JP7081953B2 - Alert notification device and alert notification method - Google Patents

Description

The present invention relates to an alert notification device and an alert notification method.

Conventionally, there has been known a technique for accurately notifying an operator of an alert when a security incident occurs in an IT system. Here, to notify an alert with high accuracy means not notifying an incident that does not need to be notified to the IT system operator, and notifying all incidents that need to be notified.

For example, Patent Document 1 proposes a failure sign diagnostic device capable of more accurately performing a process of calculating a failure occurrence probability. In this failure sign diagnosis device, in the sign diagnosis model creation block, a plurality of normal data groups and failure sign data groups based on the feature quantities of a plurality of image formation parameters related to the type of failure are generated for each type of failure. Divide into clusters and create a predictive diagnostic model for each of the multiple clusters. Then, in the predictive diagnosis block, with respect to the image forming apparatus to be the target of the predictive diagnosis, the predictive diagnosis data group having the feature quantities of a plurality of image forming parameters related to the type of the disorder as an element for each type of the disorder. The predictive diagnosis model with the highest compatibility is selected, and the predictive diagnosis of the disorder is performed using the predictive diagnosis model.

Japanese Unexamined Patent Publication No. 2015-0369661

In the above-mentioned conventional technique, it is necessary to divide into a plurality of clusters having a predetermined feature amount as an element and to create a predictive diagnosis model for each of the plurality of clusters. However, based on preset models and rules, it is not possible to respond to so-called zero-day attacks (attack methods that utilize the vulnerability before it is disclosed), and it constantly collects information and creates a new pattern model. And rules need to be set.

In addition, there are usually two methods for detecting anomalies such as security incidents, a supervised method and an unsupervised method. The supervised method is more accurate because the label of each event in the log information generated by the device that monitors the security incident is known, but it is very difficult to label all events. Requires human cost. Especially in security incidents, what is normal and what is abnormal changes with time and target. Events that are likely to be normal at some point may be more likely to be abnormal in the future due to new attack methods and vulnerabilities. For this reason, the supervised method requires regular re-labeling, which is extremely costly. The unsupervised method is inferior to the supervised method in terms of accuracy, but it can be realized at a relatively low cost because it is automatically detected from an event without the need for humans to attach a label.

Therefore, the present invention provides an alert notification device and an alert notification method for determining the priority for accurately notifying an operator of an alert when a security incident occurs by cluster analysis, which is a kind of unsupervised method. ..

In order to solve the above problem, in the alert notification device that notifies an alert based on the log information generated by the device that monitors the security incident, the log information is input in the alert log input section and the alert log input section. Based on the log information, the aggregation unit aggregates the number of occurrences for each combination of incident types and the number of occurrences for each source identifier that generated the incident within a predetermined time from the incident occurrence time, and the aggregation unit aggregates. The number of occurrences, the analysis department that performs cluster analysis to classify combinations based on the number of occurrences of combinations for each source identifier within a predetermined time, and the priority for the operator to respond based on the analysis results of the analysis department. A determination unit for determining the degree and a notification unit for notifying an alert based on the priority determined by the determination unit are provided. An alert notification device is provided that determines that priority should be given.
According to this, in the number of occurrences (frequency) of combinations of incident types within a predetermined time, the operator determines that the incident related to the combination with a small number of occurrences is prioritized as the incident to be dealt with by the operator. It is possible to provide an alert notification device that accurately notifies alerts.

Further, it may be further provided with an optimization unit that optimizes the number of clusters in the cluster analysis performed by the analysis unit by a statistical method.
According to this, by optimizing the number of clusters, it is possible to provide an alert notification device with higher accuracy.

Further, the cluster analysis performed by the analysis unit may be characterized by including a two-step analysis of a singular point analysis and a characteristic analysis.
According to this, it is possible to prevent normal events from becoming noise in cluster analysis, and it is possible to improve the accuracy of alert notification.

In order to solve the above problem, in the alert notification method that notifies an alert based on the log information generated by the device that monitors the security incident, the type of incident within a predetermined time from the incident occurrence time based on the log information. The number of occurrences for each combination and the number of occurrences for each source identifier that caused the incident are aggregated, and cluster analysis is performed to classify the combinations based on the number of occurrences for each combination for each source identifier within a predetermined time. Based on the result, it is determined that the combination with the smaller number of combinations for each source identifier within a predetermined time should be prioritized, and the alert notification method executed by the computer that notifies the alert based on the determined priority. Is provided.
According to this, in the number of occurrences (frequency) of combinations of incident types within a predetermined time, the operator determines that the incident related to the combination with a small number of occurrences is prioritized as the incident to be dealt with by the operator. It is possible to provide an alert notification method for accurately notifying alerts.

