JP7243329B2 - Computer program, event anomaly detection method, and computer - Google Patents

Description

The present invention relates to computer programs, event anomaly detection methods, and computers.

In recent years, damage from cyber attacks such as targeted attacks and malware has become a threat. In order to prevent damage from cyber-attacks, general malware behavior detection methods include blacklist-type detection, which detects when a match is made by matching against a list of attacking behaviors, and whitelist-type detection, which detects when a match is made by matching with an allow list. It is known as list type detection.

Patent Document 1 discloses a method of classifying behavior information into three types of benign, suspicious, and non-benign using AI (Artificial Intelligence), and detecting suspicious or non-benign among them. . Further, in Japanese Patent Laid-Open No. 2002-200311, a procedure is adopted in which behavior classified as suspicious or non-benign in this way is prompted to confirm by the user, and the behavior is registered in a whitelist according to the response.

Patent Document 2 discloses a configuration that analyzes events and alerts, transfers true incidents to relevant/authorized/designated parties, and performs triage for the true incidents. It is

Patent Literature 3 discloses a method capable of detecting malicious software. Specifically, the document discloses a configuration for detecting malicious software using important contextual information from client systems, machine learning techniques, automatic deployment of generic signatures, and combinations thereof. there is

Japanese Patent Publication No. 2018-522321 Japanese Patent Publication No. 2018-521430 Japanese Patent Publication No. 2014-504399

The following analysis is given by the present invention. The step of expansion of intrusion by the malware or the attacker, which occurs after the above-mentioned malware violates the security of the computer that serves as the entrance to the organization and establishes communication with the attacker, is called "Lateral Movement."

Common malware behavior detection methods include blacklist type detection, which detects when a list of attack behaviors match and whitelist type detection, which compares against a list of attack behaviors and detects when they do not match. In Lateral Movement, attackers usually use standard functions of the OS (Operating System) to move around the network unnoticed. Therefore, it is difficult to detect lateral movement with a simple blacklist of command names and the like. In other words, since the blacklist cannot detect attacks other than those known in advance, there is a problem that the lateral movement cannot be completely prevented.

The Lateral Movement is further divided into the steps of "reconnaissance", "entitlement seizure" and "computer break-in". First, the attacker conducts reconnaissance using tools and utilities such as the netstat command, which is standardly installed in the OS, and collects information necessary for the next attack. Since these commands are likely to be commonly used, it is difficult to implement countermeasures even with detection using a whitelist.

Also, the attacker looks at the actual communication flow and network usage status to narrow down the next attack target. For this reason, even if an access to a decoy server is determined to be an unauthorized access, the attacker's access often does not reach the decoy server, making detection difficult.

As the Lateral Movement moves to the next stage and sufficient information is available, attackers can use methods such as ARP (Address Resolution Protocol) spoofing and keyloggers to exfiltrate legitimate access data. The attacker then uses the stolen privileges to gain access to other computers and get closer to the original target of the attack. Once this stage is reached, it is nearly impossible to detect with traditional security features. As a result, it allows attackers to gain higher privileges and advance to new levels of targeted attacks.

Several methods have been proposed to track and detect a series of behaviors before the lateral movement becomes difficult to detect. However, lateral movement is difficult to distinguish from normal movement, and its techniques have become sophisticated, so there is a problem that it is difficult to distinguish even if the log is checked manually.

In response to the above, there is a method of detecting lateral movement using AI, but it is difficult to take measures that consider the conditions and risks unique to the organization, and the current situation is that there are many false positives (overdetection and oversight). . Another problem is that if the target of attack differs, the purpose of the attacker also differs. For this reason, there are many cases in which a classifier created using AI technology includes tissue-specific features. This leads to the fact that the classifier cannot be laterally deployed to other organizations, which is one of the reasons why it is difficult to take effective countermeasures.

In this regard, Patent Document 1 discloses that the analyzer module (corresponding to the classifier) partially considers the risk aspect, but does not mention conditions specific to the organization or lateral deployment of the classifier. do not have. As a result, according to the disclosure of Patent Literature 1, it is impossible to quickly deploy the classifier to other organizations and take quick countermeasures.

