JP2010128674A - Computer network, and apparatus, method, and program for detecting abnormality - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a computer network, etc., for adequately detecting an abnormality degree of a whole system, while considering symmetry in exchanging elements. <P>SOLUTION: An abnormality detecting apparatus 11 is connected to the computer network 1 and includes: a data input processing part 201 for generating input data by defining a feature quantity, which is obtained by computers 11-1n connected to the computer network, as matrixes or tensors; an invariant calculation processing part 202 for calculating an invariant being an invariant quantity even when the elements are exchanged in the input data; and abnormality detecting means 203-205 for detecting whether an abnormality occurs or not, based on the invariant. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to the detection of anomalies in systems where elements operate in conjunction with one another, and more particularly to the detection of anomalies due to malicious programs such as worms, viruses, malware, etc. in computer networks.

  In a system in which a large number of connected elements operate in relation to each other such as a computer network, for example, it is necessary to quickly detect an abnormality occurring in the operation. The anomaly detection must be independent of the nature of the particular element.

  One example is the detection of anomalies due to malicious programs such as worms, viruses, malware, etc. in computer networks. When the worm spreads rapidly to the computers constituting the network, the communication traffic in the network increases rapidly. Therefore, it is considered to record the data transmission amount between the computer and the various network devices as nodes of the network together with the time, and to detect the sudden increase of communication traffic using the data as input, thereby detecting the spread of the worm.

  The following are technical documents related to the above. Patent Document 1 describes a technique of learning a normal state of a vector by using a maximum eigenvector of a matrix having a network feature amount as a component as input, and detecting an abnormality that is significantly different from the normal vector as an abnormality. Patent Document 2 discloses a technique of calculating a distance function between probability densities before and after data is input as an outlier degree, and detecting whether the data is illegal from the outlier degree of each data. Are listed.

  Japanese Patent Application Laid-Open No. 2004-228561 describes a technique for improving recognition accuracy using statistical deformation data associated with deformation of facial expressions in a method for recognizing an image of a human face. Patent Document 4 describes an example of a method for detecting an abnormality in traffic volume by using data such as traffic volume aggregated in a certain past period as index data. Japanese Patent Application Laid-Open No. 2004-228561 describes a technique for performing highly accurate alignment by reducing failure by selecting a stable feature point in a seal collation system.

Japanese Patent Application Laid-Open No. 2005-216066 JP 2004-078981 A JP 2005-208850 A JP 2008-022498 A JP 09-045455 A

  There are the following two points as the nature of the network that should be taken into account when detecting abnormalities in communication traffic caused by worms on the computer network as described above. One is network symmetry. What should be detected as an anomaly is a change in bias in data transmission. More specifically, data was exchanged only between a small number of elements (computers), but data was exchanged between all elements due to the spread of worms. It is a phenomenon that should be detected.

  On the other hand, if transmission of the amount X of data is observed from element A to element B at a certain time and transmission of the same amount of data from element C to element D is observed at the next time, this is abnormal. It is not appropriate to detect as. This is because the combination of elements that transmit and receive data has changed over time, and the bias of data transmission and reception (in this example, an amount of data of X is exchanged between two elements) has changed. Because there is no.

  The symmetry here refers to the property that, for example, the feature quantity such as communication traffic is not changed with respect to replacement of elements (computer or the like). In this case, it is necessary to detect an abnormality in consideration of symmetry with respect to the replacement of this element. In the above example, the abnormality that the bias of data transmission changes corresponds to this. Similar symmetry can be applied to other cases.

  Another characteristic of the network to be considered is that the amount of traffic on the network changes with time, and the network structure of which elements are connected to each other also changes with time. Therefore, the state that should be determined to be abnormal also varies with time. For example, even if the traffic volume is the same, it may be abnormal if the traffic volume occurs at midnight, but it may be a normal volume if it occurs in the daytime.

  Of the above two properties, the detection of an abnormality taking into account the change in time can be performed in Patent Document 1 or the like. However, it is impossible to detect abnormalities in the behavior of the entire system regardless of the properties of specific elements in consideration of the symmetry of element replacement. None of the above-mentioned patent documents 1 to 5 describes a technique capable of detecting an abnormality in consideration of the symmetry of such element replacement.

