摘要 |
<p><P>PROBLEM TO BE SOLVED: To detect abnormality on which the trends of time series data are reflected in detecting unauthorized access. <P>SOLUTION: A network abnormality decision device 100 is provided with a data acquisition part 101 for acquiring a log; a totaling part 102 for generating time series data from the log; an analysis part 103 for extracting a plurality of consistent state feature values from the time series data by main component analysis, and for extracting the new data feature values of new data at a time posterior to the time series data whose consistent state feature values have been extracted; a normal state definition part 107 for defining a normal state feature value region; an abnormality detection part 104 for deciding whether or not a Mahalanobis distance between the normal state feature value region and the new data feature values exceeds a threshold; and an inclination decision part 105 for, when it is decided that the Mahalanobis distance exceeds the threshold, deciding whether or not the new data corresponding to the new data feature values are inclined to rise with respect to the time series data corresponding to the normal state feature value region, and for, when it is decided that the new data are inclined to rise, deciding that abnormality has been generated. <P>COPYRIGHT: (C)2008,JPO&INPIT</p> |