JP2018005818A - Abnormality detection system and abnormality detection method - Google Patents

Abstract

An anomaly detection that guarantees the authenticity of an anomaly detection result shared between a plurality of devices that communicate with each other in a P2P type is made possible. In an abnormality detection system, each device stores a block chain in which a block having a black list and authenticity information is connected, and a monitoring device 10 analyzes log data of the monitored device to monitor the monitored device. Based on the anomaly detection unit 132 for detecting the anomaly, the black list registration unit 133 for registering the anomaly detection result in the black list, the black list, and the authenticity information of the last block of the block chain, A search unit 134 for searching for corresponding authenticity information, and transmitting a block including the searched authenticity information and the black list registered by the own device to another device and combining the block with the black list. And a block chain updating unit 135 that updates the block chain in combination with [Selection] Figure 2

Description

  The present invention relates to an abnormality detection system and an abnormality detection method.

  As a method for detecting an abnormality of a device, a server client type method of acquiring a log from a device to be detected and collectively detecting the abnormality on the cloud can be considered. However, with this method, when a serious vulnerability is found in the cloud, it is necessary to take a measure such as stopping the server, which may prevent detection. Therefore, a peer-to-peer (P2P) type configuration in which a plurality of devices communicate with each other is applied to share a list (black list) of abnormality detection results between the devices, and perform mutual monitoring Is considered useful.

"Improving the detection rate of unknown threats! NTT Com strengthens SIEM engine", [online], [Search June 27, 2016], Internet <URL: http://ascii.jp/elem/000/000 / 905/905805 / ＞

  However, in the method of sharing the black list between the devices and performing monitoring mutually, there is a risk that the black list is tampered with when the black list is shared. For this reason, it is difficult to share the black list while ensuring authenticity in the method of sharing the black list between the devices and monitoring each other.

  The present invention has been made in view of the above, and an anomaly detection system and an anomaly that enable anomaly detection that guarantees the authenticity of an anomaly detection result shared between a plurality of devices that communicate with each other in the P2P type An object is to provide a detection method.

  In order to solve the above-described problems and achieve the object, an abnormality detection system according to the present invention is an abnormality detection system having a plurality of devices that communicate with each other in a peer-to-peer type, and each device detects abnormality related to the device. A storage unit that stores a list of results, together with authenticity information indicating authenticity, an anomaly detection history connected in time series with a certain detection unit, and log information indicating the operation status of the own device in time series The monitoring officer device that monitors the device includes a log acquisition unit that acquires log information of the monitored device from a monitored device that is a monitoring target of the device, and a log acquired by the log acquisition unit Analyzes information to detect whether there is an abnormality in the monitored device, and lists the monitored device identification information and information indicating the abnormal state based on the abnormality detection result of the monitored device by the abnormality detection unit Registration department to register with A search unit that searches for authenticity information corresponding to the next detection unit based on the list and the authenticity information of the detection unit at the end of the abnormality detection history, and when the search unit searches for authenticity information Transmits the detection unit including the searched authenticity information and the list registered by the own device to the other device, and combines the detected unit with the abnormality detection history stored in the other device, and the searched authenticity And an update unit that updates the abnormality detection history by combining a detection unit including information and a list registered by the device itself with the abnormality detection history.

  ADVANTAGE OF THE INVENTION According to this invention, the abnormality detection which ensured the authenticity of the abnormality detection result shared between the some apparatus which mutually detects abnormality by P2P type is enabled.

FIG. 1 is a diagram schematically illustrating an example of a configuration of an abnormality detection system according to an embodiment of the present invention. FIG. 2 is a block diagram showing a configuration of the supervisor device shown in FIG. FIG. 3 is a diagram illustrating an example of the configuration of the block chain stored in the storage unit illustrated in FIG. FIG. 4 is a diagram illustrating an example of a data structure of a black list. FIG. 5 is a diagram illustrating the determination process of the determination unit illustrated in FIG. FIG. 6 is a block diagram showing a configuration of the monitored apparatus shown in FIG. FIG. 7 is a diagram for explaining the flow of processing of the abnormality detection system shown in FIG. FIG. 8 is a diagram for explaining the flow of processing of the abnormality detection system shown in FIG. FIG. 9 is a diagram for explaining the processing flow of the abnormality detection system shown in FIG. FIG. 10 is a flowchart showing the procedure of the monitoring process performed by the supervisor combination device shown in FIG. FIG. 11 is a flowchart showing the processing procedure of the block chain update process performed by the monitored apparatus shown in FIG. FIG. 12 is a diagram illustrating an example of a computer that realizes a supervisor device and a monitored device by executing a program.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Moreover, in description of drawing, the same code | symbol is attached | subjected and shown to the same part.

[Embodiment]
Embodiments of the present invention will be described. In the embodiment of the present invention, an abnormality detection system and an abnormality detection method for mutually detecting an abnormality in the P2P type will be described. First, an outline of the abnormality detection system according to the embodiment will be described.