  An object of the present invention is to provide a computer network, an abnormality detection device, an abnormality detection method, and an abnormality detection program capable of accurately detecting the degree of abnormality of the entire system in consideration of symmetry of element replacement. is there.

  In order to achieve the above object, a computer network according to the present invention is a computer network in which a plurality of computers are connected to each other, and at least one of the plurality of computers has communication traffic or the like of the entire network. An abnormality detection device having a first feature amount acquisition unit that detects a feature amount and an abnormality detection unit that performs calculation related to abnormality detection from the feature amount, and all other computers that are not abnormality detection devices among a plurality of computers The apparatus has a second feature amount acquisition unit that detects a feature amount and transfers the feature amount to the abnormality detection unit, and the abnormality detection unit of the abnormality detection device acquires the feature acquired by the first and second feature amount acquisition units. A data input processing unit that creates input data with quantities as matrices or tensors, and an invariant that calculates invariants that are invariable even if elements are replaced in the input data. And having a quantity computing unit, and an abnormality detecting means for detecting whether an abnormality has occurred based on invariants.

  In order to achieve the above object, an abnormality detection apparatus according to the present invention is an abnormality detection apparatus including a computer connected to a computer network, and features such as communication traffic acquired by another computer connected to the computer network. A data input processing unit that creates input data with quantities as matrices or tensors, an invariant calculation processing unit that calculates invariants that are invariable even if elements are replaced in the input data, and abnormalities based on invariants And an abnormality detecting means for detecting whether or not an error has occurred.

  In order to achieve the above object, an abnormality detection method according to the present invention is a method for detecting an abnormality occurring in a computer connected to a computer network in a computer network in which a plurality of computers are connected to each other. The feature amount acquisition unit of the computer connected to the computer network acquires the feature amount such as communication traffic, and the feature amount acquisition unit transfers the acquired feature amount to the abnormality detection device connected to the computer network, The data input processing unit of the anomaly detection device creates input data as a matrix or tensor from the transferred feature values, and the invariant calculation processing unit of the anomaly detection device does not change even if elements are replaced in the input data Whether the abnormality detection means of the abnormality detection device has an abnormality based on the invariant Or and detecting a.

  In order to achieve the above object, an abnormality detection program according to the present invention provides a computer with an abnormality detection device connected to a computer network, a matrix or a feature amount such as communication traffic acquired by a computer connected to the computer network. A procedure for creating input data as a tensor, a procedure for calculating an invariant that is an invariant even if elements are replaced in the input data, and a procedure for detecting whether an abnormality has occurred based on the invariant An abnormality detection program characterized in that is executed.

  As described above, the present invention calculates an invariant that is an invariant even if elements are replaced as described above, calculates an outlier score from the probability density of the invariant, and determines whether or not an abnormality has occurred Therefore, the symmetry of element replacement is taken into consideration. As a result, an unprecedented excellent computer network, abnormality detection device, abnormality detection method, and abnormality detection program that enable accurate detection of the degree of abnormality of the entire system while considering symmetry of element replacement Can be provided.

(First embodiment)
Hereinafter, the configuration of the embodiment of the present invention will be described with reference to FIGS.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
A computer network 1 according to the present embodiment includes a plurality of computers 11 to 1n connected to each other. The computer 11, which is one of them, is an abnormality detection device having a first feature amount acquisition unit 115 that detects a feature amount of the entire network and an abnormality detection unit 116 that performs calculation related to abnormality detection from the feature amount. . The computers 12 to 1n that are not the abnormality detection device include only the second feature amount acquisition unit 125 that detects the feature amount and transfers it to the abnormality detection unit. Then, the abnormality detection unit 116 of the computer 11 replaces the elements in the input data with the data input processing unit 201 that creates input data using the feature amounts acquired by the feature amount acquisition units 115 and 125 as a matrix or a tensor. An invariant calculation processing unit 202 that calculates an invariant that is an invariant, and an abnormality detection unit that detects whether an abnormality has occurred based on the invariant.

