean and standard deviation
- the calculation unit 132 clusters a group of normal communication models related to the same model and the same feature amount among the normal communication models acquired by the acquisition unit 131 . For example, when the acquisition unit 131 acquires a new normal communication model, the calculation unit 132 clusters a group of normal communication models including the normal communication model and related to the same model and the same feature amount as the normal communication model.
- the calculation unit 132 calculates the majority cluster, which is the cluster with the largest number of normal communication models belonging to the cluster, based on the above clustering results. Further, the calculation unit 132 calculates the average model of the normal communication model group belonging to the majority cluster. For example, the calculation unit 132 calculates the normal communication model corresponding to the center of gravity of the normal communication model group belonging to the majority cluster as the average model.
- the calculation unit 132 clusters the normal communication model group, for example, KL divergence is used. For example, as shown in "(3) Definition of differences between normal communication models" in FIG. (KL divergence. See formula (1)). Then, the calculation unit 132 performs clustering so that mutually similar normal communication model groups belong to the same cluster.
- the calculation unit 132 when the acquisition unit 131 acquires the normal communication model after the parameter update from the sensor 20, the calculation unit 132 includes the normal communication model after the parameter update, and calculates the The normal communication model group is clustered again. Then, the calculation unit 132 recalculates the majority cluster using the above clustering result. Further, the calculation unit 132 recalculates the average model of the normal communication model group belonging to the majority cluster after recalculation.
- the determination unit 133 determines whether the normal communication model acquired by the acquisition unit 131 belongs to the majority cluster calculated by the calculation unit 132 .
- the notification unit 134 transmits information indicating the result of determination by the determination unit 133 (attribution information to the majority cluster) and the average model of the group of normal communication models belonging to the majority cluster calculated by the calculation unit 132, The sensor 20 from which the normal communication model was obtained is notified.
- the determination unit 133 determines whether each normal communication model acquired from each sensor 20 belongs to the recalculation majority cluster. Then, when the determination unit 133 determines that any normal communication model does not belong to the majority cluster after recalculation, the notification unit 134 notifies the sensor 20 from which the normal communication model was acquired that Notify that the normal communication model is out of the majority cluster and the average model after recalculation.
- the sensor 20 includes a communication section 21 , a storage section 22 and a control section 23 .
- the communication unit 21 is an interface for performing data communication with an external device (for example, IoT device, server 100) via a network.
- the storage unit 22 stores data referred to when the control unit 23 executes various processes and data generated by the control unit 23.
- the storage unit 22 stores the normal communication model generated by the control unit 23 and the average model received from the server 100 .
- the control unit 23 includes a learning unit 231 , a monitoring unit 232 , a transmission/reception unit 233 , a determination unit 234 and a model management unit 235 .
- the learning unit 231 is based on the characteristic amount of the communication data of the monitored IoT device acquired via the communication unit 21 (for example, the number of packets sent per hour, the IP address of the communication destination, the port number, the number of bytes in the packet, etc.). , to learn the normal communication model.
- the learned normal communication model is stored in the storage unit 22 .
- a learning example of a normal communication model will be described with reference to FIG.
- learning (generating) a normal communication model regarding the number of transmission packets of an IoT device of model A will be described.
- the learning unit 231 counts the statistics of the communication data of the model A IoT device ((1)). For example, the learning unit 231 counts the number of packets transmitted from the model A IoT device per hour.
- the learning unit 231 generates a normal communication model based on the result of counting the statistics of the communication data of the IoT device of model A obtained in (1) ((2)). For example, the learning unit 231 obtains statistical values of the frequency of appearance of the number of packets transmitted per hour based on the number of packets transmitted per hour of the IoT device of model A obtained in (1), and the statistics are indicated by reference numerals 401 and 402. Generate a normal communication model.
- the learning unit 231 may fail to learn the normal communication model. For example, if a temporary change occurs in communication behavior during the learning period of the normal communication model, the learning unit 231 cannot learn the normal communication model. In other words, the learning unit 231 may fail to learn the normal communication model. In this case, the transmitter/receiver 233 notifies the server 100 that the sensor 20 has failed to learn the normal communication model.