According to the present invention, it is possible to provide an alert notification device and an alert notification method for determining the priority of accurately notifying an operator of an alert when a security incident occurs by cluster analysis.

FIG. 3 is an overall system configuration diagram including an alert notification device according to the first embodiment of the present invention. The block block diagram of the alert notification apparatus of 1st Embodiment which concerns on this invention. The flowchart which shows the operation in the aggregation part of the alert notification apparatus of 1st Embodiment which concerns on this invention. An explanatory diagram showing a method of totaling the number of occurrences of combinations in the totaling unit of the alert notification device of the first embodiment according to the present invention. The flowchart which shows the operation in the analysis part of the alert notification apparatus of 1st Embodiment which concerns on this invention. The block block diagram of the alert notification apparatus of the modification of the 1st Embodiment which concerns on this invention. The flowchart which shows the operation in the analysis part of the alert notification apparatus of the modification of the 1st Embodiment which concerns on this invention. Explanatory diagram showing the flow of standard incident response. An example of a standard log for a breach detection system.

Hereinafter, examples of the present invention will be described with reference to the drawings.
<First Example>
The alert notification device 100 in this embodiment will be described with reference to FIGS. 1 to 5. As shown in FIG. 1, the alert notification device 100 is used as a cyber security measure in a system that monitors a request to access an IT device WS such as a web server connected to the Internet. The alert notification device 100 manages a security device SD such as a firewall, an intrusion detection system, or an integrated threat management device (Unified Threat Management) that integrates these functions, and monitors alerts generated by the security device SD.

The security device SD monitors all requests to access the IT device WS such as a web server connected to the Internet, and records all events that may cause a security incident such as unauthorized access as alert logs in the transfer device FD. Send. The transfer device FD transfers log information including an alert log from the security device SD to the aggregation device ID via the network as a client side to the server side where the alert notification device 100 is installed. The aggregation device ID adds and integrates necessary information for the transferred alert, stores log information such as an alert log in the alert DB, and also sends it to the alert notification device 100. The alert DB stores all past alert logs. The alert notification device 100 receives the input of the alert log from the aggregation device ID or the alert DB and performs analysis to extract and present a priority alert from a large number of alerts to the analyst.

Incident response by an analyst means prioritization determination, event analysis, response planning, and failure recovery when an incident is detected. As shown in FIG. 8, the standard flow of incident response is as follows after receiving a report of incident detection by the security device SD. It should be noted that although there may be event notifications from customers and related organizations, the explanation is omitted here.
(1) Receiving contact When detection or contact is received, the liaison officer confirms the information and issues it as an incident.
(2) Triage Triage investigates incidents filed by a professional security analyst and decides whether or not a response is necessary. If it is not an incident such as a false positive, or if the priority is below a certain level, it is judged that there is no need to take action.
(3) Event analysis Understand the damage and isolate the scope of the breach on the premise that a security breach has occurred. Perform forensic work such as detailed analysis of PCs suspected of being infected with malware. In this work, an investigation environment that simulates the actual environment is constructed, infected malware is executed, and the content of the infringement is analyzed. In addition, the network traffic is analyzed one by one to confirm the spread of the infection, thereby revealing the full extent of the breach.
(4) Response plan / implementation Based on the results of event analysis, plan and implement disaster recovery, response to information leakage, and recurrence prevention measures.

In such an incident response, the alert notification device 100 analyzes the alert log from the security device SD as shown in FIG. 8, and only alerts that need to involve a person such as a liaison officer or an analyst. The aim is to extract and improve the efficiency of human work in the post-process.

As shown in FIG. 2, the alert notification device 100 includes an alert log input unit 10 for inputting log information including an alert log, and an alert log shaping unit 20 for shaping the log information input to the alert log input unit 10. It also includes an alert analysis unit 30 that analyzes whether or not to notify as an alert from the formatted log information.

The alert log input unit 10 receives the log information from the transfer device FD or reads the past log information stored in the alert DB and incorporates it into the alert notification device 100. The timing of reading is based on the case where an alert with the possibility of a new incident is received from the transfer device FD (real-time processing), the case where it is periodically read from the alert DB (regular processing), or the request from the analyst. When reading from the alert DB (request processing), the alert log input unit 10 takes in the log information into the alert notification device 100 at various timings.

The alert log shaping unit 20 makes different log data formats (formats) of log information created by various security device SDs into a unified data format so that post-process processing can be performed in a unified manner. The alert log shaping unit 20 converts log information created in various formats into a data format as shown in Table 1, for example.