[Abnormality detection system configuration]
Next, the configuration of the abnormality detection system according to the embodiment will be described. FIG. 1 is a diagram schematically illustrating an example of a configuration of an abnormality detection system according to an embodiment of the present invention.

  As shown in FIG. 1, the abnormality detection system 1 has a P2P type configuration in which a plurality of devices communicate with each other. The abnormality detection system 1 has, for example, a configuration in which a plurality of supervisor devices 10 and monitored devices 20 that detect and monitor an abnormality are connected to a network 2 such as the Internet or a dedicated line.

  Each monitoring device 10 and monitored device 20 are various IoT (Internet of Things) devices and share a common protocol for data sharing when an abnormality is detected between the monitoring device 10 and the monitored device 20. Have. The monitoring device 10 and the monitored device 20 are a smart phone, a PC (Personal Computer), a PDA (Personal Digital Assistants), a server device, or the like.

  In addition, each of the supervisor device 10 and the monitored device 20 includes a black list (list) indicating an abnormality detection result regarding the monitored device 20 together with authenticity information indicating authenticity and a certain block (detection unit). The block chain (abnormality detection history) connected in time series is stored.

  The supervisor device 10 has a monitoring function for detecting an abnormality. The monitoring device 10 performs abnormality detection using log data (log information) acquired from the monitored device 20 to be monitored, and registers the abnormality detection result in the black list. Then, the supervisor device 10 searches for authenticity information to be used for the next block generation, and when the search is successful, the block including the searched authenticity information and the black list registered by the own device is changed to another block. It transmits to the monitoring device 10 and the monitored device 20. The supervisor device 10 updates the block chain to be stored by combining this block with its own block chain.

  The monitored device 20 transmits its own log data in response to a log transmission request from the supervisor device 10. Then, when the monitored device 20 registers the abnormality detection result by the monitoring device 10 in the black list and receives a block from the monitoring device 10 that has succeeded in searching for authenticity information used for the next block generation, Are updated to the block chain to be stored.

  Therefore, each supervisor device 10 and monitored device 20 of the abnormality detection system 1 share a block chain including a black list together with searched authenticity information. In other words, information and history regarding abnormality detection are managed in a distributed manner throughout the abnormality detection system 1 as a block chain together with authenticity information. Therefore, the configuration of the supervisor device 10 having a monitoring function will be described.

[Configuration of monitoring device]
FIG. 2 is a block diagram showing a configuration of the supervisor device 10 shown in FIG. As shown in FIG. 2, the supervisor device 10 includes a communication unit 11, a storage unit 12, a control unit 13, an input unit 14, and an output unit 15. Here, the supervisor device 10 having a monitoring function selects and monitors the monitored devices 20 at random by the P2P method. At this time, the supervisor device 10 may determine in advance the monitored device 20 that can be monitored by itself, and may select the monitored device 20 to be monitored this time from among them. In addition, the supervisor combination device 10 may be a monitored device 20 of another supervisor combination device 10.

  The communication unit 11 is a communication interface that transmits and receives various types of information to and from other devices connected via the network 2. When there is a log transmission request from another supervisor device 10 of the abnormality detection system 1, the communication unit 11 controls the control unit 13 (described later) and logs data 122 (described later) in the storage unit 12 (described later). (To be described later) is transmitted to the requesting supervisor device 10. In addition, when an abnormality detection process is performed in the control unit 13 (described later), the communication unit 11 controls the other monitoring combination device 10 and the monitored device 20 based on the control of the control unit 13. , Send the abnormality detection result by broadcast. In addition, the communication unit 11 receives an abnormality detection result broadcast from another supervisor device 10.

  The storage unit 12 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the supervisor device 10 or a processing program The data used during the execution of is stored. The storage unit 12 stores a block information storage unit 121 and log data (log information) 122 indicating the operation history of the supervisor device 10 in time series.

  The block information storage unit 121 stores a block chain shared between the other monitoring device 10 and the monitored device 20 of the abnormality detection system 1. This block chain will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of a configuration of a block chain stored in the storage unit 12 illustrated in FIG.

  As shown in FIG. 3, the block chain BC has a configuration in which, for example, blocks B0 to B3 are connected in time series. The block B0 is the head block, and the blocks B1 to B3 are black lists (1) to (3) indicating abnormality detection results regarding the monitored devices 20, respectively, and a hash (H (B0) to H (B2)) and a nonce.

  In the blacklists (1) to (3), each monitoring device 10 sequentially detects an abnormality detection result detected by itself or an abnormality detection result related to the monitored device 20 by another monitoring device 10 broadcasted. It is a registered one. The blacklists (1) to (3) are determined by the supervisor combination apparatus 10 that has been successfully searched (described later) among the supervisor combination apparatuses 10. For example, until the block B1 is coupled to the block chain BC, the abnormality detection result is registered in the black list (1). After the block B1 is coupled to the block chain BC, the abnormality detection result is registered in the black list (2) corresponding to the block B2, and the registration is continued until the block B2 is coupled to the block chain BC. .

