JP2017004097A - Information analysis system and information analysis method - Google Patents

Abstract

The present invention provides a system and a method that make it possible to use analysis results even in important decision making by presenting information that is strongly related to a search query together with its basis. Structured information that defines a receiving unit that receives input of information to be analyzed and an information type, a node that is one information and other information, and an edge that indicates a relationship between the nodes. Clustering the relation information generation unit to be generated, the origin information search unit for extracting and outputting the information including the analysis type received by the reception unit from the structured information as the start node, and the graph structure represented by the extracted information The class reachability analysis unit that extracts the subgraph structure including the starting node and the extraction target node that becomes the end point of the starting node corresponding to the analysis type are searched from the subgraph structure, and the starting node and the extracting target node A connectivity analysis unit that outputs an extraction target node having the largest number of independent paths to the node as a node most related to the origin node. [Selection] Figure 1

Description

  The present invention relates to an information analysis system and an information analysis method for analyzing information.

  In recent years, an organization's IT system has become complicated and includes a large variety of devices and applications. Therefore, when something abnormal occurs, it is difficult to investigate and grasp what the abnormality is, and it takes a long time. In addition, the above-mentioned abnormality means that the system physically fails during operation, the application is stopped due to a mounting failure, or the failure occurs due to an external attack aimed at the organization. means.

In particular, in recent years, the outsourcing of operation and security operations for organizational systems and commercial systems has progressed, and the contractor needs to respond to abnormalities in a huge and diverse system. The need for cost increases. Anomalies can often be handled efficiently by using accumulated know-how such as past similar cases. In other words, it is possible to improve efficiency by utilizing a technique for finding an appropriate similar case from a huge amount of logs, reports, and public information. However, logs and reports are in various forms depending on the information source, and abnormalities that occur are triggered by various information each time, so there is a problem that it is difficult to find similar cases by simple search .
The above simple search refers to a search in which information is divided and held in advance for each specific key, and the keys are matched and analyzed.

  As a technique for solving the problems described above, there is a technique described in Patent Document 1. In this technology, information is held as a graph structure, the initial value specified for the node that is the starting point of the search condition is set and propagated while decreasing at a constant rate, and the node set that finally exceeds the threshold is searched There has been disclosed a method of efficiently obtaining information that cannot be easily reached in an existing search by outputting as a result.

JP 2010-191902 A

  According to Patent Document 1, since the relationship between information can be clustered while maintaining the relationship between information as a graph structure, information that has some relationship with the search target information can be used without being aware of the relationship before the search. Compared with existing search methods, there is an advantage that information accumulated so far can be used effectively.

  However, when considering application to case analysis of operational operations and security operations, for example, when investigating past similar reports for suspected malignant communications, if the search results are incorrect, normal communications are mistakenly performed. There is a risk of blocking.

  When making such an important decision that can adversely affect the operation of the system, it is necessary for the decision maker of the countermeasure to make a responsible decision based on the search result. As information necessary for this, the information presented as the search result is also important, but in addition to that, refer to the search result information about why the search result is related to the search target. Evidence information is indispensable until it is adopted as information.

  Here, it is possible to make a judgment with the above-mentioned responsibility. Specifically, for a third party who does not have knowledge about the search logic of the search system, the decision maker of the countermeasure is It is possible to explain whether the judgment has been made.

  Similarly, if the decision maker of the countermeasure does not understand why the search result is related to the search target, if multiple different information is output as the search result as a related case or countermeasure, There is also a problem that it is impossible to determine which information should be used.

  In the prior art, there is no special description about the above-described problem, and therefore, it is not possible for the prior art system to use information retrieved unintentionally by an operator as a material for judgment with responsibility. difficult.

  The present invention has been made in view of the problems to be solved. By presenting information that is strongly related to the search query together with the basis thereof to the user, the search result can be used even in an important decision making. With the goal.

  In order to solve the above problems, for example, the configuration described in the claims is adopted.

