JP6770454B2 - Anomaly detection system and anomaly detection method - Google Patents

Description

The present invention relates to an abnormality detection system and an abnormality detection method.

In recent years, a large number of IoT (Internet of Things) terminals infected with malware (hereinafter, also simply referred to as "terminals") have been targeted as a stepping stone for DDoS (Distributed Denial of Service attack) attacks. There is damage such as the inability to use the service.

In addition, the number of IoT terminals is said to reach 53 billion in 2020, and is expected to increase in the future (Non-Patent Document 1). For this reason, it is expected that the number of cases that will be used as a stepping stone for the above attacks will increase. Therefore, it is required to identify (detect) an IoT terminal infected with malware and prevent the above-mentioned attacks.

However, there are many IoT terminals whose performance (CPU (Central Processing Unit), memory, etc.) of the IoT terminal itself is low in order to keep the price down. Therefore, it may be difficult to provide the IoT terminal itself with a security function. Therefore, it is preferable that the IoT terminal infected with malware can be identified on the network side to which the IoT terminal is connected (for example, a network of an ISP (Internet Services Provider) or a telecommunications carrier).

Here, as a technique for identifying a terminal infected with malware on the network side, anomaly type detection is known (Non-Patent Document 2). In the anomaly type detection, by learning the normal behavior of each terminal, a detection model for use in abnormality detection (that is, detection of a terminal infected with malware infection) is created. Therefore, the anomaly type detection requires a calculation time depending on the number of terminals. In addition, the capacity of the storage area for storing the created detection model is also required according to the number of terminals.

Further, a technique for identifying a terminal infected with malware and a C & C (Command and Control) server by analyzing a DNS (Domain Name System) log is known (Non-Patent Document 3). In this technology, anomaly detection is performed by monitoring the behavior of a large number of DNS queries sent to the DNS cache server and learning the behavior peculiar to a terminal infected with malware or a malignant domain. In order to learn the behavior peculiar to a terminal infected with malware or a malicious domain from a DNS query, a calculation time corresponding to the number of queries is required. Further, when anomaly detection is performed every time a DNS query is transmitted, a detection method that can be calculated in a short time is required.

"2015 White Paper on Information and Communications", [online], Internet <URL: http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h27/html/nc254110.html> "Darktrace", [online], Internet <URL: http://www.darktrace.jp/> "Detection of abnormal terminals focusing on the number of queries in the DNS query log", Kenryu Watanabe, Minoru Ikebe, and Kazuyuki Yoshida. Multimedia, Distributed Cooperation and Mobile Symposium 2014 Proceedings 2014 (2014): 205-210.

Here, in identifying a malware-infected terminal using machine learning, a calculation time for creating a detection model and a capacity of a storage area are required according to the number of terminals to be detected. For example, when the number of terminals is N, the number of learning data is S, and SVM (Support Vector Machine) is used as the abnormality detection algorithm, the calculation time for creating the detection model is O (NSlogS), and the capacity of the storage area is. It is represented by O (NS).

However, as mentioned above, the number of IoT terminals is expected to increase in the future. In addition, a large amount of learning data is usually required to improve the detection accuracy of the machine learning algorithm.

For this reason, in identifying malware-infected terminals in a network to which a large number of IoT terminals are connected, such as networks of ISPs and telecommunications carriers, the calculation time for creating a detection model and the capacity of the storage area become enormous. In some cases, it was difficult to identify malware-infected terminals using machine learning algorithms.

The present invention has been made in view of the above points, and an object of the present invention is to support the identification of malware-infected terminals.

Therefore, in order to solve the above problem, in an abnormality detection system connected to a plurality of terminals, a clustering unit that classifies the plurality of terminals into one or more clusters and a cluster classified by the clustering unit are used. A feature amount of the cluster based on a detection model creation unit that creates a detection model for detecting that an abnormal terminal belongs to the cluster and traffic information of each terminal belonging to the cluster among the plurality of terminals. Based on the first feature amount generation unit that generates the cluster feature amount indicating the above, the detection model created by the detection model creation unit, and the cluster feature amount generated by the first feature amount generation unit. It also has an abnormality detection unit that detects that an abnormal terminal belongs to the cluster.

It can help identify malware-infected terminals.