The invention described in Patent Document 2 is ultimately the same as the method using signatures (blacklist, whitelist), and is a countermeasure against Lateral Movement, which has become more sophisticated and difficult to detect manually. It can be said that it is difficult to use in .

The method of Patent Document 3 is similar to Patent Document 2 in that analysis is performed based on the event history of the system and meta information on behavior, and determination is made using AI technology and signatures (blacklist). Also, Patent Document 3 does not refer to tissue-specific conditions or lateral deployment of classifiers. For this reason, even in Patent Document 3, it is impossible to immediately deploy the classifier horizontally to other organizations and take quick countermeasures.

An object of the present invention is to provide a computer program, an event anomaly detection method, and a computer that can contribute to improvement in detection performance of anomalies hidden in the behavior of equipment represented by the lateral movement described above.

According to the first aspect, the computer has an abstract network generation function for abstracting a network to be monitored using a predetermined rule, and an event reception function for storing event information received from the outside of the system in an event queue. a feature data generating function for extracting event information from the event queue and generating feature data representing behavior of the abstracted device on the network; and feature data waiting for prediction from a prediction queue storing the feature data. is extracted, and a predetermined classifier is used to detect anomalies. This program is input to the computer device via an input device or an external communication interface, stored in a storage device, and drives the processor according to predetermined steps or processes. In addition, this program can display the results of processing, including intermediate states, at each stage via a display device as required, or can communicate with the outside via a communication interface. A computer device for that purpose typically includes a processor, a storage device, an input device, a communication interface, and optionally a display device, which are interconnected by a bus, as an example.

According to the second viewpoint, the computer performs an abstract network generation step of abstracting a network to be monitored using a predetermined rule, and an event reception step of storing event information received from outside the system in an event queue. a feature data generation step of extracting event information from the event queue and generating feature data representing the behavior of the abstracted device on the network; and feature data waiting for prediction from a prediction queue storing the feature data. and detecting an anomaly using a predetermined classifier. The method is tied to a specific machine, a computer that detects anomalies based on event information using a given classifier.

According to the third aspect, an abstract network generating unit that abstracts a network to be monitored using a predetermined rule, an event receiving unit that stores event information received from outside the system in an event queue, and the event a feature data generation unit for extracting event information from a queue and generating feature data representing behavior of the abstracted device on the network; extracting feature data waiting for prediction from a prediction queue storing the feature data; A computer is provided that includes an anomaly detection unit that detects an anomaly using a predetermined classifier.

According to the present invention, it is possible to improve the detection performance of anomalies latent in the behavior of equipment, represented by the lateral movement described above.

It is a figure which shows the structure of one Embodiment of this invention. It is a figure which shows the structure of the computer of the 1st Embodiment of this invention. FIG. 4 is a diagram showing the operation (network abstraction processing) of the computer according to the first embodiment of this invention; FIG. 3 is a diagram showing the configuration of a network to be monitored for explaining the operation of the first exemplary embodiment of the present invention; FIG. FIG. 3 is a diagram showing an example of initial data of a network abstracted by a computer according to the first embodiment of this invention; 6 is a diagram showing a state in which services are arranged as nodes in the initial data of FIG. 5; FIG. FIG. 7 is a diagram showing a state in which nodes are further arranged in the data of FIG. 6; FIG. 4 is a diagram showing the operation (feature data string generation processing) of the computer according to the first embodiment of the present invention; It is a figure which shows the example of the feature data sequence produced|generated by the computer of the 1st Embodiment of this invention. It is a figure which shows the operation|movement (classifier generation process) of the computer of the 1st Embodiment of this invention. FIG. 4 is a diagram showing the operation (feature data analysis processing) of the computer according to the first embodiment of the present invention; It is a figure which shows the structure of the computer of the 2nd Embodiment of this invention. 1 is a diagram showing the physical configuration of a computer of the present invention; FIG.