  The hash is obtained by converting arbitrary data into a value having a certain short length by executing a hash function. Each block B1 to B3 includes the hash (H (B0) to H (B2)) of the previous block.

  Nonce is a key that sets the hash of the next block to a value that satisfies a certain condition set in advance, and is an arbitrary value having a certain length. For example, the Nonce of the block B2 is an arbitrary value having a certain length such that the hash (H (B2)) of the next block B3 satisfies a predetermined condition. For example, Nonce of the block B2 is a key such that the hash used for the block B3 is “a value in which a constant number of zeros continues”.

  Thus, each block includes a black list indicating a plurality of abnormality detection results, a hash of the previous block, and a nonce. For example, the block B2 includes a black list (2) indicating a plurality of abnormality detection results, a hash (H (B1)) of the previous block B1, and a nonce.

  Here, the monitoring device 10 uses, for example, a hash (H) to be used for the next block B3 from the hash value of the block B2 and the black list (2) whose authenticity is to be guaranteed in the search unit 134 (described later). A calculation process (mining) for searching for a nonce that generates (B2)) is performed. Actually, the black list, the hash value of the block immediately before the last block of the block chain BC, and the nonce are stored in the last block of the block chain BC. Therefore, as a mining, the search unit 134 (described later) generates a hash to be used for the next block from the hash value of the last block of the block chain BC and the black list whose authenticity is to be guaranteed. Is searched with brute force. In order for the supervisor device 10 to discover Nonce ahead of the other supervisor devices 10, an enormous amount of calculation is required, and this extremely large amount of calculation is the basis for the authenticity of the blockchain contents. It has become.

  In addition, the storage unit 12 does not need to store the entire block chain BC, and if the data length of the block chain BC becomes too long according to the rules, the block chain BC may be cut at an arbitrary length. .

  The control unit 13 has an internal memory for storing a program that defines various processing procedures and the necessary data, and executes various processes using these programs. For example, the control unit 13 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The control unit 13 includes a log acquisition unit 131, an abnormality detection unit 132, a black list registration unit 133 (registration unit), a search unit 134, a block chain update unit 135 (update unit), and a determination unit 136.

  The log acquisition unit 131 acquires log data of the monitored device 20 from the monitored device 20. First, the log acquisition unit 131 makes a log transmission request for monitoring to the monitored apparatus 20. As a result, the monitored device 20 transmits the log data stored in the device itself to the monitoring officer device 10 that has requested log data transmission. In addition, the log acquisition unit 131 acquires necessary information from the monitored device 20. For example, the log acquisition unit 131 acquires information on the CPU usage rate and the memory usage rate of the monitored device 20. At this time, in order for the log acquisition unit 131 to acquire more complete log data, it is desirable that the monitored apparatus 20 includes a TPM (Trusted Platform Module) or a secure hypervisor. In addition, since the supervisor device 10 may be a monitored device 20 of another supervisor device 10, it is desirable to install a TPM or a secure hypervisor in the same manner as the monitored device 20.

  The abnormality detection unit 132 analyzes the log data acquired by the log acquisition unit 131 and detects whether there is an abnormality in the monitored device 20. In this case, the abnormality detection unit 132 detects the presence or absence of abnormality using an abnormality detection algorithm such as LOF (Local Outlier Factor) which is a density-based outlier detection method. Subsequently, when the abnormality detection unit 132 detects an abnormality of the monitored device 20, the abnormality detection unit 132 broadcasts the abnormality detection result to the other monitoring device 10 and the monitored device 20 of the abnormality detection system 1. At this time, in order to enable the abnormality detection unit 132 to transmit the abnormality detection result with high integrity, and so that the black list registration unit 133 (described later) can register the abnormality detection result with high integrity to the black list. Therefore, it is desirable that the supervisor device 10 and the monitored device 20 are equipped with a TPM or a secure hypervisor.

  The black list registration unit 133 registers identification information of the monitored device 20 and information indicating an abnormal state in the black list based on the abnormality detection result of the monitored device 20 by the abnormality detection unit 132. Further, when the black list registration unit 133 receives the abnormality detection result from the other monitoring device 10, the identification information of the monitored device 20 and the information indicating the abnormal state indicated in the received abnormality detection result are displayed in the black list. sign up. Note that when the blacklist registration unit 133 detects that the monitored device 20 has returned to normal from the abnormality, the blacklist registration unit 133 performs registration to delete the abnormality of the monitored device 20 in the blacklist. As a result, for example, the supervisor device 10 creates the black list BL (1) shown in FIG.

  FIG. 4 is a diagram illustrating an example of a data structure of a black list. As shown in FIG. 4, the blacklist BL (1) includes a time stamp indicating an abnormality detection time, an IP address of the monitored device 20, an IP address of the monitoring device 10, and an environment of the monitoring device 10 (monitoring device environment). ) And a column for writing or deleting anomaly detection. In the abnormality detection column, “Write” is written for the monitored apparatus 20 in which the abnormality is detected. In addition, “Delete” is written for the monitored device 20 that is detected to have returned to normal from the abnormality. And when it returns to normal, “Delete” is written, so that it is handled in the same way as deletion from the black list. Also, a rule such as invalidating a plurality of continuous writes from the supervisor device 10 having the same IP address may be defined for the black list.