It is a figure which shows an example of the whole structure of the system in embodiment of this invention. It is a figure which shows an example of the hardware configuration of a computer. It is a figure which shows an example of the functional structure of the learning apparatus in embodiment of this invention. It is a figure which shows an example of the functional structure of the abnormality detection apparatus in embodiment of this invention. It is a figure which shows an example of the functional structure of the storage device for abnormality detection in embodiment of this invention. It is a figure which shows an example of an address information table. It is a figure which shows an example of a cluster information table. It is a figure which shows an example of the learning information table. It is a figure which shows an example of the detection model information table. It is a figure which shows an example of a setting information table. It is a sequence diagram which shows an example of the clustering process in embodiment of this invention. It is a sequence diagram which shows an example of the creation process of the detection model in embodiment of this invention. It is a sequence diagram which shows an example of the abnormality detection processing in embodiment of this invention.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<Overall configuration>
First, an example of the overall configuration of the system according to the embodiment of the present invention will be described with reference to FIG. FIG. 1 is a diagram showing an example of the overall configuration of the system according to the embodiment of the present invention.

As shown in FIG. 1, the system according to the embodiment of the present invention has, for example, a system environment E which is a core network of an ISP, a telecommunications carrier, or the like, and a plurality of IoT terminals 70.

The IoT terminal 70 is, for example, various electronic devices or devices such as various sensors, surveillance cameras, various home appliances, and smart meters. Each IoT terminal 70 is connected to the system environment E, and each has different communication characteristics (for example, frequency of communication occurrence, number of types of destination (destination IP address (Internet Protocol)), packet size, etc.). ing.

The system environment E includes a transfer device 10, a traffic information collection device 20, an abnormality detection system 30, a DNS server 40, a DHCP (Dynamic Host Configuration Protocol) 50, and a security device 60.

The transfer device 10 is, for example, an edge router or the like, and has a function of relaying packets between the Internet and each IoT terminal 70. When relaying the packet of the IoT terminal 70, the transfer device 10 acquires traffic information such as the IP address of the IoT terminal 70. The traffic information acquired by the transfer device 10 is stored in the traffic information collecting device 20. Examples of the traffic information include packet header information, flow information, log information of the DNS server 40, list information of IP addresses held by the DHCP server 50, and the like.

The traffic information collecting device 20 is one or more computers that collect traffic information from the transfer device 10, the DNS server 40, the DHCP server 50, and the like, and store (store) the collected traffic information.

The DNS server 40 is one or more computers having a DNS function. The DHCP server 50 is one or more computers having a DHCP function.

The anomaly detection system 30 is a system composed of one or more computers for identifying an IoT terminal 70 infected with malware. The abnormality detection system 30 includes a learning device 31, an abnormality detection device 32, and an abnormality detection storage device 33.

The learning device 31 classifies these IoT terminals 70 into a plurality of clusters (that is, clusters the IoT terminals 70) based on a predetermined feature amount obtained from the traffic information of each IoT terminal 70. Then, the learning device 31 creates a detection model for detecting an abnormality on a cluster-by-cluster basis. To detect an abnormality on a cluster-by-cluster basis is to detect the existence of an IoT terminal 70 infected with malware among the IoT terminals 70 belonging to the cluster. The predetermined feature amount is information obtained from the traffic information of the IoT terminal 70, and examples thereof include information indicating the above-mentioned communication characteristics.

The anomaly detection device 32 detects anomalies in cluster units based on a predetermined feature amount in cluster units obtained from the traffic information of each IoT terminal 70 belonging to the cluster and a detection model created by the learning device 31. That is, the abnormality detection device 32 detects a cluster including the IoT terminal 70 infected with malware.

The abnormality detection storage device 33 manages various types of information. For example, the abnormality detection storage device 33 stores the detection model created by the learning device 31. Further, the abnormality detection storage device 33 stores various information used for abnormality detection by the abnormality detection device 32.

The security device 60 identifies the IoT terminal 70 infected with malware from the IoT terminals 70 belonging to the cluster detected as abnormal by the abnormality detection device 32. The security device 60 identifies an IoT terminal 70 infected with malware from each IoT terminal 70 belonging to the cluster by, for example, an IPS (Intrusion Prevention System), a sandbox, a DPI (Deep Packet Inspection), or the like. ..

The system configuration shown in FIG. 1 is an example and may be another configuration. For example, the system environment E may have a plurality of transfer devices 10, a plurality of traffic information collecting devices 20, a plurality of abnormality detection systems 30, and a plurality of security devices 60. Further, in the abnormality detection system 30, the learning device 31, the abnormality detection device 32, and the abnormality detection storage device 33 may be composed of one device (computer).

<Hardware configuration>
Next, the hardware configuration of the computer 100 that realizes the traffic information collecting device 20, the learning device 31, the abnormality detecting device 32, the abnormality detecting storage device 33, and the like will be described with reference to FIG. FIG. 2 is a diagram showing an example of the hardware configuration of the computer 100.