First, an outline of an embodiment of the present invention will be described with reference to the drawings. It should be noted that the drawing reference numerals added to this overview are added to each element for convenience as an example to aid understanding, and are not intended to limit the present invention to the illustrated embodiments. Also, connection lines between blocks in drawings and the like referred to in the following description include both bidirectional and unidirectional connections. The unidirectional arrows schematically show the flow of main signals (data) and do not exclude bidirectionality. A program is executed via a computer device, and the computer device includes, for example, a processor, a storage device, an input device, a communication interface, and, if necessary, a display device. Furthermore, the computer device is configured to be able to communicate with internal or external devices (including computers) via a communication interface, whether wired or wireless. Also, although there are ports or interfaces at input/output connection points of each block in the drawing, they are omitted from the drawing. Moreover, in the following description, "A and/or B" is used to mean at least one of A and B.

In one embodiment of the present invention, as shown in FIG. 1, the computer 1 implements an abstract network generation function 11, an event reception function 12, a feature data generation function 14, and an anomaly detection function 16. It can be realized by a computer program for

More specifically, the abstract network generation function 11 uses predetermined rules to abstract the network to be monitored. An abstracted network is illustrated in FIG.

The event reception function 12 stores event information received from outside the system in the event queue 13 .

A feature data generation function 14 extracts event information from the event queue 13 and generates feature data representing behavior of the abstracted devices on the network. As the feature data, the event information illustrated in FIG. 8 mapped onto the abstract network can be used.

Then, the anomaly detection function 16 extracts feature data waiting for prediction from the prediction queue 15 storing feature data, and detects an anomaly using a predetermined classifier.

The computer program described above makes it possible to accurately detect an abnormality typified by lateral movement. The reason for this is that the network to be monitored is abstracted, the event information is converted into feature data representing the behavior of the devices on the network, and a prediction is made using a classifier. be.

[First Embodiment]
Next, a first embodiment of the present invention will be described in detail with reference to the drawings. First, with reference to FIG. 2, the outline of this embodiment will be described. The computer 100 of this embodiment includes an abstract NW generation unit (abstract network generation unit) 101 that abstracts a network specialized for lateral movement detection. This computer 100 further comprises an event reception unit 103 that receives notification of event information generated from outside the system and stores the event information in the event queue 104 . This computer 100 further comprises a feature data generation unit 105 that refers to the event queue 104 to generate a feature data string and stores it in the prediction queue 108 . The computer 100 further includes an event anomaly detection unit 111 that analyzes event information in the prediction waiting state from the prediction queue 108 using the classifier acquired from the classifier storage unit 110 and generates prediction results/detection results. The computer 100 further includes a detection result display section 112 that displays prediction results/detection results for the system administrator.

Each part (processing means) of the computer 100 shown in FIG. 2 can also be realized by a computer program that causes a processor mounted on the computer 100 to execute the above-described processes using the hardware. Therefore, the abstract network generation unit 101, the event reception unit 103, the feature data generation unit 105, and the event anomaly detection unit 111 are configured as the abstract network generation function 11, the event reception function 12, the feature data generation function 14, and the anomaly detection function 16, respectively. corresponds to

Next, the configuration of the computer 100 of this embodiment will be described in detail with reference to the drawings. The computer 100 functions as a malware infection spread detection system by mainly performing three processes (network abstraction, prediction, and learning). Each processing order will be described below.

[Network abstraction]
First, the components involved in the network abstraction process are described. Network abstraction processing is performed by the abstract NW generation unit 101 . A NW data database (NW data DB) 102 is a database that stores the output generated by the abstract NW generation unit 101 .

The abstract NW generation unit 101 receives terminal meta-information, importance level, and meta-information related to services operating on the terminal input from outside the system (hereinafter collectively referred to as "terminal information"). . Then, the abstract network generation unit 101 receives this terminal information, abstracts the network specialized for lateral movement detection, and generates an abstract network diagram in which a plurality of areas are set for each device in which the service is running. . A specific example of network abstraction by the abstract NW generation unit 101 will be described later together with the operation of the abstract NW generation unit 101 .