  For example, an abnormality indicating that the blacklist registration unit 133 detected an abnormality in the monitored device 20 with the IP address “192.168.100.2” at the time “12:01” from the monitoring device 10 with the IP address “192.168.100.1”. A case where the detection result is received will be described. In this case, the blacklist registration unit 133 registers “12:01” in the time stamp column and “192.168.100.2” in the IP address column of the monitored device 20 in the first line of the blacklist BL (1). sign up. Then, the blacklist registration unit 133 registers “192.168.100.1” in the IP address column of the monitoring officer device 10 in the same first row, and registers the environment “Win8” of “192.168.100.1” in the monitoring officer device environment column. Then, “Write” indicating that an abnormality has been detected is registered in the write / delete column.

  Also, the abnormality detection unit 132 confirms that the own device having the IP address “192.168.100.25” has returned to the normal state from the abnormality at the time “12:03”. A case where it is detected will be described. In this case, the blacklist registration unit 133 registers “12:03” in the time stamp column and “192.168.100.23” in the IP address column of the monitored device 20 in the fifth line of the blacklist BL (1). sign up. Then, the blacklist registration unit 133 registers the IP address “192.168.100.25” of the own device in the IP address column of the monitoring device 10 in the same fifth row, and the environment “Cent OS4” of the own device in the monitoring device environment field. ”And“ Delete ”indicating that the operation has returned to normal from the abnormality is registered in the write / delete column. As shown in the supervisor device environment column, the blacklist BL (1) describes abnormalities detected by a plurality of supervisor devices 10 on the network 2 operating in various environments.

  When the transmission and reception of the abnormality detection result are mutually performed between the devices in the network 2 described above, and the blacklist registration of the abnormality detection result is repeated in each device, all the supervisor devices 10 and the monitored devices 20 Will share a blacklist of similar content.

  When the abnormality detection result registered in the black list reaches a predetermined amount, the search unit 134 collects the black list into blocks based on the black list and the authenticity information of the last block in the block chain. Thus, the authenticity information in the next block is searched. The search unit 134 uses the cryptographic hash function to generate a hash to be used for the next block from the hash value and Nonce of the block at the end of the block chain and the black list to be guaranteed authenticity. A calculation process called mining (search) is performed to search for brute force. The search unit 134 performs calculation for discovering a Nonce prior to the other supervisor device 10, and the search unit 134 that has successfully searched for the Nonce, as the next block, A block including a hash of the block and a black list registered by the own device is generated.

  When the search unit 134 searches for authenticity information, the block chain update unit 135 determines that the block including the searched nonce, the hash of the previous block, and the black list registered by the own device to other blocks Sent to a device to couple the block to a block chain stored by another device. Then, the block chain update unit is a block including a nonce searched by the own device, a hash of the previous block, and a black list registered by the own device, or a block transmitted from another monitoring device 10 Is updated to the block chain stored in its own device to update the block chain.

  In other words, the block chain update unit 135 transmits the next block generated by the search unit 134 to the other supervisor device 10 and the monitored device 20 in the network 2. Then, the block chain updating unit 135 determines the black list that should be guaranteed authenticity by combining the block generated by the own device or the block transmitted by the other monitoring device 10 with the block chain. This block includes a searched nonce, a hash of the previous block, and a black list in which a plurality of abnormality detection results by each monitoring device 10 in the network 2 are registered.

  Here, as described above, the black list included in this block is registered in each device by transmitting / receiving the abnormality detection result between the devices, and the supervisor device 10 that has been successfully searched is determined. It is a thing. Further, since the hash and nonce included in each block involve a huge amount of calculation, it is very difficult to falsify the authenticity information. For this reason, all the devices on the network 2 include the black list in the block together with the authenticity hash and nonce, and by combining the block with the block chain, the same block chain is used as the abnormality detection history. Share. That is, the black list included in the block can be shared between devices on the network 2 in a state where authenticity is ensured.

  Then, the determination unit 136 refers to the black list, and when there are monitored devices 20 in which abnormality is detected from a predetermined number or more of the monitoring combination devices 10 in the black list, the monitored device 20 is abnormal. It is determined that there is a high possibility. The determination unit 136 also determines that there is a high possibility that the monitored device 20 has returned to normal when there are monitored devices 20 whose deletions are registered from a predetermined number or more of the monitoring combination devices 10 in the list. judge. The determination process of the determination unit 136 will be described with reference to FIG.

  FIG. 5 is a diagram illustrating the determination process of the determination unit 136. FIG. 5A shows a black list BL (2) as an example of a black list referred to by the determination unit 136 for determination. In FIG. 5B, the determination unit 136 performs the next determination. The black list BL (3) referred to for this purpose is shown. In this example, the predetermined number is assumed to be four times.