- the monitoring unit 232 uses the normal communication model or the average model in the storage unit 22 to monitor communication of the monitored IoT device. For example, the monitoring unit 232 uses the normal communication model to monitor whether the communication of the monitored IoT device is normal. Note that the monitoring unit 232 may monitor communication by combining a normal communication model and an abnormal communication model (a model showing characteristics of abnormal communication) when monitoring the communication of the IoT device.
- an abnormal communication model a model showing characteristics of abnormal communication
- the transmission/reception unit 233 transmits and receives various data to and from the server 100 .
- the transmission/reception unit 233 sends the new normal communication model or the updated normal communication model to the server 100. Send.
- the transmitting/receiving unit 233 transmits information to the effect that learning of the normal communication model has failed to the server 100 .
- This information is, for example, information indicating whether the learning unit 231 has failed to learn a normal communication model for which feature amount of which model of IoT device.
- the transmitting/receiving unit 233 also receives from the server 100 a notification as to whether or not the normal communication model being applied by its own sensor 20 belongs to the majority cluster (attribution information to the majority cluster).
- the transmitting/receiving unit 233 also receives from the server 100 the average model of the normal communication model group belonging to the majority cluster.
- the determination unit 234 determines whether or not to change the normal communication model being applied by its own sensor 20.
- the determination unit 234 determines that the currently applied normal communication model belongs to the majority cluster. It is determined that the normal communication model is applied as it is.
- the normal communication model is updated or the average model received from the server 100 is applied. . Whether to update the normal communication model or apply the average model is determined, for example, by an instruction input by the administrator of the sensor 20 or the like.
- the model management unit 235 manages the normal communication model applied by the monitoring unit 232. For example, when an administrator or the like of the sensor 20 inputs an instruction to update the normal communication model via the communication unit 21, the model management unit 235 causes the learning unit 231 to learn the normal communication model again. . Then, the model management unit 235 changes the normal communication model applied by the monitoring unit 232 to the re-learned normal communication model.
- the model management unit 235 applies Change normal communication model to average model.
- the learning unit 231 connects to the IoT device of model A ((1): device connection), and learns a normal communication model based on the feature amount of the communication data of the IoT device ((2): learning).
- the learning unit 231 can generate a normal communication model ( (3): Generation of normal communication model). That is, the learning unit 231 succeeds in learning the normal communication model.
- the learning unit 231 can generate a normal communication model. Can not. In other words, the learning unit 231 fails to learn the normal communication model.
- the processing procedure of the system 1 is divided into (1) learning phase and (2) operation phase.
- the learning phase is, for example, a phase in which a new sensor 20 is added to the system 1 and a normal communication model learned by the sensor 20 is added to the server 100 .
- the operation phase is a phase in which the normal communication model is updated in the existing sensors 20 in the system 1 and the updated normal communication model is added to the server 100 .
- the sensor 20 acquires communication data of the IoT device (model A IoT device).
- the sensor 20 learns a normal communication model for the number of packets sent by the IoT device of model A by performing statistical processing on the feature values of the acquired communication data.
- the sensor 20 After successfully learning the normal communication model, the sensor 20 transmits the learned normal communication model (determination target model) to the server 100 .
- the server 100 clusters a group of normal communication models for the number of packets sent by IoT devices of model A, including the determination target model sent from the sensor 20 . Then, the server 100 uses the clustering result to calculate the majority cluster, and calculates the average model of the normal communication model group belonging to the majority cluster.
- the server 100 notifies the sensor 20 of the following contents according to the clustering result of the normal communication model group.
- the administrator of the sensor 20 can confirm that there is no problem in applying the normal communication model learned by the sensor 20.
- the server 100 determines that the determination target model does not belong to the majority cluster, it notifies the sensor 20 from which the determination target model was acquired that the determination target model does not belong to the majority cluster. Notify attribution information.
- the sensor 20 can acquire an appropriate normal communication model (average model).
- the sensor 20 acquires communication data of the IoT device (model A IoT device).
- the sensor 20 learns a normal communication model for the number of packets sent by the IoT device of model A by performing statistical processing on the feature values of the acquired communication data.
- the sensor 20 transmits information to the server 100 to the effect that learning of the normal communication model has failed.