  The present application includes a plurality of means for solving the above-described problems. To give an example, the application includes a receiving unit that receives input of information to be analyzed and an analysis type indicating the type of the information, and an information source. Based on the relationship analysis information indicating the relationship between one information and other information among a plurality of pieces of information, the node that is the one information and the other information in the graph structure and the relationship between the nodes are indicated. A relation information generation unit that generates structured information that defines an edge; and a starting point that extracts information including the analysis type received by the receiving unit from the structured information and outputs the extracted information as a starting node An information search unit, a classification reachability analysis unit that clusters the graph structure represented by the extracted information and extracts a subgraph structure including the origin node, and a pre-corresponding analysis type The extraction target node serving as the end point of the start node is searched from the subgraph structure, the number of independent paths between the start node and the extraction target node is calculated, and the extraction having the largest number of independent paths And an connectivity analysis unit that outputs the target node as the node most closely related to the origin node.

  Moreover, this invention is grasped | ascertained also as an information analysis method performed with the said information analysis system.

  According to the present invention, when information is analyzed, it is possible to present information having a strong relationship with the analysis query to the user together with the basis. This makes it possible to determine whether the information of the analysis result is used by the user after consenting or not, so the analysis result can be used even in situations where important decisions involving risks are made. It becomes like this.

It is an example of the block diagram of the system to which this invention is applied. It is a figure which shows the example of a structure of a computer. It is an example of structured information. It is an example of relationship analysis logic. It is an example of branch weight information. It is an example of extraction object designation | designated information. It is an example of output generation logic. It is an example of the process which forms structured information. It is an example of the process which analyzes structured information. It is an example showing the structure of structured information. It is a processing example of classification and reachability analysis. It is an example showing a reachability analysis result. It is an example showing a connectivity analysis. It is a display example of a result.

  Hereinafter, examples will be described with reference to the drawings.

  FIG. 1 is an example of a configuration diagram of an information analysis system to which the technology of the present application is applied.

  The information analysis system 1000 is a system to which the information analysis system and the information analysis method according to the present invention are applied. The information analysis system 1000 acquires various types of information from the information source 1100, analyzes the relationship, and holds the information in the structured information 1051. In addition, the system analyzes the accumulated information based on the analysis request from the analysis requester 1200 and returns the result. Details of each process will be described later.

  Both the information acquisition unit 1001 and the relationship information generation unit 1002 are functions used in the formation process of structured information shown in FIG.

  The information acquisition unit 1001 is a function used in the formation process of structured information described later in FIG. 8, and is a function of acquiring various types of information from the information source 1100 and inputting the information to the relationship information generation unit 1002.

  When information is mechanically acquired from the information source 1100, an API (Application Programming Interface) for each information source 1100 is provided.

  At that time, the format of the information to be acquired must be one of the types defined in the input information type 4001 of the relationship analysis logic 1052 described later.

  When the information source 1100 is manually input by an operator of this system, the information acquisition unit 1001 needs to include a UI (User Interface) for manual input. The UI may be a mechanism for inputting any of the types defined by the input information type 4001 of the relationship analysis logic 1052 or a mechanism for directly editing the structured information 1051 described later. There may be.

  By accepting manual input as the information source 1100, for example, the specific information that has already been input as in the case where “alert A mentioned before was actually related to malware B later” The relationship between specific information and other specific information can be explicitly edited. As a result, when performing the analysis process described later, the information analyzed mechanically and the information that can be determined by human judgment can be combined. It becomes like this.

  The information source 1100 is not limited to any one of the information sources 1100 described above, and a plurality of types of devices, WEB sites, and the like are used as the information source 1100, and a plurality of information acquisition units 1001 are also held in accordance with each. be able to.

  The relationship information generation unit 1002 is a function for extracting information received from the information acquisition unit 1001 and the relationship between the information using the relationship analysis logic 1052, and the extraction result is structured information. It stores in 1051. Details of the processing will be described later.