  Here, the abnormality detection means includes a distribution learning processing unit 203 that sequentially obtains the invariant probability density, and a score calculation processing unit that calculates a first outlier score representing the invariant abnormality degree using the probability density. 204 and an abnormality detection processing unit 205 that detects whether or not an abnormality has occurred using the first outlier score.

  The feature amount acquisition units 115 and 125 of the computers 11 to 1n are traffic acquisition units 115 and 125 that acquire communication traffic between these computers as a feature amount and transfer it to the abnormality detection unit.

By including this configuration, the present embodiment can accurately detect the degree of abnormality of the entire system while taking into account the symmetry of element replacement.
Hereinafter, this will be described in more detail.

  FIG. 2 is an explanatory diagram showing the computer network 1 according to the embodiment of the present invention. The computer network 1 is connected to n (n is an integer of 2 or more) computers 11 to 1n. In this embodiment, these computers 11 to 1n are nodes, and communication traffic between the nodes is a link. Then, information relating to communication traffic is transferred from the other computers 12 to 1n to the computer 11, which is an arbitrary one of those nodes, and calculation related to abnormality detection described later is performed on the computer 11. For this reason, the computer 11 is also referred to as an abnormality detection device.

  FIG. 1 is an explanatory diagram showing the internal configuration of the computers 11 and 12-1n shown in FIG. 2 in more detail. The computer 11 which is an abnormality detection device includes a CPU (Central Processing Unit) 111 which is a main body for executing a program, a RAM (Random Access Memory) 112 in which a program executed by the CPU 111 is read and stored, and a program and data. It is an ordinary computer device comprising a hard disk unit (HDD) 113 that is a nonvolatile mass storage device that is stored and a network adapter 114 that is connected to the computer network 1 and performs data communication with other computers and the like. .

  Further, the CPU 111 executes a traffic acquisition unit 115 and an abnormality detection unit 116 which are computer programs according to the present embodiment. Both are read from the HDD 113 to the RAM 112 and executed by the CPU 111. The traffic acquisition unit 115 detects communication traffic with other computers performed by the network adapter 114, and the abnormality detection unit 116 performs calculation related to abnormality detection from the communication traffic acquired by the traffic acquisition unit 115.

  Similarly to the computer 11, the computers 12 to 1n that are not abnormality detection devices are normal computer devices including a CPU 121, a RAM 122, an HDD 123, and a network adapter 124. The functions of these units are the same as those of the computer 11 having the same name. Although only the computer 12 is shown in FIG. 2, the configurations of the computers 13 to 1n not shown in FIG. 2 are the same as the computer 12.

  The CPU 121 executes a traffic acquisition unit 125 that is a computer program according to the present embodiment. The traffic acquisition unit 125 is read from the HDD 123 to the RAM 112 and executed by the CPU 121. The traffic acquisition unit 125 detects communication traffic with other computers performed by the network adapter 124, and transfers information about the detected communication traffic to the abnormality detection unit 116 of the computer 11.

  The abnormality detection unit 116 of the computer 11 uses the information related to the communication traffic transferred from the traffic acquisition unit 125 of the computers 12 to 1n together with the information acquired by the own traffic acquisition unit 115 to perform calculation related to the abnormality detection. Do it.

  Each of the computers 12 to 1n may be a server or a client. The traffic acquisition unit 125 detects communication traffic and transfers information about the detected communication traffic in parallel with other processing performed by the computer. The computer 11 serving as the abnormality detection device may also be a server or a client, or may be a device specialized for network management. The processing by the traffic acquisition unit 115 and the abnormality detection unit 116 may be performed in parallel with other processing performed by the computer 11.