As shown in FIG. 2, the computer 100 includes an external I / F 101, a RAM (Random Access Memory) 102, a ROM (Read Only Memory) 103, a CPU 104, a communication I / F 105, and an auxiliary storage device 106. Have. Each of these hardware is connected so as to be able to communicate with each other via the bus B.

The external I / F 101 is an interface with an external device. The external device includes a recording medium 101a and the like. The computer 100 can read or write the recording medium 101a or the like via the external I / F 101.

The recording medium 101a includes, for example, a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), a USB (Universal Serial Bus) memory card, and the like.

The RAM 102 is a volatile semiconductor memory that temporarily holds programs and data. The ROM 103 is a non-volatile semiconductor memory capable of holding programs and data even when the power is turned off. The ROM 103 stores, for example, OS (Operating System) settings, network settings, and the like.

The CPU 104 is an arithmetic unit that reads programs and data from the ROM 103, the auxiliary storage device 106, and the like onto the RAM 102 and executes processing. The communication I / F 105 is an interface for connecting the computer 100 to the network.

The auxiliary storage device 106 is, for example, an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like, and is a non-volatile storage device that stores programs and data. The programs and data stored in the auxiliary storage device 106 include, for example, an OS, application software that realizes various functions on the OS, and a program that realizes various processes in the present embodiment.

In addition to the above hardware, the computer 100 may have, for example, a display device such as a display and an input device such as a keyboard or mouse.

By having the hardware configuration shown in FIG. 2, the computer 100 according to the present embodiment can realize various processes described later.

<Functional configuration>
Next, the functional configurations of the learning device 31, the abnormality detection device 32, and the abnormality detection storage device 33 included in the abnormality detection system 30 will be described.

≪Learning device 31≫
First, the functional configuration of the learning device 31 will be described with reference to FIG. FIG. 3 is a diagram showing an example of the functional configuration of the learning device 31 according to the embodiment of the present invention.

As shown in FIG. 3, the learning device 31 includes a communication unit 311, a feature amount generation unit 312, a clustering unit 313, and a detection model creation unit 314. Each of these functional units is realized by a process of causing the CPU to execute one or more programs installed in the learning device 31.

The communication unit 311 transmits and receives information to and from the traffic information collecting device 20, the abnormality detection storage device 33, and the like. For example, the communication unit 311 receives the traffic information of each IoT terminal 70 from the traffic information collecting device 20.

The feature amount generation unit 312 performs predetermined processing on the traffic information received by the communication unit 311 (for example, counting the number of times that a predetermined IP address is included) to perform machine learning and time series analysis. Generates the required feature amount in.

Here, at the stage of clustering the IoT terminals 70, the communication unit 311 receives the traffic information of all the IoT terminals 70 (or all the IoT terminals 70 to which packets are transferred by a certain transfer device 10). Therefore, in this case, the feature amount generation unit 312 generates the feature amount from the traffic information of all these IoT terminals 70.

On the other hand, at the stage of creating the detection model, the communication unit 311 receives the traffic information of each cluster (that is, the traffic information of the IoT terminal 70 belonging to the cluster). Therefore, in this case, the feature amount generation unit 312 generates the feature amount of the cluster for each cluster. Hereinafter, the feature amount of the cluster (that is, the feature amount of each cluster) is also referred to as the “cluster feature amount”.

The clustering unit 313 clusters each IoT terminal 70 based on the feature amount generated by the feature amount generation unit 312. The clustering unit 313 transmits cluster information indicating the result of clustering to the abnormality detection storage device 33.

The detection model creation unit 314 creates learning information for creating a detection model for each cluster based on the cluster feature amount generated by the feature amount generation unit 312, and transmits the learning information to the abnormality detection storage device 33. Then, the detection model creation unit 314 creates a detection model based on, for example, learning information created during a predetermined time.

Here, the detection model is represented by an abnormality detection algorithm and parameter values of parameters used in the abnormality detection algorithm. Therefore, when the anomaly detection algorithm is predetermined, creating a detection model means determining the parameter value of the parameter used in the anomaly detection algorithm.

<< Abnormality detection device 32 >>
Next, the functional configuration of the abnormality detection device 32 will be described with reference to FIG. FIG. 4 is a diagram showing an example of the functional configuration of the abnormality detection device 32 according to the embodiment of the present invention.

As shown in FIG. 4, the abnormality detection device 32 includes a communication unit 321, a feature amount generation unit 322, and an abnormality detection unit 323. Each of these functional units is realized by a process of causing the CPU to execute one or more programs installed in the abnormality detection device 32.

The communication unit 321 transmits / receives information to / from the traffic information collecting device 20, the abnormality detection storage device 33, and the like. For example, the communication unit 321 receives the traffic information of each cluster (that is, the traffic information of each IoT terminal 70 belonging to the cluster) from the traffic information collecting device 20.