- the information is, for example, information indicating that learning of the normal communication model regarding the number of packets transmitted by the model A IoT device has failed.
- the server 100 clusters the normal communication model group for the number of transmitted packets of the IoT devices of model A, calculates the majority cluster using the clustering result, and calculates the number of normal communication model groups belonging to the majority cluster. Calculate the average model.
- the server 100 transmits the average model calculated in (4) to the sensor 20 .
- the sensor 20 can acquire an appropriate normal communication model (average model).
- the sensor 20B updates the parameters of the normal communication model for the number of packets sent by the model A IoT device.
- the sensor 20B transmits the updated normal communication model to the server 100.
- the server 100 clusters again the normal communication model group of the number of transmitted packets of the IoT devices of model A, including the updated normal communication model transmitted from the sensor 20B.
- the server 100 also uses the clustering result to recalculate the majority cluster, and recalculates the average model of the normal communication model group belonging to the majority cluster.
- the server 100 assigns the normal communication model to the sensor 20 (for example, the sensor 20A) from which the normal communication Notify that the communication model is out of the majority cluster.
- the server 100 notifies the calculated average model of the majority cluster to the sensor 20 (for example, the sensor 20A) from which the normal communication model was obtained.
- the notification to the effect that the normal communication model has deviated from the majority cluster may include information indicating how much the normal communication model has deviated from the majority cluster.
- the learning unit 231 learns a normal communication model (S11). After completing the learning of the normal communication model, the sensor 20 determines whether or not to permit cooperation with the server 100 (S12). For example, when the sensor 20 receives an input from the administrator of the sensor 20 to the effect that cooperation with the server 100 is permitted, the sensor 20 determines that cooperation with the server 100 is permitted (Yes in S12). Then, the transmitter/receiver 233 of the sensor 20 transmits the authentication information of the server 100 and the normal communication model learned in S11 to the server 100 (S13).
- the learning unit 231 of the sensor 20 learns the normal communication model by the sensor 20 alone (S24).
- the acquisition unit 131 of the server 100 receives the server authentication information and the normal communication model from the sensor 20, it registers the cooperation permission information of the sensor 20 in the storage unit 120 (S14). Then, the calculation unit 132 of the server 100 clusters the normal communication model group including the normal communication model transmitted in S13 (S15). The calculation unit 132 also calculates the majority cluster using the clustering result, and calculates the average model of the majority cluster. Furthermore, the determination unit 133 determines whether the normal communication model transmitted in S13 belongs to the majority cluster.
- the notification unit 134 of the server 100 sends the result of determination by the determination unit 133 (attribution information of the normal communication model to the majority cluster) to the sensor 20 that is the transmission source of the normal communication model transmitted in S13. and the average model are transmitted (S16).
- the transmitting/receiving unit 233 of the sensor 20 receives from the server 100 the information on belonging to the majority cluster and the average model regarding the normal communication model transmitted in S13 (S17: acquire information from the server). After that, the determination unit 234 determines whether or not to use the average model based on the belonging information to the majority cluster received in S17 (S18).
- the determination unit 234 determines to use the average model (Yes in S18). . Then, the model management unit 235 changes the normal communication model applied by the monitoring unit 232 to the average model (S19: apply the average model). After that, the process proceeds to S21.
- the determination unit 234 determines not to use the average model (No in S18). Then, the model management unit 235 sets the normal communication model to be applied by the monitoring unit 232 to the normal communication model learned in S11 (S20: apply the learned normal communication model). After that, the process proceeds to S21.
- the transmission/reception unit 233 transmits the application information of the normal communication model to the server 100 (S21).
- This normal communication model application information is, for example, information indicating whether the sensor 20 applies the normal communication model learned by the sensor 20 or the average model.
- the sensor 20 transmits application information of the normal communication model including the learned normal communication model.
- the acquiring unit 131 of the server 100 acquires the normal communication model information (the normal communication model applied by each sensor 20) of the storage unit 120 based on the application information of the normal communication model transmitted from the sensor 20 in S21. information) is updated (S22). After that, the process proceeds to S41 in FIG. The processing of S41 in FIG. 11 will be described later.