  First, the determination unit 136 checks the black list BL (2) (see FIG. 5A) in order to perform the determination process. In this blacklist BL (2), the monitored device 20 with the IP address “192.168.100.2” has the time “12:01”, “12:03”, “12:04”, and “12:04”. “Write” is registered from the four supervisory devices 10 over time. For this reason, the determination unit 136 determines that there is a high possibility of an abnormality because the monitored apparatus 20 with the IP address “192.168.100.2” has registered an abnormality four times or more (in FIG. 5A). (See (1)).

  On the other hand, in the blacklist BL (2), the monitored device 20 with the IP address “192.168.100.10” receives “Write” from one monitoring officer device 10 only once at the time “12:02”. It is registered. For the monitored device 20 with the IP address “192.168.100.10”, the determination unit 136 determines that the possibility of abnormality is low because the abnormality is registered only once ((a) in FIG. 5 ( 2)).

  Subsequently, the determination unit 136 checks the black list BL (3) (see FIG. 5B) in order to perform the next determination process. Here, in the blacklist BL (3), for the monitored device 20 with the IP address “192.168.100.2” determined to be highly likely to be abnormal in the previous determination, the time “12:11”, “ “Delete” is registered from four monitoring devices 10 over four times of “12:13”, “12:14”, and “12:15” (see (1) in FIG. 5B). . For this reason, the determination unit 136 determines that there is a high possibility that the monitored device 20 with the IP address “192.168.100.2” has returned to normal four times and thus returned to normal (see FIG. 5 (b) (2)).

  The determination unit 136 may perform the determination process with reference to the black list being registered. In this case, the determination unit 136 can quickly execute an abnormality determination of each device in operation. Further, the determination unit 136 may perform the determination process with reference to the black list in the block in which the connection to the block chain is determined. In this case, since the determination unit 136 can use a blacklist whose registration contents are already determined, there is no change in the determination contents and a stable determination result can be output.

  The input unit 14 is an input interface that accepts various operations from an operator of the supervisor device 10. For example, the input unit 14 includes buttons, a touch panel, a voice input device, and input devices such as a keyboard and a mouse. The output unit 15 is, for example, a liquid crystal display, a printer, or the like, and outputs various types of information related to abnormality detection processing.

[Configuration of monitored devices]
Next, the configuration of the monitored device 20 will be described. FIG. 6 is a block diagram showing a configuration of the monitored apparatus 20 shown in FIG. As illustrated in FIG. 6, the monitored device 20 includes a communication unit 21, a storage unit 22, a control unit 23, an input unit 24, and an output unit 25.

  The communication unit 21 is a communication interface that transmits and receives various types of information to and from other devices connected via the network 2, similarly to the communication unit 11 in the supervisor device 10. When there is a log transmission request from the monitoring officer device 10 of the abnormality detection system 1, the communication unit 21 transmits log data 222 (described later) in the storage unit 22 (described later) to the requesting monitoring officer device 10. . Further, the communication unit 21 receives the abnormality detection result broadcast from the supervisor device 10.

  The storage unit 22 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the monitored device 20 or data used during the execution of the processing program. Is memorized. The storage unit 22 stores the block information storage unit 121 and the log data 222 indicating the operation history of the monitored device 20 in time series, similarly to the storage unit 12 in the monitoring device 10.

  The control unit 23 is an electronic circuit such as a CPU or MPU, and has an internal memory for storing a program that defines various processing procedures and necessary data, and executes various processes using these. The control unit 23 includes a block chain update unit 135 and a determination unit 136. Therefore, when the monitored device 20 receives the next block from the monitoring device 10, the monitored device 20 combines this block with the block chain and updates the stored block chain. As a result, the block chain is shared with the supervisor device 10 in the network 2. Further, since the monitored device 20 includes the determination unit 136 as well as the monitoring combination device 10, the determination processing using the black list can be executed.

  The input unit 24 is an input interface that accepts various operations from an operator of the monitored apparatus 20. The output unit 25 is, for example, a liquid crystal display, a printer, or the like, and outputs various types of information related to abnormality detection processing.

  In the present abnormality detection system 1, the configuration in which the monitoring device 10 and the monitored device 20 are mixed in the network 2 has been described as an example, but the present invention is not limited to this. For example, only the supervisor device 10 may exist in the network 2. In addition, in the network 2, in addition to the monitoring device 10 and the monitored device 20, the device in which the determination unit 136 of the monitoring device 10 is deleted, has a block chain, detects abnormality, blacklist registration, There may be a device that performs the search. Further, in the network 2, there may be a device in which the log data transmission function is deleted from the monitored device 20, and a device that performs abnormality determination using a block chain blacklist. In the case of such a device, since there is little influence on other devices, it is not essential to install a TPM or a secure hypervisor.