(Invariant calculation and abnormality detection)
FIG. 3 is an explanatory diagram for explaining the configuration of the abnormality detection unit 116 shown in FIG. 1 in more detail. The anomaly detection unit 116 includes a data input processing unit 201 that creates input data from feature quantities of the entire system, and an invariant calculation process that calculates invariants that are invariant feature quantities with respect to element replacement from the created input data. 202, a distribution learning processing unit 203 for sequentially obtaining the calculated invariant probability density, a score calculation processing unit 204 for calculating a score representing the degree of abnormality from the invariant and the updated probability density, and And an abnormality detection processing unit 205 for detecting whether an abnormality has occurred from the score. Details of the processing by each processing unit will be described later.

  In the data input processing unit 201 in FIG. 3, input data is created from feature quantities of the entire system. The feature amount of the entire system here is a set of traffic amounts between the nodes (computers 11 to 1n), and is input from the traffic acquisition units 115 and 125 to the abnormality detection unit 116. The traffic volume input data is sequentially input along with the time, or information on the time when the data is generated is given. The data input processing unit 201 creates input data therefrom.

  The input data of the traffic amount may be a tensor type, but hereinafter, a case where the input data is a matrix type will be described as an example. As described above, n computers 11 to 1n are nodes, communication traffic between the nodes is a link, and traffic observed at time t between the i-th node and the j-th node is Aij ( t), the input data at time t is represented by an n-dimensional matrix A (t) having Aij (t) as a component of i-th row and j-th column. However, 1 ≦ i ≦ n and 1 ≦ j ≦ n.

  That is, the input data A (t) is an n-dimensional matrix representing communication traffic observed between the n computers 11 to 1n constituting the computer network 1 at time t. The invariant calculation processing unit 202 is an invariant E (which is an invariable amount even if the elements are changed (the values of i and j are changed) with respect to A (t) input by the data input processing unit 201. t) is determined as follows.

  In the matrix A (t), the i-th largest eigenvalue is λi (t), the vector in which all eigenvalues are arranged is λ (t), the determinant and the trace are det [A (t)], tr [A (t )]. In detail, det [A (t)] and tr [A (t)] are defined as the following equations.

（ｆは任意の関数、Ｅ（ｔ）はスカラー） At this time, for example, the invariant E (t) can be obtained as follows.

(F is an arbitrary function, E (t) is a scalar)

（ｆは任意の関数、Ｅ（ｔ）はスカラー）

(F is an arbitrary function, E (t) is a scalar)

（Ｅ（ｔ）はｎ次元のベクトル）

(E (t) is an n-dimensional vector)

When the i-th largest eigenvalue of the matrix A (t) is λi (t) and the corresponding eigenvector is ui (t), the eigenequation corresponding to λi (t) is as follows.

If the transformation matrix for exchanging elements is U, the matrix, eigenvector, and eigenvalue under the transformation for exchanging elements are as shown in the following equations. Here, the matrix U † represents a matrix obtained by transposing the matrix U and taking the complex conjugate of each component. Therefore, U † U = 1.

If U is applied from the left to the left side and the right side of Equation 5, the following equation is obtained.

  Since U † U = 1, it can be seen that the invariant E (t) is an invariant with respect to element replacement.

  The E (t) calculated here is an amount that represents the entire system taking into account the correlation between elements. This is because E (t) is calculated using the feature quantity of the entire system, so that the correlation between elements is taken into account, and it does not depend on a specific element (it is invariant to element replacement). This is because the amount represents the whole.

  The distribution learning processing unit 203 shown in FIG. 3 learns the distribution of the invariant E (t) as follows. If the distribution of E (t) at time t is pt (E | θt), the distribution learning processing unit 203 sequentially updates pt (E | θt) every time E (t) is input. θt represents a distribution parameter.

ここでΣｔはλ（ｔ）の分散を表す行列型パラメータで、μ（ｔ）はλ（ｔ）の平均を表すベクトル型のパラメータである。θｔは、これらのパラメータをまとめて表記したものである。 For example, when E (t) is a vector λ (t) and a multidimensional normal distribution is used, pt (E | θt) can be expressed as the following equation.

Here, Σt is a matrix type parameter representing the variance of λ (t), and μ (t) is a vector type parameter representing the average of λ (t). θt represents these parameters collectively.