[predict]
Next, components related to prediction processing using AI will be described. The prediction process is performed by the event reception unit 103 , feature data generation unit 105 , event abnormality detection unit 111 and detection result display unit 112 .

The event receiving unit 103 receives notification of event information generated from outside the system, and stores the event information in the event queue 104 .

Here, event information received by the event receiving unit 103 will be described. The event information is information about the behavior of the terminal obtained from the OS, such as communication, process generation, and file operation. For example, system call level information can be used as event information. For Windows (registered trademark), for example, this system call level information can be obtained using Event Tracing for Windows (ETW). Similarly, system call level information can be obtained using auditd for Linux (registered trademark) and DTrace for MacOS. Also, if necessary, an agent program may be installed on the terminal to be monitored to collect event information.

The feature data generation unit 105 generates a feature data string by referring to the event queue 104 and stores it in the prediction queue 108 . The feature data generated by the feature data generation unit 105 is an integer number string representing the behavior of the device generated by inputting the event information described above. A specific example of generation of the feature data string by the feature data generation unit 105 will be described later together with the operation of the feature data generation unit 105 .

The event anomaly detection unit 111 acquires a classifier from the classifier storage unit 110 and loads it on the memory, receives event information waiting for prediction from the prediction queue 108, and uses the classifier on the memory to use the prediction result/detection result. to generate

As a classifier that the event abnormality detection unit 111 acquires from the classifier storage unit 110, a classifier for class classification generated by supervised learning, for example, deep learning can be used.

The detection result display unit 112 is configured by a display device or the like that displays the prediction result/detection result for the system administrator.

[study]
Finally, components related to learning processing using AI will be described. The learning process is performed by the feature data generation unit 105 , the learning data storage unit 106 and the classifier generation unit 109 .

The feature data generation unit 105 generates a feature data string for learning when teacher data and event information are received from the outside of the system.

The learning data accumulation unit 106 combines the teacher data and the feature data string to generate learning data, and stores the generated learning data in the learning data DB 107 .

The classifier generation unit 109 periodically refers to the learning data DB 107 to generate a classifier and stores it in the classifier storage unit 110 .

Next, the operation of this embodiment will be described in detail with reference to the drawings. Hereinafter, details of each process will be described in the order of network abstraction, learning, and prediction using the drawings, similarly to the configuration of the computer 100 described above.

[Network abstraction]
First, the flow of network abstraction processing will be described with reference to FIG. Referring to FIG. 3, abstract NW generation unit 101, upon receiving terminal information, generates initial data (initial image) for abstracting a network based on the information (step 201).

In the following description, an example of detecting an abnormal event in a network configuration such as that shown in FIG. 4 will be described. Reference numerals 301, 302, and 303 in FIG. 4 denote terminals within the organization, which do not operate the server function. Reference numerals 304, 305, and 306 in FIG. 4 denote devices at boundaries of different networks. GW is an abbreviation for gateway. Reference numerals 307 and 308 in FIG. 4 denote terminals in which Active Directory (directory service) is operating. Reference numeral 309 in FIG. 4 denotes a terminal (WebSV) in which the web service is running. SV is an abbreviation for server. In the following description, the terminals 301, 302, 303, ADs 307, 308, and WebSV 309 in FIG. 4 are hereinafter collectively treated as "terminals", and a network is abstracted for each. Since the direction from GW1 304 in FIG. 4 to the Internet is outside the organization, it is not included in the processing target.

The abstract NW generation unit 101 creates an initial image for each terminal. For example, in the case of terminal 3 303 in FIG. 4, the abstract NW generation unit 101 generates a vector image (initial image) in which a circle is drawn centering on the corresponding terminal as shown in FIG.

Next, the abstract NW generation unit 101 uses the input terminal information for each terminal and each service to update the image generated in step 201 (steps 202 and 203).

The abstract network generation unit 101 arranges each service as a node on the initial image created in step 201 based on the service meta information (protocol number, port number, importance) included in the terminal information, and generates an image. is updated (step 204). FIG. 6 shows an example of arranging nodes on the initial image of FIG.