This unified data format is divided into a common part and a custom part. The common part has standard items for alerts of the security device SD, and stores items that cannot be shared in the custom part. Therefore, the custom part has a schemaless structure. Conversion of log information to a unified data format can be set in the definition file, and the operator can add an alert format with a small burden.

The alert analysis unit 30 analyzes the priority of whether or not the alert is necessary for human analysis from a large amount of log information. The alert analysis unit 30 includes an aggregation unit 31 that aggregates the number of alerts that have a predetermined condition that occurred within a predetermined time, an analysis unit 32 that performs cluster analysis based on the number of occurrences, and an analysis based on the analysis results. It is provided with a determination unit 33 for determining a priority for an operator such as a government to respond, and a notification unit 34 for notifying an alert based on the priority.

The aggregation unit 31 is based on the log information input by the alert log input unit 10, the number of occurrences for each combination of incident types and the occurrence source identifier for each incident occurrence within a predetermined time from a certain incident occurrence time. Aggregate the number of occurrences. The operation of the totaling unit 31 will be described with reference to FIG. In addition, S in the figure means a step.

The totaling unit 31 acquires the alert output by the alert log shaping unit 20 in S100. Here, this alert is referred to as a target alert. This target alert includes an alert included in a predetermined time (for example, 30 minutes), and the starting point of the predetermined time is the time when an incident occurs. The target alert may be an alert in a past time zone that goes back a predetermined time from the starting point, or may be an alert in a time zone that is a predetermined time below the starting point (future when viewed from the starting point). That is, the aggregation unit 31 aggregates the number of occurrences within a predetermined time from the occurrence time of a certain incident. In S102, the aggregation unit 31 extracts one by one from the target alerts. The aggregation unit 31 continues the operations of S104 to S112 described below until all of the target alerts are processed (S114).

In S104, the aggregation unit 31 extracts one or a plurality of attack destinations to be operated or analyzed from the target alerts. The attack destination is the client-side IT device WS that is being attacked by the attacker, and the attacker is the device that is generating the security incident, and typically both are IP addresses (attack destination identifiers). And the origin identifier). In S106, the aggregation unit 31 extracts the same attack type (incident type) from the target alerts extracted by the same attack destination. The attack type is the type of attack that the attacker is making at the attack destination, and is, for example, the following.
-Apache Struts Content-Type Remote Code Execution
-Apache Win32 Batch File Remote Command Execution

For example, as shown in FIG. 9, the log of the intrusion detection system (IDS: Intrusion Detection System) includes the occurrence time, the attacker IP address, the attack destination IP address, the attack type name, and the like.

At this stage, the aggregation unit 31 extracts the alert group extracted from the alert log with the same attack destination and the same attack type, and extracts each type that is attacking the operation target or the analysis target. .. Here, this is called a related alert. Then, in S108, the aggregation unit 31 extracts only the alerts that can be regarded as the same attack from the related alerts. Normally, the alerts that match the source IP address that sent the request that caused the alert are alerts related to the same attacker and can be regarded as the same attack. Here, this is called an extraction alert. Further, the tabulation unit 31 extracts here according to the conditions for manifesting the features. The conditions for manifesting this feature differ depending on the security device SD. Normally not necessary, but depending on the security device SD, set the condition only for [Alert with attack identifier different from target alert].

In S110, the aggregation unit 31 assigns an attack identifier for each attack type of the extraction alert and lists the attack identifiers of the extraction alert. Then, the totaling unit 31 counts and totals the number of cases for each attack identifier in S112. As shown in FIG. 4, the aggregation unit 31 aggregates the number of occurrences for each combination of incident types. The first time zone shown in this figure shows a combination of attack types that occurred within a predetermined time thereafter starting from the time when the attack type A occurred. In the first time zone, the number of occurrences is [A: 1, B: 2, C: 1] in the combination of attack types [A, B, C]. That is, in the first time zone, there was one attack type A, two attack types B, and one attack type C. Similarly, in the second time zone, the number of occurrences in the combination of attack types [B, C, E] is [B: 2, C: 1, E: 1]. In the third time zone, the number of occurrences is [B: 1, C: 1, E: 1] in the combination of attack types [B, C, E].

The analysis unit 32 performs a cluster analysis to classify the combinations based on the number of occurrences of the attack type combinations for each source identifier within a predetermined time, which is aggregated by the aggregation unit 31. The determination unit 33 determines the priority for the operator to respond based on the analysis result of the analysis unit 32. The operation of the analysis unit 32 and the determination unit 33 will be described with reference to FIG. The analysis unit 32 acquires the number of occurrences of combinations of attack types (incident types) for each source identifier aggregated by the aggregation unit 31 in S200, and normalizes them so that they can be easily analyzed in S202. Then, the analysis unit 32 sets the parameters of the cluster analysis based on the normalization result in S204, and performs the cluster analysis of the data set of the normalization result in S206.