- the administrator of the sensor 20 can know whether the normal communication model learned by the sensor 20 is appropriate. Also, if the normal communication model learned by the sensor 20 is not appropriate, an appropriate normal communication model (average model) can be acquired.
- the learning unit 231 learns a normal communication model (S31).
- the sensor 20 determines whether or not to permit cooperation with the server 100 (S32). For example, when the sensor 20 receives an input from the administrator of the sensor 20 to the effect that cooperation with the server 100 is permitted, the sensor 20 determines that cooperation with the server 100 is permitted (Yes in S32).
- this normal communication model learning failure information is information indicating which model of IoT device and which feature value related to which normal communication model learning has failed.
- the sensor 20 detects an abnormality of the IoT device by another means, for example (S40).
- the acquisition unit 131 of the server 100 receives the server authentication information and the normal communication model from the sensor 20, it registers the cooperation permission information of the sensor 20 in the storage unit 120 (S34). After that, the notification unit 134 reads out the average model of the normal communication model of the model and the feature quantity indicated in the learning failure information of the normal communication model from the storage unit 120, and transmits it to the sensor 20 (S35).
- the transmitter/receiver 233 of the sensor 20 receives the average model from the server 100 (S36: information acquisition from the server). After that, the model management unit 235 applies the average model received in S36 as the normal communication model used by the monitoring unit 232 (S37). Then, the transmission/reception unit 233 transmits application information of the normal communication model to the server 100 (S38).
- the acquisition unit 131 of the server 100 updates the normal communication model information in the storage unit 120 based on the normal communication model application information transmitted from the sensor 20 in S38 (S39). After that, the process proceeds to S41 in FIG. The processing of S41 in FIG. 11 will be described later.
- the system 1 can acquire an appropriate normal communication model (average model) even if the sensor 20 fails to learn the normal communication model.
- the calculation unit 132 receives the updated normal communication model and the updated normal communication model.
- the normal communication model group regarding the same model and the same feature value is clustered again.
- the calculation unit 132 calculates the majority cluster again using the clustering result.
- the calculation unit 132 also calculates the average model of the majority cluster again.
- the determination unit 133 of the server 100 determines whether or not there is a normal communication model outside the majority cluster as a result of the processing of S42 (S43).
- the process returns to S41.
- the notification unit 134 sends the sensor 20, which is the transmission source of the normal communication model that is out of the majority cluster, The membership information to the majority cluster and the average model are transmitted (S44). After that, the process proceeds to S45.
- the belonging information to the majority cluster transmitted in S44 is information indicating that the normal communication model applied by the sensor 20 is out of the majority cluster. Also, the belonging information to the majority cluster may include a value indicating how far the normal communication model deviates from the majority cluster. Since the processing of S45 to S50 is the same as the processing of S17 to S22 in FIG. 9, the description thereof is omitted.
- the administrator of the sensor 20 can know whether or not the normal communication model learned by the sensor 20 is no longer appropriate. Also, when the normal communication model learned by the sensor 20 is no longer appropriate, the sensor 20 can acquire an appropriate normal communication model (average model).
- the server 100 sends the majority cluster belonging information and the average model However, it is not limited to this.
- the notification unit 134 of the server 100 notifies the majority cluster belonging information to the sensor 20 from which the normal communication model belonging to the majority cluster was acquired, and obtains the normal communication model that does not belong to the majority cluster.
- the original sensor 20 may be informed of the majority cluster membership information and mean model.
- the notification unit 134 of the server 100 may not notify the average model to the sensor 20 from which the normal communication model belonging to the majority cluster was acquired.
- the notification unit 134 of the server 100 notifies the sensor 20 of the belonging information of the majority cluster, but is not limited to this. For example, the notification unit 134 notifies the sensor 20 that if the normal communication model learned by the sensor 20 belongs to the majority cluster, there is no problem in applying the normal communication model. If it does not belong, it may notify that the normal communication model needs to be re-learned or updated.
- each constituent element of each part shown in the figure is functionally conceptual, and does not necessarily need to be physically configured as shown in the figure.
- the specific form of distribution and integration of each device is not limited to the illustrated one, and all or part of them can be functionally or physically distributed and integrated in arbitrary units according to various loads and usage conditions. Can be integrated and configured.