  The score calculation processing unit 204 shown in FIG. 3 calculates the degree of abnormality score S (t) of the entire system at time t from the distribution of E (t) learned by the distribution learning processing unit 203. The degree of abnormality score is an amount representing how much the input data differs from normal data. If this value is large, it indicates that the data is abnormal data that does not normally appear.

図３で示した異常検出処理部２０５は、スコア計算処理部２０４で算出された異常度スコアを基にしてシステム全体の異常を検出する。異常度スコアの情報を基にシステムの異常を検出する方法としては、たとえば異常度スコアが予め設定された閾値を超えた場合を異常として検出するようにすることができる。また、検出結果の出力は、異常の発生が検出された場合にコンピュータ１１が備える表示装置（ディスプレイ）にその旨を表示するようにすることができるし、それ以外にもユーザに異常の発生を知らせることのできる方法であれば任意の出力方法を適用することができる。 The abnormality degree score S (t) is calculated, for example, as in the following equation.

The abnormality detection processing unit 205 illustrated in FIG. 3 detects an abnormality of the entire system based on the abnormality degree score calculated by the score calculation processing unit 204. As a method of detecting an abnormality of the system based on the information of the abnormality degree score, for example, a case where the abnormality degree score exceeds a preset threshold value can be detected as an abnormality. The output of the detection result can be displayed on a display device (display) included in the computer 11 when the occurrence of an abnormality is detected. Any output method can be applied as long as it can be notified.

(Overall operation of the first embodiment)
Next, the overall operation of the above embodiment will be described. The operation according to the present embodiment is a method for detecting an abnormality that has occurred in a computer network 1 in which a plurality of computers 11 to 1n are connected to each other, and the computer network 1 The feature amount acquisition units 115 and 125 of all the computers 11 to 1n connected to the computer acquire the feature amount, and the feature amount acquisition units 115 and 125 detect the acquired feature amount in the abnormality detection device ( The data input processing unit 201 of the abnormality detection device creates input data as a matrix or tensor from the transferred feature quantity, and the invariant calculation processing unit 202 of the abnormality detection device The invariant which is an invariable amount even if the elements are replaced in step 1, and the distribution learning processing unit 2 of the abnormality detection device is calculated. 3 obtains the invariant probability density sequentially, and the score calculation processing unit 204 of the abnormality detection apparatus calculates a first outlier score representing the degree of abnormality of the invariant using the probability density, and the abnormality detection apparatus The abnormality detection processing unit 205 detects whether or not an abnormality has occurred using the first outlier score.

  Further, the feature value here can be communication traffic between a plurality of computers.

Here, about each said operation step, this may be programmed so that execution is possible with a computer, and you may make it carry out these to the computers 11-1n which perform each said step directly.
By this operation, this embodiment has the following effects.

  In the present embodiment, since the communication traffic observed at the time t by the n computers 11 to 1n constituting the computer network 1 is a processing target, it is indicated that the abnormality score S (t) is high. This corresponds to the fact that the way of traffic bias is different from normal. Since this state is caused by the occurrence of an overall abnormality such as the spread of worms or the occurrence of overall communication congestion, the abnormality of the entire computer network can be detected by monitoring the abnormality score.

  For a system such as a network in which elements are correlated with each other, it is possible to detect an abnormality in the behavior of the entire system that does not depend on the properties of specific elements. The reason is that an invariable quantity is formed with respect to element replacement from the feature quantity representing the entire system, and an abnormality is detected using that quantity as an input.

  Further, it is possible to reduce false detection when detecting an abnormality. The reason is that only the abnormality that does not depend on the property of the specific element is detected, so that the number of times that the abnormality is determined (the number of alarms) can be reduced. By detecting anomalies that do not depend on the nature of a particular element, it is possible to reduce the number of times that an anomaly is judged to be abnormal just because a particular element showed exceptional behavior, even though it is not actually anomaly. Can lead to a reduction in false alarms.