The feature amount generation unit 322 generates a cluster feature amount from the traffic information received by the communication unit 321.

The abnormality detection unit 323 determines whether or not the cluster is abnormal based on the cluster feature amount generated by the feature amount generation unit 322 and the detection model received from the abnormality detection storage device 33. That is, the abnormality detection unit 323 detects a cluster including the IoT terminal 70 infected with malware. Hereinafter, the IoT terminal 70 infected with malware will be referred to as an “abnormal terminal 70”, and the cluster including the abnormal terminal 70 will be referred to as an “abnormal cluster”.

When an abnormal cluster is detected, the abnormality detection unit 323 transmits a cluster ID for identifying the abnormal cluster to the security device 60.

<< Storage device for abnormality detection 33 >>
Next, the functional configuration of the abnormality detection storage device 33 will be described with reference to FIG. FIG. 5 is a diagram showing an example of the functional configuration of the abnormality detection storage device 33 according to the embodiment of the present invention.

As shown in FIG. 5, the abnormality detection storage device 33 includes a communication unit 331 and an information management unit 332. Each of these functional units is realized by a process of causing the CPU to execute one or more programs installed in the abnormality detection storage device 33.

Further, the abnormality detection storage device 33 includes an address information table storage unit 333, a cluster information table storage unit 334, a learning information table storage unit 335, a detection model information table storage unit 336, and a setting information table storage unit 337. Have. Each of these storage units can be realized by using, for example, an auxiliary storage device.

The communication unit 331 transmits / receives information to / from the traffic information collecting device 20, the learning device 31, the abnormality detection device 32, the security device 60, and the like. For example, the communication unit 331 receives the learning information and the detection model information from the learning device 31. Further, for example, the communication unit 331 receives the cluster ID of the abnormal cluster from the abnormality detecting device 32.

The information management unit 332 reads information from the tables stored in the various storage units and stores the information in the tables stored in the various storage units.

The address information table storage unit 333 stores the address information table 333T. Here, the address information table 333T will be described with reference to FIG. FIG. 6 is a diagram showing an example of the address information table 333T.

As shown in FIG. 6, address information is stored in the address information table 333T. The address information is associated with the transfer device ID that identifies the transfer device 10 and the IP address of each IoT terminal 70 to which the packet is relayed by the transfer device 10. In other words, the address information is associated with a list of IP addresses of the IoT terminal 70 whose packets are relayed by the transfer device 10 of the transfer device ID for each transfer device ID. Such an IP address is assigned to each IoT terminal 70 by the DHCP server 50.

The cluster information table storage unit 334 stores the cluster information table 334T. Here, the cluster information table 334T will be described with reference to FIG. 7. FIG. 7 is a diagram showing an example of the cluster information table 334T.

As shown in FIG. 7, cluster information is stored in the cluster information table 334T. The cluster information is associated with the cluster ID that identifies the cluster and the IP address of the IoT terminal 70 that belongs to the cluster.

The learning information table storage unit 335 stores the learning information table 335T. Here, the learning information table 335T will be described with reference to FIG. FIG. 8 is a diagram showing an example of the learning information table 335T.

As shown in FIG. 8, the learning information table 335T stores the learning information. The learning information is associated with the cluster ID and the learning data. The training data is data (“normal” or “abnormal”) to which teacher data (“normal” or “abnormal”) is added to the cluster features (features 1, features 2, ..., Feature m) generated by the feature amount generation unit 312 (features 1, feature 2, ... In other words, the data is labeled "normal" or "abnormal").

However, when an algorithm other than supervised learning is used as the anomaly detection algorithm, supervised data is not required. The training data in this case may be a cluster feature quantity.

The detection model information table storage unit 336 stores the detection model information table 336T. Here, the detection model information table 336T will be described with reference to FIG. FIG. 9 is a diagram showing an example of the detection model information table 336T.

As shown in FIG. 9, the detection model information table 336T stores the detection model information. The detection model information is associated with the cluster ID and the parameter value of the detection model. The parameter value of the detection model is a parameter value of the parameter used in the abnormality detection algorithm set by the setting information described later. As described above, the detection model is represented by an abnormality detection algorithm and parameter values of parameters used in the abnormality detection algorithm.

The setting information table storage unit 337 stores the setting information table 337T. Here, the setting information table 337T will be described with reference to FIG. FIG. 10 is a diagram showing an example of the setting information table 337T.