- all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
- the server 100 described above can be implemented by installing a program on a desired computer as package software or online software.
- the information processing device can function as the server 100 by causing the information processing device to execute the above program.
- the information processing apparatus referred to here includes a desktop or notebook personal computer.
- information processing devices include mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone Systems), and terminals such as PDAs (Personal Digital Assistants).
- the server 100 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with services related to the above processing.
- the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing by outsourcing.
- FIG. 12 is a diagram showing an example of a computer that executes an analysis program.
- the computer 1000 has a memory 1010 and a CPU 1020, for example.
- Computer 1000 also has hard disk drive interface 1030 , disk drive interface 1040 , serial port interface 1050 , video adapter 1060 and network interface 1070 . These units are connected by a bus 1080 .
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012 .
- the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- BIOS Basic Input Output System
- Hard disk drive interface 1030 is connected to hard disk drive 1090 .
- a disk drive interface 1040 is connected to the disk drive 1100 .
- a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100 .
- Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
- Video adapter 1060 is connected to display 1130, for example.
- the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, the program that defines each process executed by the server 100 is implemented as a program module 1093 in which computer-executable code is described.
- Program modules 1093 are stored, for example, on hard disk drive 1090 .
- the hard disk drive 1090 stores a program module 1093 for executing processing similar to the functional configuration in the server 100 .
- the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
- the data used in the processes of the above-described embodiments are stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program modules 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
- the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.
- LAN Local Area Network
- WAN Wide Area Network
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Medical Informatics (AREA)
- Artificial Intelligence (AREA)
- Environmental & Geological Engineering (AREA)
- Databases & Information Systems (AREA)
- Evolutionary Computation (AREA)
- Mathematical Analysis (AREA)
- Algebra (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
まず、図1を用いて、本実施形態の分析装置(サーバ)を含む分析システムの概要を説明する。分析システム(システム)1は、複数のネットワークトラフィックセンサ(センサ)20と、サーバ100とを備える。
