WO2022107296A1 - Estimation device, estimation method, and estimation program - Google Patents
Publication number: WO2022107296A1 (PCT/JP2020/043291)
Authority: WO (WIPO (PCT))
Prior art keywords: packet, abnormal, feature amount, payload, normal
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/01—Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
Definitions
- The present invention relates to an estimation device, an estimation method, and an estimation program for estimating which part of the payload of a packet determined to be abnormal caused that abnormality determination.
- Anomaly detectors using deep learning and the like have been proposed. If the cause of a detection by such an anomaly detector can be explained, this helps the user decide on appropriate measures for the detected anomaly.
- A method has been proposed that estimates the cause part in the feature amount input to an explainable model and the corresponding cause part in the original data from which the feature amount was derived.
- However, anomaly detectors that use deep learning in the prior art convert the original data into features irreversibly. In that case it may be difficult to trace the cause back to the original data even if the abnormal part of the feature amount is found. For example, even if an anomaly detector determines a packet to be abnormal, it may not be known which part of the packet's payload caused that determination. It is therefore an object of the present invention to solve the above problem and to estimate which part of the payload of a packet determined to be abnormal caused it to be determined abnormal.
- To solve the above problem, the present invention comprises: a feature amount generation unit that, for each packet determined to be abnormal or normal by an anomaly detector, generates a feature amount by reversibly converting the packet's payload character by character and attaches the determination result (abnormal or normal) to that feature amount; a model learning unit that uses the feature amount of the payload and the determination result as teacher data and learns, by machine learning, a model that classifies whether a packet is abnormal or normal; an extraction unit that extracts the dimension numbers of the feature amount whose contribution to the classification in the learned model is equal to or greater than a predetermined value; and an output unit that, using the extracted dimension numbers, estimates the cause part of the abnormality in the payload of a packet determined to be abnormal and outputs the result of the estimation.
- FIG. 1 is a diagram showing a configuration example of an estimation system.
- FIG. 2 is a flowchart showing an example of the processing procedure of the estimation system.
- FIG. 3 is a diagram showing an example of a payload of a packet determined to be normal and a payload of a packet determined to be abnormal.
- FIG. 4 is a diagram showing an example of the features extracted by the extraction unit of FIG. 1.
- FIG. 5 is a diagram showing an output example of a portion of the payload in the packet determined to be abnormal, which is presumed to be the cause of the abnormality.
- FIG. 6 is a diagram showing a configuration example of a computer that executes an estimation program.
- The estimation system 1 includes, for example, an estimation device 10, an input device 20, and an output device 30.
- The estimation device 10 estimates, for a packet in the communication data that has been determined to be abnormal, which part of its payload is the cause.
- The input device 20 accepts input of the various data (for example, packets determined to be abnormal) used by the estimation device 10.
- The output device 30 outputs the data output by the estimation device 10. For example, the output device 30 displays the estimation result of the estimation device 10 on a monitor.
- The estimation device 10 includes a storage unit 11 and a control unit 12.
- The storage unit 11 stores the various data referred to when the control unit 12 executes processing.
- The storage unit 11 stores, for example, normality determination data and model parameter information.
- The normality determination data is the data of a group of packets determined to be normal by an anomaly detector (not shown).
- The model parameter information indicates the parameters used when the model learning unit 123 (described later) learns the model.
- For example, when the model learned by the model learning unit 123 is a model using a decision tree, the model parameter information indicates the max_depth of the decision tree, the number of branch conditions, and the like.
- The control unit 12 controls the entire estimation device 10.
- The control unit 12 includes, for example, a data acquisition unit 121, a feature amount generation unit 122, a model learning unit 123, an extraction unit 124, and an output unit 125.
- The data acquisition unit 121 acquires various data from the input device 20. For example, the data acquisition unit 121 acquires from the input device 20 the data of the group of packets determined to be abnormal by the anomaly detector.
- The feature amount generation unit 122 generates a feature amount by reversibly converting, character by character, the payload of each packet determined to be abnormal or normal by the anomaly detector. The feature amount generation unit 122 then attaches to the generated feature amount the determination result of whether the packet is abnormal or normal.
- Specifically, the feature amount generation unit 122 extracts the payload of each packet determined to be abnormal that was acquired by the data acquisition unit 121, and extracts the payload of each packet in the normality determination data of the storage unit 11. It then generates a feature amount by reversibly converting each extracted payload character by character.
- For example, the feature amount generation unit 122 treats the payload of each packet as a string of hexadecimal bytes and generates the feature amount by converting each byte into a decimal number. It then attaches the determination result of whether the packet is abnormal or normal to the feature amount of that packet's payload.
- The payload extracted by the feature amount generation unit 122 from each packet determined to be normal and each packet determined to be abnormal is defined as x shown in the following equation (1).
- The model learning unit 123 uses the feature amounts of the packet payloads generated by the feature amount generation unit 122 and the determination results of whether each packet is abnormal or normal as teacher data, and learns by machine learning a model that classifies whether a packet is abnormal or normal.
- The model targeted for this learning is a highly interpretable model.
- A highly interpretable model is, for example, a model for which it is easy to interpret which feature amount contributes strongly to the model's classification.
- The above model is, for example, a model using a decision tree, linear regression, logistic regression, or the like.
- The model parameter information in the storage unit 11 is used when learning the model.
- The extraction unit 124 extracts, as features, the parts of the model learned by the model learning unit 123 whose contribution is equal to or greater than a predetermined value. For example, the extraction unit 124 measures how much the value of each dimension constituting the feature amount contributes to the normal/abnormal classification in the model. It then extracts, as a feature, the dimension number of each feature amount whose measured contribution is equal to or greater than the predetermined value.
- For example, the extraction unit 124 extracts "byte string: 43rd, byte string: 41st, byte string: 18th" as features, as shown in FIG. 4.
- For example, when the model is a decision tree, the extraction unit 124 extracts, as a feature, the dimension number of the feature amount written in a branch condition, taken from each node of the decision tree in which a branch condition is written.
- The output unit 125 estimates the cause part of the abnormality in the payload of a packet determined to be abnormal by using the features extracted by the extraction unit 124 as having a contribution equal to or greater than the predetermined value (for example, the dimension numbers of the feature amount), and outputs the result of the estimation.
- For example, the output unit 125 outputs to the output device 30 the features extracted by the extraction unit 124 (for example, "byte string: 43rd, byte string: 41st, byte string: 18th" as shown in FIG. 4) as the estimation result for the cause part of the abnormality in the payload of the packet determined to be abnormal. The user of the estimation system 1 can thus confirm which bytes of the payload of the packet determined to be abnormal are estimated to be the cause of the abnormality.
- The output unit 125 may also output information that visualizes the part of the payload of the packet determined to be abnormal that is presumed to be the cause of the abnormality, based on the features extracted by the extraction unit 124.
- For example, the output unit 125 may output to the output device 30 data in which the part of the payload of the packet determined to be abnormal that is presumed to be the cause is emphasized by highlighting or the like, based on the features extracted by the extraction unit 124 (see FIG. 5).
- The data acquisition unit 121 of the estimation device 10 acquires the data (packet) determined to be abnormal. The feature amount generation unit 122 then extracts the payload of the packet determined to be abnormal and converts it into a reversible feature amount (S1). The feature amount generation unit 122 further attaches to the feature amount of the payload converted in S1 the determination result indicating that the packet is abnormal.
- The feature amount generation unit 122 acquires a packet determined to be normal from the normality determination packet data. It then extracts the payload of the packet determined to be normal and converts it into a reversible feature amount (S2). The feature amount generation unit 122 further attaches to the feature amount of the payload converted in S2 the determination result indicating that the packet is normal.
- The model learning unit 123 uses the feature amounts of the payloads converted in S1 and S2 and the determination results of whether each packet is abnormal or normal as teacher data, and performs machine learning with a highly interpretable model (S3). The extraction unit 124 then extracts, from the model after machine learning, the features that contributed to the abnormality (S4). For example, the extraction unit 124 measures from the learned model the contribution of each feature amount to the classification as abnormal and extracts the features (for example, the dimension numbers of the feature amount) whose measured contribution is equal to or greater than a predetermined value.
- The output unit 125 converts the features extracted in S4 back into the original data format (S5) and outputs the conversion result of S5 as the estimation result for the cause of the abnormality (S6). For example, the output unit 125 outputs to the output device 30 data in which the part of the payload of the packet determined to be abnormal that is presumed to be the cause is emphasized by highlighting or the like (see FIG. 5).
- In this way, the estimation system 1 can estimate which part of the payload of a packet determined to be abnormal is the cause.
- Packets labelled with a normal/abnormal determination result were used in the experiment.
- Three kinds of packets whose payloads differ in the abnormal part (abnormality patterns 1 to 3) were prepared (see FIG. 3).
- The hatched parts indicate the abnormal parts.
- The packet of abnormality pattern 1 is a packet whose 18th payload byte (the function code) differs from a normal packet.
- Abnormality pattern 2 is a packet in which the possible value of the 43rd payload byte differs from that of a normal packet.
- Abnormality pattern 3 is a packet in which the possible value of the 41st payload byte differs from that of a normal packet.
- The estimation device 10 estimated, one packet at a time, which byte of the packet's payload was abnormal.
- Each byte of the payload (hexadecimal: 0x00 to 0xff) was converted into a numerical value (decimal: 0 to 255).
- The normal/abnormal labelling after conversion of the payload was performed manually.
- The highly interpretable model used by the estimation device 10 was a model using a decision tree.
- If the estimation device 10 could extract the 18th byte as the abnormal part of the payload of the abnormality pattern 1 packet shown in FIG. 3, it was evaluated as OK; if it could extract the 43rd byte as the abnormal part of the payload of the abnormality pattern 2 packet, it was evaluated as OK; and if it could extract the 41st byte as the abnormal part of the payload of the abnormality pattern 3 packet, it was evaluated as OK.
- FIG. 4 shows the byte string numbers of the abnormal parts of the payload extracted by the estimation device 10.
- The estimation device 10 extracted three abnormal points in the packet payload: the 18th byte, the 41st byte, and the 43rd byte (in no particular order).
- The three locations of the 18th, 41st, and 43rd bytes of the payload were set in advance as the abnormal locations. It was therefore confirmed that the estimation device 10 correctly extracts the abnormal locations of the payload, and that it extracts only the abnormal parts of the payload.
- FIG. 5 shows the parts that the estimation device 10 extracted as abnormal parts of the packet payload, output in a color different from that of the other parts of the payload.
- The parts in bold in FIG. 5 indicate the parts output in a color different from the other parts.
- Counting the leftmost part of the payload shown in FIG. 5 ("B" in FIG. 5) as the first byte, the three byte numbers extracted as abnormal parts by the estimation device 10 (18th byte, 41st byte, 43rd byte) are output in a color different from the other parts.
- The "⁇" in the 43rd byte of the payload on the first line denotes a null byte. Comparing the payloads of abnormality patterns 1 to 3 shown in FIG. 3 with the output results shown in FIG. 5 shows that the abnormal parts of the packet payloads are correctly extracted.
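The processing procedure S1 to S6 and the decision-tree experiment above, as an added Python example that is not the patent's own code: each payload byte becomes one decimal feature dimension, a minimal information-gain decision tree (constructed here; the patent specifies only "a model using a decision tree") is trained on labelled packets, the dimensions named in its branch conditions are extracted, and those dimensions are mapped back to byte positions and emphasized in a hex dump. The 48-byte packet template, the counter byte, and the abnormal patterns at the 18th, 41st and 43rd bytes are constructed sample data that mirror FIG. 3.

```python
import math
from collections import Counter

# ---- Feature amount generation unit (S1/S2): reversible, byte by byte ----
def payload_to_features(payload):
    """Each byte 0x00..0xff becomes a decimal 0..255; byte position i is dimension i."""
    return list(payload)

def features_to_payload(features):
    """Inverse conversion (S5): a feature dimension maps straight back to a byte."""
    return bytes(features)

# ---- Model learning unit (S3): a minimal information-gain decision tree ----
def _entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def _best_split(X, y):
    """Return (gain, dimension, threshold) of the best 'x[dim] <= threshold' split."""
    base, best = _entropy(y), (0.0, None, None)
    for d in range(len(X[0])):
        values = sorted({row[d] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [lab for row, lab in zip(X, y) if row[d] <= t]
            right = [lab for row, lab in zip(X, y) if row[d] > t]
            gain = base - (len(left) * _entropy(left) + len(right) * _entropy(right)) / len(y)
            if gain > best[0]:                 # ties keep the lowest dimension
                best = (gain, d, t)
    return best

def build_tree(X, y, max_depth, depth=0):
    """Grow the tree greedily; each internal node stores one branch condition."""
    majority = Counter(y).most_common(1)[0][0]
    if len(set(y)) == 1 or depth >= max_depth:
        return {"leaf": majority}
    gain, d, t = _best_split(X, y)
    if d is None:                              # no split improves purity
        return {"leaf": majority}
    left = [i for i, row in enumerate(X) if row[d] <= t]
    right = [i for i, row in enumerate(X) if row[d] > t]
    return {"dim": d, "thr": t,
            "left": build_tree([X[i] for i in left], [y[i] for i in left], max_depth, depth + 1),
            "right": build_tree([X[i] for i in right], [y[i] for i in right], max_depth, depth + 1)}

# ---- Extraction unit (S4): dimensions written in the tree's branch conditions ----
def split_dimensions(tree):
    if "leaf" in tree:
        return set()
    return {tree["dim"]} | split_dimensions(tree["left"]) | split_dimensions(tree["right"])

# ---- Output unit (S5/S6): map dimensions back to byte numbers and emphasize them ----
def estimate_cause(normal_payloads, abnormal_payloads, max_depth=5):
    """Return the 1-based byte numbers estimated to be the cause of the abnormality."""
    X = [payload_to_features(p) for p in normal_payloads + abnormal_payloads]
    y = ["normal"] * len(normal_payloads) + ["abnormal"] * len(abnormal_payloads)
    tree = build_tree(X, y, max_depth)
    return sorted(d + 1 for d in split_dimensions(tree))

def highlight(payload, byte_numbers):
    """Hex dump with the estimated cause bytes bracketed (stands in for FIG. 5's colouring)."""
    return " ".join(f"[{b:02x}]" if i + 1 in byte_numbers else f"{b:02x}"
                    for i, b in enumerate(payload))

# ---- Constructed sample traffic (not captured data) ----
def make_packet(counter, patch=None):
    buf = bytearray(range(48))     # constructed 48-byte template
    buf[3] = counter               # a counter that legitimately varies in both classes
    if patch:
        pos, val = patch           # pos is 0-based, so 17/42/40 = 18th/43rd/41st byte
        buf[pos] = val
    return bytes(buf)

NORMAL = [make_packet(c) for c in range(1, 7)]
ABNORMAL = [make_packet(1, (17, 0x80)), make_packet(2, (17, 0x80)),   # pattern 1: function code
            make_packet(3, (42, 0xff)), make_packet(4, (42, 0xff)),   # pattern 2: 43rd byte
            make_packet(5, (40, 0x00)), make_packet(6, (40, 0x00))]   # pattern 3: 41st byte

if __name__ == "__main__":
    cause = estimate_cause(NORMAL, ABNORMAL)
    print("estimated cause bytes:", cause)        # [18, 41, 43]
    for packet in ABNORMAL[::2]:
        print(highlight(packet, cause))
```

Because the counter byte varies identically in both classes it yields no information gain and is never selected, which is the property a real deployment must check: a byte that happens to vary differently between the two captured classes for benign reasons would be reported as a cause just as readily.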
- Each component of each illustrated unit is a functional concept and need not be physically configured as shown in the figures. That is, the specific form of distribution or integration of each device is not limited to what is shown; all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, each processing function performed by each device may be realized, in whole or in any part, by a CPU and a program executed by that CPU, or as hardware by wired logic.
- The estimation device 10 described above can be implemented by installing a program as package software or online software on a desired computer. For example, by causing an information processing device to execute the above program, the information processing device can be made to function as the estimation device 10 of each embodiment.
- The information processing device referred to here includes desktop and notebook personal computers.
- The information processing device also includes smartphones, mobile communication terminals such as mobile phones and PHS (Personal Handyphone System) terminals, and terminals such as PDAs (Personal Digital Assistants).
- The estimation device 10 can also be implemented as a server device that treats a terminal device used by the user as a client and provides the client with a service related to the above processing.
- The server device may be implemented as a Web server, or as a cloud that provides services related to the above processing by outsourcing.
- FIG. 6 is a diagram showing an example of a computer that executes an estimation program.
- The computer 1000 has, for example, a memory 1010 and a CPU 1020.
- The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
- The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
- The hard disk drive interface 1030 is connected to a hard disk drive 1090.
- The disk drive interface 1040 is connected to a disk drive 1100.
- A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
- The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120.
- The video adapter 1060 is connected to, for example, a display 1130.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the estimation device 10 is implemented as a program module 1093 in which computer-executable code is written.
- The program module 1093 is stored in, for example, the hard disk drive 1090.
- For example, a program module 1093 for executing the same processing as the functional configuration of the estimation device 10 is stored in the hard disk drive 1090.
- The hard disk drive 1090 may be replaced by an SSD.
- The data used in the processing of the above embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as needed and executes them.
- The program module 1093 and the program data 1094 need not be stored in the hard disk drive 1090; they may, for example, be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like) and read from that computer by the CPU 1020 via the network interface 1070.
Description
A configuration example of an estimation system including the estimation device of the present embodiment will be described. As shown in FIG. 1, the estimation system 1 includes, for example, an estimation device 10, an input device 20, and an output device 30.
Next, an example of the processing procedure of the estimation system 1 will be described with reference to FIG. 2. The data acquisition unit 121 of the estimation device 10 acquires data (a packet) determined to be abnormal. The feature amount generation unit 122 then extracts the payload of the packet determined to be abnormal and converts it into a reversible feature amount (S1). The feature amount generation unit 122 also attaches, to the feature amount of the payload converted in S1, the determination result indicating that the packet is abnormal.
Next, the experimental results of the estimation device 10 will be described with reference to FIGS. 3 to 5. Here, for packets determined to be abnormal by the anomaly detector, we tested whether the estimation device 10 extracts the abnormal part of the packet's payload and does not extract parts other than the abnormal part.
(1) Packets labelled with a normal/abnormal determination result were used in the experiment. For the packets labelled abnormal, three kinds of packets whose payloads differ in the abnormal part (abnormality patterns 1 to 3) were prepared (see FIG. 3). Among the byte strings of abnormality patterns 1 to 3 shown in FIG. 3, the hatched parts indicate the abnormal parts. For example, the packet of abnormality pattern 1 is a packet whose 18th payload byte (the function code) differs from a normal packet. Abnormality pattern 2 is a packet in which the possible value of the 43rd payload byte differs from a normal packet. Abnormality pattern 3 is a packet in which the possible value of the 41st payload byte differs from a normal packet.
(2) The estimation device 10 estimated, one packet at a time, which byte of the packet's payload is abnormal.
(3) When the estimation device 10 performed the reversible conversion of the payload, each byte of the payload (hexadecimal: 0x00 to 0xff) was converted into a numerical value (decimal: 0 to 255).
(4) The normal/abnormal labelling after conversion of the payload was performed manually.
(5) The highly interpretable model used by the estimation device 10 was a model using a decision tree.
It was evaluated whether the estimation device 10 extracts the abnormal parts of the packet payload (the hatched parts in FIG. 1) and does not extract anything other than the abnormal parts (the parts other than the hatched parts in FIG. 1).
Whether the estimation device 10 was able to correctly extract the abnormal parts of the payloads of packets determined to be abnormal, as a result of the experiment under the above conditions, will be described with reference to FIG. 4. FIG. 4 shows the byte string numbers of the abnormal parts of the payload extracted by the estimation device 10.
Each component of each illustrated unit is a functional concept and need not be physically configured as shown in the figures. That is, the specific form of distribution or integration of each device is not limited to what is shown; all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, each processing function performed by each device may be realized, in whole or in any part, by a CPU and a program executed by that CPU, or as hardware by wired logic.
The estimation device 10 described above can be implemented by installing a program as package software or online software on a desired computer. For example, by causing an information processing device to execute the above program, the information processing device can be made to function as the estimation device 10 of each embodiment. The information processing device referred to here includes desktop and notebook personal computers. It also includes smartphones, mobile communication terminals such as mobile phones and PHS (Personal Handyphone System) terminals, and terminals such as PDAs (Personal Digital Assistants).
20 Input device
30 Output device
11 Storage unit
12 Control unit
121 Data acquisition unit
122 Feature amount generation unit
123 Model learning unit
124 Extraction unit
125 Output unit
Claims (7)
- 1. An estimation device comprising: a feature amount generation unit that, for each packet determined to be abnormal or normal by an anomaly detector, generates a feature amount by reversibly converting the payload of the packet character by character and attaches to the generated feature amount the determination result of whether the packet is abnormal or normal; a model learning unit that, using the feature amount of the payload of the packet and the determination result of whether the packet is abnormal or normal as teacher data, learns by machine learning a model that classifies whether the packet is abnormal or normal; an extraction unit that extracts the dimension numbers of the feature amount whose contribution to the classification in the learned model is equal to or greater than a predetermined value; and an output unit that, using the extracted dimension numbers of the feature amount, estimates the cause part of the abnormality in the payload of a packet determined to be abnormal and outputs the result of the estimation.
- 2. The estimation device according to claim 1, wherein the model is a model using a decision tree, and the extraction unit extracts, as the dimension numbers of the feature amount whose contribution is equal to or greater than the predetermined value, the dimension numbers of the feature amount written in a branch condition, from each node of the decision tree obtained by the machine learning in which a branch condition is written.
- 3. The estimation device according to claim 1, wherein the model is a model using linear regression or logistic regression.
- 4. The estimation device according to claim 1, wherein the output unit identifies, based on the extracted dimension numbers of the feature amount, the part estimated to be the cause part of the abnormality in the payload of the packet determined to be abnormal, and outputs information visualizing the identified part as the result of the estimation.
- 5. The estimation device according to claim 1, wherein the reversible conversion is a conversion from a character string to a numeric string according to the ASCII code table.
- 6. An estimation method executed by an estimation device, comprising: a step of, for each packet determined to be abnormal or normal by an anomaly detector, generating a plurality of feature amounts by reversibly converting the payload of the packet character by character and attaching to the generated feature amounts the determination result of whether the packet is abnormal or normal; a step of, using the feature amounts of the payload of the packet and the determination result of whether the packet is abnormal or normal as teacher data, learning by machine learning a model that classifies whether the packet is abnormal or normal; a step of extracting the dimension numbers of the feature amounts whose contribution to the classification in the learned model is equal to or greater than a predetermined value; and a step of, using the extracted dimension numbers of the feature amounts, estimating the cause part of the abnormality in the payload of a packet determined to be abnormal and outputting the result of the estimation.
- 7. An estimation program causing a computer to execute: a step of, for each packet determined to be abnormal or normal by an anomaly detector, generating a plurality of feature amounts by reversibly converting the payload of the packet character by character and attaching to the generated feature amounts the determination result of whether the packet is abnormal or normal; a step of, using the feature amounts of the payload of the packet and the determination result of whether the packet is abnormal or normal as teacher data, learning by machine learning a model that classifies whether the packet is abnormal or normal; a step of extracting the dimension numbers of the feature amounts whose contribution to the classification in the learned model is equal to or greater than a predetermined value; and a step of, using the extracted dimension numbers of the feature amounts, estimating the cause part of the abnormality in the payload of a packet determined to be abnormal and outputting the result of the estimation.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/043291 WO2022107296A1 (ja) | 2020-11-19 | 2020-11-19 | 推定装置、推定方法、および、推定プログラム |
JP2022563513A JP7444287B2 (ja) | 2020-11-19 | 2020-11-19 | 推定装置、推定方法、および、推定プログラム |
EP20962459.2A EP4228221A4 (en) | 2020-11-19 | 2020-11-19 | ESTIMATION DEVICE, ESTIMATION METHOD AND ESTIMATION PROGRAM |
CN202080107106.5A CN116458119A (zh) | 2020-11-19 | 2020-11-19 | 估计装置、估计方法以及估计程序 |
US18/035,109 US20230412624A1 (en) | 2020-11-19 | 2020-11-19 | Estimation device, estimation method, and estimation program |
AU2020477732A AU2020477732B2 (en) | 2020-11-19 | 2020-11-19 | Estimation device, estimation method, and estimation program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/043291 WO2022107296A1 (ja) | 2020-11-19 | 2020-11-19 | 推定装置、推定方法、および、推定プログラム |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022107296A1 true WO2022107296A1 (ja) | 2022-05-27 |
Family
ID=81708653
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/043291 WO2022107296A1 (ja) | 2020-11-19 | 2020-11-19 | 推定装置、推定方法、および、推定プログラム |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230412624A1 (ja) |
EP (1) | EP4228221A4 (ja) |
JP (1) | JP7444287B2 (ja) |
CN (1) | CN116458119A (ja) |
AU (1) | AU2020477732B2 (ja) |
WO (1) | WO2022107296A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023242904A1 (ja) * | 2022-06-13 | 2023-12-21 | 日本電信電話株式会社 | 異常区間推定方法、異常区間推定システム及び異常区間推定装置 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015186662A1 (ja) * | 2014-06-06 | 2015-12-10 | 日本電信電話株式会社 | ログ分析装置、攻撃検知装置、攻撃検知方法およびプログラム |
WO2017168458A1 (ja) * | 2016-03-28 | 2017-10-05 | 日本電気株式会社 | 予測モデル選択システム、予測モデル選択方法および予測モデル選択プログラム |
JP2019033312A (ja) * | 2017-08-04 | 2019-02-28 | 株式会社日立製作所 | ネットワーク装置、パケットを処理する方法、及びプログラム |
JP2019125867A (ja) * | 2018-01-12 | 2019-07-25 | パナソニックIpマネジメント株式会社 | 監視装置、監視システム及び監視方法 |
CN111835695A (zh) * | 2019-04-23 | 2020-10-27 | 华东师范大学 | 一种基于深度学习的车载can总线入侵检测方法 |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001136524A (ja) * | 1999-11-02 | 2001-05-18 | Ricoh Co Ltd | 圧縮伸長装置 |
CN101645883A (zh) * | 2008-08-08 | 2010-02-10 | 比亚迪股份有限公司 | 数据传输方法、数据发送方法及数据接收方法 |
US8363729B1 (en) * | 2008-11-06 | 2013-01-29 | Marvell International Ltd. | Visual data compression algorithm with parallel processing capability |
KR101753467B1 (ko) * | 2014-06-26 | 2017-07-03 | 인텔 코포레이션 | 범용 gf(256) simd 암호용 산술 기능성을 제공하는 명령어 및 로직 |
CN108401491B (zh) | 2016-12-06 | 2021-08-10 | 松下电器(美国)知识产权公司 | 信息处理方法、信息处理***以及程序 |
JP6866930B2 (ja) * | 2017-10-16 | 2021-04-28 | 富士通株式会社 | 生産設備監視装置、生産設備監視方法及び生産設備監視プログラム |
WO2019076177A1 (zh) * | 2017-10-20 | 2019-04-25 | 人和未来生物科技(长沙)有限公司 | 基因测序数据压缩预处理、压缩、解压方法、***及计算机可读介质 |
JP6939898B2 (ja) * | 2017-12-01 | 2021-09-22 | 日本電信電話株式会社 | ビットアサイン推定装置、ビットアサイン推定方法、プログラム |
JPWO2019116418A1 (ja) | 2017-12-11 | 2020-12-17 | 日本電気株式会社 | 障害分析装置、障害分析方法および障害分析プログラム |
JP7082533B2 (ja) * | 2017-12-15 | 2022-06-08 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | 異常検知方法および異常検知装置 |
JP6574004B2 (ja) * | 2018-01-25 | 2019-09-11 | 株式会社モルフォ | 計算手法決定システム、計算手法決定装置、処理装置、計算手法決定方法、処理方法、計算手法決定プログラム、及び、処理プログラム |
CN109146246B (zh) * | 2018-05-17 | 2021-06-04 | 清华大学 | 一种基于自动编码器和贝叶斯网络的故障检测方法 |
JP7065744B2 (ja) * | 2018-10-10 | 2022-05-12 | 株式会社日立製作所 | ネットワーク装置、パケットを処理する方法、及びプログラム |
CN109391624A (zh) * | 2018-11-14 | 2019-02-26 | 国家电网有限公司 | 一种基于机器学习的终端接入数据异常检测方法及装置 |
JPWO2020203352A1 (ja) | 2019-03-29 | 2020-10-08 |
2020
- 2020-11-19 CN CN202080107106.5A patent/CN116458119A/zh active Pending
- 2020-11-19 EP EP20962459.2A patent/EP4228221A4/en active Pending
- 2020-11-19 AU AU2020477732A patent/AU2020477732B2/en active Active
- 2020-11-19 JP JP2022563513A patent/JP7444287B2/ja active Active
- 2020-11-19 US US18/035,109 patent/US20230412624A1/en active Pending
- 2020-11-19 WO PCT/JP2020/043291 patent/WO2022107296A1/ja active Application Filing
Non-Patent Citations (1)
Title |
---|
K. AMARASINGHE ET AL.: "Toward Explainable Deep Neural Network based Anomaly Detection", IEEE: 11TH INTERNATIONAL CONFERENCE ON HUMAN SYSTEM INTERACTION, 2018 |
Also Published As
Publication number | Publication date |
---|---|
EP4228221A4 (en) | 2024-07-31 |
JPWO2022107296A1 (ja) | 2022-05-27 |
AU2020477732B2 (en) | 2024-02-01 |
JP7444287B2 (ja) | 2024-03-06 |
AU2020477732A1 (en) | 2023-06-22 |
US20230412624A1 (en) | 2023-12-21 |
CN116458119A (zh) | 2023-07-18 |
EP4228221A1 (en) | 2023-08-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 2022563513; Country of ref document: JP; Kind code of ref document: A |
| WWE | WIPO information: entry into national phase | Ref document number: 202080107106.5; Country of ref document: CN |
| ENP | Entry into the national phase | Ref document number: 2020962459; Country of ref document: EP; Effective date: 20230511 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2020477732; Country of ref document: AU; Date of ref document: 20201119; Kind code of ref document: A |