As shown in FIG. 10, the setting information is stored in the setting information table 337T. The setting information includes the data acquisition interval, the update frequency of the detection model, and the type of abnormality detection algorithm. As the data acquisition interval, a time interval in which the traffic information collecting device 20 acquires traffic information from the transfer device 10 is set. For the update frequency of the detection model, the time interval for updating the parameter value of the detection model described above is set. The setting information in which this information is set is created in advance by, for example, the system administrator of the system environment E.

As the type of abnormality detection algorithm, various algorithms used for machine learning and time series analysis can be set. Examples of these algorithms include the k-nearest neighbor method, SVM (Support Vector Machine), and neural network.

<Details of processing>
Next, the details of the processing of the system according to the embodiment of the present invention will be described.

≪Clustering process≫
First, the process of classifying (clustering) each IoT terminal 70 into a plurality of clusters will be described with reference to FIG. FIG. 11 is a sequence diagram showing an example of clustering processing according to the embodiment of the present invention. The clustering process shown in FIG. 11 may be executed, for example, in response to an operation by a system administrator or the like in the system environment E, or may be executed at a predetermined time. Further, even when the clustering process shown in FIG. 11 is executed and each IoT terminal 70 is clustered, it may be executed again according to, for example, an increase or decrease of the IoT terminal 70.

First, the traffic information collecting device 20 transmits a traffic information request to the transfer device 10 (step S101). In response to the request, the transfer device 10 transmits the traffic information of each IoT terminal 70 to which the packet is transferred to the traffic information collecting device 20 (step S102).

When the traffic information collecting device 20 receives the traffic information from the transfer device 10, the traffic information collecting device 20 transmits the traffic information to the learning device 31 (step S103). The traffic information collecting device 20 may collect traffic information from the DNS server 40 or the DHCP server 50 and transmit it to the learning device 31.

The traffic information collecting device 20 collects traffic information from the transfer device 10 at intervals set in the “data acquisition interval” of the setting information for a predetermined time, and then learns the collected traffic information. It may be transmitted to 31.

When the feature amount generation unit 312 of the learning device 31 receives the traffic information by the communication unit 311, the feature amount generation unit 312 generates the feature amount of each IoT terminal 70 (step S104). The feature amount generation unit 312 may generate, for example, "frequency of communication occurrence" and "number of types of destinations" as feature amounts based on the traffic information of each IoT terminal 70.

The "frequency of communication occurrence" and the "number of destination types" can be generated based on the log information of the DNS server 40. Specifically, after extracting the log information including the IP address of the IoT terminal 70 connected to the transfer device 10 from the log information of the DNS server 40, the number of appearances of the IP address in the extracted log information is calculated. By counting, the "frequency of communication occurrence" can be obtained. Similarly, the "number of destination types" can be obtained by counting the number of destination IP address types in the extracted log information.

By using "frequency of communication occurrence" and "number of types of destinations" as feature quantities, for example, an abnormality due to an increase in communication frequency and an increase in the number of destinations (for example, communication to a C & C server) can be detected. Is possible.

The feature amount is not limited to the above-mentioned "frequency of communication occurrence" and "number of destination types". Any feature amount can be used as long as the feature amount can classify the IoT terminal 70 (IP address) into a cluster.

Next, the clustering unit 313 of the learning device 31 clusters each of the IoT terminals 70 based on the feature amount of each IoT terminal 70 generated by the feature amount generation unit 312 (step S105). The clustering unit 313 may cluster each IoT terminal 70 by using, for example, the K-Means method or the like. However, the algorithms and parameters used for clustering (for example, the definition of distance, etc.) are not limited to a specific algorithm or a specific parameter, and an arbitrary algorithm or an arbitrary parameter can be used.

When clustering is performed by the clustering unit 313, cluster information in which the cluster ID that identifies the cluster and the IP address of the IoT terminal 70 belonging to the cluster are associated with each other is created.

Next, the communication unit 311 of the learning device 31 transmits the cluster information created by the clustering unit 313 to the abnormality detection storage device 33 (step S106).

When the information management unit 332 of the abnormality detection storage device 33 receives the cluster information by the communication unit 331, the information management unit 332 stores the cluster information in the cluster information table 334T (step S107).

As described above, each of these IoT terminals 70 is clustered based on the feature amount of each IoT terminal 70. At this time, for example, by using the communication characteristics of each IoT terminal 70 as a feature amount, the IoT terminal 70 having the same communication characteristics (specifically, the IoT terminal 70 of the same manufacturer or the IoT terminal having parts of the same manufacturer). 70 etc.) are classified into the same cluster.

≪Process to create detection model≫
Next, the process of creating a detection model for each cluster will be described with reference to FIG. FIG. 12 is a sequence diagram showing an example of a detection model creation process according to the embodiment of the present invention. The detection model creation process shown in FIG. 12 is executed every time set in the "detection model update interval" included in the setting information.