なお、ｖ_ｉ（i,…,n）は各クラスタ、ｘ_ｉ（i,…,n）は各データである。 Various methods can be applied to the cluster analysis method performed by the analysis unit 32, but the k-means method and the k-means ++ method are preferable. The k-means method is an algorithm for finding the center of a cluster, and has the following equation.

Note that vi ( _i , ..., N) is each cluster, and _xi (i, ..., n) is each data.

The procedure of the algorithm of the k-means method is as follows.
(1) Randomly allocate clusters to the input data.
(2) Calculate the center of each cluster from the data.
(3) From the distance between each data and the center of each cluster, distribute to the nearest cluster.
(4) If the above processing does not change the cluster of all data, or if it falls below a certain preset threshold value, the processing ends. If not, the above process is repeated.

The number of cluster divisions is preferably determined by the elbow method. In the elbow method, while changing the number of clusters, if the distance between the clusters in step (2) and each data gradually decreases, the number of clusters at the boundary is set as the optimum number of clusters. In the k-means method, the result may greatly depend on the initial cluster to be assigned to the data, so apply it repeatedly and select the best result. In that respect, in the k-means ++ method, the clusters initially allocated to the data are statistically calculated from the data, that is, the clusters are allocated so that the cluster centers are far from each other when allocating the clusters to the data. -Classification accuracy is improved compared to the means method. Then, in S208, the analysis unit 32 determines the criteria for determining the priority from the cluster results, for example, the determination criteria for calculating the number of data in each cluster, the size and density of the clusters, and the distance between the clusters. Perform calculation processing.

Based on the result of the cluster analysis of the analysis unit 32, the determination unit 33 determines in S210 that the combination of attack types with a small number of occurrences for each source identifier (source IP) within a predetermined time should be prioritized. do. That is, when a combination of attack types occurs at a low frequency, any attack (incident) in the combination has a high priority as it requires analysis by the operator.

The notification unit 34 notifies the operator of an alert as, for example, an "emergency call" based on the priority determined by the determination unit 33 in S212. The notification given by the notification unit 34 may be given to the operator visually, audibly, or by any other method.

As described above, the alert notification device 100 is a device that notifies an alert based on log information generated by a device that monitors a security incident, and is an alert log input unit 10 in which log information is input and an alert log input. Based on the log information input in Part 10, the totaling unit 31 that aggregates the number of occurrences for each combination of incident types and the number of occurrences for each source identifier that caused the incident within a predetermined time from the incident occurrence time. , Based on the analysis results of the analysis unit 32, which performs cluster analysis to classify combinations based on the number of occurrences of combinations for each source identifier within a predetermined time, which is the number of occurrences aggregated by the aggregation unit 31. The determination unit 33 includes a determination unit 33 for determining the priority for the operator to respond, and a notification unit 34 for notifying an alert based on the priority determined by the determination unit 33, and the determination unit 33 is within a predetermined time. It is determined that the combination with the smaller number of combinations for each source identifier should be prioritized. In this way, in the number of occurrences (frequency) of combinations of incident types within a predetermined time, the operator is determined to prioritize the incidents related to the combinations with a small number of occurrences as the incidents to be dealt with by the operator. It is possible to provide an alert notification device 100 that accurately notifies an alert.

The above also describes the alert notification method. That is, this alert notification method is an alert notification method that notifies an alert based on the log information generated by the device that monitors the security incident, and based on the log information, the incident occurs within a predetermined time from the incident occurrence time. The number of occurrences for each type combination and the number of occurrences for each source identifier that caused the incident are aggregated, and cluster analysis is performed to classify the combinations based on the number of occurrences for each combination for each source identifier within a predetermined time. Based on the result of the analysis, it is determined that the combination having a small number of combinations for each source identifier within a predetermined time should be prioritized, and an alert is notified based on the determined priority. Similarly, in this way, in the number of occurrences (frequency) of combinations of incident types within a predetermined time, it is determined that the incident related to the combination with a small number of occurrences is prioritized as the incident to be dealt with by the operator. It is possible to provide an alert notification method that accurately notifies the operator of an alert.