[Flow of abnormal detection system processing]
Next, a processing flow of the abnormality detection system 1 will be described. 7-9 is a figure explaining the flow of a process of the abnormality detection system 1 shown in FIG. 7 to 9, a case will be described in which the monitoring devices 10 </ b> A to 10 </ b> C among the devices on the network 2 function as the monitoring device 10 and monitor the monitored device 20 </ b> A of the monitored devices 20. Each device will be described with respect to the case where the last block of the block chain is the block B1.

  First, the supervisor combination devices 10A to 10C set the monitored device 20A as a monitored device as a monitored device (see (1) in FIG. 7). Subsequently, the supervisor devices 10A to 10C request the monitored device 20A to transmit a log for monitoring, and in response to this, the monitored device 20A obtains the log data 222 stored in the own device from the request source. Are sent to the supervisor devices 10A to 10C. Thereby, the supervisor combination devices 10A to 10C acquire the log data of the monitored device 20A (see (2) in FIG. 7).

  Each of the supervisor combination devices 10A to 10C analyzes the log data of the monitored device 20A, and detects the presence or absence of an abnormality of the monitored device 20A. The supervisor combination devices 10A to 10C broadcast the abnormality detection result of the monitored device 20A to the other supervisor combination devices 10A to 10C and the monitored devices 20 and 20A. As a result, the monitoring combination devices 10A to 10C display the abnormality detection result by the own device and the abnormality detection results by the other monitoring combination devices 10A to 10C in the black list (2) corresponding to the block B2 next to the block chain BC ′. Register (see arrows Y21 to Y24 in FIG. 8 and (3) in FIG. 8).

  Thereafter, when the abnormality detection result registered in the black list (2) reaches a predetermined amount, the supervisor combination devices 10A to 10C end the registration in the black list (2). Subsequently, the supervisor devices 10A to 10C execute search (mining). For example, when the supervisor combination device 10B succeeds in the search for Nonce (see (4) in FIG. 8), the supervisor combination device 10B generates the next block B2, and the other supervisor combination devices 10A, 10C and The data is transmitted to the monitoring devices 20 and 20A (see (5) in FIG. 8). When the supervisor combination devices 10A and 10C and the monitored devices 20 and 20A receive the next block B2 (see FIG. 9) from the supervisor combination device 10B that has been successfully searched, the block including the blacklist BC (2) is received. B2 is coupled to the respective block chain BC ′ and updated to the block chain BC ″. As a result, by sharing the newly coupled block B2 between the devices in the network 2 (arrow Y3 in FIG. 9). And (6) of FIG. 9), the black list (2) can be shared.

  Thereafter, when the supervisor combination devices 10A to 10C set the monitored device 20A as a monitoring target (see (7) in FIG. 9), the log data of the monitored device 20A is acquired ((( 8)), the monitoring of the monitored device 20A is continued, and the abnormality detection result is registered in the black list (3) corresponding to the next block B3.

[Processing flow of monitoring device]
Next, the processing procedure of the monitoring process of the supervisor device 10 will be described. FIG. 10 is a flowchart showing the procedure of the monitoring process performed by the supervisor combination device 10 shown in FIG.

  First, the supervisor device 10 selects the monitored device 20 to be monitored (step S1) and starts monitoring. In the supervisor combination device 10, the log acquisition unit 131 acquires the log data of the monitored device 20 from the monitored device 20 (step S2). Subsequently, the abnormality detection unit 132 analyzes the log data of the monitored device 20 acquired by the log acquisition unit 131, and detects whether there is an abnormality in the monitored device 20 (step S3). Then, the abnormality detection unit 132 broadcasts the abnormality detection result to the other monitoring device 10 and the monitored device 20 of the abnormality detection system 1 and receives the abnormality detection result from the other monitoring device 10 (step). S4).

  Subsequently, the black list registration unit 133, based on the abnormality detection result by the abnormality detection unit 132 and the received abnormality detection result, information indicating the identification information and the abnormal state of the monitored device 20 indicated in the abnormality detection result. Is registered in the black list (step S5). Then, the black list registration unit 133 determines whether or not to end black list registration (step S6). When the abnormality detection result registered in the black list reaches a predetermined amount, the black list registration unit 133 determines to end the black list registration. If the black list registration unit 133 determines that the black list registration is not completed (step S6: No), the black list registration unit 133 returns to step S2 and continues the monitoring process for the monitored device 20.

  On the other hand, when the black list registration unit 133 determines that the black list registration is finished (step S6: Yes), the search unit 134 performs a search process for collecting the black list into blocks (step S7). As a search process, the search unit 134 searches for authenticity information in the next block based on the black list and the authenticity information of the block at the end of the block chain. In other words, the search unit 134 searches for a nonce that generates a hash used for the next block from the hash value of the block at the end of the block chain and the black list whose authenticity is to be guaranteed.

