
US-12621328-B2 - Communication analysis system, analysis method, and recording medium


Abstract

A communication analysis system includes: an information receiver that receives information indicating analysis target communication performed by a monitoring target; an information obtainer that obtains past communication information indicating communication by the monitoring target; a WL determiner that determines, using the obtained analysis target communication and the whitelist, that non-WL communication has been established in the analysis target communication; a similar terminal extractor that extracts one or more terminals similar to destination and source terminals included in a non-WL communication link determined; a primary similar communication link extractor that extracts a past communication link similar to the non-WL communication link as a primary similar communication link from the obtained past communication information using the extracted similar terminals; and a NW graph creator that creates a NW graph for analysis as graph information for analyzing the non-whitelist communication using the extracted primary similar communication link and the obtained past communication information.

Inventors

  • Hiroyuki Okada
  • TATSUMI OBA

Assignees

  • PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA

Dates

Publication Date
20260505
Application Date
20240305
Priority Date
20210916

Claims (15)

  1. A communication analysis system for analyzing communication performed in a network of a plurality of terminals in a predetermined environment, the plurality of terminals being a monitoring target, the communication analysis system comprising: a whitelist created by learning the communication performed by the monitoring target; a communication information database (DB) that holds past communication information including information indicating past communication performed by the monitoring target; and an analysis auxiliary graph creation circuit that creates graph information for conducting an analysis of non-whitelist communication that is communication not included in the whitelist, wherein the analysis auxiliary graph creation circuit includes: an information reception circuit that receives information indicating analysis target communication that is communication performed by the monitoring target; an information obtaining circuit that obtains the past communication information from the communication information DB; a whitelist determination circuit that determines, using the whitelist and the information indicating the analysis target communication and obtained by the information reception circuit, that the non-whitelist communication has been established in the analysis target communication; a similar terminal extraction circuit that extracts a first similar terminal and a second similar terminal, the first similar terminal being at least one terminal similar to a destination terminal included in a non-whitelist communication link that is a communication link of the non-whitelist communication determined by the whitelist determination circuit, the second similar terminal being at least one terminal similar to a source terminal included in the non-whitelist communication link; a primary similar communication link extraction circuit that extracts a past communication link as a primary similar communication link from the past communication information obtained by the information obtaining circuit, using the first similar terminal and the second similar terminal extracted by the similar terminal extraction circuit, the past communication link being similar to the non-whitelist communication link and including the first similar terminal and the second similar terminal as the destination terminal or the source terminal; and a network (NW) graph creation circuit that creates a NW graph for analysis as the graph information for conducting the analysis of the non-whitelist communication, using the primary similar communication link extracted by the primary similar communication link extraction circuit and the past communication information obtained by the information obtaining circuit.
  2. The communication analysis system according to claim 1, wherein the analysis auxiliary graph creation circuit further includes: a secondary similar communication link extraction circuit that extracts a secondary similar communication link that is a communication link different from the primary similar communication link and the non-whitelist communication link, the similar terminal extraction circuit further extracts a third similar terminal and a fourth similar terminal, the third similar terminal being at least one terminal similar to a counterpart terminal, that is different from the source terminal, of communication performed in the past by the destination terminal included in the non-whitelist communication link, the fourth similar terminal being at least one terminal similar to a counterpart terminal, that is different from the destination terminal, of communication performed by the source terminal included in the non-whitelist communication link in the past, the secondary similar communication link extraction circuit extracts, as the secondary similar communication link, a communication link of past communication similar to communication performed in the past by the source terminal or the destination terminal included in the non-whitelist communication link, using the first similar terminal, the second similar terminal, the third similar terminal, and the fourth similar terminal extracted by the similar terminal extraction circuit and the past communication information obtained by the information obtaining circuit, the communication link of the past communication being different from the primary similar communication link obtained by the primary similar communication link extraction circuit and the non-whitelist communication link, and the NW graph creation circuit creates the NW graph for analysis using the primary similar communication link extracted, the secondary similar communication link extracted, and the past communication information obtained by the information obtaining circuit.
  3. The communication analysis system according to claim 2, wherein the NW graph creation circuit creates the NW graph and creates, as auxiliary information for a user to conduct the analysis, a message based on the NW graph created.
  4. The communication analysis system according to claim 2, wherein the analysis auxiliary graph creation circuit further includes: a NW graph display circuit that displays, on a screen, the NW graph created by the NW graph creation circuit; and a whitelist (WL) change operation circuit that adds the non-whitelist communication to the whitelist according to an instruction from a user.
  5. The communication analysis system according to claim 4, wherein the NW graph display circuit displays, on the screen, a scrollbar for performing an operation to adjust a threshold value of a degree of similarity between each of the destination terminal and the source terminal included in the non-whitelist communication link and the at least one terminal similar to a corresponding one of the destination terminal and the source terminal, and displays, on the screen, the NW graph in which a total number of similar terminals shown has been updated according to the threshold value changed by the operation performed by the user on the scrollbar, each of the similar terminals shown being the at least one terminal similar to the corresponding one of the destination terminal and the source terminal.
  6. The communication analysis system according to claim 4, wherein the primary similar communication link is included in one or more primary similar communication links, and the secondary similar communication link is included in one or more secondary similar communication links, when the user selects, in the NW graph displayed on the screen, two communication links that are the non-whitelist communication link and one of the one or more primary similar communication links, or two communication links that are the non-whitelist communication link and one of the one or more secondary similar communication links, the NW graph display circuit displays detailed information of the two communication links selected, on the screen as comparison information for conducting the analysis of the non-whitelist communication.
  7. The communication analysis system according to claim 6, wherein the NW graph display circuit displays a message related to an operating procedure for selecting the two communication links, and guides the user to cause the comparison information to be displayed on the screen.
  8. The communication analysis system according to claim 4, wherein when the user selects the non-whitelist communication link, the NW graph display circuit displays a button for determining whether to add, to the whitelist, the non-whitelist communication of the non-whitelist communication link selected, and the WL change operation circuit adds the non-whitelist communication to the whitelist according to input performed by the user on the button.
  9. The communication analysis system according to claim 4, wherein the NW graph creation circuit causes the NW graph display circuit to display the non-whitelist communication link with highlights in the NW graph created.
  10. The communication analysis system according to claim 4, wherein the NW graph creation circuit groups the destination terminal included in the non-whitelist communication link and the first similar terminal, groups the source terminal included in the non-whitelist communication link and the second similar terminal, groups the third similar terminal, and groups the fourth similar terminal, and causes the NW graph display circuit to display the NW graph.
  11. The communication analysis system according to claim 1, wherein the similar terminal extraction circuit calculates a degree of similarity between the plurality of terminals to extract a similar terminal, using a machine learning model that has been trained.
  12. The communication analysis system according to claim 11, wherein the machine learning model is generated by learning the communication performed by the monitoring target, using a vector of a fixed dimension for each terminal that has appeared in the communication and a matrix of a fixed size for each communication type that has appeared in the communication that have been created using link prediction or a node classification algorithm.
  13. The communication analysis system according to claim 12, wherein the machine learning model includes one of LinkFeat, COMPosition-based multi-relational Graph Convolutional Networks (COMPGCN), Relational Graph Convolutional Network (R-GCN), DistMult, Translating Embeddings for Modeling Multi-relational Data (TransE), Holographic Embeddings of Knowledge Graphs (HolE), or Complex Embeddings for Simple Link Prediction (ComplEx).
  14. An analysis method for a computer to analyze communication performed in a network of a plurality of terminals in a predetermined environment, the plurality of terminals being a monitoring target, the analysis method comprising: receiving information indicating analysis target communication that is communication performed by the monitoring target; obtaining past communication information from a communication information database (DB) that holds the past communication information, the past communication information including information indicating past communication performed by the monitoring target; determining, using the information indicating the analysis target communication and obtained in the receiving and a whitelist created by learning the communication performed by the monitoring target, that non-whitelist communication has been established in the analysis target communication, the non-whitelist communication being communication not included in the whitelist; extracting a first similar terminal and a second similar terminal, the first similar terminal being at least one terminal similar to a destination terminal included in a non-whitelist communication link that is a communication link of the non-whitelist communication determined in the determining, the second similar terminal being at least one terminal similar to a source terminal included in the non-whitelist communication link; extracting a past communication link as a primary similar communication link from the past communication information obtained in the obtaining, using the first similar terminal and the second similar terminal extracted in the extracting, the past communication link being similar to the non-whitelist communication link and including the first similar terminal and the second similar terminal as the destination terminal or the source terminal; and creating a network (NW) graph for analysis as graph information for conducting an analysis of the non-whitelist communication, using the primary similar communication link extracted in the extracting and the past communication information obtained in the obtaining.
  15. A non-transitory computer-readable recording medium having recorded thereon a program for causing a computer to perform an analysis method for analyzing communication performed in a network of a plurality of terminals in a predetermined environment, the plurality of terminals being a monitoring target, the program causing the computer to execute: receiving information indicating analysis target communication that is communication performed by the monitoring target; obtaining past communication information from a communication information database (DB) that holds the past communication information, the past communication information including information indicating past communication performed by the monitoring target; determining, using the information indicating the analysis target communication and obtained in the receiving and a whitelist created by learning the communication performed by the monitoring target, that non-whitelist communication has been established in the analysis target communication, the non-whitelist communication being communication not included in the whitelist; extracting a first similar terminal and a second similar terminal, the first similar terminal being at least one terminal similar to a destination terminal included in a non-whitelist communication link that is a communication link of the non-whitelist communication determined in the determining, the second similar terminal being at least one terminal similar to a source terminal included in the non-whitelist communication link; extracting a past communication link as a primary similar communication link from the past communication information obtained in the obtaining, using the first similar terminal and the second similar terminal extracted in the extracting, the past communication link being similar to the non-whitelist communication link and including the first similar terminal and the second similar terminal as the destination terminal or the source terminal; and creating a network (NW) graph for analysis as graph information for conducting an analysis of the non-whitelist communication, using the primary similar communication link extracted in the extracting and the past communication information obtained in the obtaining.
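As an added illustration (not code from the patent or from Panasonic), the following Python models the pipeline of claims 1 and 14 on a constructed Modbus/HTTP sample: whitelist determination, similar terminal extraction, primary similar communication link extraction and NW graph creation. The similarity measure (Jaccard overlap of each terminal's past partner profile), the threshold parameter standing in for the scrollbar of claim 5, and all addresses are assumptions; the patent's own similarity comes from a trained graph-embedding model (claims 11 to 13).

```python
from collections import defaultdict

# Constructed sample of past ICS communication (the communication information DB):
# two HMIs polling PLCs over Modbus, plus one unrelated HTTP client.
PAST_LINKS = [
    ("10.0.0.1", "10.0.0.10", "modbus"),
    ("10.0.0.1", "10.0.0.11", "modbus"),
    ("10.0.0.2", "10.0.0.10", "modbus"),
    ("10.0.0.2", "10.0.0.11", "modbus"),
    ("10.0.0.2", "10.0.0.12", "modbus"),
    ("10.0.0.5", "10.0.0.20", "http"),
]
# Whitelist learned from the monitoring target (here: every past link, as a stand-in).
WHITELIST = set(PAST_LINKS)

def non_whitelist_links(analysis_target, whitelist):
    """WL determination: links in the analysis target not covered by the whitelist."""
    return [link for link in analysis_target if link not in whitelist]

def partner_profiles(past_links):
    """Per-terminal set of (direction, counterpart, protocol) seen in the past."""
    profiles = defaultdict(set)
    for src, dst, proto in past_links:
        profiles[src].add(("out", dst, proto))
        profiles[dst].add(("in", src, proto))
    return profiles

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def similar_terminals(terminal, profiles, threshold):
    """Similar terminal extraction. Assumed metric: Jaccard overlap of profiles;
    the threshold plays the role of the scrollbar value in claim 5."""
    base = profiles.get(terminal, set())
    return {t for t, p in profiles.items()
            if t != terminal and jaccard(base, p) >= threshold}

def primary_similar_links(nwl_link, past_links, profiles, threshold):
    """Past links of the same protocol whose endpoints are the non-WL link's own
    endpoints or terminals similar to them (first/second similar terminals)."""
    src, dst, proto = nwl_link
    sim_src = similar_terminals(src, profiles, threshold) | {src}
    sim_dst = similar_terminals(dst, profiles, threshold) | {dst}
    return [l for l in past_links
            if l[0] in sim_src and l[1] in sim_dst and l[2] == proto]

def analysis_graph(nwl_link, past_links, threshold=0.5):
    """NW graph for analysis: the non-WL link first (so a display can highlight it)
    followed by its primary similar links, plus the sorted set of terminals."""
    profiles = partner_profiles(past_links)
    edges = [(nwl_link, "non_wl")]
    edges += [(l, "primary_similar") for l in
              primary_similar_links(nwl_link, past_links, profiles, threshold)]
    nodes = sorted({n for link, _ in edges for n in link[:2]})
    return {"nodes": nodes, "edges": edges}
```

On this sample, the non-WL link 10.0.0.1 to 10.0.0.12 over Modbus gathers five primary similar links (both HMIs already poll the PLC group), whereas 10.0.0.5 to 10.0.0.10 gathers none; raising the threshold to 0.7 shrinks the first graph to the lone non-WL link, which is the effect the scrollbar of claim 5 exposes to the analyst.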

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This is a continuation application of PCT International Application No. PCT/JP2022/033440 filed on Sep. 6, 2022, designating the United States of America, which is based on and claims priority of Japanese Patent Application No. 2021-151379 filed on Sep. 16, 2021. The entire disclosures of the above-identified applications, including the specifications, drawings and claims, are incorporated herein by reference in their entirety.

FIELD

The present disclosure relates to communication analysis systems, analysis methods, and recording media for analyzing whether communication not included in a whitelist is anomalous.

BACKGROUND

Conventionally, a unique communication standard has been used in the communication network (NW) of an industrial control system (ICS) that manages and controls equipment such as factory facilities. In recent years, in order to retrofit the ICS using artificial intelligence and improve its convenience and versatility, open communication standards have come into use for the NW in the ICS. However, changing the configuration of equipment included in the ICS and updating that equipment are not easy, which leads to insufficient security measures. Susceptibility to cyber-attacks is therefore high, and the number of damaging incidents grows year after year.

Furthermore, in the ICS, various terminals are connected in the same segment; terminals belonging to the same segment perform little communication with terminals outside the segment but communicate heavily within the segment using various protocols. In other words, because the ICS performs predetermined processes, closed communication between specific terminals tends to occur. Thus, the terminals used in the ICS have communication characteristics different from those of terminals used in a typical office or the like.

In the ICS, because of these communication characteristics, anomaly detection using a whitelist is considered effective and is widely used (for example, refer to Non Patent Literature (NPL) 1). By using the whitelist, it is possible to detect communication that has never been established before. On the other hand, when the whitelisting period, that is, the period for collecting the past communication used to create the whitelist, is insufficient, there is a risk that numerous false detections occur on normal communication that the whitelist failed to capture. This places a burden on the analyst at a security operation center who analyzes the alerts, and may lead to a failure to properly handle a cyber-attack that should be dealt with. In this regard, a method has been disclosed for presenting the priority level of an alert to be dealt with, by learning the communication status of each terminal through machine learning and quantifying the anomaly level of a communication link in communication not included in the whitelist (for example, refer to NPL 2). A communication link denotes a combination of the IP addresses (or MAC address information) specifying the source and destination terminals, the protocol used in the exchange between these terminals, and the category of information.

CITATION LIST

Non Patent Literature

NPL 1: Dwight Anderson (2014). “Protect Critical Infrastructure Systems With Whitelisting”
NPL 2: Tatsumi Oba, et al. (2020). “Graph Convolutional Network-based Suspicious Communication Pair Estimation for Industrial Control Systems”

SUMMARY

Technical Problem

However, when only the priority level of an alert is presented, as in NPL 2, the analyst may still not learn how to actually handle the issue, and even when the alerts to be handled are ranked by priority level, it may not be possible to streamline the analysis task conducted by the analyst. The present disclosure is conceived in view of the above-described circumstances and provides a communication analysis system, etc., capable of easily analyzing whether communication not included in a whitelist is anomalous.

Solution to Problem

In order to solve the aforementioned problem, a communication analysis system according to one aspect of the present disclosure is a communication analysis system for analyzing communication performed in a network of a plurality of terminals in a predetermined environment, the plurality of terminals being a monitoring target, the communication analysis system including: a whitelist created by learning the communication performed by the monitoring target; a communication information DB that holds past communication information including information indicating past communication performed by the monitoring target; and an analysis auxiliary graph creation system that creates graph information for conducting an analysis of non-whitelist communication that is communication not included in the whitelist. The analysis auxiliary graph creation system includes: an