<Modified example of the first embodiment>
The alert notification device 100A according to the modified example of this embodiment will be described with reference to FIG. In addition, in order to avoid duplicate description, the same components as those in the above embodiment are designated by the same reference numerals, and the description thereof will be omitted. The alert notification device 100A has an alert log input unit 10 for inputting log information including an alert log, an alert log shaping unit 20 for shaping the log information input to the alert log input unit 10, and a formatted log information. It is provided with an alert analysis unit 30A that analyzes whether or not to notify as an alert from the inside. The alert analysis unit 30A has an aggregation unit 31 that aggregates the number of alerts that have a predetermined condition that occurred within a predetermined time, an analysis unit 32A that performs cluster analysis based on the number of occurrences, and an analysis based on the analysis result. Optimizing the number of clusters in the cluster analysis performed by the determination unit 33, which determines the priority for the operator such as the government, the notification unit 34, which notifies the alert based on the priority, and the analysis unit 32A, by a statistical method. It is provided with an optimization unit 35 for analysis.

The optimization unit 35 receives from the analyst, for example, when the analyst (operator) analyzes the alert notified with high priority and it is often judged that the alert is not related to a significant incident. The judgment is accepted and fed back to the analysis unit 32A. When the optimization unit 35 receives such a determination, the optimization unit 35 adjusts the parameters of the cluster analysis and the like according to the feedback of the analyst, for example, by changing the number of clusters in the cluster analysis, and performs the optimization. According to this, the alert notification device 100A can provide a more accurate alert notification device by optimizing the number of clusters.

Further, a further modification will be described with reference to FIG. 7. The analysis unit 32A performs the processes shown in S200 to S208 as described above. The analysis unit 32A includes a two-step analysis method of singularity analysis and characteristic analysis performed before the cluster analysis of S206 described above. The analysis unit 32A performs a cluster analysis on the normalization result (that is, the set of the above-mentioned extraction alerts) in S2061. In this case, unlike the above cluster analysis, outliers are taken. This results in a cluster of data with many similar tendencies and outliers for unique data. In this case, a suitable cluster analysis is DBSCAN.

Next, the analysis unit 32A carries out a characteristic analysis in S2062. In this characteristic analysis, only outliers are targeted from the results of the singularity analysis, and further cluster analysis is performed to form a cluster with only outliers. The subsequent processing is the same as the cluster analysis method described above. In this way, by analyzing the cluster analysis in two stages of singularity analysis and characteristic analysis, it is possible to prevent normal events from becoming noise in the cluster analysis, and it is possible to further improve the accuracy of alert notification.

It should be noted that the present invention is not limited to the illustrated examples, and can be implemented with a configuration within a range that does not deviate from the contents described in each section of the claims. That is, the present invention is mainly illustrated and described with respect to a particular embodiment, but without departing from the scope of the technical idea and object of the present invention, the quantity, with respect to the above-described embodiments. In other detailed configurations, those skilled in the art can make various modifications.

100 Alert notification device 10 Alert log input section 20 Alert log shaping section 30 Alert analysis section 31 Aggregation section 32 Analysis section 33 Judgment section 34 Notification section 35 Optimization section SD security device (device for monitoring security incidents)
FD transfer device ID aggregate device SV server CL client

Claims (4)

In an alert notification device that notifies alerts based on log information generated by devices that monitor security incidents.
The alert log input section where the log information is input, and
Based on the log information input in the alert log input unit, the number of occurrences for each combination of incident types and the number of occurrences for each source identifier that caused the incident within a predetermined time from the incident occurrence time are totaled. Aggregation department and
An analysis unit that performs cluster analysis to classify the combinations based on the number of occurrences of the combination for each source identifier within the predetermined time, which is the number of occurrences aggregated by the aggregation unit.
Based on the analysis result of the analysis unit, the determination unit that determines the priority for the operator to respond to
A notification unit that notifies an alert based on the priority determined by the determination unit, and
Equipped with
The determination unit determines that the combination in which the number of occurrences of the combination for each source identifier within the predetermined time is small should be prioritized.
Alert notification device. The alert notification device according to claim 1, further comprising an optimization unit that optimizes the number of clusters in the cluster analysis performed by the analysis unit by a statistical method. The alert notification device according to claim 1 or 2, wherein the cluster analysis performed by the analysis unit includes a two-step analysis of a singularity analysis and a characteristic analysis. In the alert notification method that notifies alerts based on the log information generated by the device that monitors security incidents.
Based on the log information, the number of occurrences for each combination of incident types and the number of occurrences for each source identifier that caused the incident within a predetermined time from the incident occurrence time are totaled.
A cluster analysis for classifying the combinations was performed based on the number of occurrences of the combinations for each source identifier within the predetermined time.
Based on the result of the cluster analysis, it is determined that the combination having a small number of occurrences of the combination for each source identifier within the predetermined time should be prioritized.
Notify an alert based on the determined priority,
Alert notification method performed by the computer .

Images