  Furthermore, abnormality detection can be performed on a system that changes with time and it is difficult to define an abnormal state. The reason is that, by learning the probability distribution of the feature quantity that is invariant to the replacement of elements, it is possible to detect a low occurrence probability as an abnormality. It is not necessary to give a definition of an abnormal state to learning a probability distribution, and it is possible to handle a system that changes with time by sequentially updating the probability distribution.

(Second Embodiment)
In the second embodiment of the present invention, the network and hardware configurations, and the rough software configuration are the same as those shown in FIGS. The second embodiment differs from the first embodiment described above in that the distribution learning processing unit 203 learns the probability density distribution with respect to the invariant temporal transition, and the learned probability density An outlier score moving average function unit 302 for calculating a second outlier score indicating how far the invariant deviates from the normal appearance pattern from the distribution, and learning the probability density for the time transition of the second outlier score And a moving average distribution learning function unit 303. The score calculation processing unit 304 calculates a first outlier score from the probability density with respect to time transition of the second outlier score.

By providing this configuration, the present embodiment can more accurately detect an abrupt change of the invariant.
Hereinafter, this will be described in more detail.

  FIG. 4 is an explanatory diagram for explaining in more detail the configuration of the abnormality detection unit 116 shown in FIG. 1 according to the second embodiment of the present invention. In this embodiment, the distribution learning processing unit 203 further includes a feature amount distribution learning function unit 301 that learns a probability density distribution with respect to an invariant temporal transition, and an invariant E (t) that normally appears from the learned probability density distribution. An outlier score moving average function unit 302 that calculates a second outlier score indicating how far the pattern deviates, a moving average distribution learning function unit 303 that learns the probability density for the time transition of the second outlier score, etc. Divided into functional parts.

  The difference of the second embodiment from the first embodiment is the operation of the distribution learning processing unit 203. In the first embodiment, the degree of abnormality score is calculated based on how far the invariant E (t) deviates from the normal pattern learned so far. In the second embodiment described below, the degree of abnormality is defined by how rapidly the invariant E (t) changes.

  Also, the operation of the score calculation processing unit 304 is slightly different from the score calculation processing unit 204 in the first embodiment as will be described later, and therefore a different reference number is given here. Since the other processing units perform the same configuration and operation as those of the first embodiment shown in FIG. 3, the names and reference numbers are all the same.

The feature amount distribution learning function unit 301 learns the probability density distribution of the time transition of E (t). Hereinafter, the probability density distribution of the time transition of E (t) is expressed as the following equation.

The outlier score moving average function unit 302 in FIG. 4 represents how much E (t) deviates from the normal appearance pattern from the probability density distribution learned by the feature amount distribution learning function unit 301 (second). An outlier score O (t) is calculated. The outlier score O (t) indicates that the larger the value, the more out of the normal appearance pattern. The outlier score O (t) is calculated as follows:

The outlier score moving average function unit 302 further calculates the moving average y (t) of the outlier score O (t) by the following equation. ω represents the size of the window. This y (t) is a quantity representing the temporal density of the outlier score.

4 learns the probability density distribution of the time transition of y (t) expressed by the following equation.

The score calculation processing unit 304 calculates the (first) outlier score S ′ (t) of the moving average y (t) obtained using the moving average distribution shown in Equation 13 by the following equation. The degree of abnormality of the entire computer network 1 is assumed.

  Each processing unit other than those described above performs the same configuration and operation as in the first embodiment shown in FIG.

  This S '(t) has a property of taking a high value when a bursty sudden change occurs. Therefore, using this S ′ (t) as an outlier score is equivalent to considering a sudden change in E (t) as an abnormality of the entire system.

(Overall operation of the second embodiment)
Next, the overall operation of the above embodiment will be described. The operation according to the present embodiment is the operation described in the first embodiment, and the step of the distribution learning processing unit 203 sequentially obtaining the invariant probability density learns the probability density distribution with respect to the invariant time transition. A step of calculating a second outlier score O (t) indicating how far the invariant deviates from the normal appearance pattern from the learned probability density distribution, and a second outlier score O (t The score calculation processing unit 304 calculates a first outlier score S ′ (t) from the probability density for the time transition of the second outlier score.