  The six functions of the analysis reception / response interface 1003, the origin information search unit 1004, the branch importance determination unit 1005, the classification / reachability analysis unit 1006, the connectivity analysis unit 1007, and the output generation unit 1008 are all described later with reference to FIG. This is a function used in the structured information analysis process shown in FIG.

  The analysis reception / response interface 1003 is an interface for receiving information to be analyzed and an analysis type from an analysis requester 1200 to be described later, and returning a result of an analysis process to be described later to the analysis requester 1200 described above.

  The starting point information search unit 1004 searches the structured information 1051 for information to be analyzed with respect to the analysis target information received from the analysis requester 1200 via the analysis reception / response interface 1003, and sets it as starting point information that is a starting point node. It is a function to return. Details of the processing will be described later.

  The branch importance determination unit 1005 weights each branch by comparing the analysis type information input by the analysis requester 1200 with the branch weight information 1054 as preprocessing of the classification / reachability analysis unit 1006. It is processing.

  This process is not necessarily a process necessary for implementing the classification / reachability analysis unit 1006. That is, when this processing is not performed, it is possible to always process all branches with a weight of 1 regardless of the type of analysis.

  However, by performing this process, it is possible to attach importance to the information of a specific type and the relationship of a specific type for each analysis type, or conversely, to neglect the existence of a relationship of a specific type. Thus, there is an effect that the accuracy of analysis can be improved.

  First, the classification / reachability analysis unit 1006 performs clustering in consideration of the weight of the branch in the structure of information, and uses the origin information that is the result of the origin information search unit 1004 and the extraction target node that can be reached from the origin information. A cluster including certain extraction target information is extracted. Furthermore, this is a function for extracting only clusters that include one or more analysis types included in the extraction target designation information 1053 from the extracted clusters. Although details of the processing will be described later, as a result of this processing, it is possible to acquire a list of highly relevant information according to the analysis type.

  The connectivity analysis unit 1007 is a particularly characteristic function in the present embodiment, and calculates the number of independent paths from the origin information to each extraction target information by using the result of the classification / reachability analysis unit 1006 as an input. It is processing. Details will be described later.

  The output generation unit 1008 is a process of generating an output to be finally returned to the analysis requester 1200 via the analysis reception / response interface 1003 using the result of the connectivity analysis unit 1007 and the output generation logic 1055. . Details will be described later.

  The structured information 1051 is information to be analyzed by the information analysis system 1000. Details of the information to be held will be described later with reference to FIG.

  The relationship analysis logic 1052 is information used by the relationship information generation unit 1002. Details of the information to be held will be described later with reference to FIG.

  The extraction target designation information 1053 is information used by the classification / reachability analysis unit 1006. Details of the information to be held will be described later with reference to FIG.

  The branch weight information 1054 is information used by the branch importance degree determination unit 1005. Details of the information to be held will be described later with reference to FIG.

  The output generation logic 1055 is information used by the output generation unit 1008. Details of the information to be held will be described later with reference to FIG.

  An information source 1100 is an information source used when acquiring information handled by the system. For example, the information source 1100 is a network device, a server device, or a security device, and passes logs and alerts to the information acquisition unit 1001 as information. For example, the information source 1100 is information input by an operator of the system. The information source 1100 manually input via the input interface is delivered to the information acquisition unit 1001. The information source 1100 is not limited to any one of the above, and may be a plurality of information sources obtained by combining them.

  The analysis requester 1200 is a user of the information analysis system 1000, and inputs information to be analyzed and a desired analysis type to the system via the analysis reception / response interface 1003. Received via the response interface 1003.

  FIG. 2 is a diagram illustrating the configuration of each component in FIG.