First, the communication unit 331 of the abnormality detection storage device 33 transmits a request for traffic information in cluster units to the traffic information collecting device 20 (step S201). The abnormality detection storage device 33 can transmit a request for traffic information for each cluster by referring to the cluster information table 334T.

For example, the abnormality detection storage device 33 refers to the cluster information table 334T and sends a request including the IP address associated with the cluster ID “cluster A” to request traffic information for each cluster A. be able to. Similarly, for example, the abnormality detection storage device 33 refers to the cluster information table 334T and transmits a request including the IP address associated with the cluster ID “B” to request traffic information in cluster B units. It can be performed.

The communication unit 331 of the abnormality detection storage device 33 transmits a request for traffic information for each cluster to the traffic information collecting device 20 for each cluster.

Hereinafter, as an example, it is assumed that a request for traffic information of cluster A is transmitted.

Here, the request for traffic information in the subsequent steps S202 is executed every time set in the "data acquisition interval" of the setting information. Therefore, the subsequent processes of steps S202 to S208 are repeatedly executed at each time, for example, for a predetermined time. However, the present invention is not limited to this, and the processes of steps S202 to S208 may be executed, for example, in the process of step S208 described later, until a predetermined number of learning information is stored in the learning information table 335T. ..

When the traffic information collecting device 20 receives the traffic information request of the cluster A from the abnormality detection storage device 33, the traffic information collecting device 20 transmits the traffic information request of the IoT terminal 70 belonging to the cluster A to the transfer device 10 (step S202). The request includes the IP address of the IoT terminal 70 belonging to the cluster A.

In response to the request, the transfer device 10 transmits the traffic information of the IoT terminals 70 belonging to the cluster A to the traffic information collection device 20 among the IoT terminals 70 to which the packet is transferred (step S203).

When the traffic information collecting device 20 receives the traffic information of the IoT terminal 70 belonging to the cluster A from the transfer device 10, the traffic information collecting device 20 transmits the traffic information to the learning device 31 (step S204). The traffic information collecting device 20 may collect the traffic information of the IoT terminal 70 belonging to the cluster A from the DNS server 40 or the DHCP server 50 and transmit it to the learning device 31.

When the feature amount generation unit 312 of the learning device 31 receives the traffic information of the IoT terminal 70 belonging to the cluster A by the communication unit 311, the feature amount generation unit 312 of the learning device 31 generates the cluster feature amount of the cluster A (step S205). The feature amount generation unit 312 generates the feature amount of each IoT terminal 70 belonging to the cluster A, calculates the average value or the median value of these feature amounts, and sets the average value or the median value as the cluster feature amount. Just do it.

The feature amount generation unit 312 may generate a cluster feature amount using the same feature amount as in step S104 above, or may generate a cluster feature amount using a different feature amount. When generating the same feature amount as in step S104 above, it is preferable to set the feature amount that greatly fluctuates at the time of abnormality (that is, when the cluster includes the abnormal terminal 70) as the cluster feature amount.

Next, the feature amount generation unit 312 of the learning device 31 generates learning data by adding teacher data to the cluster feature amount (step S206). Whether the teacher data is "normal" or "abnormal" may be set by, for example, the system administrator of the system environment E, or may be set by a predetermined algorithm.

However, when an algorithm other than supervised learning is used as the anomaly detection algorithm (for example, when the k-nearest neighbor method is used), the teacher data is not required, and the feature amount generation unit 312 learns the cluster feature amount. It can be data.

When the learning data is generated, the feature amount generation unit 312 generates learning information in which the learning data is associated with the cluster ID of the cluster A.

Next, the communication unit 311 of the learning device 31 transmits the learning information to the abnormality detection storage device 33 (step S207).

When the information management unit 332 of the abnormality detection storage device 33 receives the learning information by the communication unit 331, the information management unit 332 stores the learning information in the learning information table 335T (step S208).

The communication unit 331 of the abnormality detection storage device 33 repeatedly executes the processes of steps S202 to S208 for a predetermined time, and then transmits the learning information for each cluster to the learning device 31 (step S209). That is, the communication unit 331 transmits the learning information of the cluster A acquired from the learning information table 335T by the information management unit 332 to the learning device 31.

The detection model creation unit 314 of the learning device 31 generates a parameter value of the detection model based on the learning information received from the abnormality detection storage device 33 (step S210). At this time, the detection model creation unit 314 generates the parameter value of the parameter used for the abnormality detection algorithm set in the "type of abnormality detection algorithm" of the setting information.

When the parameter value of the detection model is generated, the detection model creation unit 314 creates the detection model information in which the parameter value of the detection model and the cluster ID of the cluster A are associated with each other.