Here, about each said operation step, this may be programmed so that execution is possible with a computer, and you may make it carry out these to the computers 11-1n which perform each said step directly.
By this operation, this embodiment has the following effects.

  In addition to the features of the first embodiment, the second embodiment can obtain an effect that a sudden change in E (t) can be detected more accurately than in the first embodiment.

(Extended embodiment)
In the first and second embodiments described above, detection of anomalies caused by the occurrence and spread of worms and viruses, etc., using communication traffic between computers connected to each other via a computer network as a feature amount It was. However, the applicable range of the present invention is not limited thereto. In a system in which a large number of nodes are connected to each other, an amount indicating the relationship between these nodes can be regarded as the “feature amount (of the entire network)” here.

  For example, consider an example of a machine fault diagnosis. One part of a machine (engine, transmission, etc. for a car) is one node, and the strength of the correlation between the outputs of that part (engine output and other for a car) (Correlation coefficient between the voltages of the parts) can be regarded as a “feature amount”. If the method of the present invention is applied here, it is determined that there is an abnormality when the behavior between these parts begins to be different from the normal one, so that it can be used for failure diagnosis of the machine.

  Considering an example of the analysis of the state of the international economy, one country can be regarded as one node, and the strength of the correlation between the economic indicators (stock price index, exchange rate, etc.) of each country can be regarded as a “feature”. If the method of the present invention is applied here, it is determined that an abnormality occurs when the relationship between the stock price indexes starts to be different from the normal one, so that it can be used to detect an abnormality in the economic state.

  The present invention has been described with reference to the specific embodiments shown in the drawings. However, the present invention is not limited to the embodiments shown in the drawings, and any known hitherto provided that the effects of the present invention are achieved. Even if it is a structure, it is employable.

  It can be applied to the detection of communication traffic anomalies caused by malicious programs such as worms, viruses, and malware in computer networks. In addition to this, as described above, the present invention can be applied to a system in which a large number of nodes are connected to each other, and an amount indicating the relationship between the nodes can be regarded as a feature amount.

It is explanatory drawing which shows the structure inside the computer concerning the 1st Embodiment of this invention in detail. It is explanatory drawing shown about the computer network which concerns on the 1st Embodiment of this invention. It is explanatory drawing explaining in more detail the structure of the abnormality detection part shown in FIG. It is explanatory drawing explaining in detail the structure of the abnormality detection part shown in FIG. 1 in the 2nd Embodiment of this invention.

Explanation of symbols

1 Computer network 11, 12 Computer 111, 121 CPU
112, 122 RAM
113, 123 HDD
114, 124 Network adapter 115, 125 Traffic acquisition unit 116 Anomaly detection unit 201 Data input processing unit 202 Invariant calculation processing unit 203 Distribution learning processing unit 204, 304 Score calculation processing unit 205 Anomaly detection processing unit 301 Feature quantity distribution learning function unit 302 Outlier Score Moving Average Function Unit 303 Moving Average Distribution Learning Function Unit

Claims (13)