  These devices 2000 include a CPU 2001, a memory 2002, a communication device 2004 for communicating with other devices via the Internet and a LAN, an input device 2005 such as a keyboard and a mouse, and an output device such as a monitor and a printer. 2006, a reading device 2007, and an external storage device 2003 such as a hard disk are connected via an interface 2008. In addition, a portable storage medium 2009 such as an IC card or a USB memory can be connected to the reading device 2007.

  The apparatus and apparatus for realizing the information analysis system 1000 in the present embodiment are realized by loading a program for realizing these functions onto the memory 2002 and executing it by the CPU 2001. These programs may be stored in advance in the external storage device 2003 of the device 2000, or other programs may be stored via the reading device 2007, the communication device 2004, and a medium that can be used by the device 2000 when necessary. May be introduced into the external storage device.

  The medium that can be used by the device 2000 refers to, for example, a storage medium 2009 that can be attached to and detached from the reading device 2007, a network 2010 that can be connected to the communication device 2004, or a carrier wave or a digital signal that propagates through the network 2010. The program may be stored once in the external storage device 2003 and then loaded into the memory 2002 and executed by the CPU 2001. Alternatively, the program may be directly stored in the memory 2002 without being stored in the external storage device 2003. It may be loaded and executed by the CPU 2001.

  FIG. 3 is a diagram showing an example of structured information 1051 held by the information analysis system 1000.

  As the structured information 1051, this system is large and needs to hold two types of information: accumulated information 3000 and relationship information 3100.

  The stored information 3000 is information stored in the system itself. In this embodiment, specifically, for example, as shown in the figure, information of three categories of an id 3001, a type 3002, and a content 3003 is set. And hold.

  The id 3001 is an ID (Identifier) for uniquely identifying each piece of information, and is not indispensable, but it is possible to simply describe the process by holding it.

  The type 3002 is information for identifying what category the individual information of the node belongs to. In this embodiment, the extraction designation information 1053, the branch weight information 1054, the output generation logic 1055, By using in combination, the analysis accuracy can be improved, and additional information can be added to the output information. Details will be described later.

  As the type 3002, one information can hold only one type, and one or more types may be held simultaneously. In that case, processing can be performed without any problem by rereading the condition of “when the types match” in the processing described later as “when any of the types matches”.

  Further, the types that can be specified as the type 3002 are not limited to those illustrated, and any type can be appropriately specified when inputting information. That is, even if a type has never appeared before, a new type may be added without performing other processing. However, new types may be arbitrarily added as appropriate. However, in order to maintain the accuracy of the analysis processing of the present embodiment, the same type name needs to be specified for information of the same type. That is, if the content represents an employee's name, etc., they should contain at least one common type, such as “employee”.

  The content 3003 can hold an entity that is the content of the information. In the present embodiment, the content of information is expressed by holding an arbitrary key-value, but the present invention is not limited to the key-value method.

  As an example of the accumulated information 3000, for example, the first line indicates that information “file name“ hoge.exe ”” is registered with ID0001 and type file. The same applies to the other lines.

  The relationship information 3100 holds the relationship between the pieces of information of the accumulated information 3000. In this embodiment, for example, id 3101, from-id 3102, to-id 3103, and type 3104 are held.

  The id 3001 is an ID for uniquely identifying each relationship that an edge indicating a path between nodes has, and although it is not indispensable, it is possible to simply describe the process by holding it.

  From-id 3102, to-id 3103, and type 3104 are information that an edge indicates which information in accumulated information 3000 is related to which information. Specifically, the from-id 3102 is the ID of the node that is the starting point of the edge, and the to-id 3103 is the ID of the node that is the ending point of the edge. The type 3104 is information for identifying what category the relationship of the edge is.

  As an example of the relationship information 3100, for example, id “r0001” in the first row is information represented by “id“ 0006 ”, and mw (Malware) of the hash value“ abcde1234 ”is represented by id“ 0001 ”. This means that a file with the name “hoge.exe” is generated ”. The same applies to the other lines.