[サーバ]
次に、図2を用いて、サーバ100の構成例を説明する。サーバ100は、通信部110と、記憶部120と、制御部130とを備える。通信部110は、ネットワーク経由で外部装置(例えば、センサ20)とのデータ通信を行う際のインタフェースである。
次に、図3を用いて、センサ20の構成例を説明する。センサ20は、通信部21と、記憶部22と、制御部23とを備える。通信部21は、ネットワーク経由で外部装置(例えば、IoTデバイス、サーバ100)とのデータ通信を行う際のインタフェースである。
ここで、学習部231における正常通信モデルの学習の成功と失敗について、図5を用いて説明する。ここでは、正常通信モデルの学習に用いられる特徴量が、IoTデバイスの通信における時間ごとの宛先IPアドレス数である場合を例に説明する。また、学習された正常通信モデルにおいて、特徴量の値は正規分布をとるものとして説明する。
[概要]
次に、システム1の処理手順の例を説明する。システム1の処理手順は、(1)学習フェーズおよび(2)運用フェーズに分けられる。(1)学習フェーズは、例えば、システム1内に新規のセンサ20が追加され、当該センサ20において学習された正常通信モデルをサーバ100に追加するフェーズである。(2)運用フェーズは、システム1内の既存のセンサ20において正常通信モデルの更新が行われ、更新後の正常通信モデルをサーバ100に追加するフェーズである。
まず、図6を用いて(1)学習フェーズにおける、システム1の処理手順の例を説明する。ここでは、センサ20が正常通信モデルの学習に成功した場合のシステム1の処理手順の例を説明する。
次に、図7を用いて(1)学習フェーズにおいて、センサ20が正常通信モデルの学習に失敗した場合のシステム1の処理手順の例を説明する。
次に、図8を用いて、(2)運用フェーズにおける、システム1の処理手順の例を説明する。ここでは、図8に示すセンサ20Bが、機種AのIoTデバイスの送信パケット数の正常通信モデルのパラメータを更新した場合を例に説明する。
[詳細]
次に、図9、図10、図11を用いて、システム1の処理手順の例を詳細に説明する。
図9を用いて、センサ20が正常通信モデルの学習に成功した場合における、学習フェーズの処理手順の例を説明する。
次に、図10を用いて、センサ20が正常通信モデルの学習に失敗した場合における、学習フェーズの処理手順の例を説明する。
図11を用いて、運用フェーズの処理手順の例を説明する。まず、サーバ100が、配下のセンサ20で正常通信モデルのパラメータの変更が行われたことを検知すると(S41)、算出部132は、正常通信モデル群を再度クラスタリングする(S42)。
なお、前記した実施形態において、サーバ100は、正常通信モデルが多数派クラスタに属するか否かにかかわらず、当該正常通信モデルの取得元のセンサ20に対し、多数派クラスタの帰属情報および平均モデルを通知することとしたが、これに限定されない。
また、図示した各部の各構成要素は機能概念的なものであり、必ずしも物理的に図示のように構成されていることを要しない。すなわち、各装置の分散・統合の具体的形態は図示のものに限られず、その全部又は一部を、各種の負荷や使用状況等に応じて、任意の単位で機能的又は物理的に分散・統合して構成することができる。さらに、各装置にて行われる各処理機能は、その全部又は任意の一部が、CPU及び当該CPUにて実行されるプログラムにて実現され、あるいは、ワイヤードロジックによるハードウェアとして実現され得る。
前記したサーバ100は、パッケージソフトウェアやオンラインソフトウェアとしてプログラムを所望のコンピュータにインストールさせることによって実装できる。例えば、上記のプログラムを情報処理装置に実行させることにより、情報処理装置をサーバ100として機能させることができる。ここで言う情報処理装置には、デスクトップ型又はノート型のパーソナルコンピュータが含まれる。また、その他にも、情報処理装置にはスマートフォン、携帯電話機やPHS(Personal Handyphone System)等の移動体通信端末、さらには、PDA(Personal Digital Assistant)等の端末等がその範疇に含まれる。
20 センサ
21,110 通信部
22,120 記憶部
23,130 制御部
100 サーバ
131 取得部
132 算出部
133,234 判定部
134 通知部
231 学習部
232 監視部
233 送受信部
235 モデル管理部
Claims (8)
- IoT(Internet of Things)デバイスの通信を監視する各ネットワークトラフィックセンサから、前記通信の監視に用いられる、当該IoTデバイスの正常な通信の特徴を示す正常通信モデルを取得する取得部と、
取得した前記正常通信モデル群のうち、同じ特徴量に関する正常通信モデル群をクラスタリングし、クラスタリングの結果を用いて、正常通信モデルの数が最も多いクラスタである多数派クラスタを算出し、前記多数派クラスタに属する正常通信モデル群の平均モデルを算出する算出部と、
前記正常通信モデルの取得元のネットワークトラフィックセンサに対し、当該正常通信モデルが前記多数派クラスタに属するか否かを示す帰属情報および前記平均モデルを通知する通知部と
を備えることを特徴とする分析装置。 - 前記通知部は、
前記多数派クラスタに属する正常通信モデルの取得元のネットワークトラフィックセンサに対し、前記帰属情報を通知し、前記多数派クラスタに属しない正常通信モデルの取得元のネットワークトラフィックセンサに対し、前記帰属情報および前記平均モデルを通知する
ことを特徴とする請求項1に記載の分析装置。 - 前記取得部が、前記ネットワークトラフィックセンサから、パラメータ更新後の前記正常通信モデルを取得した場合、
前記算出部は、
前記パラメータ更新後の正常通信モデルを含む、当該正常通信モデルの特徴量と同じ特徴量に関する正常通信モデル群を、再度、クラスタリングすることにより、前記多数派クラスタを再算出し、再算出後の前記多数派クラスタに属する正常通信モデル群の平均モデルを再算出し、
前記通知部は、
いずれかの正常通信モデルが、再算出後の前記多数派クラスタから外れた場合、当該正常通信モデルの取得元のネットワークトラフィックセンサに対し、当該正常通信モデルが前記多数派クラスタから外れた旨を示す帰属情報および再算出後の前記平均モデルを通知する
ことを特徴とする請求項1に記載の分析装置。 - 前記取得部が、前記ネットワークトラフィックセンサからIoTデバイスの正常通信モデルの学習に失敗した旨の通知を取得した場合、
