Title of invention LOG ANALYZING DEVICE, ATTACK DETECTING DEVICE, ATTACK DETECTION METHOD, AND PROGRAM
Abstract A device including: a parameter extracting unit that extracts each parameter from an access request; a character-string class converting unit that, with regard to each parameter, compares each part of a parameter value with a previously defined character string class, replaces the part with the longest matching character string class, and converts the value into a class sequence in which the classes are arranged in order of replacement; a profile storing unit that stores, as a profile in a storage unit, a class sequence with an appearance frequency equal to or more than a predetermined value in the above-described group of class sequences with regard to the access request of the normal data as learning data; and a failure detecting unit that determines the presence or absence of an attack in accordance with the degree of similarity between the above-described class sequence and the profile with regard to the access request.
Publication number US2017126724(A1) Publication date 2017.05.04
Application number US201515315756 Filing date 2015.06.01
Applicant NIPPON TELEGRAPH AND TELEPHONE CORPORATION Inventors ZHONG Yang;ASAKURA Hiroshi;ORIHARA Shingo;AOKI Kazufumi
Classification H04L29/06 Main classification H04L29/06
Agency Agent
Main claim 1. A log analyzing device that analyzes an access log collected from an information processing apparatus connected to a network, the log analyzing device comprising: a storage unit that stores a profile that is a criterion for determining whether analysis-target data indicates an attack on the information processing apparatus; a parameter extracting unit that extracts each parameter from a request in the access log; a class converting unit that, with regard to each parameter extracted by the parameter extracting unit, compares each part of a parameter value, from a first character, with a previously defined character string class, replaces the part with a longest character string class that matches the character string class, and conducts conversion for a class sequence in which replaced character string classes are sequentially arranged; a profile storing unit that stores, as the profile in the storage unit, a class sequence with an appearance frequency of equal to or more than a predetermined value in a group of the class sequences that are obtained by the parameter extracting unit and the class converting unit with regard to the access log of normal data as learning data; and a failure detecting unit that calculates a degree of similarity between the profile and the class sequence that is obtained by the parameter extracting unit and the class converting unit with regard to the access log in the analysis-target data and that determines whether an attack on the information processing apparatus occurs in accordance with the degree of similarity.
Address Chiyoda-ku JP
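
The pipeline in the main claim (parameter extraction, longest-match class conversion, frequency-based profile, similarity-based detection), sketched as an added example that is not code from the patent or the applicant. The character string classes, the count threshold, the difflib similarity measure with its 0.8 cut-off, and the sample requests are all assumptions, since this record does not define them.

```python
import re
from collections import Counter, defaultdict
from difflib import SequenceMatcher
from urllib.parse import urlsplit, parse_qsl

# Assumed character string classes; the record does not list the real ones.
CLASSES = [
    ("url", re.compile(r"https?://[\w.\-/]+")),
    ("ip", re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")),
    ("numeric", re.compile(r"\d+")),
    ("alpha", re.compile(r"[A-Za-z]+")),
    ("space", re.compile(r"\s+")),
    ("symbol", re.compile(r"[^\w\s]")),
]

def to_class_sequence(value):
    """From the first character on, replace each part with the longest matching class."""
    seq, pos = [], 0
    while pos < len(value):
        hits = [(m.end() - pos, name) for name, rx in CLASSES if (m := rx.match(value, pos))]
        length, name = max(hits, key=lambda h: h[0]) if hits else (1, "other")
        seq.append(name)
        pos += length
    return tuple(seq)

def extract_params(request_line):
    """Decoded (name, value) pairs from the query string of 'METHOD target HTTP/x'."""
    return parse_qsl(urlsplit(request_line.split()[1]).query, keep_blank_values=True)

def learn_profile(normal_requests, min_count=2):
    """Per parameter, keep class sequences seen at least min_count times (assumed threshold)."""
    counts = defaultdict(Counter)
    for line in normal_requests:
        for name, value in extract_params(line):
            counts[name][to_class_sequence(value)] += 1
    return {n: {s for s, c in ctr.items() if c >= min_count} for n, ctr in counts.items()}

def similarity(seq, profile_seqs):
    """Best difflib ratio against any profile sequence (assumed similarity measure)."""
    return max((SequenceMatcher(None, seq, p).ratio() for p in profile_seqs), default=0.0)

def detect(request_line, profile, threshold=0.8):
    """Parameters whose class sequence is not similar enough to the learned profile."""
    return [(n, v) for n, v in extract_params(request_line)
            if similarity(to_class_sequence(v), profile.get(n, ())) < threshold]

# Constructed learning data (normal requests), not taken from any real log.
NORMAL = ["GET /search?q=apple&page=1 HTTP/1.1", "GET /search?q=banana&page=2 HTTP/1.1",
          "GET /search?q=red+apple&page=10 HTTP/1.1", "GET /search?q=green+pear&page=3 HTTP/1.1"]
```

A parameter that never appears in the learning data has an empty profile in this sketch and is therefore always reported.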