  In this embodiment, the relationship is given directionality as the from-id 3102 and to-id 3103, but the directionality may not be handled and the non-directional relationship may be maintained.

  FIG. 4 is a diagram illustrating an example of the relationship analysis logic 1052 held by the information analysis system 1000.

  The relationship analysis logic 1052 holds in advance information defining a logic for mechanically analyzing information acquired from the information source 1100 and holding it in the structured information 1051.

  Specifically, this embodiment is realized by holding an input information type 4001 that defines the type of information acquired from the information source 1100 and its analysis logic 4002.

  For example, in the first line, the web page acquired from the website “hoge.security.com” can be extracted as the accumulated information 3000 and its relationship information 3100 by processing the XPath described in the first line. Means.

  FIG. 5 is a diagram showing an example of branch weight information 1054 held by the information analysis system 1000.

  The branch weight information 1054 is information for prescribing the importance of the relationship such as which type of information and which type of relationship is important or neglected according to the analysis type designated by the analysis requester 1200. It is.

  Specifically, in this embodiment, an analysis type 5001, a category 5002, a node or edge 5003, and a weight 5004 are held.

  The analysis type 5001 is one of analysis types that the analysis requester 1200 can request from the system.

  The category 5002 indicates any value of the type 3002 of the accumulated information 3000 (that is, the type of node) or the type 3104 of the relationship information (that is, the type of edge), or “(other)” that represents an arbitrary relationship. It is.

  The node or edge 5003 holds information “node” meaning that the category 5002 is a value of the type 3002, and conversely “edge” meaning that when the category 5002 is the type 3104. When the category 5002 is “(Other)”, both “edge” and node can be included, and “−” is held.

  The weight 5004 is an index of how much importance is given to the relationship, 1 being the most important, 0 means that no relationship exists in the analysis.

  For example, when analyzing the “cause”, the relationship of the type “communication” is set to weight 1, while for example, all the relationships coming out from the node of the type “analyst” are almost considered as weight 0.1. It means you can't enter.

  FIG. 6 is a diagram showing an example of the extraction target designation information 1053 held by the information analysis system 1000.

  The extraction target designation information 1053 is information that defines a category of information to be output in advance as a result of analysis.

  Specifically, in this embodiment, an analysis type 6001 and an extraction target category 6002 are held.

  For example, in this example, when the “cause” type is analyzed, the final result is that information in the “malware” category or the “vulnerability” category is output.

  FIG. 7 is a diagram illustrating an example of the output generation logic 1055 held by the information analysis system 1000.

  The output generation logic is a logic that defines what information is displayed when the analysis result is finally displayed to the analysis requester.

  In this embodiment, the information type 7001 and the additional information content 7002 displayed together with the information of the type are displayed, and the reason why the information of the type is extracted as an analysis result is displayed as a sentence. The documenting logic 7003 is held.

  For example, in this example, the “measure” type information indicates that the download link of the measure information is displayed together with the result, and the documenting logic may be a standard process.

  In this embodiment, the standard grammatical logic is the order of the subject, the object, and the predicate as “<information of from-id 3102> makes <information of to-id 3103> <3104 type>”. Represents the process of connecting with.

  As the documenting logic, an exceptional documenting method may be designated as in the “employee” type exemplified. In this example, when the relationship type is “communication history” or “holding”, it indicates that the word “terminal” is added after <from-id 3102 information>.

  Hereinafter, the basic processing flow of the present analysis system will be exemplified with reference to FIGS. 8 to 9, and how the structured information is processed will be described with reference to FIGS. 10 to 13.

  FIG. 8 is an example of a flow showing processing for forming the structured information shown in FIG.

  First, in process 8001, the information acquisition unit 1001 acquires information from the information source 1100. At that time, the information acquisition unit 1001 stores what type of information it has acquired.

  Note that the information type is one specified by the input information type 4001 of the relationship analysis logic 1052.