More specifically, the abstract NW generation unit 101 classifies peripheral devices into three types (types) based on the meta information of the input value, and arranges these services, which may serve as communication endpoints, as nodes on an arc. will be placed as In the example of FIG. 6, services operating on various servers are arranged as nodes in the area of Group2 (402). Also, in the example of FIG. 6, tcp/80 near the node represents the protocol number and port number. Note that tcp is an abbreviation for Transmission Control Protocol.

Similarly, in the example of FIG. 6, services operating on the Domain Controller are arranged as nodes in the area of Group3 (403). tcp/1025-65535, tcp/445, and tcp/135 near the node represent protocol numbers and port numbers. Note that tcp/1025-65535 indicates a service to which a port number between 1025 and 65535 is dynamically assigned.

Furthermore, when there are services on other terminals, the abstract NW generation unit 101 arranges them as nodes in the area of Group1 (401) as shown in FIG.

The abstract NW generation unit 101 stores the generated image (abstract network diagram) in the NW data DB 102 (step 205). Here, the description is continued assuming that the image as shown in FIG. 7 is stored.

[study]
The learning process is divided into two steps of learning data generation/accumulation and classifier generation, each of which operates independently. The operation flow will be described in the order of learning data generation/accumulation and classifier generation.

[Learning - Generation and accumulation of learning data]
The flow of learning data generation/accumulation will be described with reference to FIG. When the feature data generation unit 105 receives learning data (event information only or event information with teacher data) from outside the system, it generates a feature data string (step 501).

For example, for terminal 3 303 in FIG. 4, the feature data string is generated as follows. The characteristic data generation unit 105 searches the NW data DB 102 using the terminal identifier as a key, and acquires a vector image (initial image, see FIG. 6) of the terminal 3 303 after network abstraction. Next, the feature data generation unit 105 extracts information about communication included in the received event information, and adds an arrow indicating communication between the service and the device on the vector image after network abstraction. go. The characteristic data generation unit 105 of this embodiment changes the thickness of the arrow according to the amount of traffic. For example, when the amount of communication is large, the feature data generation unit 105 thickens the arrow (see tcp/80 in FIG. 9). Further, the feature data generation unit 105 collects dynamically used port numbers (for example, RPC dynamic ports) into one end point (node) (see tcp/1025-65535 in FIG. 9). Note that RPC is an abbreviation for Remote Procedure Call.

Also, if there is no node on the arc in the image, the feature data generation unit 105 adds a new node. The rules for node addition at this time are the same as in the network abstraction process. That is, the end points of communication on various servers are arranged as nodes in Group2 (on the arc within the dotted line frame (region) in FIG. 9-402). The end point of the communication on the Domain Controller is arranged in Group3 (on the circular arc within the dotted line frame in Fig. 9-403). The end points of communication on other terminals are arranged in Group1 (on the arc within the dotted line frame in FIG. 9-401).

The feature data generation unit 105 repeats addition of nodes and addition of arrows until processing of communication-related information included in the received event information is completed. FIG. 9 shows an example of an image immediately before feature data string generation. The feature data generation unit 105 converts the generated image into a raster image (bitmap data), converts the pixel value of each pixel into an integer, and generates a feature data string. The feature data generation unit 105 outputs values obtained by connecting each pixel value of the raster image separated by commas as a feature data string.

After generating the feature data string, the feature data generation unit 105 checks whether or not the input event information includes teacher data (step 502). For example, the teacher data can be represented by an integer value of "1" if the action corresponds to the action of spreading malware infection, and "0" if it does not correspond to the action of spreading malware infection.

As a result of the confirmation, if the teacher data is included, the feature data generation unit 105 attaches the event occurrence time and terminal identifier to the feature data string and the teacher data, and transmits them to the learning data storage unit 106 (step 503).

On the other hand, if the teacher data is not included, the feature data generation unit 105 assigns the occurrence time of the event and the terminal identifier to the feature data string and stores it in the prediction queue 108 (step 504).