The communication unit 311 of the learning device 31 transmits the detection model information to the abnormality detection storage device 33 (step S211).

When the information management unit 332 of the abnormality detection storage device 33 receives the detection model information by the communication unit 331, the information management unit 332 stores the detection model information in the detection model information table 336T (step S212). When the detection model information of the same cluster ID is already stored in the detection model information table 336T, the information management unit 332 overwrites and updates the detection model information with the detection model information received by the communication unit 331. Just do it.

As described above, the detection model for detecting an abnormality in each cluster is created and updated for each cluster to which the plurality of IoT terminals 70 belong. In this way, by creating the detection model for each cluster, the calculation time for creating the detection model and the capacity of the storage area can be reduced as compared with the case where the detection model is individually created for each IoT terminal 70. Can be done.

≪Anomaly detection processing≫
Next, a process of identifying (detecting) an abnormal cluster based on the detection model and then identifying an abnormal terminal 70 belonging to the abnormal cluster will be described with reference to FIG. FIG. 13 is a sequence diagram showing an example of the abnormality detection process according to the embodiment of the present invention.

First, the communication unit 331 of the abnormality detection storage device 33 transmits a request for traffic information in cluster units to the traffic information collecting device 20 (step S301). The abnormality detection storage device 33 can transmit a request for traffic information for each cluster by referring to the cluster information table 334T.

Hereinafter, as an example, it is assumed that a request for traffic information of cluster A is transmitted.

Here, the request for traffic information in the subsequent steps S302 is executed every time set in the "data acquisition interval" of the setting information. Therefore, the subsequent processes of steps S302 to S313 are repeatedly executed every time.

When the traffic information collecting device 20 receives the traffic information request of the cluster A from the abnormality detection storage device 33, the traffic information collecting device 20 transmits the traffic information request of the IoT terminal 70 belonging to the cluster A to the transfer device 10 (step S302). The request includes the IP address of the IoT terminal 70 belonging to the cluster A.

In response to the request, the transfer device 10 transmits the traffic information of the IoT terminals 70 belonging to the cluster A to the traffic information collection device 20 among the IoT terminals 70 to which the packet is transferred (step S303).

When the traffic information collecting device 20 receives the traffic information of the IoT terminal 70 belonging to the cluster A from the transfer device 10, the traffic information collecting device 20 transmits the traffic information to the abnormality detecting device 32 (step S304). The traffic information collecting device 20 may collect the traffic information of the IoT terminal 70 belonging to the cluster A from the DNS server 40 or the DHCP server 50 and transmit it to the abnormality detecting device 32.

When the feature amount generation unit 322 of the abnormality detection device 32 receives the traffic information of the IoT terminal 70 belonging to the cluster A by the communication unit 321, the feature amount generation unit 322 generates the cluster feature amount of the cluster A (step S305). The feature amount generation unit 322 generates the feature amount of the IoT terminal 70 belonging to the cluster A, and then calculates the average value or the median value of these feature amounts, so that the average value or the median value is regarded as the cluster feature amount. Just do it. The feature amount generation unit 322 generates a cluster feature amount similar to the feature amount generation unit 312 of the learning device 31.

Next, the communication unit 321 of the abnormality detection device 32 transmits a request for the parameter value of the detection model of the cluster A to the abnormality detection storage device 33 (step S306).

When the communication unit 331 of the abnormality detection storage device 33 receives the request, the information management unit 332 acquires the parameter value of the detection model of the cluster A from the detection model information table 336T and transmits it to the abnormality detection device 32 ( Step S307).

The abnormality detection unit 323 of the abnormality detection device 32 determines the abnormality of the cluster A based on the cluster feature amount generated in step S305 and the parameter value of the detection model received from the abnormality detection storage device 33. (Step S308). That is, the abnormality detection unit 323 determines whether or not the cluster A is an abnormality cluster by the abnormality detection algorithm using the cluster feature amount and the parameters of the detection model. As a result, the abnormal cluster is identified (detected).

If the cluster A is not determined to be an abnormal cluster in step S308 above (that is, if the cluster A does not include the abnormal terminal 70), the subsequent processes of steps S309 to S313 are not executed. On the other hand, when it is determined in step S308 that cluster A is an abnormal cluster (that is, when cluster A includes an abnormal terminal 70), the subsequent processes of steps S309 to S313 are executed.

The communication unit 321 of the abnormality detection device 32 transmits the cluster ID of the abnormal cluster (cluster A as an example in this embodiment) to the abnormality detection storage device 33 (step S309).