前記通知部は、
当該ネットワークトラフィックセンサに対し、前記学習に失敗した正常通信モデルの特徴量と同じ特徴量に関する正常通信モデル群の多数派クラスタの平均モデルを通知する
ことを特徴とする請求項1に記載の分析装置。 - 前記特徴量は、
IoTデバイスの通信における、時間あたりの送信パケット数、宛先IPアドレス数、宛先ポート番号、および、パケットのバイト数のうち、少なくともいずれか1つを含む
ことを特徴とする請求項1に記載の分析装置。 - ネットワークトラフィックセンサと、前記ネットワークトラフィックセンサにおいて学習された正常通信モデルの分析を行う分析装置とを備える分析システムであって、
前記ネットワークトラフィックセンサは、
IoTデバイスの通信の正常な通信の特徴を示す正常通信モデルの学習を行う学習部と、
前記学習された正常通信モデルまたは前記分析装置から通知された正常通信モデルを用いて前記IoTデバイスの通信の監視を行う監視部とを備え、
前記分析装置は、
IoT(Internet of Things)デバイスの通信を監視する各ネットワークトラフィックセンサから、前記通信の監視に用いられる、当該IoTデバイスの正常な通信の特徴を示す正常通信モデルを取得する取得部と、
取得した前記正常通信モデル群のうち、同じ特徴量に関する正常通信モデル群をクラスタリングし、クラスタリングの結果を用いて、正常通信モデルの数が最も多いクラスタである多数派クラスタを算出し、前記多数派クラスタに属する正常通信モデル群の平均モデルを算出する算出部と、
前記正常通信モデルの取得元のネットワークトラフィックセンサに対し、当該正常通信モデルが前記多数派クラスタに属するか否かを示す帰属情報および前記平均モデルを通知する通知部と
を備えることを特徴とする分析システム。 - 分析装置により実行される分析方法であって、
IoT(Internet of Things)デバイスの通信を監視する各ネットワークトラフィックセンサから、前記通信の監視に用いられる、当該IoTデバイスの正常な通信の特徴を示す正常通信モデルを取得する工程と、
取得した前記正常通信モデル群のうち、同じ特徴量に関する正常通信モデル群をクラスタリングし、クラスタリングの結果を用いて、正常通信モデルの数が最も多いクラスタである多数派クラスタを算出し、前記多数派クラスタに属する正常通信モデル群の平均モデルを算出する工程と、
前記正常通信モデルの取得元のネットワークトラフィックセンサに対し、当該正常通信モデルが前記多数派クラスタに属するか否かを示す帰属情報および前記平均モデルを通知する工程と
を含むことを特徴とする分析方法。 - IoT(Internet of Things)デバイスの通信を監視する各ネットワークトラフィックセンサから、前記通信の監視に用いられる、当該IoTデバイスの正常な通信の特徴を示す正常通信モデルを取得する工程と、
取得した前記正常通信モデル群のうち、同じ特徴量に関する正常通信モデル群をクラスタリングし、クラスタリングの結果を用いて、正常通信モデルの数が最も多いクラスタである多数派クラスタを算出し、前記多数派クラスタに属する正常通信モデル群の平均モデルを算出する工程と、
前記正常通信モデルの取得元のネットワークトラフィックセンサに対し、当該正常通信モデルが前記多数派クラスタに属するか否かを示す帰属情報および前記平均モデルを通知する工程と
をコンピュータに実行させるための分析プログラム。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/276,644 US20240129202A1 (en) | 2021-02-18 | 2021-02-18 | Analysis device, analysis system, analysis method, and analysis program |
JP2023500242A JPWO2022176128A1 (ja) | 2021-02-18 | 2021-02-18 | |
PCT/JP2021/006186 WO2022176128A1 (ja) | 2021-02-18 | 2021-02-18 | 分析装置、分析システム、分析方法、および、分析プログラム |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/006186 WO2022176128A1 (ja) | 2021-02-18 | 2021-02-18 | 分析装置、分析システム、分析方法、および、分析プログラム |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022176128A1 true WO2022176128A1 (ja) | 2022-08-25 |
Family
ID=82930395
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/006186 WO2022176128A1 (ja) | 2021-02-18 | 2021-02-18 | 分析装置、分析システム、分析方法、および、分析プログラム |
Country Status (3)
Country | Link |
---|---|
US (1) | US20240129202A1 (ja) |
JP (1) | JPWO2022176128A1 (ja) |
WO (1) | WO2022176128A1 (ja) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015108898A (ja) * | 2013-12-03 | 2015-06-11 | 日本電信電話株式会社 | 異常検知システム及び異常検知方法 |
JP2020187616A (ja) * | 2019-05-16 | 2020-11-19 | 三菱電機株式会社 | プラント監視モデル作成装置、プラント監視モデル作成方法およびプラント監視モデル作成プログラム |
WO2020250319A1 (ja) * | 2019-06-11 | 2020-12-17 | 日本電信電話株式会社 | 制御装置、制御方法及び制御プログラム |
-
2021
- 2021-02-18 US US18/276,644 patent/US20240129202A1/en active Pending
- 2021-02-18 JP JP2023500242A patent/JPWO2022176128A1/ja active Pending