When the learning data accumulation unit 106 receives the feature data string and the teacher data from the feature data generation unit 105, it connects each value in the order of the teacher data and the feature data string, separated by commas. Then, the learning data storage unit 106 assigns the occurrence time of the event received from the feature data generation unit 105 and the identifier of the terminal to the combination of the teacher data and the feature data string to obtain learning data, and stores the training data in the learning data DB 107 . (Step 505).

[Learning - classifier generation]
Next, the flow of classifier generation will be described with reference to FIG. The classifier generator 109 periodically refers to the learning data DB 107 to check whether or not the learning data has newly increased (step 601). If the learning data has increased, the classifier generation unit 109 shifts to classifier generation processing (Yes in step 601). On the other hand, if the learning data has not increased, the classifier generation unit 109 ends the processing without generating a classifier (No in step 601).

The classifier generating unit 109 of the present embodiment generates classifiers for each terminal and for each specified period (hourly, daily, weekly, monthly) (step 602, step 603). Specifically, the classifier generation unit 109 accesses the learning data DB 107, specifies the identifier of the terminal and the event occurrence period, performs a search, and acquires the corresponding learning data (step 604).

Next, the classifier generator 109 generates a classifier with the acquired learning data as input (step 605). Deep learning can be used to generate the classifier.

Finally, the classifier generation unit 109 stores the generated classifier in the classifier storage unit 110 (step 606).

[predict]
Next, the flow of prediction processing using the classifier described above will be described with reference to FIG. First, when the event reception unit 103 receives the event information, it adds the event occurrence time and the identifier of the terminal where the event occurred, and registers it in the event queue 104 (step 701).

When data is registered in the event queue 104, the characteristic data generation unit 105 acquires the registered data (step 702).

The feature data generation unit 105 generates a feature data string by the same method as during learning (step 703).

Next, the feature data generation unit 105 adds the event occurrence time and the terminal identifier acquired from the event queue 104 to the generated feature data string and registers them in the prediction queue 108 (step 704).

When new data is registered in the prediction queue 108, the event abnormality detection unit 111 acquires the information (step 705).

The event abnormality detection unit 111 extracts the event occurrence time and the terminal identifier from the acquired new data, acquires the corresponding classifier from the classifier storage unit 110, and loads all the acquired classifiers into the memory. Then, the event anomaly detection unit 111 uses each classifier loaded in the memory, inputs the feature data string, and performs prediction processing (step 706). The event anomaly detection unit 111, for example, takes the average of the outputs (numbers between 0.0 and 1.0) of each classifier, and if the value exceeds a predetermined threshold, the anomaly, the threshold If the following conditions are met, it is judged to be normal.

The event abnormality detection unit 111 passes the prediction result to the detection result display unit 112 . The detection result display unit 112 outputs the prediction result (step 707).

According to this embodiment, anomalies (events related to the spread of malware infection) can be detected with high accuracy. The reason for this is that by grouping assets and risks into consideration, we have abstracted the network by removing user-specific environmental information, and adopted a method that can detect lateral movements regardless of differences in user environments. That's what it is. Further, in this embodiment, network abstraction is performed by selecting necessary information. Therefore, it is possible to anonymize information that the organization does not want to disclose to the outside.

Further, according to this embodiment, it is possible to detect a new type of lateral movement. The reason for this is that, as described above, the network is abstracted specifically for lateral movement detection, and an AI is used to detect abnormal behavior.

Also, the classifier generated by the classifier generation unit 109 in this embodiment is a classifier that can be used by other organizations. For example, computer 100 may be caused to distribute generated classifiers. As a result, the created classifier can be laterally deployed among different organizations, and it is possible to quickly take countermeasures against lateral movement. Further, according to the present embodiment, the trouble of anonymization, which is required when generating a blacklist, is not necessary.

Although each embodiment of the present invention has been described above, the present invention is not limited to the above-described embodiments, and further modifications, replacements, and adjustments can be made without departing from the basic technical idea of the present invention. can be added. For example, the network configuration, the configuration of each element, and the forms of representation such as images shown in each drawing are examples for helping understanding of the present invention, and are not limited to the configurations shown in these drawings.

For example, in the embodiment described above, the computer 100 performs the learning, but the classifier itself may be created by another computer. The configuration in this case is as shown in FIG. 12 (second embodiment). The computer 100a of FIG. 12 does not have the learning data accumulation unit 106, the learning data storage unit 107, and the classifier generation unit 109, but has a classifier reception unit 113. FIG. Since the operation of other elements is the same as that of the first embodiment, the explanation is omitted.

For example, in the above-described embodiment, the feature data is a feature data string connecting the pixel values of each pixel of the bitmap image representing the behavior of the device on the abstracted network diagram. However, the feature data is not limited to this. For example, it goes without saying that the feature data extracted from the raster image (bitmap data) illustrated in FIG. 9 may be used for learning and prediction.

For example, in the embodiment described above, deep learning is used for learning, but it is also possible to create a classifier using other machine learning algorithms.

Moreover, the procedure shown in the above-described first embodiment can be implemented by a program that causes a computer (9000 in FIG. 13) to implement the network abstraction, learning, and prediction functions described above. A physical configuration of such a computer is illustrated in FIG. That is, the CPU 9010 in FIG. 13 may execute the network abstraction program and the prediction program to update each calculation parameter held in the auxiliary storage device 9040 or the like.

That is, each part (processing means, function) of the computers 100 and 100a shown in the above-described first and second embodiments uses the hardware of the processors installed in these devices to perform each of the above-described processes. It can be realized by a computer program that executes Further, each part (processing means, function) of the computers 100 and 100a described above can be implemented as hardware that carries out the corresponding function.

Finally, preferred forms of the invention are summarized.
[First form]
(See computer program according to the first aspect above)
[Second form]
The feature data generation function of the computer program described above expresses services operating on the network to be monitored as nodes based on the meta information included in the event information, and the communication between the services and the devices is indicated by arrows. It is possible to employ a configuration for generating feature data represented by .
[Third form]
The abstract network generation function of the computer program described above generates an abstract network diagram in which a plurality of areas corresponding to the type of device in which the service is running is set, centering on a specific device, and the feature data generation function is: A configuration can be adopted in which feature data corresponding to an abstract network diagram in which the nodes are arranged in an area corresponding to the type of device in which the service is running in the abstract network diagram is created.
[Fourth mode]
The above-described computer program further causes the computer to implement a classifier generation function of generating a classifier based on the event information to which the teacher data is added, when teacher data is added to the event information. may be
[Fifth form]
The classifier generation function of the computer program described above can be configured to generate a classifier at predetermined time intervals for each device.
[Sixth form]
The computer program described above may further cause the computer to distribute the generated classifier.
[Seventh form]
The anomaly detection function of the computer program described above can be configured to detect an anomaly by selecting a classifier suitable for meta information of event information from among a plurality of classifiers.
[Eighth form]
The above-described computer program may use, as the feature data, a feature data string obtained by connecting pixel values of respective pixels of a bitmap image representing the behavior of the device on the abstracted network diagram. .
[Ninth form]
(Refer to the anomaly detection method from the second point of view above)
[Tenth mode]
(See computer from the third point of view above)
It should be noted that the above ninth to tenth modes can be developed into second to eighth modes like the first mode.

It should be noted that each disclosure of the above patent documents is incorporated herein by reference. Within the framework of the full disclosure of the present invention (including the scope of claims), modifications and adjustments of the embodiments and examples are possible based on the basic technical concept thereof. Also, within the framework of the disclosure of the present invention, various combinations or selections (partial (including targeted deletion) is possible. That is, the present invention naturally includes various variations and modifications that can be made by those skilled in the art according to the entire disclosure including claims and technical ideas. In particular, any numerical range recited herein should be construed as specifically recited for any numerical value or subrange within that range, even if not otherwise stated.