The communication unit 331 of the anomaly detection storage device 33 refers to the cluster information table 334T by the information management unit 332 and transmits the IP address associated with the cluster ID “cluster A” to the security device 60 (step S310). .. That is, the communication unit 331 transmits the IP address of the IoT terminal 70 belonging to the cluster A determined to be the abnormal cluster to the security device 60.

The security device 60 transmits a request for traffic information of the IoT terminal 70 belonging to the cluster A, which is an abnormal cluster, to the transfer device 10 (step S311). The request includes the IP address of the IoT terminal 70 belonging to the cluster A determined to be an abnormal cluster.

In response to the request, the transfer device 10 transmits the traffic information of the IoT terminal 70 belonging to the cluster A determined to be an abnormal cluster among the IoT terminals 70 to which the packet is transferred to the security device 60 (step S312). ).

When the security device 60 receives the traffic information of the IoT terminals 70 belonging to the cluster A, the security device 60 makes a detailed abnormality determination based on the traffic information, and among these IoT terminals 70, the IoT terminal 70 infected with malware. Is specified (step S313). As described above, the security device 60 identifies the IoT terminal 70 infected with malware from the IoT terminals 70 belonging to the abnormal cluster by, for example, IPS, sandbox, DPI, or the like.

As described above, when the IoT terminal 70 belonging to a certain cluster is infected with malware, the abnormality detection device 32 can identify the abnormal cluster from each cluster. In this way, by performing anomaly detection on a cluster-by-cluster basis, for example, if a commercial sensor of the same manufacturer (an example of IoT terminal 70) is vulnerable and an outbreak occurs, these commercial sensors will be used. The cluster to which it belongs can be detected as an abnormal cluster.

The present invention is not limited to the above-described embodiment disclosed specifically, and various modifications and modifications can be made without departing from the scope of claims.

10 Transfer device 20 Traffic information collection device 30 Anomaly detection system 31 Learning device 32 Anomaly detection device 33 Anomaly detection storage device 40 DNS server 50 DHCP server 60 Security device 70 IoT terminal 311 Communication unit 312 Feature quantity generation unit 313 Clustering unit 314 Detection Model creation unit 321 Communication unit 322 Feature quantity generation unit 323 Anomaly detection unit 331 Communication unit 332 Information management unit 333 Address information table storage unit 334 Cluster information table storage unit 335 Learning information table storage unit 336 Detection model information table storage unit 337 Setting information Table storage

Claims (4)

An anomaly detection system that connects to multiple terminals
A clustering unit that classifies the plurality of terminals into one or more clusters based on a plurality of terminal feature quantities indicating the characteristics of each of the plurality of terminals .
For each cluster classified by the clustering unit, a detection model for detecting that an abnormal terminal belongs to the cluster is created by using the first cluster feature amount indicating the characteristics of all the terminals belonging to the cluster. The detection model creation unit to be created and
An clusters of the one or more clusters, generate based on the traffic information of all the terminals belonging to the one cluster, the second cluster feature amount representing a feature of all the terminals belonging to the one cluster The first feature amount generation unit to be
Whether or not the abnormal terminal belongs to the one cluster based on the detection model created by the detection model creation unit and the second cluster feature amount generated by the first feature amount generation unit. Anomaly detection unit that detects the cluster to which the abnormal terminal belongs by determining whether
Anomaly detection system with. The first feature amount generation unit is
Wherein generating the average value or the median value the second cluster feature amount of a predetermined communication characteristic included in each of the traffic information of all terminals belonging to one cluster, the abnormality detection system according to claim 1. A second feature amount generating unit for generating a predetermined communication characteristic of each of the plurality of terminals as the terminal characteristic quantity,
The clustering unit
The abnormality detection system according to claim 1 or 2, wherein the plurality of terminals are classified into one or more clusters based on the terminal feature amount of each of the plurality of terminals. An anomaly detection method used in anomaly detection systems that are connected to multiple terminals.
A clustering procedure for classifying the plurality of terminals into one or more clusters based on a plurality of terminal feature quantities indicating the characteristics of each of the plurality of terminals .
For each cluster classified by the clustering procedure, a detection model for detecting that an abnormal terminal belongs to the cluster is created by using the first cluster feature amount indicating the characteristics of all the terminals belonging to the cluster. The detection model creation procedure to be created and
An clusters of the one or more clusters, generate based on the traffic information of all the terminals belonging to the one cluster, the second cluster feature amount representing a feature of all the terminals belonging to the one cluster Feature generation procedure and
Based on the detection model created by the detection model creation procedure and the second cluster feature amount generated by the feature amount generation procedure, it is determined whether or not the abnormal terminal belongs to the one cluster. By doing so, the abnormality detection procedure to detect the cluster to which the abnormal terminal belongs , and
Anomaly detection method with.

Images