  And the search part 134 judges whether the search was successful (step S8). When the search unit 134 determines that the search has been successful (step S8: Yes), the search unit 134 generates the next block, and the block chain update unit 135 uses the generated block to perform other monitoring in the network 2. It transmits to the combination device 10 and the monitored device 20 (step S9). On the other hand, if the search unit 134 determines that the search has not been successful (step S8: No), the search unit 134 receives the next block from the other supervisor combination device 10 that has been successfully searched (step S10). Actually, when the search unit 134 receives the next block from another supervisor device 10 that has been successfully searched before the device itself has successfully searched (step S10), the search unit 134 has determined that the search has not been successful. Judgment is made (step S8: No).

  Then, the block chain updating unit 135 updates the block chain by combining the next block generated by the own device or the next block transmitted from the other monitoring device 10 with the block chain (step S11). . That is, the block chain update unit 135 acquires the next block, and combines the block including the black list whose authenticity is to be ensured with the block chain. This block includes the searched nonce, the hash of the previous block, and a black list indicating a plurality of abnormality detection results registered by the monitoring device 10 that has been successfully searched.

  Then, the determination unit 136 refers to the black list in the block of the updated block chain, and performs a determination process for determining whether there is an abnormality in the monitored device 20 (step S12). Note that this determination process can be executed not only after step S11 but also during blacklist registration.

  Subsequently, the control unit 13 determines whether or not to continue monitoring (step S13). When it is determined that monitoring is to be continued (step S13: Yes), the control unit 13 returns to step S1 and continues monitoring. If it is determined not to continue (step S13: No), the monitoring process by the supervisor device 10 is terminated.

[Processing flow of monitored device]
Next, the process procedure of the block chain update process of the monitored apparatus 20 will be described. FIG. 11 is a flowchart showing the processing procedure of the block chain update process performed by the monitored device 20 shown in FIG.

  First, in the monitored device 20, when the communication unit 21 receives a log data transmission request from the monitoring device 10 (step S21), the communication unit 21 transmits log data 222 to the monitoring device 10 (step S22).

  The monitored device 20 receives the next block from the other monitoring device 10 that has been successfully searched (step S23). Subsequently, the block chain update unit 135 updates the block chain by coupling the received next block to the block chain (step S24). Step S25 is step S12 shown in FIG.

[Effect of the embodiment]
As described above, each device of the abnormality detection system 1 according to the present embodiment shows the authenticity of the black list in which the same content is registered in any device by transmitting and receiving the abnormality detection result between the devices. Along with authenticity information, a block chain connected in time series with a certain block is stored. Since the authenticity information (hash and nonce) included in this block involves a huge amount of calculation, it is very difficult to alter the authenticity information. And each apparatus of the abnormality detection system 1 shares this same block chain as an abnormality detection history by including this black list in a block together with authenticity information, and confirming the connection of this block to the block chain. .

  That is, according to the present embodiment, the black list included in the block can be shared between devices on the network 2 in a state where authenticity is ensured. In other words, according to the present embodiment, it is possible to protect the black list after being registered in the block chain, which is shared among a plurality of apparatuses that perform P2P type mutual abnormality detection, from tampering. Therefore, according to the present embodiment, it is possible to realize an anomaly detection system that guarantees the authenticity of a black list shared between a plurality of devices.

  Further, in the present embodiment, the block chain can be shared by arranging data sharing protocols relating to abnormality detection among various IoT devices in the network 2. Since the devices in the network 2 are heterogeneous, they have diversity, and the possibility that the reliability of abnormality detection is extremely lowered due to a single serious vulnerability or attack can be reduced. In other words, according to the present embodiment, even when a specific detection device has a serious vulnerability or attack, a plurality of various IoT devices perform mutual monitoring. It is possible to prevent a significant decrease.

  In the present embodiment, detection of a security anomaly (abnormality) for preventing falsification of a blacklist has been described. Of course, the present invention can also be applied to other anomaly (abnormality) events such as a failure.

[System configuration, etc.]
Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or a part of the distribution / integration is functionally or physically distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or a part of each processing function performed in each device can be realized by a CPU and a program that is analyzed and executed by the CPU, or can be realized as hardware by wired logic.

  In addition, among the processes described in this embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
FIG. 12 is a diagram illustrating an example of a computer that realizes the supervisor device 10 and the monitored device 20 by executing a program. The computer 1000 includes a memory 1010 and a CPU 1020, for example. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to the display 1130, for example.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the supervisor device 10 and the monitored device 20 is implemented as a program module 1093 in which a code executable by a computer is described. The program module 1093 is stored in the hard disk drive 1090, for example. For example, a program module 1093 for executing the same processing as the functional configuration in the monitoring device 10 and the monitored device 20 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

  The setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN, etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

  As mentioned above, although embodiment which applied the invention made | formed by this inventor was described, this invention is not limited with the description and drawing which make a part of indication of this invention by this embodiment. That is, other embodiments, examples, operation techniques, and the like made by those skilled in the art based on this embodiment are all included in the scope of the present invention.

