WO2022239235A1 - Feature quantity calculation device, feature quantity calculation method, and feature quantity calculation program

Info

Publication number
WO2022239235A1
Authority
WO
WIPO (PCT)
Prior art keywords
nodes
feature amount
unit
graph
feature
Application number
PCT/JP2021/018420
Inventor
博 胡
和憲 神谷
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/018420 (WO2022239235A1)
Priority to JP2023520722A (JPWO2022239235A1)
Publication of WO2022239235A1

Definitions

  • the present invention relates to a feature amount calculation device, a feature amount calculation method, and a feature amount calculation program.
  • botnets, which are composed of malicious servers hijacked by malicious programs, have various structures, and the shortest distance between malicious servers also varies depending on the structure. In recent years, technology for detecting the structure of such botnets has been in demand.
  • a feature amount of a graph in which IP hosts are nodes and end-to-end communication between IP hosts is edges is useful information for detecting the structure of a botnet.
  • the present invention has been made in view of the above, and aims to learn high-quality feature quantities from graphs representing communication networks.
  • a feature learning apparatus includes: a generation unit that generates a graph representing communication between nodes using communication information between nodes in a network; a selection unit that selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length; a classification unit that classifies, for the selected nodes, nodes within a predetermined distance on the path into groups according to the distance between the nodes; a learning unit that learns, for each of the classified groups, a model that represents the feature amount in the graph of each node in the group; and a calculation unit that calculates a feature amount for each of the selected nodes by synthesizing the feature amounts estimated using the models learned in each group.
  • FIG. 1 is a schematic diagram illustrating a schematic configuration of a feature amount calculation device.
  • FIG. 2 is a diagram for explaining processing of the feature amount calculation device.
  • FIG. 3 is a diagram for explaining processing of the feature amount calculation device.
  • FIG. 4 is a diagram for explaining processing of the feature amount calculation device.
  • FIG. 5 is a flow chart showing a feature amount calculation processing procedure.
  • FIG. 6 is a diagram illustrating a computer that executes a feature amount calculation program.
  • FIGS. 2 to 4 are diagrams for explaining the processing of the feature amount calculation device.
  • the feature amount calculation device 10 is implemented by a general-purpose computer such as a personal computer, and includes an input unit 11 , an output unit 12 , a communication control unit 13 , a storage unit 14 and a control unit 15 .
  • the input unit 11 is implemented using input devices such as a keyboard and a mouse, and inputs various instruction information such as processing start to the control unit 15 in response to input operations by the operator.
  • the output unit 12 is implemented by a display device such as a liquid crystal display, a printing device such as a printer, or the like.
  • the communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between an external device such as a server and the control unit 15 via a network.
  • the communication control unit 13 controls communication between a management device or the like that collects and manages network communication information and the control unit 15 .
  • the storage unit 14 is implemented by semiconductor memory devices such as RAM (Random Access Memory) and flash memory, or storage devices such as hard disks and optical disks.
  • the storage unit 14 stores in advance a processing program for operating the feature amount calculation device 10, data used during execution of the processing program, and the like, or stores them temporarily each time processing is performed.
  • the storage unit 14 stores a model 14a or the like that is the processing result of the learning unit, which will be described later.
  • the storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13 .
  • the control unit 15 is implemented using a CPU (Central Processing Unit) or the like, and executes a processing program stored in memory. Thereby, the control unit 15 functions as an acquisition unit 15a, a generation unit 15b, a selection unit 15c, a classification unit 15d, a learning unit 15e, a calculation unit 15f, and an extraction unit 15g, as illustrated in FIG. 1. It should be noted that these functional units may be implemented, each or in part, in different hardware. For example, the learning unit 15e and the calculation unit 15f may be implemented in different hardware. Also, the control unit 15 may include other functional units.
  • the acquisition unit 15a acquires the collected communication information of the nodes of the network. For example, the acquisition unit 15a acquires flow information and the like of the IP hosts to be processed in the feature amount calculation process described later, via the input unit 11 or the communication control unit 13, from a management device or the like that collects and manages network communication information.
  • the acquisition unit 15a may cause the storage unit 14 to store the acquired data. Alternatively, the acquisition unit 15a may transfer these pieces of information to the generation unit 15b described below without storing them in the storage unit 14.
  • the generation unit 15b uses the communication information between the nodes of the network to generate a graph representing the communication between the nodes. For example, as shown in FIG. 2, the generating unit 15b uses the obtained flow information of IP hosts to create a graph in which IP hosts are nodes and communication between IP hosts is edges.
  • FIG. 2 illustrates a communication graph between a malicious (Bot) server and a C&C (Command and Control) server.
  • the selection unit 15c selects related nodes connected by a path of a predetermined length from among the nodes of the generated graph. For example, the selection unit 15c executes Random Walk a predetermined number of times with each node as the starting point, and generates a path of a predetermined length including the node for each node as the starting point.
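  • the classification unit 15d classifies, for the selected nodes, nodes within a predetermined distance on the path into groups according to the distance between the nodes. For example, for the graph shown in FIG. 2, the classification unit 15d classifies, as shown in FIG. 3, node pair A-C into the distance-1 group, node pair A-B into the distance-2 group, and node pair A-E into the distance-3 group.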
  • the learning unit 15e learns a model 14a that represents the feature amount in the graph of each node in each classified group. In this embodiment, the learning unit 15e learns different models 14a for each classified group.
  • the learning unit 15e may further learn a common model 14a for a plurality of groups within a predetermined distance range among the classified groups. For example, among the groups illustrated in FIG. 4(a), a common model 14a may be learned for the plurality of groups with a distance of 2 or less, that is, the distance-1 group and the distance-2 group. In this case, the learning unit 15e may, as a rule, have each group learn a different model 14a, while allowing a plurality of groups that learn a common model 14a to be selected.
  • the calculation unit 15f calculates the feature amount by synthesizing the feature amount estimated using the model 14a learned in each group for each of the selected nodes. For example, as shown in FIG. 4B, the calculation unit 15f combines all the feature amounts output by the models 14a learned in each group for each node to obtain the feature amount of the node.
  • the extracting unit 15g extracts dimension values with importance levels equal to or greater than a predetermined threshold value from the calculated feature amounts. Specifically, the extraction unit 15g uses the teacher data and the learned model 14a to calculate the degree of importance for each dimension of the feature vector representing the feature amount of each node. For example, the extraction unit 15g calculates the importance of each dimension by Random Forest. Then, as shown in FIG. 4(c), the extracting unit 15g selects only important dimensions whose importance is greater than or equal to a predetermined threshold value, and uses them as the feature amount of the node.
  • the extraction unit 15g outputs the calculated feature amount of each node via the output unit 12.
  • instead of, or in addition to, the output of the extraction unit 15g, the feature amount of each node calculated by the calculation unit 15f may be output.
  • FIG. 5 is a flow chart showing a feature amount calculation processing procedure. The flowchart of FIG. 5 is started, for example, when an operation input instructing the start of the feature amount calculation process is performed.
  • the generation unit 15b uses the communication information of the nodes of the network acquired by the acquisition unit 15a to generate a graph representing communication between nodes (step S1).
  • the selection unit 15c selects related nodes connected by a path of a predetermined length from among the nodes of the generated graph (step S2).
  • the classification unit 15d classifies nodes within a predetermined distance on the path from the selected node into groups according to the distance between the nodes (step S3).
  • the learning unit 15e learns the model 14a representing the feature amount in the graph of each node in the group for each classified group (step S4).
  • the learning unit 15e learns a different model 14a for each classified group.
  • the learning unit 15e may learn the common model 14a for a plurality of groups within a predetermined distance range among the classified groups.
  • the calculation unit 15f calculates a feature amount for each of the selected nodes by synthesizing the feature amounts estimated using the model 14a learned in each group (step S5).
  • the extraction unit 15g uses the teacher data and the learned model 14a to calculate the degree of importance for each dimension of the feature vector representing the feature amount of each node. Then, the extracting unit 15g extracts only important dimensions whose degrees of importance are equal to or greater than a predetermined threshold value, and uses them as feature amounts of the node (step S6).
  • the extraction unit 15g outputs the feature amount of each node via the output unit 12 (step S7). This completes a series of feature amount calculation processing.
  • the generation unit 15b uses communication information between nodes of the network to generate a graph representing communication between nodes. Further, the selection unit 15c selects related nodes connected by a path of a predetermined length from among the nodes of the generated graph. In addition, the classification unit 15d classifies nodes within a predetermined distance on the path from the selected node into groups according to the distance between the nodes. Also, the learning unit 15e learns the model 14a representing the feature amount in the graph of each node in the group for each classified group. Then, the calculation unit 15f calculates a feature amount by synthesizing the feature amount estimated using the model 14a learned in each group for each of the selected nodes.
  • the feature amount calculation device 10 divides the teacher data according to the distance between nodes, learns the similarity between nodes at each distance, and synthesizes the feature amounts of each node learned at each different distance. By doing so, the feature amount of each node is calculated. As a result, it is possible to calculate the feature amount of a node by taking into consideration the difference due to the distance of the contexts of adjacent nodes. Therefore, the feature amount calculation device 10 can learn high-quality feature amounts from the graph representing the communication network.
  • the learning unit 15e learns a different model 14a for each classified group.
  • the feature amount calculation device 10 can learn the model 14a with higher accuracy.
  • the learning unit 15e learns the common model 14a for a plurality of groups within a predetermined distance range among the classified groups.
  • the feature amount calculation device 10 can efficiently learn the model 14a.
  • the extraction unit 15g uses the teacher data and the learned model 14a to calculate the degree of importance for each dimension of the feature vector representing the feature amount of each node. Then, the extraction unit 15g extracts, from the calculated feature amount, the values of the dimensions whose importance is equal to or higher than a predetermined threshold value. As a result, the feature amount calculation device 10 can efficiently calculate high-quality feature amounts of each node.
  • the feature quantity calculation device 10 can be implemented by installing a feature quantity calculation program for executing the feature quantity calculation process as package software or online software in a desired computer.
  • the information processing apparatus can function as the feature amount calculation apparatus 10 by causing the information processing apparatus to execute the above feature amount calculation program.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone Systems), and slate terminals such as PDAs (Personal Digital Assistants).
  • the functions of the feature amount calculation device 10 may be implemented in a cloud server.
  • FIG. 6 is a diagram showing an example of a computer that executes a feature amount calculation program.
  • Computer 1000 includes, for example, memory 1010 , CPU 1020 , hard disk drive interface 1030 , disk drive interface 1040 , serial port interface 1050 , video adapter 1060 and network interface 1070 . These units are connected by a bus 1080 .
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012 .
  • the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1031 .
  • Disk drive interface 1040 is connected to disk drive 1041 .
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041, for example.
  • a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050, for example.
  • a display 1061 is connected to the video adapter 1060 .
  • the hard disk drive 1031 stores an OS 1091, application programs 1092, program modules 1093 and program data 1094, for example. Each piece of information described in the above embodiment is stored in the hard disk drive 1031 or the memory 1010, for example.
  • the feature amount calculation program is stored in the hard disk drive 1031 as a program module 1093 in which commands to be executed by the computer 1000 are described, for example.
  • the hard disk drive 1031 stores a program module 1093 that describes each process executed by the feature amount calculation apparatus 10 described in the above embodiment.
  • Data used for information processing by the feature amount calculation program is stored as program data 1094 in the hard disk drive 1031, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes each procedure described above.
  • the program modules 1093 and program data 1094 related to the feature amount calculation program are not limited to being stored in the hard disk drive 1031; they may be stored in a removable storage medium, for example, and read out by the CPU 1020 via the disk drive 1041 or the like.
  • alternatively, the program module 1093 and program data 1094 related to the feature amount calculation program may be stored in another computer connected via a network such as a LAN (Local Area Network) or WAN (Wide Area Network), and read by the CPU 1020 via the network interface 1070.
  • REFERENCE SIGNS LIST: 10 feature amount calculation device; 11 input unit; 12 output unit; 13 communication control unit; 14 storage unit; 14a model; 15 control unit; 15a acquisition unit; 15b generation unit; 15c selection unit; 15d classification unit; 15e learning unit; 15f calculation unit; 15g extraction unit

Abstract

In the present invention, a generation unit (15b) generates, using communication information between network nodes, a graph that represents communication between the nodes. A selection unit (15c) selects associated nodes, among the nodes of the generated graph, that are connected by a path having a prescribed length. A classification unit (15d) classifies the selected nodes that are within a prescribed distance on the path into a group that corresponds to the node-to-node distance. A learning unit (15e) learns, for each of the classified groups, a model (14a) that represents a feature quantity in the graph of the nodes within the group. A calculation unit (15f) synthesizes, for each of the selected nodes, feature quantities estimated using the model (14a) that has been learned for each group, thereby calculating a feature quantity.

Description

Feature quantity calculation device, feature quantity calculation method, and feature quantity calculation program
The present invention relates to a feature amount calculation device, a feature amount calculation method, and a feature amount calculation program.
Networks called botnets, which are composed of malicious servers hijacked by malicious programs, have various structures, and the shortest distance between malicious servers also varies depending on the structure. In recent years, technology for detecting the structure of such botnets has been in demand. The feature amounts of a graph in which IP hosts are nodes and end-to-end communications between IP hosts are edges are useful information for detecting the structure of a botnet.
Therefore, a technique called graph embedding is known, which learns node feature amounts from a communication graph built from network flow information. For example, it is possible to generate node paths from a graph and learn the similarity between nodes within a predetermined number of hops on a path (see Non-Patent Document 1).
However, with conventional technology, it is difficult to learn high-quality feature amounts. For example, when focusing on a certain node, the contexts of adjacent nodes within a certain distance differ depending on the distance, so learning nodes with different contexts at the same time degrades the quality of the resulting feature amounts.
The present invention has been made in view of the above, and aims to learn high-quality feature amounts from graphs representing communication networks.
In order to solve the above-described problems and achieve the object, a feature amount learning apparatus according to the present invention includes: a generation unit that generates a graph representing communication between nodes using communication information between nodes of a network; a selection unit that selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length; a classification unit that classifies, for the selected nodes, nodes within a predetermined distance on the path into groups according to the distance between the nodes; a learning unit that learns, for each of the classified groups, a model representing the feature amount in the graph of each node in the group; and a calculation unit that calculates a feature amount for each of the selected nodes by synthesizing the feature amounts estimated using the models learned in each group.
According to the present invention, it is possible to learn high-quality feature amounts from graphs representing communication networks.
FIG. 1 is a schematic diagram illustrating a schematic configuration of a feature amount calculation device.
FIG. 2 is a diagram for explaining processing of the feature amount calculation device.
FIG. 3 is a diagram for explaining processing of the feature amount calculation device.
FIG. 4 is a diagram for explaining processing of the feature amount calculation device.
FIG. 5 is a flowchart showing a feature amount calculation processing procedure.
FIG. 6 is a diagram illustrating a computer that executes a feature amount calculation program.
An embodiment of the present invention will be described in detail below with reference to the drawings. It should be noted that the present invention is not limited by this embodiment. Moreover, in the description of the drawings, the same parts are denoted by the same reference numerals.
[Configuration of Feature Amount Calculation Device]
FIG. 1 is a schematic diagram illustrating a schematic configuration of a feature amount calculation device. FIGS. 2 to 4 are diagrams for explaining the processing of the feature amount calculation device. First, as illustrated in FIG. 1, the feature amount calculation device 10 is implemented by a general-purpose computer such as a personal computer, and includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.
The input unit 11 is implemented using input devices such as a keyboard and a mouse, and inputs various instruction information, such as an instruction to start processing, to the control unit 15 in response to input operations by the operator. The output unit 12 is implemented by a display device such as a liquid crystal display, a printing device such as a printer, or the like.
The communication control unit 13 is implemented by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device, such as a server, via a network. For example, the communication control unit 13 controls communication between the control unit 15 and a management device or the like that collects and manages network communication information.
The storage unit 14 is implemented by a semiconductor memory device such as a RAM (Random Access Memory) or flash memory, or by a storage device such as a hard disk or an optical disk. The storage unit 14 stores in advance a processing program for operating the feature amount calculation device 10, data used during execution of the processing program, and the like, or stores them temporarily each time processing is performed. For example, the storage unit 14 stores a model 14a or the like that is the processing result of the learning unit, which will be described later. Note that the storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13.
The control unit 15 is implemented using a CPU (Central Processing Unit) or the like, and executes a processing program stored in memory. Thereby, the control unit 15 functions as an acquisition unit 15a, a generation unit 15b, a selection unit 15c, a classification unit 15d, a learning unit 15e, a calculation unit 15f, and an extraction unit 15g, as illustrated in FIG. 1. It should be noted that these functional units may be implemented, each or in part, in different hardware. For example, the learning unit 15e and the calculation unit 15f may be implemented in different hardware. Also, the control unit 15 may include other functional units.
The acquisition unit 15a acquires the collected communication information of the nodes of the network. For example, the acquisition unit 15a acquires flow information and the like of the IP hosts to be processed in the feature amount calculation process described later, via the input unit 11 or the communication control unit 13, from a management device or the like that collects and manages network communication information. The acquisition unit 15a may cause the storage unit 14 to store the acquired data. Alternatively, the acquisition unit 15a may transfer these pieces of information to the generation unit 15b described below without storing them in the storage unit 14.
The generation unit 15b uses the communication information between the nodes of the network to generate a graph representing the communication between the nodes. For example, as shown in FIG. 2, the generation unit 15b uses the acquired flow information of IP hosts to create a graph in which IP hosts are nodes and communications between IP hosts are edges. FIG. 2 illustrates a communication graph between malicious (Bot) servers and C&C (Command and Control) servers.
The selection unit 15c selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length. For example, the selection unit 15c executes Random Walk a predetermined number of times with each node as the starting point, and generates, for each starting node, paths of a predetermined length that include the node.
The classification unit 15d classifies, for the selected nodes, nodes within a predetermined distance on the path into groups according to the distance between the nodes. For example, for the graph shown in FIG. 2, the classification unit 15d classifies, as shown in FIG. 3, node pair A-C into the distance-1 group, node pair A-B into the distance-2 group, and node pair A-E into the distance-3 group.
As shown in FIG. 4(a), the learning unit 15e learns, for each classified group, a model 14a that represents the feature amount in the graph of each node in the group. In this embodiment, the learning unit 15e learns a different model 14a for each classified group.
The learning unit 15e may further learn a common model 14a for a plurality of groups within a predetermined distance range among the classified groups. For example, among the groups illustrated in FIG. 4(a), a common model 14a may be learned for the plurality of groups with a distance of 2 or less, that is, the distance-1 group and the distance-2 group. In this case, the learning unit 15e may, as a rule, have each group learn a different model 14a, while allowing a plurality of groups that learn a common model 14a to be selected.
The calculation unit 15f calculates a feature amount for each of the selected nodes by synthesizing the feature amounts estimated using the models 14a learned in each group. For example, as shown in FIG. 4(b), the calculation unit 15f concatenates, for each node, all the feature amounts output by the models 14a learned in each group to obtain the feature amount of that node.
The extraction unit 15g extracts, from the calculated feature amounts, the values of dimensions whose importance is equal to or greater than a predetermined threshold value. Specifically, the extraction unit 15g uses the teacher data and the learned model 14a to calculate the degree of importance for each dimension of the feature vector representing the feature amount of each node. For example, the extraction unit 15g calculates the importance of each dimension by Random Forest. Then, as shown in FIG. 4(c), the extraction unit 15g selects only the important dimensions whose importance is greater than or equal to the predetermined threshold value, and uses them as the feature amount of the node.
In addition, the extraction unit 15g outputs the calculated feature amount of each node via the output unit 12. Instead of, or in addition to, the output of the extraction unit 15g, the feature amount of each node calculated by the calculation unit 15f may be output.
[Feature amount calculation process]
Next, the feature amount calculation process performed by the feature amount calculation device 10 according to the present embodiment will be described with reference to FIG. 5. FIG. 5 is a flowchart showing the feature amount calculation processing procedure. The flowchart of FIG. 5 is started, for example, at the timing when an operation input instructing the start of the feature amount calculation process is received.
First, using the communication information of the network nodes acquired by the acquisition unit 15a, the generation unit 15b generates a graph representing communication between nodes (step S1).
The selection unit 15c then selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length (step S2). The classification unit 15d classifies, for the selected nodes, the nodes within a predetermined distance of each other on the path into groups according to the distance between the nodes (step S3).
Next, the learning unit 15e learns, for each classified group, a model 14a representing the feature amount in the graph of each node in the group (step S4).
At that time, the learning unit 15e learns a different model 14a for each classified group. Alternatively, the learning unit 15e may learn a common model 14a for a plurality of groups within a predetermined distance range among the classified groups.
Then, the calculation unit 15f calculates a feature amount for each of the selected nodes by combining the feature amounts estimated using the models 14a learned in the respective groups (step S5).
The extraction unit 15g uses the teacher data and the learned models 14a to calculate the importance of each dimension of the feature vector representing the feature amount of each node. The extraction unit 15g then extracts only the important dimensions, those whose importance is equal to or greater than a predetermined threshold, and uses them as the feature amount of the node (step S6).
Finally, the extraction unit 15g outputs the feature amount of each node via the output unit 12 (step S7). This completes the series of feature amount calculation processing.
As described above, in the feature amount calculation device 10, the generation unit 15b uses communication information between nodes of the network to generate a graph representing communication between nodes. The selection unit 15c selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length. The classification unit 15d classifies, for the selected nodes, the nodes within a predetermined distance of each other on the path into groups according to the distance between the nodes. The learning unit 15e learns, for each classified group, a model 14a representing the feature amount in the graph of each node in the group. The calculation unit 15f then calculates a feature amount for each of the selected nodes by combining the feature amounts estimated using the models 14a learned in the respective groups.
In this way, the feature amount calculation device 10 divides the teacher data according to the distance between nodes, learns the similarity between nodes at each distance, and calculates the feature amount of each node by combining the feature amounts of that node learned at the different distances. This makes it possible to calculate the feature amount of a node while taking into account how the context provided by neighboring nodes differs with distance. The feature amount calculation device 10 can therefore learn high-quality feature amounts from a graph representing a communication network.
The learning unit 15e learns a different model 14a for each classified group. As a result, the feature amount calculation device 10 can learn the model 14a with higher accuracy.
The learning unit 15e also learns a common model 14a for a plurality of groups within a predetermined distance range among the classified groups. As a result, the feature amount calculation device 10 can learn the model 14a with high efficiency.
The extraction unit 15g uses the teacher data and the learned models 14a to calculate the importance of each dimension of the feature vector representing the feature amount of each node. The extraction unit 15g then extracts, from the calculated feature amounts, the values of the dimensions whose importance is equal to or greater than a predetermined threshold. As a result, the feature amount calculation device 10 can efficiently calculate a high-quality feature amount for each node.
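Steps S1 to S5 above can be traced on a small graph with the following added example, which is not code from the patent or its applicant. It assumes that related nodes are selected by fixed-length random walks and that "distance" means hops along the sampled path, and it swaps the learned model 14a for a simple normalised context-count vector so that the result is deterministic; the flow records and all function names are constructed for illustration, and step S6 (importance-based dimension selection) is left out.

```python
import random
from collections import defaultdict

# Constructed sample flows (src, dst): a star around 10.0.0.1 and a separate chain.
FLOWS = [
    ("10.0.0.2", "10.0.0.1"), ("10.0.0.3", "10.0.0.1"), ("10.0.0.4", "10.0.0.1"),
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.3"), ("10.0.1.3", "10.0.1.4"),
]


def build_graph(flows):
    """Step S1: IP hosts become nodes, observed communication becomes undirected edges."""
    adj = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            adj[src].add(dst)
            adj[dst].add(src)
    return {node: sorted(peers) for node, peers in adj.items()}


def sample_paths(adj, path_len, walks_per_node, seed=0):
    """Step S2 (assumption): fixed-length random walks pick the related nodes."""
    rng = random.Random(seed)
    paths = []
    for start in sorted(adj):
        for _ in range(walks_per_node):
            path = [start]
            while len(path) < path_len:
                path.append(rng.choice(adj[path[-1]]))
            paths.append(path)
    return paths


def group_pairs_by_distance(paths, max_dist):
    """Step S3: node pairs on a path, grouped by how many hops apart they sit on it."""
    groups = {d: [] for d in range(1, max_dist + 1)}
    for path in paths:
        for i, node in enumerate(path):
            for d in range(1, max_dist + 1):
                if i + d < len(path):
                    groups[d].append((node, path[i + d]))
                    groups[d].append((path[i + d], node))
    return groups


def learn_model(pairs, nodes):
    """Step S4 stand-in: normalised context counts per node (not a trained embedding)."""
    index = {node: i for i, node in enumerate(nodes)}
    rows = {node: [0.0] * len(nodes) for node in nodes}
    for node, context in pairs:
        rows[node][index[context]] += 1.0
    return {node: [c / (sum(row) or 1.0) for c in row] for node, row in rows.items()}


def node_features(flows, path_len=5, walks_per_node=20, max_dist=2, shared_upto=0):
    """Steps S1 to S5: one model per distance group, outputs concatenated per node.

    Distances <= shared_upto pool their pairs into one common model.
    """
    adj = build_graph(flows)
    nodes = sorted(adj)
    paths = sample_paths(adj, path_len, walks_per_node)
    groups = group_pairs_by_distance(paths, max_dist)
    pooled = [pair for d in sorted(groups) if d <= shared_upto for pair in groups[d]]
    training_sets = ([pooled] if pooled else []) + [
        groups[d] for d in sorted(groups) if d > shared_upto
    ]
    models = [learn_model(pairs, nodes) for pairs in training_sets]
    return {node: [x for m in models for x in m[node]] for node in nodes}


if __name__ == "__main__":
    leaf = node_features(FLOWS)["10.0.0.2"]
    print("distance-1 block:", leaf[:8])
    print("distance-2 block:", leaf[8:])
```

For a leaf of the star, the distance-1 block puts all of its weight on the hub while the distance-2 block puts none there, which is the distance-dependent difference in context that the per-group models are meant to keep apart.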
[Program]
It is also possible to create a program in which the processing executed by the feature amount calculation device 10 according to the above embodiment is described in a computer-executable language. As one embodiment, the feature amount calculation device 10 can be implemented by installing, on a desired computer, a feature amount calculation program that executes the above feature amount calculation process as packaged software or online software. For example, by causing an information processing apparatus to execute the above feature amount calculation program, the information processing apparatus can be made to function as the feature amount calculation device 10. In addition, the category of information processing apparatus includes mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone System) devices, as well as slate terminals such as PDAs (Personal Digital Assistants). The functions of the feature amount calculation device 10 may also be implemented on a cloud server.
FIG. 6 is a diagram showing an example of a computer that executes the feature amount calculation program. The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1031. The disk drive interface 1040 is connected to a disk drive 1041. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041, for example. A mouse 1051 and a keyboard 1052, for example, are connected to the serial port interface 1050. A display 1061, for example, is connected to the video adapter 1060.
Here, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each piece of information described in the above embodiment is stored in, for example, the hard disk drive 1031 or the memory 1010.
The feature amount calculation program is stored in the hard disk drive 1031, for example, as a program module 1093 in which the instructions to be executed by the computer 1000 are described. Specifically, a program module 1093 describing each process executed by the feature amount calculation device 10 described in the above embodiment is stored in the hard disk drive 1031.
Data used for information processing by the feature amount calculation program is stored as program data 1094 in, for example, the hard disk drive 1031. The CPU 1020 then reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 into the RAM 1012 as necessary, and executes each of the procedures described above.
Note that the program module 1093 and the program data 1094 related to the feature amount calculation program are not limited to being stored in the hard disk drive 1031; for example, they may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the program module 1093 and the program data 1094 related to the feature amount calculation program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and read by the CPU 1020 via the network interface 1070.
An embodiment to which the invention made by the present inventors is applied has been described above, but the present invention is not limited by the descriptions and drawings that form part of the disclosure of the present invention according to this embodiment. That is, other embodiments, examples, operational techniques and the like made by those skilled in the art on the basis of this embodiment are all included in the scope of the present invention.
REFERENCE SIGNS LIST
10 feature amount calculation device
11 input unit
12 output unit
13 communication control unit
14 storage unit
14a model
15 control unit
15a acquisition unit
15b generation unit
15c selection unit
15d classification unit
15e learning unit
15f calculation unit
15g extraction unit

Claims (7)

  1.  A feature amount calculation device characterized by having:
    a generation unit that generates a graph representing communication between nodes using communication information between nodes of a network;
    a selection unit that selects, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length;
    a classification unit that classifies, for the selected nodes, nodes within a predetermined distance of each other on the path into groups according to the distance between the nodes;
    a learning unit that learns, for each of the classified groups, a model representing the feature amount in the graph of each node in the group; and
    a calculation unit that calculates a feature amount for each of the selected nodes by combining the feature amounts estimated using the models learned in the respective groups.
  2.  The feature amount calculation device according to claim 1, wherein the learning unit learns a different model for each of the classified groups.
  3.  The feature amount calculation device according to claim 2, wherein the learning unit learns a common model for a plurality of groups within a predetermined distance range among the classified groups.
  4.  The feature amount calculation device according to claim 1, further comprising an extraction unit that extracts, from among the calculated feature amounts, values of dimensions whose degree of importance is equal to or greater than a predetermined threshold.
  5.  The feature amount calculation device according to claim 4, wherein the extraction unit calculates the degree of importance of each dimension of a feature vector representing the feature amount of each node using teacher data and the learned model.
  6.  A feature amount calculation method executed by a feature amount calculation device, characterized by including:
    a generation step of generating a graph representing communication between nodes using communication information between nodes of a network;
    a selection step of selecting, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length;
    a classification step of classifying, for the selected nodes, nodes within a predetermined distance of each other on the path into groups according to the distance between the nodes;
    a learning step of learning, for each of the classified groups, a model representing the feature amount in the graph of each node in the group; and
    a calculation step of calculating a feature amount for each of the selected nodes by combining the feature amounts estimated using the models learned in the respective groups.
  7.  A feature amount calculation program characterized by causing a computer to execute:
    a generation step of generating a graph representing communication between nodes using communication information between nodes of a network;
    a selection step of selecting, from among the nodes of the generated graph, related nodes connected by a path of a predetermined length;
    a classification step of classifying, for the selected nodes, nodes within a predetermined distance of each other on the path into groups according to the distance between the nodes;
    a learning step of learning, for each of the classified groups, a model representing the feature amount in the graph of each node in the group; and
    a calculation step of calculating a feature amount for each of the selected nodes by combining the feature amounts estimated using the models learned in the respective groups.
PCT/JP2021/018420 2021-05-14 2021-05-14 Feature quantity calculation device, feature quantity calculation method, and feature quantity calculation program WO2022239235A1 (en)


Publications (1)

Publication Number Publication Date
WO2022239235A1 true WO2022239235A1 (en) 2022-11-17

Family

ID=84028959


Country Status (2)

Country Link
JP (1) JPWO2022239235A1 (en)
WO (1) WO2022239235A1 (en)


Also Published As

Publication number Publication date
JPWO2022239235A1 (en) 2022-11-17


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 2023520722

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE