WO2016194752A1 - Information analysis system and method - Google Patents
- Publication number
- WO2016194752A1 (application PCT/JP2016/065535)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- analysis
- node
- type
- relationship
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Z—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS, NOT OTHERWISE PROVIDED FOR
- G16Z99/00—Subject matter not provided for in other main groups of this subclass
Definitions
- The present invention relates to an information analysis system and an information analysis method for analyzing information.
- The abnormality referred to here means a physical failure of the system during operation, an application stopping because of an implementation defect, or a failure caused by an external attack aimed at the organization.
- Logs and reports take various forms depending on the information source, and each abnormality is triggered by different information, so there is a problem that similar past cases are difficult to find by simple search.
- Simple search here means a search in which the information is split in advance by specific keys, held per key, and analyzed by matching those keys.
- Patent Document 1 describes a technique for solving the problems described above.
- In that technique the information is held as a graph structure; an initial value assigned to the node that is the starting point of the search condition is propagated through the graph while decaying at a constant rate, and the set of nodes whose value finally exceeds a threshold is returned as the search result.
- Since Patent Document 1 clusters information while keeping the relationships between pieces of information as a graph structure, information that has some relationship with the search target can be used without the relationship having to be known before the search. Compared with existing search methods, this has the advantage that the information accumulated so far can be used effectively.
- However, when an important decision that can adversely affect the operation of the system has to be made, such as deciding on a countermeasure, the decision maker must take responsibility for a decision based on the search result.
- The information presented as the search result is important, but in addition the evidence for why each result is related to the search target is indispensable before the result can be adopted as information for the decision.
- The present invention has been made in view of these problems, with the goal of making the search result usable even for important decision making.
- The present application includes a plurality of means for solving the above-described problems.
- For example, it includes an information analysis system comprising: a receiving unit that receives input of information to be analyzed and an analysis type indicating the type of the analysis; a relationship information generation unit that, based on relationship analysis information indicating the relationship between one piece of information and another among a plurality of pieces of information included in an information source, generates structured information defining nodes that represent the pieces of information in a graph structure and edges that indicate the relationships between the nodes; a starting point information search unit that extracts from the structured information the information received by the receiving unit and outputs the extracted information as a starting point node; a classification/reachability analysis unit that clusters the graph structure represented by the structured information and extracts the subgraph that contains the starting point node; and a connectivity analysis unit that searches the subgraph for the extraction target nodes that, according to the analysis type, serve as end points for the starting point node, calculates the number of independent paths between the starting point node and each extraction target node, and outputs the extraction target node with the largest number of independent paths as the node most strongly related to the starting point node.
- The present invention can also be understood as an information analysis method performed by the information analysis system.
- According to the present invention, when information is analyzed, information having a strong relationship with the analysis query can be presented to the user together with its basis. The user can therefore decide whether or not to accept the analysis result, so the result can be used even in situations where important decisions involving risk are made.
- FIG. 1 is an example of a configuration diagram of an information analysis system to which the technology of the present application is applied.
- The information analysis system 1000 is a system to which the information analysis system and the information analysis method according to the present invention are applied.
- The information analysis system 1000 acquires various types of information from the information source 1100, analyzes the relationships among them, and holds the result as structured information 1051. It then analyzes the accumulated information according to analysis requests from the analysis requester 1200 and returns the result. Details of each process are described later.
- The information acquisition unit 1001 and the relationship information generation unit 1002 are both functions used in the structured information forming process shown in FIG. 8.
- The information acquisition unit 1001 acquires various types of information from the information source 1100 and passes them to the relationship information generation unit 1002.
- The information may be acquired through an API (Application Programming Interface).
- Whatever the method, the format of the acquired information must be one of the types specified in the input information type 4001 of the relationship analysis logic 1052 described later.
- The information acquisition unit 1001 also needs to include a UI (User Interface) for manual input.
- The UI may be a mechanism for entering information of any of the types defined in the input information type 4001 of the relationship analysis logic 1052, or a mechanism for directly editing the structured information 1051 described later.
- By accepting manual input as an information source 1100, the relationship between specific pieces of information that have already been entered can be edited explicitly, for example to record that "alert A mentioned earlier later turned out to be related to malware B".
- In this way, mechanically analyzed information and information that only human judgment can establish can be combined.
- The information source 1100 is not limited to any one of the above: a plurality of types of devices, web sites and so on may serve as information sources 1100, and a plurality of information acquisition units 1001 may be held, one for each.
- The relationship information generation unit 1002 extracts the information received from the information acquisition unit 1001 and the relationships between pieces of information using the relationship analysis logic 1052, and stores the extraction result in the structured information 1051. Details of the processing are described later.
- The six functions of the analysis reception/response interface 1003, the origin information search unit 1004, the branch importance determination unit 1005, the classification/reachability analysis unit 1006, the connectivity analysis unit 1007 and the output generation unit 1008 are all used in the structured information analysis process shown in FIG. 9, described later.
- The analysis reception/response interface 1003 receives the information to be analyzed and the analysis type from the analysis requester 1200, described later, and returns the result of the analysis process to the analysis requester 1200.
- The origin information search unit 1004 searches the structured information 1051 for the analysis target information received from the analysis requester 1200 via the analysis reception/response interface 1003 and returns the matching information as the origin information, that is, the starting point node. Details of the processing are described later.
- The branch importance determination unit 1005 weights each branch by comparing the analysis type entered by the analysis requester 1200 with the branch weight information 1054, as preprocessing for the classification/reachability analysis unit 1006.
- This step is not strictly necessary for the classification/reachability analysis unit 1006: when it is omitted, all branches are processed with a weight of 1 regardless of the analysis type.
- The classification/reachability analysis unit 1006 clusters the information structure taking the branch weights into account, and extracts the cluster that contains the origin information returned by the origin information search unit 1004 together with the extraction target information reachable from it.
- It further keeps, from the extracted clusters, only those that include at least one of the analysis types listed in the extraction target designation information 1053.
- The connectivity analysis unit 1007 is the most characteristic function of this embodiment: taking the result of the classification/reachability analysis unit 1006 as input, it calculates the number of independent paths from the origin information to each piece of extraction target information. Details are described later.
- The output generation unit 1008 generates the output finally returned to the analysis requester 1200 via the analysis reception/response interface 1003, using the result of the connectivity analysis unit 1007 and the output generation logic 1055. Details are described later.
- Structured information 1051 is information that is analyzed by the information analysis system 1000. Details of the information to be held will be described later with reference to FIG.
- the relationship analysis logic 1052 is information used by the relationship information generation unit 1002. Details of the information to be held will be described later with reference to FIG.
- the extraction target designation information 1053 is information used by the classification / reachability analysis unit 1006. Details of the information to be held will be described later with reference to FIG.
- Branch weight information 1054 is information used by the branch importance determination unit 1005. Details of the information to be held will be described later with reference to FIG. 5.
- the output generation logic 1055 is information used by the output generation unit 1008. Details of the information to be held will be described later with reference to FIG.
- The information source 1100 is the source from which the information handled by the system is acquired.
- It may be a network device, a server device or a security device, which passes logs and alerts to the information acquisition unit 1001 as information.
- It may also be information entered by an operator of the system; information entered manually through the input interface is delivered to the information acquisition unit 1001.
- The information source 1100 is not limited to any one of the above and may be a combination of several information sources.
- The analysis requester 1200 is a user of the information analysis system 1000, who enters the information to be analyzed and the desired analysis type via the analysis reception/response interface 1003 and receives the analysis result via the same interface.
- FIG. 2 is a diagram illustrating the hardware configuration of each component in FIG. 1.
- Each device 2000 includes a CPU 2001, a memory 2002, a communication device 2004 for communicating with other devices via the Internet or a LAN, an input device 2005 such as a keyboard and a mouse, an output device such as a monitor or a printer, a reading device 2007, and an external storage device 2003 such as a hard disk, connected via an interface 2008.
- A portable storage medium 2009 such as an IC card or a USB memory can be connected to the reading device 2007.
- The functions of the information analysis system 1000 are realized by loading a program implementing them into the memory 2002 and executing it on the CPU 2001.
- These programs may be stored in advance in the external storage device 2003 of the device 2000, or may be introduced into the external storage device when necessary, via the reading device 2007 or the communication device 2004, from a medium that the device 2000 can use.
- A medium that the device 2000 can use means, for example, a storage medium 2009 that can be attached to and detached from the reading device 2007, a network 2010 that can be connected to the communication device 2004, or a carrier wave or digital signal propagating through the network 2010.
- The program may be stored once in the external storage device 2003 and then loaded into the memory 2002 and executed by the CPU 2001, or it may be loaded directly into the memory 2002 and executed by the CPU 2001 without being stored in the external storage device 2003.
- FIG. 3 is a diagram showing an example of structured information 1051 held by the information analysis system 1000.
- The structured information 1051 is broadly divided into two kinds of information that the system needs to hold: accumulated information 3000 and relationship information 3100.
- The accumulated information 3000 is the information stored in the system itself. In this embodiment, as shown in the figure, it holds three fields: an id 3001, a type 3002 and a content 3003.
- The id 3001 is an identifier that uniquely identifies each piece of information. It is not essential, but holding it makes the processing simpler to describe.
- The type 3002 identifies the category to which the information of a node belongs.
- Used in combination with the extraction target designation information 1053, the branch weight information 1054 and the output generation logic 1055, it improves the accuracy of the analysis and allows additional information to be attached to the output. Details are described later.
- A piece of information may hold only one type, or it may hold several types at once; in the latter case the condition "when the types match" in the processing described later is read as "when any of the types matches", and the processing works without change.
- The types that can be specified as the type 3002 are not limited to those illustrated; any type may be specified when information is entered, so a type that has never appeared before can be added without any other processing. However, to maintain the accuracy of the analysis processing of this embodiment, the same type name must be used for information of the same kind: for example, if the content represents an employee's name, all such entries should carry at least one common type such as "employee".
- The content 3003 holds the entity that is the content of the information.
- In this embodiment the content is expressed as arbitrary key-value pairs, but the present invention is not limited to the key-value form.
- The first row indicates that the information "file name: hoge.exe" is registered with id 0001 and type file; the other rows are read in the same way.
- The relationship information 3100 holds the relationships between the pieces of accumulated information 3000.
- It has the fields id 3101, from-id 3102, to-id 3103 and type 3104.
- The id 3101 uniquely identifies each relationship, that is, each edge indicating a path between nodes. Like the id 3001 it is not indispensable, but holding it makes the processing simpler to describe.
- The from-id 3102, to-id 3103 and type 3104 express which piece of accumulated information 3000 an edge relates to which other piece.
- The from-id 3102 is the id of the node at the starting point of the edge.
- The to-id 3103 is the id of the node at the end point of the edge.
- The type 3104 identifies the category of the relationship represented by the edge.
- For example, the row with id "r0001" means that the information with id "0006", the malware (mw) with hash value "abcde1234", generates the information with id "0001", the file named "hoge.exe". The other rows are read in the same way.
- Here the relationship is given a direction by the from-id 3102 and the to-id 3103, but the direction need not be used and the relationship may be held as undirected.
- FIG. 4 is a diagram showing an example of the relationship analysis logic 1052 held by the information analysis system 1000.
- The relationship analysis logic 1052 holds, in advance, definitions of the logic for mechanically analyzing information acquired from the information source 1100 and storing it in the structured information 1051.
- It consists of an input information type 4001, which defines the type of information acquired from the information source 1100, and the corresponding analysis logic 4002.
- For example, the first row means that the web pages acquired from the web site "hoge.security.com" are processed with the XPath expression described in that row to extract the accumulated information 3000 and its relationship information 3100.
- FIG. 5 is a diagram showing an example of the branch weight information 1054 held by the information analysis system 1000.
- The branch weight information 1054 prescribes the importance of relationships, that is, which types of information and which types of relationship are important and which are to be disregarded, according to the analysis type specified by the analysis requester 1200.
- It holds an analysis type 5001, a category 5002, a node-or-edge indicator 5003 and a weight 5004.
- The analysis type 5001 is one of the analysis types that the analysis requester 1200 can request from the system.
- The category 5002 is a value of the type 3002 of the accumulated information 3000 (a node type), a value of the type 3104 of the relationship information 3100 (an edge type), or "(other)", which stands for any remaining relationship.
- The node-or-edge indicator 5003 holds "node" when the category 5002 is a value of the type 3002 and "edge" when it is a value of the type 3104; when the category 5002 is "(other)", both nodes and edges are covered and the field holds "-".
- The weight 5004 indicates how much importance is given to the relationship: 1 means most important, and 0 means that the relationship is treated as non-existent in the analysis.
- In the example, relationships of type "communication" are given weight 1, while all relationships originating from nodes of type "analyst" are given weight 0.1, meaning that they barely enter into the analysis.
- FIG. 6 is a diagram showing an example of the extraction target designation information 1053 held by the information analysis system 1000.
- The extraction target designation information 1053 defines in advance the categories of information to be output as the result of an analysis.
- It holds an analysis type 6001 and an extraction target category 6002.
- The example means that for an analysis of the "cause" type, information of the "malware" category or the "vulnerability" category is output as the final result.
- FIG. 7 is a diagram showing an example of the output generation logic 1055 held by the information analysis system 1000.
- The output generation logic 1055 defines what information is displayed when the analysis result is finally presented to the analysis requester.
- It holds an information type 7001, an additional information content 7002 to be displayed together with information of that type, and a documenting logic 7003 that turns the reason why information of that type was extracted as an analysis result into a sentence.
- For example, for information of the "measure" type, a download link for the measure information is displayed together with the result, and the documenting logic may be the standard process.
- The standard documenting logic connects the elements of an edge in subject, object, predicate order, as in "<from-id 3102 information> <to-id 3103 information> <type 3104>" (in English word order: "<from-id 3102 information> <type 3104> <to-id 3103 information>").
- An exceptional documenting method may also be specified as the documenting logic, as for the "employee" type shown in the example.
- There, when the relationship type is "communication history" or "retained", the word "terminal" is appended after the <from-id 3102 information>.
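The documenting logic of FIG. 7, as an added example that is not the patent's own code: each branch of a path becomes one sentence built from the from-id, the type and the to-id, an edge that the path traverses against its stored direction is turned round so that the from-id stays the subject, and the exceptional rule for "employee" nodes is applied. The node contents, the relationship types and the English subject-predicate-object word order are assumptions made for the example.

```python
"""Added example, not the patent's own code: the documenting logic 7003 of
FIG. 7 applied to one independent path. Sentences are rendered in
subject-predicate-object order (the original orders them subject, object,
predicate), and 'employee' nodes receive the exceptional rule described in
the text. Node contents and relationships are constructed sample data."""

NODES = {  # id -> (type 3002, content 3003)
    "0007": ("mw", {"hash": "0007deadbeef"}),
    "0012": ("communication destination", {"domain": "example.com"}),
    "0020": ("employee", {"name": "employee X"}),
}
EDGE_TYPE = {  # (from-id 3102, to-id 3103) -> type 3104
    ("0007", "0012"): "communication",
    ("0020", "0012"): "communication history",
    ("0020", "0007"): "retained",
}
# Documenting logic 7003: the standard template, plus exceptional rules keyed
# by information type 7001 as (relationship types, text appended to the subject)
STANDARD = "{subject} {predicate} {object}"
EXCEPTIONS = {"employee": ({"communication history", "retained"}, "'s terminal")}


def label(nid):
    """Display form of a node, e.g. 'MW 0007' or 'employee X'."""
    ntype, content = NODES[nid]
    return "MW " + nid if ntype == "mw" else " ".join(map(str, content.values()))


def document_branch(u, v):
    """One sentence for the branch between u and v, read in its stored
    direction so that the from-id is always the subject."""
    a, b = (u, v) if (u, v) in EDGE_TYPE else (v, u)
    etype, subject = EDGE_TYPE[(a, b)], label(a)
    rule = EXCEPTIONS.get(NODES[a][0])
    if rule and etype in rule[0]:
        subject += rule[1]
    return STANDARD.format(subject=subject, predicate=etype, object=label(b))


def document_path(path):
    """The basis for one independent path, one sentence per branch."""
    return [document_branch(u, v) for u, v in zip(path, path[1:])]


if __name__ == "__main__":
    for line in document_path(["0012", "0020", "0007"]):
        print(line)
```

Run stand-alone, the script documents the path from the communication destination through the employee's terminal to MW 0007; the first branch is stored as 0020 to 0012 but is traversed from 0012, and the sentence still names the employee as the subject.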
- The basic processing flow of the analysis system is illustrated with reference to FIGS. 8 and 9, and how the structured information is processed is described with reference to FIGS. 10 to 13.
- FIG. 8 is an example of a flow showing processing for forming the structured information shown in FIG.
- In process 8001, the information acquisition unit 1001 acquires information from the information source 1100 and records which type of information it has acquired.
- The information type is one of those defined in the input information type 4001 of the relationship analysis logic 1052.
- Alternatively, the structured information 1051 may be edited directly, as described for FIG. 1, without proceeding to the subsequent processing.
- In process 8002, the relationship information generation unit 1002 analyzes the information acquired in process 8001 according to the analysis logic 4002 of the relationship analysis logic 1052.
- The relationship information generation unit 1002 then stores the analysis result of process 8002 as accumulated information 3000 and relationship information 3100.
- FIG. 10 shows an example of structured information 1051 formed in this way expressed as a graph structure.
- Nodes 10001 and 10003 represent the information with id "0001" and the information with id "0006" in the example of the accumulated information 3000, and the edge 10002 between the two nodes represents the relationship with id "r0001" in the first row of the example of the relationship information 3100.
- A gray region surrounded by a broken line, such as 10004, indicates that similar graph structures continue.
- FIG. 9 shows an example of a process flow for analyzing information according to the analysis conditions and analysis type received from the analysis requester 1200 using the structured information 1051 formed by the process shown in FIG.
- In process 9001, the information analysis system 1000 receives the information to be analyzed and the analysis type from the analysis requester 1200 via the analysis reception/response interface 1003.
- The information to be analyzed is specifically a character string, for example a host name or IP address mentioned in an alert raised by some security device, or the hash value of a suspicious file.
- The analysis type specifies what the analysis requester 1200 wants to know and must match one of the analysis types 5001 of the branch weight information 1054.
- In process 9002, the origin information search unit 1004 searches the accumulated information 3000 for entries whose content matches the character string received in process 9001 and returns them as the origin information.
- Matching here means an exact or partial match of the character strings; if there are multiple matches, all of them are returned.
- An example in which the analysis target matches one of the communication destinations is shown as the double-line node 11002 in FIG. 11.
- In process 9003, the branch importance determination unit 1005 compares the analysis type acquired in process 9001 with the branch weight information 1054 and sets the importance of each branch.
- In process 9004, the classification/reachability analysis unit 1006 clusters the graph taking into account the branch weights set in process 9003.
- Many methods for clustering graph information are known; one of the most suitable in this embodiment is community classification.
- Community classification expresses the graph structure as a matrix called the graph Laplacian (or Laplacian matrix), finds its smallest non-zero eigenvalues (those close to zero) and the corresponding eigenvectors, and pulls these eigenvectors back onto the node set through the inverse of the mapping from the graph to the Laplacian, thereby dividing the graph into several subgraphs.
- It is known that the resulting subgraphs are cut so that heavily weighted branches are preferentially kept inside a subgraph, so regions in which such branches are dense remain together.
- The classification/reachability analysis unit 1006 then extracts, from the subgraphs of the classification result, the subgraph that contains the origin information node and returns it as the processing result.
- In this embodiment the dividing lines of the whole graph resulting from the community classification are shown as double lines such as 11003 in FIG. 11; the result of this processing is the partial graph that contains the origin information 11002, that is, the graph shown in FIG. 12.
- If there are several pieces of origin information, a partial graph is returned for each.
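An added example of the community classification described above, not code from the patent: it builds the graph Laplacian from the weighted branches, computes the eigenvector of the smallest non-zero eigenvalue (the Fiedler vector) with a power iteration that needs no NumPy, and splits the graph into two subgraphs by the sign of that vector, returning the one that contains the origin. The node ids, branches and weights are constructed; the 0.1 weight on the only branch between the two groups is an assumption chosen to mirror the effect of the branch weight information.

```python
"""Added example, not the patent's own code: the community classification of
process 9004 by the spectral method the text describes. The graph Laplacian
L = D - W is built from the weighted branches, the eigenvector of its smallest
non-zero eigenvalue (the Fiedler vector) is computed, and the nodes are split
into two subgraphs by its sign. Assumptions: a power iteration on c*I - L
with the constant eigenvector projected out stands in for a numerical
eigensolver so the example runs without NumPy; node ids and weights are
constructed sample data in which the bridging branch carries weight 0.1."""
import math

SAMPLE_NODES = ["0012", "0007", "0020", "0030", "0031", "0032"]
SAMPLE_BRANCHES = [  # (node, node, weight 5004 as set in process 9003)
    ("0012", "0007", 1.0), ("0007", "0020", 1.0), ("0020", "0012", 1.0),
    ("0030", "0031", 1.0), ("0031", "0032", 1.0), ("0032", "0030", 1.0),
    ("0012", "0030", 0.1),  # the only link between the two groups
]


def laplacian(nodes, branches):
    """Graph Laplacian L = D - W as a dense matrix in the order of `nodes`."""
    idx = {n: i for i, n in enumerate(nodes)}
    L = [[0.0] * len(nodes) for _ in nodes]
    for u, v, w in branches:
        i, j = idx[u], idx[v]
        L[i][j] -= w
        L[j][i] -= w
        L[i][i] += w
        L[j][j] += w
    return L


def fiedler_vector(L, iterations=500):
    """Eigenvector for the second-smallest eigenvalue of L: power iteration on
    c*I - L (c above the largest eigenvalue of L, so the order is reversed),
    removing the all-ones component that belongs to eigenvalue 0."""
    n = len(L)
    c = 2.0 * max(L[i][i] for i in range(n))  # Gershgorin bound on max eigenvalue
    x = [math.sin(i + 1.0) for i in range(n)]  # deterministic start vector
    for _ in range(iterations):
        mean = sum(x) / n
        x = [xi - mean for xi in x]
        y = [c * x[i] - sum(L[i][j] * x[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(v * v for v in y)) or 1.0
        x = [v / norm for v in y]
    return x


def community_classification(nodes, branches):
    """Split the graph into two subgraphs by the sign of the Fiedler vector."""
    x = fiedler_vector(laplacian(nodes, branches))
    return ({n for n, v in zip(nodes, x) if v >= 0},
            {n for n, v in zip(nodes, x) if v < 0})


def subgraph_containing(origin, nodes, branches):
    """Result of process 9004: the community that contains the origin node."""
    return next(c for c in community_classification(nodes, branches) if origin in c)


if __name__ == "__main__":
    print(community_classification(SAMPLE_NODES, SAMPLE_BRANCHES))
```

Because the Fiedler vector changes sign across the weakest cut, the two triangles end up in different subgraphs and the partial graph returned for origin "0012" is the triangle that contains it; raising the weight of the bridging branch, or lowering the weights inside a triangle, moves the cut accordingly. For a split into more than two subgraphs the same procedure is applied to each part, or several eigenvectors are used at once.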
- In process 9005, the connectivity analysis unit 1007 refers to the extraction target designation information 1053 for each partial graph resulting from process 9004 (there may be several) and searches it for all accumulated information 3000 (that is, nodes) whose type matches the extraction target category 6002 in the row whose analysis type 6001 matches the analysis type acquired in process 9001. This yields the extraction target information that serves as end points with respect to the origin information. Only extraction target information belonging to the category corresponding to the analysis type entered in process 9001 is searched for and finally output by the output generation unit 1008. In this embodiment the two mw-type nodes painted gray, indicated by 12001 in FIG. 12, are an example of the result.
- This embodiment is characterized by analyzing the basis of such information, specifically by the following processing.
- The connectivity analysis unit 1007 calculates, for each piece of extraction target information (the gray nodes in FIG. 12), how many independent paths exist over the edges from the origin information (the double-line node in FIG. 12).
- The number of independent paths can be understood as the number of mutually independent pieces of surrounding information that point to the target information as related information, in other words the number of pieces of circumstantial evidence.
- Process 9005 therefore calculates the number of independent paths from the origin information to each piece of extraction target information, treats the target information nodes with more independent paths as better-grounded information, and returns each independent path as circumstantial evidence.
- When two pieces of extraction target information are compared, the one with more independent paths is returned as the better-grounded information, and it may be judged to have the stronger circumstantial evidence.
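The origin search, branch weighting and independent-path counting of processes 9002, 9003 and 9005, as an added example that is not part of the patent: independent paths are counted as vertex-disjoint paths with a unit-capacity max-flow (Menger's theorem), and each path is returned as a piece of circumstantial evidence. The sample nodes, edges and weight table are constructed, edges are treated as undirected as the description of FIG. 3 allows, and the clustering of process 9004 is left out so that the whole weighted graph is analysed.

```python
"""Added example, not the patent's own code: processes 9002, 9003 and 9005 on
a small model of the structured information of FIG. 3. Assumptions: the
clustering of process 9004 is skipped, so the whole weighted graph stands in
for the partial graph; edges are treated as undirected; "independent paths"
are vertex-disjoint paths, counted by a unit-capacity max-flow (Menger's
theorem); all ids, types, contents and weights are constructed sample data."""
from collections import defaultdict, deque

NODES = {  # accumulated information 3000: id -> (type, content key-values)
    "0001": ("file", {"file name": "hoge.exe"}),
    "0006": ("mw", {"hash": "abcde1234"}),
    "0007": ("mw", {"hash": "0007deadbeef"}),
    "0012": ("communication destination", {"domain": "example.com"}),
    "0020": ("employee", {"name": "employee X"}),
    "0030": ("analyst", {"name": "analyst A"}),
}
EDGES = [  # relationship information 3100: (id, from-id, to-id, type)
    ("r0001", "0006", "0001", "generates"),
    ("r0002", "0001", "0012", "communication"),
    ("r0003", "0007", "0012", "communication"),
    ("r0004", "0020", "0012", "communication history"),
    ("r0005", "0020", "0007", "retained"),
    ("r0006", "0030", "0007", "reported"),
    ("r0007", "0030", "0012", "reported"),
]
BRANCH_WEIGHTS = {("cause", "communication", "edge"): 1.0,  # FIG. 5 rows; any
                  ("cause", "analyst", "node"): 0.1}        # other row is "(other)"
DEFAULT_WEIGHT = 1.0                                        # weight of "(other)"
EXTRACTION_TARGETS = {"cause": {"mw", "vulnerability"}}     # FIG. 6

def find_origins(query):
    """Process 9002: nodes whose content partially matches the query string."""
    return [n for n, (_, c) in NODES.items() if any(query in str(v) for v in c.values())]

def weighted_adjacency(analysis_type):
    """Process 9003: undirected adjacency; a branch whose weight is 0 is dropped."""
    adj = defaultdict(set)
    for _, a, b, etype in EDGES:
        w = BRANCH_WEIGHTS.get((analysis_type, etype, "edge"), DEFAULT_WEIGHT)
        for n in (a, b):  # a node weight applies to every branch touching the node
            w = min(w, BRANCH_WEIGHTS.get((analysis_type, NODES[n][0], "node"), DEFAULT_WEIGHT))
        if w > 0:
            adj[a].add(b)
            adj[b].add(a)
    return adj

def independent_paths(adj, src, dst):
    """Process 9005: count and list the vertex-disjoint paths from src to dst."""
    cap, orig = defaultdict(lambda: defaultdict(int)), set()
    def arc(u, v, c):
        cap[u][v] += c
        orig.add((u, v))
    for v in adj:  # split every node so that at most one path passes through it
        arc((v, "in"), (v, "out"), float("inf") if v in (src, dst) else 1)
    for u in adj:
        for v in adj[u]:
            arc((u, "out"), (v, "in"), 1)
    s, t, count = (src, "out"), (dst, "in"), 0
    while True:  # Edmonds-Karp; each augmentation adds exactly one path
        parent, q = {s: None}, deque([s])
        while q and t not in parent:
            u = q.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if t not in parent:
            break
        v = t
        while parent[v] is not None:  # push one unit along the path found
            cap[parent[v]][v] -= 1
            cap[v][parent[v]] += 1
            v = parent[v]
        count += 1
    nxt = defaultdict(list)  # flow on an original arc equals its reverse residual
    for a, b in orig:
        if a[1] == "out" and cap[b][a] > 0:
            nxt[a[0]].append(b[0])
    paths = []
    for _ in range(count):  # walk the flow from src to dst once per path
        node, path = src, [src]
        while node != dst:
            node = nxt[node].pop()
            path.append(node)
        paths.append(path)
    return count, paths

def analyze(query, analysis_type):
    """Extraction targets of the requested categories, ranked by the number of
    independent paths from each origin node, with the paths as the evidence."""
    adj, results = weighted_adjacency(analysis_type), []
    for origin in find_origins(query):
        for target, (ntype, _) in NODES.items():
            if ntype in EXTRACTION_TARGETS[analysis_type] and target != origin:
                n, paths = independent_paths(adj, origin, target)
                if n:
                    results.append((n, origin, target, paths))
    return sorted(results, key=lambda r: -r[0])  # strongest evidence first

if __name__ == "__main__":
    for n, origin, target, paths in analyze("example.com", "cause"):
        print(target, n, paths)
```

For the query "example.com" with analysis type "cause", the sample returns MW 0007 first, with three independent paths (direct communication, via the employee's terminal and via the analyst's report), and MW 0006 second, with one path through hoge.exe. Setting the weight of the "analyst" node type to 0 removes the analyst path and MW 0007 drops to two pieces of circumstantial evidence, which is the effect the branch weight information is meant to have.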
- Finally, the output generation unit 1008 refers to the output generation logic 1055 and generates the additional information specified by the additional information content 7002 according to the information type 7001 of each piece of information returned as a response. Using the documenting logic 7003, which documents the basis of the extraction from the graph structure, it can also put the basis into words and notify the analysis requester 1200.
- Reference numeral 14001 in FIG. 14 denotes the analysis target entered by the analysis requester 1200.
- FIG. 14 illustrates the case in which the character string "example.com" found in the file "hoge.exe" is the analysis target.
- Reference numeral 14002 denotes the analysis type entered by the analysis requester 1200.
- FIG. 14 shows "Cause" entered as the analysis type.
- 14003 is the total number of pieces of extraction target information returned as analysis results by process 9005.
- FIG. 14 shows that two analysis results (13-c and 13-d in FIG. 13) were obtained.
- 14004 designates the order in which the analysis results are displayed. In this embodiment more independent paths means more important, so it is desirable to display the extraction target information with more independent paths first, but the order can be changed, for example to the time series in which the information was registered.
- FIG. 14 shows the analysis results displayed in descending order, that is, the order of the amount of circumstantial evidence.
- 14005 indicates that the information displayed below it concerns MW 0007.
- 14006 illustrates an independent path between the communication destination 0012, which is the origin information, and MW 0007, which is the extraction target information. From this the analysis requester 1200 can understand on the basis of which relationships the information was extracted. By selecting a piece of information in 14006, additional operations are possible, such as dynamically generating and displaying further information according to the information type.
- 14007 states the reason why the information was extracted: why the origin information was selected and why this piece of extraction target information has the strongest basis.
- The specific grounds can be explained directly by writing out the graph structure, as in 14008 and 14009.
- For example, it is shown that MW 0007 communicates with the communication destination 0012.
- 14010 is information presented in addition to the extraction target information; information that is usually needed, such as whether an MW-type item can be detected by anti-virus software, can be presented together with the result. 14011 is a pager for switching between the displayed analysis results.
- Reference numerals:
  - Information analysis system
  - 1001 Information acquisition unit
  - 1002 Relation information generation unit
  - 1003 Analysis reception/response interface
  - 1004 Origin information search unit
  - 1005 Branch importance level determination unit
  - 1006 Classification/reachability analysis unit
  - 1007 Connectivity analysis unit
  - 1008 Output generation unit
  - 1051 Structured information
  - 1052 Relation analysis logic
  - 1053 Extraction target designation information
  - 1054 Branch weight information
  - 1055 Output generation logic
  - 1100 Information source
  - 1200 Analysis requester
  - 2000 Hardware component of each component
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present invention makes it possible to use an analysis result as a factor to be taken into account even in important decisions, by presenting to a user the information most strongly related to a search query together with the associated evidence. The information analysis system comprises: a reception unit that receives input of the information to be analyzed and an analysis type indicating the type of that information; a relation information generation unit that, on the basis of relation analysis information indicating a relationship between one item of information and another among the plurality of items contained in an information source, generates structured information in which nodes representing each item of information are defined in a graph structure together with edges indicating the relationships between the nodes; an origin information search unit that extracts, from the structured information, the information containing the analysis type received by the reception unit and outputs it as the starting-point node; a classification/reachability analysis unit that groups the graph structure expressed by the extracted information and extracts the partial graph structure containing the starting-point node; and a connectivity analysis unit that searches the partial graph structure for the nodes to be extracted, each of which is an end point for the starting-point node corresponding to the analysis type, computes the number of independent paths between the starting-point node and each node to be extracted, and outputs the node to be extracted with the greatest number of independent paths as the node most strongly related to the starting-point node.
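The following is a worked example added for this page; it is not code from the patent or its applicant. It implements the ranking that the abstract above and the description of FIG. 14 lay out: build a graph from relation records, restrict it to the connected partial graph that contains the starting-point node, find the candidate nodes whose type corresponds to the analysis type, count the independent paths from the starting point to each candidate, and return the candidates in descending order together with the paths that serve as the written-out basis. The patent does not define "independent"; this example takes it as internally vertex-disjoint paths (Menger's theorem, computed as a unit-capacity maximum flow on a split graph), which is an assumption. The relation records, node types and the mapping from "Cause" to MW-type targets are constructed for illustration; the names dst0012 and MW0007 echo the labels in FIG. 14, but the relations between them are invented.

```python
from collections import defaultdict, deque

# Constructed sample data (not taken from the patent). Node names echo the labels in
# FIG. 14 (communication destination 0012, MW0007); the relations are invented.
NODE_TYPES = {
    "hoge.exe": "File", "example.com": "Domain", "dst0012": "Destination",
    "MW0007": "MW", "MW0008": "MW", "host-A": "Host", "report-17": "Report",
    "other.exe": "File", "MW0099": "MW",  # an unrelated component, never reachable
}
RELATIONS = [  # (information A, information B, relationship)
    ("hoge.exe", "example.com", "contains string"),
    ("example.com", "dst0012", "resolves to"),
    ("MW0007", "dst0012", "communicates with"),
    ("MW0007", "host-A", "observed on"),
    ("host-A", "dst0012", "connected to"),
    ("report-17", "MW0007", "describes"),
    ("report-17", "example.com", "mentions"),
    ("MW0008", "host-A", "observed on"),
    ("other.exe", "MW0099", "detected as"),
]
# Assumed mapping from analysis type to the node type of the extraction targets.
TARGET_TYPE_FOR_ANALYSIS = {"Cause": "MW"}


def build_graph(relations):
    """Undirected graph: adj[u][v] is the relationship label between u and v."""
    adj = defaultdict(dict)
    for a, b, rel in relations:
        adj[a][b] = rel
        adj[b][a] = rel
    return adj


def component_of(adj, start):
    """The partial graph containing the starting-point node (BFS reachability)."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def vertex_disjoint_paths(adj, nodes, s, t):
    """Maximum set of internally vertex-disjoint s-t paths (Menger) via unit-capacity
    max flow: every intermediate node v is split into v_in -> v_out with capacity 1,
    so no node can carry more than one path."""
    orig = defaultdict(dict)
    for v in nodes:
        if v not in (s, t):
            orig[(v, "in")][(v, "out")] = 1
        for w in adj[v]:
            if w in nodes:
                orig[(v, "out")][(w, "in")] = 1
    cap = defaultdict(lambda: defaultdict(int))
    for u, edges in orig.items():
        for v, c in edges.items():
            cap[u][v] = c
    src, sink = (s, "out"), (t, "in")
    flow = 0
    while True:  # Edmonds-Karp: BFS for a shortest augmenting path in the residual graph
        parent, queue = {src: None}, deque([src])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break
        v = sink
        while parent[v] is not None:  # push one unit of flow along the path found
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1
    paths = []  # decompose the flow into the concrete paths shown as evidence
    for _ in range(flow):
        u, seq = src, [s]
        while u != sink:
            v = next(w for w, c in orig[u].items() if c - cap[u][w] > 0)
            cap[u][v] += 1  # consume this unit so the next path cannot reuse it
            if v[1] == "in":
                seq.append(v[0])
            u = v
        paths.append(seq)
    return paths


def analyze(relations, node_types, start, analysis_type):
    """Rank extraction-target nodes by their number of independent paths from start."""
    adj = build_graph(relations)
    nodes = component_of(adj, start)
    target_type = TARGET_TYPE_FOR_ANALYSIS[analysis_type]
    results = [(cand, vertex_disjoint_paths(adj, nodes, start, cand))
               for cand in sorted(nodes)
               if cand != start and node_types.get(cand) == target_type]
    results.sort(key=lambda r: -len(r[1]))  # more independent paths = stronger basis
    return results


def explain(adj, path):
    """Write out one path as the chain of relationships that justifies the extraction."""
    return " / ".join(f"{a} --[{adj[a][b]}]--> {b}" for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    graph = build_graph(RELATIONS)
    for target, paths in analyze(RELATIONS, NODE_TYPES, "dst0012", "Cause"):
        print(f"{target}: {len(paths)} independent path(s)")
        for p in paths:
            print("   ", explain(graph, p))
```

With the constructed data, MW0007 is ranked first with three independent paths from dst0012 (the direct communication, the route through host-A, and the route through example.com and report-17), while MW0008 gets only one: every route to it passes through host-A, so a single cut vertex caps the count no matter how many routes run through it. That is the property the patent's ordering relies on: the measure rewards corroboration from distinct relationships rather than the sheer volume of connections, and the decomposed paths are exactly the material the 14006/14008 display writes out as the basis.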
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2015114777A JP6523799B2 (ja) | 2015-06-05 | 2015-06-05 | Information analysis system and information analysis method |
| JP2015-114777 | 2015-06-05 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2016194752A1 true WO2016194752A1 (fr) | 2016-12-08 |
Family
ID=57440511
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2016/065535 Ceased WO2016194752A1 (fr) | 2015-06-05 | 2016-05-26 | Système et procédé d'analyse d'informations |
Country Status (2)
| Country | Link |
|---|---|
| JP (1) | JP6523799B2 (fr) |
| WO (1) | WO2016194752A1 (fr) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6956043B2 (ja) * | 2018-05-18 | 2021-10-27 | Yahoo Japan Corporation | Arithmetic device and search method |
| JP7113661B2 (ja) * | 2018-05-18 | 2022-08-05 | Yahoo Japan Corporation | Information processing device, information processing method, and information processing program |
| JP2020140452A (ja) * | 2019-02-28 | 2020-09-03 | Fujitsu Limited | Node information estimation method, node information estimation program, and information processing device |
| JP2020187419A (ja) | 2019-05-10 | 2020-11-19 | Fujitsu Limited | Entity linking method, information processing device, and entity linking program |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2008203964A (ja) * | 2007-02-16 | 2008-09-04 | NEC Corp | Causal relationship analysis device, causal relationship analysis method, and program |
| JP2012242859A (ja) * | 2011-05-13 | 2012-12-10 | NHK (Nippon Hoso Kyokai) | Graph generation device and program |
Filing history
- 2015-06-05: JP application JP2015114777A filed, granted as JP6523799B2 (status: not active, Expired - Fee Related)
- 2016-05-26: PCT application PCT/JP2016/065535 filed, published as WO2016194752A1 (status: not active, Ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| JP6523799B2 (ja) | 2019-06-05 |
| JP2017004097A (ja) | 2017-01-05 |
Similar Documents
| Publication | Title |
|---|---|
| US9237161B2 (en) | Malware detection and identification |
| US20250371146A1 (en) | System and method for automated machine-learning, zero-day malware detection |
| US10972495B2 (en) | Methods and apparatus for detecting and identifying malware by mapping feature data into a semantic space |
| US11777970B1 (en) | Granular and prioritized visualization of anomalous log data |
| US20210021644A1 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis |
| AU2016204068B2 (en) | Data acceleration |
| US9489376B2 (en) | Identifying confidential data in a data item by comparing the data item to similar data items from alternative sources |
| US9621571B2 (en) | Apparatus and method for searching for similar malicious code based on malicious code feature information |
| US9436463B2 (en) | System and method for checking open source usage |
| EP3341884B1 (fr) | Systems, methods and devices for memory analysis and visualization |
| US20210092160A1 (en) | Data set creation with crowd-based reinforcement |
| CN114679329B (zh) | System for automatically grouping malware based on artifacts |
| US7802299B2 (en) | Binary function database system |
| JP6503141B2 (ja) | Access classification device, access classification method, and access classification program |
| US20150047034A1 (en) | Composite analysis of executable content across enterprise network |
| US20120311709A1 (en) | Automatic management system for group and mutant information of malicious codes |
| Kumar et al. | Machine learning based malware detection in cloud environment using clustering approach |
| US20160162507A1 (en) | Automated data duplicate identification |
| US10929531B1 (en) | Automated scoring of intra-sample sections for malware detection |
| US11005869B2 (en) | Method for analyzing cyber threat intelligence data and apparatus thereof |
| WO2016194752A1 (fr) | Information analysis system and information analysis method |
| US10516684B1 (en) | Recommending and prioritizing computer log anomalies |
| JP2019175334A (ja) | Information processing device, control method, and program |
| US20180115570A1 (en) | System and method for categorizing malware |
| Al Fahdi et al. | Towards an automated forensic examiner (AFE) based upon criminal profiling & artificial intelligence |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16803187; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16803187; Country of ref document: EP; Kind code of ref document: A1 |