DESCRIPTION OF SYMBOLS 1 Abnormality detection system 2 Network 10,10A-10C Monitoring device 20,20A Monitored device 11,21 Communication part 12,22 Storage part 13,23 Control part 14,24 Input part 15,25 Output part 121 Block information storage part 122, 222 Log data 131 Log acquisition unit 132 Anomaly detection unit 133 Blacklist registration unit 134 Search unit 135 Block chain update unit 136 Determination unit

Claims (6)

An anomaly detection system having a plurality of devices that communicate peer-to-peer with each other,
Each device has a list of abnormality detection results related to the device, together with authenticity information indicating authenticity, an abnormality detection history connected in a time series in a certain detection unit, and an operation status of the own device in time series. A storage unit for storing log information
The supervisor device that performs monitoring of the devices is:
A log acquisition unit that acquires the log information of the monitored device from the monitored device to be monitored among the devices;
An abnormality detection unit that analyzes the log information acquired by the log acquisition unit and detects whether there is an abnormality in the monitored device; and
Based on the abnormality detection result of the monitored device by the abnormality detection unit, a registration unit that registers identification information of the monitored device and information indicating an abnormal state in the list;
A search unit that searches for the authenticity information corresponding to the next detection unit based on the list and the authenticity information of the detection unit at the end of the abnormality detection history;
When the search unit searches for the authenticity information, the detection unit including the searched authenticity information and the list registered by the own device is transmitted to another device, and the detection unit is The abnormality detection history is combined with the abnormality detection history stored in another device and the detection unit including the searched authenticity information and a list registered by the own device is combined with the abnormality detection history. An update section to update;
An anomaly detection system comprising:   The apparatus determines that the monitored apparatus is likely to be abnormal when there is the monitored apparatus in which abnormality is detected from a predetermined number or more of the monitoring device in the list The abnormality detection system according to claim 1, further comprising a unit. The registration unit, when detecting that the monitored device has returned to normal from an abnormality, performs registration to delete the abnormality of the monitored device from the list,
The determination unit determines that there is a high possibility that the monitored device has returned to normal when there are the monitored devices whose deletions are registered from a predetermined number or more of the monitoring combination devices in the list. The abnormality detection system according to claim 2. The detection unit has, as the authenticity information, a hash of the previous detection unit, and a value with a predetermined condition,
The search unit is preliminarily set with the conditions for generating a hash to be used for the next block from the hash value of the detection unit at the end of the abnormality detection history and the list to be guaranteed authenticity. The anomaly detection system according to any one of claims 1 to 3, wherein the value is searched. An anomaly detection system having a plurality of devices that communicate peer-to-peer with each other,
Each device has a list of abnormality detection results related to the device, together with authenticity information indicating authenticity, an abnormality detection history connected in a time series in a certain detection unit, and an operation status of the own device in time series. A storage unit for storing log information
The supervisor device that performs monitoring of the devices is:
A log acquisition unit that acquires the log information of the monitored device from the monitored device to be monitored among the devices;
An abnormality detection unit that analyzes the log information acquired by the log acquisition unit and detects whether there is an abnormality in the monitored device; and
Based on the abnormality detection result of the monitored device by the abnormality detection unit, a registration unit that registers identification information of the monitored device and information indicating an abnormal state in the list;
Based on the list and the authenticity information of the detection unit at the end of the abnormality detection history, a search unit that searches for the authenticity information in the next detection unit;
When the search unit searches for the authenticity information, the detection unit including the searched authenticity information and the list registered by the own device is transmitted to another device, and the detection unit is The abnormality detection history is combined with the abnormality detection history stored in another device and the detection unit including the searched authenticity information and a list registered by the own device is combined with the abnormality detection history. A first updating unit for updating;
Have
The monitored device is:
A communication unit that receives the log information transmission request from the supervisor device and transmits the log information to the supervisor device;
A second updating unit that, when receiving the detection unit transmitted by the supervisor device, combines the received detection unit with the abnormality detection history to update the abnormality detection history;
An anomaly detection system comprising: An anomaly detection method performed by a plurality of devices that perform peer-to-peer communication with each other,
Each device has a list of abnormality detection results related to the device, together with authenticity information indicating authenticity, an abnormality detection history connected in a time series in a certain detection unit, and an operation status of the own device in time series. A storage unit for storing log information
A log acquisition step in which a supervisor device that performs monitoring of the device acquires the log information of the monitored device from a monitored device that is a monitoring target of the device;
An abnormality detection step in which the supervisor device analyzes the acquired log information to detect the presence or absence of an abnormality of the monitored device;
A registration step in which the supervisor device registers the identification information of the monitored device and information indicating the abnormal state in the list based on the abnormality detection result of the monitored device in the abnormality detection step;
A search step for searching for the authenticity information corresponding to the next detection unit based on the list and the authenticity information of the detection unit at the end of the abnormality detection history;
When the authenticity information is searched for in the searching step, the monitoring device transmits the detection unit including the searched authenticity information and the list registered by the own device to another device. The detection unit is combined with the abnormality detection history stored in the other device, and the detection unit including the searched authenticity information and a list registered by the own device is combined with the abnormality detection history. And updating the abnormality detection history to update the abnormality detection history,
An abnormality detection method characterized by including

Images