  Further, when the information source 1100 is manually input, the structured information 1051 may be edited directly as described in the description of FIG.

  Next, in process 8002, the relationship information generation unit 1002 analyzes the information acquired in process 8001 according to the analysis logic 4002 of the relationship logic 1052.

  Finally, in process 8003, the relationship information generation unit 1002 stores the analysis result of process 8002 as accumulated information 3000 and relationship information 3100.

  FIG. 10 shows an example of structured information 1051 formed in this way expressed as a graph structure.

  For example, 10001 and 10003 represent the information of id “0001” and the information of id “0006” in the first row in the example of the accumulated information 3000, and the edge 10002 between the two nodes represents the relationship information. The relationship of id “r0001” in the first row in the example of 3100 is shown. The same applies to other nodes and edges. Further, a gray region surrounded by a broken line as represented by 10004 indicates that similar graph structures are connected.

  FIG. 9 shows an example of a processing flow for analyzing information according to the analysis conditions and analysis type received from the analysis requester 1200 using the structured information 1051 formed by the processing shown in FIG.

  First, in process 9001, the information analysis system 1000 receives information to be analyzed and an analysis type from the analysis requester 1200 via the analysis reception / response interface 1003.

  In this embodiment, the information to be analyzed is specifically a character string, and may be, for example, a host name or an IP address described in an alert when an alert is raised from some security device. Alternatively, the hash value of a suspicious file may be used.

  The analysis type specifies what the analysis requester 1200 wants to know and needs to match one of the analysis types 5001 of the branch weight information 1054.

  Next, in the process 9002, the starting point information search unit 1004 searches the accumulated information 3000 that holds the contents that match the character string to be analyzed received in the process 9001, and returns the result as starting point information.

  Matching means that character strings are matched or partially matched in this embodiment. If there are multiple matches, all of them are returned. In this embodiment, an example in which the analysis target matches one of the communication destinations is represented as a double line node 11002 in FIG.

  Next, in process 9003, the branch importance level determination unit 1005 compares the analysis type acquired in process 9001 with the branch weight information 1054, and sets the importance level for each branch.

  In the present embodiment, when the analysis type is “cause”, for example, a relationship having an importance of 0.1 or less is assumed to have almost no relationship, and a broken line arrow like 11001 in FIG. Represents.

  Next, in process 9004, the classification / reachability analysis unit 1006 clusters the graphs in consideration of the branch weight set in process 9003. There are many known methods for clustering graph information, but one of the most suitable methods in this embodiment is a method called community classification.

  More specifically, community classification expresses the graph structure in a matrix form called graph Laplacian (or Laplacian matrix), and calculates its eigenvalue (or eigenvalue close to zero) and the eigenvector corresponding to that eigenvalue. Ask. Finally, the inverse graph of the mapping from the graph structure to the graph Laplacian is used to divide the graph into several subgraphs by pulling back the eigenvectors to the graph node set. Each subgraph obtained as a result of this division is divided well so that the weight of the branch is large in the entire graph, and the portion where such a branch is densely left preferentially remains. It is known that

  In this process, the classification / reachability analysis unit 1006 extracts a subgraph including a node as starting point information from the subgraph of the classification result, and returns it as a processing result. A dividing line of the entire graph as a result of community classification in the present embodiment is shown by a double line as shown by 11003 in FIG. That is, the result of this processing includes 11002 which is the starting point information in the partial graph, that is, a graph as shown in FIG. 12 is returned as a result. When there are a plurality of starting point information, a partial graph is returned for each starting point information.

  Next, in the process 9005, the connectivity analysis unit 1007 refers to the extraction target designation information 1053 for the partial graph of the result of the process 9004 (if there are a plurality of results), and the analysis type 6001 is the process 90001. All stored information 3000 (that is, nodes) matching the type specified in the extraction target category 6002 in the line that matches the acquired one is searched. By performing this process, the extraction target information that becomes the end point with respect to the starting point information is known. As the extraction target information, only the extraction target information belonging to the category corresponding to the analysis type input in the process 9001 is searched and finally output by the output generation unit 1008. In the present embodiment, two mw type nodes painted in gray as indicated by 12001 in FIG. 12 are examples of the result.