A computer network in which a plurality of computers are connected to each other,
At least one of the plurality of computers includes a first feature amount acquisition unit that detects a feature amount such as communication traffic of the entire network, and an abnormality detection unit that performs calculation related to abnormality detection from the feature amount. An abnormality detection device having
All other computers that are not the abnormality detection device among the plurality of computers have a second feature amount acquisition unit that detects the feature amount and transfers it to the abnormality detection unit,
The anomaly detection unit of the anomaly detection device includes a data input processing unit that creates input data using the feature quantities acquired by the first and second feature quantity acquisition units as a matrix or a tensor, and among the input data A computer comprising: an invariant calculation processing unit that calculates an invariant that is an invariant even when elements are replaced; and an abnormality detection unit that detects whether an abnormality has occurred based on the invariant. network.   A distribution learning processing unit that sequentially obtains the invariant probability density; and a score calculation processing unit that calculates a first outlier score representing the invariant abnormality degree using the probability density. The computer network according to claim 1, further comprising: an abnormality detection processing unit that detects whether an abnormality has occurred using the first outlier score. The distribution learning processing unit learns the probability density distribution with respect to the time transition of the invariant, and how much the invariant deviates from the normal appearance pattern from the learned probability density distribution. An outlier score moving average function unit that calculates a second outlier score indicating a moving average distribution learning function unit that learns a probability density for a time transition of the second outlier score,
The computer network according to claim 2, wherein the score calculation processing unit calculates the first outlier score from a probability density with respect to time transition of the second outlier score.   The first and second feature amount acquisition units are traffic acquisition units that acquire communication traffic between the plurality of computers as the feature amount and transfer it to the abnormality detection unit, The computer network according to any one of claims 1 to 3. An anomaly detection device comprising a computer connected to a computer network,
A data input processing unit for creating input data as a matrix or a tensor with feature quantities such as communication traffic acquired by other computers connected to the computer network; and
An invariant calculation processing unit that calculates an invariant that is an invariant even if elements are replaced in the input data;
An abnormality detection device comprising: an abnormality detection means for detecting whether an abnormality has occurred based on the invariant. The abnormality detection means is
A distribution learning processing unit for sequentially obtaining the invariant probability density;
A score calculation processing unit that calculates a first outlier score representing the degree of abnormality of the invariant using the probability density;
The abnormality detection device according to claim 5, further comprising: an abnormality detection processing unit that detects whether an abnormality has occurred using the first outlier score. The distribution learning processing unit learns the probability density distribution with respect to the time transition of the invariant, and how much the invariant deviates from the normal appearance pattern from the learned probability density distribution. An outlier score moving average function unit that calculates a second outlier score indicating a moving average distribution learning function unit that learns a probability density for a time transition of the second outlier score,
The abnormality detection apparatus according to claim 6, wherein the score calculation processing unit calculates the first outlier score from a probability density with respect to time transition of the second outlier score.   The abnormality detection device according to claim 5, wherein the feature amount is communication traffic between the plurality of computers in the computer network. In a computer network in which a plurality of computers are connected to each other, a method for detecting an abnormality that has occurred in a computer connected to the computer network,
A feature amount acquisition unit of a computer connected to the computer network acquires a feature amount such as communication traffic,
The feature amount acquisition unit transfers the acquired feature amount to an abnormality detection device connected to the computer network,
The data input processing unit of the abnormality detection device creates input data as a matrix or tensor from the transferred feature quantity,
The invariant calculation processing unit of the abnormality detection device calculates an invariant that is an invariant even if elements are replaced in the input data,
An abnormality detection method, wherein the abnormality detection means of the abnormality detection device detects whether an abnormality has occurred based on the invariant. The procedure for detecting whether or not an abnormality has occurred based on the invariant by the anomaly detection means is a procedure for the distribution learning processing unit of the anomaly detection device to sequentially obtain the probability density of the invariant, The score calculation processing unit of the abnormality detection device provides a procedure for calculating a first outlier score representing the degree of abnormality of the invariant using the probability density,
The abnormality detection method according to claim 9, wherein the abnormality detection processing unit of the abnormality detection device detects whether or not an abnormality has occurred using the first outlier score. The distribution learning processing unit sequentially obtains the invariant probability density, the procedure for learning the probability density distribution with respect to the time transition of the invariant, and the invariant from the learned probability density distribution. Providing a step of calculating a second outlier score indicating how far the appearance pattern deviates, and a procedure for learning a probability density for a time transition of the second outlier score;
11. The abnormality detection method according to claim 10, wherein the score calculation processing unit calculates the first outlier score from the probability density with respect to time transition of the second outlier score.   The abnormality detection method according to claim 9, wherein the feature amount is communication traffic between the plurality of computers. In the computer provided in the abnormality detection device connected to the computer network,
A procedure for creating input data as a matrix or tensor from features such as communication traffic acquired by a computer connected to the computer network;
A procedure for calculating an invariant which is an invariant even if elements are replaced in the input data;
And a procedure for detecting whether an abnormality has occurred based on the invariant.

Images