1, 100, 100a, 9000 computer 11 abstract network generation function 12 event reception function 13 event queue 14 feature data generation function 15 prediction queue 16 anomaly detection function 101 abstract NW generation unit 102 NW data database (NW data DB)
103 event receiver 104 event queue
105 feature data generation unit 106 learning data storage unit 107 learning data DB
108 Prediction Queue
109 classifier generation unit 110 classifier storage unit 111 event anomaly detection unit 112 detection result display unit 113 classifier reception unit 301 to 303 terminal 304, 305 GW
306 switches
307 AD Primary
308 AD Backup
309 Web SV
401-403 area 9010 CPU
9020 Communication interface 9030 Memory 9040 Auxiliary storage device

Claims (8)

to the computer,
an abstract network generation function that abstracts a network to be monitored using predetermined rules;
an event reception function that stores event information received from outside the system in an event queue;
a feature data generation function for extracting event information from the event queue and generating feature data representing the behavior of the device on the abstracted network;
an anomaly detection function of extracting feature data waiting for prediction from the prediction queue storing the feature data and detecting an anomaly using a predetermined classifier;
A computer program for realizing
The feature data generation function represents a service operating on the network to be monitored as a node based on the meta information included in the event information. generate the data,
The abstract network generation function is
generating an abstract network diagram in which a plurality of areas corresponding to the types of devices in which the service is running are set, centering on a specific device;
A computer program, wherein the feature data generation function creates feature data corresponding to an abstract network diagram in which the nodes are arranged in an area corresponding to the type of device in which the service is running in the abstract network diagram. 2. The computer program according to claim 1, further comprising, when teacher data is added to said event information, causing said computer to implement a classifier generation function for generating a classifier based on said event information to which said teacher data is added. 3. The computer program according to claim 2 , wherein the classifier generation function generates a classifier at predetermined time intervals for each device. to the computer;
4. The computer program according to claim 2 or 3 , causing distribution of the generated classifier. 5. The computer program according to any one of claims 1 to 4 , wherein the anomaly detection function selects a classifier that matches meta information of event information from among a plurality of classifiers to detect an anomaly. 6. The computer program according to any one of claims 1 to 5 , wherein as said feature data, a feature data string connecting pixel values of respective pixels of a bitmap image representing the behavior of the device on said abstracted network diagram is used. the computer
an abstract network generation step of abstracting a network to be monitored using a predetermined rule;
an event reception step for storing event information received from outside the system in an event queue;
a feature data generating step of extracting event information from the event queue and generating feature data representing the behavior of the device on the abstracted network;
an anomaly detection step of extracting feature data waiting for prediction from the prediction queue storing the feature data and detecting an anomaly using a predetermined classifier;
An anomaly detection method comprising:
In the feature data generating step, based on the meta information included in the event information, the service operating on the network to be monitored is represented as a node, and the communication between the service and the device is represented by an arrow. generate the data,
In the abstract network generation step,
generating an abstract network diagram in which a plurality of areas corresponding to the types of devices in which the service is running are set, centering on a specific device;
The anomaly detection method, wherein, in the feature data generation step, feature data corresponding to an abstract network diagram in which the nodes are arranged in a region corresponding to a type of device in which the service is running in the abstract network diagram is generated. an abstract network generation unit that abstracts a network to be monitored using a predetermined rule;
an event receiver that stores event information received from outside the system in an event queue;
a feature data generation unit that extracts event information from the event queue and generates feature data representing behavior of the abstracted device on the network;
an anomaly detection unit that extracts feature data waiting for prediction from the prediction queue that stores the feature data and detects an anomaly using a predetermined classifier;
a computer comprising
The feature data generation unit expresses a service operating on the network to be monitored as a node based on the meta information included in the event information. generate the data,
The abstract network generation unit
generating an abstract network diagram in which a plurality of areas corresponding to the types of devices in which the service is running are set, centering on a specific device;
The computer, wherein the feature data generation unit creates feature data corresponding to an abstract network diagram in which the nodes are arranged in an area corresponding to a type of device in which the service is running in the abstract network diagram.

Images