  With the processing so far, it is possible to acquire a list of information that can be regarded as strongly related, with the analysis target information as an input. The present embodiment is characterized by analyzing the basis of such information, and specifically, it is performed by the following processing.

  Further, in the process 9005, the connectivity analysis unit 1007 determines the edge direction for each piece of extraction target information (nodes painted in gray in FIG. 12) from the starting point information (nodes in the 20th frame in FIG. 12). , And calculate how many independent paths exist.

  Here, two paths from one node to another node are independent, meaning that the two paths do not share any edge in the middle.

  For example, in the graph shown in FIG. 13 (13-a), the path from the node a to the node d always has the same edge bc, so there is only one independent path.

  On the other hand, in the graph shown in FIG. 13 (13-b), there is no common path, and independent paths from the node a to the node g are abdg, adeg, a -F-g.

  In the present embodiment, the number of independent paths means how many kinds of peripheral information that do not depend on each other indicates target information as related information, that is, the number of situation evidences. Can be caught.

  On the other hand, as shown in FIG. 13 (13-a), if there are many paths, but there are few independent paths, the relationship depends on only a small number of pieces of information. Will break the relationship at once. Therefore, as the number of common paths as described above decreases or as the number of independent paths as described above increases, the basis is more complete, so that information can be grasped from various aspects, and the situation becomes stronger and more useful.

  That is, in summary, the process 9005 calculates the number of independent paths from the origin information to each piece of extraction target information, sets the target information nodes having many independent paths as more grounded information, and sets each independent path as status evidence. Return processing.

  In the present embodiment, mw type information with one independent path as shown in FIG. 13 (13-c) and mw type information with two independent paths as shown in FIG. 13 (13-d). The latter is returned as more justified information because it exists. Further, as a more effective process of the process 9005, if it is an independent path and the types of edges constituting each path are different, it may be determined as a stronger situation proof.

  Finally, in process 9006, the output generation unit 1008 refers to the output generation logic 1055 and generates additional information specified by the additional information display content 7002 according to the information type 7001 returned as a response. Also, it is possible to document the basis and notify the analysis requester 1200 using the documenting logic 7003 that documents the extraction basis based on the graph structure.

  A display example of the output result of this embodiment will be described with reference to FIG. Reference numeral 14001 denotes an analysis target input by the analysis requester 1200. FIG. 14 illustrates that the character string “example.com” described in the file “hoge.exe” is an analysis target. Reference numeral 14002 denotes an analysis type input by the analysis requester 1200. FIG. 14 shows that “Cause” is input as the analysis type. 14003 is the total number of extraction target information returned as a result of the process 9005 as an analysis result. FIG. 14 shows that two analysis results (13-c and 13-d in FIG. 13) were obtained.

  A function 14004 designates in which order the analysis results are displayed. According to the present embodiment, the more independent paths, the more important. Therefore, it is desirable to display such information preferentially from such extraction target information, but it is also possible to change the time series in which information is registered It is. FIG. 14 shows that the analysis results are displayed in descending order, which is the order in which the situation evidence is large. 14005 indicates that the information displayed below it is MW0007 information. Reference numeral 14006 illustrates an independent path between the communication destination 0012 serving as starting point information and the MW 0007 serving as extraction target information. Based on this information, the analysis requester 1200 can understand based on what kind of relationship the information is extracted. Further, for example, by selecting each piece of information in 14006, an additional operation such as dynamically generating and displaying additional information according to the information type is also possible.