- 2021-02-18 WO PCT/JP2021/006186 patent/WO2022176128A1/ja active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015108898A (ja) * | 2013-12-03 | 2015-06-11 | 日本電信電話株式会社 | 異常検知システム及び異常検知方法 |
JP2020187616A (ja) * | 2019-05-16 | 2020-11-19 | 三菱電機株式会社 | プラント監視モデル作成装置、プラント監視モデル作成方法およびプラント監視モデル作成プログラム |
WO2020250319A1 (ja) * | 2019-06-11 | 2020-12-17 | 日本電信電話株式会社 | 制御装置、制御方法及び制御プログラム |
Also Published As
Publication number | Publication date |
---|---|
JPWO2022176128A1 (ja) | 2022-08-25 |
US20240129202A1 (en) | 2024-04-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109791633B (zh) | 使用基于云的机器学习的静态和动态设备简档信誉 | |
CN111835794B (zh) | 防火墙策略控制方法、装置、电子设备及存储介质 | |
US9888025B2 (en) | Method and system for providing an efficient asset management and verification service | |
US9384114B2 (en) | Group server performance correction via actions to server subset | |
EP3776307B1 (en) | Distributed system for adaptive protection against web-service-targeted vulnerability scanners | |
US6557035B1 (en) | Rules-based method of and system for optimizing server hardware capacity and performance | |
US10686807B2 (en) | Intrusion detection system | |
US11818014B2 (en) | Multi-baseline unsupervised security-incident and network behavioral anomaly detection in cloud-based compute environments | |
US10592266B1 (en) | Dynamic consolidation of virtual machines | |
CN112534432A (zh) | 不熟悉威胁场景的实时缓解 | |
US10944655B2 (en) | Data verification based upgrades in time series system | |
US20090070425A1 (en) | Data processing system, method of updating a configuration file and computer program product | |
CN110998535B (zh) | 经由对应用操作请求的分析来恢复应用功能 | |
US20230185918A1 (en) | Achieving minimum trustworthiness in distributed workloads | |
US10176069B2 (en) | Quorum based aggregator detection and repair | |
WO2023197453A1 (zh) | 一种故障诊断方法、装置、设备及存储介质 | |
US10977113B2 (en) | System and method for fault identification, logging, and remediation | |
US11765195B2 (en) | Distributed network-level probabilistic attack graph generation | |
JP2020102671A (ja) | 検知装置、検知方法、および、検知プログラム | |
WO2022176128A1 (ja) | 分析装置、分析システム、分析方法、および、分析プログラム | |
AU2019277439B2 (en) | Abnormality detection apparatus, abnormality detection method, and abnormality detection program | |
CN115086172B (zh) | 一种数据网关插件更新方法、装置、电子设备及存储介质 | |
CN110521233B (zh) | 标识中断的方法、接入点、远程配置的方法、系统和介质 | |
US20210382807A1 (en) | Machine learning based application sizing engine for intelligent infrastructure orchestration | |
KR102180105B1 (ko) | 장치에 설치된 소프트웨어에 대한 악성 소프트웨어 판단 방법 및 장치 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21926563 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2023500242 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 18276644 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21926563 Country of ref document: EP Kind code of ref document: A1 |