  Reference numeral 14007 indicates the reason why the information is extracted, and indicates the reason why the starting point information is selected and the reason why the basis is the strongest among the extraction target information. The specific grounds can be explained as they are by writing the graph structure as shown in 14008 and 14009. For example, as the situation 1, the MW 0007 indicates that the communication is performed with the communication destination 0012. 14010 is information that is additionally presented to the extraction target information and can be presented together with information that is normally required, such as whether it can be detected by anti-virus software in the case of MW type. It is. 14011 is a page numberer for switching the analysis result to be displayed.

  With the configuration exemplified above, the above-described effects of the present application can be obtained.

1000 Information analysis system 1001 Information acquisition unit 1002 Relation information generation unit 1003 Analysis reception / response interface 1004 Origin information search unit 1005 Branch importance level determination unit 1006 Classification / reachability analysis unit 1007 Connectivity analysis unit 1008 Output generation unit 1051 Structured Information 1052 Relation analysis logic 1053 Extraction target designation information 1054 Branch weight information 1055 Output generation logic 1100 Information source 1200 Analysis requester 2000 Hardware component of each component.

Claims (8)

A reception unit that receives input of information to be analyzed and an analysis type indicating the type of the information;
Based on the relationship analysis information indicating the relationship between one piece of information and other pieces of information included in the information source, the one piece of information in the graph structure and the node that is the other piece of information, and between the nodes A relationship information generating unit that generates structured information that defines edges indicating the relationship between
Extracting the information including the analysis type received by the receiving unit from the structured information, and outputting the extracted information as a starting node;
A class reachability analyzer that clusters the graph structure represented by the extracted information and extracts the subgraph structure including the origin node;
The extraction target node that is the end point of the starting node corresponding to the analysis type is searched from the subgraph structure, the number of independent paths between the starting node and the extracting target node is calculated, and the independent path A connectivity analyzer that outputs the extraction target node having the largest number of nodes as the node having the most relationship with the origin node;
An information analysis system comprising: The class reachability analysis unit clusters the graph structure based on weight information indicating the importance of a relationship between the predetermined node type or the edge type and the analysis type. Extract the graph structure,
The information analysis system according to claim 1. The connectivity analysis unit outputs the node as a stronger situation proof as the number of independent paths is larger or the common path between the origin node and the extraction target node is smaller.
The information analysis system according to claim 1. The combination analysis unit searches for the nodes belonging to the category corresponding to the analysis type based on the extraction target designation information that associates the predetermined analysis type with the output category of the node, Outputting the searched node as the node having the relationship;
The information analysis system according to claim 1. A reception step for receiving input of information to be analyzed and an analysis type indicating the type of the information;
Based on the relationship analysis information indicating the relationship between one piece of information and other pieces of information included in the information source, the one piece of information in the graph structure and the node that is the other piece of information, and between the nodes A relationship information generation step for generating structured information defining edges indicating the relationship between
Extracting the information including the analysis type received by the receiving unit from the structured information, and outputting the extracted information as a starting node;
A class reachability analysis step of clustering the graph structure represented by the extracted information to extract a subgraph structure including the origin node;
The extraction target node that is the end point of the starting node corresponding to the analysis type is searched from the subgraph structure, the number of independent paths between the starting node and the extracting target node is calculated, and the independent path A connectivity analysis step of outputting the extraction target node having the largest number of nodes as a node having the most relationship with the origin node;
An information analysis method comprising: In the class reachability analysis step, the graph structure is clustered on the basis of weight information indicating importance of a relationship between the predetermined node type or the edge type and the analysis type, Extract the graph structure,
The information analysis method according to claim 5. In the connectivity analysis step, the stronger the number of independent paths or the fewer common paths between the origin node and the extraction target node, the stronger the node is output as a situation proof.
The information analysis method according to claim 5. In the combination analysis step, based on the extraction target designation information that associates the predetermined analysis type with the output category of the node, the node belonging to the category corresponding to the analysis type is searched, Outputting the searched node as the node having the relationship;
The information analysis method according to claim 5.

Images